From c4c0635a79fd489d9813ad5528761f01e06e6516 Mon Sep 17 00:00:00 2001 From: patrick-stephens <6388272+patrick-stephens@users.noreply.github.com> Date: Wed, 17 Dec 2025 06:03:19 +0000 Subject: [PATCH] ci: update cve scan results 
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> --- docs/security/agent/grype-25.10.1.json | 1336 +++++++-------- docs/security/agent/grype-25.10.1.md | 6 +- docs/security/agent/grype-25.10.2.json | 1336 +++++++-------- docs/security/agent/grype-25.10.2.md | 6 +- docs/security/agent/grype-25.10.3.json | 1336 +++++++-------- docs/security/agent/grype-25.10.3.md | 6 +- docs/security/agent/grype-25.10.4.json | 1336 +++++++-------- docs/security/agent/grype-25.10.4.md | 6 +- docs/security/agent/grype-25.10.5.json | 1336 +++++++-------- docs/security/agent/grype-25.10.5.md | 6 +- docs/security/agent/grype-25.10.6.json | 1336 +++++++-------- docs/security/agent/grype-25.10.6.md | 6 +- docs/security/agent/grype-25.10.7.json | 1336 +++++++-------- docs/security/agent/grype-25.10.7.md | 6 +- docs/security/agent/grype-25.10.8.json | 1288 +++++++------- docs/security/agent/grype-25.10.8.md | 6 +- docs/security/agent/grype-25.10.9.json | 1304 +++++++------- docs/security/agent/grype-25.10.9.md | 6 +- docs/security/agent/grype-25.11.1.json | 1336 +++++++-------- docs/security/agent/grype-25.11.1.md | 6 +- docs/security/agent/grype-25.11.2.json | 1336 +++++++-------- docs/security/agent/grype-25.11.2.md | 6 +- docs/security/agent/grype-25.12.1.json | 1352 +++++++-------- docs/security/agent/grype-25.12.1.md | 6 +- docs/security/agent/grype-25.12.2.json | 1320 +++++++-------- docs/security/agent/grype-25.12.2.md | 6 +- docs/security/agent/grype-25.12.3.json | 1320 +++++++-------- docs/security/agent/grype-25.12.3.md | 6 +- docs/security/agent/grype-25.7.1.json | 2168 ++++++++++++------------ docs/security/agent/grype-25.7.1.md | 8 +- docs/security/agent/grype-25.7.2.json | 2168 ++++++++++++------------ docs/security/agent/grype-25.7.2.md | 8 +- docs/security/agent/grype-25.7.4.json | 2154 +++++++++++------------ docs/security/agent/grype-25.7.4.md | 8 +- docs/security/agent/grype-25.8.2.json | 2080 +++++++++++------------ 
docs/security/agent/grype-25.8.2.md | 8 +- docs/security/agent/grype-25.8.4.json | 2072 +++++++++++----------- docs/security/agent/grype-25.8.4.md | 8 +- docs/security/agent/grype-25.9.1.json | 1538 ++++++++--------- docs/security/agent/grype-25.9.1.md | 6 +- docs/security/agent/grype-25.9.2.json | 1538 ++++++++--------- docs/security/agent/grype-25.9.2.md | 6 +- docs/security/agent/grype-25.9.3.json | 1538 ++++++++--------- docs/security/agent/grype-25.9.3.md | 6 +- docs/security/agent/grype-25.9.4.json | 1336 +++++++-------- docs/security/agent/grype-25.9.4.md | 6 +- docs/security/agent/grype-25.9.5.json | 1336 +++++++-------- docs/security/agent/grype-25.9.5.md | 6 +- docs/security/oss/grype-4.0.10.json | 724 ++++---- docs/security/oss/grype-4.0.11.json | 724 ++++---- docs/security/oss/grype-4.0.12.json | 708 ++++---- docs/security/oss/grype-4.0.13.json | 708 ++++---- docs/security/oss/grype-4.0.3.json | 828 ++++----- docs/security/oss/grype-4.0.4.json | 828 ++++----- docs/security/oss/grype-4.0.5.json | 796 ++++----- docs/security/oss/grype-4.0.6.json | 796 ++++----- docs/security/oss/grype-4.0.7.json | 796 ++++----- docs/security/oss/grype-4.0.8.json | 796 ++++----- docs/security/oss/grype-4.0.9.json | 796 ++++----- docs/security/oss/grype-4.1.0.json | 744 ++++---- 60 files changed, 22967 insertions(+), 22967 deletions(-) diff --git a/docs/security/agent/grype-25.10.1.json b/docs/security/agent/grype-25.10.1.json index 98ae33a..92aa8b7 100644 --- a/docs/security/agent/grype-25.10.1.json +++ b/docs/security/agent/grype-25.10.1.json @@ -25,8 +25,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -91,8 +91,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ 
@@ -194,8 +194,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -260,8 +260,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -363,8 +363,8 @@ { "cve": "CVE-2024-56433", "epss": 0.05074, - "percentile": 0.8942, - "date": "2025-12-14" + "percentile": 0.89421, + "date": "2025-12-15" } ], "cwes": [ @@ -426,8 +426,8 @@ { "cve": "CVE-2024-56433", "epss": 0.05074, - "percentile": 0.8942, - "date": "2025-12-14" + "percentile": 0.89421, + "date": "2025-12-15" } ], "cwes": [ 
@@ -504,39 +504,39 @@ }, { "vulnerability": { - "id": "CVE-2024-9681", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", + "id": "CVE-2024-34459", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-34459", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", + "description": "A flaw was found in the xmllint program distributed by the libxml2 package. A buffer over-read in the xmlHTMLPrintFileContext function in the xmllint.c file may be triggered when a crafted file is processed with the xmllint program using the `--htmlout` command line option, causing an application crash and resulting in a denial of service.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 3.9, - "exploitabilityScore": 1.4, - "impactScore": 2.6 + "baseScore": 5.5, + "exploitabilityScore": 1.9, + "impactScore": 3.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-34459", + "epss": 0.00847, + "percentile": 0.74212, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-34459", + "cwe": "CWE-122", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ], "fix": { 
@@ -544,51 +544,36 @@ "state": "not-fixed" }, "advisories": [], - "risk": 0.422625 + "risk": 0.35997500000000004 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-9681", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", + "id": "CVE-2024-34459", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-34459", "namespace": "nvd:cpe", - "severity": "Medium", + "severity": "High", "urls": [ - "https://curl.se/docs/CVE-2024-9681.html", - "https://curl.se/docs/CVE-2024-9681.json", - "https://hackerone.com/reports/2764830", - "http://seclists.org/fulldisclosure/2025/Apr/10", - "http://seclists.org/fulldisclosure/2025/Apr/11", - "http://seclists.org/fulldisclosure/2025/Apr/12", - "http://seclists.org/fulldisclosure/2025/Apr/13", - "http://seclists.org/fulldisclosure/2025/Apr/4", - "http://seclists.org/fulldisclosure/2025/Apr/5", - "http://seclists.org/fulldisclosure/2025/Apr/8", - "http://seclists.org/fulldisclosure/2025/Apr/9", - "http://www.openwall.com/lists/oss-security/2024/11/06/2", - "https://security.netapp.com/advisory/ntap-20241213-0006/" + "https://gitlab.gnome.org/GNOME/libxml2/-/issues/720", + "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.8", + "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.7", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/", + "https://lists.debian.org/debian-lts-announce/2025/07/msg00014.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", + 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/" ], - "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", + "description": "An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. 
Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c.", "cvss": [ - { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", - "metrics": { - "baseScore": 6.5, - "exploitabilityScore": 2.3, - "impactScore": 4.3 - }, - "vendorMetadata": {} - }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, + "baseScore": 7.5, + "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} @@ -596,25 +581,25 @@ ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-34459", + "epss": 0.00847, + "percentile": 0.74212, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-34459", + "cwe": "CWE-122", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ] } ], "matchDetails": [ { - "type": "exact-indirect-match", + "type": "exact-direct-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { @@ -622,21 +607,21 @@ "version": "9.6" }, "package": { - "name": "curl", - "version": "7.76.1-31.el9_6.1" + "name": "libxml2", + "version": "0:2.9.13-12.el9_6" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-9681", + "vulnerabilityID": "CVE-2024-34459", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "707ec843794b77ca", - "name": "curl-minimal", - "version": "7.76.1-31.el9_6.1", + "id": "66b25e26e34fcd34", + "name": "libxml2", + "version": "2.9.13-12.el9_6", "type": "rpm", "locations": [ { 
@@ -653,22 +638,11 @@ "MIT" ], "cpes": [ - "cpe:2.3:a:curl-minimal:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:curl-minimal:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:curl_minimal:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:curl_minimal:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:curl:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:curl:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*" - ], - "purl": "pkg:rpm/redhat/curl-minimal@7.76.1-31.el9_6.1?arch=x86_64&distro=rhel-9.6&upstream=curl-7.76.1-31.el9_6.1.src.rpm", - "upstreams": [ - { - "name": "curl", - "version": "7.76.1-31.el9_6.1" - } + "cpe:2.3:a:libxml2:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*" ], + "purl": "pkg:rpm/redhat/libxml2@2.9.13-12.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libxml2-2.9.13-12.el9_6.src.rpm", + "upstreams": [], "metadataType": "RpmMetadata", "metadata": { "epoch": null, 
@@ -678,91 +652,69 @@ }, { "vulnerability": { - "id": "CVE-2024-9681", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", + "id": "CVE-2024-41996", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", + "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 3.9, - "exploitabilityScore": 1.4, - "impactScore": 2.6 + "baseScore": 5.9, + "exploitabilityScore": 2.3, + "impactScore": 3.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-41996", + "cwe": "CWE-295", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ], "fix": { "versions": [], - "state": "not-fixed" + "state": "wont-fix" }, "advisories": [], - "risk": 0.422625 + "risk": 0.30705000000000005 }, 
"relatedVulnerabilities": [ { - "id": "CVE-2024-9681", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", + "id": "CVE-2024-41996", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", "namespace": "nvd:cpe", - "severity": "Medium", + "severity": "High", "urls": [ - "https://curl.se/docs/CVE-2024-9681.html", - "https://curl.se/docs/CVE-2024-9681.json", - "https://hackerone.com/reports/2764830", - "http://seclists.org/fulldisclosure/2025/Apr/10", - "http://seclists.org/fulldisclosure/2025/Apr/11", - "http://seclists.org/fulldisclosure/2025/Apr/12", - "http://seclists.org/fulldisclosure/2025/Apr/13", - "http://seclists.org/fulldisclosure/2025/Apr/4", - "http://seclists.org/fulldisclosure/2025/Apr/5", - "http://seclists.org/fulldisclosure/2025/Apr/8", - "http://seclists.org/fulldisclosure/2025/Apr/9", - "http://www.openwall.com/lists/oss-security/2024/11/06/2", - "https://security.netapp.com/advisory/ntap-20241213-0006/" + "https://dheatattack.gitlab.io/details/", + "https://dheatattack.gitlab.io/faq/", + "https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" ], - "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug 
is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", + "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", "cvss": [ - { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", - "metrics": { - "baseScore": 6.5, - "exploitabilityScore": 2.3, - "impactScore": 4.3 - }, - "vendorMetadata": {} - }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, + "baseScore": 7.5, + "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} 
@@ -770,25 +722,25 @@ ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-41996", + "cwe": "CWE-295", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ] } ], "matchDetails": [ { - "type": "exact-indirect-match", + "type": "exact-direct-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { @@ -796,21 +748,21 @@ "version": "9.6" }, "package": { - "name": "curl", - "version": "7.76.1-31.el9_6.1" + "name": "openssl", + "version": "1:3.2.2-6.el9_5.1" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-9681", + "vulnerabilityID": "CVE-2024-41996", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "220f5f360bc1aff5", - "name": "libcurl-minimal", - "version": "7.76.1-31.el9_6.1", + "id": "7dc75dc862d10c78", + "name": "openssl", + "version": "1:3.2.2-6.el9_5.1", "type": "rpm", "locations": [ { 
@@ -824,48 +776,37 @@ ], "language": "", "licenses": [ - "MIT" + "ASL 2.0" ], "cpes": [ - "cpe:2.3:a:libcurl-minimal:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl-minimal:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl_minimal:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl_minimal:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*" - ], - "purl": "pkg:rpm/redhat/libcurl-minimal@7.76.1-31.el9_6.1?arch=x86_64&distro=rhel-9.6&upstream=curl-7.76.1-31.el9_6.1.src.rpm", - "upstreams": [ - { - "name": "curl", - "version": "7.76.1-31.el9_6.1" - } + "cpe:2.3:a:openssl:openssl:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:openssl:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*" ], + "purl": "pkg:rpm/redhat/openssl@3.2.2-6.el9_5.1?arch=x86_64&distro=rhel-9.6&epoch=1&upstream=openssl-3.2.2-6.el9_5.1.src.rpm", + "upstreams": [], "metadataType": "RpmMetadata", "metadata": { - "epoch": null, + "epoch": 1, "modularityLabel": "" } } }, { "vulnerability": { - "id": "CVE-2024-34459", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-34459", + "id": "CVE-2024-41996", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A flaw was found in the xmllint program distributed by the libxml2 package. 
A buffer over-read in the xmlHTMLPrintFileContext function in the xmllint.c file may be triggered when a crafted file is processed with the xmllint program using the `--htmlout` command line option, causing an application crash and resulting in a denial of service.", + "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 5.5, - "exploitabilityScore": 1.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} 
@@ -873,52 +814,45 @@ ], "epss": [ { - "cve": "CVE-2024-34459", - "epss": 0.00847, - "percentile": 0.74208, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-34459", - "cwe": "CWE-122", + "cve": "CVE-2024-41996", + "cwe": "CWE-295", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ], "fix": { "versions": [], - "state": "not-fixed" + "state": "wont-fix" }, "advisories": [], - "risk": 0.35997500000000004 + "risk": 0.30705000000000005 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-34459", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-34459", + "id": "CVE-2024-41996", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", "namespace": "nvd:cpe", "severity": "High", "urls": [ - "https://gitlab.gnome.org/GNOME/libxml2/-/issues/720", - "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.8", - "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.7", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/", - "https://lists.debian.org/debian-lts-announce/2025/07/msg00014.html", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/" + "https://dheatattack.gitlab.io/details/", + "https://dheatattack.gitlab.io/faq/", + 
"https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" ], - "description": "An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c.", + "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", "cvss": [ { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { "baseScore": 7.5, "exploitabilityScore": 3.9, @@ -929,16 +863,16 @@ ], "epss": [ { - "cve": "CVE-2024-34459", - "epss": 0.00847, - "percentile": 0.74208, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-34459", - "cwe": "CWE-122", + "cve": "CVE-2024-41996", + "cwe": "CWE-295", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } @@ -947,7 +881,7 @@ ], "matchDetails": [ { - "type": "exact-direct-match", + "type": "exact-indirect-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { 
@@ -955,21 +889,21 @@ "version": "9.6" }, "package": { - "name": "libxml2", - "version": "0:2.9.13-12.el9_6" + "name": "openssl", + "version": "3.2.2-6.el9_5.1" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-34459", + "vulnerabilityID": "CVE-2024-41996", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "66b25e26e34fcd34", - "name": "libxml2", - "version": "2.9.13-12.el9_6", + "id": "58e683943e8aac02", + "name": "openssl-libs", + "version": "1:3.2.2-6.el9_5.1", "type": "rpm", "locations": [ { 
@@ -983,86 +917,119 @@ ], "language": "", "licenses": [ - "MIT" + "ASL 2.0" ], "cpes": [ - "cpe:2.3:a:libxml2:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*" + "cpe:2.3:a:openssl-libs:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl-libs:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl_libs:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl_libs:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:rpm/redhat/openssl-libs@3.2.2-6.el9_5.1?arch=x86_64&distro=rhel-9.6&epoch=1&upstream=openssl-3.2.2-6.el9_5.1.src.rpm", + "upstreams": [ + { + "name": "openssl", + "version": "3.2.2-6.el9_5.1" + } ], - "purl": "pkg:rpm/redhat/libxml2@2.9.13-12.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libxml2-2.9.13-12.el9_6.src.rpm", - "upstreams": [], "metadataType": "RpmMetadata", "metadata": { - "epoch": null, + "epoch": 1, "modularityLabel": "" } } }, { "vulnerability": { - "id": "CVE-2024-41996", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. 
This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", + "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, - "impactScore": 3.6 + "baseScore": 3.9, + "exploitabilityScore": 1.4, + "impactScore": 2.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ], "fix": { "versions": [], - "state": "wont-fix" + "state": "not-fixed" }, "advisories": [], - "risk": 0.30705000000000005 + "risk": 0.20009999999999997 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-41996", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", "namespace": "nvd:cpe", - "severity": "High", + "severity": "Medium", "urls": [ - "https://dheatattack.gitlab.io/details/", - "https://dheatattack.gitlab.io/faq/", - "https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" + "https://curl.se/docs/CVE-2024-9681.html", + "https://curl.se/docs/CVE-2024-9681.json", + "https://hackerone.com/reports/2764830", + "http://seclists.org/fulldisclosure/2025/Apr/10", + 
"http://seclists.org/fulldisclosure/2025/Apr/11", + "http://seclists.org/fulldisclosure/2025/Apr/12", + "http://seclists.org/fulldisclosure/2025/Apr/13", + "http://seclists.org/fulldisclosure/2025/Apr/4", + "http://seclists.org/fulldisclosure/2025/Apr/5", + "http://seclists.org/fulldisclosure/2025/Apr/8", + "http://seclists.org/fulldisclosure/2025/Apr/9", + "http://www.openwall.com/lists/oss-security/2024/11/06/2", + "https://security.netapp.com/advisory/ntap-20241213-0006/" ], - "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", + "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for 
by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.3, + "impactScore": 4.3 + }, + "vendorMetadata": {} + }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} @@ -1070,25 +1037,25 @@ ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ] } ], "matchDetails": [ { - "type": "exact-direct-match", + "type": "exact-indirect-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { 
@@ -1096,21 +1063,21 @@ "version": "9.6" }, "package": { - "name": "openssl", - "version": "1:3.2.2-6.el9_5.1" + "name": "curl", + "version": "7.76.1-31.el9_6.1" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-41996", + "vulnerabilityID": "CVE-2024-9681", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "7dc75dc862d10c78", - "name": "openssl", - "version": "1:3.2.2-6.el9_5.1", + "id": "707ec843794b77ca", + "name": "curl-minimal", + "version": "7.76.1-31.el9_6.1", "type": "rpm", "locations": [ { 
@@ -1124,86 +1091,119 @@ ], "language": "", "licenses": [ - "ASL 2.0" + "MIT" ], "cpes": [ - "cpe:2.3:a:openssl:openssl:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:openssl:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*" + "cpe:2.3:a:curl-minimal:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:curl-minimal:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:curl_minimal:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:curl_minimal:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:curl:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:curl:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:rpm/redhat/curl-minimal@7.76.1-31.el9_6.1?arch=x86_64&distro=rhel-9.6&upstream=curl-7.76.1-31.el9_6.1.src.rpm", + "upstreams": [ + { + "name": "curl", + "version": "7.76.1-31.el9_6.1" + } ], - "purl": "pkg:rpm/redhat/openssl@3.2.2-6.el9_5.1?arch=x86_64&distro=rhel-9.6&epoch=1&upstream=openssl-3.2.2-6.el9_5.1.src.rpm", - "upstreams": [], "metadataType": "RpmMetadata", "metadata": { - "epoch": 1, + "epoch": null, "modularityLabel": "" } } }, { "vulnerability": { - "id": "CVE-2024-41996", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. 
This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", + "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, - "impactScore": 3.6 + "baseScore": 3.9, + "exploitabilityScore": 1.4, + "impactScore": 2.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ], "fix": { "versions": [], - "state": "wont-fix" + "state": "not-fixed" }, "advisories": [], - "risk": 0.30705000000000005 + "risk": 0.20009999999999997 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-41996", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", "namespace": "nvd:cpe", - "severity": "High", + "severity": "Medium", "urls": [ - "https://dheatattack.gitlab.io/details/", - "https://dheatattack.gitlab.io/faq/", - "https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" + "https://curl.se/docs/CVE-2024-9681.html", + "https://curl.se/docs/CVE-2024-9681.json", + "https://hackerone.com/reports/2764830", + "http://seclists.org/fulldisclosure/2025/Apr/10", + 
"http://seclists.org/fulldisclosure/2025/Apr/11", + "http://seclists.org/fulldisclosure/2025/Apr/12", + "http://seclists.org/fulldisclosure/2025/Apr/13", + "http://seclists.org/fulldisclosure/2025/Apr/4", + "http://seclists.org/fulldisclosure/2025/Apr/5", + "http://seclists.org/fulldisclosure/2025/Apr/8", + "http://seclists.org/fulldisclosure/2025/Apr/9", + "http://www.openwall.com/lists/oss-security/2024/11/06/2", + "https://security.netapp.com/advisory/ntap-20241213-0006/" ], - "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", + "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for 
by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.3, + "impactScore": 4.3 + }, + "vendorMetadata": {} + }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} @@ -1211,18 +1211,18 @@ ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ] } @@ -1237,21 +1237,21 @@ "version": "9.6" }, "package": { - "name": "openssl", - "version": "3.2.2-6.el9_5.1" + "name": "curl", + "version": "7.76.1-31.el9_6.1" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-41996", + "vulnerabilityID": "CVE-2024-9681", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "58e683943e8aac02", - "name": "openssl-libs", - "version": "1:3.2.2-6.el9_5.1", + "id": "220f5f360bc1aff5", + "name": "libcurl-minimal", + "version": "7.76.1-31.el9_6.1", "type": "rpm", "locations": [ { 
@@ -1265,28 +1265,28 @@ ], "language": "", "licenses": [ - "ASL 2.0" + "MIT" ], "cpes": [ - "cpe:2.3:a:openssl-libs:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl-libs:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl_libs:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl_libs:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*" + "cpe:2.3:a:libcurl-minimal:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl-minimal:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl_minimal:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl_minimal:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*" ], - "purl": "pkg:rpm/redhat/openssl-libs@3.2.2-6.el9_5.1?arch=x86_64&distro=rhel-9.6&epoch=1&upstream=openssl-3.2.2-6.el9_5.1.src.rpm", + "purl": "pkg:rpm/redhat/libcurl-minimal@7.76.1-31.el9_6.1?arch=x86_64&distro=rhel-9.6&upstream=curl-7.76.1-31.el9_6.1.src.rpm", "upstreams": [ { - "name": "openssl", - "version": "3.2.2-6.el9_5.1" + "name": "curl", + "version": "7.76.1-31.el9_6.1" } ], "metadataType": "RpmMetadata", "metadata": { - "epoch": 1, + "epoch": null, "modularityLabel": "" } } @@ -1316,8 +1316,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ], "fix": { 
@@ -1361,8 +1361,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ] } @@ -1456,8 +1456,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ], "fix": { @@ -1501,8 +1501,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ] } @@ -1596,8 +1596,8 @@ { "cve": "CVE-2025-14087", "epss": 0.00197, - "percentile": 0.41855, - "date": "2025-12-14" + "percentile": 0.41841, + "date": "2025-12-15" } ], "cwes": [ @@ -1644,8 +1644,8 @@ { "cve": "CVE-2025-14087", "epss": 0.00197, - "percentile": 0.41855, - "date": "2025-12-14" + "percentile": 0.41841, + "date": "2025-12-15" } ], "cwes": [ @@ -1736,8 +1736,8 @@ { "cve": "CVE-2023-32636", "epss": 0.00165, - "percentile": 0.38062, - "date": "2025-12-14" + "percentile": 0.38035, + "date": "2025-12-15" } ], "cwes": [ @@ -1803,8 +1803,8 @@ { "cve": "CVE-2023-32636", "epss": 0.00165, - "percentile": 0.38062, - "date": "2025-12-14" + "percentile": 0.38035, + "date": "2025-12-15" } ], "cwes": [ 
@@ -1878,20 +1878,20 @@ }, { "vulnerability": { - "id": "CVE-2025-1632", - "dataSource": "https://access.redhat.com/security/cve/CVE-2025-1632", + "id": "CVE-2025-27113", + "dataSource": "https://access.redhat.com/security/cve/CVE-2025-27113", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A flaw was found in the bsdunzip utility of libarchive. In affected versions, a specially crafted file may trigger a null pointer dereference. This issue can lead to an application crash or other unexpected behavior.", + "description": "A flaw was found in libxml2. This vulnerability allows a NULL pointer dereference, leading to a potential crash or denial of service via a crafted XML pattern.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L", "metrics": { - "baseScore": 3.3, - "exploitabilityScore": 1.9, + "baseScore": 3.1, + "exploitabilityScore": 1.7, "impactScore": 1.5 }, "vendorMetadata": {} @@ -1899,27 +1899,21 @@ ], "epss": [ { - "cve": "CVE-2025-1632", - "epss": 0.00188, - "percentile": 0.40872, - "date": "2025-12-14" + "cve": "CVE-2025-27113", + "epss": 0.00217, + "percentile": 0.44238, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-1632", - "cwe": "CWE-404", - "source": "cna@vuldb.com", - "type": "Secondary" - }, - { - "cve": "CVE-2025-1632", + "cve": "CVE-2025-27113", "cwe": "CWE-476", - "source": "cna@vuldb.com", + "source": "cve@mitre.org", "type": "Secondary" }, { - "cve": "CVE-2025-1632", + "cve": "CVE-2025-27113", "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" 
@@ -1930,92 +1924,71 @@ "state": "not-fixed" }, "advisories": [], - "risk": 0.05921999999999999 + "risk": 0.066185 }, "relatedVulnerabilities": [ { - "id": "CVE-2025-1632", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-1632", + "id": "CVE-2025-27113", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-27113", "namespace": "nvd:cpe", - "severity": "Medium", + "severity": "High", "urls": [ - "https://github.com/Ekkosun/pocs/blob/main/bsdunzip-poc", - "https://vuldb.com/?ctiid.296619", - "https://vuldb.com/?id.296619", - "https://vuldb.com/?submit.496460" + "https://gitlab.gnome.org/GNOME/libxml2/-/issues/861", + "http://seclists.org/fulldisclosure/2025/Apr/10", + "http://seclists.org/fulldisclosure/2025/Apr/11", + "http://seclists.org/fulldisclosure/2025/Apr/12", + "http://seclists.org/fulldisclosure/2025/Apr/13", + "http://seclists.org/fulldisclosure/2025/Apr/4", + "http://seclists.org/fulldisclosure/2025/Apr/5", + "http://seclists.org/fulldisclosure/2025/Apr/8", + "http://seclists.org/fulldisclosure/2025/Apr/9", + "https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html", + "https://security.netapp.com/advisory/ntap-20250306-0004/" ], - "description": "A vulnerability was found in libarchive up to 3.7.7. It has been classified as problematic. This affects the function list of the file bsdunzip.c. The manipulation leads to null pointer dereference. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. 
The vendor was contacted early about this disclosure but did not respond in any way.", + "description": "libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer dereference in xmlPatMatch in pattern.c.", "cvss": [ { "source": "nvd@nist.gov", "type": "Primary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 5.5, - "exploitabilityScore": 1.9, + "baseScore": 7.5, + "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} }, { - "source": "cna@vuldb.com", - "type": "Secondary", - "version": "4.0", - "vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", - "metrics": { - "baseScore": 4.8 - }, - "vendorMetadata": {} - }, - { - "source": "cna@vuldb.com", + "source": "cve@mitre.org", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "metrics": { - "baseScore": 3.3, - "exploitabilityScore": 1.9, + "baseScore": 2.9, + "exploitabilityScore": 1.5, "impactScore": 1.5 }, "vendorMetadata": {} - }, - { - "source": "cna@vuldb.com", - "type": "Secondary", - "version": "2.0", - "vector": "AV:L/AC:L/Au:S/C:N/I:N/A:P", - "metrics": { - "baseScore": 1.7, - "exploitabilityScore": 3.2, - "impactScore": 2.9 - }, - "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2025-1632", - "epss": 0.00188, - "percentile": 0.40872, - "date": "2025-12-14" + "cve": "CVE-2025-27113", + "epss": 0.00217, + "percentile": 0.44238, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-1632", - "cwe": "CWE-404", - "source": "cna@vuldb.com", - "type": "Secondary" - }, - { - "cve": "CVE-2025-1632", + "cve": "CVE-2025-27113", "cwe": "CWE-476", - "source": "cna@vuldb.com", + "source": "cve@mitre.org", "type": "Secondary" }, { - 
"cve": "CVE-2025-1632", + "cve": "CVE-2025-27113", "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" @@ -2033,21 +2006,21 @@ "version": "9.6" }, "package": { - "name": "libarchive", - "version": "0:3.5.3-6.el9_6" + "name": "libxml2", + "version": "0:2.9.13-12.el9_6" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2025-1632", + "vulnerabilityID": "CVE-2025-27113", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "5fe8b53173092253", - "name": "libarchive", - "version": "3.5.3-6.el9_6", + "id": "66b25e26e34fcd34", + "name": "libxml2", + "version": "2.9.13-12.el9_6", "type": "rpm", "locations": [ { @@ -2061,13 +2034,13 @@ ], "language": "", "licenses": [ - "BSD" + "MIT" ], "cpes": [ - "cpe:2.3:a:libarchive:libarchive:3.5.3-6.el9_6:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libarchive:3.5.3-6.el9_6:*:*:*:*:*:*:*" + "cpe:2.3:a:libxml2:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*" ], - "purl": "pkg:rpm/redhat/libarchive@3.5.3-6.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libarchive-3.5.3-6.el9_6.src.rpm", + "purl": "pkg:rpm/redhat/libxml2@2.9.13-12.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libxml2-2.9.13-12.el9_6.src.rpm", "upstreams": [], "metadataType": "RpmMetadata", "metadata": { 
@@ -2078,20 +2051,20 @@ }, { "vulnerability": { - "id": "CVE-2025-27113", - "dataSource": "https://access.redhat.com/security/cve/CVE-2025-27113", + "id": "CVE-2025-1632", + "dataSource": "https://access.redhat.com/security/cve/CVE-2025-1632", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A flaw was found in libxml2. This vulnerability allows a NULL pointer dereference, leading to a potential crash or denial of service via a crafted XML pattern.", + "description": "A flaw was found in the bsdunzip utility of libarchive. In affected versions, a specially crafted file may trigger a null pointer dereference. This issue can lead to an application crash or other unexpected behavior.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "metrics": { - "baseScore": 3.1, - "exploitabilityScore": 1.7, + "baseScore": 3.3, + "exploitabilityScore": 1.9, "impactScore": 1.5 }, "vendorMetadata": {} @@ -2099,21 +2072,27 @@ ], "epss": [ { - "cve": "CVE-2025-27113", - "epss": 0.00184, - "percentile": 0.40434, - "date": "2025-12-14" + "cve": "CVE-2025-1632", + "epss": 0.00188, + "percentile": 0.40856, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-27113", + "cve": "CVE-2025-1632", + "cwe": "CWE-404", + "source": "cna@vuldb.com", + "type": "Secondary" + }, + { + "cve": "CVE-2025-1632", "cwe": "CWE-476", - "source": "cve@mitre.org", + "source": "cna@vuldb.com", "type": "Secondary" }, { - "cve": "CVE-2025-27113", + "cve": "CVE-2025-1632", "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" 
@@ -2124,71 +2103,92 @@ "state": "not-fixed" }, "advisories": [], - "risk": 0.056119999999999996 + "risk": 0.05921999999999999 }, "relatedVulnerabilities": [ { - "id": "CVE-2025-27113", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-27113", + "id": "CVE-2025-1632", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-1632", "namespace": "nvd:cpe", - "severity": "High", + "severity": "Medium", "urls": [ - "https://gitlab.gnome.org/GNOME/libxml2/-/issues/861", - "http://seclists.org/fulldisclosure/2025/Apr/10", - "http://seclists.org/fulldisclosure/2025/Apr/11", - "http://seclists.org/fulldisclosure/2025/Apr/12", - "http://seclists.org/fulldisclosure/2025/Apr/13", - "http://seclists.org/fulldisclosure/2025/Apr/4", - "http://seclists.org/fulldisclosure/2025/Apr/5", - "http://seclists.org/fulldisclosure/2025/Apr/8", - "http://seclists.org/fulldisclosure/2025/Apr/9", - "https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html", - "https://security.netapp.com/advisory/ntap-20250306-0004/" + "https://github.com/Ekkosun/pocs/blob/main/bsdunzip-poc", + "https://vuldb.com/?ctiid.296619", + "https://vuldb.com/?id.296619", + "https://vuldb.com/?submit.496460" ], - "description": "libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer dereference in xmlPatMatch in pattern.c.", + "description": "A vulnerability was found in libarchive up to 3.7.7. It has been classified as problematic. This affects the function list of the file bsdunzip.c. The manipulation leads to null pointer dereference. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. 
The vendor was contacted early about this disclosure but did not respond in any way.", "cvss": [ { "source": "nvd@nist.gov", "type": "Primary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, + "baseScore": 5.5, + "exploitabilityScore": 1.9, "impactScore": 3.6 }, "vendorMetadata": {} }, { - "source": "cve@mitre.org", + "source": "cna@vuldb.com", + "type": "Secondary", + "version": "4.0", + "vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", + "metrics": { + "baseScore": 4.8 + }, + "vendorMetadata": {} + }, + { + "source": "cna@vuldb.com", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "metrics": { - "baseScore": 2.9, - "exploitabilityScore": 1.5, + "baseScore": 3.3, + "exploitabilityScore": 1.9, "impactScore": 1.5 }, "vendorMetadata": {} + }, + { + "source": "cna@vuldb.com", + "type": "Secondary", + "version": "2.0", + "vector": "AV:L/AC:L/Au:S/C:N/I:N/A:P", + "metrics": { + "baseScore": 1.7, + "exploitabilityScore": 3.2, + "impactScore": 2.9 + }, + "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2025-27113", - "epss": 0.00184, - "percentile": 0.40434, - "date": "2025-12-14" + "cve": "CVE-2025-1632", + "epss": 0.00188, + "percentile": 0.40856, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-27113", + "cve": "CVE-2025-1632", + "cwe": "CWE-404", + "source": "cna@vuldb.com", + "type": "Secondary" + }, + { + "cve": "CVE-2025-1632", "cwe": "CWE-476", - "source": "cve@mitre.org", + "source": "cna@vuldb.com", "type": "Secondary" }, { - "cve": "CVE-2025-27113", + "cve": "CVE-2025-1632", "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" 
@@ -2206,21 +2206,21 @@ "version": "9.6" }, "package": { - "name": "libxml2", - "version": "0:2.9.13-12.el9_6" + "name": "libarchive", + "version": "0:3.5.3-6.el9_6" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2025-27113", + "vulnerabilityID": "CVE-2025-1632", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "66b25e26e34fcd34", - "name": "libxml2", - "version": "2.9.13-12.el9_6", + "id": "5fe8b53173092253", + "name": "libarchive", + "version": "3.5.3-6.el9_6", "type": "rpm", "locations": [ { @@ -2234,13 +2234,13 @@ ], "language": "", "licenses": [ - "MIT" + "BSD" ], "cpes": [ - "cpe:2.3:a:libxml2:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*" + "cpe:2.3:a:libarchive:libarchive:3.5.3-6.el9_6:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libarchive:3.5.3-6.el9_6:*:*:*:*:*:*:*" ], - "purl": "pkg:rpm/redhat/libxml2@2.9.13-12.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libxml2-2.9.13-12.el9_6.src.rpm", + "purl": "pkg:rpm/redhat/libarchive@3.5.3-6.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libarchive-3.5.3-6.el9_6.src.rpm", "upstreams": [], "metadataType": "RpmMetadata", "metadata": { @@ -2274,8 +2274,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ], "fix": { @@ -2316,8 +2316,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ] } @@ -2411,8 +2411,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ], "fix": { @@ -2453,8 +2453,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ] } 
@@ -2548,8 +2548,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -2607,8 +2607,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -2699,8 +2699,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -2758,8 +2758,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -2861,8 +2861,8 @@ { "cve": "CVE-2023-45322", "epss": 0.00076, - "percentile": 0.23163, - "date": "2025-12-14" + "percentile": 0.2314, + "date": "2025-12-15" } ], "cwes": [ @@ -2911,8 +2911,8 @@ { "cve": "CVE-2023-45322", "epss": 0.00076, - "percentile": 0.23163, - "date": "2025-12-14" + "percentile": 0.2314, + "date": "2025-12-15" } ], "cwes": [ @@ -3003,8 +3003,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -3051,8 +3051,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -3143,8 +3143,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -3191,8 +3191,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -3294,8 +3294,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ], "fix": { 
@@ -3337,8 +3337,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ] } @@ -3432,8 +3432,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ], "fix": { @@ -3475,8 +3475,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ] } @@ -3570,8 +3570,8 @@ { "cve": "CVE-2025-3360", "epss": 0.00068, - "percentile": 0.2117, - "date": "2025-12-14" + "percentile": 0.21148, + "date": "2025-12-15" } ], "cwes": [ @@ -3619,8 +3619,8 @@ { "cve": "CVE-2025-3360", "epss": 0.00068, - "percentile": 0.2117, - "date": "2025-12-14" + "percentile": 0.21148, + "date": "2025-12-15" } ], "cwes": [ @@ -3711,8 +3711,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -3772,8 +3772,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -3869,8 +3869,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -3930,8 +3930,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -4027,8 +4027,8 @@ { "cve": "CVE-2025-4598", "epss": 0.00042, - "percentile": 0.12535, - "date": "2025-12-14" + "percentile": 0.12486, + "date": "2025-12-15" } ], "cwes": [ @@ -4100,8 +4100,8 @@ { "cve": "CVE-2025-4598", "epss": 0.00042, - "percentile": 0.12535, - "date": "2025-12-14" + "percentile": 0.12486, + "date": "2025-12-15" } ], "cwes": [ 
@@ -4206,8 +4206,8 @@ { "cve": "CVE-2025-14512", "epss": 0.00034, - "percentile": 0.09609, - "date": "2025-12-14" + "percentile": 0.09535, + "date": "2025-12-15" } ], "cwes": [ @@ -4254,8 +4254,8 @@ { "cve": "CVE-2025-14512", "epss": 0.00034, - "percentile": 0.09609, - "date": "2025-12-14" + "percentile": 0.09535, + "date": "2025-12-15" } ], "cwes": [ @@ -4349,8 +4349,8 @@ { "cve": "CVE-2025-29478", "epss": 0.00034, - "percentile": 0.09478, - "date": "2025-12-14" + "percentile": 0.09393, + "date": "2025-12-15" } ], "cwes": [ @@ -4441,8 +4441,8 @@ { "cve": "CVE-2025-6965", "epss": 0.00022, - "percentile": 0.05249, - "date": "2025-12-14" + "percentile": 0.05222, + "date": "2025-12-15" } ], "cwes": [ @@ -4518,8 +4518,8 @@ { "cve": "CVE-2025-6965", "epss": 0.00022, - "percentile": 0.05249, - "date": "2025-12-14" + "percentile": 0.05222, + "date": "2025-12-15" } ], "cwes": [ @@ -4624,8 +4624,8 @@ { "cve": "CVE-2023-4156", "epss": 0.00031, - "percentile": 0.08475, - "date": "2025-12-14" + "percentile": 0.08405, + "date": "2025-12-15" } ], "cwes": [ @@ -4690,8 +4690,8 @@ { "cve": "CVE-2023-4156", "epss": 0.00031, - "percentile": 0.08475, - "date": "2025-12-14" + "percentile": 0.08405, + "date": "2025-12-15" } ], "cwes": [ @@ -4788,8 +4788,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ @@ -4864,8 +4864,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ @@ -4965,8 +4965,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ @@ -5041,8 +5041,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ 
@@ -5153,8 +5153,8 @@ { "cve": "CVE-2025-9714", "epss": 0.00024, - "percentile": 0.05691, - "date": "2025-12-14" + "percentile": 0.05683, + "date": "2025-12-15" } ], "cwes": [ @@ -5227,8 +5227,8 @@ { "cve": "CVE-2025-9714", "epss": 0.00024, - "percentile": 0.05691, - "date": "2025-12-14" + "percentile": 0.05683, + "date": "2025-12-15" } ], "cwes": [ @@ -5322,8 +5322,8 @@ { "cve": "CVE-2025-60753", "epss": 0.0002, - "percentile": 0.04699, - "date": "2025-12-14" + "percentile": 0.04656, + "date": "2025-12-15" } ], "cwes": [ @@ -5376,8 +5376,8 @@ { "cve": "CVE-2025-60753", "epss": 0.0002, - "percentile": 0.04699, - "date": "2025-12-14" + "percentile": 0.04656, + "date": "2025-12-15" } ], "cwes": [ @@ -5477,8 +5477,8 @@ { "cve": "CVE-2025-29477", "epss": 0.00019, - "percentile": 0.04132, - "date": "2025-12-14" + "percentile": 0.04084, + "date": "2025-12-15" } ], "cwes": [ @@ -5569,8 +5569,8 @@ { "cve": "CVE-2025-13601", "epss": 0.00015, - "percentile": 0.02458, - "date": "2025-12-14" + "percentile": 0.0245, + "date": "2025-12-15" } ], "cwes": [ @@ -5619,8 +5619,8 @@ { "cve": "CVE-2025-13601", "epss": 0.00015, - "percentile": 0.02458, - "date": "2025-12-14" + "percentile": 0.0245, + "date": "2025-12-15" } ], "cwes": [ @@ -5711,8 +5711,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ], "fix": { @@ -5753,8 +5753,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ] } @@ -5848,8 +5848,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ], "fix": { @@ -5890,8 +5890,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ] } 
@@ -5985,8 +5985,8 @@ { "cve": "CVE-2025-5915", "epss": 0.00026, - "percentile": 0.06449, - "date": "2025-12-14" + "percentile": 0.06425, + "date": "2025-12-15" } ], "cwes": [ @@ -6047,8 +6047,8 @@ { "cve": "CVE-2025-5915", "epss": 0.00026, - "percentile": 0.06449, - "date": "2025-12-14" + "percentile": 0.06425, + "date": "2025-12-15" } ], "cwes": [ @@ -6139,8 +6139,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -6192,8 +6192,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -6284,8 +6284,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -6337,8 +6337,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -6440,8 +6440,8 @@ { "cve": "CVE-2025-5916", "epss": 0.00023, - "percentile": 0.05378, - "date": "2025-12-14" + "percentile": 0.05349, + "date": "2025-12-15" } ], "cwes": [ @@ -6502,8 +6502,8 @@ { "cve": "CVE-2025-5916", "epss": 0.00023, - "percentile": 0.05378, - "date": "2025-12-14" + "percentile": 0.05349, + "date": "2025-12-15" } ], "cwes": [ @@ -6594,8 +6594,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -6642,8 +6642,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -6739,8 +6739,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ 
@@ -6787,8 +6787,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -6884,8 +6884,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -6932,8 +6932,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -7029,8 +7029,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -7077,8 +7077,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -7174,8 +7174,8 @@ { "cve": "CVE-2025-5278", "epss": 0.00016, - "percentile": 0.02784, - "date": "2025-12-14" + "percentile": 0.02777, + "date": "2025-12-15" } ], "cwes": [ @@ -7228,8 +7228,8 @@ { "cve": "CVE-2025-5278", "epss": 0.00016, - "percentile": 0.02784, - "date": "2025-12-14" + "percentile": 0.02777, + "date": "2025-12-15" } ], "cwes": [ @@ -7331,8 +7331,8 @@ { "cve": "CVE-2023-30571", "epss": 0.00014, - "percentile": 0.02021, - "date": "2025-12-14" + "percentile": 0.02012, + "date": "2025-12-15" } ], "cwes": [ @@ -7397,8 +7397,8 @@ { "cve": "CVE-2023-30571", "epss": 0.00014, - "percentile": 0.02021, - "date": "2025-12-14" + "percentile": 0.02012, + "date": "2025-12-15" } ], "cwes": [ @@ -7495,8 +7495,8 @@ { "cve": "CVE-2025-30258", "epss": 0.00025, - "percentile": 0.05983, - "date": "2025-12-14" + "percentile": 0.0597, + "date": "2025-12-15" } ], "cwes": [ @@ -7556,8 +7556,8 @@ { "cve": "CVE-2025-30258", "epss": 0.00025, - "percentile": 0.05983, - "date": "2025-12-14" + "percentile": 0.0597, + "date": "2025-12-15" } ], "cwes": [ 
@@ -7648,8 +7648,8 @@ { "cve": "CVE-2024-0232", "epss": 0.00018, - "percentile": 0.03785, - "date": "2025-12-14" + "percentile": 0.03749, + "date": "2025-12-15" } ], "cwes": [ @@ -7716,8 +7716,8 @@ { "cve": "CVE-2024-0232", "epss": 0.00018, - "percentile": 0.03785, - "date": "2025-12-14" + "percentile": 0.03749, + "date": "2025-12-15" } ], "cwes": [ @@ -7825,8 +7825,8 @@ { "cve": "CVE-2025-5918", "epss": 0.00019, - "percentile": 0.04307, - "date": "2025-12-14" + "percentile": 0.04264, + "date": "2025-12-15" } ], "cwes": [ @@ -7887,8 +7887,8 @@ { "cve": "CVE-2025-5918", "epss": 0.00019, - "percentile": 0.04307, - "date": "2025-12-14" + "percentile": 0.04264, + "date": "2025-12-15" } ], "cwes": [ @@ -7979,8 +7979,8 @@ { "cve": "CVE-2022-3219", "epss": 0.00012, - "percentile": 0.01397, - "date": "2025-12-14" + "percentile": 0.01394, + "date": "2025-12-15" } ], "cwes": [ @@ -8049,8 +8049,8 @@ { "cve": "CVE-2022-3219", "epss": 0.00012, - "percentile": 0.01397, - "date": "2025-12-14" + "percentile": 0.01394, + "date": "2025-12-15" } ], "cwes": [ @@ -8147,8 +8147,8 @@ { "cve": "CVE-2025-5917", "epss": 0.00019, - "percentile": 0.04396, - "date": "2025-12-14" + "percentile": 0.04351, + "date": "2025-12-15" } ], "cwes": [ @@ -8209,8 +8209,8 @@ { "cve": "CVE-2025-5917", "epss": 0.00019, - "percentile": 0.04396, - "date": "2025-12-14" + "percentile": 0.04351, + "date": "2025-12-15" } ], "cwes": [ @@ -8301,8 +8301,8 @@ { "cve": "CVE-2025-6170", "epss": 0.00017, - "percentile": 0.03384, - "date": "2025-12-14" + "percentile": 0.03368, + "date": "2025-12-15" } ], "cwes": [ @@ -8362,8 +8362,8 @@ { "cve": "CVE-2025-6170", "epss": 0.00017, - "percentile": 0.03384, - "date": "2025-12-14" + "percentile": 0.03368, + "date": "2025-12-15" } ], "cwes": [ 
@@ -8905,87 +8905,87 @@ "db": { "status": { "schemaVersion": "v6.1.3", - "from": "https://grype.anchore.io/databases/v6/vulnerability-db_v6.1.3_2025-12-15T00:26:22Z_1765786837.tar.zst?checksum=sha256%3A819b50d22f073b9ab2ad3c00d212207037c07e1de037f81b528b58717b758db2", - "built": "2025-12-15T08:20:37Z", + "from": "https://grype.anchore.io/databases/v6/vulnerability-db_v6.1.3_2025-12-16T00:25:11Z_1765880790.tar.zst?checksum=sha256%3Aa8bb3ef2cc68f242e78cda1e451f290ff56a23b1063de65d22a0ac20e16ae5bd", + "built": "2025-12-16T10:26:30Z", "path": ".cache/grype/db/6/vulnerability.db", "valid": true }, "providers": { "alma": { - "captured": "2025-12-15T00:26:29Z", + "captured": "2025-12-16T00:25:17Z", "input": "xxh64:3bae44c7a22f7a7a" }, "alpine": { - "captured": "2025-12-15T00:26:22Z", - "input": "xxh64:a6910ebae352b990" + "captured": "2025-12-16T00:25:13Z", + "input": "xxh64:0d94cc3d895e96e4" }, "amazon": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:d9332811ab10da09" + "captured": "2025-12-16T00:25:14Z", + "input": "xxh64:96351b3c21f16cdd" }, "bitnami": { - "captured": "2025-12-15T00:26:31Z", - "input": "xxh64:1ecf12b668dea077" + "captured": "2025-12-16T00:25:26Z", + "input": "xxh64:01d096e52d6c584d" }, "chainguard": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:c788b1823558ccdc" + "captured": "2025-12-16T00:25:19Z", + "input": "xxh64:aeb142b1fabd05ef" }, "chainguard-libraries": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:61125e10198fff74" + "captured": "2025-12-16T00:25:25Z", + "input": "xxh64:131c1a3e98113468" }, "debian": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:3a0aef0ee5db3f38" + "captured": "2025-12-16T00:25:24Z", + "input": "xxh64:9c5942d58a5f0d0a" }, "echo": { - "captured": "2025-12-15T00:26:34Z", - "input": "xxh64:b407f1052619408a" + "captured": "2025-12-16T00:25:20Z", + "input": "xxh64:e65ed35a7a7899d0" }, "epss": { - "captured": "2025-12-15T00:26:28Z", - "input": "xxh64:05fd1e2ee709d2a5" + "captured": 
"2025-12-16T00:25:21Z", + "input": "xxh64:c443dbaf0209cf17" }, "github": { - "captured": "2025-12-15T00:26:44Z", - "input": "xxh64:3c7fd996a88f1c66" + "captured": "2025-12-16T00:25:21Z", + "input": "xxh64:640038905439d285" }, "kev": { - "captured": "2025-12-15T00:26:23Z", - "input": "xxh64:ed425533655d771d" + "captured": "2025-12-16T00:25:11Z", + "input": "xxh64:c28f5b32e2103243" }, "mariner": { - "captured": "2025-12-15T00:26:32Z", - "input": "xxh64:6fdbff1192df3158" + "captured": "2025-12-16T00:25:18Z", + "input": "xxh64:647810a8c07a63eb" }, "minimos": { - "captured": "2025-12-15T00:26:30Z", - "input": "xxh64:66fa9397e7abbbe3" + "captured": "2025-12-16T00:25:20Z", + "input": "xxh64:24ca3b7889974a27" }, "nvd": { - "captured": "2025-12-15T00:29:34Z", - "input": "xxh64:52a15157244d2eb4" + "captured": "2025-12-16T00:28:18Z", + "input": "xxh64:8ee1877e9a9e680b" }, "oracle": { - "captured": "2025-12-15T00:26:29Z", - "input": "xxh64:a3297070ed6c54c1" + "captured": "2025-12-16T00:25:23Z", + "input": "xxh64:a4416b6b3e4250df" }, "rhel": { - "captured": "2025-12-15T00:27:19Z", - "input": "xxh64:e625d0086bf187f1" + "captured": "2025-12-16T00:26:07Z", + "input": "xxh64:9911b1a567d8f57c" }, "sles": { - "captured": "2025-12-15T00:26:44Z", - "input": "xxh64:baf8228a110f8ba2" + "captured": "2025-12-16T00:25:43Z", + "input": "xxh64:1b717d5f2e45fdee" }, "ubuntu": { - "captured": "2025-12-15T00:27:45Z", - "input": "xxh64:dd0f79d777310979" + "captured": "2025-12-16T00:27:14Z", + "input": "xxh64:2d3097578288b46f" }, "wolfi": { - "captured": "2025-12-15T00:26:25Z", - "input": "xxh64:7f14313934ae61bb" + "captured": "2025-12-16T00:25:19Z", + "input": "xxh64:f85923693eb62700" } } } diff --git a/docs/security/agent/grype-25.10.1.md b/docs/security/agent/grype-25.10.1.md index bf1199e..c6b144d 100644 --- a/docs/security/agent/grype-25.10.1.md +++ b/docs/security/agent/grype-25.10.1.md 
@@ -30,16 +30,16 @@ Refer to the [triaged vulnerabilities](https://docs.fluent.do/security/triaged.h | curl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-7264](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7264) | Low | | libcurl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-7264](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7264) | Low | | shadow-utils | 2:4.9-12.el9 | [CVE-2024-56433](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-56433) | Low | -| curl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | -| libcurl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | | libxml2 | 2.9.13-12.el9_6 | [CVE-2024-34459](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34459) | Low | | openssl | 1:3.2.2-6.el9_5.1 | [CVE-2024-41996](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41996) | Low | | openssl-libs | 1:3.2.2-6.el9_5.1 | [CVE-2024-41996](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41996) | Low | +| curl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | +| libcurl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | | curl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-11053](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-11053) | Low | | libcurl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-11053](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-11053) | Low | | glib2 | 2.68.4-16.el9_6.2 | [CVE-2023-32636](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32636) | Low | -| libarchive | 3.5.3-6.el9_6 | [CVE-2025-1632](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1632) | Low | | libxml2 | 2.9.13-12.el9_6 | [CVE-2025-27113](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27113) | Low | +| libarchive | 3.5.3-6.el9_6 | 
[CVE-2025-1632](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1632) | Low | | openssl | 1:3.2.2-6.el9_5.1 | [CVE-2024-13176](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13176) | Low | | openssl-libs | 1:3.2.2-6.el9_5.1 | [CVE-2024-13176](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13176) | Low | | libxml2 | 2.9.13-12.el9_6 | [CVE-2023-45322](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45322) | Low | diff --git a/docs/security/agent/grype-25.10.2.json b/docs/security/agent/grype-25.10.2.json index f97c466..298e7d4 100644 --- a/docs/security/agent/grype-25.10.2.json +++ b/docs/security/agent/grype-25.10.2.json @@ -25,8 +25,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -91,8 +91,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -194,8 +194,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -260,8 +260,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -363,8 +363,8 @@ { "cve": "CVE-2024-56433", "epss": 0.05074, - "percentile": 0.8942, - "date": "2025-12-14" + "percentile": 0.89421, + "date": "2025-12-15" } ], "cwes": [ @@ -426,8 +426,8 @@ { "cve": "CVE-2024-56433", "epss": 0.05074, - "percentile": 0.8942, - "date": "2025-12-14" + "percentile": 0.89421, + "date": "2025-12-15" } ], "cwes": [ 
@@ -504,39 +504,39 @@ }, { "vulnerability": { - "id": "CVE-2024-9681", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", + "id": "CVE-2024-34459", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-34459", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", + "description": "A flaw was found in the xmllint program distributed by the libxml2 package. A buffer over-read in the xmlHTMLPrintFileContext function in the xmllint.c file may be triggered when a crafted file is processed with the xmllint program using the `--htmlout` command line option, causing an application crash and resulting in a denial of service.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 3.9, - "exploitabilityScore": 1.4, - "impactScore": 2.6 + "baseScore": 5.5, + "exploitabilityScore": 1.9, + "impactScore": 3.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-34459", + "epss": 0.00847, + "percentile": 0.74212, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-34459", + "cwe": "CWE-122", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ], "fix": { 
@@ -544,51 +544,36 @@ "state": "not-fixed" }, "advisories": [], - "risk": 0.422625 + "risk": 0.35997500000000004 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-9681", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", + "id": "CVE-2024-34459", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-34459", "namespace": "nvd:cpe", - "severity": "Medium", + "severity": "High", "urls": [ - "https://curl.se/docs/CVE-2024-9681.html", - "https://curl.se/docs/CVE-2024-9681.json", - "https://hackerone.com/reports/2764830", - "http://seclists.org/fulldisclosure/2025/Apr/10", - "http://seclists.org/fulldisclosure/2025/Apr/11", - "http://seclists.org/fulldisclosure/2025/Apr/12", - "http://seclists.org/fulldisclosure/2025/Apr/13", - "http://seclists.org/fulldisclosure/2025/Apr/4", - "http://seclists.org/fulldisclosure/2025/Apr/5", - "http://seclists.org/fulldisclosure/2025/Apr/8", - "http://seclists.org/fulldisclosure/2025/Apr/9", - "http://www.openwall.com/lists/oss-security/2024/11/06/2", - "https://security.netapp.com/advisory/ntap-20241213-0006/" + "https://gitlab.gnome.org/GNOME/libxml2/-/issues/720", + "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.8", + "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.7", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/", + "https://lists.debian.org/debian-lts-announce/2025/07/msg00014.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", + 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/" ], - "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", + "description": "An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. 
Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c.", "cvss": [ - { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", - "metrics": { - "baseScore": 6.5, - "exploitabilityScore": 2.3, - "impactScore": 4.3 - }, - "vendorMetadata": {} - }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, + "baseScore": 7.5, + "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} @@ -596,25 +581,25 @@ ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-34459", + "epss": 0.00847, + "percentile": 0.74212, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-34459", + "cwe": "CWE-122", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ] } ], "matchDetails": [ { - "type": "exact-indirect-match", + "type": "exact-direct-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { @@ -622,21 +607,21 @@ "version": "9.6" }, "package": { - "name": "curl", - "version": "7.76.1-31.el9_6.1" + "name": "libxml2", + "version": "0:2.9.13-12.el9_6" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-9681", + "vulnerabilityID": "CVE-2024-34459", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "707ec843794b77ca", - "name": "curl-minimal", - "version": "7.76.1-31.el9_6.1", + "id": "66b25e26e34fcd34", + "name": "libxml2", + "version": "2.9.13-12.el9_6", "type": "rpm", "locations": [ { 
@@ -653,22 +638,11 @@ "MIT" ], "cpes": [ - "cpe:2.3:a:curl-minimal:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:curl-minimal:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:curl_minimal:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:curl_minimal:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:curl:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:curl:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*" - ], - "purl": "pkg:rpm/redhat/curl-minimal@7.76.1-31.el9_6.1?arch=x86_64&distro=rhel-9.6&upstream=curl-7.76.1-31.el9_6.1.src.rpm", - "upstreams": [ - { - "name": "curl", - "version": "7.76.1-31.el9_6.1" - } + "cpe:2.3:a:libxml2:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*" ], + "purl": "pkg:rpm/redhat/libxml2@2.9.13-12.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libxml2-2.9.13-12.el9_6.src.rpm", + "upstreams": [], "metadataType": "RpmMetadata", "metadata": { "epoch": null, 
@@ -678,91 +652,69 @@ }, { "vulnerability": { - "id": "CVE-2024-9681", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", + "id": "CVE-2024-41996", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", + "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 3.9, - "exploitabilityScore": 1.4, - "impactScore": 2.6 + "baseScore": 5.9, + "exploitabilityScore": 2.3, + "impactScore": 3.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-41996", + "cwe": "CWE-295", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ], "fix": { "versions": [], - "state": "not-fixed" + "state": "wont-fix" }, "advisories": [], - "risk": 0.422625 + "risk": 0.30705000000000005 }, 
"relatedVulnerabilities": [ { - "id": "CVE-2024-9681", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", + "id": "CVE-2024-41996", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", "namespace": "nvd:cpe", - "severity": "Medium", + "severity": "High", "urls": [ - "https://curl.se/docs/CVE-2024-9681.html", - "https://curl.se/docs/CVE-2024-9681.json", - "https://hackerone.com/reports/2764830", - "http://seclists.org/fulldisclosure/2025/Apr/10", - "http://seclists.org/fulldisclosure/2025/Apr/11", - "http://seclists.org/fulldisclosure/2025/Apr/12", - "http://seclists.org/fulldisclosure/2025/Apr/13", - "http://seclists.org/fulldisclosure/2025/Apr/4", - "http://seclists.org/fulldisclosure/2025/Apr/5", - "http://seclists.org/fulldisclosure/2025/Apr/8", - "http://seclists.org/fulldisclosure/2025/Apr/9", - "http://www.openwall.com/lists/oss-security/2024/11/06/2", - "https://security.netapp.com/advisory/ntap-20241213-0006/" + "https://dheatattack.gitlab.io/details/", + "https://dheatattack.gitlab.io/faq/", + "https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" ], - "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug 
is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", + "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", "cvss": [ - { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", - "metrics": { - "baseScore": 6.5, - "exploitabilityScore": 2.3, - "impactScore": 4.3 - }, - "vendorMetadata": {} - }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, + "baseScore": 7.5, + "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} 
@@ -770,25 +722,25 @@ ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-41996", + "cwe": "CWE-295", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ] } ], "matchDetails": [ { - "type": "exact-indirect-match", + "type": "exact-direct-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { @@ -796,21 +748,21 @@ "version": "9.6" }, "package": { - "name": "curl", - "version": "7.76.1-31.el9_6.1" + "name": "openssl", + "version": "1:3.2.2-6.el9_5.1" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-9681", + "vulnerabilityID": "CVE-2024-41996", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "220f5f360bc1aff5", - "name": "libcurl-minimal", - "version": "7.76.1-31.el9_6.1", + "id": "7dc75dc862d10c78", + "name": "openssl", + "version": "1:3.2.2-6.el9_5.1", "type": "rpm", "locations": [ { 
@@ -824,48 +776,37 @@ ], "language": "", "licenses": [ - "MIT" + "ASL 2.0" ], "cpes": [ - "cpe:2.3:a:libcurl-minimal:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl-minimal:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl_minimal:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl_minimal:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*" - ], - "purl": "pkg:rpm/redhat/libcurl-minimal@7.76.1-31.el9_6.1?arch=x86_64&distro=rhel-9.6&upstream=curl-7.76.1-31.el9_6.1.src.rpm", - "upstreams": [ - { - "name": "curl", - "version": "7.76.1-31.el9_6.1" - } + "cpe:2.3:a:openssl:openssl:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:openssl:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*" ], + "purl": "pkg:rpm/redhat/openssl@3.2.2-6.el9_5.1?arch=x86_64&distro=rhel-9.6&epoch=1&upstream=openssl-3.2.2-6.el9_5.1.src.rpm", + "upstreams": [], "metadataType": "RpmMetadata", "metadata": { - "epoch": null, + "epoch": 1, "modularityLabel": "" } } }, { "vulnerability": { - "id": "CVE-2024-34459", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-34459", + "id": "CVE-2024-41996", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A flaw was found in the xmllint program distributed by the libxml2 package. 
A buffer over-read in the xmlHTMLPrintFileContext function in the xmllint.c file may be triggered when a crafted file is processed with the xmllint program using the `--htmlout` command line option, causing an application crash and resulting in a denial of service.", + "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 5.5, - "exploitabilityScore": 1.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} 
@@ -873,52 +814,45 @@ ], "epss": [ { - "cve": "CVE-2024-34459", - "epss": 0.00847, - "percentile": 0.74208, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-34459", - "cwe": "CWE-122", + "cve": "CVE-2024-41996", + "cwe": "CWE-295", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ], "fix": { "versions": [], - "state": "not-fixed" + "state": "wont-fix" }, "advisories": [], - "risk": 0.35997500000000004 + "risk": 0.30705000000000005 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-34459", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-34459", + "id": "CVE-2024-41996", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", "namespace": "nvd:cpe", "severity": "High", "urls": [ - "https://gitlab.gnome.org/GNOME/libxml2/-/issues/720", - "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.8", - "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.7", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/", - "https://lists.debian.org/debian-lts-announce/2025/07/msg00014.html", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/" + "https://dheatattack.gitlab.io/details/", + "https://dheatattack.gitlab.io/faq/", + 
"https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" ], - "description": "An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c.", + "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", "cvss": [ { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { "baseScore": 7.5, "exploitabilityScore": 3.9, @@ -929,16 +863,16 @@ ], "epss": [ { - "cve": "CVE-2024-34459", - "epss": 0.00847, - "percentile": 0.74208, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-34459", - "cwe": "CWE-122", + "cve": "CVE-2024-41996", + "cwe": "CWE-295", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } @@ -947,7 +881,7 @@ ], "matchDetails": [ { - "type": "exact-direct-match", + "type": "exact-indirect-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { 
@@ -955,21 +889,21 @@ "version": "9.6" }, "package": { - "name": "libxml2", - "version": "0:2.9.13-12.el9_6" + "name": "openssl", + "version": "3.2.2-6.el9_5.1" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-34459", + "vulnerabilityID": "CVE-2024-41996", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "66b25e26e34fcd34", - "name": "libxml2", - "version": "2.9.13-12.el9_6", + "id": "58e683943e8aac02", + "name": "openssl-libs", + "version": "1:3.2.2-6.el9_5.1", "type": "rpm", "locations": [ { 
@@ -983,86 +917,119 @@ ], "language": "", "licenses": [ - "MIT" + "ASL 2.0" ], "cpes": [ - "cpe:2.3:a:libxml2:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*" + "cpe:2.3:a:openssl-libs:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl-libs:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl_libs:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl_libs:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:rpm/redhat/openssl-libs@3.2.2-6.el9_5.1?arch=x86_64&distro=rhel-9.6&epoch=1&upstream=openssl-3.2.2-6.el9_5.1.src.rpm", + "upstreams": [ + { + "name": "openssl", + "version": "3.2.2-6.el9_5.1" + } ], - "purl": "pkg:rpm/redhat/libxml2@2.9.13-12.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libxml2-2.9.13-12.el9_6.src.rpm", - "upstreams": [], "metadataType": "RpmMetadata", "metadata": { - "epoch": null, + "epoch": 1, "modularityLabel": "" } } }, { "vulnerability": { - "id": "CVE-2024-41996", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. 
This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", + "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, - "impactScore": 3.6 + "baseScore": 3.9, + "exploitabilityScore": 1.4, + "impactScore": 2.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ], "fix": { "versions": [], - "state": "wont-fix" + "state": "not-fixed" }, "advisories": [], - "risk": 0.30705000000000005 + "risk": 0.20009999999999997 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-41996", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", "namespace": "nvd:cpe", - "severity": "High", + "severity": "Medium", "urls": [ - "https://dheatattack.gitlab.io/details/", - "https://dheatattack.gitlab.io/faq/", - "https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" + "https://curl.se/docs/CVE-2024-9681.html", + "https://curl.se/docs/CVE-2024-9681.json", + "https://hackerone.com/reports/2764830", + "http://seclists.org/fulldisclosure/2025/Apr/10", + 
"http://seclists.org/fulldisclosure/2025/Apr/11", + "http://seclists.org/fulldisclosure/2025/Apr/12", + "http://seclists.org/fulldisclosure/2025/Apr/13", + "http://seclists.org/fulldisclosure/2025/Apr/4", + "http://seclists.org/fulldisclosure/2025/Apr/5", + "http://seclists.org/fulldisclosure/2025/Apr/8", + "http://seclists.org/fulldisclosure/2025/Apr/9", + "http://www.openwall.com/lists/oss-security/2024/11/06/2", + "https://security.netapp.com/advisory/ntap-20241213-0006/" ], - "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", + "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for 
by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.3, + "impactScore": 4.3 + }, + "vendorMetadata": {} + }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} @@ -1070,25 +1037,25 @@ ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ] } ], "matchDetails": [ { - "type": "exact-direct-match", + "type": "exact-indirect-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { 
@@ -1096,21 +1063,21 @@ "version": "9.6" }, "package": { - "name": "openssl", - "version": "1:3.2.2-6.el9_5.1" + "name": "curl", + "version": "7.76.1-31.el9_6.1" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-41996", + "vulnerabilityID": "CVE-2024-9681", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "7dc75dc862d10c78", - "name": "openssl", - "version": "1:3.2.2-6.el9_5.1", + "id": "707ec843794b77ca", + "name": "curl-minimal", + "version": "7.76.1-31.el9_6.1", "type": "rpm", "locations": [ { 
@@ -1124,86 +1091,119 @@ ], "language": "", "licenses": [ - "ASL 2.0" + "MIT" ], "cpes": [ - "cpe:2.3:a:openssl:openssl:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:openssl:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*" + "cpe:2.3:a:curl-minimal:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:curl-minimal:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:curl_minimal:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:curl_minimal:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:curl:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:curl:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:rpm/redhat/curl-minimal@7.76.1-31.el9_6.1?arch=x86_64&distro=rhel-9.6&upstream=curl-7.76.1-31.el9_6.1.src.rpm", + "upstreams": [ + { + "name": "curl", + "version": "7.76.1-31.el9_6.1" + } ], - "purl": "pkg:rpm/redhat/openssl@3.2.2-6.el9_5.1?arch=x86_64&distro=rhel-9.6&epoch=1&upstream=openssl-3.2.2-6.el9_5.1.src.rpm", - "upstreams": [], "metadataType": "RpmMetadata", "metadata": { - "epoch": 1, + "epoch": null, "modularityLabel": "" } } }, { "vulnerability": { - "id": "CVE-2024-41996", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. 
This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", + "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, - "impactScore": 3.6 + "baseScore": 3.9, + "exploitabilityScore": 1.4, + "impactScore": 2.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ], "fix": { "versions": [], - "state": "wont-fix" + "state": "not-fixed" }, "advisories": [], - "risk": 0.30705000000000005 + "risk": 0.20009999999999997 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-41996", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", "namespace": "nvd:cpe", - "severity": "High", + "severity": "Medium", "urls": [ - "https://dheatattack.gitlab.io/details/", - "https://dheatattack.gitlab.io/faq/", - "https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" + "https://curl.se/docs/CVE-2024-9681.html", + "https://curl.se/docs/CVE-2024-9681.json", + "https://hackerone.com/reports/2764830", + "http://seclists.org/fulldisclosure/2025/Apr/10", + 
"http://seclists.org/fulldisclosure/2025/Apr/11", + "http://seclists.org/fulldisclosure/2025/Apr/12", + "http://seclists.org/fulldisclosure/2025/Apr/13", + "http://seclists.org/fulldisclosure/2025/Apr/4", + "http://seclists.org/fulldisclosure/2025/Apr/5", + "http://seclists.org/fulldisclosure/2025/Apr/8", + "http://seclists.org/fulldisclosure/2025/Apr/9", + "http://www.openwall.com/lists/oss-security/2024/11/06/2", + "https://security.netapp.com/advisory/ntap-20241213-0006/" ], - "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", + "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for 
by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.3, + "impactScore": 4.3 + }, + "vendorMetadata": {} + }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} @@ -1211,18 +1211,18 @@ ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ] } @@ -1237,21 +1237,21 @@ "version": "9.6" }, "package": { - "name": "openssl", - "version": "3.2.2-6.el9_5.1" + "name": "curl", + "version": "7.76.1-31.el9_6.1" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-41996", + "vulnerabilityID": "CVE-2024-9681", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "58e683943e8aac02", - "name": "openssl-libs", - "version": "1:3.2.2-6.el9_5.1", + "id": "220f5f360bc1aff5", + "name": "libcurl-minimal", + "version": "7.76.1-31.el9_6.1", "type": "rpm", "locations": [ { 
@@ -1265,28 +1265,28 @@ ], "language": "", "licenses": [ - "ASL 2.0" + "MIT" ], "cpes": [ - "cpe:2.3:a:openssl-libs:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl-libs:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl_libs:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl_libs:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*" + "cpe:2.3:a:libcurl-minimal:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl-minimal:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl_minimal:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl_minimal:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*" ], - "purl": "pkg:rpm/redhat/openssl-libs@3.2.2-6.el9_5.1?arch=x86_64&distro=rhel-9.6&epoch=1&upstream=openssl-3.2.2-6.el9_5.1.src.rpm", + "purl": "pkg:rpm/redhat/libcurl-minimal@7.76.1-31.el9_6.1?arch=x86_64&distro=rhel-9.6&upstream=curl-7.76.1-31.el9_6.1.src.rpm", "upstreams": [ { - "name": "openssl", - "version": "3.2.2-6.el9_5.1" + "name": "curl", + "version": "7.76.1-31.el9_6.1" } ], "metadataType": "RpmMetadata", "metadata": { - "epoch": 1, + "epoch": null, "modularityLabel": "" } } @@ -1316,8 +1316,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ], "fix": { 
@@ -1361,8 +1361,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ] } @@ -1456,8 +1456,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ], "fix": { @@ -1501,8 +1501,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ] } @@ -1596,8 +1596,8 @@ { "cve": "CVE-2025-14087", "epss": 0.00197, - "percentile": 0.41855, - "date": "2025-12-14" + "percentile": 0.41841, + "date": "2025-12-15" } ], "cwes": [ @@ -1644,8 +1644,8 @@ { "cve": "CVE-2025-14087", "epss": 0.00197, - "percentile": 0.41855, - "date": "2025-12-14" + "percentile": 0.41841, + "date": "2025-12-15" } ], "cwes": [ @@ -1736,8 +1736,8 @@ { "cve": "CVE-2023-32636", "epss": 0.00165, - "percentile": 0.38062, - "date": "2025-12-14" + "percentile": 0.38035, + "date": "2025-12-15" } ], "cwes": [ @@ -1803,8 +1803,8 @@ { "cve": "CVE-2023-32636", "epss": 0.00165, - "percentile": 0.38062, - "date": "2025-12-14" + "percentile": 0.38035, + "date": "2025-12-15" } ], "cwes": [ 
@@ -1878,20 +1878,20 @@ }, { "vulnerability": { - "id": "CVE-2025-1632", - "dataSource": "https://access.redhat.com/security/cve/CVE-2025-1632", + "id": "CVE-2025-27113", + "dataSource": "https://access.redhat.com/security/cve/CVE-2025-27113", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A flaw was found in the bsdunzip utility of libarchive. In affected versions, a specially crafted file may trigger a null pointer dereference. This issue can lead to an application crash or other unexpected behavior.", + "description": "A flaw was found in libxml2. This vulnerability allows a NULL pointer dereference, leading to a potential crash or denial of service via a crafted XML pattern.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L", "metrics": { - "baseScore": 3.3, - "exploitabilityScore": 1.9, + "baseScore": 3.1, + "exploitabilityScore": 1.7, "impactScore": 1.5 }, "vendorMetadata": {} @@ -1899,27 +1899,21 @@ ], "epss": [ { - "cve": "CVE-2025-1632", - "epss": 0.00188, - "percentile": 0.40872, - "date": "2025-12-14" + "cve": "CVE-2025-27113", + "epss": 0.00217, + "percentile": 0.44238, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-1632", - "cwe": "CWE-404", - "source": "cna@vuldb.com", - "type": "Secondary" - }, - { - "cve": "CVE-2025-1632", + "cve": "CVE-2025-27113", "cwe": "CWE-476", - "source": "cna@vuldb.com", + "source": "cve@mitre.org", "type": "Secondary" }, { - "cve": "CVE-2025-1632", + "cve": "CVE-2025-27113", "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" 
@@ -1930,92 +1924,71 @@ "state": "not-fixed" }, "advisories": [], - "risk": 0.05921999999999999 + "risk": 0.066185 }, "relatedVulnerabilities": [ { - "id": "CVE-2025-1632", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-1632", + "id": "CVE-2025-27113", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-27113", "namespace": "nvd:cpe", - "severity": "Medium", + "severity": "High", "urls": [ - "https://github.com/Ekkosun/pocs/blob/main/bsdunzip-poc", - "https://vuldb.com/?ctiid.296619", - "https://vuldb.com/?id.296619", - "https://vuldb.com/?submit.496460" + "https://gitlab.gnome.org/GNOME/libxml2/-/issues/861", + "http://seclists.org/fulldisclosure/2025/Apr/10", + "http://seclists.org/fulldisclosure/2025/Apr/11", + "http://seclists.org/fulldisclosure/2025/Apr/12", + "http://seclists.org/fulldisclosure/2025/Apr/13", + "http://seclists.org/fulldisclosure/2025/Apr/4", + "http://seclists.org/fulldisclosure/2025/Apr/5", + "http://seclists.org/fulldisclosure/2025/Apr/8", + "http://seclists.org/fulldisclosure/2025/Apr/9", + "https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html", + "https://security.netapp.com/advisory/ntap-20250306-0004/" ], - "description": "A vulnerability was found in libarchive up to 3.7.7. It has been classified as problematic. This affects the function list of the file bsdunzip.c. The manipulation leads to null pointer dereference. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. 
The vendor was contacted early about this disclosure but did not respond in any way.", + "description": "libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer dereference in xmlPatMatch in pattern.c.", "cvss": [ { "source": "nvd@nist.gov", "type": "Primary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 5.5, - "exploitabilityScore": 1.9, + "baseScore": 7.5, + "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} }, { - "source": "cna@vuldb.com", - "type": "Secondary", - "version": "4.0", - "vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", - "metrics": { - "baseScore": 4.8 - }, - "vendorMetadata": {} - }, - { - "source": "cna@vuldb.com", + "source": "cve@mitre.org", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "metrics": { - "baseScore": 3.3, - "exploitabilityScore": 1.9, + "baseScore": 2.9, + "exploitabilityScore": 1.5, "impactScore": 1.5 }, "vendorMetadata": {} - }, - { - "source": "cna@vuldb.com", - "type": "Secondary", - "version": "2.0", - "vector": "AV:L/AC:L/Au:S/C:N/I:N/A:P", - "metrics": { - "baseScore": 1.7, - "exploitabilityScore": 3.2, - "impactScore": 2.9 - }, - "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2025-1632", - "epss": 0.00188, - "percentile": 0.40872, - "date": "2025-12-14" + "cve": "CVE-2025-27113", + "epss": 0.00217, + "percentile": 0.44238, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-1632", - "cwe": "CWE-404", - "source": "cna@vuldb.com", - "type": "Secondary" - }, - { - "cve": "CVE-2025-1632", + "cve": "CVE-2025-27113", "cwe": "CWE-476", - "source": "cna@vuldb.com", + "source": "cve@mitre.org", "type": "Secondary" }, { - 
"cve": "CVE-2025-1632", + "cve": "CVE-2025-27113", "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" @@ -2033,21 +2006,21 @@ "version": "9.6" }, "package": { - "name": "libarchive", - "version": "0:3.5.3-6.el9_6" + "name": "libxml2", + "version": "0:2.9.13-12.el9_6" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2025-1632", + "vulnerabilityID": "CVE-2025-27113", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "5fe8b53173092253", - "name": "libarchive", - "version": "3.5.3-6.el9_6", + "id": "66b25e26e34fcd34", + "name": "libxml2", + "version": "2.9.13-12.el9_6", "type": "rpm", "locations": [ { @@ -2061,13 +2034,13 @@ ], "language": "", "licenses": [ - "BSD" + "MIT" ], "cpes": [ - "cpe:2.3:a:libarchive:libarchive:3.5.3-6.el9_6:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libarchive:3.5.3-6.el9_6:*:*:*:*:*:*:*" + "cpe:2.3:a:libxml2:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*" ], - "purl": "pkg:rpm/redhat/libarchive@3.5.3-6.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libarchive-3.5.3-6.el9_6.src.rpm", + "purl": "pkg:rpm/redhat/libxml2@2.9.13-12.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libxml2-2.9.13-12.el9_6.src.rpm", "upstreams": [], "metadataType": "RpmMetadata", "metadata": { 
@@ -2078,20 +2051,20 @@ }, { "vulnerability": { - "id": "CVE-2025-27113", - "dataSource": "https://access.redhat.com/security/cve/CVE-2025-27113", + "id": "CVE-2025-1632", + "dataSource": "https://access.redhat.com/security/cve/CVE-2025-1632", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A flaw was found in libxml2. This vulnerability allows a NULL pointer dereference, leading to a potential crash or denial of service via a crafted XML pattern.", + "description": "A flaw was found in the bsdunzip utility of libarchive. In affected versions, a specially crafted file may trigger a null pointer dereference. This issue can lead to an application crash or other unexpected behavior.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "metrics": { - "baseScore": 3.1, - "exploitabilityScore": 1.7, + "baseScore": 3.3, + "exploitabilityScore": 1.9, "impactScore": 1.5 }, "vendorMetadata": {} @@ -2099,21 +2072,27 @@ ], "epss": [ { - "cve": "CVE-2025-27113", - "epss": 0.00184, - "percentile": 0.40434, - "date": "2025-12-14" + "cve": "CVE-2025-1632", + "epss": 0.00188, + "percentile": 0.40856, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-27113", + "cve": "CVE-2025-1632", + "cwe": "CWE-404", + "source": "cna@vuldb.com", + "type": "Secondary" + }, + { + "cve": "CVE-2025-1632", "cwe": "CWE-476", - "source": "cve@mitre.org", + "source": "cna@vuldb.com", "type": "Secondary" }, { - "cve": "CVE-2025-27113", + "cve": "CVE-2025-1632", "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" 
@@ -2124,71 +2103,92 @@ "state": "not-fixed" }, "advisories": [], - "risk": 0.056119999999999996 + "risk": 0.05921999999999999 }, "relatedVulnerabilities": [ { - "id": "CVE-2025-27113", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-27113", + "id": "CVE-2025-1632", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-1632", "namespace": "nvd:cpe", - "severity": "High", + "severity": "Medium", "urls": [ - "https://gitlab.gnome.org/GNOME/libxml2/-/issues/861", - "http://seclists.org/fulldisclosure/2025/Apr/10", - "http://seclists.org/fulldisclosure/2025/Apr/11", - "http://seclists.org/fulldisclosure/2025/Apr/12", - "http://seclists.org/fulldisclosure/2025/Apr/13", - "http://seclists.org/fulldisclosure/2025/Apr/4", - "http://seclists.org/fulldisclosure/2025/Apr/5", - "http://seclists.org/fulldisclosure/2025/Apr/8", - "http://seclists.org/fulldisclosure/2025/Apr/9", - "https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html", - "https://security.netapp.com/advisory/ntap-20250306-0004/" + "https://github.com/Ekkosun/pocs/blob/main/bsdunzip-poc", + "https://vuldb.com/?ctiid.296619", + "https://vuldb.com/?id.296619", + "https://vuldb.com/?submit.496460" ], - "description": "libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer dereference in xmlPatMatch in pattern.c.", + "description": "A vulnerability was found in libarchive up to 3.7.7. It has been classified as problematic. This affects the function list of the file bsdunzip.c. The manipulation leads to null pointer dereference. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. 
The vendor was contacted early about this disclosure but did not respond in any way.", "cvss": [ { "source": "nvd@nist.gov", "type": "Primary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, + "baseScore": 5.5, + "exploitabilityScore": 1.9, "impactScore": 3.6 }, "vendorMetadata": {} }, { - "source": "cve@mitre.org", + "source": "cna@vuldb.com", + "type": "Secondary", + "version": "4.0", + "vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", + "metrics": { + "baseScore": 4.8 + }, + "vendorMetadata": {} + }, + { + "source": "cna@vuldb.com", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "metrics": { - "baseScore": 2.9, - "exploitabilityScore": 1.5, + "baseScore": 3.3, + "exploitabilityScore": 1.9, "impactScore": 1.5 }, "vendorMetadata": {} + }, + { + "source": "cna@vuldb.com", + "type": "Secondary", + "version": "2.0", + "vector": "AV:L/AC:L/Au:S/C:N/I:N/A:P", + "metrics": { + "baseScore": 1.7, + "exploitabilityScore": 3.2, + "impactScore": 2.9 + }, + "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2025-27113", - "epss": 0.00184, - "percentile": 0.40434, - "date": "2025-12-14" + "cve": "CVE-2025-1632", + "epss": 0.00188, + "percentile": 0.40856, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-27113", + "cve": "CVE-2025-1632", + "cwe": "CWE-404", + "source": "cna@vuldb.com", + "type": "Secondary" + }, + { + "cve": "CVE-2025-1632", "cwe": "CWE-476", - "source": "cve@mitre.org", + "source": "cna@vuldb.com", "type": "Secondary" }, { - "cve": "CVE-2025-27113", + "cve": "CVE-2025-1632", "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" 
@@ -2206,21 +2206,21 @@ "version": "9.6" }, "package": { - "name": "libxml2", - "version": "0:2.9.13-12.el9_6" + "name": "libarchive", + "version": "0:3.5.3-6.el9_6" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2025-27113", + "vulnerabilityID": "CVE-2025-1632", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "66b25e26e34fcd34", - "name": "libxml2", - "version": "2.9.13-12.el9_6", + "id": "5fe8b53173092253", + "name": "libarchive", + "version": "3.5.3-6.el9_6", "type": "rpm", "locations": [ { @@ -2234,13 +2234,13 @@ ], "language": "", "licenses": [ - "MIT" + "BSD" ], "cpes": [ - "cpe:2.3:a:libxml2:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*" + "cpe:2.3:a:libarchive:libarchive:3.5.3-6.el9_6:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libarchive:3.5.3-6.el9_6:*:*:*:*:*:*:*" ], - "purl": "pkg:rpm/redhat/libxml2@2.9.13-12.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libxml2-2.9.13-12.el9_6.src.rpm", + "purl": "pkg:rpm/redhat/libarchive@3.5.3-6.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libarchive-3.5.3-6.el9_6.src.rpm", "upstreams": [], "metadataType": "RpmMetadata", "metadata": { @@ -2274,8 +2274,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ], "fix": { @@ -2316,8 +2316,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ] } @@ -2411,8 +2411,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ], "fix": { @@ -2453,8 +2453,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ] } 
@@ -2548,8 +2548,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -2607,8 +2607,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -2699,8 +2699,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -2758,8 +2758,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -2861,8 +2861,8 @@ { "cve": "CVE-2023-45322", "epss": 0.00076, - "percentile": 0.23163, - "date": "2025-12-14" + "percentile": 0.2314, + "date": "2025-12-15" } ], "cwes": [ @@ -2911,8 +2911,8 @@ { "cve": "CVE-2023-45322", "epss": 0.00076, - "percentile": 0.23163, - "date": "2025-12-14" + "percentile": 0.2314, + "date": "2025-12-15" } ], "cwes": [ @@ -3003,8 +3003,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -3051,8 +3051,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -3143,8 +3143,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -3191,8 +3191,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -3294,8 +3294,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ], "fix": { 
@@ -3337,8 +3337,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ] } @@ -3432,8 +3432,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ], "fix": { @@ -3475,8 +3475,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ] } @@ -3570,8 +3570,8 @@ { "cve": "CVE-2025-3360", "epss": 0.00068, - "percentile": 0.2117, - "date": "2025-12-14" + "percentile": 0.21148, + "date": "2025-12-15" } ], "cwes": [ @@ -3619,8 +3619,8 @@ { "cve": "CVE-2025-3360", "epss": 0.00068, - "percentile": 0.2117, - "date": "2025-12-14" + "percentile": 0.21148, + "date": "2025-12-15" } ], "cwes": [ @@ -3711,8 +3711,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -3772,8 +3772,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -3869,8 +3869,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -3930,8 +3930,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -4027,8 +4027,8 @@ { "cve": "CVE-2025-4598", "epss": 0.00042, - "percentile": 0.12535, - "date": "2025-12-14" + "percentile": 0.12486, + "date": "2025-12-15" } ], "cwes": [ @@ -4100,8 +4100,8 @@ { "cve": "CVE-2025-4598", "epss": 0.00042, - "percentile": 0.12535, - "date": "2025-12-14" + "percentile": 0.12486, + "date": "2025-12-15" } ], "cwes": [ 
@@ -4206,8 +4206,8 @@ { "cve": "CVE-2025-14512", "epss": 0.00034, - "percentile": 0.09609, - "date": "2025-12-14" + "percentile": 0.09535, + "date": "2025-12-15" } ], "cwes": [ @@ -4254,8 +4254,8 @@ { "cve": "CVE-2025-14512", "epss": 0.00034, - "percentile": 0.09609, - "date": "2025-12-14" + "percentile": 0.09535, + "date": "2025-12-15" } ], "cwes": [ @@ -4349,8 +4349,8 @@ { "cve": "CVE-2025-29478", "epss": 0.00034, - "percentile": 0.09478, - "date": "2025-12-14" + "percentile": 0.09393, + "date": "2025-12-15" } ], "cwes": [ @@ -4441,8 +4441,8 @@ { "cve": "CVE-2025-6965", "epss": 0.00022, - "percentile": 0.05249, - "date": "2025-12-14" + "percentile": 0.05222, + "date": "2025-12-15" } ], "cwes": [ @@ -4518,8 +4518,8 @@ { "cve": "CVE-2025-6965", "epss": 0.00022, - "percentile": 0.05249, - "date": "2025-12-14" + "percentile": 0.05222, + "date": "2025-12-15" } ], "cwes": [ @@ -4624,8 +4624,8 @@ { "cve": "CVE-2023-4156", "epss": 0.00031, - "percentile": 0.08475, - "date": "2025-12-14" + "percentile": 0.08405, + "date": "2025-12-15" } ], "cwes": [ @@ -4690,8 +4690,8 @@ { "cve": "CVE-2023-4156", "epss": 0.00031, - "percentile": 0.08475, - "date": "2025-12-14" + "percentile": 0.08405, + "date": "2025-12-15" } ], "cwes": [ @@ -4788,8 +4788,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ @@ -4864,8 +4864,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ @@ -4965,8 +4965,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ @@ -5041,8 +5041,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ 
@@ -5153,8 +5153,8 @@ { "cve": "CVE-2025-9714", "epss": 0.00024, - "percentile": 0.05691, - "date": "2025-12-14" + "percentile": 0.05683, + "date": "2025-12-15" } ], "cwes": [ @@ -5227,8 +5227,8 @@ { "cve": "CVE-2025-9714", "epss": 0.00024, - "percentile": 0.05691, - "date": "2025-12-14" + "percentile": 0.05683, + "date": "2025-12-15" } ], "cwes": [ @@ -5322,8 +5322,8 @@ { "cve": "CVE-2025-60753", "epss": 0.0002, - "percentile": 0.04699, - "date": "2025-12-14" + "percentile": 0.04656, + "date": "2025-12-15" } ], "cwes": [ @@ -5376,8 +5376,8 @@ { "cve": "CVE-2025-60753", "epss": 0.0002, - "percentile": 0.04699, - "date": "2025-12-14" + "percentile": 0.04656, + "date": "2025-12-15" } ], "cwes": [ @@ -5477,8 +5477,8 @@ { "cve": "CVE-2025-29477", "epss": 0.00019, - "percentile": 0.04132, - "date": "2025-12-14" + "percentile": 0.04084, + "date": "2025-12-15" } ], "cwes": [ @@ -5569,8 +5569,8 @@ { "cve": "CVE-2025-13601", "epss": 0.00015, - "percentile": 0.02458, - "date": "2025-12-14" + "percentile": 0.0245, + "date": "2025-12-15" } ], "cwes": [ @@ -5619,8 +5619,8 @@ { "cve": "CVE-2025-13601", "epss": 0.00015, - "percentile": 0.02458, - "date": "2025-12-14" + "percentile": 0.0245, + "date": "2025-12-15" } ], "cwes": [ @@ -5711,8 +5711,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ], "fix": { @@ -5753,8 +5753,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ] } @@ -5848,8 +5848,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ], "fix": { @@ -5890,8 +5890,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ] } 
@@ -5985,8 +5985,8 @@ { "cve": "CVE-2025-5915", "epss": 0.00026, - "percentile": 0.06449, - "date": "2025-12-14" + "percentile": 0.06425, + "date": "2025-12-15" } ], "cwes": [ @@ -6047,8 +6047,8 @@ { "cve": "CVE-2025-5915", "epss": 0.00026, - "percentile": 0.06449, - "date": "2025-12-14" + "percentile": 0.06425, + "date": "2025-12-15" } ], "cwes": [ @@ -6139,8 +6139,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -6192,8 +6192,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -6284,8 +6284,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -6337,8 +6337,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -6440,8 +6440,8 @@ { "cve": "CVE-2025-5916", "epss": 0.00023, - "percentile": 0.05378, - "date": "2025-12-14" + "percentile": 0.05349, + "date": "2025-12-15" } ], "cwes": [ @@ -6502,8 +6502,8 @@ { "cve": "CVE-2025-5916", "epss": 0.00023, - "percentile": 0.05378, - "date": "2025-12-14" + "percentile": 0.05349, + "date": "2025-12-15" } ], "cwes": [ @@ -6594,8 +6594,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -6642,8 +6642,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -6739,8 +6739,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ 
@@ -6787,8 +6787,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -6884,8 +6884,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -6932,8 +6932,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -7029,8 +7029,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -7077,8 +7077,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -7174,8 +7174,8 @@ { "cve": "CVE-2025-5278", "epss": 0.00016, - "percentile": 0.02784, - "date": "2025-12-14" + "percentile": 0.02777, + "date": "2025-12-15" } ], "cwes": [ @@ -7228,8 +7228,8 @@ { "cve": "CVE-2025-5278", "epss": 0.00016, - "percentile": 0.02784, - "date": "2025-12-14" + "percentile": 0.02777, + "date": "2025-12-15" } ], "cwes": [ @@ -7331,8 +7331,8 @@ { "cve": "CVE-2023-30571", "epss": 0.00014, - "percentile": 0.02021, - "date": "2025-12-14" + "percentile": 0.02012, + "date": "2025-12-15" } ], "cwes": [ @@ -7397,8 +7397,8 @@ { "cve": "CVE-2023-30571", "epss": 0.00014, - "percentile": 0.02021, - "date": "2025-12-14" + "percentile": 0.02012, + "date": "2025-12-15" } ], "cwes": [ @@ -7495,8 +7495,8 @@ { "cve": "CVE-2025-30258", "epss": 0.00025, - "percentile": 0.05983, - "date": "2025-12-14" + "percentile": 0.0597, + "date": "2025-12-15" } ], "cwes": [ @@ -7556,8 +7556,8 @@ { "cve": "CVE-2025-30258", "epss": 0.00025, - "percentile": 0.05983, - "date": "2025-12-14" + "percentile": 0.0597, + "date": "2025-12-15" } ], "cwes": [ 
@@ -7648,8 +7648,8 @@ { "cve": "CVE-2024-0232", "epss": 0.00018, - "percentile": 0.03785, - "date": "2025-12-14" + "percentile": 0.03749, + "date": "2025-12-15" } ], "cwes": [ @@ -7716,8 +7716,8 @@ { "cve": "CVE-2024-0232", "epss": 0.00018, - "percentile": 0.03785, - "date": "2025-12-14" + "percentile": 0.03749, + "date": "2025-12-15" } ], "cwes": [ @@ -7825,8 +7825,8 @@ { "cve": "CVE-2025-5918", "epss": 0.00019, - "percentile": 0.04307, - "date": "2025-12-14" + "percentile": 0.04264, + "date": "2025-12-15" } ], "cwes": [ @@ -7887,8 +7887,8 @@ { "cve": "CVE-2025-5918", "epss": 0.00019, - "percentile": 0.04307, - "date": "2025-12-14" + "percentile": 0.04264, + "date": "2025-12-15" } ], "cwes": [ @@ -7979,8 +7979,8 @@ { "cve": "CVE-2022-3219", "epss": 0.00012, - "percentile": 0.01397, - "date": "2025-12-14" + "percentile": 0.01394, + "date": "2025-12-15" } ], "cwes": [ @@ -8049,8 +8049,8 @@ { "cve": "CVE-2022-3219", "epss": 0.00012, - "percentile": 0.01397, - "date": "2025-12-14" + "percentile": 0.01394, + "date": "2025-12-15" } ], "cwes": [ @@ -8147,8 +8147,8 @@ { "cve": "CVE-2025-5917", "epss": 0.00019, - "percentile": 0.04396, - "date": "2025-12-14" + "percentile": 0.04351, + "date": "2025-12-15" } ], "cwes": [ @@ -8209,8 +8209,8 @@ { "cve": "CVE-2025-5917", "epss": 0.00019, - "percentile": 0.04396, - "date": "2025-12-14" + "percentile": 0.04351, + "date": "2025-12-15" } ], "cwes": [ @@ -8301,8 +8301,8 @@ { "cve": "CVE-2025-6170", "epss": 0.00017, - "percentile": 0.03384, - "date": "2025-12-14" + "percentile": 0.03368, + "date": "2025-12-15" } ], "cwes": [ @@ -8362,8 +8362,8 @@ { "cve": "CVE-2025-6170", "epss": 0.00017, - "percentile": 0.03384, - "date": "2025-12-14" + "percentile": 0.03368, + "date": "2025-12-15" } ], "cwes": [ 
@@ -8913,87 +8913,87 @@ "db": { "status": { "schemaVersion": "v6.1.3", - "from": "https://grype.anchore.io/databases/v6/vulnerability-db_v6.1.3_2025-12-15T00:26:22Z_1765786837.tar.zst?checksum=sha256%3A819b50d22f073b9ab2ad3c00d212207037c07e1de037f81b528b58717b758db2", - "built": "2025-12-15T08:20:37Z", + "from": "https://grype.anchore.io/databases/v6/vulnerability-db_v6.1.3_2025-12-16T00:25:11Z_1765880790.tar.zst?checksum=sha256%3Aa8bb3ef2cc68f242e78cda1e451f290ff56a23b1063de65d22a0ac20e16ae5bd", + "built": "2025-12-16T10:26:30Z", "path": ".cache/grype/db/6/vulnerability.db", "valid": true }, "providers": { "alma": { - "captured": "2025-12-15T00:26:29Z", + "captured": "2025-12-16T00:25:17Z", "input": "xxh64:3bae44c7a22f7a7a" }, "alpine": { - "captured": "2025-12-15T00:26:22Z", - "input": "xxh64:a6910ebae352b990" + "captured": "2025-12-16T00:25:13Z", + "input": "xxh64:0d94cc3d895e96e4" }, "amazon": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:d9332811ab10da09" + "captured": "2025-12-16T00:25:14Z", + "input": "xxh64:96351b3c21f16cdd" }, "bitnami": { - "captured": "2025-12-15T00:26:31Z", - "input": "xxh64:1ecf12b668dea077" + "captured": "2025-12-16T00:25:26Z", + "input": "xxh64:01d096e52d6c584d" }, "chainguard": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:c788b1823558ccdc" + "captured": "2025-12-16T00:25:19Z", + "input": "xxh64:aeb142b1fabd05ef" }, "chainguard-libraries": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:61125e10198fff74" + "captured": "2025-12-16T00:25:25Z", + "input": "xxh64:131c1a3e98113468" }, "debian": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:3a0aef0ee5db3f38" + "captured": "2025-12-16T00:25:24Z", + "input": "xxh64:9c5942d58a5f0d0a" }, "echo": { - "captured": "2025-12-15T00:26:34Z", - "input": "xxh64:b407f1052619408a" + "captured": "2025-12-16T00:25:20Z", + "input": "xxh64:e65ed35a7a7899d0" }, "epss": { - "captured": "2025-12-15T00:26:28Z", - "input": "xxh64:05fd1e2ee709d2a5" + "captured": 
"2025-12-16T00:25:21Z", + "input": "xxh64:c443dbaf0209cf17" }, "github": { - "captured": "2025-12-15T00:26:44Z", - "input": "xxh64:3c7fd996a88f1c66" + "captured": "2025-12-16T00:25:21Z", + "input": "xxh64:640038905439d285" }, "kev": { - "captured": "2025-12-15T00:26:23Z", - "input": "xxh64:ed425533655d771d" + "captured": "2025-12-16T00:25:11Z", + "input": "xxh64:c28f5b32e2103243" }, "mariner": { - "captured": "2025-12-15T00:26:32Z", - "input": "xxh64:6fdbff1192df3158" + "captured": "2025-12-16T00:25:18Z", + "input": "xxh64:647810a8c07a63eb" }, "minimos": { - "captured": "2025-12-15T00:26:30Z", - "input": "xxh64:66fa9397e7abbbe3" + "captured": "2025-12-16T00:25:20Z", + "input": "xxh64:24ca3b7889974a27" }, "nvd": { - "captured": "2025-12-15T00:29:34Z", - "input": "xxh64:52a15157244d2eb4" + "captured": "2025-12-16T00:28:18Z", + "input": "xxh64:8ee1877e9a9e680b" }, "oracle": { - "captured": "2025-12-15T00:26:29Z", - "input": "xxh64:a3297070ed6c54c1" + "captured": "2025-12-16T00:25:23Z", + "input": "xxh64:a4416b6b3e4250df" }, "rhel": { - "captured": "2025-12-15T00:27:19Z", - "input": "xxh64:e625d0086bf187f1" + "captured": "2025-12-16T00:26:07Z", + "input": "xxh64:9911b1a567d8f57c" }, "sles": { - "captured": "2025-12-15T00:26:44Z", - "input": "xxh64:baf8228a110f8ba2" + "captured": "2025-12-16T00:25:43Z", + "input": "xxh64:1b717d5f2e45fdee" }, "ubuntu": { - "captured": "2025-12-15T00:27:45Z", - "input": "xxh64:dd0f79d777310979" + "captured": "2025-12-16T00:27:14Z", + "input": "xxh64:2d3097578288b46f" }, "wolfi": { - "captured": "2025-12-15T00:26:25Z", - "input": "xxh64:7f14313934ae61bb" + "captured": "2025-12-16T00:25:19Z", + "input": "xxh64:f85923693eb62700" } } } diff --git a/docs/security/agent/grype-25.10.2.md b/docs/security/agent/grype-25.10.2.md index ba387ff..6b2926a 100644 --- a/docs/security/agent/grype-25.10.2.md +++ b/docs/security/agent/grype-25.10.2.md 
@@ -30,16 +30,16 @@ Refer to the [triaged vulnerabilities](https://docs.fluent.do/security/triaged.h | curl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-7264](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7264) | Low | | libcurl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-7264](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7264) | Low | | shadow-utils | 2:4.9-12.el9 | [CVE-2024-56433](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-56433) | Low | -| curl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | -| libcurl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | | libxml2 | 2.9.13-12.el9_6 | [CVE-2024-34459](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34459) | Low | | openssl | 1:3.2.2-6.el9_5.1 | [CVE-2024-41996](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41996) | Low | | openssl-libs | 1:3.2.2-6.el9_5.1 | [CVE-2024-41996](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41996) | Low | +| curl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | +| libcurl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | | curl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-11053](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-11053) | Low | | libcurl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-11053](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-11053) | Low | | glib2 | 2.68.4-16.el9_6.2 | [CVE-2023-32636](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32636) | Low | -| libarchive | 3.5.3-6.el9_6 | [CVE-2025-1632](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1632) | Low | | libxml2 | 2.9.13-12.el9_6 | [CVE-2025-27113](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27113) | Low | +| libarchive | 3.5.3-6.el9_6 | 
[CVE-2025-1632](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1632) | Low | | openssl | 1:3.2.2-6.el9_5.1 | [CVE-2024-13176](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13176) | Low | | openssl-libs | 1:3.2.2-6.el9_5.1 | [CVE-2024-13176](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13176) | Low | | libxml2 | 2.9.13-12.el9_6 | [CVE-2023-45322](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45322) | Low | diff --git a/docs/security/agent/grype-25.10.3.json b/docs/security/agent/grype-25.10.3.json index 64bbab1..00f9ef2 100644 --- a/docs/security/agent/grype-25.10.3.json +++ b/docs/security/agent/grype-25.10.3.json @@ -25,8 +25,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -91,8 +91,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -194,8 +194,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -260,8 +260,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -363,8 +363,8 @@ { "cve": "CVE-2024-56433", "epss": 0.05074, - "percentile": 0.8942, - "date": "2025-12-14" + "percentile": 0.89421, + "date": "2025-12-15" } ], "cwes": [ @@ -426,8 +426,8 @@ { "cve": "CVE-2024-56433", "epss": 0.05074, - "percentile": 0.8942, - "date": "2025-12-14" + "percentile": 0.89421, + "date": "2025-12-15" } ], "cwes": [ 
@@ -504,39 +504,39 @@ }, { "vulnerability": { - "id": "CVE-2024-9681", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", + "id": "CVE-2024-34459", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-34459", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", + "description": "A flaw was found in the xmllint program distributed by the libxml2 package. A buffer over-read in the xmlHTMLPrintFileContext function in the xmllint.c file may be triggered when a crafted file is processed with the xmllint program using the `--htmlout` command line option, causing an application crash and resulting in a denial of service.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 3.9, - "exploitabilityScore": 1.4, - "impactScore": 2.6 + "baseScore": 5.5, + "exploitabilityScore": 1.9, + "impactScore": 3.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-34459", + "epss": 0.00847, + "percentile": 0.74212, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-34459", + "cwe": "CWE-122", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ], "fix": { 
@@ -544,51 +544,36 @@ "state": "not-fixed" }, "advisories": [], - "risk": 0.422625 + "risk": 0.35997500000000004 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-9681", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", + "id": "CVE-2024-34459", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-34459", "namespace": "nvd:cpe", - "severity": "Medium", + "severity": "High", "urls": [ - "https://curl.se/docs/CVE-2024-9681.html", - "https://curl.se/docs/CVE-2024-9681.json", - "https://hackerone.com/reports/2764830", - "http://seclists.org/fulldisclosure/2025/Apr/10", - "http://seclists.org/fulldisclosure/2025/Apr/11", - "http://seclists.org/fulldisclosure/2025/Apr/12", - "http://seclists.org/fulldisclosure/2025/Apr/13", - "http://seclists.org/fulldisclosure/2025/Apr/4", - "http://seclists.org/fulldisclosure/2025/Apr/5", - "http://seclists.org/fulldisclosure/2025/Apr/8", - "http://seclists.org/fulldisclosure/2025/Apr/9", - "http://www.openwall.com/lists/oss-security/2024/11/06/2", - "https://security.netapp.com/advisory/ntap-20241213-0006/" + "https://gitlab.gnome.org/GNOME/libxml2/-/issues/720", + "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.8", + "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.7", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/", + "https://lists.debian.org/debian-lts-announce/2025/07/msg00014.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", + 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/" ], - "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", + "description": "An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. 
Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c.", "cvss": [ - { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", - "metrics": { - "baseScore": 6.5, - "exploitabilityScore": 2.3, - "impactScore": 4.3 - }, - "vendorMetadata": {} - }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, + "baseScore": 7.5, + "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} @@ -596,25 +581,25 @@ ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-34459", + "epss": 0.00847, + "percentile": 0.74212, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-34459", + "cwe": "CWE-122", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ] } ], "matchDetails": [ { - "type": "exact-indirect-match", + "type": "exact-direct-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { @@ -622,21 +607,21 @@ "version": "9.6" }, "package": { - "name": "curl", - "version": "7.76.1-31.el9_6.1" + "name": "libxml2", + "version": "0:2.9.13-12.el9_6" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-9681", + "vulnerabilityID": "CVE-2024-34459", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "707ec843794b77ca", - "name": "curl-minimal", - "version": "7.76.1-31.el9_6.1", + "id": "66b25e26e34fcd34", + "name": "libxml2", + "version": "2.9.13-12.el9_6", "type": "rpm", "locations": [ { 
@@ -653,22 +638,11 @@ "MIT" ], "cpes": [ - "cpe:2.3:a:curl-minimal:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:curl-minimal:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:curl_minimal:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:curl_minimal:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:curl:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:curl:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*" - ], - "purl": "pkg:rpm/redhat/curl-minimal@7.76.1-31.el9_6.1?arch=x86_64&distro=rhel-9.6&upstream=curl-7.76.1-31.el9_6.1.src.rpm", - "upstreams": [ - { - "name": "curl", - "version": "7.76.1-31.el9_6.1" - } + "cpe:2.3:a:libxml2:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*" ], + "purl": "pkg:rpm/redhat/libxml2@2.9.13-12.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libxml2-2.9.13-12.el9_6.src.rpm", + "upstreams": [], "metadataType": "RpmMetadata", "metadata": { "epoch": null, 
@@ -678,91 +652,69 @@ }, { "vulnerability": { - "id": "CVE-2024-9681", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", + "id": "CVE-2024-41996", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", + "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 3.9, - "exploitabilityScore": 1.4, - "impactScore": 2.6 + "baseScore": 5.9, + "exploitabilityScore": 2.3, + "impactScore": 3.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-41996", + "cwe": "CWE-295", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ], "fix": { "versions": [], - "state": "not-fixed" + "state": "wont-fix" }, "advisories": [], - "risk": 0.422625 + "risk": 0.30705000000000005 }, 
"relatedVulnerabilities": [ { - "id": "CVE-2024-9681", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", + "id": "CVE-2024-41996", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", "namespace": "nvd:cpe", - "severity": "Medium", + "severity": "High", "urls": [ - "https://curl.se/docs/CVE-2024-9681.html", - "https://curl.se/docs/CVE-2024-9681.json", - "https://hackerone.com/reports/2764830", - "http://seclists.org/fulldisclosure/2025/Apr/10", - "http://seclists.org/fulldisclosure/2025/Apr/11", - "http://seclists.org/fulldisclosure/2025/Apr/12", - "http://seclists.org/fulldisclosure/2025/Apr/13", - "http://seclists.org/fulldisclosure/2025/Apr/4", - "http://seclists.org/fulldisclosure/2025/Apr/5", - "http://seclists.org/fulldisclosure/2025/Apr/8", - "http://seclists.org/fulldisclosure/2025/Apr/9", - "http://www.openwall.com/lists/oss-security/2024/11/06/2", - "https://security.netapp.com/advisory/ntap-20241213-0006/" + "https://dheatattack.gitlab.io/details/", + "https://dheatattack.gitlab.io/faq/", + "https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" ], - "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug 
is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", + "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", "cvss": [ - { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", - "metrics": { - "baseScore": 6.5, - "exploitabilityScore": 2.3, - "impactScore": 4.3 - }, - "vendorMetadata": {} - }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, + "baseScore": 7.5, + "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} 
@@ -770,25 +722,25 @@ ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-41996", + "cwe": "CWE-295", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ] } ], "matchDetails": [ { - "type": "exact-indirect-match", + "type": "exact-direct-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { @@ -796,21 +748,21 @@ "version": "9.6" }, "package": { - "name": "curl", - "version": "7.76.1-31.el9_6.1" + "name": "openssl", + "version": "1:3.2.2-6.el9_5.1" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-9681", + "vulnerabilityID": "CVE-2024-41996", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "220f5f360bc1aff5", - "name": "libcurl-minimal", - "version": "7.76.1-31.el9_6.1", + "id": "7dc75dc862d10c78", + "name": "openssl", + "version": "1:3.2.2-6.el9_5.1", "type": "rpm", "locations": [ { 
@@ -824,48 +776,37 @@ ], "language": "", "licenses": [ - "MIT" + "ASL 2.0" ], "cpes": [ - "cpe:2.3:a:libcurl-minimal:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl-minimal:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl_minimal:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl_minimal:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*" - ], - "purl": "pkg:rpm/redhat/libcurl-minimal@7.76.1-31.el9_6.1?arch=x86_64&distro=rhel-9.6&upstream=curl-7.76.1-31.el9_6.1.src.rpm", - "upstreams": [ - { - "name": "curl", - "version": "7.76.1-31.el9_6.1" - } + "cpe:2.3:a:openssl:openssl:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:openssl:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*" ], + "purl": "pkg:rpm/redhat/openssl@3.2.2-6.el9_5.1?arch=x86_64&distro=rhel-9.6&epoch=1&upstream=openssl-3.2.2-6.el9_5.1.src.rpm", + "upstreams": [], "metadataType": "RpmMetadata", "metadata": { - "epoch": null, + "epoch": 1, "modularityLabel": "" } } }, { "vulnerability": { - "id": "CVE-2024-34459", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-34459", + "id": "CVE-2024-41996", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A flaw was found in the xmllint program distributed by the libxml2 package. 
A buffer over-read in the xmlHTMLPrintFileContext function in the xmllint.c file may be triggered when a crafted file is processed with the xmllint program using the `--htmlout` command line option, causing an application crash and resulting in a denial of service.", + "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 5.5, - "exploitabilityScore": 1.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} 
@@ -873,52 +814,45 @@ ], "epss": [ { - "cve": "CVE-2024-34459", - "epss": 0.00847, - "percentile": 0.74208, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-34459", - "cwe": "CWE-122", + "cve": "CVE-2024-41996", + "cwe": "CWE-295", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ], "fix": { "versions": [], - "state": "not-fixed" + "state": "wont-fix" }, "advisories": [], - "risk": 0.35997500000000004 + "risk": 0.30705000000000005 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-34459", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-34459", + "id": "CVE-2024-41996", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", "namespace": "nvd:cpe", "severity": "High", "urls": [ - "https://gitlab.gnome.org/GNOME/libxml2/-/issues/720", - "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.8", - "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.7", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/", - "https://lists.debian.org/debian-lts-announce/2025/07/msg00014.html", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/" + "https://dheatattack.gitlab.io/details/", + "https://dheatattack.gitlab.io/faq/", + 
"https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" ], - "description": "An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c.", + "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", "cvss": [ { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { "baseScore": 7.5, "exploitabilityScore": 3.9, @@ -929,16 +863,16 @@ ], "epss": [ { - "cve": "CVE-2024-34459", - "epss": 0.00847, - "percentile": 0.74208, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-34459", - "cwe": "CWE-122", + "cve": "CVE-2024-41996", + "cwe": "CWE-295", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } @@ -947,7 +881,7 @@ ], "matchDetails": [ { - "type": "exact-direct-match", + "type": "exact-indirect-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { 
@@ -955,21 +889,21 @@ "version": "9.6" }, "package": { - "name": "libxml2", - "version": "0:2.9.13-12.el9_6" + "name": "openssl", + "version": "3.2.2-6.el9_5.1" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-34459", + "vulnerabilityID": "CVE-2024-41996", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "66b25e26e34fcd34", - "name": "libxml2", - "version": "2.9.13-12.el9_6", + "id": "58e683943e8aac02", + "name": "openssl-libs", + "version": "1:3.2.2-6.el9_5.1", "type": "rpm", "locations": [ { 
@@ -983,86 +917,119 @@ ], "language": "", "licenses": [ - "MIT" + "ASL 2.0" ], "cpes": [ - "cpe:2.3:a:libxml2:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*" + "cpe:2.3:a:openssl-libs:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl-libs:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl_libs:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl_libs:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:rpm/redhat/openssl-libs@3.2.2-6.el9_5.1?arch=x86_64&distro=rhel-9.6&epoch=1&upstream=openssl-3.2.2-6.el9_5.1.src.rpm", + "upstreams": [ + { + "name": "openssl", + "version": "3.2.2-6.el9_5.1" + } ], - "purl": "pkg:rpm/redhat/libxml2@2.9.13-12.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libxml2-2.9.13-12.el9_6.src.rpm", - "upstreams": [], "metadataType": "RpmMetadata", "metadata": { - "epoch": null, + "epoch": 1, "modularityLabel": "" } } }, { "vulnerability": { - "id": "CVE-2024-41996", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. 
This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", + "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, - "impactScore": 3.6 + "baseScore": 3.9, + "exploitabilityScore": 1.4, + "impactScore": 2.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ], "fix": { "versions": [], - "state": "wont-fix" + "state": "not-fixed" }, "advisories": [], - "risk": 0.30705000000000005 + "risk": 0.20009999999999997 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-41996", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", "namespace": "nvd:cpe", - "severity": "High", + "severity": "Medium", "urls": [ - "https://dheatattack.gitlab.io/details/", - "https://dheatattack.gitlab.io/faq/", - "https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" + "https://curl.se/docs/CVE-2024-9681.html", + "https://curl.se/docs/CVE-2024-9681.json", + "https://hackerone.com/reports/2764830", + "http://seclists.org/fulldisclosure/2025/Apr/10", + 
"http://seclists.org/fulldisclosure/2025/Apr/11", + "http://seclists.org/fulldisclosure/2025/Apr/12", + "http://seclists.org/fulldisclosure/2025/Apr/13", + "http://seclists.org/fulldisclosure/2025/Apr/4", + "http://seclists.org/fulldisclosure/2025/Apr/5", + "http://seclists.org/fulldisclosure/2025/Apr/8", + "http://seclists.org/fulldisclosure/2025/Apr/9", + "http://www.openwall.com/lists/oss-security/2024/11/06/2", + "https://security.netapp.com/advisory/ntap-20241213-0006/" ], - "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", + "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for 
by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.3, + "impactScore": 4.3 + }, + "vendorMetadata": {} + }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} @@ -1070,25 +1037,25 @@ ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ] } ], "matchDetails": [ { - "type": "exact-direct-match", + "type": "exact-indirect-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { 
@@ -1096,21 +1063,21 @@ "version": "9.6" }, "package": { - "name": "openssl", - "version": "1:3.2.2-6.el9_5.1" + "name": "curl", + "version": "7.76.1-31.el9_6.1" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-41996", + "vulnerabilityID": "CVE-2024-9681", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "7dc75dc862d10c78", - "name": "openssl", - "version": "1:3.2.2-6.el9_5.1", + "id": "707ec843794b77ca", + "name": "curl-minimal", + "version": "7.76.1-31.el9_6.1", "type": "rpm", "locations": [ { 
@@ -1124,86 +1091,119 @@ ], "language": "", "licenses": [ - "ASL 2.0" + "MIT" ], "cpes": [ - "cpe:2.3:a:openssl:openssl:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:openssl:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*" + "cpe:2.3:a:curl-minimal:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:curl-minimal:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:curl_minimal:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:curl_minimal:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:curl:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:curl:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:rpm/redhat/curl-minimal@7.76.1-31.el9_6.1?arch=x86_64&distro=rhel-9.6&upstream=curl-7.76.1-31.el9_6.1.src.rpm", + "upstreams": [ + { + "name": "curl", + "version": "7.76.1-31.el9_6.1" + } ], - "purl": "pkg:rpm/redhat/openssl@3.2.2-6.el9_5.1?arch=x86_64&distro=rhel-9.6&epoch=1&upstream=openssl-3.2.2-6.el9_5.1.src.rpm", - "upstreams": [], "metadataType": "RpmMetadata", "metadata": { - "epoch": 1, + "epoch": null, "modularityLabel": "" } } }, { "vulnerability": { - "id": "CVE-2024-41996", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. 
This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", + "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, - "impactScore": 3.6 + "baseScore": 3.9, + "exploitabilityScore": 1.4, + "impactScore": 2.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ], "fix": { "versions": [], - "state": "wont-fix" + "state": "not-fixed" }, "advisories": [], - "risk": 0.30705000000000005 + "risk": 0.20009999999999997 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-41996", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", "namespace": "nvd:cpe", - "severity": "High", + "severity": "Medium", "urls": [ - "https://dheatattack.gitlab.io/details/", - "https://dheatattack.gitlab.io/faq/", - "https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" + "https://curl.se/docs/CVE-2024-9681.html", + "https://curl.se/docs/CVE-2024-9681.json", + "https://hackerone.com/reports/2764830", + "http://seclists.org/fulldisclosure/2025/Apr/10", + 
"http://seclists.org/fulldisclosure/2025/Apr/11", + "http://seclists.org/fulldisclosure/2025/Apr/12", + "http://seclists.org/fulldisclosure/2025/Apr/13", + "http://seclists.org/fulldisclosure/2025/Apr/4", + "http://seclists.org/fulldisclosure/2025/Apr/5", + "http://seclists.org/fulldisclosure/2025/Apr/8", + "http://seclists.org/fulldisclosure/2025/Apr/9", + "http://www.openwall.com/lists/oss-security/2024/11/06/2", + "https://security.netapp.com/advisory/ntap-20241213-0006/" ], - "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", + "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for 
by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.3, + "impactScore": 4.3 + }, + "vendorMetadata": {} + }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} @@ -1211,18 +1211,18 @@ ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ] } @@ -1237,21 +1237,21 @@ "version": "9.6" }, "package": { - "name": "openssl", - "version": "3.2.2-6.el9_5.1" + "name": "curl", + "version": "7.76.1-31.el9_6.1" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-41996", + "vulnerabilityID": "CVE-2024-9681", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "58e683943e8aac02", - "name": "openssl-libs", - "version": "1:3.2.2-6.el9_5.1", + "id": "220f5f360bc1aff5", + "name": "libcurl-minimal", + "version": "7.76.1-31.el9_6.1", "type": "rpm", "locations": [ { 
@@ -1265,28 +1265,28 @@ ], "language": "", "licenses": [ - "ASL 2.0" + "MIT" ], "cpes": [ - "cpe:2.3:a:openssl-libs:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl-libs:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl_libs:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl_libs:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*" + "cpe:2.3:a:libcurl-minimal:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl-minimal:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl_minimal:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl_minimal:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*" ], - "purl": "pkg:rpm/redhat/openssl-libs@3.2.2-6.el9_5.1?arch=x86_64&distro=rhel-9.6&epoch=1&upstream=openssl-3.2.2-6.el9_5.1.src.rpm", + "purl": "pkg:rpm/redhat/libcurl-minimal@7.76.1-31.el9_6.1?arch=x86_64&distro=rhel-9.6&upstream=curl-7.76.1-31.el9_6.1.src.rpm", "upstreams": [ { - "name": "openssl", - "version": "3.2.2-6.el9_5.1" + "name": "curl", + "version": "7.76.1-31.el9_6.1" } ], "metadataType": "RpmMetadata", "metadata": { - "epoch": 1, + "epoch": null, "modularityLabel": "" } } @@ -1316,8 +1316,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ], "fix": { 
@@ -1361,8 +1361,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ] } @@ -1456,8 +1456,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ], "fix": { @@ -1501,8 +1501,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ] } @@ -1596,8 +1596,8 @@ { "cve": "CVE-2025-14087", "epss": 0.00197, - "percentile": 0.41855, - "date": "2025-12-14" + "percentile": 0.41841, + "date": "2025-12-15" } ], "cwes": [ @@ -1644,8 +1644,8 @@ { "cve": "CVE-2025-14087", "epss": 0.00197, - "percentile": 0.41855, - "date": "2025-12-14" + "percentile": 0.41841, + "date": "2025-12-15" } ], "cwes": [ @@ -1736,8 +1736,8 @@ { "cve": "CVE-2023-32636", "epss": 0.00165, - "percentile": 0.38062, - "date": "2025-12-14" + "percentile": 0.38035, + "date": "2025-12-15" } ], "cwes": [ @@ -1803,8 +1803,8 @@ { "cve": "CVE-2023-32636", "epss": 0.00165, - "percentile": 0.38062, - "date": "2025-12-14" + "percentile": 0.38035, + "date": "2025-12-15" } ], "cwes": [ 
@@ -1878,20 +1878,20 @@ }, { "vulnerability": { - "id": "CVE-2025-1632", - "dataSource": "https://access.redhat.com/security/cve/CVE-2025-1632", + "id": "CVE-2025-27113", + "dataSource": "https://access.redhat.com/security/cve/CVE-2025-27113", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A flaw was found in the bsdunzip utility of libarchive. In affected versions, a specially crafted file may trigger a null pointer dereference. This issue can lead to an application crash or other unexpected behavior.", + "description": "A flaw was found in libxml2. This vulnerability allows a NULL pointer dereference, leading to a potential crash or denial of service via a crafted XML pattern.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L", "metrics": { - "baseScore": 3.3, - "exploitabilityScore": 1.9, + "baseScore": 3.1, + "exploitabilityScore": 1.7, "impactScore": 1.5 }, "vendorMetadata": {} @@ -1899,27 +1899,21 @@ ], "epss": [ { - "cve": "CVE-2025-1632", - "epss": 0.00188, - "percentile": 0.40872, - "date": "2025-12-14" + "cve": "CVE-2025-27113", + "epss": 0.00217, + "percentile": 0.44238, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-1632", - "cwe": "CWE-404", - "source": "cna@vuldb.com", - "type": "Secondary" - }, - { - "cve": "CVE-2025-1632", + "cve": "CVE-2025-27113", "cwe": "CWE-476", - "source": "cna@vuldb.com", + "source": "cve@mitre.org", "type": "Secondary" }, { - "cve": "CVE-2025-1632", + "cve": "CVE-2025-27113", "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" 
@@ -1930,92 +1924,71 @@ "state": "not-fixed" }, "advisories": [], - "risk": 0.05921999999999999 + "risk": 0.066185 }, "relatedVulnerabilities": [ { - "id": "CVE-2025-1632", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-1632", + "id": "CVE-2025-27113", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-27113", "namespace": "nvd:cpe", - "severity": "Medium", + "severity": "High", "urls": [ - "https://github.com/Ekkosun/pocs/blob/main/bsdunzip-poc", - "https://vuldb.com/?ctiid.296619", - "https://vuldb.com/?id.296619", - "https://vuldb.com/?submit.496460" + "https://gitlab.gnome.org/GNOME/libxml2/-/issues/861", + "http://seclists.org/fulldisclosure/2025/Apr/10", + "http://seclists.org/fulldisclosure/2025/Apr/11", + "http://seclists.org/fulldisclosure/2025/Apr/12", + "http://seclists.org/fulldisclosure/2025/Apr/13", + "http://seclists.org/fulldisclosure/2025/Apr/4", + "http://seclists.org/fulldisclosure/2025/Apr/5", + "http://seclists.org/fulldisclosure/2025/Apr/8", + "http://seclists.org/fulldisclosure/2025/Apr/9", + "https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html", + "https://security.netapp.com/advisory/ntap-20250306-0004/" ], - "description": "A vulnerability was found in libarchive up to 3.7.7. It has been classified as problematic. This affects the function list of the file bsdunzip.c. The manipulation leads to null pointer dereference. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. 
The vendor was contacted early about this disclosure but did not respond in any way.", + "description": "libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer dereference in xmlPatMatch in pattern.c.", "cvss": [ { "source": "nvd@nist.gov", "type": "Primary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 5.5, - "exploitabilityScore": 1.9, + "baseScore": 7.5, + "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} }, { - "source": "cna@vuldb.com", - "type": "Secondary", - "version": "4.0", - "vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", - "metrics": { - "baseScore": 4.8 - }, - "vendorMetadata": {} - }, - { - "source": "cna@vuldb.com", + "source": "cve@mitre.org", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "metrics": { - "baseScore": 3.3, - "exploitabilityScore": 1.9, + "baseScore": 2.9, + "exploitabilityScore": 1.5, "impactScore": 1.5 }, "vendorMetadata": {} - }, - { - "source": "cna@vuldb.com", - "type": "Secondary", - "version": "2.0", - "vector": "AV:L/AC:L/Au:S/C:N/I:N/A:P", - "metrics": { - "baseScore": 1.7, - "exploitabilityScore": 3.2, - "impactScore": 2.9 - }, - "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2025-1632", - "epss": 0.00188, - "percentile": 0.40872, - "date": "2025-12-14" + "cve": "CVE-2025-27113", + "epss": 0.00217, + "percentile": 0.44238, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-1632", - "cwe": "CWE-404", - "source": "cna@vuldb.com", - "type": "Secondary" - }, - { - "cve": "CVE-2025-1632", + "cve": "CVE-2025-27113", "cwe": "CWE-476", - "source": "cna@vuldb.com", + "source": "cve@mitre.org", "type": "Secondary" }, { - 
"cve": "CVE-2025-1632", + "cve": "CVE-2025-27113", "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" @@ -2033,21 +2006,21 @@ "version": "9.6" }, "package": { - "name": "libarchive", - "version": "0:3.5.3-6.el9_6" + "name": "libxml2", + "version": "0:2.9.13-12.el9_6" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2025-1632", + "vulnerabilityID": "CVE-2025-27113", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "5fe8b53173092253", - "name": "libarchive", - "version": "3.5.3-6.el9_6", + "id": "66b25e26e34fcd34", + "name": "libxml2", + "version": "2.9.13-12.el9_6", "type": "rpm", "locations": [ { @@ -2061,13 +2034,13 @@ ], "language": "", "licenses": [ - "BSD" + "MIT" ], "cpes": [ - "cpe:2.3:a:libarchive:libarchive:3.5.3-6.el9_6:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libarchive:3.5.3-6.el9_6:*:*:*:*:*:*:*" + "cpe:2.3:a:libxml2:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*" ], - "purl": "pkg:rpm/redhat/libarchive@3.5.3-6.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libarchive-3.5.3-6.el9_6.src.rpm", + "purl": "pkg:rpm/redhat/libxml2@2.9.13-12.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libxml2-2.9.13-12.el9_6.src.rpm", "upstreams": [], "metadataType": "RpmMetadata", "metadata": { 
@@ -2078,20 +2051,20 @@ }, { "vulnerability": { - "id": "CVE-2025-27113", - "dataSource": "https://access.redhat.com/security/cve/CVE-2025-27113", + "id": "CVE-2025-1632", + "dataSource": "https://access.redhat.com/security/cve/CVE-2025-1632", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A flaw was found in libxml2. This vulnerability allows a NULL pointer dereference, leading to a potential crash or denial of service via a crafted XML pattern.", + "description": "A flaw was found in the bsdunzip utility of libarchive. In affected versions, a specially crafted file may trigger a null pointer dereference. This issue can lead to an application crash or other unexpected behavior.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "metrics": { - "baseScore": 3.1, - "exploitabilityScore": 1.7, + "baseScore": 3.3, + "exploitabilityScore": 1.9, "impactScore": 1.5 }, "vendorMetadata": {} @@ -2099,21 +2072,27 @@ ], "epss": [ { - "cve": "CVE-2025-27113", - "epss": 0.00184, - "percentile": 0.40434, - "date": "2025-12-14" + "cve": "CVE-2025-1632", + "epss": 0.00188, + "percentile": 0.40856, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-27113", + "cve": "CVE-2025-1632", + "cwe": "CWE-404", + "source": "cna@vuldb.com", + "type": "Secondary" + }, + { + "cve": "CVE-2025-1632", "cwe": "CWE-476", - "source": "cve@mitre.org", + "source": "cna@vuldb.com", "type": "Secondary" }, { - "cve": "CVE-2025-27113", + "cve": "CVE-2025-1632", "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" 
@@ -2124,71 +2103,92 @@ "state": "not-fixed" }, "advisories": [], - "risk": 0.056119999999999996 + "risk": 0.05921999999999999 }, "relatedVulnerabilities": [ { - "id": "CVE-2025-27113", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-27113", + "id": "CVE-2025-1632", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-1632", "namespace": "nvd:cpe", - "severity": "High", + "severity": "Medium", "urls": [ - "https://gitlab.gnome.org/GNOME/libxml2/-/issues/861", - "http://seclists.org/fulldisclosure/2025/Apr/10", - "http://seclists.org/fulldisclosure/2025/Apr/11", - "http://seclists.org/fulldisclosure/2025/Apr/12", - "http://seclists.org/fulldisclosure/2025/Apr/13", - "http://seclists.org/fulldisclosure/2025/Apr/4", - "http://seclists.org/fulldisclosure/2025/Apr/5", - "http://seclists.org/fulldisclosure/2025/Apr/8", - "http://seclists.org/fulldisclosure/2025/Apr/9", - "https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html", - "https://security.netapp.com/advisory/ntap-20250306-0004/" + "https://github.com/Ekkosun/pocs/blob/main/bsdunzip-poc", + "https://vuldb.com/?ctiid.296619", + "https://vuldb.com/?id.296619", + "https://vuldb.com/?submit.496460" ], - "description": "libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer dereference in xmlPatMatch in pattern.c.", + "description": "A vulnerability was found in libarchive up to 3.7.7. It has been classified as problematic. This affects the function list of the file bsdunzip.c. The manipulation leads to null pointer dereference. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. 
The vendor was contacted early about this disclosure but did not respond in any way.", "cvss": [ { "source": "nvd@nist.gov", "type": "Primary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, + "baseScore": 5.5, + "exploitabilityScore": 1.9, "impactScore": 3.6 }, "vendorMetadata": {} }, { - "source": "cve@mitre.org", + "source": "cna@vuldb.com", + "type": "Secondary", + "version": "4.0", + "vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", + "metrics": { + "baseScore": 4.8 + }, + "vendorMetadata": {} + }, + { + "source": "cna@vuldb.com", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "metrics": { - "baseScore": 2.9, - "exploitabilityScore": 1.5, + "baseScore": 3.3, + "exploitabilityScore": 1.9, "impactScore": 1.5 }, "vendorMetadata": {} + }, + { + "source": "cna@vuldb.com", + "type": "Secondary", + "version": "2.0", + "vector": "AV:L/AC:L/Au:S/C:N/I:N/A:P", + "metrics": { + "baseScore": 1.7, + "exploitabilityScore": 3.2, + "impactScore": 2.9 + }, + "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2025-27113", - "epss": 0.00184, - "percentile": 0.40434, - "date": "2025-12-14" + "cve": "CVE-2025-1632", + "epss": 0.00188, + "percentile": 0.40856, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-27113", + "cve": "CVE-2025-1632", + "cwe": "CWE-404", + "source": "cna@vuldb.com", + "type": "Secondary" + }, + { + "cve": "CVE-2025-1632", "cwe": "CWE-476", - "source": "cve@mitre.org", + "source": "cna@vuldb.com", "type": "Secondary" }, { - "cve": "CVE-2025-27113", + "cve": "CVE-2025-1632", "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" 
@@ -2206,21 +2206,21 @@ "version": "9.6" }, "package": { - "name": "libxml2", - "version": "0:2.9.13-12.el9_6" + "name": "libarchive", + "version": "0:3.5.3-6.el9_6" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2025-27113", + "vulnerabilityID": "CVE-2025-1632", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "66b25e26e34fcd34", - "name": "libxml2", - "version": "2.9.13-12.el9_6", + "id": "5fe8b53173092253", + "name": "libarchive", + "version": "3.5.3-6.el9_6", "type": "rpm", "locations": [ { @@ -2234,13 +2234,13 @@ ], "language": "", "licenses": [ - "MIT" + "BSD" ], "cpes": [ - "cpe:2.3:a:libxml2:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*" + "cpe:2.3:a:libarchive:libarchive:3.5.3-6.el9_6:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libarchive:3.5.3-6.el9_6:*:*:*:*:*:*:*" ], - "purl": "pkg:rpm/redhat/libxml2@2.9.13-12.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libxml2-2.9.13-12.el9_6.src.rpm", + "purl": "pkg:rpm/redhat/libarchive@3.5.3-6.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libarchive-3.5.3-6.el9_6.src.rpm", "upstreams": [], "metadataType": "RpmMetadata", "metadata": { @@ -2274,8 +2274,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ], "fix": { @@ -2316,8 +2316,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ] } @@ -2411,8 +2411,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ], "fix": { @@ -2453,8 +2453,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ] } 
@@ -2548,8 +2548,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -2607,8 +2607,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -2699,8 +2699,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -2758,8 +2758,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -2861,8 +2861,8 @@ { "cve": "CVE-2023-45322", "epss": 0.00076, - "percentile": 0.23163, - "date": "2025-12-14" + "percentile": 0.2314, + "date": "2025-12-15" } ], "cwes": [ @@ -2911,8 +2911,8 @@ { "cve": "CVE-2023-45322", "epss": 0.00076, - "percentile": 0.23163, - "date": "2025-12-14" + "percentile": 0.2314, + "date": "2025-12-15" } ], "cwes": [ @@ -3003,8 +3003,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -3051,8 +3051,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -3143,8 +3143,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -3191,8 +3191,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -3294,8 +3294,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ], "fix": { 
@@ -3337,8 +3337,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ] } @@ -3432,8 +3432,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ], "fix": { @@ -3475,8 +3475,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ] } @@ -3570,8 +3570,8 @@ { "cve": "CVE-2025-3360", "epss": 0.00068, - "percentile": 0.2117, - "date": "2025-12-14" + "percentile": 0.21148, + "date": "2025-12-15" } ], "cwes": [ @@ -3619,8 +3619,8 @@ { "cve": "CVE-2025-3360", "epss": 0.00068, - "percentile": 0.2117, - "date": "2025-12-14" + "percentile": 0.21148, + "date": "2025-12-15" } ], "cwes": [ @@ -3711,8 +3711,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -3772,8 +3772,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -3869,8 +3869,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -3930,8 +3930,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -4027,8 +4027,8 @@ { "cve": "CVE-2025-4598", "epss": 0.00042, - "percentile": 0.12535, - "date": "2025-12-14" + "percentile": 0.12486, + "date": "2025-12-15" } ], "cwes": [ @@ -4100,8 +4100,8 @@ { "cve": "CVE-2025-4598", "epss": 0.00042, - "percentile": 0.12535, - "date": "2025-12-14" + "percentile": 0.12486, + "date": "2025-12-15" } ], "cwes": [ 
@@ -4206,8 +4206,8 @@ { "cve": "CVE-2025-14512", "epss": 0.00034, - "percentile": 0.09609, - "date": "2025-12-14" + "percentile": 0.09535, + "date": "2025-12-15" } ], "cwes": [ @@ -4254,8 +4254,8 @@ { "cve": "CVE-2025-14512", "epss": 0.00034, - "percentile": 0.09609, - "date": "2025-12-14" + "percentile": 0.09535, + "date": "2025-12-15" } ], "cwes": [ @@ -4349,8 +4349,8 @@ { "cve": "CVE-2025-29478", "epss": 0.00034, - "percentile": 0.09478, - "date": "2025-12-14" + "percentile": 0.09393, + "date": "2025-12-15" } ], "cwes": [ @@ -4441,8 +4441,8 @@ { "cve": "CVE-2025-6965", "epss": 0.00022, - "percentile": 0.05249, - "date": "2025-12-14" + "percentile": 0.05222, + "date": "2025-12-15" } ], "cwes": [ @@ -4518,8 +4518,8 @@ { "cve": "CVE-2025-6965", "epss": 0.00022, - "percentile": 0.05249, - "date": "2025-12-14" + "percentile": 0.05222, + "date": "2025-12-15" } ], "cwes": [ @@ -4624,8 +4624,8 @@ { "cve": "CVE-2023-4156", "epss": 0.00031, - "percentile": 0.08475, - "date": "2025-12-14" + "percentile": 0.08405, + "date": "2025-12-15" } ], "cwes": [ @@ -4690,8 +4690,8 @@ { "cve": "CVE-2023-4156", "epss": 0.00031, - "percentile": 0.08475, - "date": "2025-12-14" + "percentile": 0.08405, + "date": "2025-12-15" } ], "cwes": [ @@ -4788,8 +4788,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ @@ -4864,8 +4864,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ @@ -4965,8 +4965,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ @@ -5041,8 +5041,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ 
@@ -5153,8 +5153,8 @@ { "cve": "CVE-2025-9714", "epss": 0.00024, - "percentile": 0.05691, - "date": "2025-12-14" + "percentile": 0.05683, + "date": "2025-12-15" } ], "cwes": [ @@ -5227,8 +5227,8 @@ { "cve": "CVE-2025-9714", "epss": 0.00024, - "percentile": 0.05691, - "date": "2025-12-14" + "percentile": 0.05683, + "date": "2025-12-15" } ], "cwes": [ @@ -5322,8 +5322,8 @@ { "cve": "CVE-2025-60753", "epss": 0.0002, - "percentile": 0.04699, - "date": "2025-12-14" + "percentile": 0.04656, + "date": "2025-12-15" } ], "cwes": [ @@ -5376,8 +5376,8 @@ { "cve": "CVE-2025-60753", "epss": 0.0002, - "percentile": 0.04699, - "date": "2025-12-14" + "percentile": 0.04656, + "date": "2025-12-15" } ], "cwes": [ @@ -5477,8 +5477,8 @@ { "cve": "CVE-2025-29477", "epss": 0.00019, - "percentile": 0.04132, - "date": "2025-12-14" + "percentile": 0.04084, + "date": "2025-12-15" } ], "cwes": [ @@ -5569,8 +5569,8 @@ { "cve": "CVE-2025-13601", "epss": 0.00015, - "percentile": 0.02458, - "date": "2025-12-14" + "percentile": 0.0245, + "date": "2025-12-15" } ], "cwes": [ @@ -5619,8 +5619,8 @@ { "cve": "CVE-2025-13601", "epss": 0.00015, - "percentile": 0.02458, - "date": "2025-12-14" + "percentile": 0.0245, + "date": "2025-12-15" } ], "cwes": [ @@ -5711,8 +5711,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ], "fix": { @@ -5753,8 +5753,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ] } @@ -5848,8 +5848,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ], "fix": { @@ -5890,8 +5890,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ] } 
@@ -5985,8 +5985,8 @@ { "cve": "CVE-2025-5915", "epss": 0.00026, - "percentile": 0.06449, - "date": "2025-12-14" + "percentile": 0.06425, + "date": "2025-12-15" } ], "cwes": [ @@ -6047,8 +6047,8 @@ { "cve": "CVE-2025-5915", "epss": 0.00026, - "percentile": 0.06449, - "date": "2025-12-14" + "percentile": 0.06425, + "date": "2025-12-15" } ], "cwes": [ @@ -6139,8 +6139,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -6192,8 +6192,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -6284,8 +6284,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -6337,8 +6337,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -6440,8 +6440,8 @@ { "cve": "CVE-2025-5916", "epss": 0.00023, - "percentile": 0.05378, - "date": "2025-12-14" + "percentile": 0.05349, + "date": "2025-12-15" } ], "cwes": [ @@ -6502,8 +6502,8 @@ { "cve": "CVE-2025-5916", "epss": 0.00023, - "percentile": 0.05378, - "date": "2025-12-14" + "percentile": 0.05349, + "date": "2025-12-15" } ], "cwes": [ @@ -6594,8 +6594,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -6642,8 +6642,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -6739,8 +6739,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ 
@@ -6787,8 +6787,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -6884,8 +6884,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -6932,8 +6932,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -7029,8 +7029,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -7077,8 +7077,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -7174,8 +7174,8 @@ { "cve": "CVE-2025-5278", "epss": 0.00016, - "percentile": 0.02784, - "date": "2025-12-14" + "percentile": 0.02777, + "date": "2025-12-15" } ], "cwes": [ @@ -7228,8 +7228,8 @@ { "cve": "CVE-2025-5278", "epss": 0.00016, - "percentile": 0.02784, - "date": "2025-12-14" + "percentile": 0.02777, + "date": "2025-12-15" } ], "cwes": [ @@ -7331,8 +7331,8 @@ { "cve": "CVE-2023-30571", "epss": 0.00014, - "percentile": 0.02021, - "date": "2025-12-14" + "percentile": 0.02012, + "date": "2025-12-15" } ], "cwes": [ @@ -7397,8 +7397,8 @@ { "cve": "CVE-2023-30571", "epss": 0.00014, - "percentile": 0.02021, - "date": "2025-12-14" + "percentile": 0.02012, + "date": "2025-12-15" } ], "cwes": [ @@ -7495,8 +7495,8 @@ { "cve": "CVE-2025-30258", "epss": 0.00025, - "percentile": 0.05983, - "date": "2025-12-14" + "percentile": 0.0597, + "date": "2025-12-15" } ], "cwes": [ @@ -7556,8 +7556,8 @@ { "cve": "CVE-2025-30258", "epss": 0.00025, - "percentile": 0.05983, - "date": "2025-12-14" + "percentile": 0.0597, + "date": "2025-12-15" } ], "cwes": [ 
@@ -7648,8 +7648,8 @@ { "cve": "CVE-2024-0232", "epss": 0.00018, - "percentile": 0.03785, - "date": "2025-12-14" + "percentile": 0.03749, + "date": "2025-12-15" } ], "cwes": [ @@ -7716,8 +7716,8 @@ { "cve": "CVE-2024-0232", "epss": 0.00018, - "percentile": 0.03785, - "date": "2025-12-14" + "percentile": 0.03749, + "date": "2025-12-15" } ], "cwes": [ @@ -7825,8 +7825,8 @@ { "cve": "CVE-2025-5918", "epss": 0.00019, - "percentile": 0.04307, - "date": "2025-12-14" + "percentile": 0.04264, + "date": "2025-12-15" } ], "cwes": [ @@ -7887,8 +7887,8 @@ { "cve": "CVE-2025-5918", "epss": 0.00019, - "percentile": 0.04307, - "date": "2025-12-14" + "percentile": 0.04264, + "date": "2025-12-15" } ], "cwes": [ @@ -7979,8 +7979,8 @@ { "cve": "CVE-2022-3219", "epss": 0.00012, - "percentile": 0.01397, - "date": "2025-12-14" + "percentile": 0.01394, + "date": "2025-12-15" } ], "cwes": [ @@ -8049,8 +8049,8 @@ { "cve": "CVE-2022-3219", "epss": 0.00012, - "percentile": 0.01397, - "date": "2025-12-14" + "percentile": 0.01394, + "date": "2025-12-15" } ], "cwes": [ @@ -8147,8 +8147,8 @@ { "cve": "CVE-2025-5917", "epss": 0.00019, - "percentile": 0.04396, - "date": "2025-12-14" + "percentile": 0.04351, + "date": "2025-12-15" } ], "cwes": [ @@ -8209,8 +8209,8 @@ { "cve": "CVE-2025-5917", "epss": 0.00019, - "percentile": 0.04396, - "date": "2025-12-14" + "percentile": 0.04351, + "date": "2025-12-15" } ], "cwes": [ @@ -8301,8 +8301,8 @@ { "cve": "CVE-2025-6170", "epss": 0.00017, - "percentile": 0.03384, - "date": "2025-12-14" + "percentile": 0.03368, + "date": "2025-12-15" } ], "cwes": [ @@ -8362,8 +8362,8 @@ { "cve": "CVE-2025-6170", "epss": 0.00017, - "percentile": 0.03384, - "date": "2025-12-14" + "percentile": 0.03368, + "date": "2025-12-15" } ], "cwes": [ 
@@ -8913,87 +8913,87 @@ "db": { "status": { "schemaVersion": "v6.1.3", - "from": "https://grype.anchore.io/databases/v6/vulnerability-db_v6.1.3_2025-12-15T00:26:22Z_1765786837.tar.zst?checksum=sha256%3A819b50d22f073b9ab2ad3c00d212207037c07e1de037f81b528b58717b758db2", - "built": "2025-12-15T08:20:37Z", + "from": "https://grype.anchore.io/databases/v6/vulnerability-db_v6.1.3_2025-12-16T00:25:11Z_1765880790.tar.zst?checksum=sha256%3Aa8bb3ef2cc68f242e78cda1e451f290ff56a23b1063de65d22a0ac20e16ae5bd", + "built": "2025-12-16T10:26:30Z", "path": ".cache/grype/db/6/vulnerability.db", "valid": true }, "providers": { "alma": { - "captured": "2025-12-15T00:26:29Z", + "captured": "2025-12-16T00:25:17Z", "input": "xxh64:3bae44c7a22f7a7a" }, "alpine": { - "captured": "2025-12-15T00:26:22Z", - "input": "xxh64:a6910ebae352b990" + "captured": "2025-12-16T00:25:13Z", + "input": "xxh64:0d94cc3d895e96e4" }, "amazon": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:d9332811ab10da09" + "captured": "2025-12-16T00:25:14Z", + "input": "xxh64:96351b3c21f16cdd" }, "bitnami": { - "captured": "2025-12-15T00:26:31Z", - "input": "xxh64:1ecf12b668dea077" + "captured": "2025-12-16T00:25:26Z", + "input": "xxh64:01d096e52d6c584d" }, "chainguard": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:c788b1823558ccdc" + "captured": "2025-12-16T00:25:19Z", + "input": "xxh64:aeb142b1fabd05ef" }, "chainguard-libraries": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:61125e10198fff74" + "captured": "2025-12-16T00:25:25Z", + "input": "xxh64:131c1a3e98113468" }, "debian": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:3a0aef0ee5db3f38" + "captured": "2025-12-16T00:25:24Z", + "input": "xxh64:9c5942d58a5f0d0a" }, "echo": { - "captured": "2025-12-15T00:26:34Z", - "input": "xxh64:b407f1052619408a" + "captured": "2025-12-16T00:25:20Z", + "input": "xxh64:e65ed35a7a7899d0" }, "epss": { - "captured": "2025-12-15T00:26:28Z", - "input": "xxh64:05fd1e2ee709d2a5" + "captured": 
"2025-12-16T00:25:21Z", + "input": "xxh64:c443dbaf0209cf17" }, "github": { - "captured": "2025-12-15T00:26:44Z", - "input": "xxh64:3c7fd996a88f1c66" + "captured": "2025-12-16T00:25:21Z", + "input": "xxh64:640038905439d285" }, "kev": { - "captured": "2025-12-15T00:26:23Z", - "input": "xxh64:ed425533655d771d" + "captured": "2025-12-16T00:25:11Z", + "input": "xxh64:c28f5b32e2103243" }, "mariner": { - "captured": "2025-12-15T00:26:32Z", - "input": "xxh64:6fdbff1192df3158" + "captured": "2025-12-16T00:25:18Z", + "input": "xxh64:647810a8c07a63eb" }, "minimos": { - "captured": "2025-12-15T00:26:30Z", - "input": "xxh64:66fa9397e7abbbe3" + "captured": "2025-12-16T00:25:20Z", + "input": "xxh64:24ca3b7889974a27" }, "nvd": { - "captured": "2025-12-15T00:29:34Z", - "input": "xxh64:52a15157244d2eb4" + "captured": "2025-12-16T00:28:18Z", + "input": "xxh64:8ee1877e9a9e680b" }, "oracle": { - "captured": "2025-12-15T00:26:29Z", - "input": "xxh64:a3297070ed6c54c1" + "captured": "2025-12-16T00:25:23Z", + "input": "xxh64:a4416b6b3e4250df" }, "rhel": { - "captured": "2025-12-15T00:27:19Z", - "input": "xxh64:e625d0086bf187f1" + "captured": "2025-12-16T00:26:07Z", + "input": "xxh64:9911b1a567d8f57c" }, "sles": { - "captured": "2025-12-15T00:26:44Z", - "input": "xxh64:baf8228a110f8ba2" + "captured": "2025-12-16T00:25:43Z", + "input": "xxh64:1b717d5f2e45fdee" }, "ubuntu": { - "captured": "2025-12-15T00:27:45Z", - "input": "xxh64:dd0f79d777310979" + "captured": "2025-12-16T00:27:14Z", + "input": "xxh64:2d3097578288b46f" }, "wolfi": { - "captured": "2025-12-15T00:26:25Z", - "input": "xxh64:7f14313934ae61bb" + "captured": "2025-12-16T00:25:19Z", + "input": "xxh64:f85923693eb62700" } } } diff --git a/docs/security/agent/grype-25.10.3.md b/docs/security/agent/grype-25.10.3.md index 2bfd0d1..35eb199 100644 --- a/docs/security/agent/grype-25.10.3.md +++ b/docs/security/agent/grype-25.10.3.md 
@@ -30,16 +30,16 @@ Refer to the [triaged vulnerabilities](https://docs.fluent.do/security/triaged.h | curl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-7264](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7264) | Low | | libcurl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-7264](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7264) | Low | | shadow-utils | 2:4.9-12.el9 | [CVE-2024-56433](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-56433) | Low | -| curl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | -| libcurl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | | libxml2 | 2.9.13-12.el9_6 | [CVE-2024-34459](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34459) | Low | | openssl | 1:3.2.2-6.el9_5.1 | [CVE-2024-41996](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41996) | Low | | openssl-libs | 1:3.2.2-6.el9_5.1 | [CVE-2024-41996](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41996) | Low | +| curl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | +| libcurl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | | curl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-11053](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-11053) | Low | | libcurl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-11053](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-11053) | Low | | glib2 | 2.68.4-16.el9_6.2 | [CVE-2023-32636](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32636) | Low | -| libarchive | 3.5.3-6.el9_6 | [CVE-2025-1632](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1632) | Low | | libxml2 | 2.9.13-12.el9_6 | [CVE-2025-27113](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27113) | Low | +| libarchive | 3.5.3-6.el9_6 | 
[CVE-2025-1632](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1632) | Low | | openssl | 1:3.2.2-6.el9_5.1 | [CVE-2024-13176](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13176) | Low | | openssl-libs | 1:3.2.2-6.el9_5.1 | [CVE-2024-13176](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13176) | Low | | libxml2 | 2.9.13-12.el9_6 | [CVE-2023-45322](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45322) | Low | diff --git a/docs/security/agent/grype-25.10.4.json b/docs/security/agent/grype-25.10.4.json index 542ae66..05de93d 100644 --- a/docs/security/agent/grype-25.10.4.json +++ b/docs/security/agent/grype-25.10.4.json @@ -25,8 +25,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -91,8 +91,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -194,8 +194,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -260,8 +260,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -363,8 +363,8 @@ { "cve": "CVE-2024-56433", "epss": 0.05074, - "percentile": 0.8942, - "date": "2025-12-14" + "percentile": 0.89421, + "date": "2025-12-15" } ], "cwes": [ @@ -426,8 +426,8 @@ { "cve": "CVE-2024-56433", "epss": 0.05074, - "percentile": 0.8942, - "date": "2025-12-14" + "percentile": 0.89421, + "date": "2025-12-15" } ], "cwes": [ 
@@ -504,39 +504,39 @@ }, { "vulnerability": { - "id": "CVE-2024-9681", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", + "id": "CVE-2024-34459", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-34459", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", + "description": "A flaw was found in the xmllint program distributed by the libxml2 package. A buffer over-read in the xmlHTMLPrintFileContext function in the xmllint.c file may be triggered when a crafted file is processed with the xmllint program using the `--htmlout` command line option, causing an application crash and resulting in a denial of service.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 3.9, - "exploitabilityScore": 1.4, - "impactScore": 2.6 + "baseScore": 5.5, + "exploitabilityScore": 1.9, + "impactScore": 3.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-34459", + "epss": 0.00847, + "percentile": 0.74212, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-34459", + "cwe": "CWE-122", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ], "fix": { 
@@ -544,51 +544,36 @@ "state": "not-fixed" }, "advisories": [], - "risk": 0.422625 + "risk": 0.35997500000000004 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-9681", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", + "id": "CVE-2024-34459", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-34459", "namespace": "nvd:cpe", - "severity": "Medium", + "severity": "High", "urls": [ - "https://curl.se/docs/CVE-2024-9681.html", - "https://curl.se/docs/CVE-2024-9681.json", - "https://hackerone.com/reports/2764830", - "http://seclists.org/fulldisclosure/2025/Apr/10", - "http://seclists.org/fulldisclosure/2025/Apr/11", - "http://seclists.org/fulldisclosure/2025/Apr/12", - "http://seclists.org/fulldisclosure/2025/Apr/13", - "http://seclists.org/fulldisclosure/2025/Apr/4", - "http://seclists.org/fulldisclosure/2025/Apr/5", - "http://seclists.org/fulldisclosure/2025/Apr/8", - "http://seclists.org/fulldisclosure/2025/Apr/9", - "http://www.openwall.com/lists/oss-security/2024/11/06/2", - "https://security.netapp.com/advisory/ntap-20241213-0006/" + "https://gitlab.gnome.org/GNOME/libxml2/-/issues/720", + "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.8", + "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.7", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/", + "https://lists.debian.org/debian-lts-announce/2025/07/msg00014.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", + 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/" ], - "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", + "description": "An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. 
Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c.", "cvss": [ - { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", - "metrics": { - "baseScore": 6.5, - "exploitabilityScore": 2.3, - "impactScore": 4.3 - }, - "vendorMetadata": {} - }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, + "baseScore": 7.5, + "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} @@ -596,25 +581,25 @@ ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-34459", + "epss": 0.00847, + "percentile": 0.74212, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-34459", + "cwe": "CWE-122", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ] } ], "matchDetails": [ { - "type": "exact-indirect-match", + "type": "exact-direct-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { @@ -622,21 +607,21 @@ "version": "9.6" }, "package": { - "name": "curl", - "version": "7.76.1-31.el9_6.1" + "name": "libxml2", + "version": "0:2.9.13-12.el9_6" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-9681", + "vulnerabilityID": "CVE-2024-34459", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "707ec843794b77ca", - "name": "curl-minimal", - "version": "7.76.1-31.el9_6.1", + "id": "66b25e26e34fcd34", + "name": "libxml2", + "version": "2.9.13-12.el9_6", "type": "rpm", "locations": [ { 
@@ -653,22 +638,11 @@ "MIT" ], "cpes": [ - "cpe:2.3:a:curl-minimal:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:curl-minimal:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:curl_minimal:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:curl_minimal:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:curl:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:curl:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*" - ], - "purl": "pkg:rpm/redhat/curl-minimal@7.76.1-31.el9_6.1?arch=x86_64&distro=rhel-9.6&upstream=curl-7.76.1-31.el9_6.1.src.rpm", - "upstreams": [ - { - "name": "curl", - "version": "7.76.1-31.el9_6.1" - } + "cpe:2.3:a:libxml2:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*" ], + "purl": "pkg:rpm/redhat/libxml2@2.9.13-12.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libxml2-2.9.13-12.el9_6.src.rpm", + "upstreams": [], "metadataType": "RpmMetadata", "metadata": { "epoch": null, 
@@ -678,91 +652,69 @@ }, { "vulnerability": { - "id": "CVE-2024-9681", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", + "id": "CVE-2024-41996", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", + "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 3.9, - "exploitabilityScore": 1.4, - "impactScore": 2.6 + "baseScore": 5.9, + "exploitabilityScore": 2.3, + "impactScore": 3.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-41996", + "cwe": "CWE-295", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ], "fix": { "versions": [], - "state": "not-fixed" + "state": "wont-fix" }, "advisories": [], - "risk": 0.422625 + "risk": 0.30705000000000005 }, 
"relatedVulnerabilities": [ { - "id": "CVE-2024-9681", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", + "id": "CVE-2024-41996", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", "namespace": "nvd:cpe", - "severity": "Medium", + "severity": "High", "urls": [ - "https://curl.se/docs/CVE-2024-9681.html", - "https://curl.se/docs/CVE-2024-9681.json", - "https://hackerone.com/reports/2764830", - "http://seclists.org/fulldisclosure/2025/Apr/10", - "http://seclists.org/fulldisclosure/2025/Apr/11", - "http://seclists.org/fulldisclosure/2025/Apr/12", - "http://seclists.org/fulldisclosure/2025/Apr/13", - "http://seclists.org/fulldisclosure/2025/Apr/4", - "http://seclists.org/fulldisclosure/2025/Apr/5", - "http://seclists.org/fulldisclosure/2025/Apr/8", - "http://seclists.org/fulldisclosure/2025/Apr/9", - "http://www.openwall.com/lists/oss-security/2024/11/06/2", - "https://security.netapp.com/advisory/ntap-20241213-0006/" + "https://dheatattack.gitlab.io/details/", + "https://dheatattack.gitlab.io/faq/", + "https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" ], - "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug 
is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", + "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", "cvss": [ - { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", - "metrics": { - "baseScore": 6.5, - "exploitabilityScore": 2.3, - "impactScore": 4.3 - }, - "vendorMetadata": {} - }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, + "baseScore": 7.5, + "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} 
@@ -770,25 +722,25 @@ ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-41996", + "cwe": "CWE-295", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ] } ], "matchDetails": [ { - "type": "exact-indirect-match", + "type": "exact-direct-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { @@ -796,21 +748,21 @@ "version": "9.6" }, "package": { - "name": "curl", - "version": "7.76.1-31.el9_6.1" + "name": "openssl", + "version": "1:3.2.2-6.el9_5.1" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-9681", + "vulnerabilityID": "CVE-2024-41996", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "220f5f360bc1aff5", - "name": "libcurl-minimal", - "version": "7.76.1-31.el9_6.1", + "id": "7dc75dc862d10c78", + "name": "openssl", + "version": "1:3.2.2-6.el9_5.1", "type": "rpm", "locations": [ { 
@@ -824,48 +776,37 @@ ], "language": "", "licenses": [ - "MIT" + "ASL 2.0" ], "cpes": [ - "cpe:2.3:a:libcurl-minimal:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl-minimal:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl_minimal:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl_minimal:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*" - ], - "purl": "pkg:rpm/redhat/libcurl-minimal@7.76.1-31.el9_6.1?arch=x86_64&distro=rhel-9.6&upstream=curl-7.76.1-31.el9_6.1.src.rpm", - "upstreams": [ - { - "name": "curl", - "version": "7.76.1-31.el9_6.1" - } + "cpe:2.3:a:openssl:openssl:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:openssl:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*" ], + "purl": "pkg:rpm/redhat/openssl@3.2.2-6.el9_5.1?arch=x86_64&distro=rhel-9.6&epoch=1&upstream=openssl-3.2.2-6.el9_5.1.src.rpm", + "upstreams": [], "metadataType": "RpmMetadata", "metadata": { - "epoch": null, + "epoch": 1, "modularityLabel": "" } } }, { "vulnerability": { - "id": "CVE-2024-34459", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-34459", + "id": "CVE-2024-41996", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A flaw was found in the xmllint program distributed by the libxml2 package. 
A buffer over-read in the xmlHTMLPrintFileContext function in the xmllint.c file may be triggered when a crafted file is processed with the xmllint program using the `--htmlout` command line option, causing an application crash and resulting in a denial of service.", + "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 5.5, - "exploitabilityScore": 1.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} 
@@ -873,52 +814,45 @@ ], "epss": [ { - "cve": "CVE-2024-34459", - "epss": 0.00847, - "percentile": 0.74208, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-34459", - "cwe": "CWE-122", + "cve": "CVE-2024-41996", + "cwe": "CWE-295", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ], "fix": { "versions": [], - "state": "not-fixed" + "state": "wont-fix" }, "advisories": [], - "risk": 0.35997500000000004 + "risk": 0.30705000000000005 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-34459", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-34459", + "id": "CVE-2024-41996", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", "namespace": "nvd:cpe", "severity": "High", "urls": [ - "https://gitlab.gnome.org/GNOME/libxml2/-/issues/720", - "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.8", - "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.7", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/", - "https://lists.debian.org/debian-lts-announce/2025/07/msg00014.html", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/" + "https://dheatattack.gitlab.io/details/", + "https://dheatattack.gitlab.io/faq/", + 
"https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" ], - "description": "An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c.", + "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", "cvss": [ { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { "baseScore": 7.5, "exploitabilityScore": 3.9, @@ -929,16 +863,16 @@ ], "epss": [ { - "cve": "CVE-2024-34459", - "epss": 0.00847, - "percentile": 0.74208, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-34459", - "cwe": "CWE-122", + "cve": "CVE-2024-41996", + "cwe": "CWE-295", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } @@ -947,7 +881,7 @@ ], "matchDetails": [ { - "type": "exact-direct-match", + "type": "exact-indirect-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { 
@@ -955,21 +889,21 @@ "version": "9.6" }, "package": { - "name": "libxml2", - "version": "0:2.9.13-12.el9_6" + "name": "openssl", + "version": "3.2.2-6.el9_5.1" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-34459", + "vulnerabilityID": "CVE-2024-41996", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "66b25e26e34fcd34", - "name": "libxml2", - "version": "2.9.13-12.el9_6", + "id": "58e683943e8aac02", + "name": "openssl-libs", + "version": "1:3.2.2-6.el9_5.1", "type": "rpm", "locations": [ { 
@@ -983,86 +917,119 @@ ], "language": "", "licenses": [ - "MIT" + "ASL 2.0" ], "cpes": [ - "cpe:2.3:a:libxml2:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*" + "cpe:2.3:a:openssl-libs:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl-libs:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl_libs:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl_libs:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:rpm/redhat/openssl-libs@3.2.2-6.el9_5.1?arch=x86_64&distro=rhel-9.6&epoch=1&upstream=openssl-3.2.2-6.el9_5.1.src.rpm", + "upstreams": [ + { + "name": "openssl", + "version": "3.2.2-6.el9_5.1" + } ], - "purl": "pkg:rpm/redhat/libxml2@2.9.13-12.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libxml2-2.9.13-12.el9_6.src.rpm", - "upstreams": [], "metadataType": "RpmMetadata", "metadata": { - "epoch": null, + "epoch": 1, "modularityLabel": "" } } }, { "vulnerability": { - "id": "CVE-2024-41996", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. 
This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", + "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, - "impactScore": 3.6 + "baseScore": 3.9, + "exploitabilityScore": 1.4, + "impactScore": 2.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ], "fix": { "versions": [], - "state": "wont-fix" + "state": "not-fixed" }, "advisories": [], - "risk": 0.30705000000000005 + "risk": 0.20009999999999997 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-41996", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", "namespace": "nvd:cpe", - "severity": "High", + "severity": "Medium", "urls": [ - "https://dheatattack.gitlab.io/details/", - "https://dheatattack.gitlab.io/faq/", - "https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" + "https://curl.se/docs/CVE-2024-9681.html", + "https://curl.se/docs/CVE-2024-9681.json", + "https://hackerone.com/reports/2764830", + "http://seclists.org/fulldisclosure/2025/Apr/10", + 
"http://seclists.org/fulldisclosure/2025/Apr/11", + "http://seclists.org/fulldisclosure/2025/Apr/12", + "http://seclists.org/fulldisclosure/2025/Apr/13", + "http://seclists.org/fulldisclosure/2025/Apr/4", + "http://seclists.org/fulldisclosure/2025/Apr/5", + "http://seclists.org/fulldisclosure/2025/Apr/8", + "http://seclists.org/fulldisclosure/2025/Apr/9", + "http://www.openwall.com/lists/oss-security/2024/11/06/2", + "https://security.netapp.com/advisory/ntap-20241213-0006/" ], - "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", + "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for 
by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.3, + "impactScore": 4.3 + }, + "vendorMetadata": {} + }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} @@ -1070,25 +1037,25 @@ ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ] } ], "matchDetails": [ { - "type": "exact-direct-match", + "type": "exact-indirect-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { 
@@ -1096,21 +1063,21 @@ "version": "9.6" }, "package": { - "name": "openssl", - "version": "1:3.2.2-6.el9_5.1" + "name": "curl", + "version": "7.76.1-31.el9_6.1" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-41996", + "vulnerabilityID": "CVE-2024-9681", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "7dc75dc862d10c78", - "name": "openssl", - "version": "1:3.2.2-6.el9_5.1", + "id": "707ec843794b77ca", + "name": "curl-minimal", + "version": "7.76.1-31.el9_6.1", "type": "rpm", "locations": [ { 
@@ -1124,86 +1091,119 @@ ], "language": "", "licenses": [ - "ASL 2.0" + "MIT" ], "cpes": [ - "cpe:2.3:a:openssl:openssl:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:openssl:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*" + "cpe:2.3:a:curl-minimal:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:curl-minimal:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:curl_minimal:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:curl_minimal:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:curl:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:curl:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:rpm/redhat/curl-minimal@7.76.1-31.el9_6.1?arch=x86_64&distro=rhel-9.6&upstream=curl-7.76.1-31.el9_6.1.src.rpm", + "upstreams": [ + { + "name": "curl", + "version": "7.76.1-31.el9_6.1" + } ], - "purl": "pkg:rpm/redhat/openssl@3.2.2-6.el9_5.1?arch=x86_64&distro=rhel-9.6&epoch=1&upstream=openssl-3.2.2-6.el9_5.1.src.rpm", - "upstreams": [], "metadataType": "RpmMetadata", "metadata": { - "epoch": 1, + "epoch": null, "modularityLabel": "" } } }, { "vulnerability": { - "id": "CVE-2024-41996", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. 
This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", + "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, - "impactScore": 3.6 + "baseScore": 3.9, + "exploitabilityScore": 1.4, + "impactScore": 2.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ], "fix": { "versions": [], - "state": "wont-fix" + "state": "not-fixed" }, "advisories": [], - "risk": 0.30705000000000005 + "risk": 0.20009999999999997 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-41996", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", "namespace": "nvd:cpe", - "severity": "High", + "severity": "Medium", "urls": [ - "https://dheatattack.gitlab.io/details/", - "https://dheatattack.gitlab.io/faq/", - "https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" + "https://curl.se/docs/CVE-2024-9681.html", + "https://curl.se/docs/CVE-2024-9681.json", + "https://hackerone.com/reports/2764830", + "http://seclists.org/fulldisclosure/2025/Apr/10", + 
"http://seclists.org/fulldisclosure/2025/Apr/11", + "http://seclists.org/fulldisclosure/2025/Apr/12", + "http://seclists.org/fulldisclosure/2025/Apr/13", + "http://seclists.org/fulldisclosure/2025/Apr/4", + "http://seclists.org/fulldisclosure/2025/Apr/5", + "http://seclists.org/fulldisclosure/2025/Apr/8", + "http://seclists.org/fulldisclosure/2025/Apr/9", + "http://www.openwall.com/lists/oss-security/2024/11/06/2", + "https://security.netapp.com/advisory/ntap-20241213-0006/" ], - "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", + "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for 
by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.3, + "impactScore": 4.3 + }, + "vendorMetadata": {} + }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} @@ -1211,18 +1211,18 @@ ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ] } @@ -1237,21 +1237,21 @@ "version": "9.6" }, "package": { - "name": "openssl", - "version": "3.2.2-6.el9_5.1" + "name": "curl", + "version": "7.76.1-31.el9_6.1" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-41996", + "vulnerabilityID": "CVE-2024-9681", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "58e683943e8aac02", - "name": "openssl-libs", - "version": "1:3.2.2-6.el9_5.1", + "id": "220f5f360bc1aff5", + "name": "libcurl-minimal", + "version": "7.76.1-31.el9_6.1", "type": "rpm", "locations": [ { 
@@ -1265,28 +1265,28 @@ ], "language": "", "licenses": [ - "ASL 2.0" + "MIT" ], "cpes": [ - "cpe:2.3:a:openssl-libs:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl-libs:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl_libs:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl_libs:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*" + "cpe:2.3:a:libcurl-minimal:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl-minimal:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl_minimal:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl_minimal:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*" ], - "purl": "pkg:rpm/redhat/openssl-libs@3.2.2-6.el9_5.1?arch=x86_64&distro=rhel-9.6&epoch=1&upstream=openssl-3.2.2-6.el9_5.1.src.rpm", + "purl": "pkg:rpm/redhat/libcurl-minimal@7.76.1-31.el9_6.1?arch=x86_64&distro=rhel-9.6&upstream=curl-7.76.1-31.el9_6.1.src.rpm", "upstreams": [ { - "name": "openssl", - "version": "3.2.2-6.el9_5.1" + "name": "curl", + "version": "7.76.1-31.el9_6.1" } ], "metadataType": "RpmMetadata", "metadata": { - "epoch": 1, + "epoch": null, "modularityLabel": "" } } @@ -1316,8 +1316,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ], "fix": { 
@@ -1361,8 +1361,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ] } @@ -1456,8 +1456,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ], "fix": { @@ -1501,8 +1501,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ] } @@ -1596,8 +1596,8 @@ { "cve": "CVE-2025-14087", "epss": 0.00197, - "percentile": 0.41855, - "date": "2025-12-14" + "percentile": 0.41841, + "date": "2025-12-15" } ], "cwes": [ @@ -1644,8 +1644,8 @@ { "cve": "CVE-2025-14087", "epss": 0.00197, - "percentile": 0.41855, - "date": "2025-12-14" + "percentile": 0.41841, + "date": "2025-12-15" } ], "cwes": [ @@ -1736,8 +1736,8 @@ { "cve": "CVE-2023-32636", "epss": 0.00165, - "percentile": 0.38062, - "date": "2025-12-14" + "percentile": 0.38035, + "date": "2025-12-15" } ], "cwes": [ @@ -1803,8 +1803,8 @@ { "cve": "CVE-2023-32636", "epss": 0.00165, - "percentile": 0.38062, - "date": "2025-12-14" + "percentile": 0.38035, + "date": "2025-12-15" } ], "cwes": [ 
@@ -1878,20 +1878,20 @@ }, { "vulnerability": { - "id": "CVE-2025-1632", - "dataSource": "https://access.redhat.com/security/cve/CVE-2025-1632", + "id": "CVE-2025-27113", + "dataSource": "https://access.redhat.com/security/cve/CVE-2025-27113", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A flaw was found in the bsdunzip utility of libarchive. In affected versions, a specially crafted file may trigger a null pointer dereference. This issue can lead to an application crash or other unexpected behavior.", + "description": "A flaw was found in libxml2. This vulnerability allows a NULL pointer dereference, leading to a potential crash or denial of service via a crafted XML pattern.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L", "metrics": { - "baseScore": 3.3, - "exploitabilityScore": 1.9, + "baseScore": 3.1, + "exploitabilityScore": 1.7, "impactScore": 1.5 }, "vendorMetadata": {} @@ -1899,27 +1899,21 @@ ], "epss": [ { - "cve": "CVE-2025-1632", - "epss": 0.00188, - "percentile": 0.40872, - "date": "2025-12-14" + "cve": "CVE-2025-27113", + "epss": 0.00217, + "percentile": 0.44238, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-1632", - "cwe": "CWE-404", - "source": "cna@vuldb.com", - "type": "Secondary" - }, - { - "cve": "CVE-2025-1632", + "cve": "CVE-2025-27113", "cwe": "CWE-476", - "source": "cna@vuldb.com", + "source": "cve@mitre.org", "type": "Secondary" }, { - "cve": "CVE-2025-1632", + "cve": "CVE-2025-27113", "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" 
@@ -1930,92 +1924,71 @@ "state": "not-fixed" }, "advisories": [], - "risk": 0.05921999999999999 + "risk": 0.066185 }, "relatedVulnerabilities": [ { - "id": "CVE-2025-1632", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-1632", + "id": "CVE-2025-27113", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-27113", "namespace": "nvd:cpe", - "severity": "Medium", + "severity": "High", "urls": [ - "https://github.com/Ekkosun/pocs/blob/main/bsdunzip-poc", - "https://vuldb.com/?ctiid.296619", - "https://vuldb.com/?id.296619", - "https://vuldb.com/?submit.496460" + "https://gitlab.gnome.org/GNOME/libxml2/-/issues/861", + "http://seclists.org/fulldisclosure/2025/Apr/10", + "http://seclists.org/fulldisclosure/2025/Apr/11", + "http://seclists.org/fulldisclosure/2025/Apr/12", + "http://seclists.org/fulldisclosure/2025/Apr/13", + "http://seclists.org/fulldisclosure/2025/Apr/4", + "http://seclists.org/fulldisclosure/2025/Apr/5", + "http://seclists.org/fulldisclosure/2025/Apr/8", + "http://seclists.org/fulldisclosure/2025/Apr/9", + "https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html", + "https://security.netapp.com/advisory/ntap-20250306-0004/" ], - "description": "A vulnerability was found in libarchive up to 3.7.7. It has been classified as problematic. This affects the function list of the file bsdunzip.c. The manipulation leads to null pointer dereference. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. 
The vendor was contacted early about this disclosure but did not respond in any way.", + "description": "libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer dereference in xmlPatMatch in pattern.c.", "cvss": [ { "source": "nvd@nist.gov", "type": "Primary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 5.5, - "exploitabilityScore": 1.9, + "baseScore": 7.5, + "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} }, { - "source": "cna@vuldb.com", - "type": "Secondary", - "version": "4.0", - "vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", - "metrics": { - "baseScore": 4.8 - }, - "vendorMetadata": {} - }, - { - "source": "cna@vuldb.com", + "source": "cve@mitre.org", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "metrics": { - "baseScore": 3.3, - "exploitabilityScore": 1.9, + "baseScore": 2.9, + "exploitabilityScore": 1.5, "impactScore": 1.5 }, "vendorMetadata": {} - }, - { - "source": "cna@vuldb.com", - "type": "Secondary", - "version": "2.0", - "vector": "AV:L/AC:L/Au:S/C:N/I:N/A:P", - "metrics": { - "baseScore": 1.7, - "exploitabilityScore": 3.2, - "impactScore": 2.9 - }, - "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2025-1632", - "epss": 0.00188, - "percentile": 0.40872, - "date": "2025-12-14" + "cve": "CVE-2025-27113", + "epss": 0.00217, + "percentile": 0.44238, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-1632", - "cwe": "CWE-404", - "source": "cna@vuldb.com", - "type": "Secondary" - }, - { - "cve": "CVE-2025-1632", + "cve": "CVE-2025-27113", "cwe": "CWE-476", - "source": "cna@vuldb.com", + "source": "cve@mitre.org", "type": "Secondary" }, { - 
"cve": "CVE-2025-1632", + "cve": "CVE-2025-27113", "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" @@ -2033,21 +2006,21 @@ "version": "9.6" }, "package": { - "name": "libarchive", - "version": "0:3.5.3-6.el9_6" + "name": "libxml2", + "version": "0:2.9.13-12.el9_6" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2025-1632", + "vulnerabilityID": "CVE-2025-27113", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "5fe8b53173092253", - "name": "libarchive", - "version": "3.5.3-6.el9_6", + "id": "66b25e26e34fcd34", + "name": "libxml2", + "version": "2.9.13-12.el9_6", "type": "rpm", "locations": [ { @@ -2061,13 +2034,13 @@ ], "language": "", "licenses": [ - "BSD" + "MIT" ], "cpes": [ - "cpe:2.3:a:libarchive:libarchive:3.5.3-6.el9_6:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libarchive:3.5.3-6.el9_6:*:*:*:*:*:*:*" + "cpe:2.3:a:libxml2:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*" ], - "purl": "pkg:rpm/redhat/libarchive@3.5.3-6.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libarchive-3.5.3-6.el9_6.src.rpm", + "purl": "pkg:rpm/redhat/libxml2@2.9.13-12.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libxml2-2.9.13-12.el9_6.src.rpm", "upstreams": [], "metadataType": "RpmMetadata", "metadata": { 
@@ -2078,20 +2051,20 @@ }, { "vulnerability": { - "id": "CVE-2025-27113", - "dataSource": "https://access.redhat.com/security/cve/CVE-2025-27113", + "id": "CVE-2025-1632", + "dataSource": "https://access.redhat.com/security/cve/CVE-2025-1632", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A flaw was found in libxml2. This vulnerability allows a NULL pointer dereference, leading to a potential crash or denial of service via a crafted XML pattern.", + "description": "A flaw was found in the bsdunzip utility of libarchive. In affected versions, a specially crafted file may trigger a null pointer dereference. This issue can lead to an application crash or other unexpected behavior.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "metrics": { - "baseScore": 3.1, - "exploitabilityScore": 1.7, + "baseScore": 3.3, + "exploitabilityScore": 1.9, "impactScore": 1.5 }, "vendorMetadata": {} @@ -2099,21 +2072,27 @@ ], "epss": [ { - "cve": "CVE-2025-27113", - "epss": 0.00184, - "percentile": 0.40434, - "date": "2025-12-14" + "cve": "CVE-2025-1632", + "epss": 0.00188, + "percentile": 0.40856, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-27113", + "cve": "CVE-2025-1632", + "cwe": "CWE-404", + "source": "cna@vuldb.com", + "type": "Secondary" + }, + { + "cve": "CVE-2025-1632", "cwe": "CWE-476", - "source": "cve@mitre.org", + "source": "cna@vuldb.com", "type": "Secondary" }, { - "cve": "CVE-2025-27113", + "cve": "CVE-2025-1632", "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" 
@@ -2124,71 +2103,92 @@ "state": "not-fixed" }, "advisories": [], - "risk": 0.056119999999999996 + "risk": 0.05921999999999999 }, "relatedVulnerabilities": [ { - "id": "CVE-2025-27113", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-27113", + "id": "CVE-2025-1632", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-1632", "namespace": "nvd:cpe", - "severity": "High", + "severity": "Medium", "urls": [ - "https://gitlab.gnome.org/GNOME/libxml2/-/issues/861", - "http://seclists.org/fulldisclosure/2025/Apr/10", - "http://seclists.org/fulldisclosure/2025/Apr/11", - "http://seclists.org/fulldisclosure/2025/Apr/12", - "http://seclists.org/fulldisclosure/2025/Apr/13", - "http://seclists.org/fulldisclosure/2025/Apr/4", - "http://seclists.org/fulldisclosure/2025/Apr/5", - "http://seclists.org/fulldisclosure/2025/Apr/8", - "http://seclists.org/fulldisclosure/2025/Apr/9", - "https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html", - "https://security.netapp.com/advisory/ntap-20250306-0004/" + "https://github.com/Ekkosun/pocs/blob/main/bsdunzip-poc", + "https://vuldb.com/?ctiid.296619", + "https://vuldb.com/?id.296619", + "https://vuldb.com/?submit.496460" ], - "description": "libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer dereference in xmlPatMatch in pattern.c.", + "description": "A vulnerability was found in libarchive up to 3.7.7. It has been classified as problematic. This affects the function list of the file bsdunzip.c. The manipulation leads to null pointer dereference. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. 
The vendor was contacted early about this disclosure but did not respond in any way.", "cvss": [ { "source": "nvd@nist.gov", "type": "Primary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, + "baseScore": 5.5, + "exploitabilityScore": 1.9, "impactScore": 3.6 }, "vendorMetadata": {} }, { - "source": "cve@mitre.org", + "source": "cna@vuldb.com", + "type": "Secondary", + "version": "4.0", + "vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", + "metrics": { + "baseScore": 4.8 + }, + "vendorMetadata": {} + }, + { + "source": "cna@vuldb.com", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "metrics": { - "baseScore": 2.9, - "exploitabilityScore": 1.5, + "baseScore": 3.3, + "exploitabilityScore": 1.9, "impactScore": 1.5 }, "vendorMetadata": {} + }, + { + "source": "cna@vuldb.com", + "type": "Secondary", + "version": "2.0", + "vector": "AV:L/AC:L/Au:S/C:N/I:N/A:P", + "metrics": { + "baseScore": 1.7, + "exploitabilityScore": 3.2, + "impactScore": 2.9 + }, + "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2025-27113", - "epss": 0.00184, - "percentile": 0.40434, - "date": "2025-12-14" + "cve": "CVE-2025-1632", + "epss": 0.00188, + "percentile": 0.40856, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-27113", + "cve": "CVE-2025-1632", + "cwe": "CWE-404", + "source": "cna@vuldb.com", + "type": "Secondary" + }, + { + "cve": "CVE-2025-1632", "cwe": "CWE-476", - "source": "cve@mitre.org", + "source": "cna@vuldb.com", "type": "Secondary" }, { - "cve": "CVE-2025-27113", + "cve": "CVE-2025-1632", "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" 
@@ -2206,21 +2206,21 @@ "version": "9.6" }, "package": { - "name": "libxml2", - "version": "0:2.9.13-12.el9_6" + "name": "libarchive", + "version": "0:3.5.3-6.el9_6" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2025-27113", + "vulnerabilityID": "CVE-2025-1632", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "66b25e26e34fcd34", - "name": "libxml2", - "version": "2.9.13-12.el9_6", + "id": "5fe8b53173092253", + "name": "libarchive", + "version": "3.5.3-6.el9_6", "type": "rpm", "locations": [ { @@ -2234,13 +2234,13 @@ ], "language": "", "licenses": [ - "MIT" + "BSD" ], "cpes": [ - "cpe:2.3:a:libxml2:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*" + "cpe:2.3:a:libarchive:libarchive:3.5.3-6.el9_6:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libarchive:3.5.3-6.el9_6:*:*:*:*:*:*:*" ], - "purl": "pkg:rpm/redhat/libxml2@2.9.13-12.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libxml2-2.9.13-12.el9_6.src.rpm", + "purl": "pkg:rpm/redhat/libarchive@3.5.3-6.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libarchive-3.5.3-6.el9_6.src.rpm", "upstreams": [], "metadataType": "RpmMetadata", "metadata": { @@ -2274,8 +2274,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ], "fix": { @@ -2316,8 +2316,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ] } @@ -2411,8 +2411,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ], "fix": { @@ -2453,8 +2453,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ] } 
@@ -2548,8 +2548,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -2607,8 +2607,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -2699,8 +2699,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -2758,8 +2758,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -2861,8 +2861,8 @@ { "cve": "CVE-2023-45322", "epss": 0.00076, - "percentile": 0.23163, - "date": "2025-12-14" + "percentile": 0.2314, + "date": "2025-12-15" } ], "cwes": [ @@ -2911,8 +2911,8 @@ { "cve": "CVE-2023-45322", "epss": 0.00076, - "percentile": 0.23163, - "date": "2025-12-14" + "percentile": 0.2314, + "date": "2025-12-15" } ], "cwes": [ @@ -3003,8 +3003,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -3051,8 +3051,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -3143,8 +3143,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -3191,8 +3191,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -3294,8 +3294,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ], "fix": { 
@@ -3337,8 +3337,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ] } @@ -3432,8 +3432,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ], "fix": { @@ -3475,8 +3475,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ] } @@ -3570,8 +3570,8 @@ { "cve": "CVE-2025-3360", "epss": 0.00068, - "percentile": 0.2117, - "date": "2025-12-14" + "percentile": 0.21148, + "date": "2025-12-15" } ], "cwes": [ @@ -3619,8 +3619,8 @@ { "cve": "CVE-2025-3360", "epss": 0.00068, - "percentile": 0.2117, - "date": "2025-12-14" + "percentile": 0.21148, + "date": "2025-12-15" } ], "cwes": [ @@ -3711,8 +3711,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -3772,8 +3772,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -3869,8 +3869,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -3930,8 +3930,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -4027,8 +4027,8 @@ { "cve": "CVE-2025-4598", "epss": 0.00042, - "percentile": 0.12535, - "date": "2025-12-14" + "percentile": 0.12486, + "date": "2025-12-15" } ], "cwes": [ @@ -4100,8 +4100,8 @@ { "cve": "CVE-2025-4598", "epss": 0.00042, - "percentile": 0.12535, - "date": "2025-12-14" + "percentile": 0.12486, + "date": "2025-12-15" } ], "cwes": [ 
@@ -4206,8 +4206,8 @@ { "cve": "CVE-2025-14512", "epss": 0.00034, - "percentile": 0.09609, - "date": "2025-12-14" + "percentile": 0.09535, + "date": "2025-12-15" } ], "cwes": [ @@ -4254,8 +4254,8 @@ { "cve": "CVE-2025-14512", "epss": 0.00034, - "percentile": 0.09609, - "date": "2025-12-14" + "percentile": 0.09535, + "date": "2025-12-15" } ], "cwes": [ @@ -4349,8 +4349,8 @@ { "cve": "CVE-2025-29478", "epss": 0.00034, - "percentile": 0.09478, - "date": "2025-12-14" + "percentile": 0.09393, + "date": "2025-12-15" } ], "cwes": [ @@ -4441,8 +4441,8 @@ { "cve": "CVE-2025-6965", "epss": 0.00022, - "percentile": 0.05249, - "date": "2025-12-14" + "percentile": 0.05222, + "date": "2025-12-15" } ], "cwes": [ @@ -4518,8 +4518,8 @@ { "cve": "CVE-2025-6965", "epss": 0.00022, - "percentile": 0.05249, - "date": "2025-12-14" + "percentile": 0.05222, + "date": "2025-12-15" } ], "cwes": [ @@ -4624,8 +4624,8 @@ { "cve": "CVE-2023-4156", "epss": 0.00031, - "percentile": 0.08475, - "date": "2025-12-14" + "percentile": 0.08405, + "date": "2025-12-15" } ], "cwes": [ @@ -4690,8 +4690,8 @@ { "cve": "CVE-2023-4156", "epss": 0.00031, - "percentile": 0.08475, - "date": "2025-12-14" + "percentile": 0.08405, + "date": "2025-12-15" } ], "cwes": [ @@ -4788,8 +4788,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ @@ -4864,8 +4864,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ @@ -4965,8 +4965,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ @@ -5041,8 +5041,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ 
@@ -5153,8 +5153,8 @@ { "cve": "CVE-2025-9714", "epss": 0.00024, - "percentile": 0.05691, - "date": "2025-12-14" + "percentile": 0.05683, + "date": "2025-12-15" } ], "cwes": [ @@ -5227,8 +5227,8 @@ { "cve": "CVE-2025-9714", "epss": 0.00024, - "percentile": 0.05691, - "date": "2025-12-14" + "percentile": 0.05683, + "date": "2025-12-15" } ], "cwes": [ @@ -5322,8 +5322,8 @@ { "cve": "CVE-2025-60753", "epss": 0.0002, - "percentile": 0.04699, - "date": "2025-12-14" + "percentile": 0.04656, + "date": "2025-12-15" } ], "cwes": [ @@ -5376,8 +5376,8 @@ { "cve": "CVE-2025-60753", "epss": 0.0002, - "percentile": 0.04699, - "date": "2025-12-14" + "percentile": 0.04656, + "date": "2025-12-15" } ], "cwes": [ @@ -5477,8 +5477,8 @@ { "cve": "CVE-2025-29477", "epss": 0.00019, - "percentile": 0.04132, - "date": "2025-12-14" + "percentile": 0.04084, + "date": "2025-12-15" } ], "cwes": [ @@ -5569,8 +5569,8 @@ { "cve": "CVE-2025-13601", "epss": 0.00015, - "percentile": 0.02458, - "date": "2025-12-14" + "percentile": 0.0245, + "date": "2025-12-15" } ], "cwes": [ @@ -5619,8 +5619,8 @@ { "cve": "CVE-2025-13601", "epss": 0.00015, - "percentile": 0.02458, - "date": "2025-12-14" + "percentile": 0.0245, + "date": "2025-12-15" } ], "cwes": [ @@ -5711,8 +5711,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ], "fix": { @@ -5753,8 +5753,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ] } @@ -5848,8 +5848,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ], "fix": { @@ -5890,8 +5890,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ] } 
@@ -5985,8 +5985,8 @@ { "cve": "CVE-2025-5915", "epss": 0.00026, - "percentile": 0.06449, - "date": "2025-12-14" + "percentile": 0.06425, + "date": "2025-12-15" } ], "cwes": [ @@ -6047,8 +6047,8 @@ { "cve": "CVE-2025-5915", "epss": 0.00026, - "percentile": 0.06449, - "date": "2025-12-14" + "percentile": 0.06425, + "date": "2025-12-15" } ], "cwes": [ @@ -6139,8 +6139,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -6192,8 +6192,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -6284,8 +6284,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -6337,8 +6337,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -6440,8 +6440,8 @@ { "cve": "CVE-2025-5916", "epss": 0.00023, - "percentile": 0.05378, - "date": "2025-12-14" + "percentile": 0.05349, + "date": "2025-12-15" } ], "cwes": [ @@ -6502,8 +6502,8 @@ { "cve": "CVE-2025-5916", "epss": 0.00023, - "percentile": 0.05378, - "date": "2025-12-14" + "percentile": 0.05349, + "date": "2025-12-15" } ], "cwes": [ @@ -6594,8 +6594,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -6642,8 +6642,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -6739,8 +6739,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ 
@@ -6787,8 +6787,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -6884,8 +6884,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -6932,8 +6932,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -7029,8 +7029,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -7077,8 +7077,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -7174,8 +7174,8 @@ { "cve": "CVE-2025-5278", "epss": 0.00016, - "percentile": 0.02784, - "date": "2025-12-14" + "percentile": 0.02777, + "date": "2025-12-15" } ], "cwes": [ @@ -7228,8 +7228,8 @@ { "cve": "CVE-2025-5278", "epss": 0.00016, - "percentile": 0.02784, - "date": "2025-12-14" + "percentile": 0.02777, + "date": "2025-12-15" } ], "cwes": [ @@ -7331,8 +7331,8 @@ { "cve": "CVE-2023-30571", "epss": 0.00014, - "percentile": 0.02021, - "date": "2025-12-14" + "percentile": 0.02012, + "date": "2025-12-15" } ], "cwes": [ @@ -7397,8 +7397,8 @@ { "cve": "CVE-2023-30571", "epss": 0.00014, - "percentile": 0.02021, - "date": "2025-12-14" + "percentile": 0.02012, + "date": "2025-12-15" } ], "cwes": [ @@ -7495,8 +7495,8 @@ { "cve": "CVE-2025-30258", "epss": 0.00025, - "percentile": 0.05983, - "date": "2025-12-14" + "percentile": 0.0597, + "date": "2025-12-15" } ], "cwes": [ @@ -7556,8 +7556,8 @@ { "cve": "CVE-2025-30258", "epss": 0.00025, - "percentile": 0.05983, - "date": "2025-12-14" + "percentile": 0.0597, + "date": "2025-12-15" } ], "cwes": [ 
@@ -7648,8 +7648,8 @@ { "cve": "CVE-2024-0232", "epss": 0.00018, - "percentile": 0.03785, - "date": "2025-12-14" + "percentile": 0.03749, + "date": "2025-12-15" } ], "cwes": [ @@ -7716,8 +7716,8 @@ { "cve": "CVE-2024-0232", "epss": 0.00018, - "percentile": 0.03785, - "date": "2025-12-14" + "percentile": 0.03749, + "date": "2025-12-15" } ], "cwes": [ @@ -7825,8 +7825,8 @@ { "cve": "CVE-2025-5918", "epss": 0.00019, - "percentile": 0.04307, - "date": "2025-12-14" + "percentile": 0.04264, + "date": "2025-12-15" } ], "cwes": [ @@ -7887,8 +7887,8 @@ { "cve": "CVE-2025-5918", "epss": 0.00019, - "percentile": 0.04307, - "date": "2025-12-14" + "percentile": 0.04264, + "date": "2025-12-15" } ], "cwes": [ @@ -7979,8 +7979,8 @@ { "cve": "CVE-2022-3219", "epss": 0.00012, - "percentile": 0.01397, - "date": "2025-12-14" + "percentile": 0.01394, + "date": "2025-12-15" } ], "cwes": [ @@ -8049,8 +8049,8 @@ { "cve": "CVE-2022-3219", "epss": 0.00012, - "percentile": 0.01397, - "date": "2025-12-14" + "percentile": 0.01394, + "date": "2025-12-15" } ], "cwes": [ @@ -8147,8 +8147,8 @@ { "cve": "CVE-2025-5917", "epss": 0.00019, - "percentile": 0.04396, - "date": "2025-12-14" + "percentile": 0.04351, + "date": "2025-12-15" } ], "cwes": [ @@ -8209,8 +8209,8 @@ { "cve": "CVE-2025-5917", "epss": 0.00019, - "percentile": 0.04396, - "date": "2025-12-14" + "percentile": 0.04351, + "date": "2025-12-15" } ], "cwes": [ @@ -8301,8 +8301,8 @@ { "cve": "CVE-2025-6170", "epss": 0.00017, - "percentile": 0.03384, - "date": "2025-12-14" + "percentile": 0.03368, + "date": "2025-12-15" } ], "cwes": [ @@ -8362,8 +8362,8 @@ { "cve": "CVE-2025-6170", "epss": 0.00017, - "percentile": 0.03384, - "date": "2025-12-14" + "percentile": 0.03368, + "date": "2025-12-15" } ], "cwes": [ 
@@ -8913,87 +8913,87 @@ "db": { "status": { "schemaVersion": "v6.1.3", - "from": "https://grype.anchore.io/databases/v6/vulnerability-db_v6.1.3_2025-12-15T00:26:22Z_1765786837.tar.zst?checksum=sha256%3A819b50d22f073b9ab2ad3c00d212207037c07e1de037f81b528b58717b758db2", - "built": "2025-12-15T08:20:37Z", + "from": "https://grype.anchore.io/databases/v6/vulnerability-db_v6.1.3_2025-12-16T00:25:11Z_1765880790.tar.zst?checksum=sha256%3Aa8bb3ef2cc68f242e78cda1e451f290ff56a23b1063de65d22a0ac20e16ae5bd", + "built": "2025-12-16T10:26:30Z", "path": ".cache/grype/db/6/vulnerability.db", "valid": true }, "providers": { "alma": { - "captured": "2025-12-15T00:26:29Z", + "captured": "2025-12-16T00:25:17Z", "input": "xxh64:3bae44c7a22f7a7a" }, "alpine": { - "captured": "2025-12-15T00:26:22Z", - "input": "xxh64:a6910ebae352b990" + "captured": "2025-12-16T00:25:13Z", + "input": "xxh64:0d94cc3d895e96e4" }, "amazon": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:d9332811ab10da09" + "captured": "2025-12-16T00:25:14Z", + "input": "xxh64:96351b3c21f16cdd" }, "bitnami": { - "captured": "2025-12-15T00:26:31Z", - "input": "xxh64:1ecf12b668dea077" + "captured": "2025-12-16T00:25:26Z", + "input": "xxh64:01d096e52d6c584d" }, "chainguard": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:c788b1823558ccdc" + "captured": "2025-12-16T00:25:19Z", + "input": "xxh64:aeb142b1fabd05ef" }, "chainguard-libraries": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:61125e10198fff74" + "captured": "2025-12-16T00:25:25Z", + "input": "xxh64:131c1a3e98113468" }, "debian": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:3a0aef0ee5db3f38" + "captured": "2025-12-16T00:25:24Z", + "input": "xxh64:9c5942d58a5f0d0a" }, "echo": { - "captured": "2025-12-15T00:26:34Z", - "input": "xxh64:b407f1052619408a" + "captured": "2025-12-16T00:25:20Z", + "input": "xxh64:e65ed35a7a7899d0" }, "epss": { - "captured": "2025-12-15T00:26:28Z", - "input": "xxh64:05fd1e2ee709d2a5" + "captured": 
"2025-12-16T00:25:21Z", + "input": "xxh64:c443dbaf0209cf17" }, "github": { - "captured": "2025-12-15T00:26:44Z", - "input": "xxh64:3c7fd996a88f1c66" + "captured": "2025-12-16T00:25:21Z", + "input": "xxh64:640038905439d285" }, "kev": { - "captured": "2025-12-15T00:26:23Z", - "input": "xxh64:ed425533655d771d" + "captured": "2025-12-16T00:25:11Z", + "input": "xxh64:c28f5b32e2103243" }, "mariner": { - "captured": "2025-12-15T00:26:32Z", - "input": "xxh64:6fdbff1192df3158" + "captured": "2025-12-16T00:25:18Z", + "input": "xxh64:647810a8c07a63eb" }, "minimos": { - "captured": "2025-12-15T00:26:30Z", - "input": "xxh64:66fa9397e7abbbe3" + "captured": "2025-12-16T00:25:20Z", + "input": "xxh64:24ca3b7889974a27" }, "nvd": { - "captured": "2025-12-15T00:29:34Z", - "input": "xxh64:52a15157244d2eb4" + "captured": "2025-12-16T00:28:18Z", + "input": "xxh64:8ee1877e9a9e680b" }, "oracle": { - "captured": "2025-12-15T00:26:29Z", - "input": "xxh64:a3297070ed6c54c1" + "captured": "2025-12-16T00:25:23Z", + "input": "xxh64:a4416b6b3e4250df" }, "rhel": { - "captured": "2025-12-15T00:27:19Z", - "input": "xxh64:e625d0086bf187f1" + "captured": "2025-12-16T00:26:07Z", + "input": "xxh64:9911b1a567d8f57c" }, "sles": { - "captured": "2025-12-15T00:26:44Z", - "input": "xxh64:baf8228a110f8ba2" + "captured": "2025-12-16T00:25:43Z", + "input": "xxh64:1b717d5f2e45fdee" }, "ubuntu": { - "captured": "2025-12-15T00:27:45Z", - "input": "xxh64:dd0f79d777310979" + "captured": "2025-12-16T00:27:14Z", + "input": "xxh64:2d3097578288b46f" }, "wolfi": { - "captured": "2025-12-15T00:26:25Z", - "input": "xxh64:7f14313934ae61bb" + "captured": "2025-12-16T00:25:19Z", + "input": "xxh64:f85923693eb62700" } } } diff --git a/docs/security/agent/grype-25.10.4.md b/docs/security/agent/grype-25.10.4.md index 013d45f..8db1701 100644 --- a/docs/security/agent/grype-25.10.4.md +++ b/docs/security/agent/grype-25.10.4.md 
@@ -30,16 +30,16 @@ Refer to the [triaged vulnerabilities](https://docs.fluent.do/security/triaged.h | curl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-7264](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7264) | Low | | libcurl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-7264](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7264) | Low | | shadow-utils | 2:4.9-12.el9 | [CVE-2024-56433](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-56433) | Low | -| curl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | -| libcurl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | | libxml2 | 2.9.13-12.el9_6 | [CVE-2024-34459](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34459) | Low | | openssl | 1:3.2.2-6.el9_5.1 | [CVE-2024-41996](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41996) | Low | | openssl-libs | 1:3.2.2-6.el9_5.1 | [CVE-2024-41996](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41996) | Low | +| curl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | +| libcurl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | | curl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-11053](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-11053) | Low | | libcurl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-11053](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-11053) | Low | | glib2 | 2.68.4-16.el9_6.2 | [CVE-2023-32636](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32636) | Low | -| libarchive | 3.5.3-6.el9_6 | [CVE-2025-1632](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1632) | Low | | libxml2 | 2.9.13-12.el9_6 | [CVE-2025-27113](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27113) | Low | +| libarchive | 3.5.3-6.el9_6 | 
[CVE-2025-1632](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1632) | Low | | openssl | 1:3.2.2-6.el9_5.1 | [CVE-2024-13176](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13176) | Low | | openssl-libs | 1:3.2.2-6.el9_5.1 | [CVE-2024-13176](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13176) | Low | | libxml2 | 2.9.13-12.el9_6 | [CVE-2023-45322](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45322) | Low | diff --git a/docs/security/agent/grype-25.10.5.json b/docs/security/agent/grype-25.10.5.json index 21c3f39..9d6c33a 100644 --- a/docs/security/agent/grype-25.10.5.json +++ b/docs/security/agent/grype-25.10.5.json @@ -25,8 +25,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -91,8 +91,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -194,8 +194,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -260,8 +260,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -363,8 +363,8 @@ { "cve": "CVE-2024-56433", "epss": 0.05074, - "percentile": 0.8942, - "date": "2025-12-14" + "percentile": 0.89421, + "date": "2025-12-15" } ], "cwes": [ @@ -426,8 +426,8 @@ { "cve": "CVE-2024-56433", "epss": 0.05074, - "percentile": 0.8942, - "date": "2025-12-14" + "percentile": 0.89421, + "date": "2025-12-15" } ], "cwes": [ 
@@ -504,39 +504,39 @@ }, { "vulnerability": { - "id": "CVE-2024-9681", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", + "id": "CVE-2024-34459", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-34459", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", + "description": "A flaw was found in the xmllint program distributed by the libxml2 package. A buffer over-read in the xmlHTMLPrintFileContext function in the xmllint.c file may be triggered when a crafted file is processed with the xmllint program using the `--htmlout` command line option, causing an application crash and resulting in a denial of service.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 3.9, - "exploitabilityScore": 1.4, - "impactScore": 2.6 + "baseScore": 5.5, + "exploitabilityScore": 1.9, + "impactScore": 3.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-34459", + "epss": 0.00847, + "percentile": 0.74212, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-34459", + "cwe": "CWE-122", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ], "fix": { 
@@ -544,51 +544,36 @@ "state": "not-fixed" }, "advisories": [], - "risk": 0.422625 + "risk": 0.35997500000000004 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-9681", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", + "id": "CVE-2024-34459", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-34459", "namespace": "nvd:cpe", - "severity": "Medium", + "severity": "High", "urls": [ - "https://curl.se/docs/CVE-2024-9681.html", - "https://curl.se/docs/CVE-2024-9681.json", - "https://hackerone.com/reports/2764830", - "http://seclists.org/fulldisclosure/2025/Apr/10", - "http://seclists.org/fulldisclosure/2025/Apr/11", - "http://seclists.org/fulldisclosure/2025/Apr/12", - "http://seclists.org/fulldisclosure/2025/Apr/13", - "http://seclists.org/fulldisclosure/2025/Apr/4", - "http://seclists.org/fulldisclosure/2025/Apr/5", - "http://seclists.org/fulldisclosure/2025/Apr/8", - "http://seclists.org/fulldisclosure/2025/Apr/9", - "http://www.openwall.com/lists/oss-security/2024/11/06/2", - "https://security.netapp.com/advisory/ntap-20241213-0006/" + "https://gitlab.gnome.org/GNOME/libxml2/-/issues/720", + "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.8", + "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.7", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/", + "https://lists.debian.org/debian-lts-announce/2025/07/msg00014.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", + 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/" ], - "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", + "description": "An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. 
Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c.", "cvss": [ - { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", - "metrics": { - "baseScore": 6.5, - "exploitabilityScore": 2.3, - "impactScore": 4.3 - }, - "vendorMetadata": {} - }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, + "baseScore": 7.5, + "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} @@ -596,25 +581,25 @@ ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-34459", + "epss": 0.00847, + "percentile": 0.74212, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-34459", + "cwe": "CWE-122", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ] } ], "matchDetails": [ { - "type": "exact-indirect-match", + "type": "exact-direct-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { @@ -622,21 +607,21 @@ "version": "9.6" }, "package": { - "name": "curl", - "version": "7.76.1-31.el9_6.1" + "name": "libxml2", + "version": "0:2.9.13-12.el9_6" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-9681", + "vulnerabilityID": "CVE-2024-34459", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "707ec843794b77ca", - "name": "curl-minimal", - "version": "7.76.1-31.el9_6.1", + "id": "66b25e26e34fcd34", + "name": "libxml2", + "version": "2.9.13-12.el9_6", "type": "rpm", "locations": [ { 
@@ -653,22 +638,11 @@ "MIT" ], "cpes": [ - "cpe:2.3:a:curl-minimal:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:curl-minimal:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:curl_minimal:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:curl_minimal:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:curl:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:curl:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*" - ], - "purl": "pkg:rpm/redhat/curl-minimal@7.76.1-31.el9_6.1?arch=x86_64&distro=rhel-9.6&upstream=curl-7.76.1-31.el9_6.1.src.rpm", - "upstreams": [ - { - "name": "curl", - "version": "7.76.1-31.el9_6.1" - } + "cpe:2.3:a:libxml2:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*" ], + "purl": "pkg:rpm/redhat/libxml2@2.9.13-12.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libxml2-2.9.13-12.el9_6.src.rpm", + "upstreams": [], "metadataType": "RpmMetadata", "metadata": { "epoch": null, 
@@ -678,91 +652,69 @@ }, { "vulnerability": { - "id": "CVE-2024-9681", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", + "id": "CVE-2024-41996", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", + "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 3.9, - "exploitabilityScore": 1.4, - "impactScore": 2.6 + "baseScore": 5.9, + "exploitabilityScore": 2.3, + "impactScore": 3.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-41996", + "cwe": "CWE-295", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ], "fix": { "versions": [], - "state": "not-fixed" + "state": "wont-fix" }, "advisories": [], - "risk": 0.422625 + "risk": 0.30705000000000005 }, 
"relatedVulnerabilities": [ { - "id": "CVE-2024-9681", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", + "id": "CVE-2024-41996", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", "namespace": "nvd:cpe", - "severity": "Medium", + "severity": "High", "urls": [ - "https://curl.se/docs/CVE-2024-9681.html", - "https://curl.se/docs/CVE-2024-9681.json", - "https://hackerone.com/reports/2764830", - "http://seclists.org/fulldisclosure/2025/Apr/10", - "http://seclists.org/fulldisclosure/2025/Apr/11", - "http://seclists.org/fulldisclosure/2025/Apr/12", - "http://seclists.org/fulldisclosure/2025/Apr/13", - "http://seclists.org/fulldisclosure/2025/Apr/4", - "http://seclists.org/fulldisclosure/2025/Apr/5", - "http://seclists.org/fulldisclosure/2025/Apr/8", - "http://seclists.org/fulldisclosure/2025/Apr/9", - "http://www.openwall.com/lists/oss-security/2024/11/06/2", - "https://security.netapp.com/advisory/ntap-20241213-0006/" + "https://dheatattack.gitlab.io/details/", + "https://dheatattack.gitlab.io/faq/", + "https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" ], - "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug 
is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", + "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", "cvss": [ - { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", - "metrics": { - "baseScore": 6.5, - "exploitabilityScore": 2.3, - "impactScore": 4.3 - }, - "vendorMetadata": {} - }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, + "baseScore": 7.5, + "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} 
@@ -770,25 +722,25 @@ ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-41996", + "cwe": "CWE-295", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ] } ], "matchDetails": [ { - "type": "exact-indirect-match", + "type": "exact-direct-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { @@ -796,21 +748,21 @@ "version": "9.6" }, "package": { - "name": "curl", - "version": "7.76.1-31.el9_6.1" + "name": "openssl", + "version": "1:3.2.2-6.el9_5.1" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-9681", + "vulnerabilityID": "CVE-2024-41996", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "220f5f360bc1aff5", - "name": "libcurl-minimal", - "version": "7.76.1-31.el9_6.1", + "id": "7dc75dc862d10c78", + "name": "openssl", + "version": "1:3.2.2-6.el9_5.1", "type": "rpm", "locations": [ { 
@@ -824,48 +776,37 @@ ], "language": "", "licenses": [ - "MIT" + "ASL 2.0" ], "cpes": [ - "cpe:2.3:a:libcurl-minimal:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl-minimal:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl_minimal:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl_minimal:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*" - ], - "purl": "pkg:rpm/redhat/libcurl-minimal@7.76.1-31.el9_6.1?arch=x86_64&distro=rhel-9.6&upstream=curl-7.76.1-31.el9_6.1.src.rpm", - "upstreams": [ - { - "name": "curl", - "version": "7.76.1-31.el9_6.1" - } + "cpe:2.3:a:openssl:openssl:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:openssl:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*" ], + "purl": "pkg:rpm/redhat/openssl@3.2.2-6.el9_5.1?arch=x86_64&distro=rhel-9.6&epoch=1&upstream=openssl-3.2.2-6.el9_5.1.src.rpm", + "upstreams": [], "metadataType": "RpmMetadata", "metadata": { - "epoch": null, + "epoch": 1, "modularityLabel": "" } } }, { "vulnerability": { - "id": "CVE-2024-34459", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-34459", + "id": "CVE-2024-41996", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A flaw was found in the xmllint program distributed by the libxml2 package. 
A buffer over-read in the xmlHTMLPrintFileContext function in the xmllint.c file may be triggered when a crafted file is processed with the xmllint program using the `--htmlout` command line option, causing an application crash and resulting in a denial of service.", + "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 5.5, - "exploitabilityScore": 1.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} 
@@ -873,52 +814,45 @@ ], "epss": [ { - "cve": "CVE-2024-34459", - "epss": 0.00847, - "percentile": 0.74208, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-34459", - "cwe": "CWE-122", + "cve": "CVE-2024-41996", + "cwe": "CWE-295", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ], "fix": { "versions": [], - "state": "not-fixed" + "state": "wont-fix" }, "advisories": [], - "risk": 0.35997500000000004 + "risk": 0.30705000000000005 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-34459", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-34459", + "id": "CVE-2024-41996", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", "namespace": "nvd:cpe", "severity": "High", "urls": [ - "https://gitlab.gnome.org/GNOME/libxml2/-/issues/720", - "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.8", - "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.7", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/", - "https://lists.debian.org/debian-lts-announce/2025/07/msg00014.html", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/" + "https://dheatattack.gitlab.io/details/", + "https://dheatattack.gitlab.io/faq/", + 
"https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" ], - "description": "An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c.", + "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", "cvss": [ { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { "baseScore": 7.5, "exploitabilityScore": 3.9, @@ -929,16 +863,16 @@ ], "epss": [ { - "cve": "CVE-2024-34459", - "epss": 0.00847, - "percentile": 0.74208, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-34459", - "cwe": "CWE-122", + "cve": "CVE-2024-41996", + "cwe": "CWE-295", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } @@ -947,7 +881,7 @@ ], "matchDetails": [ { - "type": "exact-direct-match", + "type": "exact-indirect-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { 
@@ -955,21 +889,21 @@ "version": "9.6" }, "package": { - "name": "libxml2", - "version": "0:2.9.13-12.el9_6" + "name": "openssl", + "version": "3.2.2-6.el9_5.1" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-34459", + "vulnerabilityID": "CVE-2024-41996", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "66b25e26e34fcd34", - "name": "libxml2", - "version": "2.9.13-12.el9_6", + "id": "58e683943e8aac02", + "name": "openssl-libs", + "version": "1:3.2.2-6.el9_5.1", "type": "rpm", "locations": [ { 
@@ -983,86 +917,119 @@ ], "language": "", "licenses": [ - "MIT" + "ASL 2.0" ], "cpes": [ - "cpe:2.3:a:libxml2:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*" + "cpe:2.3:a:openssl-libs:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl-libs:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl_libs:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl_libs:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:rpm/redhat/openssl-libs@3.2.2-6.el9_5.1?arch=x86_64&distro=rhel-9.6&epoch=1&upstream=openssl-3.2.2-6.el9_5.1.src.rpm", + "upstreams": [ + { + "name": "openssl", + "version": "3.2.2-6.el9_5.1" + } ], - "purl": "pkg:rpm/redhat/libxml2@2.9.13-12.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libxml2-2.9.13-12.el9_6.src.rpm", - "upstreams": [], "metadataType": "RpmMetadata", "metadata": { - "epoch": null, + "epoch": 1, "modularityLabel": "" } } }, { "vulnerability": { - "id": "CVE-2024-41996", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. 
This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", + "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, - "impactScore": 3.6 + "baseScore": 3.9, + "exploitabilityScore": 1.4, + "impactScore": 2.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ], "fix": { "versions": [], - "state": "wont-fix" + "state": "not-fixed" }, "advisories": [], - "risk": 0.30705000000000005 + "risk": 0.20009999999999997 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-41996", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", "namespace": "nvd:cpe", - "severity": "High", + "severity": "Medium", "urls": [ - "https://dheatattack.gitlab.io/details/", - "https://dheatattack.gitlab.io/faq/", - "https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" + "https://curl.se/docs/CVE-2024-9681.html", + "https://curl.se/docs/CVE-2024-9681.json", + "https://hackerone.com/reports/2764830", + "http://seclists.org/fulldisclosure/2025/Apr/10", + 
"http://seclists.org/fulldisclosure/2025/Apr/11", + "http://seclists.org/fulldisclosure/2025/Apr/12", + "http://seclists.org/fulldisclosure/2025/Apr/13", + "http://seclists.org/fulldisclosure/2025/Apr/4", + "http://seclists.org/fulldisclosure/2025/Apr/5", + "http://seclists.org/fulldisclosure/2025/Apr/8", + "http://seclists.org/fulldisclosure/2025/Apr/9", + "http://www.openwall.com/lists/oss-security/2024/11/06/2", + "https://security.netapp.com/advisory/ntap-20241213-0006/" ], - "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", + "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for 
by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.3, + "impactScore": 4.3 + }, + "vendorMetadata": {} + }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} @@ -1070,25 +1037,25 @@ ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ] } ], "matchDetails": [ { - "type": "exact-direct-match", + "type": "exact-indirect-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { 
@@ -1096,21 +1063,21 @@ "version": "9.6" }, "package": { - "name": "openssl", - "version": "1:3.2.2-6.el9_5.1" + "name": "curl", + "version": "7.76.1-31.el9_6.1" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-41996", + "vulnerabilityID": "CVE-2024-9681", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "7dc75dc862d10c78", - "name": "openssl", - "version": "1:3.2.2-6.el9_5.1", + "id": "707ec843794b77ca", + "name": "curl-minimal", + "version": "7.76.1-31.el9_6.1", "type": "rpm", "locations": [ { 
@@ -1124,86 +1091,119 @@ ], "language": "", "licenses": [ - "ASL 2.0" + "MIT" ], "cpes": [ - "cpe:2.3:a:openssl:openssl:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:openssl:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*" + "cpe:2.3:a:curl-minimal:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:curl-minimal:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:curl_minimal:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:curl_minimal:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:curl:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:curl:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:rpm/redhat/curl-minimal@7.76.1-31.el9_6.1?arch=x86_64&distro=rhel-9.6&upstream=curl-7.76.1-31.el9_6.1.src.rpm", + "upstreams": [ + { + "name": "curl", + "version": "7.76.1-31.el9_6.1" + } ], - "purl": "pkg:rpm/redhat/openssl@3.2.2-6.el9_5.1?arch=x86_64&distro=rhel-9.6&epoch=1&upstream=openssl-3.2.2-6.el9_5.1.src.rpm", - "upstreams": [], "metadataType": "RpmMetadata", "metadata": { - "epoch": 1, + "epoch": null, "modularityLabel": "" } } }, { "vulnerability": { - "id": "CVE-2024-41996", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. 
This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", + "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, - "impactScore": 3.6 + "baseScore": 3.9, + "exploitabilityScore": 1.4, + "impactScore": 2.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ], "fix": { "versions": [], - "state": "wont-fix" + "state": "not-fixed" }, "advisories": [], - "risk": 0.30705000000000005 + "risk": 0.20009999999999997 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-41996", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", "namespace": "nvd:cpe", - "severity": "High", + "severity": "Medium", "urls": [ - "https://dheatattack.gitlab.io/details/", - "https://dheatattack.gitlab.io/faq/", - "https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" + "https://curl.se/docs/CVE-2024-9681.html", + "https://curl.se/docs/CVE-2024-9681.json", + "https://hackerone.com/reports/2764830", + "http://seclists.org/fulldisclosure/2025/Apr/10", + 
"http://seclists.org/fulldisclosure/2025/Apr/11", + "http://seclists.org/fulldisclosure/2025/Apr/12", + "http://seclists.org/fulldisclosure/2025/Apr/13", + "http://seclists.org/fulldisclosure/2025/Apr/4", + "http://seclists.org/fulldisclosure/2025/Apr/5", + "http://seclists.org/fulldisclosure/2025/Apr/8", + "http://seclists.org/fulldisclosure/2025/Apr/9", + "http://www.openwall.com/lists/oss-security/2024/11/06/2", + "https://security.netapp.com/advisory/ntap-20241213-0006/" ], - "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", + "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for 
by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.3, + "impactScore": 4.3 + }, + "vendorMetadata": {} + }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} @@ -1211,18 +1211,18 @@ ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ] } @@ -1237,21 +1237,21 @@ "version": "9.6" }, "package": { - "name": "openssl", - "version": "3.2.2-6.el9_5.1" + "name": "curl", + "version": "7.76.1-31.el9_6.1" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-41996", + "vulnerabilityID": "CVE-2024-9681", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "58e683943e8aac02", - "name": "openssl-libs", - "version": "1:3.2.2-6.el9_5.1", + "id": "220f5f360bc1aff5", + "name": "libcurl-minimal", + "version": "7.76.1-31.el9_6.1", "type": "rpm", "locations": [ { 
@@ -1265,28 +1265,28 @@ ], "language": "", "licenses": [ - "ASL 2.0" + "MIT" ], "cpes": [ - "cpe:2.3:a:openssl-libs:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl-libs:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl_libs:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl_libs:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*" + "cpe:2.3:a:libcurl-minimal:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl-minimal:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl_minimal:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl_minimal:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*" ], - "purl": "pkg:rpm/redhat/openssl-libs@3.2.2-6.el9_5.1?arch=x86_64&distro=rhel-9.6&epoch=1&upstream=openssl-3.2.2-6.el9_5.1.src.rpm", + "purl": "pkg:rpm/redhat/libcurl-minimal@7.76.1-31.el9_6.1?arch=x86_64&distro=rhel-9.6&upstream=curl-7.76.1-31.el9_6.1.src.rpm", "upstreams": [ { - "name": "openssl", - "version": "3.2.2-6.el9_5.1" + "name": "curl", + "version": "7.76.1-31.el9_6.1" } ], "metadataType": "RpmMetadata", "metadata": { - "epoch": 1, + "epoch": null, "modularityLabel": "" } } @@ -1316,8 +1316,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ], "fix": { 
@@ -1361,8 +1361,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ] } @@ -1456,8 +1456,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ], "fix": { @@ -1501,8 +1501,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ] } @@ -1596,8 +1596,8 @@ { "cve": "CVE-2025-14087", "epss": 0.00197, - "percentile": 0.41855, - "date": "2025-12-14" + "percentile": 0.41841, + "date": "2025-12-15" } ], "cwes": [ @@ -1644,8 +1644,8 @@ { "cve": "CVE-2025-14087", "epss": 0.00197, - "percentile": 0.41855, - "date": "2025-12-14" + "percentile": 0.41841, + "date": "2025-12-15" } ], "cwes": [ @@ -1736,8 +1736,8 @@ { "cve": "CVE-2023-32636", "epss": 0.00165, - "percentile": 0.38062, - "date": "2025-12-14" + "percentile": 0.38035, + "date": "2025-12-15" } ], "cwes": [ @@ -1803,8 +1803,8 @@ { "cve": "CVE-2023-32636", "epss": 0.00165, - "percentile": 0.38062, - "date": "2025-12-14" + "percentile": 0.38035, + "date": "2025-12-15" } ], "cwes": [ 
@@ -1878,20 +1878,20 @@ }, { "vulnerability": { - "id": "CVE-2025-1632", - "dataSource": "https://access.redhat.com/security/cve/CVE-2025-1632", + "id": "CVE-2025-27113", + "dataSource": "https://access.redhat.com/security/cve/CVE-2025-27113", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A flaw was found in the bsdunzip utility of libarchive. In affected versions, a specially crafted file may trigger a null pointer dereference. This issue can lead to an application crash or other unexpected behavior.", + "description": "A flaw was found in libxml2. This vulnerability allows a NULL pointer dereference, leading to a potential crash or denial of service via a crafted XML pattern.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L", "metrics": { - "baseScore": 3.3, - "exploitabilityScore": 1.9, + "baseScore": 3.1, + "exploitabilityScore": 1.7, "impactScore": 1.5 }, "vendorMetadata": {} @@ -1899,27 +1899,21 @@ ], "epss": [ { - "cve": "CVE-2025-1632", - "epss": 0.00188, - "percentile": 0.40872, - "date": "2025-12-14" + "cve": "CVE-2025-27113", + "epss": 0.00217, + "percentile": 0.44238, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-1632", - "cwe": "CWE-404", - "source": "cna@vuldb.com", - "type": "Secondary" - }, - { - "cve": "CVE-2025-1632", + "cve": "CVE-2025-27113", "cwe": "CWE-476", - "source": "cna@vuldb.com", + "source": "cve@mitre.org", "type": "Secondary" }, { - "cve": "CVE-2025-1632", + "cve": "CVE-2025-27113", "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" 
@@ -1930,92 +1924,71 @@ "state": "not-fixed" }, "advisories": [], - "risk": 0.05921999999999999 + "risk": 0.066185 }, "relatedVulnerabilities": [ { - "id": "CVE-2025-1632", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-1632", + "id": "CVE-2025-27113", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-27113", "namespace": "nvd:cpe", - "severity": "Medium", + "severity": "High", "urls": [ - "https://github.com/Ekkosun/pocs/blob/main/bsdunzip-poc", - "https://vuldb.com/?ctiid.296619", - "https://vuldb.com/?id.296619", - "https://vuldb.com/?submit.496460" + "https://gitlab.gnome.org/GNOME/libxml2/-/issues/861", + "http://seclists.org/fulldisclosure/2025/Apr/10", + "http://seclists.org/fulldisclosure/2025/Apr/11", + "http://seclists.org/fulldisclosure/2025/Apr/12", + "http://seclists.org/fulldisclosure/2025/Apr/13", + "http://seclists.org/fulldisclosure/2025/Apr/4", + "http://seclists.org/fulldisclosure/2025/Apr/5", + "http://seclists.org/fulldisclosure/2025/Apr/8", + "http://seclists.org/fulldisclosure/2025/Apr/9", + "https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html", + "https://security.netapp.com/advisory/ntap-20250306-0004/" ], - "description": "A vulnerability was found in libarchive up to 3.7.7. It has been classified as problematic. This affects the function list of the file bsdunzip.c. The manipulation leads to null pointer dereference. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. 
The vendor was contacted early about this disclosure but did not respond in any way.", + "description": "libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer dereference in xmlPatMatch in pattern.c.", "cvss": [ { "source": "nvd@nist.gov", "type": "Primary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 5.5, - "exploitabilityScore": 1.9, + "baseScore": 7.5, + "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} }, { - "source": "cna@vuldb.com", - "type": "Secondary", - "version": "4.0", - "vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", - "metrics": { - "baseScore": 4.8 - }, - "vendorMetadata": {} - }, - { - "source": "cna@vuldb.com", + "source": "cve@mitre.org", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "metrics": { - "baseScore": 3.3, - "exploitabilityScore": 1.9, + "baseScore": 2.9, + "exploitabilityScore": 1.5, "impactScore": 1.5 }, "vendorMetadata": {} - }, - { - "source": "cna@vuldb.com", - "type": "Secondary", - "version": "2.0", - "vector": "AV:L/AC:L/Au:S/C:N/I:N/A:P", - "metrics": { - "baseScore": 1.7, - "exploitabilityScore": 3.2, - "impactScore": 2.9 - }, - "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2025-1632", - "epss": 0.00188, - "percentile": 0.40872, - "date": "2025-12-14" + "cve": "CVE-2025-27113", + "epss": 0.00217, + "percentile": 0.44238, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-1632", - "cwe": "CWE-404", - "source": "cna@vuldb.com", - "type": "Secondary" - }, - { - "cve": "CVE-2025-1632", + "cve": "CVE-2025-27113", "cwe": "CWE-476", - "source": "cna@vuldb.com", + "source": "cve@mitre.org", "type": "Secondary" }, { - 
"cve": "CVE-2025-1632", + "cve": "CVE-2025-27113", "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" @@ -2033,21 +2006,21 @@ "version": "9.6" }, "package": { - "name": "libarchive", - "version": "0:3.5.3-6.el9_6" + "name": "libxml2", + "version": "0:2.9.13-12.el9_6" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2025-1632", + "vulnerabilityID": "CVE-2025-27113", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "5fe8b53173092253", - "name": "libarchive", - "version": "3.5.3-6.el9_6", + "id": "66b25e26e34fcd34", + "name": "libxml2", + "version": "2.9.13-12.el9_6", "type": "rpm", "locations": [ { @@ -2061,13 +2034,13 @@ ], "language": "", "licenses": [ - "BSD" + "MIT" ], "cpes": [ - "cpe:2.3:a:libarchive:libarchive:3.5.3-6.el9_6:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libarchive:3.5.3-6.el9_6:*:*:*:*:*:*:*" + "cpe:2.3:a:libxml2:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*" ], - "purl": "pkg:rpm/redhat/libarchive@3.5.3-6.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libarchive-3.5.3-6.el9_6.src.rpm", + "purl": "pkg:rpm/redhat/libxml2@2.9.13-12.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libxml2-2.9.13-12.el9_6.src.rpm", "upstreams": [], "metadataType": "RpmMetadata", "metadata": { 
@@ -2078,20 +2051,20 @@ }, { "vulnerability": { - "id": "CVE-2025-27113", - "dataSource": "https://access.redhat.com/security/cve/CVE-2025-27113", + "id": "CVE-2025-1632", + "dataSource": "https://access.redhat.com/security/cve/CVE-2025-1632", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A flaw was found in libxml2. This vulnerability allows a NULL pointer dereference, leading to a potential crash or denial of service via a crafted XML pattern.", + "description": "A flaw was found in the bsdunzip utility of libarchive. In affected versions, a specially crafted file may trigger a null pointer dereference. This issue can lead to an application crash or other unexpected behavior.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "metrics": { - "baseScore": 3.1, - "exploitabilityScore": 1.7, + "baseScore": 3.3, + "exploitabilityScore": 1.9, "impactScore": 1.5 }, "vendorMetadata": {} @@ -2099,21 +2072,27 @@ ], "epss": [ { - "cve": "CVE-2025-27113", - "epss": 0.00184, - "percentile": 0.40434, - "date": "2025-12-14" + "cve": "CVE-2025-1632", + "epss": 0.00188, + "percentile": 0.40856, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-27113", + "cve": "CVE-2025-1632", + "cwe": "CWE-404", + "source": "cna@vuldb.com", + "type": "Secondary" + }, + { + "cve": "CVE-2025-1632", "cwe": "CWE-476", - "source": "cve@mitre.org", + "source": "cna@vuldb.com", "type": "Secondary" }, { - "cve": "CVE-2025-27113", + "cve": "CVE-2025-1632", "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" 
@@ -2124,71 +2103,92 @@ "state": "not-fixed" }, "advisories": [], - "risk": 0.056119999999999996 + "risk": 0.05921999999999999 }, "relatedVulnerabilities": [ { - "id": "CVE-2025-27113", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-27113", + "id": "CVE-2025-1632", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-1632", "namespace": "nvd:cpe", - "severity": "High", + "severity": "Medium", "urls": [ - "https://gitlab.gnome.org/GNOME/libxml2/-/issues/861", - "http://seclists.org/fulldisclosure/2025/Apr/10", - "http://seclists.org/fulldisclosure/2025/Apr/11", - "http://seclists.org/fulldisclosure/2025/Apr/12", - "http://seclists.org/fulldisclosure/2025/Apr/13", - "http://seclists.org/fulldisclosure/2025/Apr/4", - "http://seclists.org/fulldisclosure/2025/Apr/5", - "http://seclists.org/fulldisclosure/2025/Apr/8", - "http://seclists.org/fulldisclosure/2025/Apr/9", - "https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html", - "https://security.netapp.com/advisory/ntap-20250306-0004/" + "https://github.com/Ekkosun/pocs/blob/main/bsdunzip-poc", + "https://vuldb.com/?ctiid.296619", + "https://vuldb.com/?id.296619", + "https://vuldb.com/?submit.496460" ], - "description": "libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer dereference in xmlPatMatch in pattern.c.", + "description": "A vulnerability was found in libarchive up to 3.7.7. It has been classified as problematic. This affects the function list of the file bsdunzip.c. The manipulation leads to null pointer dereference. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. 
The vendor was contacted early about this disclosure but did not respond in any way.", "cvss": [ { "source": "nvd@nist.gov", "type": "Primary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, + "baseScore": 5.5, + "exploitabilityScore": 1.9, "impactScore": 3.6 }, "vendorMetadata": {} }, { - "source": "cve@mitre.org", + "source": "cna@vuldb.com", + "type": "Secondary", + "version": "4.0", + "vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", + "metrics": { + "baseScore": 4.8 + }, + "vendorMetadata": {} + }, + { + "source": "cna@vuldb.com", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "metrics": { - "baseScore": 2.9, - "exploitabilityScore": 1.5, + "baseScore": 3.3, + "exploitabilityScore": 1.9, "impactScore": 1.5 }, "vendorMetadata": {} + }, + { + "source": "cna@vuldb.com", + "type": "Secondary", + "version": "2.0", + "vector": "AV:L/AC:L/Au:S/C:N/I:N/A:P", + "metrics": { + "baseScore": 1.7, + "exploitabilityScore": 3.2, + "impactScore": 2.9 + }, + "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2025-27113", - "epss": 0.00184, - "percentile": 0.40434, - "date": "2025-12-14" + "cve": "CVE-2025-1632", + "epss": 0.00188, + "percentile": 0.40856, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-27113", + "cve": "CVE-2025-1632", + "cwe": "CWE-404", + "source": "cna@vuldb.com", + "type": "Secondary" + }, + { + "cve": "CVE-2025-1632", "cwe": "CWE-476", - "source": "cve@mitre.org", + "source": "cna@vuldb.com", "type": "Secondary" }, { - "cve": "CVE-2025-27113", + "cve": "CVE-2025-1632", "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" 
@@ -2206,21 +2206,21 @@ "version": "9.6" }, "package": { - "name": "libxml2", - "version": "0:2.9.13-12.el9_6" + "name": "libarchive", + "version": "0:3.5.3-6.el9_6" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2025-27113", + "vulnerabilityID": "CVE-2025-1632", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "66b25e26e34fcd34", - "name": "libxml2", - "version": "2.9.13-12.el9_6", + "id": "5fe8b53173092253", + "name": "libarchive", + "version": "3.5.3-6.el9_6", "type": "rpm", "locations": [ { @@ -2234,13 +2234,13 @@ ], "language": "", "licenses": [ - "MIT" + "BSD" ], "cpes": [ - "cpe:2.3:a:libxml2:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*" + "cpe:2.3:a:libarchive:libarchive:3.5.3-6.el9_6:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libarchive:3.5.3-6.el9_6:*:*:*:*:*:*:*" ], - "purl": "pkg:rpm/redhat/libxml2@2.9.13-12.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libxml2-2.9.13-12.el9_6.src.rpm", + "purl": "pkg:rpm/redhat/libarchive@3.5.3-6.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libarchive-3.5.3-6.el9_6.src.rpm", "upstreams": [], "metadataType": "RpmMetadata", "metadata": { @@ -2274,8 +2274,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ], "fix": { @@ -2316,8 +2316,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ] } @@ -2411,8 +2411,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ], "fix": { @@ -2453,8 +2453,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ] } 
@@ -2548,8 +2548,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -2607,8 +2607,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -2699,8 +2699,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -2758,8 +2758,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -2861,8 +2861,8 @@ { "cve": "CVE-2023-45322", "epss": 0.00076, - "percentile": 0.23163, - "date": "2025-12-14" + "percentile": 0.2314, + "date": "2025-12-15" } ], "cwes": [ @@ -2911,8 +2911,8 @@ { "cve": "CVE-2023-45322", "epss": 0.00076, - "percentile": 0.23163, - "date": "2025-12-14" + "percentile": 0.2314, + "date": "2025-12-15" } ], "cwes": [ @@ -3003,8 +3003,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -3051,8 +3051,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -3143,8 +3143,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -3191,8 +3191,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -3294,8 +3294,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ], "fix": { 
@@ -3337,8 +3337,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ] } @@ -3432,8 +3432,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ], "fix": { @@ -3475,8 +3475,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ] } @@ -3570,8 +3570,8 @@ { "cve": "CVE-2025-3360", "epss": 0.00068, - "percentile": 0.2117, - "date": "2025-12-14" + "percentile": 0.21148, + "date": "2025-12-15" } ], "cwes": [ @@ -3619,8 +3619,8 @@ { "cve": "CVE-2025-3360", "epss": 0.00068, - "percentile": 0.2117, - "date": "2025-12-14" + "percentile": 0.21148, + "date": "2025-12-15" } ], "cwes": [ @@ -3711,8 +3711,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -3772,8 +3772,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -3869,8 +3869,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -3930,8 +3930,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -4027,8 +4027,8 @@ { "cve": "CVE-2025-4598", "epss": 0.00042, - "percentile": 0.12535, - "date": "2025-12-14" + "percentile": 0.12486, + "date": "2025-12-15" } ], "cwes": [ @@ -4100,8 +4100,8 @@ { "cve": "CVE-2025-4598", "epss": 0.00042, - "percentile": 0.12535, - "date": "2025-12-14" + "percentile": 0.12486, + "date": "2025-12-15" } ], "cwes": [ 
@@ -4206,8 +4206,8 @@ { "cve": "CVE-2025-14512", "epss": 0.00034, - "percentile": 0.09609, - "date": "2025-12-14" + "percentile": 0.09535, + "date": "2025-12-15" } ], "cwes": [ @@ -4254,8 +4254,8 @@ { "cve": "CVE-2025-14512", "epss": 0.00034, - "percentile": 0.09609, - "date": "2025-12-14" + "percentile": 0.09535, + "date": "2025-12-15" } ], "cwes": [ @@ -4349,8 +4349,8 @@ { "cve": "CVE-2025-29478", "epss": 0.00034, - "percentile": 0.09478, - "date": "2025-12-14" + "percentile": 0.09393, + "date": "2025-12-15" } ], "cwes": [ @@ -4441,8 +4441,8 @@ { "cve": "CVE-2025-6965", "epss": 0.00022, - "percentile": 0.05249, - "date": "2025-12-14" + "percentile": 0.05222, + "date": "2025-12-15" } ], "cwes": [ @@ -4518,8 +4518,8 @@ { "cve": "CVE-2025-6965", "epss": 0.00022, - "percentile": 0.05249, - "date": "2025-12-14" + "percentile": 0.05222, + "date": "2025-12-15" } ], "cwes": [ @@ -4624,8 +4624,8 @@ { "cve": "CVE-2023-4156", "epss": 0.00031, - "percentile": 0.08475, - "date": "2025-12-14" + "percentile": 0.08405, + "date": "2025-12-15" } ], "cwes": [ @@ -4690,8 +4690,8 @@ { "cve": "CVE-2023-4156", "epss": 0.00031, - "percentile": 0.08475, - "date": "2025-12-14" + "percentile": 0.08405, + "date": "2025-12-15" } ], "cwes": [ @@ -4788,8 +4788,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ @@ -4864,8 +4864,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ @@ -4965,8 +4965,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ @@ -5041,8 +5041,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ 
@@ -5153,8 +5153,8 @@ { "cve": "CVE-2025-9714", "epss": 0.00024, - "percentile": 0.05691, - "date": "2025-12-14" + "percentile": 0.05683, + "date": "2025-12-15" } ], "cwes": [ @@ -5227,8 +5227,8 @@ { "cve": "CVE-2025-9714", "epss": 0.00024, - "percentile": 0.05691, - "date": "2025-12-14" + "percentile": 0.05683, + "date": "2025-12-15" } ], "cwes": [ @@ -5322,8 +5322,8 @@ { "cve": "CVE-2025-60753", "epss": 0.0002, - "percentile": 0.04699, - "date": "2025-12-14" + "percentile": 0.04656, + "date": "2025-12-15" } ], "cwes": [ @@ -5376,8 +5376,8 @@ { "cve": "CVE-2025-60753", "epss": 0.0002, - "percentile": 0.04699, - "date": "2025-12-14" + "percentile": 0.04656, + "date": "2025-12-15" } ], "cwes": [ @@ -5477,8 +5477,8 @@ { "cve": "CVE-2025-29477", "epss": 0.00019, - "percentile": 0.04132, - "date": "2025-12-14" + "percentile": 0.04084, + "date": "2025-12-15" } ], "cwes": [ @@ -5569,8 +5569,8 @@ { "cve": "CVE-2025-13601", "epss": 0.00015, - "percentile": 0.02458, - "date": "2025-12-14" + "percentile": 0.0245, + "date": "2025-12-15" } ], "cwes": [ @@ -5619,8 +5619,8 @@ { "cve": "CVE-2025-13601", "epss": 0.00015, - "percentile": 0.02458, - "date": "2025-12-14" + "percentile": 0.0245, + "date": "2025-12-15" } ], "cwes": [ @@ -5711,8 +5711,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ], "fix": { @@ -5753,8 +5753,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ] } @@ -5848,8 +5848,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ], "fix": { @@ -5890,8 +5890,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ] } 
@@ -5985,8 +5985,8 @@ { "cve": "CVE-2025-5915", "epss": 0.00026, - "percentile": 0.06449, - "date": "2025-12-14" + "percentile": 0.06425, + "date": "2025-12-15" } ], "cwes": [ @@ -6047,8 +6047,8 @@ { "cve": "CVE-2025-5915", "epss": 0.00026, - "percentile": 0.06449, - "date": "2025-12-14" + "percentile": 0.06425, + "date": "2025-12-15" } ], "cwes": [ @@ -6139,8 +6139,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -6192,8 +6192,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -6284,8 +6284,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -6337,8 +6337,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -6440,8 +6440,8 @@ { "cve": "CVE-2025-5916", "epss": 0.00023, - "percentile": 0.05378, - "date": "2025-12-14" + "percentile": 0.05349, + "date": "2025-12-15" } ], "cwes": [ @@ -6502,8 +6502,8 @@ { "cve": "CVE-2025-5916", "epss": 0.00023, - "percentile": 0.05378, - "date": "2025-12-14" + "percentile": 0.05349, + "date": "2025-12-15" } ], "cwes": [ @@ -6594,8 +6594,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -6642,8 +6642,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -6739,8 +6739,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ 
@@ -6787,8 +6787,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -6884,8 +6884,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -6932,8 +6932,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -7029,8 +7029,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -7077,8 +7077,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -7174,8 +7174,8 @@ { "cve": "CVE-2025-5278", "epss": 0.00016, - "percentile": 0.02784, - "date": "2025-12-14" + "percentile": 0.02777, + "date": "2025-12-15" } ], "cwes": [ @@ -7228,8 +7228,8 @@ { "cve": "CVE-2025-5278", "epss": 0.00016, - "percentile": 0.02784, - "date": "2025-12-14" + "percentile": 0.02777, + "date": "2025-12-15" } ], "cwes": [ @@ -7331,8 +7331,8 @@ { "cve": "CVE-2023-30571", "epss": 0.00014, - "percentile": 0.02021, - "date": "2025-12-14" + "percentile": 0.02012, + "date": "2025-12-15" } ], "cwes": [ @@ -7397,8 +7397,8 @@ { "cve": "CVE-2023-30571", "epss": 0.00014, - "percentile": 0.02021, - "date": "2025-12-14" + "percentile": 0.02012, + "date": "2025-12-15" } ], "cwes": [ @@ -7495,8 +7495,8 @@ { "cve": "CVE-2025-30258", "epss": 0.00025, - "percentile": 0.05983, - "date": "2025-12-14" + "percentile": 0.0597, + "date": "2025-12-15" } ], "cwes": [ @@ -7556,8 +7556,8 @@ { "cve": "CVE-2025-30258", "epss": 0.00025, - "percentile": 0.05983, - "date": "2025-12-14" + "percentile": 0.0597, + "date": "2025-12-15" } ], "cwes": [ 
@@ -7648,8 +7648,8 @@ { "cve": "CVE-2024-0232", "epss": 0.00018, - "percentile": 0.03785, - "date": "2025-12-14" + "percentile": 0.03749, + "date": "2025-12-15" } ], "cwes": [ @@ -7716,8 +7716,8 @@ { "cve": "CVE-2024-0232", "epss": 0.00018, - "percentile": 0.03785, - "date": "2025-12-14" + "percentile": 0.03749, + "date": "2025-12-15" } ], "cwes": [ @@ -7825,8 +7825,8 @@ { "cve": "CVE-2025-5918", "epss": 0.00019, - "percentile": 0.04307, - "date": "2025-12-14" + "percentile": 0.04264, + "date": "2025-12-15" } ], "cwes": [ @@ -7887,8 +7887,8 @@ { "cve": "CVE-2025-5918", "epss": 0.00019, - "percentile": 0.04307, - "date": "2025-12-14" + "percentile": 0.04264, + "date": "2025-12-15" } ], "cwes": [ @@ -7979,8 +7979,8 @@ { "cve": "CVE-2022-3219", "epss": 0.00012, - "percentile": 0.01397, - "date": "2025-12-14" + "percentile": 0.01394, + "date": "2025-12-15" } ], "cwes": [ @@ -8049,8 +8049,8 @@ { "cve": "CVE-2022-3219", "epss": 0.00012, - "percentile": 0.01397, - "date": "2025-12-14" + "percentile": 0.01394, + "date": "2025-12-15" } ], "cwes": [ @@ -8147,8 +8147,8 @@ { "cve": "CVE-2025-5917", "epss": 0.00019, - "percentile": 0.04396, - "date": "2025-12-14" + "percentile": 0.04351, + "date": "2025-12-15" } ], "cwes": [ @@ -8209,8 +8209,8 @@ { "cve": "CVE-2025-5917", "epss": 0.00019, - "percentile": 0.04396, - "date": "2025-12-14" + "percentile": 0.04351, + "date": "2025-12-15" } ], "cwes": [ @@ -8301,8 +8301,8 @@ { "cve": "CVE-2025-6170", "epss": 0.00017, - "percentile": 0.03384, - "date": "2025-12-14" + "percentile": 0.03368, + "date": "2025-12-15" } ], "cwes": [ @@ -8362,8 +8362,8 @@ { "cve": "CVE-2025-6170", "epss": 0.00017, - "percentile": 0.03384, - "date": "2025-12-14" + "percentile": 0.03368, + "date": "2025-12-15" } ], "cwes": [ 
@@ -8913,87 +8913,87 @@ "db": { "status": { "schemaVersion": "v6.1.3", - "from": "https://grype.anchore.io/databases/v6/vulnerability-db_v6.1.3_2025-12-15T00:26:22Z_1765786837.tar.zst?checksum=sha256%3A819b50d22f073b9ab2ad3c00d212207037c07e1de037f81b528b58717b758db2", - "built": "2025-12-15T08:20:37Z", + "from": "https://grype.anchore.io/databases/v6/vulnerability-db_v6.1.3_2025-12-16T00:25:11Z_1765880790.tar.zst?checksum=sha256%3Aa8bb3ef2cc68f242e78cda1e451f290ff56a23b1063de65d22a0ac20e16ae5bd", + "built": "2025-12-16T10:26:30Z", "path": ".cache/grype/db/6/vulnerability.db", "valid": true }, "providers": { "alma": { - "captured": "2025-12-15T00:26:29Z", + "captured": "2025-12-16T00:25:17Z", "input": "xxh64:3bae44c7a22f7a7a" }, "alpine": { - "captured": "2025-12-15T00:26:22Z", - "input": "xxh64:a6910ebae352b990" + "captured": "2025-12-16T00:25:13Z", + "input": "xxh64:0d94cc3d895e96e4" }, "amazon": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:d9332811ab10da09" + "captured": "2025-12-16T00:25:14Z", + "input": "xxh64:96351b3c21f16cdd" }, "bitnami": { - "captured": "2025-12-15T00:26:31Z", - "input": "xxh64:1ecf12b668dea077" + "captured": "2025-12-16T00:25:26Z", + "input": "xxh64:01d096e52d6c584d" }, "chainguard": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:c788b1823558ccdc" + "captured": "2025-12-16T00:25:19Z", + "input": "xxh64:aeb142b1fabd05ef" }, "chainguard-libraries": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:61125e10198fff74" + "captured": "2025-12-16T00:25:25Z", + "input": "xxh64:131c1a3e98113468" }, "debian": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:3a0aef0ee5db3f38" + "captured": "2025-12-16T00:25:24Z", + "input": "xxh64:9c5942d58a5f0d0a" }, "echo": { - "captured": "2025-12-15T00:26:34Z", - "input": "xxh64:b407f1052619408a" + "captured": "2025-12-16T00:25:20Z", + "input": "xxh64:e65ed35a7a7899d0" }, "epss": { - "captured": "2025-12-15T00:26:28Z", - "input": "xxh64:05fd1e2ee709d2a5" + "captured": 
"2025-12-16T00:25:21Z", + "input": "xxh64:c443dbaf0209cf17" }, "github": { - "captured": "2025-12-15T00:26:44Z", - "input": "xxh64:3c7fd996a88f1c66" + "captured": "2025-12-16T00:25:21Z", + "input": "xxh64:640038905439d285" }, "kev": { - "captured": "2025-12-15T00:26:23Z", - "input": "xxh64:ed425533655d771d" + "captured": "2025-12-16T00:25:11Z", + "input": "xxh64:c28f5b32e2103243" }, "mariner": { - "captured": "2025-12-15T00:26:32Z", - "input": "xxh64:6fdbff1192df3158" + "captured": "2025-12-16T00:25:18Z", + "input": "xxh64:647810a8c07a63eb" }, "minimos": { - "captured": "2025-12-15T00:26:30Z", - "input": "xxh64:66fa9397e7abbbe3" + "captured": "2025-12-16T00:25:20Z", + "input": "xxh64:24ca3b7889974a27" }, "nvd": { - "captured": "2025-12-15T00:29:34Z", - "input": "xxh64:52a15157244d2eb4" + "captured": "2025-12-16T00:28:18Z", + "input": "xxh64:8ee1877e9a9e680b" }, "oracle": { - "captured": "2025-12-15T00:26:29Z", - "input": "xxh64:a3297070ed6c54c1" + "captured": "2025-12-16T00:25:23Z", + "input": "xxh64:a4416b6b3e4250df" }, "rhel": { - "captured": "2025-12-15T00:27:19Z", - "input": "xxh64:e625d0086bf187f1" + "captured": "2025-12-16T00:26:07Z", + "input": "xxh64:9911b1a567d8f57c" }, "sles": { - "captured": "2025-12-15T00:26:44Z", - "input": "xxh64:baf8228a110f8ba2" + "captured": "2025-12-16T00:25:43Z", + "input": "xxh64:1b717d5f2e45fdee" }, "ubuntu": { - "captured": "2025-12-15T00:27:45Z", - "input": "xxh64:dd0f79d777310979" + "captured": "2025-12-16T00:27:14Z", + "input": "xxh64:2d3097578288b46f" }, "wolfi": { - "captured": "2025-12-15T00:26:25Z", - "input": "xxh64:7f14313934ae61bb" + "captured": "2025-12-16T00:25:19Z", + "input": "xxh64:f85923693eb62700" } } } diff --git a/docs/security/agent/grype-25.10.5.md b/docs/security/agent/grype-25.10.5.md index 2be7740..554c6be 100644 --- a/docs/security/agent/grype-25.10.5.md +++ b/docs/security/agent/grype-25.10.5.md 
@@ -30,16 +30,16 @@ Refer to the [triaged vulnerabilities](https://docs.fluent.do/security/triaged.h | curl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-7264](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7264) | Low | | libcurl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-7264](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7264) | Low | | shadow-utils | 2:4.9-12.el9 | [CVE-2024-56433](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-56433) | Low | -| curl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | -| libcurl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | | libxml2 | 2.9.13-12.el9_6 | [CVE-2024-34459](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34459) | Low | | openssl | 1:3.2.2-6.el9_5.1 | [CVE-2024-41996](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41996) | Low | | openssl-libs | 1:3.2.2-6.el9_5.1 | [CVE-2024-41996](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41996) | Low | +| curl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | +| libcurl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | | curl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-11053](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-11053) | Low | | libcurl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-11053](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-11053) | Low | | glib2 | 2.68.4-16.el9_6.2 | [CVE-2023-32636](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32636) | Low | -| libarchive | 3.5.3-6.el9_6 | [CVE-2025-1632](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1632) | Low | | libxml2 | 2.9.13-12.el9_6 | [CVE-2025-27113](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27113) | Low | +| libarchive | 3.5.3-6.el9_6 | 
[CVE-2025-1632](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1632) | Low | | openssl | 1:3.2.2-6.el9_5.1 | [CVE-2024-13176](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13176) | Low | | openssl-libs | 1:3.2.2-6.el9_5.1 | [CVE-2024-13176](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13176) | Low | | libxml2 | 2.9.13-12.el9_6 | [CVE-2023-45322](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45322) | Low | diff --git a/docs/security/agent/grype-25.10.6.json b/docs/security/agent/grype-25.10.6.json index 0a4f878..a2d3487 100644 --- a/docs/security/agent/grype-25.10.6.json +++ b/docs/security/agent/grype-25.10.6.json @@ -25,8 +25,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -91,8 +91,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -194,8 +194,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -260,8 +260,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -363,8 +363,8 @@ { "cve": "CVE-2024-56433", "epss": 0.05074, - "percentile": 0.8942, - "date": "2025-12-14" + "percentile": 0.89421, + "date": "2025-12-15" } ], "cwes": [ @@ -426,8 +426,8 @@ { "cve": "CVE-2024-56433", "epss": 0.05074, - "percentile": 0.8942, - "date": "2025-12-14" + "percentile": 0.89421, + "date": "2025-12-15" } ], "cwes": [ 
@@ -504,39 +504,39 @@ }, { "vulnerability": { - "id": "CVE-2024-9681", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", + "id": "CVE-2024-34459", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-34459", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", + "description": "A flaw was found in the xmllint program distributed by the libxml2 package. A buffer over-read in the xmlHTMLPrintFileContext function in the xmllint.c file may be triggered when a crafted file is processed with the xmllint program using the `--htmlout` command line option, causing an application crash and resulting in a denial of service.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 3.9, - "exploitabilityScore": 1.4, - "impactScore": 2.6 + "baseScore": 5.5, + "exploitabilityScore": 1.9, + "impactScore": 3.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-34459", + "epss": 0.00847, + "percentile": 0.74212, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-34459", + "cwe": "CWE-122", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ], "fix": { 
@@ -544,51 +544,36 @@ "state": "not-fixed" }, "advisories": [], - "risk": 0.422625 + "risk": 0.35997500000000004 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-9681", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", + "id": "CVE-2024-34459", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-34459", "namespace": "nvd:cpe", - "severity": "Medium", + "severity": "High", "urls": [ - "https://curl.se/docs/CVE-2024-9681.html", - "https://curl.se/docs/CVE-2024-9681.json", - "https://hackerone.com/reports/2764830", - "http://seclists.org/fulldisclosure/2025/Apr/10", - "http://seclists.org/fulldisclosure/2025/Apr/11", - "http://seclists.org/fulldisclosure/2025/Apr/12", - "http://seclists.org/fulldisclosure/2025/Apr/13", - "http://seclists.org/fulldisclosure/2025/Apr/4", - "http://seclists.org/fulldisclosure/2025/Apr/5", - "http://seclists.org/fulldisclosure/2025/Apr/8", - "http://seclists.org/fulldisclosure/2025/Apr/9", - "http://www.openwall.com/lists/oss-security/2024/11/06/2", - "https://security.netapp.com/advisory/ntap-20241213-0006/" + "https://gitlab.gnome.org/GNOME/libxml2/-/issues/720", + "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.8", + "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.7", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/", + "https://lists.debian.org/debian-lts-announce/2025/07/msg00014.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", + 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/" ], - "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", + "description": "An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. 
Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c.", "cvss": [ - { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", - "metrics": { - "baseScore": 6.5, - "exploitabilityScore": 2.3, - "impactScore": 4.3 - }, - "vendorMetadata": {} - }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, + "baseScore": 7.5, + "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} @@ -596,25 +581,25 @@ ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-34459", + "epss": 0.00847, + "percentile": 0.74212, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-34459", + "cwe": "CWE-122", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ] } ], "matchDetails": [ { - "type": "exact-indirect-match", + "type": "exact-direct-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { @@ -622,21 +607,21 @@ "version": "9.6" }, "package": { - "name": "curl", - "version": "7.76.1-31.el9_6.1" + "name": "libxml2", + "version": "0:2.9.13-12.el9_6" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-9681", + "vulnerabilityID": "CVE-2024-34459", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "707ec843794b77ca", - "name": "curl-minimal", - "version": "7.76.1-31.el9_6.1", + "id": "66b25e26e34fcd34", + "name": "libxml2", + "version": "2.9.13-12.el9_6", "type": "rpm", "locations": [ { 
@@ -653,22 +638,11 @@ "MIT" ], "cpes": [ - "cpe:2.3:a:curl-minimal:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:curl-minimal:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:curl_minimal:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:curl_minimal:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:curl:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:curl:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*" - ], - "purl": "pkg:rpm/redhat/curl-minimal@7.76.1-31.el9_6.1?arch=x86_64&distro=rhel-9.6&upstream=curl-7.76.1-31.el9_6.1.src.rpm", - "upstreams": [ - { - "name": "curl", - "version": "7.76.1-31.el9_6.1" - } + "cpe:2.3:a:libxml2:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*" ], + "purl": "pkg:rpm/redhat/libxml2@2.9.13-12.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libxml2-2.9.13-12.el9_6.src.rpm", + "upstreams": [], "metadataType": "RpmMetadata", "metadata": { "epoch": null, 
@@ -678,91 +652,69 @@ }, { "vulnerability": { - "id": "CVE-2024-9681", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", + "id": "CVE-2024-41996", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", + "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 3.9, - "exploitabilityScore": 1.4, - "impactScore": 2.6 + "baseScore": 5.9, + "exploitabilityScore": 2.3, + "impactScore": 3.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-41996", + "cwe": "CWE-295", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ], "fix": { "versions": [], - "state": "not-fixed" + "state": "wont-fix" }, "advisories": [], - "risk": 0.422625 + "risk": 0.30705000000000005 }, 
"relatedVulnerabilities": [ { - "id": "CVE-2024-9681", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", + "id": "CVE-2024-41996", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", "namespace": "nvd:cpe", - "severity": "Medium", + "severity": "High", "urls": [ - "https://curl.se/docs/CVE-2024-9681.html", - "https://curl.se/docs/CVE-2024-9681.json", - "https://hackerone.com/reports/2764830", - "http://seclists.org/fulldisclosure/2025/Apr/10", - "http://seclists.org/fulldisclosure/2025/Apr/11", - "http://seclists.org/fulldisclosure/2025/Apr/12", - "http://seclists.org/fulldisclosure/2025/Apr/13", - "http://seclists.org/fulldisclosure/2025/Apr/4", - "http://seclists.org/fulldisclosure/2025/Apr/5", - "http://seclists.org/fulldisclosure/2025/Apr/8", - "http://seclists.org/fulldisclosure/2025/Apr/9", - "http://www.openwall.com/lists/oss-security/2024/11/06/2", - "https://security.netapp.com/advisory/ntap-20241213-0006/" + "https://dheatattack.gitlab.io/details/", + "https://dheatattack.gitlab.io/faq/", + "https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" ], - "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug 
is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", + "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", "cvss": [ - { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", - "metrics": { - "baseScore": 6.5, - "exploitabilityScore": 2.3, - "impactScore": 4.3 - }, - "vendorMetadata": {} - }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, + "baseScore": 7.5, + "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} 
@@ -770,25 +722,25 @@ ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-41996", + "cwe": "CWE-295", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ] } ], "matchDetails": [ { - "type": "exact-indirect-match", + "type": "exact-direct-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { @@ -796,21 +748,21 @@ "version": "9.6" }, "package": { - "name": "curl", - "version": "7.76.1-31.el9_6.1" + "name": "openssl", + "version": "1:3.2.2-6.el9_5.1" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-9681", + "vulnerabilityID": "CVE-2024-41996", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "220f5f360bc1aff5", - "name": "libcurl-minimal", - "version": "7.76.1-31.el9_6.1", + "id": "7dc75dc862d10c78", + "name": "openssl", + "version": "1:3.2.2-6.el9_5.1", "type": "rpm", "locations": [ { 
@@ -824,48 +776,37 @@ ], "language": "", "licenses": [ - "MIT" + "ASL 2.0" ], "cpes": [ - "cpe:2.3:a:libcurl-minimal:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl-minimal:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl_minimal:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl_minimal:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*" - ], - "purl": "pkg:rpm/redhat/libcurl-minimal@7.76.1-31.el9_6.1?arch=x86_64&distro=rhel-9.6&upstream=curl-7.76.1-31.el9_6.1.src.rpm", - "upstreams": [ - { - "name": "curl", - "version": "7.76.1-31.el9_6.1" - } + "cpe:2.3:a:openssl:openssl:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:openssl:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*" ], + "purl": "pkg:rpm/redhat/openssl@3.2.2-6.el9_5.1?arch=x86_64&distro=rhel-9.6&epoch=1&upstream=openssl-3.2.2-6.el9_5.1.src.rpm", + "upstreams": [], "metadataType": "RpmMetadata", "metadata": { - "epoch": null, + "epoch": 1, "modularityLabel": "" } } }, { "vulnerability": { - "id": "CVE-2024-34459", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-34459", + "id": "CVE-2024-41996", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A flaw was found in the xmllint program distributed by the libxml2 package. 
A buffer over-read in the xmlHTMLPrintFileContext function in the xmllint.c file may be triggered when a crafted file is processed with the xmllint program using the `--htmlout` command line option, causing an application crash and resulting in a denial of service.", + "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 5.5, - "exploitabilityScore": 1.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} 
@@ -873,52 +814,45 @@ ], "epss": [ { - "cve": "CVE-2024-34459", - "epss": 0.00847, - "percentile": 0.74208, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-34459", - "cwe": "CWE-122", + "cve": "CVE-2024-41996", + "cwe": "CWE-295", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ], "fix": { "versions": [], - "state": "not-fixed" + "state": "wont-fix" }, "advisories": [], - "risk": 0.35997500000000004 + "risk": 0.30705000000000005 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-34459", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-34459", + "id": "CVE-2024-41996", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", "namespace": "nvd:cpe", "severity": "High", "urls": [ - "https://gitlab.gnome.org/GNOME/libxml2/-/issues/720", - "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.8", - "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.7", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/", - "https://lists.debian.org/debian-lts-announce/2025/07/msg00014.html", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/" + "https://dheatattack.gitlab.io/details/", + "https://dheatattack.gitlab.io/faq/", + 
"https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" ], - "description": "An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c.", + "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", "cvss": [ { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { "baseScore": 7.5, "exploitabilityScore": 3.9, @@ -929,16 +863,16 @@ ], "epss": [ { - "cve": "CVE-2024-34459", - "epss": 0.00847, - "percentile": 0.74208, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-34459", - "cwe": "CWE-122", + "cve": "CVE-2024-41996", + "cwe": "CWE-295", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } @@ -947,7 +881,7 @@ ], "matchDetails": [ { - "type": "exact-direct-match", + "type": "exact-indirect-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { 
@@ -955,21 +889,21 @@ "version": "9.6" }, "package": { - "name": "libxml2", - "version": "0:2.9.13-12.el9_6" + "name": "openssl", + "version": "3.2.2-6.el9_5.1" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-34459", + "vulnerabilityID": "CVE-2024-41996", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "66b25e26e34fcd34", - "name": "libxml2", - "version": "2.9.13-12.el9_6", + "id": "58e683943e8aac02", + "name": "openssl-libs", + "version": "1:3.2.2-6.el9_5.1", "type": "rpm", "locations": [ { 
@@ -983,86 +917,119 @@ ], "language": "", "licenses": [ - "MIT" + "ASL 2.0" ], "cpes": [ - "cpe:2.3:a:libxml2:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*" + "cpe:2.3:a:openssl-libs:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl-libs:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl_libs:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl_libs:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:rpm/redhat/openssl-libs@3.2.2-6.el9_5.1?arch=x86_64&distro=rhel-9.6&epoch=1&upstream=openssl-3.2.2-6.el9_5.1.src.rpm", + "upstreams": [ + { + "name": "openssl", + "version": "3.2.2-6.el9_5.1" + } ], - "purl": "pkg:rpm/redhat/libxml2@2.9.13-12.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libxml2-2.9.13-12.el9_6.src.rpm", - "upstreams": [], "metadataType": "RpmMetadata", "metadata": { - "epoch": null, + "epoch": 1, "modularityLabel": "" } } }, { "vulnerability": { - "id": "CVE-2024-41996", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. 
This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", + "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, - "impactScore": 3.6 + "baseScore": 3.9, + "exploitabilityScore": 1.4, + "impactScore": 2.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ], "fix": { "versions": [], - "state": "wont-fix" + "state": "not-fixed" }, "advisories": [], - "risk": 0.30705000000000005 + "risk": 0.20009999999999997 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-41996", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", "namespace": "nvd:cpe", - "severity": "High", + "severity": "Medium", "urls": [ - "https://dheatattack.gitlab.io/details/", - "https://dheatattack.gitlab.io/faq/", - "https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" + "https://curl.se/docs/CVE-2024-9681.html", + "https://curl.se/docs/CVE-2024-9681.json", + "https://hackerone.com/reports/2764830", + "http://seclists.org/fulldisclosure/2025/Apr/10", + 
"http://seclists.org/fulldisclosure/2025/Apr/11", + "http://seclists.org/fulldisclosure/2025/Apr/12", + "http://seclists.org/fulldisclosure/2025/Apr/13", + "http://seclists.org/fulldisclosure/2025/Apr/4", + "http://seclists.org/fulldisclosure/2025/Apr/5", + "http://seclists.org/fulldisclosure/2025/Apr/8", + "http://seclists.org/fulldisclosure/2025/Apr/9", + "http://www.openwall.com/lists/oss-security/2024/11/06/2", + "https://security.netapp.com/advisory/ntap-20241213-0006/" ], - "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", + "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for 
by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.3, + "impactScore": 4.3 + }, + "vendorMetadata": {} + }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} @@ -1070,25 +1037,25 @@ ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ] } ], "matchDetails": [ { - "type": "exact-direct-match", + "type": "exact-indirect-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { 
@@ -1096,21 +1063,21 @@ "version": "9.6" }, "package": { - "name": "openssl", - "version": "1:3.2.2-6.el9_5.1" + "name": "curl", + "version": "7.76.1-31.el9_6.1" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-41996", + "vulnerabilityID": "CVE-2024-9681", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "7dc75dc862d10c78", - "name": "openssl", - "version": "1:3.2.2-6.el9_5.1", + "id": "707ec843794b77ca", + "name": "curl-minimal", + "version": "7.76.1-31.el9_6.1", "type": "rpm", "locations": [ { 
@@ -1124,86 +1091,119 @@ ], "language": "", "licenses": [ - "ASL 2.0" + "MIT" ], "cpes": [ - "cpe:2.3:a:openssl:openssl:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:openssl:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*" + "cpe:2.3:a:curl-minimal:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:curl-minimal:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:curl_minimal:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:curl_minimal:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:curl:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:curl:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:rpm/redhat/curl-minimal@7.76.1-31.el9_6.1?arch=x86_64&distro=rhel-9.6&upstream=curl-7.76.1-31.el9_6.1.src.rpm", + "upstreams": [ + { + "name": "curl", + "version": "7.76.1-31.el9_6.1" + } ], - "purl": "pkg:rpm/redhat/openssl@3.2.2-6.el9_5.1?arch=x86_64&distro=rhel-9.6&epoch=1&upstream=openssl-3.2.2-6.el9_5.1.src.rpm", - "upstreams": [], "metadataType": "RpmMetadata", "metadata": { - "epoch": 1, + "epoch": null, "modularityLabel": "" } } }, { "vulnerability": { - "id": "CVE-2024-41996", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. 
This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", + "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, - "impactScore": 3.6 + "baseScore": 3.9, + "exploitabilityScore": 1.4, + "impactScore": 2.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ], "fix": { "versions": [], - "state": "wont-fix" + "state": "not-fixed" }, "advisories": [], - "risk": 0.30705000000000005 + "risk": 0.20009999999999997 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-41996", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", "namespace": "nvd:cpe", - "severity": "High", + "severity": "Medium", "urls": [ - "https://dheatattack.gitlab.io/details/", - "https://dheatattack.gitlab.io/faq/", - "https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" + "https://curl.se/docs/CVE-2024-9681.html", + "https://curl.se/docs/CVE-2024-9681.json", + "https://hackerone.com/reports/2764830", + "http://seclists.org/fulldisclosure/2025/Apr/10", + 
"http://seclists.org/fulldisclosure/2025/Apr/11", + "http://seclists.org/fulldisclosure/2025/Apr/12", + "http://seclists.org/fulldisclosure/2025/Apr/13", + "http://seclists.org/fulldisclosure/2025/Apr/4", + "http://seclists.org/fulldisclosure/2025/Apr/5", + "http://seclists.org/fulldisclosure/2025/Apr/8", + "http://seclists.org/fulldisclosure/2025/Apr/9", + "http://www.openwall.com/lists/oss-security/2024/11/06/2", + "https://security.netapp.com/advisory/ntap-20241213-0006/" ], - "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", + "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for 
by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.3, + "impactScore": 4.3 + }, + "vendorMetadata": {} + }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} @@ -1211,18 +1211,18 @@ ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ] } @@ -1237,21 +1237,21 @@ "version": "9.6" }, "package": { - "name": "openssl", - "version": "3.2.2-6.el9_5.1" + "name": "curl", + "version": "7.76.1-31.el9_6.1" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-41996", + "vulnerabilityID": "CVE-2024-9681", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "58e683943e8aac02", - "name": "openssl-libs", - "version": "1:3.2.2-6.el9_5.1", + "id": "220f5f360bc1aff5", + "name": "libcurl-minimal", + "version": "7.76.1-31.el9_6.1", "type": "rpm", "locations": [ { 
@@ -1265,28 +1265,28 @@ ], "language": "", "licenses": [ - "ASL 2.0" + "MIT" ], "cpes": [ - "cpe:2.3:a:openssl-libs:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl-libs:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl_libs:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl_libs:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*" + "cpe:2.3:a:libcurl-minimal:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl-minimal:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl_minimal:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl_minimal:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*" ], - "purl": "pkg:rpm/redhat/openssl-libs@3.2.2-6.el9_5.1?arch=x86_64&distro=rhel-9.6&epoch=1&upstream=openssl-3.2.2-6.el9_5.1.src.rpm", + "purl": "pkg:rpm/redhat/libcurl-minimal@7.76.1-31.el9_6.1?arch=x86_64&distro=rhel-9.6&upstream=curl-7.76.1-31.el9_6.1.src.rpm", "upstreams": [ { - "name": "openssl", - "version": "3.2.2-6.el9_5.1" + "name": "curl", + "version": "7.76.1-31.el9_6.1" } ], "metadataType": "RpmMetadata", "metadata": { - "epoch": 1, + "epoch": null, "modularityLabel": "" } } @@ -1316,8 +1316,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ], "fix": { 
@@ -1361,8 +1361,8 @@
 {
 "cve": "CVE-2024-11053",
 "epss": 0.00337,
- "percentile": 0.55997,
- "date": "2025-12-14"
+ "percentile": 0.55984,
+ "date": "2025-12-15"
 }
 ]
 }
@@ -1456,8 +1456,8 @@
 {
 "cve": "CVE-2024-11053",
 "epss": 0.00337,
- "percentile": 0.55997,
- "date": "2025-12-14"
+ "percentile": 0.55984,
+ "date": "2025-12-15"
 }
 ],
 "fix": {
@@ -1501,8 +1501,8 @@
 {
 "cve": "CVE-2024-11053",
 "epss": 0.00337,
- "percentile": 0.55997,
- "date": "2025-12-14"
+ "percentile": 0.55984,
+ "date": "2025-12-15"
 }
 ]
 }
@@ -1596,8 +1596,8 @@
 {
 "cve": "CVE-2025-14087",
 "epss": 0.00197,
- "percentile": 0.41855,
- "date": "2025-12-14"
+ "percentile": 0.41841,
+ "date": "2025-12-15"
 }
 ],
 "cwes": [
@@ -1644,8 +1644,8 @@
 {
 "cve": "CVE-2025-14087",
 "epss": 0.00197,
- "percentile": 0.41855,
- "date": "2025-12-14"
+ "percentile": 0.41841,
+ "date": "2025-12-15"
 }
 ],
 "cwes": [
@@ -1736,8 +1736,8 @@
 {
 "cve": "CVE-2023-32636",
 "epss": 0.00165,
- "percentile": 0.38062,
- "date": "2025-12-14"
+ "percentile": 0.38035,
+ "date": "2025-12-15"
 }
 ],
 "cwes": [
@@ -1803,8 +1803,8 @@
 {
 "cve": "CVE-2023-32636",
 "epss": 0.00165,
- "percentile": 0.38062,
- "date": "2025-12-14"
+ "percentile": 0.38035,
+ "date": "2025-12-15"
 }
 ],
 "cwes": [
@@ -1878,20 +1878,20 @@ }, { "vulnerability": { - "id": "CVE-2025-1632", - "dataSource": "https://access.redhat.com/security/cve/CVE-2025-1632", + "id": "CVE-2025-27113", + "dataSource": "https://access.redhat.com/security/cve/CVE-2025-27113", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A flaw was found in the bsdunzip utility of libarchive. In affected versions, a specially crafted file may trigger a null pointer dereference. This issue can lead to an application crash or other unexpected behavior.", + "description": "A flaw was found in libxml2. This vulnerability allows a NULL pointer dereference, leading to a potential crash or denial of service via a crafted XML pattern.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L", "metrics": { - "baseScore": 3.3, - "exploitabilityScore": 1.9, + "baseScore": 3.1, + "exploitabilityScore": 1.7, "impactScore": 1.5 }, "vendorMetadata": {} @@ -1899,27 +1899,21 @@ ], "epss": [ { - "cve": "CVE-2025-1632", - "epss": 0.00188, - "percentile": 0.40872, - "date": "2025-12-14" + "cve": "CVE-2025-27113", + "epss": 0.00217, + "percentile": 0.44238, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-1632", - "cwe": "CWE-404", - "source": "cna@vuldb.com", - "type": "Secondary" - }, - { - "cve": "CVE-2025-1632", + "cve": "CVE-2025-27113", "cwe": "CWE-476", - "source": "cna@vuldb.com", + "source": "cve@mitre.org", "type": "Secondary" }, { - "cve": "CVE-2025-1632", + "cve": "CVE-2025-27113", "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" 
@@ -1930,92 +1924,71 @@ "state": "not-fixed" }, "advisories": [], - "risk": 0.05921999999999999 + "risk": 0.066185 }, "relatedVulnerabilities": [ { - "id": "CVE-2025-1632", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-1632", + "id": "CVE-2025-27113", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-27113", "namespace": "nvd:cpe", - "severity": "Medium", + "severity": "High", "urls": [ - "https://github.com/Ekkosun/pocs/blob/main/bsdunzip-poc", - "https://vuldb.com/?ctiid.296619", - "https://vuldb.com/?id.296619", - "https://vuldb.com/?submit.496460" + "https://gitlab.gnome.org/GNOME/libxml2/-/issues/861", + "http://seclists.org/fulldisclosure/2025/Apr/10", + "http://seclists.org/fulldisclosure/2025/Apr/11", + "http://seclists.org/fulldisclosure/2025/Apr/12", + "http://seclists.org/fulldisclosure/2025/Apr/13", + "http://seclists.org/fulldisclosure/2025/Apr/4", + "http://seclists.org/fulldisclosure/2025/Apr/5", + "http://seclists.org/fulldisclosure/2025/Apr/8", + "http://seclists.org/fulldisclosure/2025/Apr/9", + "https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html", + "https://security.netapp.com/advisory/ntap-20250306-0004/" ], - "description": "A vulnerability was found in libarchive up to 3.7.7. It has been classified as problematic. This affects the function list of the file bsdunzip.c. The manipulation leads to null pointer dereference. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. 
The vendor was contacted early about this disclosure but did not respond in any way.", + "description": "libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer dereference in xmlPatMatch in pattern.c.", "cvss": [ { "source": "nvd@nist.gov", "type": "Primary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 5.5, - "exploitabilityScore": 1.9, + "baseScore": 7.5, + "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} }, { - "source": "cna@vuldb.com", - "type": "Secondary", - "version": "4.0", - "vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", - "metrics": { - "baseScore": 4.8 - }, - "vendorMetadata": {} - }, - { - "source": "cna@vuldb.com", + "source": "cve@mitre.org", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "metrics": { - "baseScore": 3.3, - "exploitabilityScore": 1.9, + "baseScore": 2.9, + "exploitabilityScore": 1.5, "impactScore": 1.5 }, "vendorMetadata": {} - }, - { - "source": "cna@vuldb.com", - "type": "Secondary", - "version": "2.0", - "vector": "AV:L/AC:L/Au:S/C:N/I:N/A:P", - "metrics": { - "baseScore": 1.7, - "exploitabilityScore": 3.2, - "impactScore": 2.9 - }, - "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2025-1632", - "epss": 0.00188, - "percentile": 0.40872, - "date": "2025-12-14" + "cve": "CVE-2025-27113", + "epss": 0.00217, + "percentile": 0.44238, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-1632", - "cwe": "CWE-404", - "source": "cna@vuldb.com", - "type": "Secondary" - }, - { - "cve": "CVE-2025-1632", + "cve": "CVE-2025-27113", "cwe": "CWE-476", - "source": "cna@vuldb.com", + "source": "cve@mitre.org", "type": "Secondary" }, { - 
"cve": "CVE-2025-1632", + "cve": "CVE-2025-27113", "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" @@ -2033,21 +2006,21 @@ "version": "9.6" }, "package": { - "name": "libarchive", - "version": "0:3.5.3-6.el9_6" + "name": "libxml2", + "version": "0:2.9.13-12.el9_6" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2025-1632", + "vulnerabilityID": "CVE-2025-27113", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "5fe8b53173092253", - "name": "libarchive", - "version": "3.5.3-6.el9_6", + "id": "66b25e26e34fcd34", + "name": "libxml2", + "version": "2.9.13-12.el9_6", "type": "rpm", "locations": [ { @@ -2061,13 +2034,13 @@ ], "language": "", "licenses": [ - "BSD" + "MIT" ], "cpes": [ - "cpe:2.3:a:libarchive:libarchive:3.5.3-6.el9_6:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libarchive:3.5.3-6.el9_6:*:*:*:*:*:*:*" + "cpe:2.3:a:libxml2:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*" ], - "purl": "pkg:rpm/redhat/libarchive@3.5.3-6.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libarchive-3.5.3-6.el9_6.src.rpm", + "purl": "pkg:rpm/redhat/libxml2@2.9.13-12.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libxml2-2.9.13-12.el9_6.src.rpm", "upstreams": [], "metadataType": "RpmMetadata", "metadata": { 
@@ -2078,20 +2051,20 @@ }, { "vulnerability": { - "id": "CVE-2025-27113", - "dataSource": "https://access.redhat.com/security/cve/CVE-2025-27113", + "id": "CVE-2025-1632", + "dataSource": "https://access.redhat.com/security/cve/CVE-2025-1632", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A flaw was found in libxml2. This vulnerability allows a NULL pointer dereference, leading to a potential crash or denial of service via a crafted XML pattern.", + "description": "A flaw was found in the bsdunzip utility of libarchive. In affected versions, a specially crafted file may trigger a null pointer dereference. This issue can lead to an application crash or other unexpected behavior.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "metrics": { - "baseScore": 3.1, - "exploitabilityScore": 1.7, + "baseScore": 3.3, + "exploitabilityScore": 1.9, "impactScore": 1.5 }, "vendorMetadata": {} @@ -2099,21 +2072,27 @@ ], "epss": [ { - "cve": "CVE-2025-27113", - "epss": 0.00184, - "percentile": 0.40434, - "date": "2025-12-14" + "cve": "CVE-2025-1632", + "epss": 0.00188, + "percentile": 0.40856, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-27113", + "cve": "CVE-2025-1632", + "cwe": "CWE-404", + "source": "cna@vuldb.com", + "type": "Secondary" + }, + { + "cve": "CVE-2025-1632", "cwe": "CWE-476", - "source": "cve@mitre.org", + "source": "cna@vuldb.com", "type": "Secondary" }, { - "cve": "CVE-2025-27113", + "cve": "CVE-2025-1632", "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" 
@@ -2124,71 +2103,92 @@ "state": "not-fixed" }, "advisories": [], - "risk": 0.056119999999999996 + "risk": 0.05921999999999999 }, "relatedVulnerabilities": [ { - "id": "CVE-2025-27113", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-27113", + "id": "CVE-2025-1632", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-1632", "namespace": "nvd:cpe", - "severity": "High", + "severity": "Medium", "urls": [ - "https://gitlab.gnome.org/GNOME/libxml2/-/issues/861", - "http://seclists.org/fulldisclosure/2025/Apr/10", - "http://seclists.org/fulldisclosure/2025/Apr/11", - "http://seclists.org/fulldisclosure/2025/Apr/12", - "http://seclists.org/fulldisclosure/2025/Apr/13", - "http://seclists.org/fulldisclosure/2025/Apr/4", - "http://seclists.org/fulldisclosure/2025/Apr/5", - "http://seclists.org/fulldisclosure/2025/Apr/8", - "http://seclists.org/fulldisclosure/2025/Apr/9", - "https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html", - "https://security.netapp.com/advisory/ntap-20250306-0004/" + "https://github.com/Ekkosun/pocs/blob/main/bsdunzip-poc", + "https://vuldb.com/?ctiid.296619", + "https://vuldb.com/?id.296619", + "https://vuldb.com/?submit.496460" ], - "description": "libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer dereference in xmlPatMatch in pattern.c.", + "description": "A vulnerability was found in libarchive up to 3.7.7. It has been classified as problematic. This affects the function list of the file bsdunzip.c. The manipulation leads to null pointer dereference. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. 
The vendor was contacted early about this disclosure but did not respond in any way.", "cvss": [ { "source": "nvd@nist.gov", "type": "Primary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, + "baseScore": 5.5, + "exploitabilityScore": 1.9, "impactScore": 3.6 }, "vendorMetadata": {} }, { - "source": "cve@mitre.org", + "source": "cna@vuldb.com", + "type": "Secondary", + "version": "4.0", + "vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", + "metrics": { + "baseScore": 4.8 + }, + "vendorMetadata": {} + }, + { + "source": "cna@vuldb.com", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "metrics": { - "baseScore": 2.9, - "exploitabilityScore": 1.5, + "baseScore": 3.3, + "exploitabilityScore": 1.9, "impactScore": 1.5 }, "vendorMetadata": {} + }, + { + "source": "cna@vuldb.com", + "type": "Secondary", + "version": "2.0", + "vector": "AV:L/AC:L/Au:S/C:N/I:N/A:P", + "metrics": { + "baseScore": 1.7, + "exploitabilityScore": 3.2, + "impactScore": 2.9 + }, + "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2025-27113", - "epss": 0.00184, - "percentile": 0.40434, - "date": "2025-12-14" + "cve": "CVE-2025-1632", + "epss": 0.00188, + "percentile": 0.40856, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-27113", + "cve": "CVE-2025-1632", + "cwe": "CWE-404", + "source": "cna@vuldb.com", + "type": "Secondary" + }, + { + "cve": "CVE-2025-1632", "cwe": "CWE-476", - "source": "cve@mitre.org", + "source": "cna@vuldb.com", "type": "Secondary" }, { - "cve": "CVE-2025-27113", + "cve": "CVE-2025-1632", "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" 
@@ -2206,21 +2206,21 @@ "version": "9.6" }, "package": { - "name": "libxml2", - "version": "0:2.9.13-12.el9_6" + "name": "libarchive", + "version": "0:3.5.3-6.el9_6" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2025-27113", + "vulnerabilityID": "CVE-2025-1632", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "66b25e26e34fcd34", - "name": "libxml2", - "version": "2.9.13-12.el9_6", + "id": "5fe8b53173092253", + "name": "libarchive", + "version": "3.5.3-6.el9_6", "type": "rpm", "locations": [ { @@ -2234,13 +2234,13 @@ ], "language": "", "licenses": [ - "MIT" + "BSD" ], "cpes": [ - "cpe:2.3:a:libxml2:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*" + "cpe:2.3:a:libarchive:libarchive:3.5.3-6.el9_6:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libarchive:3.5.3-6.el9_6:*:*:*:*:*:*:*" ], - "purl": "pkg:rpm/redhat/libxml2@2.9.13-12.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libxml2-2.9.13-12.el9_6.src.rpm", + "purl": "pkg:rpm/redhat/libarchive@3.5.3-6.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libarchive-3.5.3-6.el9_6.src.rpm", "upstreams": [], "metadataType": "RpmMetadata", "metadata": { @@ -2274,8 +2274,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ], "fix": { @@ -2316,8 +2316,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ] } @@ -2411,8 +2411,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ], "fix": { @@ -2453,8 +2453,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ] } 
@@ -2548,8 +2548,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -2607,8 +2607,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -2699,8 +2699,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -2758,8 +2758,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -2861,8 +2861,8 @@ { "cve": "CVE-2023-45322", "epss": 0.00076, - "percentile": 0.23163, - "date": "2025-12-14" + "percentile": 0.2314, + "date": "2025-12-15" } ], "cwes": [ @@ -2911,8 +2911,8 @@ { "cve": "CVE-2023-45322", "epss": 0.00076, - "percentile": 0.23163, - "date": "2025-12-14" + "percentile": 0.2314, + "date": "2025-12-15" } ], "cwes": [ @@ -3003,8 +3003,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -3051,8 +3051,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -3143,8 +3143,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -3191,8 +3191,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -3294,8 +3294,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ], "fix": { 
@@ -3337,8 +3337,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ] } @@ -3432,8 +3432,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ], "fix": { @@ -3475,8 +3475,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ] } @@ -3570,8 +3570,8 @@ { "cve": "CVE-2025-3360", "epss": 0.00068, - "percentile": 0.2117, - "date": "2025-12-14" + "percentile": 0.21148, + "date": "2025-12-15" } ], "cwes": [ @@ -3619,8 +3619,8 @@ { "cve": "CVE-2025-3360", "epss": 0.00068, - "percentile": 0.2117, - "date": "2025-12-14" + "percentile": 0.21148, + "date": "2025-12-15" } ], "cwes": [ @@ -3711,8 +3711,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -3772,8 +3772,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -3869,8 +3869,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -3930,8 +3930,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -4027,8 +4027,8 @@ { "cve": "CVE-2025-4598", "epss": 0.00042, - "percentile": 0.12535, - "date": "2025-12-14" + "percentile": 0.12486, + "date": "2025-12-15" } ], "cwes": [ @@ -4100,8 +4100,8 @@ { "cve": "CVE-2025-4598", "epss": 0.00042, - "percentile": 0.12535, - "date": "2025-12-14" + "percentile": 0.12486, + "date": "2025-12-15" } ], "cwes": [ 
@@ -4206,8 +4206,8 @@ { "cve": "CVE-2025-14512", "epss": 0.00034, - "percentile": 0.09609, - "date": "2025-12-14" + "percentile": 0.09535, + "date": "2025-12-15" } ], "cwes": [ @@ -4254,8 +4254,8 @@ { "cve": "CVE-2025-14512", "epss": 0.00034, - "percentile": 0.09609, - "date": "2025-12-14" + "percentile": 0.09535, + "date": "2025-12-15" } ], "cwes": [ @@ -4349,8 +4349,8 @@ { "cve": "CVE-2025-29478", "epss": 0.00034, - "percentile": 0.09478, - "date": "2025-12-14" + "percentile": 0.09393, + "date": "2025-12-15" } ], "cwes": [ @@ -4441,8 +4441,8 @@ { "cve": "CVE-2025-6965", "epss": 0.00022, - "percentile": 0.05249, - "date": "2025-12-14" + "percentile": 0.05222, + "date": "2025-12-15" } ], "cwes": [ @@ -4518,8 +4518,8 @@ { "cve": "CVE-2025-6965", "epss": 0.00022, - "percentile": 0.05249, - "date": "2025-12-14" + "percentile": 0.05222, + "date": "2025-12-15" } ], "cwes": [ @@ -4624,8 +4624,8 @@ { "cve": "CVE-2023-4156", "epss": 0.00031, - "percentile": 0.08475, - "date": "2025-12-14" + "percentile": 0.08405, + "date": "2025-12-15" } ], "cwes": [ @@ -4690,8 +4690,8 @@ { "cve": "CVE-2023-4156", "epss": 0.00031, - "percentile": 0.08475, - "date": "2025-12-14" + "percentile": 0.08405, + "date": "2025-12-15" } ], "cwes": [ @@ -4788,8 +4788,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ @@ -4864,8 +4864,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ @@ -4965,8 +4965,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ @@ -5041,8 +5041,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ 
@@ -5153,8 +5153,8 @@ { "cve": "CVE-2025-9714", "epss": 0.00024, - "percentile": 0.05691, - "date": "2025-12-14" + "percentile": 0.05683, + "date": "2025-12-15" } ], "cwes": [ @@ -5227,8 +5227,8 @@ { "cve": "CVE-2025-9714", "epss": 0.00024, - "percentile": 0.05691, - "date": "2025-12-14" + "percentile": 0.05683, + "date": "2025-12-15" } ], "cwes": [ @@ -5322,8 +5322,8 @@ { "cve": "CVE-2025-60753", "epss": 0.0002, - "percentile": 0.04699, - "date": "2025-12-14" + "percentile": 0.04656, + "date": "2025-12-15" } ], "cwes": [ @@ -5376,8 +5376,8 @@ { "cve": "CVE-2025-60753", "epss": 0.0002, - "percentile": 0.04699, - "date": "2025-12-14" + "percentile": 0.04656, + "date": "2025-12-15" } ], "cwes": [ @@ -5477,8 +5477,8 @@ { "cve": "CVE-2025-29477", "epss": 0.00019, - "percentile": 0.04132, - "date": "2025-12-14" + "percentile": 0.04084, + "date": "2025-12-15" } ], "cwes": [ @@ -5569,8 +5569,8 @@ { "cve": "CVE-2025-13601", "epss": 0.00015, - "percentile": 0.02458, - "date": "2025-12-14" + "percentile": 0.0245, + "date": "2025-12-15" } ], "cwes": [ @@ -5619,8 +5619,8 @@ { "cve": "CVE-2025-13601", "epss": 0.00015, - "percentile": 0.02458, - "date": "2025-12-14" + "percentile": 0.0245, + "date": "2025-12-15" } ], "cwes": [ @@ -5711,8 +5711,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ], "fix": { @@ -5753,8 +5753,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ] } @@ -5848,8 +5848,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ], "fix": { @@ -5890,8 +5890,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ] } 
@@ -5985,8 +5985,8 @@ { "cve": "CVE-2025-5915", "epss": 0.00026, - "percentile": 0.06449, - "date": "2025-12-14" + "percentile": 0.06425, + "date": "2025-12-15" } ], "cwes": [ @@ -6047,8 +6047,8 @@ { "cve": "CVE-2025-5915", "epss": 0.00026, - "percentile": 0.06449, - "date": "2025-12-14" + "percentile": 0.06425, + "date": "2025-12-15" } ], "cwes": [ @@ -6139,8 +6139,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -6192,8 +6192,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -6284,8 +6284,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -6337,8 +6337,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -6440,8 +6440,8 @@ { "cve": "CVE-2025-5916", "epss": 0.00023, - "percentile": 0.05378, - "date": "2025-12-14" + "percentile": 0.05349, + "date": "2025-12-15" } ], "cwes": [ @@ -6502,8 +6502,8 @@ { "cve": "CVE-2025-5916", "epss": 0.00023, - "percentile": 0.05378, - "date": "2025-12-14" + "percentile": 0.05349, + "date": "2025-12-15" } ], "cwes": [ @@ -6594,8 +6594,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -6642,8 +6642,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -6739,8 +6739,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ 
@@ -6787,8 +6787,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -6884,8 +6884,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -6932,8 +6932,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -7029,8 +7029,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -7077,8 +7077,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -7174,8 +7174,8 @@ { "cve": "CVE-2025-5278", "epss": 0.00016, - "percentile": 0.02784, - "date": "2025-12-14" + "percentile": 0.02777, + "date": "2025-12-15" } ], "cwes": [ @@ -7228,8 +7228,8 @@ { "cve": "CVE-2025-5278", "epss": 0.00016, - "percentile": 0.02784, - "date": "2025-12-14" + "percentile": 0.02777, + "date": "2025-12-15" } ], "cwes": [ @@ -7331,8 +7331,8 @@ { "cve": "CVE-2023-30571", "epss": 0.00014, - "percentile": 0.02021, - "date": "2025-12-14" + "percentile": 0.02012, + "date": "2025-12-15" } ], "cwes": [ @@ -7397,8 +7397,8 @@ { "cve": "CVE-2023-30571", "epss": 0.00014, - "percentile": 0.02021, - "date": "2025-12-14" + "percentile": 0.02012, + "date": "2025-12-15" } ], "cwes": [ @@ -7495,8 +7495,8 @@ { "cve": "CVE-2025-30258", "epss": 0.00025, - "percentile": 0.05983, - "date": "2025-12-14" + "percentile": 0.0597, + "date": "2025-12-15" } ], "cwes": [ @@ -7556,8 +7556,8 @@ { "cve": "CVE-2025-30258", "epss": 0.00025, - "percentile": 0.05983, - "date": "2025-12-14" + "percentile": 0.0597, + "date": "2025-12-15" } ], "cwes": [ 
@@ -7648,8 +7648,8 @@ { "cve": "CVE-2024-0232", "epss": 0.00018, - "percentile": 0.03785, - "date": "2025-12-14" + "percentile": 0.03749, + "date": "2025-12-15" } ], "cwes": [ @@ -7716,8 +7716,8 @@ { "cve": "CVE-2024-0232", "epss": 0.00018, - "percentile": 0.03785, - "date": "2025-12-14" + "percentile": 0.03749, + "date": "2025-12-15" } ], "cwes": [ @@ -7825,8 +7825,8 @@ { "cve": "CVE-2025-5918", "epss": 0.00019, - "percentile": 0.04307, - "date": "2025-12-14" + "percentile": 0.04264, + "date": "2025-12-15" } ], "cwes": [ @@ -7887,8 +7887,8 @@ { "cve": "CVE-2025-5918", "epss": 0.00019, - "percentile": 0.04307, - "date": "2025-12-14" + "percentile": 0.04264, + "date": "2025-12-15" } ], "cwes": [ @@ -7979,8 +7979,8 @@ { "cve": "CVE-2022-3219", "epss": 0.00012, - "percentile": 0.01397, - "date": "2025-12-14" + "percentile": 0.01394, + "date": "2025-12-15" } ], "cwes": [ @@ -8049,8 +8049,8 @@ { "cve": "CVE-2022-3219", "epss": 0.00012, - "percentile": 0.01397, - "date": "2025-12-14" + "percentile": 0.01394, + "date": "2025-12-15" } ], "cwes": [ @@ -8147,8 +8147,8 @@ { "cve": "CVE-2025-5917", "epss": 0.00019, - "percentile": 0.04396, - "date": "2025-12-14" + "percentile": 0.04351, + "date": "2025-12-15" } ], "cwes": [ @@ -8209,8 +8209,8 @@ { "cve": "CVE-2025-5917", "epss": 0.00019, - "percentile": 0.04396, - "date": "2025-12-14" + "percentile": 0.04351, + "date": "2025-12-15" } ], "cwes": [ @@ -8301,8 +8301,8 @@ { "cve": "CVE-2025-6170", "epss": 0.00017, - "percentile": 0.03384, - "date": "2025-12-14" + "percentile": 0.03368, + "date": "2025-12-15" } ], "cwes": [ @@ -8362,8 +8362,8 @@ { "cve": "CVE-2025-6170", "epss": 0.00017, - "percentile": 0.03384, - "date": "2025-12-14" + "percentile": 0.03368, + "date": "2025-12-15" } ], "cwes": [ 
@@ -8913,87 +8913,87 @@
 "db": {
 "status": {
 "schemaVersion": "v6.1.3",
- "from": "https://grype.anchore.io/databases/v6/vulnerability-db_v6.1.3_2025-12-15T00:26:22Z_1765786837.tar.zst?checksum=sha256%3A819b50d22f073b9ab2ad3c00d212207037c07e1de037f81b528b58717b758db2",
- "built": "2025-12-15T08:20:37Z",
+ "from": "https://grype.anchore.io/databases/v6/vulnerability-db_v6.1.3_2025-12-16T00:25:11Z_1765880790.tar.zst?checksum=sha256%3Aa8bb3ef2cc68f242e78cda1e451f290ff56a23b1063de65d22a0ac20e16ae5bd",
+ "built": "2025-12-16T10:26:30Z",
 "path": ".cache/grype/db/6/vulnerability.db",
 "valid": true
 },
 "providers": {
 "alma": {
- "captured": "2025-12-15T00:26:29Z",
+ "captured": "2025-12-16T00:25:17Z",
 "input": "xxh64:3bae44c7a22f7a7a"
 },
 "alpine": {
- "captured": "2025-12-15T00:26:22Z",
- "input": "xxh64:a6910ebae352b990"
+ "captured": "2025-12-16T00:25:13Z",
+ "input": "xxh64:0d94cc3d895e96e4"
 },
 "amazon": {
- "captured": "2025-12-15T00:26:33Z",
- "input": "xxh64:d9332811ab10da09"
+ "captured": "2025-12-16T00:25:14Z",
+ "input": "xxh64:96351b3c21f16cdd"
 },
 "bitnami": {
- "captured": "2025-12-15T00:26:31Z",
- "input": "xxh64:1ecf12b668dea077"
+ "captured": "2025-12-16T00:25:26Z",
+ "input": "xxh64:01d096e52d6c584d"
 },
 "chainguard": {
- "captured": "2025-12-15T00:26:33Z",
- "input": "xxh64:c788b1823558ccdc"
+ "captured": "2025-12-16T00:25:19Z",
+ "input": "xxh64:aeb142b1fabd05ef"
 },
 "chainguard-libraries": {
- "captured": "2025-12-15T00:26:33Z",
- "input": "xxh64:61125e10198fff74"
+ "captured": "2025-12-16T00:25:25Z",
+ "input": "xxh64:131c1a3e98113468"
 },
 "debian": {
- "captured": "2025-12-15T00:26:33Z",
- "input": "xxh64:3a0aef0ee5db3f38"
+ "captured": "2025-12-16T00:25:24Z",
+ "input": "xxh64:9c5942d58a5f0d0a"
 },
 "echo": {
- "captured": "2025-12-15T00:26:34Z",
- "input": "xxh64:b407f1052619408a"
+ "captured": "2025-12-16T00:25:20Z",
+ "input": "xxh64:e65ed35a7a7899d0"
 },
 "epss": {
- "captured": "2025-12-15T00:26:28Z",
- "input": "xxh64:05fd1e2ee709d2a5"
+ "captured": "2025-12-16T00:25:21Z",
+ "input": "xxh64:c443dbaf0209cf17"
 },
 "github": {
- "captured": "2025-12-15T00:26:44Z",
- "input": "xxh64:3c7fd996a88f1c66"
+ "captured": "2025-12-16T00:25:21Z",
+ "input": "xxh64:640038905439d285"
 },
 "kev": {
- "captured": "2025-12-15T00:26:23Z",
- "input": "xxh64:ed425533655d771d"
+ "captured": "2025-12-16T00:25:11Z",
+ "input": "xxh64:c28f5b32e2103243"
 },
 "mariner": {
- "captured": "2025-12-15T00:26:32Z",
- "input": "xxh64:6fdbff1192df3158"
+ "captured": "2025-12-16T00:25:18Z",
+ "input": "xxh64:647810a8c07a63eb"
 },
 "minimos": {
- "captured": "2025-12-15T00:26:30Z",
- "input": "xxh64:66fa9397e7abbbe3"
+ "captured": "2025-12-16T00:25:20Z",
+ "input": "xxh64:24ca3b7889974a27"
 },
 "nvd": {
- "captured": "2025-12-15T00:29:34Z",
- "input": "xxh64:52a15157244d2eb4"
+ "captured": "2025-12-16T00:28:18Z",
+ "input": "xxh64:8ee1877e9a9e680b"
 },
 "oracle": {
- "captured": "2025-12-15T00:26:29Z",
- "input": "xxh64:a3297070ed6c54c1"
+ "captured": "2025-12-16T00:25:23Z",
+ "input": "xxh64:a4416b6b3e4250df"
 },
 "rhel": {
- "captured": "2025-12-15T00:27:19Z",
- "input": "xxh64:e625d0086bf187f1"
+ "captured": "2025-12-16T00:26:07Z",
+ "input": "xxh64:9911b1a567d8f57c"
 },
 "sles": {
- "captured": "2025-12-15T00:26:44Z",
- "input": "xxh64:baf8228a110f8ba2"
+ "captured": "2025-12-16T00:25:43Z",
+ "input": "xxh64:1b717d5f2e45fdee"
 },
 "ubuntu": {
- "captured": "2025-12-15T00:27:45Z",
- "input": "xxh64:dd0f79d777310979"
+ "captured": "2025-12-16T00:27:14Z",
+ "input": "xxh64:2d3097578288b46f"
 },
 "wolfi": {
- "captured": "2025-12-15T00:26:25Z",
- "input": "xxh64:7f14313934ae61bb"
+ "captured": "2025-12-16T00:25:19Z",
+ "input": "xxh64:f85923693eb62700"
 }
 }
 }
diff --git a/docs/security/agent/grype-25.10.6.md b/docs/security/agent/grype-25.10.6.md
index d87606b..f4b6bc9 100644
--- a/docs/security/agent/grype-25.10.6.md
+++ b/docs/security/agent/grype-25.10.6.md
@@ -30,16 +30,16 @@ Refer to the [triaged vulnerabilities](https://docs.fluent.do/security/triaged.h | curl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-7264](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7264) | Low | | libcurl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-7264](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7264) | Low | | shadow-utils | 2:4.9-12.el9 | [CVE-2024-56433](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-56433) | Low | -| curl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | -| libcurl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | | libxml2 | 2.9.13-12.el9_6 | [CVE-2024-34459](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34459) | Low | | openssl | 1:3.2.2-6.el9_5.1 | [CVE-2024-41996](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41996) | Low | | openssl-libs | 1:3.2.2-6.el9_5.1 | [CVE-2024-41996](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41996) | Low | +| curl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | +| libcurl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | | curl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-11053](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-11053) | Low | | libcurl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-11053](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-11053) | Low | | glib2 | 2.68.4-16.el9_6.2 | [CVE-2023-32636](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32636) | Low | -| libarchive | 3.5.3-6.el9_6 | [CVE-2025-1632](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1632) | Low | | libxml2 | 2.9.13-12.el9_6 | [CVE-2025-27113](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27113) | Low | +| libarchive | 3.5.3-6.el9_6 | 
[CVE-2025-1632](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1632) | Low | | openssl | 1:3.2.2-6.el9_5.1 | [CVE-2024-13176](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13176) | Low | | openssl-libs | 1:3.2.2-6.el9_5.1 | [CVE-2024-13176](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13176) | Low | | libxml2 | 2.9.13-12.el9_6 | [CVE-2023-45322](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45322) | Low | diff --git a/docs/security/agent/grype-25.10.7.json b/docs/security/agent/grype-25.10.7.json index 8e04f28..0558d17 100644 --- a/docs/security/agent/grype-25.10.7.json +++ b/docs/security/agent/grype-25.10.7.json @@ -25,8 +25,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -91,8 +91,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -194,8 +194,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -260,8 +260,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -363,8 +363,8 @@ { "cve": "CVE-2024-56433", "epss": 0.05074, - "percentile": 0.8942, - "date": "2025-12-14" + "percentile": 0.89421, + "date": "2025-12-15" } ], "cwes": [ @@ -426,8 +426,8 @@ { "cve": "CVE-2024-56433", "epss": 0.05074, - "percentile": 0.8942, - "date": "2025-12-14" + "percentile": 0.89421, + "date": "2025-12-15" } ], "cwes": [ 
@@ -504,39 +504,39 @@ }, { "vulnerability": { - "id": "CVE-2024-9681", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", + "id": "CVE-2024-34459", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-34459", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", + "description": "A flaw was found in the xmllint program distributed by the libxml2 package. A buffer over-read in the xmlHTMLPrintFileContext function in the xmllint.c file may be triggered when a crafted file is processed with the xmllint program using the `--htmlout` command line option, causing an application crash and resulting in a denial of service.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 3.9, - "exploitabilityScore": 1.4, - "impactScore": 2.6 + "baseScore": 5.5, + "exploitabilityScore": 1.9, + "impactScore": 3.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-34459", + "epss": 0.00847, + "percentile": 0.74212, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-34459", + "cwe": "CWE-122", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ], "fix": { 
@@ -544,51 +544,36 @@ "state": "not-fixed" }, "advisories": [], - "risk": 0.422625 + "risk": 0.35997500000000004 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-9681", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", + "id": "CVE-2024-34459", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-34459", "namespace": "nvd:cpe", - "severity": "Medium", + "severity": "High", "urls": [ - "https://curl.se/docs/CVE-2024-9681.html", - "https://curl.se/docs/CVE-2024-9681.json", - "https://hackerone.com/reports/2764830", - "http://seclists.org/fulldisclosure/2025/Apr/10", - "http://seclists.org/fulldisclosure/2025/Apr/11", - "http://seclists.org/fulldisclosure/2025/Apr/12", - "http://seclists.org/fulldisclosure/2025/Apr/13", - "http://seclists.org/fulldisclosure/2025/Apr/4", - "http://seclists.org/fulldisclosure/2025/Apr/5", - "http://seclists.org/fulldisclosure/2025/Apr/8", - "http://seclists.org/fulldisclosure/2025/Apr/9", - "http://www.openwall.com/lists/oss-security/2024/11/06/2", - "https://security.netapp.com/advisory/ntap-20241213-0006/" + "https://gitlab.gnome.org/GNOME/libxml2/-/issues/720", + "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.8", + "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.7", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/", + "https://lists.debian.org/debian-lts-announce/2025/07/msg00014.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", + 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/" ], - "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", + "description": "An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. 
Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c.", "cvss": [ - { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", - "metrics": { - "baseScore": 6.5, - "exploitabilityScore": 2.3, - "impactScore": 4.3 - }, - "vendorMetadata": {} - }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, + "baseScore": 7.5, + "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} @@ -596,25 +581,25 @@ ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-34459", + "epss": 0.00847, + "percentile": 0.74212, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-34459", + "cwe": "CWE-122", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ] } ], "matchDetails": [ { - "type": "exact-indirect-match", + "type": "exact-direct-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { @@ -622,21 +607,21 @@ "version": "9.6" }, "package": { - "name": "curl", - "version": "7.76.1-31.el9_6.1" + "name": "libxml2", + "version": "0:2.9.13-12.el9_6" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-9681", + "vulnerabilityID": "CVE-2024-34459", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "707ec843794b77ca", - "name": "curl-minimal", - "version": "7.76.1-31.el9_6.1", + "id": "66b25e26e34fcd34", + "name": "libxml2", + "version": "2.9.13-12.el9_6", "type": "rpm", "locations": [ { 
@@ -653,22 +638,11 @@ "MIT" ], "cpes": [ - "cpe:2.3:a:curl-minimal:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:curl-minimal:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:curl_minimal:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:curl_minimal:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:curl:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:curl:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*" - ], - "purl": "pkg:rpm/redhat/curl-minimal@7.76.1-31.el9_6.1?arch=x86_64&distro=rhel-9.6&upstream=curl-7.76.1-31.el9_6.1.src.rpm", - "upstreams": [ - { - "name": "curl", - "version": "7.76.1-31.el9_6.1" - } + "cpe:2.3:a:libxml2:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*" ], + "purl": "pkg:rpm/redhat/libxml2@2.9.13-12.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libxml2-2.9.13-12.el9_6.src.rpm", + "upstreams": [], "metadataType": "RpmMetadata", "metadata": { "epoch": null, 
@@ -678,91 +652,69 @@ }, { "vulnerability": { - "id": "CVE-2024-9681", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", + "id": "CVE-2024-41996", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", + "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 3.9, - "exploitabilityScore": 1.4, - "impactScore": 2.6 + "baseScore": 5.9, + "exploitabilityScore": 2.3, + "impactScore": 3.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-41996", + "cwe": "CWE-295", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ], "fix": { "versions": [], - "state": "not-fixed" + "state": "wont-fix" }, "advisories": [], - "risk": 0.422625 + "risk": 0.30705000000000005 }, 
"relatedVulnerabilities": [ { - "id": "CVE-2024-9681", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", + "id": "CVE-2024-41996", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", "namespace": "nvd:cpe", - "severity": "Medium", + "severity": "High", "urls": [ - "https://curl.se/docs/CVE-2024-9681.html", - "https://curl.se/docs/CVE-2024-9681.json", - "https://hackerone.com/reports/2764830", - "http://seclists.org/fulldisclosure/2025/Apr/10", - "http://seclists.org/fulldisclosure/2025/Apr/11", - "http://seclists.org/fulldisclosure/2025/Apr/12", - "http://seclists.org/fulldisclosure/2025/Apr/13", - "http://seclists.org/fulldisclosure/2025/Apr/4", - "http://seclists.org/fulldisclosure/2025/Apr/5", - "http://seclists.org/fulldisclosure/2025/Apr/8", - "http://seclists.org/fulldisclosure/2025/Apr/9", - "http://www.openwall.com/lists/oss-security/2024/11/06/2", - "https://security.netapp.com/advisory/ntap-20241213-0006/" + "https://dheatattack.gitlab.io/details/", + "https://dheatattack.gitlab.io/faq/", + "https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" ], - "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug 
is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", + "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", "cvss": [ - { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", - "metrics": { - "baseScore": 6.5, - "exploitabilityScore": 2.3, - "impactScore": 4.3 - }, - "vendorMetadata": {} - }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, + "baseScore": 7.5, + "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} 
@@ -770,25 +722,25 @@ ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-41996", + "cwe": "CWE-295", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ] } ], "matchDetails": [ { - "type": "exact-indirect-match", + "type": "exact-direct-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { @@ -796,21 +748,21 @@ "version": "9.6" }, "package": { - "name": "curl", - "version": "7.76.1-31.el9_6.1" + "name": "openssl", + "version": "1:3.2.2-6.el9_5.1" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-9681", + "vulnerabilityID": "CVE-2024-41996", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "220f5f360bc1aff5", - "name": "libcurl-minimal", - "version": "7.76.1-31.el9_6.1", + "id": "7dc75dc862d10c78", + "name": "openssl", + "version": "1:3.2.2-6.el9_5.1", "type": "rpm", "locations": [ { 
@@ -824,48 +776,37 @@ ], "language": "", "licenses": [ - "MIT" + "ASL 2.0" ], "cpes": [ - "cpe:2.3:a:libcurl-minimal:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl-minimal:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl_minimal:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl_minimal:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*" - ], - "purl": "pkg:rpm/redhat/libcurl-minimal@7.76.1-31.el9_6.1?arch=x86_64&distro=rhel-9.6&upstream=curl-7.76.1-31.el9_6.1.src.rpm", - "upstreams": [ - { - "name": "curl", - "version": "7.76.1-31.el9_6.1" - } + "cpe:2.3:a:openssl:openssl:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:openssl:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*" ], + "purl": "pkg:rpm/redhat/openssl@3.2.2-6.el9_5.1?arch=x86_64&distro=rhel-9.6&epoch=1&upstream=openssl-3.2.2-6.el9_5.1.src.rpm", + "upstreams": [], "metadataType": "RpmMetadata", "metadata": { - "epoch": null, + "epoch": 1, "modularityLabel": "" } } }, { "vulnerability": { - "id": "CVE-2024-34459", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-34459", + "id": "CVE-2024-41996", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A flaw was found in the xmllint program distributed by the libxml2 package. 
A buffer over-read in the xmlHTMLPrintFileContext function in the xmllint.c file may be triggered when a crafted file is processed with the xmllint program using the `--htmlout` command line option, causing an application crash and resulting in a denial of service.", + "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 5.5, - "exploitabilityScore": 1.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} 
@@ -873,52 +814,45 @@ ], "epss": [ { - "cve": "CVE-2024-34459", - "epss": 0.00847, - "percentile": 0.74208, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-34459", - "cwe": "CWE-122", + "cve": "CVE-2024-41996", + "cwe": "CWE-295", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ], "fix": { "versions": [], - "state": "not-fixed" + "state": "wont-fix" }, "advisories": [], - "risk": 0.35997500000000004 + "risk": 0.30705000000000005 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-34459", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-34459", + "id": "CVE-2024-41996", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", "namespace": "nvd:cpe", "severity": "High", "urls": [ - "https://gitlab.gnome.org/GNOME/libxml2/-/issues/720", - "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.8", - "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.7", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/", - "https://lists.debian.org/debian-lts-announce/2025/07/msg00014.html", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/" + "https://dheatattack.gitlab.io/details/", + "https://dheatattack.gitlab.io/faq/", + 
"https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" ], - "description": "An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c.", + "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", "cvss": [ { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { "baseScore": 7.5, "exploitabilityScore": 3.9, @@ -929,16 +863,16 @@ ], "epss": [ { - "cve": "CVE-2024-34459", - "epss": 0.00847, - "percentile": 0.74208, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-34459", - "cwe": "CWE-122", + "cve": "CVE-2024-41996", + "cwe": "CWE-295", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } @@ -947,7 +881,7 @@ ], "matchDetails": [ { - "type": "exact-direct-match", + "type": "exact-indirect-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { 
@@ -955,21 +889,21 @@ "version": "9.6" }, "package": { - "name": "libxml2", - "version": "0:2.9.13-12.el9_6" + "name": "openssl", + "version": "3.2.2-6.el9_5.1" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-34459", + "vulnerabilityID": "CVE-2024-41996", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "66b25e26e34fcd34", - "name": "libxml2", - "version": "2.9.13-12.el9_6", + "id": "58e683943e8aac02", + "name": "openssl-libs", + "version": "1:3.2.2-6.el9_5.1", "type": "rpm", "locations": [ { 
@@ -983,86 +917,119 @@ ], "language": "", "licenses": [ - "MIT" + "ASL 2.0" ], "cpes": [ - "cpe:2.3:a:libxml2:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*" + "cpe:2.3:a:openssl-libs:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl-libs:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl_libs:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl_libs:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:rpm/redhat/openssl-libs@3.2.2-6.el9_5.1?arch=x86_64&distro=rhel-9.6&epoch=1&upstream=openssl-3.2.2-6.el9_5.1.src.rpm", + "upstreams": [ + { + "name": "openssl", + "version": "3.2.2-6.el9_5.1" + } ], - "purl": "pkg:rpm/redhat/libxml2@2.9.13-12.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libxml2-2.9.13-12.el9_6.src.rpm", - "upstreams": [], "metadataType": "RpmMetadata", "metadata": { - "epoch": null, + "epoch": 1, "modularityLabel": "" } } }, { "vulnerability": { - "id": "CVE-2024-41996", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. 
This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", + "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, - "impactScore": 3.6 + "baseScore": 3.9, + "exploitabilityScore": 1.4, + "impactScore": 2.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ], "fix": { "versions": [], - "state": "wont-fix" + "state": "not-fixed" }, "advisories": [], - "risk": 0.30705000000000005 + "risk": 0.20009999999999997 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-41996", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", "namespace": "nvd:cpe", - "severity": "High", + "severity": "Medium", "urls": [ - "https://dheatattack.gitlab.io/details/", - "https://dheatattack.gitlab.io/faq/", - "https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" + "https://curl.se/docs/CVE-2024-9681.html", + "https://curl.se/docs/CVE-2024-9681.json", + "https://hackerone.com/reports/2764830", + "http://seclists.org/fulldisclosure/2025/Apr/10", + 
"http://seclists.org/fulldisclosure/2025/Apr/11", + "http://seclists.org/fulldisclosure/2025/Apr/12", + "http://seclists.org/fulldisclosure/2025/Apr/13", + "http://seclists.org/fulldisclosure/2025/Apr/4", + "http://seclists.org/fulldisclosure/2025/Apr/5", + "http://seclists.org/fulldisclosure/2025/Apr/8", + "http://seclists.org/fulldisclosure/2025/Apr/9", + "http://www.openwall.com/lists/oss-security/2024/11/06/2", + "https://security.netapp.com/advisory/ntap-20241213-0006/" ], - "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", + "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for 
by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.3, + "impactScore": 4.3 + }, + "vendorMetadata": {} + }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} @@ -1070,25 +1037,25 @@ ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ] } ], "matchDetails": [ { - "type": "exact-direct-match", + "type": "exact-indirect-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { 
@@ -1096,21 +1063,21 @@ "version": "9.6" }, "package": { - "name": "openssl", - "version": "1:3.2.2-6.el9_5.1" + "name": "curl", + "version": "7.76.1-31.el9_6.1" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-41996", + "vulnerabilityID": "CVE-2024-9681", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "7dc75dc862d10c78", - "name": "openssl", - "version": "1:3.2.2-6.el9_5.1", + "id": "707ec843794b77ca", + "name": "curl-minimal", + "version": "7.76.1-31.el9_6.1", "type": "rpm", "locations": [ { 
@@ -1124,86 +1091,119 @@ ], "language": "", "licenses": [ - "ASL 2.0" + "MIT" ], "cpes": [ - "cpe:2.3:a:openssl:openssl:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:openssl:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*" + "cpe:2.3:a:curl-minimal:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:curl-minimal:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:curl_minimal:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:curl_minimal:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:curl:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:curl:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:rpm/redhat/curl-minimal@7.76.1-31.el9_6.1?arch=x86_64&distro=rhel-9.6&upstream=curl-7.76.1-31.el9_6.1.src.rpm", + "upstreams": [ + { + "name": "curl", + "version": "7.76.1-31.el9_6.1" + } ], - "purl": "pkg:rpm/redhat/openssl@3.2.2-6.el9_5.1?arch=x86_64&distro=rhel-9.6&epoch=1&upstream=openssl-3.2.2-6.el9_5.1.src.rpm", - "upstreams": [], "metadataType": "RpmMetadata", "metadata": { - "epoch": 1, + "epoch": null, "modularityLabel": "" } } }, { "vulnerability": { - "id": "CVE-2024-41996", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. 
This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", + "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, - "impactScore": 3.6 + "baseScore": 3.9, + "exploitabilityScore": 1.4, + "impactScore": 2.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ], "fix": { "versions": [], - "state": "wont-fix" + "state": "not-fixed" }, "advisories": [], - "risk": 0.30705000000000005 + "risk": 0.20009999999999997 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-41996", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", "namespace": "nvd:cpe", - "severity": "High", + "severity": "Medium", "urls": [ - "https://dheatattack.gitlab.io/details/", - "https://dheatattack.gitlab.io/faq/", - "https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" + "https://curl.se/docs/CVE-2024-9681.html", + "https://curl.se/docs/CVE-2024-9681.json", + "https://hackerone.com/reports/2764830", + "http://seclists.org/fulldisclosure/2025/Apr/10", + 
"http://seclists.org/fulldisclosure/2025/Apr/11", + "http://seclists.org/fulldisclosure/2025/Apr/12", + "http://seclists.org/fulldisclosure/2025/Apr/13", + "http://seclists.org/fulldisclosure/2025/Apr/4", + "http://seclists.org/fulldisclosure/2025/Apr/5", + "http://seclists.org/fulldisclosure/2025/Apr/8", + "http://seclists.org/fulldisclosure/2025/Apr/9", + "http://www.openwall.com/lists/oss-security/2024/11/06/2", + "https://security.netapp.com/advisory/ntap-20241213-0006/" ], - "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", + "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for 
by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.3, + "impactScore": 4.3 + }, + "vendorMetadata": {} + }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} @@ -1211,18 +1211,18 @@ ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ] } @@ -1237,21 +1237,21 @@ "version": "9.6" }, "package": { - "name": "openssl", - "version": "3.2.2-6.el9_5.1" + "name": "curl", + "version": "7.76.1-31.el9_6.1" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-41996", + "vulnerabilityID": "CVE-2024-9681", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "58e683943e8aac02", - "name": "openssl-libs", - "version": "1:3.2.2-6.el9_5.1", + "id": "220f5f360bc1aff5", + "name": "libcurl-minimal", + "version": "7.76.1-31.el9_6.1", "type": "rpm", "locations": [ { 
@@ -1265,28 +1265,28 @@ ], "language": "", "licenses": [ - "ASL 2.0" + "MIT" ], "cpes": [ - "cpe:2.3:a:openssl-libs:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl-libs:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl_libs:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl_libs:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*" + "cpe:2.3:a:libcurl-minimal:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl-minimal:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl_minimal:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl_minimal:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*" ], - "purl": "pkg:rpm/redhat/openssl-libs@3.2.2-6.el9_5.1?arch=x86_64&distro=rhel-9.6&epoch=1&upstream=openssl-3.2.2-6.el9_5.1.src.rpm", + "purl": "pkg:rpm/redhat/libcurl-minimal@7.76.1-31.el9_6.1?arch=x86_64&distro=rhel-9.6&upstream=curl-7.76.1-31.el9_6.1.src.rpm", "upstreams": [ { - "name": "openssl", - "version": "3.2.2-6.el9_5.1" + "name": "curl", + "version": "7.76.1-31.el9_6.1" } ], "metadataType": "RpmMetadata", "metadata": { - "epoch": 1, + "epoch": null, "modularityLabel": "" } } @@ -1316,8 +1316,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ], "fix": { 
@@ -1361,8 +1361,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ] } @@ -1456,8 +1456,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ], "fix": { @@ -1501,8 +1501,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ] } @@ -1596,8 +1596,8 @@ { "cve": "CVE-2025-14087", "epss": 0.00197, - "percentile": 0.41855, - "date": "2025-12-14" + "percentile": 0.41841, + "date": "2025-12-15" } ], "cwes": [ @@ -1644,8 +1644,8 @@ { "cve": "CVE-2025-14087", "epss": 0.00197, - "percentile": 0.41855, - "date": "2025-12-14" + "percentile": 0.41841, + "date": "2025-12-15" } ], "cwes": [ @@ -1736,8 +1736,8 @@ { "cve": "CVE-2023-32636", "epss": 0.00165, - "percentile": 0.38062, - "date": "2025-12-14" + "percentile": 0.38035, + "date": "2025-12-15" } ], "cwes": [ @@ -1803,8 +1803,8 @@ { "cve": "CVE-2023-32636", "epss": 0.00165, - "percentile": 0.38062, - "date": "2025-12-14" + "percentile": 0.38035, + "date": "2025-12-15" } ], "cwes": [ 
@@ -1878,20 +1878,20 @@ }, { "vulnerability": { - "id": "CVE-2025-1632", - "dataSource": "https://access.redhat.com/security/cve/CVE-2025-1632", + "id": "CVE-2025-27113", + "dataSource": "https://access.redhat.com/security/cve/CVE-2025-27113", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A flaw was found in the bsdunzip utility of libarchive. In affected versions, a specially crafted file may trigger a null pointer dereference. This issue can lead to an application crash or other unexpected behavior.", + "description": "A flaw was found in libxml2. This vulnerability allows a NULL pointer dereference, leading to a potential crash or denial of service via a crafted XML pattern.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L", "metrics": { - "baseScore": 3.3, - "exploitabilityScore": 1.9, + "baseScore": 3.1, + "exploitabilityScore": 1.7, "impactScore": 1.5 }, "vendorMetadata": {} @@ -1899,27 +1899,21 @@ ], "epss": [ { - "cve": "CVE-2025-1632", - "epss": 0.00188, - "percentile": 0.40872, - "date": "2025-12-14" + "cve": "CVE-2025-27113", + "epss": 0.00217, + "percentile": 0.44238, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-1632", - "cwe": "CWE-404", - "source": "cna@vuldb.com", - "type": "Secondary" - }, - { - "cve": "CVE-2025-1632", + "cve": "CVE-2025-27113", "cwe": "CWE-476", - "source": "cna@vuldb.com", + "source": "cve@mitre.org", "type": "Secondary" }, { - "cve": "CVE-2025-1632", + "cve": "CVE-2025-27113", "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" 
@@ -1930,92 +1924,71 @@ "state": "not-fixed" }, "advisories": [], - "risk": 0.05921999999999999 + "risk": 0.066185 }, "relatedVulnerabilities": [ { - "id": "CVE-2025-1632", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-1632", + "id": "CVE-2025-27113", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-27113", "namespace": "nvd:cpe", - "severity": "Medium", + "severity": "High", "urls": [ - "https://github.com/Ekkosun/pocs/blob/main/bsdunzip-poc", - "https://vuldb.com/?ctiid.296619", - "https://vuldb.com/?id.296619", - "https://vuldb.com/?submit.496460" + "https://gitlab.gnome.org/GNOME/libxml2/-/issues/861", + "http://seclists.org/fulldisclosure/2025/Apr/10", + "http://seclists.org/fulldisclosure/2025/Apr/11", + "http://seclists.org/fulldisclosure/2025/Apr/12", + "http://seclists.org/fulldisclosure/2025/Apr/13", + "http://seclists.org/fulldisclosure/2025/Apr/4", + "http://seclists.org/fulldisclosure/2025/Apr/5", + "http://seclists.org/fulldisclosure/2025/Apr/8", + "http://seclists.org/fulldisclosure/2025/Apr/9", + "https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html", + "https://security.netapp.com/advisory/ntap-20250306-0004/" ], - "description": "A vulnerability was found in libarchive up to 3.7.7. It has been classified as problematic. This affects the function list of the file bsdunzip.c. The manipulation leads to null pointer dereference. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. 
The vendor was contacted early about this disclosure but did not respond in any way.", + "description": "libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer dereference in xmlPatMatch in pattern.c.", "cvss": [ { "source": "nvd@nist.gov", "type": "Primary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 5.5, - "exploitabilityScore": 1.9, + "baseScore": 7.5, + "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} }, { - "source": "cna@vuldb.com", - "type": "Secondary", - "version": "4.0", - "vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", - "metrics": { - "baseScore": 4.8 - }, - "vendorMetadata": {} - }, - { - "source": "cna@vuldb.com", + "source": "cve@mitre.org", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "metrics": { - "baseScore": 3.3, - "exploitabilityScore": 1.9, + "baseScore": 2.9, + "exploitabilityScore": 1.5, "impactScore": 1.5 }, "vendorMetadata": {} - }, - { - "source": "cna@vuldb.com", - "type": "Secondary", - "version": "2.0", - "vector": "AV:L/AC:L/Au:S/C:N/I:N/A:P", - "metrics": { - "baseScore": 1.7, - "exploitabilityScore": 3.2, - "impactScore": 2.9 - }, - "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2025-1632", - "epss": 0.00188, - "percentile": 0.40872, - "date": "2025-12-14" + "cve": "CVE-2025-27113", + "epss": 0.00217, + "percentile": 0.44238, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-1632", - "cwe": "CWE-404", - "source": "cna@vuldb.com", - "type": "Secondary" - }, - { - "cve": "CVE-2025-1632", + "cve": "CVE-2025-27113", "cwe": "CWE-476", - "source": "cna@vuldb.com", + "source": "cve@mitre.org", "type": "Secondary" }, { - 
"cve": "CVE-2025-1632", + "cve": "CVE-2025-27113", "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" @@ -2033,21 +2006,21 @@ "version": "9.6" }, "package": { - "name": "libarchive", - "version": "0:3.5.3-6.el9_6" + "name": "libxml2", + "version": "0:2.9.13-12.el9_6" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2025-1632", + "vulnerabilityID": "CVE-2025-27113", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "5fe8b53173092253", - "name": "libarchive", - "version": "3.5.3-6.el9_6", + "id": "66b25e26e34fcd34", + "name": "libxml2", + "version": "2.9.13-12.el9_6", "type": "rpm", "locations": [ { @@ -2061,13 +2034,13 @@ ], "language": "", "licenses": [ - "BSD" + "MIT" ], "cpes": [ - "cpe:2.3:a:libarchive:libarchive:3.5.3-6.el9_6:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libarchive:3.5.3-6.el9_6:*:*:*:*:*:*:*" + "cpe:2.3:a:libxml2:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*" ], - "purl": "pkg:rpm/redhat/libarchive@3.5.3-6.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libarchive-3.5.3-6.el9_6.src.rpm", + "purl": "pkg:rpm/redhat/libxml2@2.9.13-12.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libxml2-2.9.13-12.el9_6.src.rpm", "upstreams": [], "metadataType": "RpmMetadata", "metadata": { 
@@ -2078,20 +2051,20 @@ }, { "vulnerability": { - "id": "CVE-2025-27113", - "dataSource": "https://access.redhat.com/security/cve/CVE-2025-27113", + "id": "CVE-2025-1632", + "dataSource": "https://access.redhat.com/security/cve/CVE-2025-1632", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A flaw was found in libxml2. This vulnerability allows a NULL pointer dereference, leading to a potential crash or denial of service via a crafted XML pattern.", + "description": "A flaw was found in the bsdunzip utility of libarchive. In affected versions, a specially crafted file may trigger a null pointer dereference. This issue can lead to an application crash or other unexpected behavior.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "metrics": { - "baseScore": 3.1, - "exploitabilityScore": 1.7, + "baseScore": 3.3, + "exploitabilityScore": 1.9, "impactScore": 1.5 }, "vendorMetadata": {} @@ -2099,21 +2072,27 @@ ], "epss": [ { - "cve": "CVE-2025-27113", - "epss": 0.00184, - "percentile": 0.40434, - "date": "2025-12-14" + "cve": "CVE-2025-1632", + "epss": 0.00188, + "percentile": 0.40856, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-27113", + "cve": "CVE-2025-1632", + "cwe": "CWE-404", + "source": "cna@vuldb.com", + "type": "Secondary" + }, + { + "cve": "CVE-2025-1632", "cwe": "CWE-476", - "source": "cve@mitre.org", + "source": "cna@vuldb.com", "type": "Secondary" }, { - "cve": "CVE-2025-27113", + "cve": "CVE-2025-1632", "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" 
@@ -2124,71 +2103,92 @@ "state": "not-fixed" }, "advisories": [], - "risk": 0.056119999999999996 + "risk": 0.05921999999999999 }, "relatedVulnerabilities": [ { - "id": "CVE-2025-27113", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-27113", + "id": "CVE-2025-1632", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-1632", "namespace": "nvd:cpe", - "severity": "High", + "severity": "Medium", "urls": [ - "https://gitlab.gnome.org/GNOME/libxml2/-/issues/861", - "http://seclists.org/fulldisclosure/2025/Apr/10", - "http://seclists.org/fulldisclosure/2025/Apr/11", - "http://seclists.org/fulldisclosure/2025/Apr/12", - "http://seclists.org/fulldisclosure/2025/Apr/13", - "http://seclists.org/fulldisclosure/2025/Apr/4", - "http://seclists.org/fulldisclosure/2025/Apr/5", - "http://seclists.org/fulldisclosure/2025/Apr/8", - "http://seclists.org/fulldisclosure/2025/Apr/9", - "https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html", - "https://security.netapp.com/advisory/ntap-20250306-0004/" + "https://github.com/Ekkosun/pocs/blob/main/bsdunzip-poc", + "https://vuldb.com/?ctiid.296619", + "https://vuldb.com/?id.296619", + "https://vuldb.com/?submit.496460" ], - "description": "libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer dereference in xmlPatMatch in pattern.c.", + "description": "A vulnerability was found in libarchive up to 3.7.7. It has been classified as problematic. This affects the function list of the file bsdunzip.c. The manipulation leads to null pointer dereference. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. 
The vendor was contacted early about this disclosure but did not respond in any way.", "cvss": [ { "source": "nvd@nist.gov", "type": "Primary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, + "baseScore": 5.5, + "exploitabilityScore": 1.9, "impactScore": 3.6 }, "vendorMetadata": {} }, { - "source": "cve@mitre.org", + "source": "cna@vuldb.com", + "type": "Secondary", + "version": "4.0", + "vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", + "metrics": { + "baseScore": 4.8 + }, + "vendorMetadata": {} + }, + { + "source": "cna@vuldb.com", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "metrics": { - "baseScore": 2.9, - "exploitabilityScore": 1.5, + "baseScore": 3.3, + "exploitabilityScore": 1.9, "impactScore": 1.5 }, "vendorMetadata": {} + }, + { + "source": "cna@vuldb.com", + "type": "Secondary", + "version": "2.0", + "vector": "AV:L/AC:L/Au:S/C:N/I:N/A:P", + "metrics": { + "baseScore": 1.7, + "exploitabilityScore": 3.2, + "impactScore": 2.9 + }, + "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2025-27113", - "epss": 0.00184, - "percentile": 0.40434, - "date": "2025-12-14" + "cve": "CVE-2025-1632", + "epss": 0.00188, + "percentile": 0.40856, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-27113", + "cve": "CVE-2025-1632", + "cwe": "CWE-404", + "source": "cna@vuldb.com", + "type": "Secondary" + }, + { + "cve": "CVE-2025-1632", "cwe": "CWE-476", - "source": "cve@mitre.org", + "source": "cna@vuldb.com", "type": "Secondary" }, { - "cve": "CVE-2025-27113", + "cve": "CVE-2025-1632", "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" 
@@ -2206,21 +2206,21 @@ "version": "9.6" }, "package": { - "name": "libxml2", - "version": "0:2.9.13-12.el9_6" + "name": "libarchive", + "version": "0:3.5.3-6.el9_6" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2025-27113", + "vulnerabilityID": "CVE-2025-1632", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "66b25e26e34fcd34", - "name": "libxml2", - "version": "2.9.13-12.el9_6", + "id": "5fe8b53173092253", + "name": "libarchive", + "version": "3.5.3-6.el9_6", "type": "rpm", "locations": [ { @@ -2234,13 +2234,13 @@ ], "language": "", "licenses": [ - "MIT" + "BSD" ], "cpes": [ - "cpe:2.3:a:libxml2:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*" + "cpe:2.3:a:libarchive:libarchive:3.5.3-6.el9_6:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libarchive:3.5.3-6.el9_6:*:*:*:*:*:*:*" ], - "purl": "pkg:rpm/redhat/libxml2@2.9.13-12.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libxml2-2.9.13-12.el9_6.src.rpm", + "purl": "pkg:rpm/redhat/libarchive@3.5.3-6.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libarchive-3.5.3-6.el9_6.src.rpm", "upstreams": [], "metadataType": "RpmMetadata", "metadata": { @@ -2274,8 +2274,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ], "fix": { @@ -2316,8 +2316,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ] } @@ -2411,8 +2411,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ], "fix": { @@ -2453,8 +2453,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ] } 
@@ -2548,8 +2548,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -2607,8 +2607,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -2699,8 +2699,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -2758,8 +2758,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -2861,8 +2861,8 @@ { "cve": "CVE-2023-45322", "epss": 0.00076, - "percentile": 0.23163, - "date": "2025-12-14" + "percentile": 0.2314, + "date": "2025-12-15" } ], "cwes": [ @@ -2911,8 +2911,8 @@ { "cve": "CVE-2023-45322", "epss": 0.00076, - "percentile": 0.23163, - "date": "2025-12-14" + "percentile": 0.2314, + "date": "2025-12-15" } ], "cwes": [ @@ -3003,8 +3003,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -3051,8 +3051,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -3143,8 +3143,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -3191,8 +3191,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -3294,8 +3294,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ], "fix": { 
@@ -3337,8 +3337,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ] } @@ -3432,8 +3432,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ], "fix": { @@ -3475,8 +3475,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ] } @@ -3570,8 +3570,8 @@ { "cve": "CVE-2025-3360", "epss": 0.00068, - "percentile": 0.2117, - "date": "2025-12-14" + "percentile": 0.21148, + "date": "2025-12-15" } ], "cwes": [ @@ -3619,8 +3619,8 @@ { "cve": "CVE-2025-3360", "epss": 0.00068, - "percentile": 0.2117, - "date": "2025-12-14" + "percentile": 0.21148, + "date": "2025-12-15" } ], "cwes": [ @@ -3711,8 +3711,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -3772,8 +3772,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -3869,8 +3869,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -3930,8 +3930,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -4027,8 +4027,8 @@ { "cve": "CVE-2025-4598", "epss": 0.00042, - "percentile": 0.12535, - "date": "2025-12-14" + "percentile": 0.12486, + "date": "2025-12-15" } ], "cwes": [ @@ -4100,8 +4100,8 @@ { "cve": "CVE-2025-4598", "epss": 0.00042, - "percentile": 0.12535, - "date": "2025-12-14" + "percentile": 0.12486, + "date": "2025-12-15" } ], "cwes": [ 
@@ -4206,8 +4206,8 @@ { "cve": "CVE-2025-14512", "epss": 0.00034, - "percentile": 0.09609, - "date": "2025-12-14" + "percentile": 0.09535, + "date": "2025-12-15" } ], "cwes": [ @@ -4254,8 +4254,8 @@ { "cve": "CVE-2025-14512", "epss": 0.00034, - "percentile": 0.09609, - "date": "2025-12-14" + "percentile": 0.09535, + "date": "2025-12-15" } ], "cwes": [ @@ -4349,8 +4349,8 @@ { "cve": "CVE-2025-29478", "epss": 0.00034, - "percentile": 0.09478, - "date": "2025-12-14" + "percentile": 0.09393, + "date": "2025-12-15" } ], "cwes": [ @@ -4441,8 +4441,8 @@ { "cve": "CVE-2025-6965", "epss": 0.00022, - "percentile": 0.05249, - "date": "2025-12-14" + "percentile": 0.05222, + "date": "2025-12-15" } ], "cwes": [ @@ -4518,8 +4518,8 @@ { "cve": "CVE-2025-6965", "epss": 0.00022, - "percentile": 0.05249, - "date": "2025-12-14" + "percentile": 0.05222, + "date": "2025-12-15" } ], "cwes": [ @@ -4624,8 +4624,8 @@ { "cve": "CVE-2023-4156", "epss": 0.00031, - "percentile": 0.08475, - "date": "2025-12-14" + "percentile": 0.08405, + "date": "2025-12-15" } ], "cwes": [ @@ -4690,8 +4690,8 @@ { "cve": "CVE-2023-4156", "epss": 0.00031, - "percentile": 0.08475, - "date": "2025-12-14" + "percentile": 0.08405, + "date": "2025-12-15" } ], "cwes": [ @@ -4788,8 +4788,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ @@ -4864,8 +4864,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ @@ -4965,8 +4965,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ @@ -5041,8 +5041,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ 
@@ -5153,8 +5153,8 @@ { "cve": "CVE-2025-9714", "epss": 0.00024, - "percentile": 0.05691, - "date": "2025-12-14" + "percentile": 0.05683, + "date": "2025-12-15" } ], "cwes": [ @@ -5227,8 +5227,8 @@ { "cve": "CVE-2025-9714", "epss": 0.00024, - "percentile": 0.05691, - "date": "2025-12-14" + "percentile": 0.05683, + "date": "2025-12-15" } ], "cwes": [ @@ -5322,8 +5322,8 @@ { "cve": "CVE-2025-60753", "epss": 0.0002, - "percentile": 0.04699, - "date": "2025-12-14" + "percentile": 0.04656, + "date": "2025-12-15" } ], "cwes": [ @@ -5376,8 +5376,8 @@ { "cve": "CVE-2025-60753", "epss": 0.0002, - "percentile": 0.04699, - "date": "2025-12-14" + "percentile": 0.04656, + "date": "2025-12-15" } ], "cwes": [ @@ -5477,8 +5477,8 @@ { "cve": "CVE-2025-29477", "epss": 0.00019, - "percentile": 0.04132, - "date": "2025-12-14" + "percentile": 0.04084, + "date": "2025-12-15" } ], "cwes": [ @@ -5569,8 +5569,8 @@ { "cve": "CVE-2025-13601", "epss": 0.00015, - "percentile": 0.02458, - "date": "2025-12-14" + "percentile": 0.0245, + "date": "2025-12-15" } ], "cwes": [ @@ -5619,8 +5619,8 @@ { "cve": "CVE-2025-13601", "epss": 0.00015, - "percentile": 0.02458, - "date": "2025-12-14" + "percentile": 0.0245, + "date": "2025-12-15" } ], "cwes": [ @@ -5711,8 +5711,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ], "fix": { @@ -5753,8 +5753,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ] } @@ -5848,8 +5848,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ], "fix": { @@ -5890,8 +5890,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ] } 
@@ -5985,8 +5985,8 @@ { "cve": "CVE-2025-5915", "epss": 0.00026, - "percentile": 0.06449, - "date": "2025-12-14" + "percentile": 0.06425, + "date": "2025-12-15" } ], "cwes": [ @@ -6047,8 +6047,8 @@ { "cve": "CVE-2025-5915", "epss": 0.00026, - "percentile": 0.06449, - "date": "2025-12-14" + "percentile": 0.06425, + "date": "2025-12-15" } ], "cwes": [ @@ -6139,8 +6139,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -6192,8 +6192,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -6284,8 +6284,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -6337,8 +6337,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -6440,8 +6440,8 @@ { "cve": "CVE-2025-5916", "epss": 0.00023, - "percentile": 0.05378, - "date": "2025-12-14" + "percentile": 0.05349, + "date": "2025-12-15" } ], "cwes": [ @@ -6502,8 +6502,8 @@ { "cve": "CVE-2025-5916", "epss": 0.00023, - "percentile": 0.05378, - "date": "2025-12-14" + "percentile": 0.05349, + "date": "2025-12-15" } ], "cwes": [ @@ -6594,8 +6594,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -6642,8 +6642,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -6739,8 +6739,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ 
@@ -6787,8 +6787,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -6884,8 +6884,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -6932,8 +6932,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -7029,8 +7029,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -7077,8 +7077,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -7174,8 +7174,8 @@ { "cve": "CVE-2025-5278", "epss": 0.00016, - "percentile": 0.02784, - "date": "2025-12-14" + "percentile": 0.02777, + "date": "2025-12-15" } ], "cwes": [ @@ -7228,8 +7228,8 @@ { "cve": "CVE-2025-5278", "epss": 0.00016, - "percentile": 0.02784, - "date": "2025-12-14" + "percentile": 0.02777, + "date": "2025-12-15" } ], "cwes": [ @@ -7331,8 +7331,8 @@ { "cve": "CVE-2023-30571", "epss": 0.00014, - "percentile": 0.02021, - "date": "2025-12-14" + "percentile": 0.02012, + "date": "2025-12-15" } ], "cwes": [ @@ -7397,8 +7397,8 @@ { "cve": "CVE-2023-30571", "epss": 0.00014, - "percentile": 0.02021, - "date": "2025-12-14" + "percentile": 0.02012, + "date": "2025-12-15" } ], "cwes": [ @@ -7495,8 +7495,8 @@ { "cve": "CVE-2025-30258", "epss": 0.00025, - "percentile": 0.05983, - "date": "2025-12-14" + "percentile": 0.0597, + "date": "2025-12-15" } ], "cwes": [ @@ -7556,8 +7556,8 @@ { "cve": "CVE-2025-30258", "epss": 0.00025, - "percentile": 0.05983, - "date": "2025-12-14" + "percentile": 0.0597, + "date": "2025-12-15" } ], "cwes": [ 
@@ -7648,8 +7648,8 @@ { "cve": "CVE-2024-0232", "epss": 0.00018, - "percentile": 0.03785, - "date": "2025-12-14" + "percentile": 0.03749, + "date": "2025-12-15" } ], "cwes": [ @@ -7716,8 +7716,8 @@ { "cve": "CVE-2024-0232", "epss": 0.00018, - "percentile": 0.03785, - "date": "2025-12-14" + "percentile": 0.03749, + "date": "2025-12-15" } ], "cwes": [ @@ -7825,8 +7825,8 @@ { "cve": "CVE-2025-5918", "epss": 0.00019, - "percentile": 0.04307, - "date": "2025-12-14" + "percentile": 0.04264, + "date": "2025-12-15" } ], "cwes": [ @@ -7887,8 +7887,8 @@ { "cve": "CVE-2025-5918", "epss": 0.00019, - "percentile": 0.04307, - "date": "2025-12-14" + "percentile": 0.04264, + "date": "2025-12-15" } ], "cwes": [ @@ -7979,8 +7979,8 @@ { "cve": "CVE-2022-3219", "epss": 0.00012, - "percentile": 0.01397, - "date": "2025-12-14" + "percentile": 0.01394, + "date": "2025-12-15" } ], "cwes": [ @@ -8049,8 +8049,8 @@ { "cve": "CVE-2022-3219", "epss": 0.00012, - "percentile": 0.01397, - "date": "2025-12-14" + "percentile": 0.01394, + "date": "2025-12-15" } ], "cwes": [ @@ -8147,8 +8147,8 @@ { "cve": "CVE-2025-5917", "epss": 0.00019, - "percentile": 0.04396, - "date": "2025-12-14" + "percentile": 0.04351, + "date": "2025-12-15" } ], "cwes": [ @@ -8209,8 +8209,8 @@ { "cve": "CVE-2025-5917", "epss": 0.00019, - "percentile": 0.04396, - "date": "2025-12-14" + "percentile": 0.04351, + "date": "2025-12-15" } ], "cwes": [ @@ -8301,8 +8301,8 @@ { "cve": "CVE-2025-6170", "epss": 0.00017, - "percentile": 0.03384, - "date": "2025-12-14" + "percentile": 0.03368, + "date": "2025-12-15" } ], "cwes": [ @@ -8362,8 +8362,8 @@ { "cve": "CVE-2025-6170", "epss": 0.00017, - "percentile": 0.03384, - "date": "2025-12-14" + "percentile": 0.03368, + "date": "2025-12-15" } ], "cwes": [ 
@@ -8913,87 +8913,87 @@ "db": { "status": { "schemaVersion": "v6.1.3", - "from": "https://grype.anchore.io/databases/v6/vulnerability-db_v6.1.3_2025-12-15T00:26:22Z_1765786837.tar.zst?checksum=sha256%3A819b50d22f073b9ab2ad3c00d212207037c07e1de037f81b528b58717b758db2", - "built": "2025-12-15T08:20:37Z", + "from": "https://grype.anchore.io/databases/v6/vulnerability-db_v6.1.3_2025-12-16T00:25:11Z_1765880790.tar.zst?checksum=sha256%3Aa8bb3ef2cc68f242e78cda1e451f290ff56a23b1063de65d22a0ac20e16ae5bd", + "built": "2025-12-16T10:26:30Z", "path": ".cache/grype/db/6/vulnerability.db", "valid": true }, "providers": { "alma": { - "captured": "2025-12-15T00:26:29Z", + "captured": "2025-12-16T00:25:17Z", "input": "xxh64:3bae44c7a22f7a7a" }, "alpine": { - "captured": "2025-12-15T00:26:22Z", - "input": "xxh64:a6910ebae352b990" + "captured": "2025-12-16T00:25:13Z", + "input": "xxh64:0d94cc3d895e96e4" }, "amazon": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:d9332811ab10da09" + "captured": "2025-12-16T00:25:14Z", + "input": "xxh64:96351b3c21f16cdd" }, "bitnami": { - "captured": "2025-12-15T00:26:31Z", - "input": "xxh64:1ecf12b668dea077" + "captured": "2025-12-16T00:25:26Z", + "input": "xxh64:01d096e52d6c584d" }, "chainguard": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:c788b1823558ccdc" + "captured": "2025-12-16T00:25:19Z", + "input": "xxh64:aeb142b1fabd05ef" }, "chainguard-libraries": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:61125e10198fff74" + "captured": "2025-12-16T00:25:25Z", + "input": "xxh64:131c1a3e98113468" }, "debian": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:3a0aef0ee5db3f38" + "captured": "2025-12-16T00:25:24Z", + "input": "xxh64:9c5942d58a5f0d0a" }, "echo": { - "captured": "2025-12-15T00:26:34Z", - "input": "xxh64:b407f1052619408a" + "captured": "2025-12-16T00:25:20Z", + "input": "xxh64:e65ed35a7a7899d0" }, "epss": { - "captured": "2025-12-15T00:26:28Z", - "input": "xxh64:05fd1e2ee709d2a5" + "captured": 
"2025-12-16T00:25:21Z", + "input": "xxh64:c443dbaf0209cf17" }, "github": { - "captured": "2025-12-15T00:26:44Z", - "input": "xxh64:3c7fd996a88f1c66" + "captured": "2025-12-16T00:25:21Z", + "input": "xxh64:640038905439d285" }, "kev": { - "captured": "2025-12-15T00:26:23Z", - "input": "xxh64:ed425533655d771d" + "captured": "2025-12-16T00:25:11Z", + "input": "xxh64:c28f5b32e2103243" }, "mariner": { - "captured": "2025-12-15T00:26:32Z", - "input": "xxh64:6fdbff1192df3158" + "captured": "2025-12-16T00:25:18Z", + "input": "xxh64:647810a8c07a63eb" }, "minimos": { - "captured": "2025-12-15T00:26:30Z", - "input": "xxh64:66fa9397e7abbbe3" + "captured": "2025-12-16T00:25:20Z", + "input": "xxh64:24ca3b7889974a27" }, "nvd": { - "captured": "2025-12-15T00:29:34Z", - "input": "xxh64:52a15157244d2eb4" + "captured": "2025-12-16T00:28:18Z", + "input": "xxh64:8ee1877e9a9e680b" }, "oracle": { - "captured": "2025-12-15T00:26:29Z", - "input": "xxh64:a3297070ed6c54c1" + "captured": "2025-12-16T00:25:23Z", + "input": "xxh64:a4416b6b3e4250df" }, "rhel": { - "captured": "2025-12-15T00:27:19Z", - "input": "xxh64:e625d0086bf187f1" + "captured": "2025-12-16T00:26:07Z", + "input": "xxh64:9911b1a567d8f57c" }, "sles": { - "captured": "2025-12-15T00:26:44Z", - "input": "xxh64:baf8228a110f8ba2" + "captured": "2025-12-16T00:25:43Z", + "input": "xxh64:1b717d5f2e45fdee" }, "ubuntu": { - "captured": "2025-12-15T00:27:45Z", - "input": "xxh64:dd0f79d777310979" + "captured": "2025-12-16T00:27:14Z", + "input": "xxh64:2d3097578288b46f" }, "wolfi": { - "captured": "2025-12-15T00:26:25Z", - "input": "xxh64:7f14313934ae61bb" + "captured": "2025-12-16T00:25:19Z", + "input": "xxh64:f85923693eb62700" } } } diff --git a/docs/security/agent/grype-25.10.7.md b/docs/security/agent/grype-25.10.7.md index b46a7b6..d7bee4e 100644 --- a/docs/security/agent/grype-25.10.7.md +++ b/docs/security/agent/grype-25.10.7.md 
@@ -30,16 +30,16 @@ Refer to the [triaged vulnerabilities](https://docs.fluent.do/security/triaged.h | curl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-7264](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7264) | Low | | libcurl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-7264](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7264) | Low | | shadow-utils | 2:4.9-12.el9 | [CVE-2024-56433](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-56433) | Low | -| curl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | -| libcurl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | | libxml2 | 2.9.13-12.el9_6 | [CVE-2024-34459](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34459) | Low | | openssl | 1:3.2.2-6.el9_5.1 | [CVE-2024-41996](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41996) | Low | | openssl-libs | 1:3.2.2-6.el9_5.1 | [CVE-2024-41996](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41996) | Low | +| curl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | +| libcurl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | | curl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-11053](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-11053) | Low | | libcurl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-11053](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-11053) | Low | | glib2 | 2.68.4-16.el9_6.2 | [CVE-2023-32636](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32636) | Low | -| libarchive | 3.5.3-6.el9_6 | [CVE-2025-1632](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1632) | Low | | libxml2 | 2.9.13-12.el9_6 | [CVE-2025-27113](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27113) | Low | +| libarchive | 3.5.3-6.el9_6 | 
[CVE-2025-1632](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1632) | Low | | openssl | 1:3.2.2-6.el9_5.1 | [CVE-2024-13176](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13176) | Low | | openssl-libs | 1:3.2.2-6.el9_5.1 | [CVE-2024-13176](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13176) | Low | | libxml2 | 2.9.13-12.el9_6 | [CVE-2023-45322](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45322) | Low | diff --git a/docs/security/agent/grype-25.10.8.json b/docs/security/agent/grype-25.10.8.json index 99eedd4..416101f 100644 --- a/docs/security/agent/grype-25.10.8.json +++ b/docs/security/agent/grype-25.10.8.json @@ -25,8 +25,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -91,8 +91,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -194,8 +194,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -260,8 +260,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ 
@@ -340,39 +340,39 @@ }, { "vulnerability": { - "id": "CVE-2024-9681", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", + "id": "CVE-2024-34459", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-34459", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", + "description": "A flaw was found in the xmllint program distributed by the libxml2 package. A buffer over-read in the xmlHTMLPrintFileContext function in the xmllint.c file may be triggered when a crafted file is processed with the xmllint program using the `--htmlout` command line option, causing an application crash and resulting in a denial of service.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 3.9, - "exploitabilityScore": 1.4, - "impactScore": 2.6 + "baseScore": 5.5, + "exploitabilityScore": 1.9, + "impactScore": 3.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-34459", + "epss": 0.00847, + "percentile": 0.74212, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-34459", + "cwe": "CWE-122", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ], "fix": { 
@@ -380,51 +380,36 @@ "state": "not-fixed" }, "advisories": [], - "risk": 0.422625 + "risk": 0.35997500000000004 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-9681", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", + "id": "CVE-2024-34459", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-34459", "namespace": "nvd:cpe", - "severity": "Medium", + "severity": "High", "urls": [ - "https://curl.se/docs/CVE-2024-9681.html", - "https://curl.se/docs/CVE-2024-9681.json", - "https://hackerone.com/reports/2764830", - "http://seclists.org/fulldisclosure/2025/Apr/10", - "http://seclists.org/fulldisclosure/2025/Apr/11", - "http://seclists.org/fulldisclosure/2025/Apr/12", - "http://seclists.org/fulldisclosure/2025/Apr/13", - "http://seclists.org/fulldisclosure/2025/Apr/4", - "http://seclists.org/fulldisclosure/2025/Apr/5", - "http://seclists.org/fulldisclosure/2025/Apr/8", - "http://seclists.org/fulldisclosure/2025/Apr/9", - "http://www.openwall.com/lists/oss-security/2024/11/06/2", - "https://security.netapp.com/advisory/ntap-20241213-0006/" + "https://gitlab.gnome.org/GNOME/libxml2/-/issues/720", + "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.8", + "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.7", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/", + "https://lists.debian.org/debian-lts-announce/2025/07/msg00014.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", + 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/" ], - "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", + "description": "An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. 
Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c.", "cvss": [ - { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", - "metrics": { - "baseScore": 6.5, - "exploitabilityScore": 2.3, - "impactScore": 4.3 - }, - "vendorMetadata": {} - }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, + "baseScore": 7.5, + "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} @@ -432,25 +417,25 @@ ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-34459", + "epss": 0.00847, + "percentile": 0.74212, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-34459", + "cwe": "CWE-122", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ] } ], "matchDetails": [ { - "type": "exact-indirect-match", + "type": "exact-direct-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { @@ -458,21 +443,21 @@ "version": "9.7" }, "package": { - "name": "curl", - "version": "7.76.1-34.el9" + "name": "libxml2", + "version": "0:2.9.13-14.el9_7" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-9681", + "vulnerabilityID": "CVE-2024-34459", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "eb5d2c76ed21fa8e", - "name": "curl-minimal", - "version": "7.76.1-34.el9", + "id": "79cdbcbd3d61afd9", + "name": "libxml2", + "version": "2.9.13-14.el9_7", "type": "rpm", "locations": [ { 
@@ -489,22 +474,11 @@ "MIT" ], "cpes": [ - "cpe:2.3:a:curl-minimal:curl-minimal:7.76.1-34.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:curl-minimal:curl_minimal:7.76.1-34.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:curl_minimal:curl-minimal:7.76.1-34.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:curl_minimal:curl_minimal:7.76.1-34.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:curl-minimal:7.76.1-34.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:curl_minimal:7.76.1-34.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:curl:curl-minimal:7.76.1-34.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:curl:curl_minimal:7.76.1-34.el9:*:*:*:*:*:*:*" - ], - "purl": "pkg:rpm/redhat/curl-minimal@7.76.1-34.el9?arch=x86_64&distro=rhel-9.7&upstream=curl-7.76.1-34.el9.src.rpm", - "upstreams": [ - { - "name": "curl", - "version": "7.76.1-34.el9" - } + "cpe:2.3:a:libxml2:libxml2:2.9.13-14.el9_7:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libxml2:2.9.13-14.el9_7:*:*:*:*:*:*:*" ], + "purl": "pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=rhel-9.7&upstream=libxml2-2.9.13-14.el9_7.src.rpm", + "upstreams": [], "metadataType": "RpmMetadata", "metadata": { "epoch": null, 
@@ -514,91 +488,69 @@ }, { "vulnerability": { - "id": "CVE-2024-9681", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", + "id": "CVE-2024-41996", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", + "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 3.9, - "exploitabilityScore": 1.4, - "impactScore": 2.6 + "baseScore": 5.9, + "exploitabilityScore": 2.3, + "impactScore": 3.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-41996", + "cwe": "CWE-295", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ], "fix": { "versions": [], - "state": "not-fixed" + "state": "wont-fix" }, "advisories": [], - "risk": 0.422625 + "risk": 0.30705000000000005 }, 
"relatedVulnerabilities": [ { - "id": "CVE-2024-9681", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", + "id": "CVE-2024-41996", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", "namespace": "nvd:cpe", - "severity": "Medium", + "severity": "High", "urls": [ - "https://curl.se/docs/CVE-2024-9681.html", - "https://curl.se/docs/CVE-2024-9681.json", - "https://hackerone.com/reports/2764830", - "http://seclists.org/fulldisclosure/2025/Apr/10", - "http://seclists.org/fulldisclosure/2025/Apr/11", - "http://seclists.org/fulldisclosure/2025/Apr/12", - "http://seclists.org/fulldisclosure/2025/Apr/13", - "http://seclists.org/fulldisclosure/2025/Apr/4", - "http://seclists.org/fulldisclosure/2025/Apr/5", - "http://seclists.org/fulldisclosure/2025/Apr/8", - "http://seclists.org/fulldisclosure/2025/Apr/9", - "http://www.openwall.com/lists/oss-security/2024/11/06/2", - "https://security.netapp.com/advisory/ntap-20241213-0006/" + "https://dheatattack.gitlab.io/details/", + "https://dheatattack.gitlab.io/faq/", + "https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" ], - "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug 
is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", + "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", "cvss": [ - { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", - "metrics": { - "baseScore": 6.5, - "exploitabilityScore": 2.3, - "impactScore": 4.3 - }, - "vendorMetadata": {} - }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, + "baseScore": 7.5, + "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} 
@@ -606,25 +558,25 @@ ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-41996", + "cwe": "CWE-295", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ] } ], "matchDetails": [ { - "type": "exact-indirect-match", + "type": "exact-direct-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { @@ -632,21 +584,21 @@ "version": "9.7" }, "package": { - "name": "curl", - "version": "7.76.1-34.el9" + "name": "openssl", + "version": "1:3.5.1-4.el9_7" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-9681", + "vulnerabilityID": "CVE-2024-41996", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "dbb58be7b5652cc7", - "name": "libcurl-minimal", - "version": "7.76.1-34.el9", + "id": "25e16a00909d33d5", + "name": "openssl", + "version": "1:3.5.1-4.el9_7", "type": "rpm", "locations": [ { 
@@ -660,48 +612,37 @@ ], "language": "", "licenses": [ - "MIT" + "Apache-2.0" ], "cpes": [ - "cpe:2.3:a:libcurl-minimal:libcurl-minimal:7.76.1-34.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl-minimal:libcurl_minimal:7.76.1-34.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl_minimal:libcurl-minimal:7.76.1-34.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl_minimal:libcurl_minimal:7.76.1-34.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl:libcurl-minimal:7.76.1-34.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl:libcurl_minimal:7.76.1-34.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libcurl-minimal:7.76.1-34.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libcurl_minimal:7.76.1-34.el9:*:*:*:*:*:*:*" - ], - "purl": "pkg:rpm/redhat/libcurl-minimal@7.76.1-34.el9?arch=x86_64&distro=rhel-9.7&upstream=curl-7.76.1-34.el9.src.rpm", - "upstreams": [ - { - "name": "curl", - "version": "7.76.1-34.el9" - } + "cpe:2.3:a:openssl:openssl:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:openssl:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*" ], + "purl": "pkg:rpm/redhat/openssl@3.5.1-4.el9_7?arch=x86_64&distro=rhel-9.7&epoch=1&upstream=openssl-3.5.1-4.el9_7.src.rpm", + "upstreams": [], "metadataType": "RpmMetadata", "metadata": { - "epoch": null, + "epoch": 1, "modularityLabel": "" } } }, { "vulnerability": { - "id": "CVE-2024-34459", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-34459", + "id": "CVE-2024-41996", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A flaw was found in the xmllint program distributed by the libxml2 package. 
A buffer over-read in the xmlHTMLPrintFileContext function in the xmllint.c file may be triggered when a crafted file is processed with the xmllint program using the `--htmlout` command line option, causing an application crash and resulting in a denial of service.", + "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 5.5, - "exploitabilityScore": 1.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} 
@@ -709,52 +650,45 @@ ], "epss": [ { - "cve": "CVE-2024-34459", - "epss": 0.00847, - "percentile": 0.74208, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-34459", - "cwe": "CWE-122", + "cve": "CVE-2024-41996", + "cwe": "CWE-295", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ], "fix": { "versions": [], - "state": "not-fixed" + "state": "wont-fix" }, "advisories": [], - "risk": 0.35997500000000004 + "risk": 0.30705000000000005 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-34459", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-34459", + "id": "CVE-2024-41996", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", "namespace": "nvd:cpe", "severity": "High", "urls": [ - "https://gitlab.gnome.org/GNOME/libxml2/-/issues/720", - "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.8", - "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.7", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/", - "https://lists.debian.org/debian-lts-announce/2025/07/msg00014.html", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/" + "https://dheatattack.gitlab.io/details/", + "https://dheatattack.gitlab.io/faq/", + 
"https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" ], - "description": "An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c.", + "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", "cvss": [ { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { "baseScore": 7.5, "exploitabilityScore": 3.9, @@ -765,16 +699,16 @@ ], "epss": [ { - "cve": "CVE-2024-34459", - "epss": 0.00847, - "percentile": 0.74208, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-34459", - "cwe": "CWE-122", + "cve": "CVE-2024-41996", + "cwe": "CWE-295", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } @@ -783,7 +717,7 @@ ], "matchDetails": [ { - "type": "exact-direct-match", + "type": "exact-indirect-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { 
@@ -791,21 +725,21 @@ "version": "9.7" }, "package": { - "name": "libxml2", - "version": "0:2.9.13-14.el9_7" + "name": "openssl", + "version": "3.5.1-4.el9_7" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-34459", + "vulnerabilityID": "CVE-2024-41996", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "79cdbcbd3d61afd9", - "name": "libxml2", - "version": "2.9.13-14.el9_7", + "id": "9620df42e45abf0c", + "name": "openssl-libs", + "version": "1:3.5.1-4.el9_7", "type": "rpm", "locations": [ { 
@@ -819,86 +753,119 @@ ], "language": "", "licenses": [ - "MIT" + "Apache-2.0" ], "cpes": [ - "cpe:2.3:a:libxml2:libxml2:2.9.13-14.el9_7:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libxml2:2.9.13-14.el9_7:*:*:*:*:*:*:*" + "cpe:2.3:a:openssl-libs:openssl-libs:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl-libs:openssl_libs:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl_libs:openssl-libs:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl_libs:openssl_libs:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl:openssl-libs:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl:openssl_libs:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:openssl-libs:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:openssl_libs:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*" + ], + "purl": "pkg:rpm/redhat/openssl-libs@3.5.1-4.el9_7?arch=x86_64&distro=rhel-9.7&epoch=1&upstream=openssl-3.5.1-4.el9_7.src.rpm", + "upstreams": [ + { + "name": "openssl", + "version": "3.5.1-4.el9_7" + } ], - "purl": "pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=rhel-9.7&upstream=libxml2-2.9.13-14.el9_7.src.rpm", - "upstreams": [], "metadataType": "RpmMetadata", "metadata": { - "epoch": null, + "epoch": 1, "modularityLabel": "" } } }, { "vulnerability": { - "id": "CVE-2024-41996", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. 
This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", + "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, - "impactScore": 3.6 + "baseScore": 3.9, + "exploitabilityScore": 1.4, + "impactScore": 2.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ], "fix": { "versions": [], - "state": "wont-fix" + "state": "not-fixed" }, "advisories": [], - "risk": 0.30705000000000005 + "risk": 0.20009999999999997 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-41996", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", "namespace": "nvd:cpe", - "severity": "High", + "severity": "Medium", "urls": [ - "https://dheatattack.gitlab.io/details/", - "https://dheatattack.gitlab.io/faq/", - "https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" + "https://curl.se/docs/CVE-2024-9681.html", + "https://curl.se/docs/CVE-2024-9681.json", + "https://hackerone.com/reports/2764830", + "http://seclists.org/fulldisclosure/2025/Apr/10", + 
"http://seclists.org/fulldisclosure/2025/Apr/11", + "http://seclists.org/fulldisclosure/2025/Apr/12", + "http://seclists.org/fulldisclosure/2025/Apr/13", + "http://seclists.org/fulldisclosure/2025/Apr/4", + "http://seclists.org/fulldisclosure/2025/Apr/5", + "http://seclists.org/fulldisclosure/2025/Apr/8", + "http://seclists.org/fulldisclosure/2025/Apr/9", + "http://www.openwall.com/lists/oss-security/2024/11/06/2", + "https://security.netapp.com/advisory/ntap-20241213-0006/" ], - "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", + "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for 
by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.3, + "impactScore": 4.3 + }, + "vendorMetadata": {} + }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} @@ -906,25 +873,25 @@ ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ] } ], "matchDetails": [ { - "type": "exact-direct-match", + "type": "exact-indirect-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { 
@@ -932,21 +899,21 @@ "version": "9.7" }, "package": { - "name": "openssl", - "version": "1:3.5.1-4.el9_7" + "name": "curl", + "version": "7.76.1-34.el9" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-41996", + "vulnerabilityID": "CVE-2024-9681", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "25e16a00909d33d5", - "name": "openssl", - "version": "1:3.5.1-4.el9_7", + "id": "eb5d2c76ed21fa8e", + "name": "curl-minimal", + "version": "7.76.1-34.el9", "type": "rpm", "locations": [ { 
@@ -960,86 +927,119 @@ ], "language": "", "licenses": [ - "Apache-2.0" + "MIT" ], "cpes": [ - "cpe:2.3:a:openssl:openssl:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:openssl:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*" + "cpe:2.3:a:curl-minimal:curl-minimal:7.76.1-34.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:curl-minimal:curl_minimal:7.76.1-34.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:curl_minimal:curl-minimal:7.76.1-34.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:curl_minimal:curl_minimal:7.76.1-34.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:curl-minimal:7.76.1-34.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:curl_minimal:7.76.1-34.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:curl:curl-minimal:7.76.1-34.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:curl:curl_minimal:7.76.1-34.el9:*:*:*:*:*:*:*" + ], + "purl": "pkg:rpm/redhat/curl-minimal@7.76.1-34.el9?arch=x86_64&distro=rhel-9.7&upstream=curl-7.76.1-34.el9.src.rpm", + "upstreams": [ + { + "name": "curl", + "version": "7.76.1-34.el9" + } ], - "purl": "pkg:rpm/redhat/openssl@3.5.1-4.el9_7?arch=x86_64&distro=rhel-9.7&epoch=1&upstream=openssl-3.5.1-4.el9_7.src.rpm", - "upstreams": [], "metadataType": "RpmMetadata", "metadata": { - "epoch": 1, + "epoch": null, "modularityLabel": "" } } }, { "vulnerability": { - "id": "CVE-2024-41996", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. 
This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", + "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, - "impactScore": 3.6 + "baseScore": 3.9, + "exploitabilityScore": 1.4, + "impactScore": 2.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ], "fix": { "versions": [], - "state": "wont-fix" + "state": "not-fixed" }, "advisories": [], - "risk": 0.30705000000000005 + "risk": 0.20009999999999997 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-41996", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", "namespace": "nvd:cpe", - "severity": "High", + "severity": "Medium", "urls": [ - "https://dheatattack.gitlab.io/details/", - "https://dheatattack.gitlab.io/faq/", - "https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" + "https://curl.se/docs/CVE-2024-9681.html", + "https://curl.se/docs/CVE-2024-9681.json", + "https://hackerone.com/reports/2764830", + "http://seclists.org/fulldisclosure/2025/Apr/10", + 
"http://seclists.org/fulldisclosure/2025/Apr/11", + "http://seclists.org/fulldisclosure/2025/Apr/12", + "http://seclists.org/fulldisclosure/2025/Apr/13", + "http://seclists.org/fulldisclosure/2025/Apr/4", + "http://seclists.org/fulldisclosure/2025/Apr/5", + "http://seclists.org/fulldisclosure/2025/Apr/8", + "http://seclists.org/fulldisclosure/2025/Apr/9", + "http://www.openwall.com/lists/oss-security/2024/11/06/2", + "https://security.netapp.com/advisory/ntap-20241213-0006/" ], - "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", + "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for 
by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.3, + "impactScore": 4.3 + }, + "vendorMetadata": {} + }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} @@ -1047,18 +1047,18 @@ ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ] } @@ -1073,21 +1073,21 @@ "version": "9.7" }, "package": { - "name": "openssl", - "version": "3.5.1-4.el9_7" + "name": "curl", + "version": "7.76.1-34.el9" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-41996", + "vulnerabilityID": "CVE-2024-9681", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "9620df42e45abf0c", - "name": "openssl-libs", - "version": "1:3.5.1-4.el9_7", + "id": "dbb58be7b5652cc7", + "name": "libcurl-minimal", + "version": "7.76.1-34.el9", "type": "rpm", "locations": [ { 
@@ -1101,28 +1101,28 @@ ], "language": "", "licenses": [ - "Apache-2.0" + "MIT" ], "cpes": [ - "cpe:2.3:a:openssl-libs:openssl-libs:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl-libs:openssl_libs:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl_libs:openssl-libs:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl_libs:openssl_libs:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl:openssl-libs:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl:openssl_libs:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:openssl-libs:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:openssl_libs:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*" + "cpe:2.3:a:libcurl-minimal:libcurl-minimal:7.76.1-34.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl-minimal:libcurl_minimal:7.76.1-34.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl_minimal:libcurl-minimal:7.76.1-34.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl_minimal:libcurl_minimal:7.76.1-34.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl:libcurl-minimal:7.76.1-34.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl:libcurl_minimal:7.76.1-34.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libcurl-minimal:7.76.1-34.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libcurl_minimal:7.76.1-34.el9:*:*:*:*:*:*:*" ], - "purl": "pkg:rpm/redhat/openssl-libs@3.5.1-4.el9_7?arch=x86_64&distro=rhel-9.7&epoch=1&upstream=openssl-3.5.1-4.el9_7.src.rpm", + "purl": "pkg:rpm/redhat/libcurl-minimal@7.76.1-34.el9?arch=x86_64&distro=rhel-9.7&upstream=curl-7.76.1-34.el9.src.rpm", "upstreams": [ { - "name": "openssl", - "version": "3.5.1-4.el9_7" + "name": "curl", + "version": "7.76.1-34.el9" } ], "metadataType": "RpmMetadata", "metadata": { - "epoch": 1, + "epoch": null, "modularityLabel": "" } } @@ -1152,8 +1152,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ], "fix": { 
@@ -1197,8 +1197,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ] } @@ -1292,8 +1292,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ], "fix": { @@ -1337,8 +1337,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ] } @@ -1432,8 +1432,8 @@ { "cve": "CVE-2025-14087", "epss": 0.00197, - "percentile": 0.41855, - "date": "2025-12-14" + "percentile": 0.41841, + "date": "2025-12-15" } ], "cwes": [ @@ -1480,8 +1480,8 @@ { "cve": "CVE-2025-14087", "epss": 0.00197, - "percentile": 0.41855, - "date": "2025-12-14" + "percentile": 0.41841, + "date": "2025-12-15" } ], "cwes": [ @@ -1572,8 +1572,8 @@ { "cve": "CVE-2023-32636", "epss": 0.00165, - "percentile": 0.38062, - "date": "2025-12-14" + "percentile": 0.38035, + "date": "2025-12-15" } ], "cwes": [ @@ -1639,8 +1639,8 @@ { "cve": "CVE-2023-32636", "epss": 0.00165, - "percentile": 0.38062, - "date": "2025-12-14" + "percentile": 0.38035, + "date": "2025-12-15" } ], "cwes": [ 
@@ -1714,20 +1714,20 @@ }, { "vulnerability": { - "id": "CVE-2025-1632", - "dataSource": "https://access.redhat.com/security/cve/CVE-2025-1632", + "id": "CVE-2025-27113", + "dataSource": "https://access.redhat.com/security/cve/CVE-2025-27113", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A flaw was found in the bsdunzip utility of libarchive. In affected versions, a specially crafted file may trigger a null pointer dereference. This issue can lead to an application crash or other unexpected behavior.", + "description": "A flaw was found in libxml2. This vulnerability allows a NULL pointer dereference, leading to a potential crash or denial of service via a crafted XML pattern.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L", "metrics": { - "baseScore": 3.3, - "exploitabilityScore": 1.9, + "baseScore": 3.1, + "exploitabilityScore": 1.7, "impactScore": 1.5 }, "vendorMetadata": {} @@ -1735,27 +1735,21 @@ ], "epss": [ { - "cve": "CVE-2025-1632", - "epss": 0.00188, - "percentile": 0.40872, - "date": "2025-12-14" + "cve": "CVE-2025-27113", + "epss": 0.00217, + "percentile": 0.44238, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-1632", - "cwe": "CWE-404", - "source": "cna@vuldb.com", - "type": "Secondary" - }, - { - "cve": "CVE-2025-1632", + "cve": "CVE-2025-27113", "cwe": "CWE-476", - "source": "cna@vuldb.com", + "source": "cve@mitre.org", "type": "Secondary" }, { - "cve": "CVE-2025-1632", + "cve": "CVE-2025-27113", "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" 
@@ -1766,92 +1760,71 @@ "state": "not-fixed" }, "advisories": [], - "risk": 0.05921999999999999 + "risk": 0.066185 }, "relatedVulnerabilities": [ { - "id": "CVE-2025-1632", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-1632", + "id": "CVE-2025-27113", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-27113", "namespace": "nvd:cpe", - "severity": "Medium", + "severity": "High", "urls": [ - "https://github.com/Ekkosun/pocs/blob/main/bsdunzip-poc", - "https://vuldb.com/?ctiid.296619", - "https://vuldb.com/?id.296619", - "https://vuldb.com/?submit.496460" + "https://gitlab.gnome.org/GNOME/libxml2/-/issues/861", + "http://seclists.org/fulldisclosure/2025/Apr/10", + "http://seclists.org/fulldisclosure/2025/Apr/11", + "http://seclists.org/fulldisclosure/2025/Apr/12", + "http://seclists.org/fulldisclosure/2025/Apr/13", + "http://seclists.org/fulldisclosure/2025/Apr/4", + "http://seclists.org/fulldisclosure/2025/Apr/5", + "http://seclists.org/fulldisclosure/2025/Apr/8", + "http://seclists.org/fulldisclosure/2025/Apr/9", + "https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html", + "https://security.netapp.com/advisory/ntap-20250306-0004/" ], - "description": "A vulnerability was found in libarchive up to 3.7.7. It has been classified as problematic. This affects the function list of the file bsdunzip.c. The manipulation leads to null pointer dereference. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. 
The vendor was contacted early about this disclosure but did not respond in any way.", + "description": "libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer dereference in xmlPatMatch in pattern.c.", "cvss": [ { "source": "nvd@nist.gov", "type": "Primary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 5.5, - "exploitabilityScore": 1.9, + "baseScore": 7.5, + "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} }, { - "source": "cna@vuldb.com", - "type": "Secondary", - "version": "4.0", - "vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", - "metrics": { - "baseScore": 4.8 - }, - "vendorMetadata": {} - }, - { - "source": "cna@vuldb.com", + "source": "cve@mitre.org", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "metrics": { - "baseScore": 3.3, - "exploitabilityScore": 1.9, + "baseScore": 2.9, + "exploitabilityScore": 1.5, "impactScore": 1.5 }, "vendorMetadata": {} - }, - { - "source": "cna@vuldb.com", - "type": "Secondary", - "version": "2.0", - "vector": "AV:L/AC:L/Au:S/C:N/I:N/A:P", - "metrics": { - "baseScore": 1.7, - "exploitabilityScore": 3.2, - "impactScore": 2.9 - }, - "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2025-1632", - "epss": 0.00188, - "percentile": 0.40872, - "date": "2025-12-14" + "cve": "CVE-2025-27113", + "epss": 0.00217, + "percentile": 0.44238, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-1632", - "cwe": "CWE-404", - "source": "cna@vuldb.com", - "type": "Secondary" - }, - { - "cve": "CVE-2025-1632", + "cve": "CVE-2025-27113", "cwe": "CWE-476", - "source": "cna@vuldb.com", + "source": "cve@mitre.org", "type": "Secondary" }, { - 
"cve": "CVE-2025-1632", + "cve": "CVE-2025-27113", "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" @@ -1869,21 +1842,21 @@ "version": "9.7" }, "package": { - "name": "libarchive", - "version": "0:3.5.3-6.el9_6" + "name": "libxml2", + "version": "0:2.9.13-14.el9_7" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2025-1632", + "vulnerabilityID": "CVE-2025-27113", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "5fe8b53173092253", - "name": "libarchive", - "version": "3.5.3-6.el9_6", + "id": "79cdbcbd3d61afd9", + "name": "libxml2", + "version": "2.9.13-14.el9_7", "type": "rpm", "locations": [ { @@ -1897,13 +1870,13 @@ ], "language": "", "licenses": [ - "BSD" + "MIT" ], "cpes": [ - "cpe:2.3:a:libarchive:libarchive:3.5.3-6.el9_6:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libarchive:3.5.3-6.el9_6:*:*:*:*:*:*:*" + "cpe:2.3:a:libxml2:libxml2:2.9.13-14.el9_7:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libxml2:2.9.13-14.el9_7:*:*:*:*:*:*:*" ], - "purl": "pkg:rpm/redhat/libarchive@3.5.3-6.el9_6?arch=x86_64&distro=rhel-9.7&upstream=libarchive-3.5.3-6.el9_6.src.rpm", + "purl": "pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=rhel-9.7&upstream=libxml2-2.9.13-14.el9_7.src.rpm", "upstreams": [], "metadataType": "RpmMetadata", "metadata": { 
@@ -1914,20 +1887,20 @@ }, { "vulnerability": { - "id": "CVE-2025-27113", - "dataSource": "https://access.redhat.com/security/cve/CVE-2025-27113", + "id": "CVE-2025-1632", + "dataSource": "https://access.redhat.com/security/cve/CVE-2025-1632", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A flaw was found in libxml2. This vulnerability allows a NULL pointer dereference, leading to a potential crash or denial of service via a crafted XML pattern.", + "description": "A flaw was found in the bsdunzip utility of libarchive. In affected versions, a specially crafted file may trigger a null pointer dereference. This issue can lead to an application crash or other unexpected behavior.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "metrics": { - "baseScore": 3.1, - "exploitabilityScore": 1.7, + "baseScore": 3.3, + "exploitabilityScore": 1.9, "impactScore": 1.5 }, "vendorMetadata": {} @@ -1935,21 +1908,27 @@ ], "epss": [ { - "cve": "CVE-2025-27113", - "epss": 0.00184, - "percentile": 0.40434, - "date": "2025-12-14" + "cve": "CVE-2025-1632", + "epss": 0.00188, + "percentile": 0.40856, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-27113", + "cve": "CVE-2025-1632", + "cwe": "CWE-404", + "source": "cna@vuldb.com", + "type": "Secondary" + }, + { + "cve": "CVE-2025-1632", "cwe": "CWE-476", - "source": "cve@mitre.org", + "source": "cna@vuldb.com", "type": "Secondary" }, { - "cve": "CVE-2025-27113", + "cve": "CVE-2025-1632", "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" 
@@ -1960,71 +1939,92 @@ "state": "not-fixed" }, "advisories": [], - "risk": 0.056119999999999996 + "risk": 0.05921999999999999 }, "relatedVulnerabilities": [ { - "id": "CVE-2025-27113", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-27113", + "id": "CVE-2025-1632", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-1632", "namespace": "nvd:cpe", - "severity": "High", + "severity": "Medium", "urls": [ - "https://gitlab.gnome.org/GNOME/libxml2/-/issues/861", - "http://seclists.org/fulldisclosure/2025/Apr/10", - "http://seclists.org/fulldisclosure/2025/Apr/11", - "http://seclists.org/fulldisclosure/2025/Apr/12", - "http://seclists.org/fulldisclosure/2025/Apr/13", - "http://seclists.org/fulldisclosure/2025/Apr/4", - "http://seclists.org/fulldisclosure/2025/Apr/5", - "http://seclists.org/fulldisclosure/2025/Apr/8", - "http://seclists.org/fulldisclosure/2025/Apr/9", - "https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html", - "https://security.netapp.com/advisory/ntap-20250306-0004/" + "https://github.com/Ekkosun/pocs/blob/main/bsdunzip-poc", + "https://vuldb.com/?ctiid.296619", + "https://vuldb.com/?id.296619", + "https://vuldb.com/?submit.496460" ], - "description": "libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer dereference in xmlPatMatch in pattern.c.", + "description": "A vulnerability was found in libarchive up to 3.7.7. It has been classified as problematic. This affects the function list of the file bsdunzip.c. The manipulation leads to null pointer dereference. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. 
The vendor was contacted early about this disclosure but did not respond in any way.", "cvss": [ { "source": "nvd@nist.gov", "type": "Primary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, + "baseScore": 5.5, + "exploitabilityScore": 1.9, "impactScore": 3.6 }, "vendorMetadata": {} }, { - "source": "cve@mitre.org", + "source": "cna@vuldb.com", + "type": "Secondary", + "version": "4.0", + "vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", + "metrics": { + "baseScore": 4.8 + }, + "vendorMetadata": {} + }, + { + "source": "cna@vuldb.com", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "metrics": { - "baseScore": 2.9, - "exploitabilityScore": 1.5, + "baseScore": 3.3, + "exploitabilityScore": 1.9, "impactScore": 1.5 }, "vendorMetadata": {} + }, + { + "source": "cna@vuldb.com", + "type": "Secondary", + "version": "2.0", + "vector": "AV:L/AC:L/Au:S/C:N/I:N/A:P", + "metrics": { + "baseScore": 1.7, + "exploitabilityScore": 3.2, + "impactScore": 2.9 + }, + "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2025-27113", - "epss": 0.00184, - "percentile": 0.40434, - "date": "2025-12-14" + "cve": "CVE-2025-1632", + "epss": 0.00188, + "percentile": 0.40856, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-27113", + "cve": "CVE-2025-1632", + "cwe": "CWE-404", + "source": "cna@vuldb.com", + "type": "Secondary" + }, + { + "cve": "CVE-2025-1632", "cwe": "CWE-476", - "source": "cve@mitre.org", + "source": "cna@vuldb.com", "type": "Secondary" }, { - "cve": "CVE-2025-27113", + "cve": "CVE-2025-1632", "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" 
@@ -2042,21 +2042,21 @@ "version": "9.7" }, "package": { - "name": "libxml2", - "version": "0:2.9.13-14.el9_7" + "name": "libarchive", + "version": "0:3.5.3-6.el9_6" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2025-27113", + "vulnerabilityID": "CVE-2025-1632", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "79cdbcbd3d61afd9", - "name": "libxml2", - "version": "2.9.13-14.el9_7", + "id": "5fe8b53173092253", + "name": "libarchive", + "version": "3.5.3-6.el9_6", "type": "rpm", "locations": [ { @@ -2070,13 +2070,13 @@ ], "language": "", "licenses": [ - "MIT" + "BSD" ], "cpes": [ - "cpe:2.3:a:libxml2:libxml2:2.9.13-14.el9_7:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libxml2:2.9.13-14.el9_7:*:*:*:*:*:*:*" + "cpe:2.3:a:libarchive:libarchive:3.5.3-6.el9_6:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libarchive:3.5.3-6.el9_6:*:*:*:*:*:*:*" ], - "purl": "pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=rhel-9.7&upstream=libxml2-2.9.13-14.el9_7.src.rpm", + "purl": "pkg:rpm/redhat/libarchive@3.5.3-6.el9_6?arch=x86_64&distro=rhel-9.7&upstream=libarchive-3.5.3-6.el9_6.src.rpm", "upstreams": [], "metadataType": "RpmMetadata", "metadata": { @@ -2110,8 +2110,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ], "fix": { @@ -2152,8 +2152,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ] } @@ -2247,8 +2247,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ], "fix": { @@ -2289,8 +2289,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ] } 
@@ -2384,8 +2384,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -2443,8 +2443,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -2535,8 +2535,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -2594,8 +2594,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -2697,8 +2697,8 @@ { "cve": "CVE-2023-45322", "epss": 0.00076, - "percentile": 0.23163, - "date": "2025-12-14" + "percentile": 0.2314, + "date": "2025-12-15" } ], "cwes": [ @@ -2747,8 +2747,8 @@ { "cve": "CVE-2023-45322", "epss": 0.00076, - "percentile": 0.23163, - "date": "2025-12-14" + "percentile": 0.2314, + "date": "2025-12-15" } ], "cwes": [ @@ -2839,8 +2839,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -2887,8 +2887,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -2979,8 +2979,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -3027,8 +3027,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -3130,8 +3130,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ], "fix": { 
@@ -3173,8 +3173,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ] } @@ -3268,8 +3268,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ], "fix": { @@ -3311,8 +3311,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ] } @@ -3406,8 +3406,8 @@ { "cve": "CVE-2025-3360", "epss": 0.00068, - "percentile": 0.2117, - "date": "2025-12-14" + "percentile": 0.21148, + "date": "2025-12-15" } ], "cwes": [ @@ -3455,8 +3455,8 @@ { "cve": "CVE-2025-3360", "epss": 0.00068, - "percentile": 0.2117, - "date": "2025-12-14" + "percentile": 0.21148, + "date": "2025-12-15" } ], "cwes": [ @@ -3547,8 +3547,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -3608,8 +3608,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -3705,8 +3705,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -3766,8 +3766,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -3863,8 +3863,8 @@ { "cve": "CVE-2025-14512", "epss": 0.00034, - "percentile": 0.09609, - "date": "2025-12-14" + "percentile": 0.09535, + "date": "2025-12-15" } ], "cwes": [ @@ -3911,8 +3911,8 @@ { "cve": "CVE-2025-14512", "epss": 0.00034, - "percentile": 0.09609, - "date": "2025-12-14" + "percentile": 0.09535, + "date": "2025-12-15" } ], "cwes": [ 
@@ -4006,8 +4006,8 @@ { "cve": "CVE-2025-29478", "epss": 0.00034, - "percentile": 0.09478, - "date": "2025-12-14" + "percentile": 0.09393, + "date": "2025-12-15" } ], "cwes": [ @@ -4098,8 +4098,8 @@ { "cve": "CVE-2023-4156", "epss": 0.00031, - "percentile": 0.08475, - "date": "2025-12-14" + "percentile": 0.08405, + "date": "2025-12-15" } ], "cwes": [ @@ -4164,8 +4164,8 @@ { "cve": "CVE-2023-4156", "epss": 0.00031, - "percentile": 0.08475, - "date": "2025-12-14" + "percentile": 0.08405, + "date": "2025-12-15" } ], "cwes": [ @@ -4262,8 +4262,8 @@ { "cve": "CVE-2025-60753", "epss": 0.0002, - "percentile": 0.04699, - "date": "2025-12-14" + "percentile": 0.04656, + "date": "2025-12-15" } ], "cwes": [ @@ -4316,8 +4316,8 @@ { "cve": "CVE-2025-60753", "epss": 0.0002, - "percentile": 0.04699, - "date": "2025-12-14" + "percentile": 0.04656, + "date": "2025-12-15" } ], "cwes": [ @@ -4417,8 +4417,8 @@ { "cve": "CVE-2025-29477", "epss": 0.00019, - "percentile": 0.04132, - "date": "2025-12-14" + "percentile": 0.04084, + "date": "2025-12-15" } ], "cwes": [ @@ -4509,8 +4509,8 @@ { "cve": "CVE-2025-13601", "epss": 0.00015, - "percentile": 0.02458, - "date": "2025-12-14" + "percentile": 0.0245, + "date": "2025-12-15" } ], "cwes": [ @@ -4559,8 +4559,8 @@ { "cve": "CVE-2025-13601", "epss": 0.00015, - "percentile": 0.02458, - "date": "2025-12-14" + "percentile": 0.0245, + "date": "2025-12-15" } ], "cwes": [ @@ -4651,8 +4651,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ], "fix": { @@ -4693,8 +4693,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ] } @@ -4788,8 +4788,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ], "fix": { 
@@ -4830,8 +4830,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ] } @@ -4925,8 +4925,8 @@ { "cve": "CVE-2025-5915", "epss": 0.00026, - "percentile": 0.06449, - "date": "2025-12-14" + "percentile": 0.06425, + "date": "2025-12-15" } ], "cwes": [ @@ -4987,8 +4987,8 @@ { "cve": "CVE-2025-5915", "epss": 0.00026, - "percentile": 0.06449, - "date": "2025-12-14" + "percentile": 0.06425, + "date": "2025-12-15" } ], "cwes": [ @@ -5079,8 +5079,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -5132,8 +5132,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -5224,8 +5224,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -5277,8 +5277,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -5380,8 +5380,8 @@ { "cve": "CVE-2025-5916", "epss": 0.00023, - "percentile": 0.05378, - "date": "2025-12-14" + "percentile": 0.05349, + "date": "2025-12-15" } ], "cwes": [ @@ -5442,8 +5442,8 @@ { "cve": "CVE-2025-5916", "epss": 0.00023, - "percentile": 0.05378, - "date": "2025-12-14" + "percentile": 0.05349, + "date": "2025-12-15" } ], "cwes": [ @@ -5534,8 +5534,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -5582,8 +5582,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ 
@@ -5679,8 +5679,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -5727,8 +5727,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -5824,8 +5824,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -5872,8 +5872,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -5969,8 +5969,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -6017,8 +6017,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -6114,8 +6114,8 @@ { "cve": "CVE-2025-5278", "epss": 0.00016, - "percentile": 0.02784, - "date": "2025-12-14" + "percentile": 0.02777, + "date": "2025-12-15" } ], "cwes": [ @@ -6168,8 +6168,8 @@ { "cve": "CVE-2025-5278", "epss": 0.00016, - "percentile": 0.02784, - "date": "2025-12-14" + "percentile": 0.02777, + "date": "2025-12-15" } ], "cwes": [ @@ -6271,8 +6271,8 @@ { "cve": "CVE-2023-30571", "epss": 0.00014, - "percentile": 0.02021, - "date": "2025-12-14" + "percentile": 0.02012, + "date": "2025-12-15" } ], "cwes": [ @@ -6337,8 +6337,8 @@ { "cve": "CVE-2023-30571", "epss": 0.00014, - "percentile": 0.02021, - "date": "2025-12-14" + "percentile": 0.02012, + "date": "2025-12-15" } ], "cwes": [ @@ -6435,8 +6435,8 @@ { "cve": "CVE-2025-30258", "epss": 0.00025, - "percentile": 0.05983, - "date": "2025-12-14" + "percentile": 0.0597, + "date": "2025-12-15" } ], "cwes": [ 
@@ -6496,8 +6496,8 @@ { "cve": "CVE-2025-30258", "epss": 0.00025, - "percentile": 0.05983, - "date": "2025-12-14" + "percentile": 0.0597, + "date": "2025-12-15" } ], "cwes": [ @@ -6588,8 +6588,8 @@ { "cve": "CVE-2024-0232", "epss": 0.00018, - "percentile": 0.03785, - "date": "2025-12-14" + "percentile": 0.03749, + "date": "2025-12-15" } ], "cwes": [ @@ -6656,8 +6656,8 @@ { "cve": "CVE-2024-0232", "epss": 0.00018, - "percentile": 0.03785, - "date": "2025-12-14" + "percentile": 0.03749, + "date": "2025-12-15" } ], "cwes": [ @@ -6765,8 +6765,8 @@ { "cve": "CVE-2025-5918", "epss": 0.00019, - "percentile": 0.04307, - "date": "2025-12-14" + "percentile": 0.04264, + "date": "2025-12-15" } ], "cwes": [ @@ -6827,8 +6827,8 @@ { "cve": "CVE-2025-5918", "epss": 0.00019, - "percentile": 0.04307, - "date": "2025-12-14" + "percentile": 0.04264, + "date": "2025-12-15" } ], "cwes": [ @@ -6919,8 +6919,8 @@ { "cve": "CVE-2022-3219", "epss": 0.00012, - "percentile": 0.01397, - "date": "2025-12-14" + "percentile": 0.01394, + "date": "2025-12-15" } ], "cwes": [ @@ -6989,8 +6989,8 @@ { "cve": "CVE-2022-3219", "epss": 0.00012, - "percentile": 0.01397, - "date": "2025-12-14" + "percentile": 0.01394, + "date": "2025-12-15" } ], "cwes": [ @@ -7087,8 +7087,8 @@ { "cve": "CVE-2025-5917", "epss": 0.00019, - "percentile": 0.04396, - "date": "2025-12-14" + "percentile": 0.04351, + "date": "2025-12-15" } ], "cwes": [ @@ -7149,8 +7149,8 @@ { "cve": "CVE-2025-5917", "epss": 0.00019, - "percentile": 0.04396, - "date": "2025-12-14" + "percentile": 0.04351, + "date": "2025-12-15" } ], "cwes": [ @@ -7241,8 +7241,8 @@ { "cve": "CVE-2025-6170", "epss": 0.00017, - "percentile": 0.03384, - "date": "2025-12-14" + "percentile": 0.03368, + "date": "2025-12-15" } ], "cwes": [ @@ -7302,8 +7302,8 @@ { "cve": "CVE-2025-6170", "epss": 0.00017, - "percentile": 0.03384, - "date": "2025-12-14" + "percentile": 0.03368, + "date": "2025-12-15" } ], "cwes": [ 
@@ -7853,87 +7853,87 @@ "db": { "status": { "schemaVersion": "v6.1.3", - "from": "https://grype.anchore.io/databases/v6/vulnerability-db_v6.1.3_2025-12-15T00:26:22Z_1765786837.tar.zst?checksum=sha256%3A819b50d22f073b9ab2ad3c00d212207037c07e1de037f81b528b58717b758db2", - "built": "2025-12-15T08:20:37Z", + "from": "https://grype.anchore.io/databases/v6/vulnerability-db_v6.1.3_2025-12-16T00:25:11Z_1765880790.tar.zst?checksum=sha256%3Aa8bb3ef2cc68f242e78cda1e451f290ff56a23b1063de65d22a0ac20e16ae5bd", + "built": "2025-12-16T10:26:30Z", "path": ".cache/grype/db/6/vulnerability.db", "valid": true }, "providers": { "alma": { - "captured": "2025-12-15T00:26:29Z", + "captured": "2025-12-16T00:25:17Z", "input": "xxh64:3bae44c7a22f7a7a" }, "alpine": { - "captured": "2025-12-15T00:26:22Z", - "input": "xxh64:a6910ebae352b990" + "captured": "2025-12-16T00:25:13Z", + "input": "xxh64:0d94cc3d895e96e4" }, "amazon": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:d9332811ab10da09" + "captured": "2025-12-16T00:25:14Z", + "input": "xxh64:96351b3c21f16cdd" }, "bitnami": { - "captured": "2025-12-15T00:26:31Z", - "input": "xxh64:1ecf12b668dea077" + "captured": "2025-12-16T00:25:26Z", + "input": "xxh64:01d096e52d6c584d" }, "chainguard": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:c788b1823558ccdc" + "captured": "2025-12-16T00:25:19Z", + "input": "xxh64:aeb142b1fabd05ef" }, "chainguard-libraries": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:61125e10198fff74" + "captured": "2025-12-16T00:25:25Z", + "input": "xxh64:131c1a3e98113468" }, "debian": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:3a0aef0ee5db3f38" + "captured": "2025-12-16T00:25:24Z", + "input": "xxh64:9c5942d58a5f0d0a" }, "echo": { - "captured": "2025-12-15T00:26:34Z", - "input": "xxh64:b407f1052619408a" + "captured": "2025-12-16T00:25:20Z", + "input": "xxh64:e65ed35a7a7899d0" }, "epss": { - "captured": "2025-12-15T00:26:28Z", - "input": "xxh64:05fd1e2ee709d2a5" + "captured": 
"2025-12-16T00:25:21Z", + "input": "xxh64:c443dbaf0209cf17" }, "github": { - "captured": "2025-12-15T00:26:44Z", - "input": "xxh64:3c7fd996a88f1c66" + "captured": "2025-12-16T00:25:21Z", + "input": "xxh64:640038905439d285" }, "kev": { - "captured": "2025-12-15T00:26:23Z", - "input": "xxh64:ed425533655d771d" + "captured": "2025-12-16T00:25:11Z", + "input": "xxh64:c28f5b32e2103243" }, "mariner": { - "captured": "2025-12-15T00:26:32Z", - "input": "xxh64:6fdbff1192df3158" + "captured": "2025-12-16T00:25:18Z", + "input": "xxh64:647810a8c07a63eb" }, "minimos": { - "captured": "2025-12-15T00:26:30Z", - "input": "xxh64:66fa9397e7abbbe3" + "captured": "2025-12-16T00:25:20Z", + "input": "xxh64:24ca3b7889974a27" }, "nvd": { - "captured": "2025-12-15T00:29:34Z", - "input": "xxh64:52a15157244d2eb4" + "captured": "2025-12-16T00:28:18Z", + "input": "xxh64:8ee1877e9a9e680b" }, "oracle": { - "captured": "2025-12-15T00:26:29Z", - "input": "xxh64:a3297070ed6c54c1" + "captured": "2025-12-16T00:25:23Z", + "input": "xxh64:a4416b6b3e4250df" }, "rhel": { - "captured": "2025-12-15T00:27:19Z", - "input": "xxh64:e625d0086bf187f1" + "captured": "2025-12-16T00:26:07Z", + "input": "xxh64:9911b1a567d8f57c" }, "sles": { - "captured": "2025-12-15T00:26:44Z", - "input": "xxh64:baf8228a110f8ba2" + "captured": "2025-12-16T00:25:43Z", + "input": "xxh64:1b717d5f2e45fdee" }, "ubuntu": { - "captured": "2025-12-15T00:27:45Z", - "input": "xxh64:dd0f79d777310979" + "captured": "2025-12-16T00:27:14Z", + "input": "xxh64:2d3097578288b46f" }, "wolfi": { - "captured": "2025-12-15T00:26:25Z", - "input": "xxh64:7f14313934ae61bb" + "captured": "2025-12-16T00:25:19Z", + "input": "xxh64:f85923693eb62700" } } } diff --git a/docs/security/agent/grype-25.10.8.md b/docs/security/agent/grype-25.10.8.md index 567b666..264307e 100644 --- a/docs/security/agent/grype-25.10.8.md +++ b/docs/security/agent/grype-25.10.8.md 
@@ -24,16 +24,16 @@ Refer to the [triaged vulnerabilities](https://docs.fluent.do/security/triaged.h | sqlite-libs | 3.34.1-9.el9_7 | [CVE-2025-52099](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-52099) | Medium | | curl-minimal | 7.76.1-34.el9 | [CVE-2024-7264](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7264) | Low | | libcurl-minimal | 7.76.1-34.el9 | [CVE-2024-7264](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7264) | Low | -| curl-minimal | 7.76.1-34.el9 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | -| libcurl-minimal | 7.76.1-34.el9 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | | libxml2 | 2.9.13-14.el9_7 | [CVE-2024-34459](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34459) | Low | | openssl | 1:3.5.1-4.el9_7 | [CVE-2024-41996](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41996) | Low | | openssl-libs | 1:3.5.1-4.el9_7 | [CVE-2024-41996](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41996) | Low | +| curl-minimal | 7.76.1-34.el9 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | +| libcurl-minimal | 7.76.1-34.el9 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | | curl-minimal | 7.76.1-34.el9 | [CVE-2024-11053](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-11053) | Low | | libcurl-minimal | 7.76.1-34.el9 | [CVE-2024-11053](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-11053) | Low | | glib2 | 2.68.4-18.el9_7 | [CVE-2023-32636](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32636) | Low | -| libarchive | 3.5.3-6.el9_6 | [CVE-2025-1632](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1632) | Low | | libxml2 | 2.9.13-14.el9_7 | [CVE-2025-27113](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27113) | Low | +| libarchive | 3.5.3-6.el9_6 | 
[CVE-2025-1632](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1632) | Low | | openssl | 1:3.5.1-4.el9_7 | [CVE-2024-13176](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13176) | Low | | openssl-libs | 1:3.5.1-4.el9_7 | [CVE-2024-13176](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13176) | Low | | libxml2 | 2.9.13-14.el9_7 | [CVE-2023-45322](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45322) | Low | diff --git a/docs/security/agent/grype-25.10.9.json b/docs/security/agent/grype-25.10.9.json index 31e3d02..4f1e9c7 100644 --- a/docs/security/agent/grype-25.10.9.json +++ b/docs/security/agent/grype-25.10.9.json @@ -25,8 +25,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -91,8 +91,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -194,8 +194,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -260,8 +260,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ 
@@ -340,39 +340,39 @@ }, { "vulnerability": { - "id": "CVE-2024-9681", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", + "id": "CVE-2024-34459", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-34459", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", + "description": "A flaw was found in the xmllint program distributed by the libxml2 package. A buffer over-read in the xmlHTMLPrintFileContext function in the xmllint.c file may be triggered when a crafted file is processed with the xmllint program using the `--htmlout` command line option, causing an application crash and resulting in a denial of service.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 3.9, - "exploitabilityScore": 1.4, - "impactScore": 2.6 + "baseScore": 5.5, + "exploitabilityScore": 1.9, + "impactScore": 3.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-34459", + "epss": 0.00847, + "percentile": 0.74212, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-34459", + "cwe": "CWE-122", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ], "fix": { 
@@ -380,51 +380,36 @@ "state": "not-fixed" }, "advisories": [], - "risk": 0.422625 + "risk": 0.35997500000000004 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-9681", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", + "id": "CVE-2024-34459", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-34459", "namespace": "nvd:cpe", - "severity": "Medium", + "severity": "High", "urls": [ - "https://curl.se/docs/CVE-2024-9681.html", - "https://curl.se/docs/CVE-2024-9681.json", - "https://hackerone.com/reports/2764830", - "http://seclists.org/fulldisclosure/2025/Apr/10", - "http://seclists.org/fulldisclosure/2025/Apr/11", - "http://seclists.org/fulldisclosure/2025/Apr/12", - "http://seclists.org/fulldisclosure/2025/Apr/13", - "http://seclists.org/fulldisclosure/2025/Apr/4", - "http://seclists.org/fulldisclosure/2025/Apr/5", - "http://seclists.org/fulldisclosure/2025/Apr/8", - "http://seclists.org/fulldisclosure/2025/Apr/9", - "http://www.openwall.com/lists/oss-security/2024/11/06/2", - "https://security.netapp.com/advisory/ntap-20241213-0006/" + "https://gitlab.gnome.org/GNOME/libxml2/-/issues/720", + "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.8", + "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.7", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/", + "https://lists.debian.org/debian-lts-announce/2025/07/msg00014.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", + 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/" ], - "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", + "description": "An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. 
Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c.", "cvss": [ - { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", - "metrics": { - "baseScore": 6.5, - "exploitabilityScore": 2.3, - "impactScore": 4.3 - }, - "vendorMetadata": {} - }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, + "baseScore": 7.5, + "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} @@ -432,25 +417,25 @@ ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-34459", + "epss": 0.00847, + "percentile": 0.74212, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-34459", + "cwe": "CWE-122", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ] } ], "matchDetails": [ { - "type": "exact-indirect-match", + "type": "exact-direct-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { @@ -458,21 +443,21 @@ "version": "9.7" }, "package": { - "name": "curl", - "version": "7.76.1-34.el9" + "name": "libxml2", + "version": "0:2.9.13-12.el9_6" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-9681", + "vulnerabilityID": "CVE-2024-34459", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "eb5d2c76ed21fa8e", - "name": "curl-minimal", - "version": "7.76.1-34.el9", + "id": "66b25e26e34fcd34", + "name": "libxml2", + "version": "2.9.13-12.el9_6", "type": "rpm", "locations": [ { 
@@ -489,22 +474,11 @@ "MIT" ], "cpes": [ - "cpe:2.3:a:curl-minimal:curl-minimal:7.76.1-34.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:curl-minimal:curl_minimal:7.76.1-34.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:curl_minimal:curl-minimal:7.76.1-34.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:curl_minimal:curl_minimal:7.76.1-34.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:curl-minimal:7.76.1-34.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:curl_minimal:7.76.1-34.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:curl:curl-minimal:7.76.1-34.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:curl:curl_minimal:7.76.1-34.el9:*:*:*:*:*:*:*" - ], - "purl": "pkg:rpm/redhat/curl-minimal@7.76.1-34.el9?arch=x86_64&distro=rhel-9.7&upstream=curl-7.76.1-34.el9.src.rpm", - "upstreams": [ - { - "name": "curl", - "version": "7.76.1-34.el9" - } + "cpe:2.3:a:libxml2:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*" ], + "purl": "pkg:rpm/redhat/libxml2@2.9.13-12.el9_6?arch=x86_64&distro=rhel-9.7&upstream=libxml2-2.9.13-12.el9_6.src.rpm", + "upstreams": [], "metadataType": "RpmMetadata", "metadata": { "epoch": null, 
@@ -514,91 +488,69 @@ }, { "vulnerability": { - "id": "CVE-2024-9681", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", + "id": "CVE-2024-41996", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", + "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 3.9, - "exploitabilityScore": 1.4, - "impactScore": 2.6 + "baseScore": 5.9, + "exploitabilityScore": 2.3, + "impactScore": 3.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-41996", + "cwe": "CWE-295", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ], "fix": { "versions": [], - "state": "not-fixed" + "state": "wont-fix" }, "advisories": [], - "risk": 0.422625 + "risk": 0.30705000000000005 }, 
"relatedVulnerabilities": [ { - "id": "CVE-2024-9681", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", + "id": "CVE-2024-41996", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", "namespace": "nvd:cpe", - "severity": "Medium", + "severity": "High", "urls": [ - "https://curl.se/docs/CVE-2024-9681.html", - "https://curl.se/docs/CVE-2024-9681.json", - "https://hackerone.com/reports/2764830", - "http://seclists.org/fulldisclosure/2025/Apr/10", - "http://seclists.org/fulldisclosure/2025/Apr/11", - "http://seclists.org/fulldisclosure/2025/Apr/12", - "http://seclists.org/fulldisclosure/2025/Apr/13", - "http://seclists.org/fulldisclosure/2025/Apr/4", - "http://seclists.org/fulldisclosure/2025/Apr/5", - "http://seclists.org/fulldisclosure/2025/Apr/8", - "http://seclists.org/fulldisclosure/2025/Apr/9", - "http://www.openwall.com/lists/oss-security/2024/11/06/2", - "https://security.netapp.com/advisory/ntap-20241213-0006/" + "https://dheatattack.gitlab.io/details/", + "https://dheatattack.gitlab.io/faq/", + "https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" ], - "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug 
is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", + "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", "cvss": [ - { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", - "metrics": { - "baseScore": 6.5, - "exploitabilityScore": 2.3, - "impactScore": 4.3 - }, - "vendorMetadata": {} - }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, + "baseScore": 7.5, + "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} 
@@ -606,25 +558,25 @@ ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-41996", + "cwe": "CWE-295", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ] } ], "matchDetails": [ { - "type": "exact-indirect-match", + "type": "exact-direct-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { @@ -632,21 +584,21 @@ "version": "9.7" }, "package": { - "name": "curl", - "version": "7.76.1-34.el9" + "name": "openssl", + "version": "1:3.5.1-4.el9_7" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-9681", + "vulnerabilityID": "CVE-2024-41996", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "dbb58be7b5652cc7", - "name": "libcurl-minimal", - "version": "7.76.1-34.el9", + "id": "25e16a00909d33d5", + "name": "openssl", + "version": "1:3.5.1-4.el9_7", "type": "rpm", "locations": [ { 
@@ -660,48 +612,37 @@ ], "language": "", "licenses": [ - "MIT" + "Apache-2.0" ], "cpes": [ - "cpe:2.3:a:libcurl-minimal:libcurl-minimal:7.76.1-34.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl-minimal:libcurl_minimal:7.76.1-34.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl_minimal:libcurl-minimal:7.76.1-34.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl_minimal:libcurl_minimal:7.76.1-34.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl:libcurl-minimal:7.76.1-34.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl:libcurl_minimal:7.76.1-34.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libcurl-minimal:7.76.1-34.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libcurl_minimal:7.76.1-34.el9:*:*:*:*:*:*:*" - ], - "purl": "pkg:rpm/redhat/libcurl-minimal@7.76.1-34.el9?arch=x86_64&distro=rhel-9.7&upstream=curl-7.76.1-34.el9.src.rpm", - "upstreams": [ - { - "name": "curl", - "version": "7.76.1-34.el9" - } + "cpe:2.3:a:openssl:openssl:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:openssl:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*" ], + "purl": "pkg:rpm/redhat/openssl@3.5.1-4.el9_7?arch=x86_64&distro=rhel-9.7&epoch=1&upstream=openssl-3.5.1-4.el9_7.src.rpm", + "upstreams": [], "metadataType": "RpmMetadata", "metadata": { - "epoch": null, + "epoch": 1, "modularityLabel": "" } } }, { "vulnerability": { - "id": "CVE-2024-34459", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-34459", + "id": "CVE-2024-41996", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A flaw was found in the xmllint program distributed by the libxml2 package. 
A buffer over-read in the xmlHTMLPrintFileContext function in the xmllint.c file may be triggered when a crafted file is processed with the xmllint program using the `--htmlout` command line option, causing an application crash and resulting in a denial of service.", + "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 5.5, - "exploitabilityScore": 1.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} 
@@ -709,52 +650,45 @@ ], "epss": [ { - "cve": "CVE-2024-34459", - "epss": 0.00847, - "percentile": 0.74208, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-34459", - "cwe": "CWE-122", + "cve": "CVE-2024-41996", + "cwe": "CWE-295", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ], "fix": { "versions": [], - "state": "not-fixed" + "state": "wont-fix" }, "advisories": [], - "risk": 0.35997500000000004 + "risk": 0.30705000000000005 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-34459", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-34459", + "id": "CVE-2024-41996", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", "namespace": "nvd:cpe", "severity": "High", "urls": [ - "https://gitlab.gnome.org/GNOME/libxml2/-/issues/720", - "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.8", - "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.7", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/", - "https://lists.debian.org/debian-lts-announce/2025/07/msg00014.html", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/" + "https://dheatattack.gitlab.io/details/", + "https://dheatattack.gitlab.io/faq/", + 
"https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" ], - "description": "An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c.", + "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", "cvss": [ { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { "baseScore": 7.5, "exploitabilityScore": 3.9, @@ -765,16 +699,16 @@ ], "epss": [ { - "cve": "CVE-2024-34459", - "epss": 0.00847, - "percentile": 0.74208, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-34459", - "cwe": "CWE-122", + "cve": "CVE-2024-41996", + "cwe": "CWE-295", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } @@ -783,7 +717,7 @@ ], "matchDetails": [ { - "type": "exact-direct-match", + "type": "exact-indirect-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { 
@@ -791,21 +725,21 @@ "version": "9.7" }, "package": { - "name": "libxml2", - "version": "0:2.9.13-12.el9_6" + "name": "openssl", + "version": "3.5.1-4.el9_7" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-34459", + "vulnerabilityID": "CVE-2024-41996", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "66b25e26e34fcd34", - "name": "libxml2", - "version": "2.9.13-12.el9_6", + "id": "9620df42e45abf0c", + "name": "openssl-libs", + "version": "1:3.5.1-4.el9_7", "type": "rpm", "locations": [ { 
@@ -819,86 +753,119 @@ ], "language": "", "licenses": [ - "MIT" + "Apache-2.0" ], "cpes": [ - "cpe:2.3:a:libxml2:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*" + "cpe:2.3:a:openssl-libs:openssl-libs:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl-libs:openssl_libs:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl_libs:openssl-libs:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl_libs:openssl_libs:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl:openssl-libs:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl:openssl_libs:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:openssl-libs:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:openssl_libs:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*" + ], + "purl": "pkg:rpm/redhat/openssl-libs@3.5.1-4.el9_7?arch=x86_64&distro=rhel-9.7&epoch=1&upstream=openssl-3.5.1-4.el9_7.src.rpm", + "upstreams": [ + { + "name": "openssl", + "version": "3.5.1-4.el9_7" + } ], - "purl": "pkg:rpm/redhat/libxml2@2.9.13-12.el9_6?arch=x86_64&distro=rhel-9.7&upstream=libxml2-2.9.13-12.el9_6.src.rpm", - "upstreams": [], "metadataType": "RpmMetadata", "metadata": { - "epoch": null, + "epoch": 1, "modularityLabel": "" } } }, { "vulnerability": { - "id": "CVE-2024-41996", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. 
This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", + "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, - "impactScore": 3.6 + "baseScore": 3.9, + "exploitabilityScore": 1.4, + "impactScore": 2.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ], "fix": { "versions": [], - "state": "wont-fix" + "state": "not-fixed" }, "advisories": [], - "risk": 0.30705000000000005 + "risk": 0.20009999999999997 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-41996", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", "namespace": "nvd:cpe", - "severity": "High", + "severity": "Medium", "urls": [ - "https://dheatattack.gitlab.io/details/", - "https://dheatattack.gitlab.io/faq/", - "https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" + "https://curl.se/docs/CVE-2024-9681.html", + "https://curl.se/docs/CVE-2024-9681.json", + "https://hackerone.com/reports/2764830", + "http://seclists.org/fulldisclosure/2025/Apr/10", + 
"http://seclists.org/fulldisclosure/2025/Apr/11", + "http://seclists.org/fulldisclosure/2025/Apr/12", + "http://seclists.org/fulldisclosure/2025/Apr/13", + "http://seclists.org/fulldisclosure/2025/Apr/4", + "http://seclists.org/fulldisclosure/2025/Apr/5", + "http://seclists.org/fulldisclosure/2025/Apr/8", + "http://seclists.org/fulldisclosure/2025/Apr/9", + "http://www.openwall.com/lists/oss-security/2024/11/06/2", + "https://security.netapp.com/advisory/ntap-20241213-0006/" ], - "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", + "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for 
by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.3, + "impactScore": 4.3 + }, + "vendorMetadata": {} + }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} @@ -906,25 +873,25 @@ ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ] } ], "matchDetails": [ { - "type": "exact-direct-match", + "type": "exact-indirect-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { 
@@ -932,21 +899,21 @@ "version": "9.7" }, "package": { - "name": "openssl", - "version": "1:3.5.1-4.el9_7" + "name": "curl", + "version": "7.76.1-34.el9" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-41996", + "vulnerabilityID": "CVE-2024-9681", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "25e16a00909d33d5", - "name": "openssl", - "version": "1:3.5.1-4.el9_7", + "id": "eb5d2c76ed21fa8e", + "name": "curl-minimal", + "version": "7.76.1-34.el9", "type": "rpm", "locations": [ { 
@@ -960,86 +927,119 @@ ], "language": "", "licenses": [ - "Apache-2.0" + "MIT" ], "cpes": [ - "cpe:2.3:a:openssl:openssl:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:openssl:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*" + "cpe:2.3:a:curl-minimal:curl-minimal:7.76.1-34.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:curl-minimal:curl_minimal:7.76.1-34.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:curl_minimal:curl-minimal:7.76.1-34.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:curl_minimal:curl_minimal:7.76.1-34.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:curl-minimal:7.76.1-34.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:curl_minimal:7.76.1-34.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:curl:curl-minimal:7.76.1-34.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:curl:curl_minimal:7.76.1-34.el9:*:*:*:*:*:*:*" + ], + "purl": "pkg:rpm/redhat/curl-minimal@7.76.1-34.el9?arch=x86_64&distro=rhel-9.7&upstream=curl-7.76.1-34.el9.src.rpm", + "upstreams": [ + { + "name": "curl", + "version": "7.76.1-34.el9" + } ], - "purl": "pkg:rpm/redhat/openssl@3.5.1-4.el9_7?arch=x86_64&distro=rhel-9.7&epoch=1&upstream=openssl-3.5.1-4.el9_7.src.rpm", - "upstreams": [], "metadataType": "RpmMetadata", "metadata": { - "epoch": 1, + "epoch": null, "modularityLabel": "" } } }, { "vulnerability": { - "id": "CVE-2024-41996", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. 
This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", + "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, - "impactScore": 3.6 + "baseScore": 3.9, + "exploitabilityScore": 1.4, + "impactScore": 2.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ], "fix": { "versions": [], - "state": "wont-fix" + "state": "not-fixed" }, "advisories": [], - "risk": 0.30705000000000005 + "risk": 0.20009999999999997 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-41996", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", "namespace": "nvd:cpe", - "severity": "High", + "severity": "Medium", "urls": [ - "https://dheatattack.gitlab.io/details/", - "https://dheatattack.gitlab.io/faq/", - "https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" + "https://curl.se/docs/CVE-2024-9681.html", + "https://curl.se/docs/CVE-2024-9681.json", + "https://hackerone.com/reports/2764830", + "http://seclists.org/fulldisclosure/2025/Apr/10", + 
"http://seclists.org/fulldisclosure/2025/Apr/11", + "http://seclists.org/fulldisclosure/2025/Apr/12", + "http://seclists.org/fulldisclosure/2025/Apr/13", + "http://seclists.org/fulldisclosure/2025/Apr/4", + "http://seclists.org/fulldisclosure/2025/Apr/5", + "http://seclists.org/fulldisclosure/2025/Apr/8", + "http://seclists.org/fulldisclosure/2025/Apr/9", + "http://www.openwall.com/lists/oss-security/2024/11/06/2", + "https://security.netapp.com/advisory/ntap-20241213-0006/" ], - "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", + "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for 
by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.3, + "impactScore": 4.3 + }, + "vendorMetadata": {} + }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} @@ -1047,18 +1047,18 @@ ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ] } @@ -1073,21 +1073,21 @@ "version": "9.7" }, "package": { - "name": "openssl", - "version": "3.5.1-4.el9_7" + "name": "curl", + "version": "7.76.1-34.el9" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-41996", + "vulnerabilityID": "CVE-2024-9681", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "9620df42e45abf0c", - "name": "openssl-libs", - "version": "1:3.5.1-4.el9_7", + "id": "dbb58be7b5652cc7", + "name": "libcurl-minimal", + "version": "7.76.1-34.el9", "type": "rpm", "locations": [ { 
@@ -1101,28 +1101,28 @@ ], "language": "", "licenses": [ - "Apache-2.0" + "MIT" ], "cpes": [ - "cpe:2.3:a:openssl-libs:openssl-libs:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl-libs:openssl_libs:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl_libs:openssl-libs:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl_libs:openssl_libs:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl:openssl-libs:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl:openssl_libs:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:openssl-libs:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:openssl_libs:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*" + "cpe:2.3:a:libcurl-minimal:libcurl-minimal:7.76.1-34.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl-minimal:libcurl_minimal:7.76.1-34.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl_minimal:libcurl-minimal:7.76.1-34.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl_minimal:libcurl_minimal:7.76.1-34.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl:libcurl-minimal:7.76.1-34.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl:libcurl_minimal:7.76.1-34.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libcurl-minimal:7.76.1-34.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libcurl_minimal:7.76.1-34.el9:*:*:*:*:*:*:*" ], - "purl": "pkg:rpm/redhat/openssl-libs@3.5.1-4.el9_7?arch=x86_64&distro=rhel-9.7&epoch=1&upstream=openssl-3.5.1-4.el9_7.src.rpm", + "purl": "pkg:rpm/redhat/libcurl-minimal@7.76.1-34.el9?arch=x86_64&distro=rhel-9.7&upstream=curl-7.76.1-34.el9.src.rpm", "upstreams": [ { - "name": "openssl", - "version": "3.5.1-4.el9_7" + "name": "curl", + "version": "7.76.1-34.el9" } ], "metadataType": "RpmMetadata", "metadata": { - "epoch": 1, + "epoch": null, "modularityLabel": "" } } @@ -1152,8 +1152,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ], "fix": { 
@@ -1197,8 +1197,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ] } @@ -1292,8 +1292,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ], "fix": { @@ -1337,8 +1337,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ] } @@ -1432,8 +1432,8 @@ { "cve": "CVE-2025-14087", "epss": 0.00197, - "percentile": 0.41855, - "date": "2025-12-14" + "percentile": 0.41841, + "date": "2025-12-15" } ], "cwes": [ @@ -1480,8 +1480,8 @@ { "cve": "CVE-2025-14087", "epss": 0.00197, - "percentile": 0.41855, - "date": "2025-12-14" + "percentile": 0.41841, + "date": "2025-12-15" } ], "cwes": [ @@ -1572,8 +1572,8 @@ { "cve": "CVE-2023-32636", "epss": 0.00165, - "percentile": 0.38062, - "date": "2025-12-14" + "percentile": 0.38035, + "date": "2025-12-15" } ], "cwes": [ @@ -1639,8 +1639,8 @@ { "cve": "CVE-2023-32636", "epss": 0.00165, - "percentile": 0.38062, - "date": "2025-12-14" + "percentile": 0.38035, + "date": "2025-12-15" } ], "cwes": [ 
@@ -1714,20 +1714,20 @@ }, { "vulnerability": { - "id": "CVE-2025-1632", - "dataSource": "https://access.redhat.com/security/cve/CVE-2025-1632", + "id": "CVE-2025-27113", + "dataSource": "https://access.redhat.com/security/cve/CVE-2025-27113", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A flaw was found in the bsdunzip utility of libarchive. In affected versions, a specially crafted file may trigger a null pointer dereference. This issue can lead to an application crash or other unexpected behavior.", + "description": "A flaw was found in libxml2. This vulnerability allows a NULL pointer dereference, leading to a potential crash or denial of service via a crafted XML pattern.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L", "metrics": { - "baseScore": 3.3, - "exploitabilityScore": 1.9, + "baseScore": 3.1, + "exploitabilityScore": 1.7, "impactScore": 1.5 }, "vendorMetadata": {} @@ -1735,27 +1735,21 @@ ], "epss": [ { - "cve": "CVE-2025-1632", - "epss": 0.00188, - "percentile": 0.40872, - "date": "2025-12-14" + "cve": "CVE-2025-27113", + "epss": 0.00217, + "percentile": 0.44238, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-1632", - "cwe": "CWE-404", - "source": "cna@vuldb.com", - "type": "Secondary" - }, - { - "cve": "CVE-2025-1632", + "cve": "CVE-2025-27113", "cwe": "CWE-476", - "source": "cna@vuldb.com", + "source": "cve@mitre.org", "type": "Secondary" }, { - "cve": "CVE-2025-1632", + "cve": "CVE-2025-27113", "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" 
@@ -1766,92 +1760,71 @@ "state": "not-fixed" }, "advisories": [], - "risk": 0.05921999999999999 + "risk": 0.066185 }, "relatedVulnerabilities": [ { - "id": "CVE-2025-1632", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-1632", + "id": "CVE-2025-27113", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-27113", "namespace": "nvd:cpe", - "severity": "Medium", + "severity": "High", "urls": [ - "https://github.com/Ekkosun/pocs/blob/main/bsdunzip-poc", - "https://vuldb.com/?ctiid.296619", - "https://vuldb.com/?id.296619", - "https://vuldb.com/?submit.496460" + "https://gitlab.gnome.org/GNOME/libxml2/-/issues/861", + "http://seclists.org/fulldisclosure/2025/Apr/10", + "http://seclists.org/fulldisclosure/2025/Apr/11", + "http://seclists.org/fulldisclosure/2025/Apr/12", + "http://seclists.org/fulldisclosure/2025/Apr/13", + "http://seclists.org/fulldisclosure/2025/Apr/4", + "http://seclists.org/fulldisclosure/2025/Apr/5", + "http://seclists.org/fulldisclosure/2025/Apr/8", + "http://seclists.org/fulldisclosure/2025/Apr/9", + "https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html", + "https://security.netapp.com/advisory/ntap-20250306-0004/" ], - "description": "A vulnerability was found in libarchive up to 3.7.7. It has been classified as problematic. This affects the function list of the file bsdunzip.c. The manipulation leads to null pointer dereference. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. 
The vendor was contacted early about this disclosure but did not respond in any way.", + "description": "libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer dereference in xmlPatMatch in pattern.c.", "cvss": [ { "source": "nvd@nist.gov", "type": "Primary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 5.5, - "exploitabilityScore": 1.9, + "baseScore": 7.5, + "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} }, { - "source": "cna@vuldb.com", - "type": "Secondary", - "version": "4.0", - "vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", - "metrics": { - "baseScore": 4.8 - }, - "vendorMetadata": {} - }, - { - "source": "cna@vuldb.com", + "source": "cve@mitre.org", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "metrics": { - "baseScore": 3.3, - "exploitabilityScore": 1.9, + "baseScore": 2.9, + "exploitabilityScore": 1.5, "impactScore": 1.5 }, "vendorMetadata": {} - }, - { - "source": "cna@vuldb.com", - "type": "Secondary", - "version": "2.0", - "vector": "AV:L/AC:L/Au:S/C:N/I:N/A:P", - "metrics": { - "baseScore": 1.7, - "exploitabilityScore": 3.2, - "impactScore": 2.9 - }, - "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2025-1632", - "epss": 0.00188, - "percentile": 0.40872, - "date": "2025-12-14" + "cve": "CVE-2025-27113", + "epss": 0.00217, + "percentile": 0.44238, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-1632", - "cwe": "CWE-404", - "source": "cna@vuldb.com", - "type": "Secondary" - }, - { - "cve": "CVE-2025-1632", + "cve": "CVE-2025-27113", "cwe": "CWE-476", - "source": "cna@vuldb.com", + "source": "cve@mitre.org", "type": "Secondary" }, { - 
"cve": "CVE-2025-1632", + "cve": "CVE-2025-27113", "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" @@ -1869,21 +1842,21 @@ "version": "9.7" }, "package": { - "name": "libarchive", - "version": "0:3.5.3-6.el9_6" + "name": "libxml2", + "version": "0:2.9.13-12.el9_6" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2025-1632", + "vulnerabilityID": "CVE-2025-27113", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "5fe8b53173092253", - "name": "libarchive", - "version": "3.5.3-6.el9_6", + "id": "66b25e26e34fcd34", + "name": "libxml2", + "version": "2.9.13-12.el9_6", "type": "rpm", "locations": [ { @@ -1897,13 +1870,13 @@ ], "language": "", "licenses": [ - "BSD" + "MIT" ], "cpes": [ - "cpe:2.3:a:libarchive:libarchive:3.5.3-6.el9_6:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libarchive:3.5.3-6.el9_6:*:*:*:*:*:*:*" + "cpe:2.3:a:libxml2:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*" ], - "purl": "pkg:rpm/redhat/libarchive@3.5.3-6.el9_6?arch=x86_64&distro=rhel-9.7&upstream=libarchive-3.5.3-6.el9_6.src.rpm", + "purl": "pkg:rpm/redhat/libxml2@2.9.13-12.el9_6?arch=x86_64&distro=rhel-9.7&upstream=libxml2-2.9.13-12.el9_6.src.rpm", "upstreams": [], "metadataType": "RpmMetadata", "metadata": { 
@@ -1914,20 +1887,20 @@ }, { "vulnerability": { - "id": "CVE-2025-27113", - "dataSource": "https://access.redhat.com/security/cve/CVE-2025-27113", + "id": "CVE-2025-1632", + "dataSource": "https://access.redhat.com/security/cve/CVE-2025-1632", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A flaw was found in libxml2. This vulnerability allows a NULL pointer dereference, leading to a potential crash or denial of service via a crafted XML pattern.", + "description": "A flaw was found in the bsdunzip utility of libarchive. In affected versions, a specially crafted file may trigger a null pointer dereference. This issue can lead to an application crash or other unexpected behavior.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "metrics": { - "baseScore": 3.1, - "exploitabilityScore": 1.7, + "baseScore": 3.3, + "exploitabilityScore": 1.9, "impactScore": 1.5 }, "vendorMetadata": {} @@ -1935,21 +1908,27 @@ ], "epss": [ { - "cve": "CVE-2025-27113", - "epss": 0.00184, - "percentile": 0.40434, - "date": "2025-12-14" + "cve": "CVE-2025-1632", + "epss": 0.00188, + "percentile": 0.40856, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-27113", + "cve": "CVE-2025-1632", + "cwe": "CWE-404", + "source": "cna@vuldb.com", + "type": "Secondary" + }, + { + "cve": "CVE-2025-1632", "cwe": "CWE-476", - "source": "cve@mitre.org", + "source": "cna@vuldb.com", "type": "Secondary" }, { - "cve": "CVE-2025-27113", + "cve": "CVE-2025-1632", "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" 
@@ -1960,71 +1939,92 @@ "state": "not-fixed" }, "advisories": [], - "risk": 0.056119999999999996 + "risk": 0.05921999999999999 }, "relatedVulnerabilities": [ { - "id": "CVE-2025-27113", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-27113", + "id": "CVE-2025-1632", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-1632", "namespace": "nvd:cpe", - "severity": "High", + "severity": "Medium", "urls": [ - "https://gitlab.gnome.org/GNOME/libxml2/-/issues/861", - "http://seclists.org/fulldisclosure/2025/Apr/10", - "http://seclists.org/fulldisclosure/2025/Apr/11", - "http://seclists.org/fulldisclosure/2025/Apr/12", - "http://seclists.org/fulldisclosure/2025/Apr/13", - "http://seclists.org/fulldisclosure/2025/Apr/4", - "http://seclists.org/fulldisclosure/2025/Apr/5", - "http://seclists.org/fulldisclosure/2025/Apr/8", - "http://seclists.org/fulldisclosure/2025/Apr/9", - "https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html", - "https://security.netapp.com/advisory/ntap-20250306-0004/" + "https://github.com/Ekkosun/pocs/blob/main/bsdunzip-poc", + "https://vuldb.com/?ctiid.296619", + "https://vuldb.com/?id.296619", + "https://vuldb.com/?submit.496460" ], - "description": "libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer dereference in xmlPatMatch in pattern.c.", + "description": "A vulnerability was found in libarchive up to 3.7.7. It has been classified as problematic. This affects the function list of the file bsdunzip.c. The manipulation leads to null pointer dereference. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. 
The vendor was contacted early about this disclosure but did not respond in any way.", "cvss": [ { "source": "nvd@nist.gov", "type": "Primary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, + "baseScore": 5.5, + "exploitabilityScore": 1.9, "impactScore": 3.6 }, "vendorMetadata": {} }, { - "source": "cve@mitre.org", + "source": "cna@vuldb.com", + "type": "Secondary", + "version": "4.0", + "vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", + "metrics": { + "baseScore": 4.8 + }, + "vendorMetadata": {} + }, + { + "source": "cna@vuldb.com", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "metrics": { - "baseScore": 2.9, - "exploitabilityScore": 1.5, + "baseScore": 3.3, + "exploitabilityScore": 1.9, "impactScore": 1.5 }, "vendorMetadata": {} + }, + { + "source": "cna@vuldb.com", + "type": "Secondary", + "version": "2.0", + "vector": "AV:L/AC:L/Au:S/C:N/I:N/A:P", + "metrics": { + "baseScore": 1.7, + "exploitabilityScore": 3.2, + "impactScore": 2.9 + }, + "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2025-27113", - "epss": 0.00184, - "percentile": 0.40434, - "date": "2025-12-14" + "cve": "CVE-2025-1632", + "epss": 0.00188, + "percentile": 0.40856, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-27113", + "cve": "CVE-2025-1632", + "cwe": "CWE-404", + "source": "cna@vuldb.com", + "type": "Secondary" + }, + { + "cve": "CVE-2025-1632", "cwe": "CWE-476", - "source": "cve@mitre.org", + "source": "cna@vuldb.com", "type": "Secondary" }, { - "cve": "CVE-2025-27113", + "cve": "CVE-2025-1632", "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" 
@@ -2042,21 +2042,21 @@ "version": "9.7" }, "package": { - "name": "libxml2", - "version": "0:2.9.13-12.el9_6" + "name": "libarchive", + "version": "0:3.5.3-6.el9_6" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2025-27113", + "vulnerabilityID": "CVE-2025-1632", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "66b25e26e34fcd34", - "name": "libxml2", - "version": "2.9.13-12.el9_6", + "id": "5fe8b53173092253", + "name": "libarchive", + "version": "3.5.3-6.el9_6", "type": "rpm", "locations": [ { @@ -2070,13 +2070,13 @@ ], "language": "", "licenses": [ - "MIT" + "BSD" ], "cpes": [ - "cpe:2.3:a:libxml2:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*" + "cpe:2.3:a:libarchive:libarchive:3.5.3-6.el9_6:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libarchive:3.5.3-6.el9_6:*:*:*:*:*:*:*" ], - "purl": "pkg:rpm/redhat/libxml2@2.9.13-12.el9_6?arch=x86_64&distro=rhel-9.7&upstream=libxml2-2.9.13-12.el9_6.src.rpm", + "purl": "pkg:rpm/redhat/libarchive@3.5.3-6.el9_6?arch=x86_64&distro=rhel-9.7&upstream=libarchive-3.5.3-6.el9_6.src.rpm", "upstreams": [], "metadataType": "RpmMetadata", "metadata": { @@ -2110,8 +2110,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ], "fix": { @@ -2152,8 +2152,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ] } @@ -2247,8 +2247,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ], "fix": { @@ -2289,8 +2289,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ] } 
@@ -2384,8 +2384,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -2443,8 +2443,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -2535,8 +2535,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -2594,8 +2594,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -2697,8 +2697,8 @@ { "cve": "CVE-2023-45322", "epss": 0.00076, - "percentile": 0.23163, - "date": "2025-12-14" + "percentile": 0.2314, + "date": "2025-12-15" } ], "cwes": [ @@ -2747,8 +2747,8 @@ { "cve": "CVE-2023-45322", "epss": 0.00076, - "percentile": 0.23163, - "date": "2025-12-14" + "percentile": 0.2314, + "date": "2025-12-15" } ], "cwes": [ @@ -2839,8 +2839,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -2887,8 +2887,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -2979,8 +2979,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -3027,8 +3027,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -3130,8 +3130,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ], "fix": { 
@@ -3173,8 +3173,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ] } @@ -3268,8 +3268,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ], "fix": { @@ -3311,8 +3311,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ] } @@ -3406,8 +3406,8 @@ { "cve": "CVE-2025-3360", "epss": 0.00068, - "percentile": 0.2117, - "date": "2025-12-14" + "percentile": 0.21148, + "date": "2025-12-15" } ], "cwes": [ @@ -3455,8 +3455,8 @@ { "cve": "CVE-2025-3360", "epss": 0.00068, - "percentile": 0.2117, - "date": "2025-12-14" + "percentile": 0.21148, + "date": "2025-12-15" } ], "cwes": [ @@ -3547,8 +3547,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -3608,8 +3608,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -3705,8 +3705,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -3766,8 +3766,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -3863,8 +3863,8 @@ { "cve": "CVE-2025-4598", "epss": 0.00042, - "percentile": 0.12535, - "date": "2025-12-14" + "percentile": 0.12486, + "date": "2025-12-15" } ], "cwes": [ @@ -3936,8 +3936,8 @@ { "cve": "CVE-2025-4598", "epss": 0.00042, - "percentile": 0.12535, - "date": "2025-12-14" + "percentile": 0.12486, + "date": "2025-12-15" } ], "cwes": [ 
@@ -4042,8 +4042,8 @@ { "cve": "CVE-2025-14512", "epss": 0.00034, - "percentile": 0.09609, - "date": "2025-12-14" + "percentile": 0.09535, + "date": "2025-12-15" } ], "cwes": [ @@ -4090,8 +4090,8 @@ { "cve": "CVE-2025-14512", "epss": 0.00034, - "percentile": 0.09609, - "date": "2025-12-14" + "percentile": 0.09535, + "date": "2025-12-15" } ], "cwes": [ @@ -4185,8 +4185,8 @@ { "cve": "CVE-2025-29478", "epss": 0.00034, - "percentile": 0.09478, - "date": "2025-12-14" + "percentile": 0.09393, + "date": "2025-12-15" } ], "cwes": [ @@ -4277,8 +4277,8 @@ { "cve": "CVE-2023-4156", "epss": 0.00031, - "percentile": 0.08475, - "date": "2025-12-14" + "percentile": 0.08405, + "date": "2025-12-15" } ], "cwes": [ @@ -4343,8 +4343,8 @@ { "cve": "CVE-2023-4156", "epss": 0.00031, - "percentile": 0.08475, - "date": "2025-12-14" + "percentile": 0.08405, + "date": "2025-12-15" } ], "cwes": [ @@ -4441,8 +4441,8 @@ { "cve": "CVE-2025-9714", "epss": 0.00024, - "percentile": 0.05691, - "date": "2025-12-14" + "percentile": 0.05683, + "date": "2025-12-15" } ], "cwes": [ @@ -4515,8 +4515,8 @@ { "cve": "CVE-2025-9714", "epss": 0.00024, - "percentile": 0.05691, - "date": "2025-12-14" + "percentile": 0.05683, + "date": "2025-12-15" } ], "cwes": [ @@ -4610,8 +4610,8 @@ { "cve": "CVE-2025-60753", "epss": 0.0002, - "percentile": 0.04699, - "date": "2025-12-14" + "percentile": 0.04656, + "date": "2025-12-15" } ], "cwes": [ @@ -4664,8 +4664,8 @@ { "cve": "CVE-2025-60753", "epss": 0.0002, - "percentile": 0.04699, - "date": "2025-12-14" + "percentile": 0.04656, + "date": "2025-12-15" } ], "cwes": [ @@ -4765,8 +4765,8 @@ { "cve": "CVE-2025-29477", "epss": 0.00019, - "percentile": 0.04132, - "date": "2025-12-14" + "percentile": 0.04084, + "date": "2025-12-15" } ], "cwes": [ @@ -4857,8 +4857,8 @@ { "cve": "CVE-2025-13601", "epss": 0.00015, - "percentile": 0.02458, - "date": "2025-12-14" + "percentile": 0.0245, + "date": "2025-12-15" } ], "cwes": [ 
@@ -4907,8 +4907,8 @@ { "cve": "CVE-2025-13601", "epss": 0.00015, - "percentile": 0.02458, - "date": "2025-12-14" + "percentile": 0.0245, + "date": "2025-12-15" } ], "cwes": [ @@ -4999,8 +4999,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ], "fix": { @@ -5041,8 +5041,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ] } @@ -5136,8 +5136,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ], "fix": { @@ -5178,8 +5178,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ] } @@ -5273,8 +5273,8 @@ { "cve": "CVE-2025-5915", "epss": 0.00026, - "percentile": 0.06449, - "date": "2025-12-14" + "percentile": 0.06425, + "date": "2025-12-15" } ], "cwes": [ @@ -5335,8 +5335,8 @@ { "cve": "CVE-2025-5915", "epss": 0.00026, - "percentile": 0.06449, - "date": "2025-12-14" + "percentile": 0.06425, + "date": "2025-12-15" } ], "cwes": [ @@ -5427,8 +5427,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -5480,8 +5480,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -5572,8 +5572,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -5625,8 +5625,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ 
@@ -5728,8 +5728,8 @@ { "cve": "CVE-2025-5916", "epss": 0.00023, - "percentile": 0.05378, - "date": "2025-12-14" + "percentile": 0.05349, + "date": "2025-12-15" } ], "cwes": [ @@ -5790,8 +5790,8 @@ { "cve": "CVE-2025-5916", "epss": 0.00023, - "percentile": 0.05378, - "date": "2025-12-14" + "percentile": 0.05349, + "date": "2025-12-15" } ], "cwes": [ @@ -5882,8 +5882,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -5930,8 +5930,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -6027,8 +6027,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -6075,8 +6075,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -6172,8 +6172,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -6220,8 +6220,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -6317,8 +6317,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -6365,8 +6365,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -6462,8 +6462,8 @@ { "cve": "CVE-2025-5278", "epss": 0.00016, - "percentile": 0.02784, - "date": "2025-12-14" + "percentile": 0.02777, + "date": "2025-12-15" } ], "cwes": [ 
@@ -6516,8 +6516,8 @@ { "cve": "CVE-2025-5278", "epss": 0.00016, - "percentile": 0.02784, - "date": "2025-12-14" + "percentile": 0.02777, + "date": "2025-12-15" } ], "cwes": [ @@ -6619,8 +6619,8 @@ { "cve": "CVE-2023-30571", "epss": 0.00014, - "percentile": 0.02021, - "date": "2025-12-14" + "percentile": 0.02012, + "date": "2025-12-15" } ], "cwes": [ @@ -6685,8 +6685,8 @@ { "cve": "CVE-2023-30571", "epss": 0.00014, - "percentile": 0.02021, - "date": "2025-12-14" + "percentile": 0.02012, + "date": "2025-12-15" } ], "cwes": [ @@ -6783,8 +6783,8 @@ { "cve": "CVE-2025-30258", "epss": 0.00025, - "percentile": 0.05983, - "date": "2025-12-14" + "percentile": 0.0597, + "date": "2025-12-15" } ], "cwes": [ @@ -6844,8 +6844,8 @@ { "cve": "CVE-2025-30258", "epss": 0.00025, - "percentile": 0.05983, - "date": "2025-12-14" + "percentile": 0.0597, + "date": "2025-12-15" } ], "cwes": [ @@ -6936,8 +6936,8 @@ { "cve": "CVE-2024-0232", "epss": 0.00018, - "percentile": 0.03785, - "date": "2025-12-14" + "percentile": 0.03749, + "date": "2025-12-15" } ], "cwes": [ @@ -7004,8 +7004,8 @@ { "cve": "CVE-2024-0232", "epss": 0.00018, - "percentile": 0.03785, - "date": "2025-12-14" + "percentile": 0.03749, + "date": "2025-12-15" } ], "cwes": [ @@ -7113,8 +7113,8 @@ { "cve": "CVE-2025-5918", "epss": 0.00019, - "percentile": 0.04307, - "date": "2025-12-14" + "percentile": 0.04264, + "date": "2025-12-15" } ], "cwes": [ @@ -7175,8 +7175,8 @@ { "cve": "CVE-2025-5918", "epss": 0.00019, - "percentile": 0.04307, - "date": "2025-12-14" + "percentile": 0.04264, + "date": "2025-12-15" } ], "cwes": [ @@ -7267,8 +7267,8 @@ { "cve": "CVE-2022-3219", "epss": 0.00012, - "percentile": 0.01397, - "date": "2025-12-14" + "percentile": 0.01394, + "date": "2025-12-15" } ], "cwes": [ @@ -7337,8 +7337,8 @@ { "cve": "CVE-2022-3219", "epss": 0.00012, - "percentile": 0.01397, - "date": "2025-12-14" + "percentile": 0.01394, + "date": "2025-12-15" } ], "cwes": [ 
@@ -7435,8 +7435,8 @@ { "cve": "CVE-2025-5917", "epss": 0.00019, - "percentile": 0.04396, - "date": "2025-12-14" + "percentile": 0.04351, + "date": "2025-12-15" } ], "cwes": [ @@ -7497,8 +7497,8 @@ { "cve": "CVE-2025-5917", "epss": 0.00019, - "percentile": 0.04396, - "date": "2025-12-14" + "percentile": 0.04351, + "date": "2025-12-15" } ], "cwes": [ @@ -7589,8 +7589,8 @@ { "cve": "CVE-2025-6170", "epss": 0.00017, - "percentile": 0.03384, - "date": "2025-12-14" + "percentile": 0.03368, + "date": "2025-12-15" } ], "cwes": [ @@ -7650,8 +7650,8 @@ { "cve": "CVE-2025-6170", "epss": 0.00017, - "percentile": 0.03384, - "date": "2025-12-14" + "percentile": 0.03368, + "date": "2025-12-15" } ], "cwes": [ 
@@ -8201,87 +8201,87 @@ "db": { "status": { "schemaVersion": "v6.1.3", - "from": "https://grype.anchore.io/databases/v6/vulnerability-db_v6.1.3_2025-12-15T00:26:22Z_1765786837.tar.zst?checksum=sha256%3A819b50d22f073b9ab2ad3c00d212207037c07e1de037f81b528b58717b758db2", - "built": "2025-12-15T08:20:37Z", + "from": "https://grype.anchore.io/databases/v6/vulnerability-db_v6.1.3_2025-12-16T00:25:11Z_1765880790.tar.zst?checksum=sha256%3Aa8bb3ef2cc68f242e78cda1e451f290ff56a23b1063de65d22a0ac20e16ae5bd", + "built": "2025-12-16T10:26:30Z", "path": ".cache/grype/db/6/vulnerability.db", "valid": true }, "providers": { "alma": { - "captured": "2025-12-15T00:26:29Z", + "captured": "2025-12-16T00:25:17Z", "input": "xxh64:3bae44c7a22f7a7a" }, "alpine": { - "captured": "2025-12-15T00:26:22Z", - "input": "xxh64:a6910ebae352b990" + "captured": "2025-12-16T00:25:13Z", + "input": "xxh64:0d94cc3d895e96e4" }, "amazon": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:d9332811ab10da09" + "captured": "2025-12-16T00:25:14Z", + "input": "xxh64:96351b3c21f16cdd" }, "bitnami": { - "captured": "2025-12-15T00:26:31Z", - "input": "xxh64:1ecf12b668dea077" + "captured": "2025-12-16T00:25:26Z", + "input": "xxh64:01d096e52d6c584d" }, "chainguard": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:c788b1823558ccdc" + "captured": "2025-12-16T00:25:19Z", + "input": "xxh64:aeb142b1fabd05ef" }, "chainguard-libraries": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:61125e10198fff74" + "captured": "2025-12-16T00:25:25Z", + "input": "xxh64:131c1a3e98113468" }, "debian": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:3a0aef0ee5db3f38" + "captured": "2025-12-16T00:25:24Z", + "input": "xxh64:9c5942d58a5f0d0a" }, "echo": { - "captured": "2025-12-15T00:26:34Z", - "input": "xxh64:b407f1052619408a" + "captured": "2025-12-16T00:25:20Z", + "input": "xxh64:e65ed35a7a7899d0" }, "epss": { - "captured": "2025-12-15T00:26:28Z", - "input": "xxh64:05fd1e2ee709d2a5" + "captured": 
"2025-12-16T00:25:21Z", + "input": "xxh64:c443dbaf0209cf17" }, "github": { - "captured": "2025-12-15T00:26:44Z", - "input": "xxh64:3c7fd996a88f1c66" + "captured": "2025-12-16T00:25:21Z", + "input": "xxh64:640038905439d285" }, "kev": { - "captured": "2025-12-15T00:26:23Z", - "input": "xxh64:ed425533655d771d" + "captured": "2025-12-16T00:25:11Z", + "input": "xxh64:c28f5b32e2103243" }, "mariner": { - "captured": "2025-12-15T00:26:32Z", - "input": "xxh64:6fdbff1192df3158" + "captured": "2025-12-16T00:25:18Z", + "input": "xxh64:647810a8c07a63eb" }, "minimos": { - "captured": "2025-12-15T00:26:30Z", - "input": "xxh64:66fa9397e7abbbe3" + "captured": "2025-12-16T00:25:20Z", + "input": "xxh64:24ca3b7889974a27" }, "nvd": { - "captured": "2025-12-15T00:29:34Z", - "input": "xxh64:52a15157244d2eb4" + "captured": "2025-12-16T00:28:18Z", + "input": "xxh64:8ee1877e9a9e680b" }, "oracle": { - "captured": "2025-12-15T00:26:29Z", - "input": "xxh64:a3297070ed6c54c1" + "captured": "2025-12-16T00:25:23Z", + "input": "xxh64:a4416b6b3e4250df" }, "rhel": { - "captured": "2025-12-15T00:27:19Z", - "input": "xxh64:e625d0086bf187f1" + "captured": "2025-12-16T00:26:07Z", + "input": "xxh64:9911b1a567d8f57c" }, "sles": { - "captured": "2025-12-15T00:26:44Z", - "input": "xxh64:baf8228a110f8ba2" + "captured": "2025-12-16T00:25:43Z", + "input": "xxh64:1b717d5f2e45fdee" }, "ubuntu": { - "captured": "2025-12-15T00:27:45Z", - "input": "xxh64:dd0f79d777310979" + "captured": "2025-12-16T00:27:14Z", + "input": "xxh64:2d3097578288b46f" }, "wolfi": { - "captured": "2025-12-15T00:26:25Z", - "input": "xxh64:7f14313934ae61bb" + "captured": "2025-12-16T00:25:19Z", + "input": "xxh64:f85923693eb62700" } } } diff --git a/docs/security/agent/grype-25.10.9.md b/docs/security/agent/grype-25.10.9.md index 24a6dc3..3dd2962 100644 --- a/docs/security/agent/grype-25.10.9.md +++ b/docs/security/agent/grype-25.10.9.md 
@@ -26,16 +26,16 @@ Refer to the [triaged vulnerabilities](https://docs.fluent.do/security/triaged.h | sqlite-libs | 3.34.1-9.el9_7 | [CVE-2025-52099](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-52099) | Medium | | curl-minimal | 7.76.1-34.el9 | [CVE-2024-7264](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7264) | Low | | libcurl-minimal | 7.76.1-34.el9 | [CVE-2024-7264](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7264) | Low | -| curl-minimal | 7.76.1-34.el9 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | -| libcurl-minimal | 7.76.1-34.el9 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | | libxml2 | 2.9.13-12.el9_6 | [CVE-2024-34459](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34459) | Low | | openssl | 1:3.5.1-4.el9_7 | [CVE-2024-41996](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41996) | Low | | openssl-libs | 1:3.5.1-4.el9_7 | [CVE-2024-41996](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41996) | Low | +| curl-minimal | 7.76.1-34.el9 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | +| libcurl-minimal | 7.76.1-34.el9 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | | curl-minimal | 7.76.1-34.el9 | [CVE-2024-11053](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-11053) | Low | | libcurl-minimal | 7.76.1-34.el9 | [CVE-2024-11053](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-11053) | Low | | glib2 | 2.68.4-18.el9_7 | [CVE-2023-32636](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32636) | Low | -| libarchive | 3.5.3-6.el9_6 | [CVE-2025-1632](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1632) | Low | | libxml2 | 2.9.13-12.el9_6 | [CVE-2025-27113](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27113) | Low | +| libarchive | 3.5.3-6.el9_6 | 
[CVE-2025-1632](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1632) | Low | | openssl | 1:3.5.1-4.el9_7 | [CVE-2024-13176](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13176) | Low | | openssl-libs | 1:3.5.1-4.el9_7 | [CVE-2024-13176](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13176) | Low | | libxml2 | 2.9.13-12.el9_6 | [CVE-2023-45322](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45322) | Low | diff --git a/docs/security/agent/grype-25.11.1.json b/docs/security/agent/grype-25.11.1.json index 7a46dcc..132b6f3 100644 --- a/docs/security/agent/grype-25.11.1.json +++ b/docs/security/agent/grype-25.11.1.json @@ -25,8 +25,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -91,8 +91,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -194,8 +194,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -260,8 +260,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -363,8 +363,8 @@ { "cve": "CVE-2024-56433", "epss": 0.05074, - "percentile": 0.8942, - "date": "2025-12-14" + "percentile": 0.89421, + "date": "2025-12-15" } ], "cwes": [ @@ -426,8 +426,8 @@ { "cve": "CVE-2024-56433", "epss": 0.05074, - "percentile": 0.8942, - "date": "2025-12-14" + "percentile": 0.89421, + "date": "2025-12-15" } ], "cwes": [ 
@@ -504,39 +504,39 @@ }, { "vulnerability": { - "id": "CVE-2024-9681", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", + "id": "CVE-2024-34459", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-34459", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", + "description": "A flaw was found in the xmllint program distributed by the libxml2 package. A buffer over-read in the xmlHTMLPrintFileContext function in the xmllint.c file may be triggered when a crafted file is processed with the xmllint program using the `--htmlout` command line option, causing an application crash and resulting in a denial of service.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 3.9, - "exploitabilityScore": 1.4, - "impactScore": 2.6 + "baseScore": 5.5, + "exploitabilityScore": 1.9, + "impactScore": 3.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-34459", + "epss": 0.00847, + "percentile": 0.74212, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-34459", + "cwe": "CWE-122", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ], "fix": { 
@@ -544,51 +544,36 @@ "state": "not-fixed" }, "advisories": [], - "risk": 0.422625 + "risk": 0.35997500000000004 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-9681", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", + "id": "CVE-2024-34459", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-34459", "namespace": "nvd:cpe", - "severity": "Medium", + "severity": "High", "urls": [ - "https://curl.se/docs/CVE-2024-9681.html", - "https://curl.se/docs/CVE-2024-9681.json", - "https://hackerone.com/reports/2764830", - "http://seclists.org/fulldisclosure/2025/Apr/10", - "http://seclists.org/fulldisclosure/2025/Apr/11", - "http://seclists.org/fulldisclosure/2025/Apr/12", - "http://seclists.org/fulldisclosure/2025/Apr/13", - "http://seclists.org/fulldisclosure/2025/Apr/4", - "http://seclists.org/fulldisclosure/2025/Apr/5", - "http://seclists.org/fulldisclosure/2025/Apr/8", - "http://seclists.org/fulldisclosure/2025/Apr/9", - "http://www.openwall.com/lists/oss-security/2024/11/06/2", - "https://security.netapp.com/advisory/ntap-20241213-0006/" + "https://gitlab.gnome.org/GNOME/libxml2/-/issues/720", + "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.8", + "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.7", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/", + "https://lists.debian.org/debian-lts-announce/2025/07/msg00014.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", + 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/" ], - "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", + "description": "An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. 
Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c.", "cvss": [ - { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", - "metrics": { - "baseScore": 6.5, - "exploitabilityScore": 2.3, - "impactScore": 4.3 - }, - "vendorMetadata": {} - }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, + "baseScore": 7.5, + "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} @@ -596,25 +581,25 @@ ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-34459", + "epss": 0.00847, + "percentile": 0.74212, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-34459", + "cwe": "CWE-122", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ] } ], "matchDetails": [ { - "type": "exact-indirect-match", + "type": "exact-direct-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { @@ -622,21 +607,21 @@ "version": "9.6" }, "package": { - "name": "curl", - "version": "7.76.1-31.el9_6.1" + "name": "libxml2", + "version": "0:2.9.13-12.el9_6" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-9681", + "vulnerabilityID": "CVE-2024-34459", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "707ec843794b77ca", - "name": "curl-minimal", - "version": "7.76.1-31.el9_6.1", + "id": "66b25e26e34fcd34", + "name": "libxml2", + "version": "2.9.13-12.el9_6", "type": "rpm", "locations": [ { 
@@ -653,22 +638,11 @@ "MIT" ], "cpes": [ - "cpe:2.3:a:curl-minimal:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:curl-minimal:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:curl_minimal:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:curl_minimal:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:curl:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:curl:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*" - ], - "purl": "pkg:rpm/redhat/curl-minimal@7.76.1-31.el9_6.1?arch=x86_64&distro=rhel-9.6&upstream=curl-7.76.1-31.el9_6.1.src.rpm", - "upstreams": [ - { - "name": "curl", - "version": "7.76.1-31.el9_6.1" - } + "cpe:2.3:a:libxml2:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*" ], + "purl": "pkg:rpm/redhat/libxml2@2.9.13-12.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libxml2-2.9.13-12.el9_6.src.rpm", + "upstreams": [], "metadataType": "RpmMetadata", "metadata": { "epoch": null, 
@@ -678,91 +652,69 @@ }, { "vulnerability": { - "id": "CVE-2024-9681", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", + "id": "CVE-2024-41996", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", + "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 3.9, - "exploitabilityScore": 1.4, - "impactScore": 2.6 + "baseScore": 5.9, + "exploitabilityScore": 2.3, + "impactScore": 3.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-41996", + "cwe": "CWE-295", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ], "fix": { "versions": [], - "state": "not-fixed" + "state": "wont-fix" }, "advisories": [], - "risk": 0.422625 + "risk": 0.30705000000000005 }, 
"relatedVulnerabilities": [ { - "id": "CVE-2024-9681", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", + "id": "CVE-2024-41996", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", "namespace": "nvd:cpe", - "severity": "Medium", + "severity": "High", "urls": [ - "https://curl.se/docs/CVE-2024-9681.html", - "https://curl.se/docs/CVE-2024-9681.json", - "https://hackerone.com/reports/2764830", - "http://seclists.org/fulldisclosure/2025/Apr/10", - "http://seclists.org/fulldisclosure/2025/Apr/11", - "http://seclists.org/fulldisclosure/2025/Apr/12", - "http://seclists.org/fulldisclosure/2025/Apr/13", - "http://seclists.org/fulldisclosure/2025/Apr/4", - "http://seclists.org/fulldisclosure/2025/Apr/5", - "http://seclists.org/fulldisclosure/2025/Apr/8", - "http://seclists.org/fulldisclosure/2025/Apr/9", - "http://www.openwall.com/lists/oss-security/2024/11/06/2", - "https://security.netapp.com/advisory/ntap-20241213-0006/" + "https://dheatattack.gitlab.io/details/", + "https://dheatattack.gitlab.io/faq/", + "https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" ], - "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug 
is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", + "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", "cvss": [ - { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", - "metrics": { - "baseScore": 6.5, - "exploitabilityScore": 2.3, - "impactScore": 4.3 - }, - "vendorMetadata": {} - }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, + "baseScore": 7.5, + "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} 
@@ -770,25 +722,25 @@ ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-41996", + "cwe": "CWE-295", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ] } ], "matchDetails": [ { - "type": "exact-indirect-match", + "type": "exact-direct-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { @@ -796,21 +748,21 @@ "version": "9.6" }, "package": { - "name": "curl", - "version": "7.76.1-31.el9_6.1" + "name": "openssl", + "version": "1:3.2.2-6.el9_5.1" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-9681", + "vulnerabilityID": "CVE-2024-41996", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "220f5f360bc1aff5", - "name": "libcurl-minimal", - "version": "7.76.1-31.el9_6.1", + "id": "7dc75dc862d10c78", + "name": "openssl", + "version": "1:3.2.2-6.el9_5.1", "type": "rpm", "locations": [ { 
@@ -824,48 +776,37 @@ ], "language": "", "licenses": [ - "MIT" + "ASL 2.0" ], "cpes": [ - "cpe:2.3:a:libcurl-minimal:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl-minimal:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl_minimal:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl_minimal:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*" - ], - "purl": "pkg:rpm/redhat/libcurl-minimal@7.76.1-31.el9_6.1?arch=x86_64&distro=rhel-9.6&upstream=curl-7.76.1-31.el9_6.1.src.rpm", - "upstreams": [ - { - "name": "curl", - "version": "7.76.1-31.el9_6.1" - } + "cpe:2.3:a:openssl:openssl:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:openssl:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*" ], + "purl": "pkg:rpm/redhat/openssl@3.2.2-6.el9_5.1?arch=x86_64&distro=rhel-9.6&epoch=1&upstream=openssl-3.2.2-6.el9_5.1.src.rpm", + "upstreams": [], "metadataType": "RpmMetadata", "metadata": { - "epoch": null, + "epoch": 1, "modularityLabel": "" } } }, { "vulnerability": { - "id": "CVE-2024-34459", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-34459", + "id": "CVE-2024-41996", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A flaw was found in the xmllint program distributed by the libxml2 package. 
A buffer over-read in the xmlHTMLPrintFileContext function in the xmllint.c file may be triggered when a crafted file is processed with the xmllint program using the `--htmlout` command line option, causing an application crash and resulting in a denial of service.", + "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 5.5, - "exploitabilityScore": 1.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} 
@@ -873,52 +814,45 @@ ], "epss": [ { - "cve": "CVE-2024-34459", - "epss": 0.00847, - "percentile": 0.74208, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-34459", - "cwe": "CWE-122", + "cve": "CVE-2024-41996", + "cwe": "CWE-295", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ], "fix": { "versions": [], - "state": "not-fixed" + "state": "wont-fix" }, "advisories": [], - "risk": 0.35997500000000004 + "risk": 0.30705000000000005 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-34459", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-34459", + "id": "CVE-2024-41996", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", "namespace": "nvd:cpe", "severity": "High", "urls": [ - "https://gitlab.gnome.org/GNOME/libxml2/-/issues/720", - "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.8", - "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.7", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/", - "https://lists.debian.org/debian-lts-announce/2025/07/msg00014.html", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/" + "https://dheatattack.gitlab.io/details/", + "https://dheatattack.gitlab.io/faq/", + 
"https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" ], - "description": "An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c.", + "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", "cvss": [ { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { "baseScore": 7.5, "exploitabilityScore": 3.9, @@ -929,16 +863,16 @@ ], "epss": [ { - "cve": "CVE-2024-34459", - "epss": 0.00847, - "percentile": 0.74208, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-34459", - "cwe": "CWE-122", + "cve": "CVE-2024-41996", + "cwe": "CWE-295", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } @@ -947,7 +881,7 @@ ], "matchDetails": [ { - "type": "exact-direct-match", + "type": "exact-indirect-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { 
@@ -955,21 +889,21 @@ "version": "9.6" }, "package": { - "name": "libxml2", - "version": "0:2.9.13-12.el9_6" + "name": "openssl", + "version": "3.2.2-6.el9_5.1" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-34459", + "vulnerabilityID": "CVE-2024-41996", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "66b25e26e34fcd34", - "name": "libxml2", - "version": "2.9.13-12.el9_6", + "id": "58e683943e8aac02", + "name": "openssl-libs", + "version": "1:3.2.2-6.el9_5.1", "type": "rpm", "locations": [ { 
@@ -983,86 +917,119 @@ ], "language": "", "licenses": [ - "MIT" + "ASL 2.0" ], "cpes": [ - "cpe:2.3:a:libxml2:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*" + "cpe:2.3:a:openssl-libs:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl-libs:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl_libs:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl_libs:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:rpm/redhat/openssl-libs@3.2.2-6.el9_5.1?arch=x86_64&distro=rhel-9.6&epoch=1&upstream=openssl-3.2.2-6.el9_5.1.src.rpm", + "upstreams": [ + { + "name": "openssl", + "version": "3.2.2-6.el9_5.1" + } ], - "purl": "pkg:rpm/redhat/libxml2@2.9.13-12.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libxml2-2.9.13-12.el9_6.src.rpm", - "upstreams": [], "metadataType": "RpmMetadata", "metadata": { - "epoch": null, + "epoch": 1, "modularityLabel": "" } } }, { "vulnerability": { - "id": "CVE-2024-41996", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. 
This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", + "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, - "impactScore": 3.6 + "baseScore": 3.9, + "exploitabilityScore": 1.4, + "impactScore": 2.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ], "fix": { "versions": [], - "state": "wont-fix" + "state": "not-fixed" }, "advisories": [], - "risk": 0.30705000000000005 + "risk": 0.20009999999999997 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-41996", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", "namespace": "nvd:cpe", - "severity": "High", + "severity": "Medium", "urls": [ - "https://dheatattack.gitlab.io/details/", - "https://dheatattack.gitlab.io/faq/", - "https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" + "https://curl.se/docs/CVE-2024-9681.html", + "https://curl.se/docs/CVE-2024-9681.json", + "https://hackerone.com/reports/2764830", + "http://seclists.org/fulldisclosure/2025/Apr/10", + 
"http://seclists.org/fulldisclosure/2025/Apr/11", + "http://seclists.org/fulldisclosure/2025/Apr/12", + "http://seclists.org/fulldisclosure/2025/Apr/13", + "http://seclists.org/fulldisclosure/2025/Apr/4", + "http://seclists.org/fulldisclosure/2025/Apr/5", + "http://seclists.org/fulldisclosure/2025/Apr/8", + "http://seclists.org/fulldisclosure/2025/Apr/9", + "http://www.openwall.com/lists/oss-security/2024/11/06/2", + "https://security.netapp.com/advisory/ntap-20241213-0006/" ], - "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", + "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for 
by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.3, + "impactScore": 4.3 + }, + "vendorMetadata": {} + }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} @@ -1070,25 +1037,25 @@ ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ] } ], "matchDetails": [ { - "type": "exact-direct-match", + "type": "exact-indirect-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { 
@@ -1096,21 +1063,21 @@ "version": "9.6" }, "package": { - "name": "openssl", - "version": "1:3.2.2-6.el9_5.1" + "name": "curl", + "version": "7.76.1-31.el9_6.1" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-41996", + "vulnerabilityID": "CVE-2024-9681", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "7dc75dc862d10c78", - "name": "openssl", - "version": "1:3.2.2-6.el9_5.1", + "id": "707ec843794b77ca", + "name": "curl-minimal", + "version": "7.76.1-31.el9_6.1", "type": "rpm", "locations": [ { 
@@ -1124,86 +1091,119 @@ ], "language": "", "licenses": [ - "ASL 2.0" + "MIT" ], "cpes": [ - "cpe:2.3:a:openssl:openssl:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:openssl:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*" + "cpe:2.3:a:curl-minimal:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:curl-minimal:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:curl_minimal:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:curl_minimal:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:curl:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:curl:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:rpm/redhat/curl-minimal@7.76.1-31.el9_6.1?arch=x86_64&distro=rhel-9.6&upstream=curl-7.76.1-31.el9_6.1.src.rpm", + "upstreams": [ + { + "name": "curl", + "version": "7.76.1-31.el9_6.1" + } ], - "purl": "pkg:rpm/redhat/openssl@3.2.2-6.el9_5.1?arch=x86_64&distro=rhel-9.6&epoch=1&upstream=openssl-3.2.2-6.el9_5.1.src.rpm", - "upstreams": [], "metadataType": "RpmMetadata", "metadata": { - "epoch": 1, + "epoch": null, "modularityLabel": "" } } }, { "vulnerability": { - "id": "CVE-2024-41996", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. 
This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", + "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, - "impactScore": 3.6 + "baseScore": 3.9, + "exploitabilityScore": 1.4, + "impactScore": 2.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ], "fix": { "versions": [], - "state": "wont-fix" + "state": "not-fixed" }, "advisories": [], - "risk": 0.30705000000000005 + "risk": 0.20009999999999997 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-41996", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", "namespace": "nvd:cpe", - "severity": "High", + "severity": "Medium", "urls": [ - "https://dheatattack.gitlab.io/details/", - "https://dheatattack.gitlab.io/faq/", - "https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" + "https://curl.se/docs/CVE-2024-9681.html", + "https://curl.se/docs/CVE-2024-9681.json", + "https://hackerone.com/reports/2764830", + "http://seclists.org/fulldisclosure/2025/Apr/10", + 
"http://seclists.org/fulldisclosure/2025/Apr/11", + "http://seclists.org/fulldisclosure/2025/Apr/12", + "http://seclists.org/fulldisclosure/2025/Apr/13", + "http://seclists.org/fulldisclosure/2025/Apr/4", + "http://seclists.org/fulldisclosure/2025/Apr/5", + "http://seclists.org/fulldisclosure/2025/Apr/8", + "http://seclists.org/fulldisclosure/2025/Apr/9", + "http://www.openwall.com/lists/oss-security/2024/11/06/2", + "https://security.netapp.com/advisory/ntap-20241213-0006/" ], - "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", + "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for 
by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.3, + "impactScore": 4.3 + }, + "vendorMetadata": {} + }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} @@ -1211,18 +1211,18 @@ ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ] } @@ -1237,21 +1237,21 @@ "version": "9.6" }, "package": { - "name": "openssl", - "version": "3.2.2-6.el9_5.1" + "name": "curl", + "version": "7.76.1-31.el9_6.1" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-41996", + "vulnerabilityID": "CVE-2024-9681", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "58e683943e8aac02", - "name": "openssl-libs", - "version": "1:3.2.2-6.el9_5.1", + "id": "220f5f360bc1aff5", + "name": "libcurl-minimal", + "version": "7.76.1-31.el9_6.1", "type": "rpm", "locations": [ { 
@@ -1265,28 +1265,28 @@ ], "language": "", "licenses": [ - "ASL 2.0" + "MIT" ], "cpes": [ - "cpe:2.3:a:openssl-libs:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl-libs:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl_libs:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl_libs:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*" + "cpe:2.3:a:libcurl-minimal:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl-minimal:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl_minimal:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl_minimal:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*" ], - "purl": "pkg:rpm/redhat/openssl-libs@3.2.2-6.el9_5.1?arch=x86_64&distro=rhel-9.6&epoch=1&upstream=openssl-3.2.2-6.el9_5.1.src.rpm", + "purl": "pkg:rpm/redhat/libcurl-minimal@7.76.1-31.el9_6.1?arch=x86_64&distro=rhel-9.6&upstream=curl-7.76.1-31.el9_6.1.src.rpm", "upstreams": [ { - "name": "openssl", - "version": "3.2.2-6.el9_5.1" + "name": "curl", + "version": "7.76.1-31.el9_6.1" } ], "metadataType": "RpmMetadata", "metadata": { - "epoch": 1, + "epoch": null, "modularityLabel": "" } } @@ -1316,8 +1316,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ], "fix": { 
@@ -1361,8 +1361,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ] } @@ -1456,8 +1456,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ], "fix": { @@ -1501,8 +1501,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ] } @@ -1596,8 +1596,8 @@ { "cve": "CVE-2025-14087", "epss": 0.00197, - "percentile": 0.41855, - "date": "2025-12-14" + "percentile": 0.41841, + "date": "2025-12-15" } ], "cwes": [ @@ -1644,8 +1644,8 @@ { "cve": "CVE-2025-14087", "epss": 0.00197, - "percentile": 0.41855, - "date": "2025-12-14" + "percentile": 0.41841, + "date": "2025-12-15" } ], "cwes": [ @@ -1736,8 +1736,8 @@ { "cve": "CVE-2023-32636", "epss": 0.00165, - "percentile": 0.38062, - "date": "2025-12-14" + "percentile": 0.38035, + "date": "2025-12-15" } ], "cwes": [ @@ -1803,8 +1803,8 @@ { "cve": "CVE-2023-32636", "epss": 0.00165, - "percentile": 0.38062, - "date": "2025-12-14" + "percentile": 0.38035, + "date": "2025-12-15" } ], "cwes": [ 
@@ -1878,20 +1878,20 @@ }, { "vulnerability": { - "id": "CVE-2025-1632", - "dataSource": "https://access.redhat.com/security/cve/CVE-2025-1632", + "id": "CVE-2025-27113", + "dataSource": "https://access.redhat.com/security/cve/CVE-2025-27113", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A flaw was found in the bsdunzip utility of libarchive. In affected versions, a specially crafted file may trigger a null pointer dereference. This issue can lead to an application crash or other unexpected behavior.", + "description": "A flaw was found in libxml2. This vulnerability allows a NULL pointer dereference, leading to a potential crash or denial of service via a crafted XML pattern.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L", "metrics": { - "baseScore": 3.3, - "exploitabilityScore": 1.9, + "baseScore": 3.1, + "exploitabilityScore": 1.7, "impactScore": 1.5 }, "vendorMetadata": {} @@ -1899,27 +1899,21 @@ ], "epss": [ { - "cve": "CVE-2025-1632", - "epss": 0.00188, - "percentile": 0.40872, - "date": "2025-12-14" + "cve": "CVE-2025-27113", + "epss": 0.00217, + "percentile": 0.44238, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-1632", - "cwe": "CWE-404", - "source": "cna@vuldb.com", - "type": "Secondary" - }, - { - "cve": "CVE-2025-1632", + "cve": "CVE-2025-27113", "cwe": "CWE-476", - "source": "cna@vuldb.com", + "source": "cve@mitre.org", "type": "Secondary" }, { - "cve": "CVE-2025-1632", + "cve": "CVE-2025-27113", "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" 
@@ -1930,92 +1924,71 @@ "state": "not-fixed" }, "advisories": [], - "risk": 0.05921999999999999 + "risk": 0.066185 }, "relatedVulnerabilities": [ { - "id": "CVE-2025-1632", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-1632", + "id": "CVE-2025-27113", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-27113", "namespace": "nvd:cpe", - "severity": "Medium", + "severity": "High", "urls": [ - "https://github.com/Ekkosun/pocs/blob/main/bsdunzip-poc", - "https://vuldb.com/?ctiid.296619", - "https://vuldb.com/?id.296619", - "https://vuldb.com/?submit.496460" + "https://gitlab.gnome.org/GNOME/libxml2/-/issues/861", + "http://seclists.org/fulldisclosure/2025/Apr/10", + "http://seclists.org/fulldisclosure/2025/Apr/11", + "http://seclists.org/fulldisclosure/2025/Apr/12", + "http://seclists.org/fulldisclosure/2025/Apr/13", + "http://seclists.org/fulldisclosure/2025/Apr/4", + "http://seclists.org/fulldisclosure/2025/Apr/5", + "http://seclists.org/fulldisclosure/2025/Apr/8", + "http://seclists.org/fulldisclosure/2025/Apr/9", + "https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html", + "https://security.netapp.com/advisory/ntap-20250306-0004/" ], - "description": "A vulnerability was found in libarchive up to 3.7.7. It has been classified as problematic. This affects the function list of the file bsdunzip.c. The manipulation leads to null pointer dereference. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. 
The vendor was contacted early about this disclosure but did not respond in any way.", + "description": "libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer dereference in xmlPatMatch in pattern.c.", "cvss": [ { "source": "nvd@nist.gov", "type": "Primary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 5.5, - "exploitabilityScore": 1.9, + "baseScore": 7.5, + "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} }, { - "source": "cna@vuldb.com", - "type": "Secondary", - "version": "4.0", - "vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", - "metrics": { - "baseScore": 4.8 - }, - "vendorMetadata": {} - }, - { - "source": "cna@vuldb.com", + "source": "cve@mitre.org", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "metrics": { - "baseScore": 3.3, - "exploitabilityScore": 1.9, + "baseScore": 2.9, + "exploitabilityScore": 1.5, "impactScore": 1.5 }, "vendorMetadata": {} - }, - { - "source": "cna@vuldb.com", - "type": "Secondary", - "version": "2.0", - "vector": "AV:L/AC:L/Au:S/C:N/I:N/A:P", - "metrics": { - "baseScore": 1.7, - "exploitabilityScore": 3.2, - "impactScore": 2.9 - }, - "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2025-1632", - "epss": 0.00188, - "percentile": 0.40872, - "date": "2025-12-14" + "cve": "CVE-2025-27113", + "epss": 0.00217, + "percentile": 0.44238, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-1632", - "cwe": "CWE-404", - "source": "cna@vuldb.com", - "type": "Secondary" - }, - { - "cve": "CVE-2025-1632", + "cve": "CVE-2025-27113", "cwe": "CWE-476", - "source": "cna@vuldb.com", + "source": "cve@mitre.org", "type": "Secondary" }, { - 
"cve": "CVE-2025-1632", + "cve": "CVE-2025-27113", "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" @@ -2033,21 +2006,21 @@ "version": "9.6" }, "package": { - "name": "libarchive", - "version": "0:3.5.3-6.el9_6" + "name": "libxml2", + "version": "0:2.9.13-12.el9_6" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2025-1632", + "vulnerabilityID": "CVE-2025-27113", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "5fe8b53173092253", - "name": "libarchive", - "version": "3.5.3-6.el9_6", + "id": "66b25e26e34fcd34", + "name": "libxml2", + "version": "2.9.13-12.el9_6", "type": "rpm", "locations": [ { @@ -2061,13 +2034,13 @@ ], "language": "", "licenses": [ - "BSD" + "MIT" ], "cpes": [ - "cpe:2.3:a:libarchive:libarchive:3.5.3-6.el9_6:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libarchive:3.5.3-6.el9_6:*:*:*:*:*:*:*" + "cpe:2.3:a:libxml2:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*" ], - "purl": "pkg:rpm/redhat/libarchive@3.5.3-6.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libarchive-3.5.3-6.el9_6.src.rpm", + "purl": "pkg:rpm/redhat/libxml2@2.9.13-12.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libxml2-2.9.13-12.el9_6.src.rpm", "upstreams": [], "metadataType": "RpmMetadata", "metadata": { 
@@ -2078,20 +2051,20 @@ }, { "vulnerability": { - "id": "CVE-2025-27113", - "dataSource": "https://access.redhat.com/security/cve/CVE-2025-27113", + "id": "CVE-2025-1632", + "dataSource": "https://access.redhat.com/security/cve/CVE-2025-1632", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A flaw was found in libxml2. This vulnerability allows a NULL pointer dereference, leading to a potential crash or denial of service via a crafted XML pattern.", + "description": "A flaw was found in the bsdunzip utility of libarchive. In affected versions, a specially crafted file may trigger a null pointer dereference. This issue can lead to an application crash or other unexpected behavior.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "metrics": { - "baseScore": 3.1, - "exploitabilityScore": 1.7, + "baseScore": 3.3, + "exploitabilityScore": 1.9, "impactScore": 1.5 }, "vendorMetadata": {} @@ -2099,21 +2072,27 @@ ], "epss": [ { - "cve": "CVE-2025-27113", - "epss": 0.00184, - "percentile": 0.40434, - "date": "2025-12-14" + "cve": "CVE-2025-1632", + "epss": 0.00188, + "percentile": 0.40856, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-27113", + "cve": "CVE-2025-1632", + "cwe": "CWE-404", + "source": "cna@vuldb.com", + "type": "Secondary" + }, + { + "cve": "CVE-2025-1632", "cwe": "CWE-476", - "source": "cve@mitre.org", + "source": "cna@vuldb.com", "type": "Secondary" }, { - "cve": "CVE-2025-27113", + "cve": "CVE-2025-1632", "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" 
@@ -2124,71 +2103,92 @@ "state": "not-fixed" }, "advisories": [], - "risk": 0.056119999999999996 + "risk": 0.05921999999999999 }, "relatedVulnerabilities": [ { - "id": "CVE-2025-27113", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-27113", + "id": "CVE-2025-1632", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-1632", "namespace": "nvd:cpe", - "severity": "High", + "severity": "Medium", "urls": [ - "https://gitlab.gnome.org/GNOME/libxml2/-/issues/861", - "http://seclists.org/fulldisclosure/2025/Apr/10", - "http://seclists.org/fulldisclosure/2025/Apr/11", - "http://seclists.org/fulldisclosure/2025/Apr/12", - "http://seclists.org/fulldisclosure/2025/Apr/13", - "http://seclists.org/fulldisclosure/2025/Apr/4", - "http://seclists.org/fulldisclosure/2025/Apr/5", - "http://seclists.org/fulldisclosure/2025/Apr/8", - "http://seclists.org/fulldisclosure/2025/Apr/9", - "https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html", - "https://security.netapp.com/advisory/ntap-20250306-0004/" + "https://github.com/Ekkosun/pocs/blob/main/bsdunzip-poc", + "https://vuldb.com/?ctiid.296619", + "https://vuldb.com/?id.296619", + "https://vuldb.com/?submit.496460" ], - "description": "libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer dereference in xmlPatMatch in pattern.c.", + "description": "A vulnerability was found in libarchive up to 3.7.7. It has been classified as problematic. This affects the function list of the file bsdunzip.c. The manipulation leads to null pointer dereference. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. 
The vendor was contacted early about this disclosure but did not respond in any way.", "cvss": [ { "source": "nvd@nist.gov", "type": "Primary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, + "baseScore": 5.5, + "exploitabilityScore": 1.9, "impactScore": 3.6 }, "vendorMetadata": {} }, { - "source": "cve@mitre.org", + "source": "cna@vuldb.com", + "type": "Secondary", + "version": "4.0", + "vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", + "metrics": { + "baseScore": 4.8 + }, + "vendorMetadata": {} + }, + { + "source": "cna@vuldb.com", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "metrics": { - "baseScore": 2.9, - "exploitabilityScore": 1.5, + "baseScore": 3.3, + "exploitabilityScore": 1.9, "impactScore": 1.5 }, "vendorMetadata": {} + }, + { + "source": "cna@vuldb.com", + "type": "Secondary", + "version": "2.0", + "vector": "AV:L/AC:L/Au:S/C:N/I:N/A:P", + "metrics": { + "baseScore": 1.7, + "exploitabilityScore": 3.2, + "impactScore": 2.9 + }, + "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2025-27113", - "epss": 0.00184, - "percentile": 0.40434, - "date": "2025-12-14" + "cve": "CVE-2025-1632", + "epss": 0.00188, + "percentile": 0.40856, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-27113", + "cve": "CVE-2025-1632", + "cwe": "CWE-404", + "source": "cna@vuldb.com", + "type": "Secondary" + }, + { + "cve": "CVE-2025-1632", "cwe": "CWE-476", - "source": "cve@mitre.org", + "source": "cna@vuldb.com", "type": "Secondary" }, { - "cve": "CVE-2025-27113", + "cve": "CVE-2025-1632", "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" 
@@ -2206,21 +2206,21 @@ "version": "9.6" }, "package": { - "name": "libxml2", - "version": "0:2.9.13-12.el9_6" + "name": "libarchive", + "version": "0:3.5.3-6.el9_6" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2025-27113", + "vulnerabilityID": "CVE-2025-1632", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "66b25e26e34fcd34", - "name": "libxml2", - "version": "2.9.13-12.el9_6", + "id": "5fe8b53173092253", + "name": "libarchive", + "version": "3.5.3-6.el9_6", "type": "rpm", "locations": [ { @@ -2234,13 +2234,13 @@ ], "language": "", "licenses": [ - "MIT" + "BSD" ], "cpes": [ - "cpe:2.3:a:libxml2:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*" + "cpe:2.3:a:libarchive:libarchive:3.5.3-6.el9_6:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libarchive:3.5.3-6.el9_6:*:*:*:*:*:*:*" ], - "purl": "pkg:rpm/redhat/libxml2@2.9.13-12.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libxml2-2.9.13-12.el9_6.src.rpm", + "purl": "pkg:rpm/redhat/libarchive@3.5.3-6.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libarchive-3.5.3-6.el9_6.src.rpm", "upstreams": [], "metadataType": "RpmMetadata", "metadata": { @@ -2274,8 +2274,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ], "fix": { @@ -2316,8 +2316,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ] } @@ -2411,8 +2411,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ], "fix": { @@ -2453,8 +2453,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ] } 
@@ -2548,8 +2548,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -2607,8 +2607,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -2699,8 +2699,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -2758,8 +2758,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -2861,8 +2861,8 @@ { "cve": "CVE-2023-45322", "epss": 0.00076, - "percentile": 0.23163, - "date": "2025-12-14" + "percentile": 0.2314, + "date": "2025-12-15" } ], "cwes": [ @@ -2911,8 +2911,8 @@ { "cve": "CVE-2023-45322", "epss": 0.00076, - "percentile": 0.23163, - "date": "2025-12-14" + "percentile": 0.2314, + "date": "2025-12-15" } ], "cwes": [ @@ -3003,8 +3003,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -3051,8 +3051,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -3143,8 +3143,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -3191,8 +3191,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -3294,8 +3294,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ], "fix": { 
@@ -3337,8 +3337,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ] } @@ -3432,8 +3432,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ], "fix": { @@ -3475,8 +3475,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ] } @@ -3570,8 +3570,8 @@ { "cve": "CVE-2025-3360", "epss": 0.00068, - "percentile": 0.2117, - "date": "2025-12-14" + "percentile": 0.21148, + "date": "2025-12-15" } ], "cwes": [ @@ -3619,8 +3619,8 @@ { "cve": "CVE-2025-3360", "epss": 0.00068, - "percentile": 0.2117, - "date": "2025-12-14" + "percentile": 0.21148, + "date": "2025-12-15" } ], "cwes": [ @@ -3711,8 +3711,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -3772,8 +3772,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -3869,8 +3869,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -3930,8 +3930,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -4027,8 +4027,8 @@ { "cve": "CVE-2025-4598", "epss": 0.00042, - "percentile": 0.12535, - "date": "2025-12-14" + "percentile": 0.12486, + "date": "2025-12-15" } ], "cwes": [ @@ -4100,8 +4100,8 @@ { "cve": "CVE-2025-4598", "epss": 0.00042, - "percentile": 0.12535, - "date": "2025-12-14" + "percentile": 0.12486, + "date": "2025-12-15" } ], "cwes": [ 
@@ -4206,8 +4206,8 @@ { "cve": "CVE-2025-14512", "epss": 0.00034, - "percentile": 0.09609, - "date": "2025-12-14" + "percentile": 0.09535, + "date": "2025-12-15" } ], "cwes": [ @@ -4254,8 +4254,8 @@ { "cve": "CVE-2025-14512", "epss": 0.00034, - "percentile": 0.09609, - "date": "2025-12-14" + "percentile": 0.09535, + "date": "2025-12-15" } ], "cwes": [ @@ -4349,8 +4349,8 @@ { "cve": "CVE-2025-29478", "epss": 0.00034, - "percentile": 0.09478, - "date": "2025-12-14" + "percentile": 0.09393, + "date": "2025-12-15" } ], "cwes": [ @@ -4441,8 +4441,8 @@ { "cve": "CVE-2025-6965", "epss": 0.00022, - "percentile": 0.05249, - "date": "2025-12-14" + "percentile": 0.05222, + "date": "2025-12-15" } ], "cwes": [ @@ -4518,8 +4518,8 @@ { "cve": "CVE-2025-6965", "epss": 0.00022, - "percentile": 0.05249, - "date": "2025-12-14" + "percentile": 0.05222, + "date": "2025-12-15" } ], "cwes": [ @@ -4624,8 +4624,8 @@ { "cve": "CVE-2023-4156", "epss": 0.00031, - "percentile": 0.08475, - "date": "2025-12-14" + "percentile": 0.08405, + "date": "2025-12-15" } ], "cwes": [ @@ -4690,8 +4690,8 @@ { "cve": "CVE-2023-4156", "epss": 0.00031, - "percentile": 0.08475, - "date": "2025-12-14" + "percentile": 0.08405, + "date": "2025-12-15" } ], "cwes": [ @@ -4788,8 +4788,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ @@ -4864,8 +4864,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ @@ -4965,8 +4965,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ @@ -5041,8 +5041,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ 
@@ -5153,8 +5153,8 @@ { "cve": "CVE-2025-9714", "epss": 0.00024, - "percentile": 0.05691, - "date": "2025-12-14" + "percentile": 0.05683, + "date": "2025-12-15" } ], "cwes": [ @@ -5227,8 +5227,8 @@ { "cve": "CVE-2025-9714", "epss": 0.00024, - "percentile": 0.05691, - "date": "2025-12-14" + "percentile": 0.05683, + "date": "2025-12-15" } ], "cwes": [ @@ -5322,8 +5322,8 @@ { "cve": "CVE-2025-60753", "epss": 0.0002, - "percentile": 0.04699, - "date": "2025-12-14" + "percentile": 0.04656, + "date": "2025-12-15" } ], "cwes": [ @@ -5376,8 +5376,8 @@ { "cve": "CVE-2025-60753", "epss": 0.0002, - "percentile": 0.04699, - "date": "2025-12-14" + "percentile": 0.04656, + "date": "2025-12-15" } ], "cwes": [ @@ -5477,8 +5477,8 @@ { "cve": "CVE-2025-29477", "epss": 0.00019, - "percentile": 0.04132, - "date": "2025-12-14" + "percentile": 0.04084, + "date": "2025-12-15" } ], "cwes": [ @@ -5569,8 +5569,8 @@ { "cve": "CVE-2025-13601", "epss": 0.00015, - "percentile": 0.02458, - "date": "2025-12-14" + "percentile": 0.0245, + "date": "2025-12-15" } ], "cwes": [ @@ -5619,8 +5619,8 @@ { "cve": "CVE-2025-13601", "epss": 0.00015, - "percentile": 0.02458, - "date": "2025-12-14" + "percentile": 0.0245, + "date": "2025-12-15" } ], "cwes": [ @@ -5711,8 +5711,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ], "fix": { @@ -5753,8 +5753,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ] } @@ -5848,8 +5848,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ], "fix": { @@ -5890,8 +5890,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ] } 
@@ -5985,8 +5985,8 @@ { "cve": "CVE-2025-5915", "epss": 0.00026, - "percentile": 0.06449, - "date": "2025-12-14" + "percentile": 0.06425, + "date": "2025-12-15" } ], "cwes": [ @@ -6047,8 +6047,8 @@ { "cve": "CVE-2025-5915", "epss": 0.00026, - "percentile": 0.06449, - "date": "2025-12-14" + "percentile": 0.06425, + "date": "2025-12-15" } ], "cwes": [ @@ -6139,8 +6139,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -6192,8 +6192,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -6284,8 +6284,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -6337,8 +6337,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -6440,8 +6440,8 @@ { "cve": "CVE-2025-5916", "epss": 0.00023, - "percentile": 0.05378, - "date": "2025-12-14" + "percentile": 0.05349, + "date": "2025-12-15" } ], "cwes": [ @@ -6502,8 +6502,8 @@ { "cve": "CVE-2025-5916", "epss": 0.00023, - "percentile": 0.05378, - "date": "2025-12-14" + "percentile": 0.05349, + "date": "2025-12-15" } ], "cwes": [ @@ -6594,8 +6594,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -6642,8 +6642,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -6739,8 +6739,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ 
@@ -6787,8 +6787,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -6884,8 +6884,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -6932,8 +6932,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -7029,8 +7029,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -7077,8 +7077,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -7174,8 +7174,8 @@ { "cve": "CVE-2025-5278", "epss": 0.00016, - "percentile": 0.02784, - "date": "2025-12-14" + "percentile": 0.02777, + "date": "2025-12-15" } ], "cwes": [ @@ -7228,8 +7228,8 @@ { "cve": "CVE-2025-5278", "epss": 0.00016, - "percentile": 0.02784, - "date": "2025-12-14" + "percentile": 0.02777, + "date": "2025-12-15" } ], "cwes": [ @@ -7331,8 +7331,8 @@ { "cve": "CVE-2023-30571", "epss": 0.00014, - "percentile": 0.02021, - "date": "2025-12-14" + "percentile": 0.02012, + "date": "2025-12-15" } ], "cwes": [ @@ -7397,8 +7397,8 @@ { "cve": "CVE-2023-30571", "epss": 0.00014, - "percentile": 0.02021, - "date": "2025-12-14" + "percentile": 0.02012, + "date": "2025-12-15" } ], "cwes": [ @@ -7495,8 +7495,8 @@ { "cve": "CVE-2025-30258", "epss": 0.00025, - "percentile": 0.05983, - "date": "2025-12-14" + "percentile": 0.0597, + "date": "2025-12-15" } ], "cwes": [ @@ -7556,8 +7556,8 @@ { "cve": "CVE-2025-30258", "epss": 0.00025, - "percentile": 0.05983, - "date": "2025-12-14" + "percentile": 0.0597, + "date": "2025-12-15" } ], "cwes": [ 
@@ -7648,8 +7648,8 @@ { "cve": "CVE-2024-0232", "epss": 0.00018, - "percentile": 0.03785, - "date": "2025-12-14" + "percentile": 0.03749, + "date": "2025-12-15" } ], "cwes": [ @@ -7716,8 +7716,8 @@ { "cve": "CVE-2024-0232", "epss": 0.00018, - "percentile": 0.03785, - "date": "2025-12-14" + "percentile": 0.03749, + "date": "2025-12-15" } ], "cwes": [ @@ -7825,8 +7825,8 @@ { "cve": "CVE-2025-5918", "epss": 0.00019, - "percentile": 0.04307, - "date": "2025-12-14" + "percentile": 0.04264, + "date": "2025-12-15" } ], "cwes": [ @@ -7887,8 +7887,8 @@ { "cve": "CVE-2025-5918", "epss": 0.00019, - "percentile": 0.04307, - "date": "2025-12-14" + "percentile": 0.04264, + "date": "2025-12-15" } ], "cwes": [ @@ -7979,8 +7979,8 @@ { "cve": "CVE-2022-3219", "epss": 0.00012, - "percentile": 0.01397, - "date": "2025-12-14" + "percentile": 0.01394, + "date": "2025-12-15" } ], "cwes": [ @@ -8049,8 +8049,8 @@ { "cve": "CVE-2022-3219", "epss": 0.00012, - "percentile": 0.01397, - "date": "2025-12-14" + "percentile": 0.01394, + "date": "2025-12-15" } ], "cwes": [ @@ -8147,8 +8147,8 @@ { "cve": "CVE-2025-5917", "epss": 0.00019, - "percentile": 0.04396, - "date": "2025-12-14" + "percentile": 0.04351, + "date": "2025-12-15" } ], "cwes": [ @@ -8209,8 +8209,8 @@ { "cve": "CVE-2025-5917", "epss": 0.00019, - "percentile": 0.04396, - "date": "2025-12-14" + "percentile": 0.04351, + "date": "2025-12-15" } ], "cwes": [ @@ -8301,8 +8301,8 @@ { "cve": "CVE-2025-6170", "epss": 0.00017, - "percentile": 0.03384, - "date": "2025-12-14" + "percentile": 0.03368, + "date": "2025-12-15" } ], "cwes": [ @@ -8362,8 +8362,8 @@ { "cve": "CVE-2025-6170", "epss": 0.00017, - "percentile": 0.03384, - "date": "2025-12-14" + "percentile": 0.03368, + "date": "2025-12-15" } ], "cwes": [ 
@@ -8913,87 +8913,87 @@ "db": { "status": { "schemaVersion": "v6.1.3", - "from": "https://grype.anchore.io/databases/v6/vulnerability-db_v6.1.3_2025-12-15T00:26:22Z_1765786837.tar.zst?checksum=sha256%3A819b50d22f073b9ab2ad3c00d212207037c07e1de037f81b528b58717b758db2", - "built": "2025-12-15T08:20:37Z", + "from": "https://grype.anchore.io/databases/v6/vulnerability-db_v6.1.3_2025-12-16T00:25:11Z_1765880790.tar.zst?checksum=sha256%3Aa8bb3ef2cc68f242e78cda1e451f290ff56a23b1063de65d22a0ac20e16ae5bd", + "built": "2025-12-16T10:26:30Z", "path": ".cache/grype/db/6/vulnerability.db", "valid": true }, "providers": { "alma": { - "captured": "2025-12-15T00:26:29Z", + "captured": "2025-12-16T00:25:17Z", "input": "xxh64:3bae44c7a22f7a7a" }, "alpine": { - "captured": "2025-12-15T00:26:22Z", - "input": "xxh64:a6910ebae352b990" + "captured": "2025-12-16T00:25:13Z", + "input": "xxh64:0d94cc3d895e96e4" }, "amazon": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:d9332811ab10da09" + "captured": "2025-12-16T00:25:14Z", + "input": "xxh64:96351b3c21f16cdd" }, "bitnami": { - "captured": "2025-12-15T00:26:31Z", - "input": "xxh64:1ecf12b668dea077" + "captured": "2025-12-16T00:25:26Z", + "input": "xxh64:01d096e52d6c584d" }, "chainguard": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:c788b1823558ccdc" + "captured": "2025-12-16T00:25:19Z", + "input": "xxh64:aeb142b1fabd05ef" }, "chainguard-libraries": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:61125e10198fff74" + "captured": "2025-12-16T00:25:25Z", + "input": "xxh64:131c1a3e98113468" }, "debian": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:3a0aef0ee5db3f38" + "captured": "2025-12-16T00:25:24Z", + "input": "xxh64:9c5942d58a5f0d0a" }, "echo": { - "captured": "2025-12-15T00:26:34Z", - "input": "xxh64:b407f1052619408a" + "captured": "2025-12-16T00:25:20Z", + "input": "xxh64:e65ed35a7a7899d0" }, "epss": { - "captured": "2025-12-15T00:26:28Z", - "input": "xxh64:05fd1e2ee709d2a5" + "captured": 
"2025-12-16T00:25:21Z", + "input": "xxh64:c443dbaf0209cf17" }, "github": { - "captured": "2025-12-15T00:26:44Z", - "input": "xxh64:3c7fd996a88f1c66" + "captured": "2025-12-16T00:25:21Z", + "input": "xxh64:640038905439d285" }, "kev": { - "captured": "2025-12-15T00:26:23Z", - "input": "xxh64:ed425533655d771d" + "captured": "2025-12-16T00:25:11Z", + "input": "xxh64:c28f5b32e2103243" }, "mariner": { - "captured": "2025-12-15T00:26:32Z", - "input": "xxh64:6fdbff1192df3158" + "captured": "2025-12-16T00:25:18Z", + "input": "xxh64:647810a8c07a63eb" }, "minimos": { - "captured": "2025-12-15T00:26:30Z", - "input": "xxh64:66fa9397e7abbbe3" + "captured": "2025-12-16T00:25:20Z", + "input": "xxh64:24ca3b7889974a27" }, "nvd": { - "captured": "2025-12-15T00:29:34Z", - "input": "xxh64:52a15157244d2eb4" + "captured": "2025-12-16T00:28:18Z", + "input": "xxh64:8ee1877e9a9e680b" }, "oracle": { - "captured": "2025-12-15T00:26:29Z", - "input": "xxh64:a3297070ed6c54c1" + "captured": "2025-12-16T00:25:23Z", + "input": "xxh64:a4416b6b3e4250df" }, "rhel": { - "captured": "2025-12-15T00:27:19Z", - "input": "xxh64:e625d0086bf187f1" + "captured": "2025-12-16T00:26:07Z", + "input": "xxh64:9911b1a567d8f57c" }, "sles": { - "captured": "2025-12-15T00:26:44Z", - "input": "xxh64:baf8228a110f8ba2" + "captured": "2025-12-16T00:25:43Z", + "input": "xxh64:1b717d5f2e45fdee" }, "ubuntu": { - "captured": "2025-12-15T00:27:45Z", - "input": "xxh64:dd0f79d777310979" + "captured": "2025-12-16T00:27:14Z", + "input": "xxh64:2d3097578288b46f" }, "wolfi": { - "captured": "2025-12-15T00:26:25Z", - "input": "xxh64:7f14313934ae61bb" + "captured": "2025-12-16T00:25:19Z", + "input": "xxh64:f85923693eb62700" } } } diff --git a/docs/security/agent/grype-25.11.1.md b/docs/security/agent/grype-25.11.1.md index 11ac2a4..1e6883c 100644 --- a/docs/security/agent/grype-25.11.1.md +++ b/docs/security/agent/grype-25.11.1.md 
@@ -30,16 +30,16 @@ Refer to the [triaged vulnerabilities](https://docs.fluent.do/security/triaged.h | curl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-7264](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7264) | Low | | libcurl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-7264](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7264) | Low | | shadow-utils | 2:4.9-12.el9 | [CVE-2024-56433](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-56433) | Low | -| curl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | -| libcurl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | | libxml2 | 2.9.13-12.el9_6 | [CVE-2024-34459](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34459) | Low | | openssl | 1:3.2.2-6.el9_5.1 | [CVE-2024-41996](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41996) | Low | | openssl-libs | 1:3.2.2-6.el9_5.1 | [CVE-2024-41996](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41996) | Low | +| curl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | +| libcurl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | | curl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-11053](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-11053) | Low | | libcurl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-11053](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-11053) | Low | | glib2 | 2.68.4-16.el9_6.2 | [CVE-2023-32636](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32636) | Low | -| libarchive | 3.5.3-6.el9_6 | [CVE-2025-1632](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1632) | Low | | libxml2 | 2.9.13-12.el9_6 | [CVE-2025-27113](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27113) | Low | +| libarchive | 3.5.3-6.el9_6 | 
[CVE-2025-1632](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1632) | Low | | openssl | 1:3.2.2-6.el9_5.1 | [CVE-2024-13176](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13176) | Low | | openssl-libs | 1:3.2.2-6.el9_5.1 | [CVE-2024-13176](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13176) | Low | | libxml2 | 2.9.13-12.el9_6 | [CVE-2023-45322](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45322) | Low | diff --git a/docs/security/agent/grype-25.11.2.json b/docs/security/agent/grype-25.11.2.json index 0dbe22c..3ba977b 100644 --- a/docs/security/agent/grype-25.11.2.json +++ b/docs/security/agent/grype-25.11.2.json @@ -25,8 +25,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -91,8 +91,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -194,8 +194,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -260,8 +260,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -363,8 +363,8 @@ { "cve": "CVE-2024-56433", "epss": 0.05074, - "percentile": 0.8942, - "date": "2025-12-14" + "percentile": 0.89421, + "date": "2025-12-15" } ], "cwes": [ @@ -426,8 +426,8 @@ { "cve": "CVE-2024-56433", "epss": 0.05074, - "percentile": 0.8942, - "date": "2025-12-14" + "percentile": 0.89421, + "date": "2025-12-15" } ], "cwes": [ 
@@ -504,39 +504,39 @@ }, { "vulnerability": { - "id": "CVE-2024-9681", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", + "id": "CVE-2024-34459", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-34459", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", + "description": "A flaw was found in the xmllint program distributed by the libxml2 package. A buffer over-read in the xmlHTMLPrintFileContext function in the xmllint.c file may be triggered when a crafted file is processed with the xmllint program using the `--htmlout` command line option, causing an application crash and resulting in a denial of service.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 3.9, - "exploitabilityScore": 1.4, - "impactScore": 2.6 + "baseScore": 5.5, + "exploitabilityScore": 1.9, + "impactScore": 3.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-34459", + "epss": 0.00847, + "percentile": 0.74212, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-34459", + "cwe": "CWE-122", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ], "fix": { 
@@ -544,51 +544,36 @@ "state": "not-fixed" }, "advisories": [], - "risk": 0.422625 + "risk": 0.35997500000000004 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-9681", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", + "id": "CVE-2024-34459", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-34459", "namespace": "nvd:cpe", - "severity": "Medium", + "severity": "High", "urls": [ - "https://curl.se/docs/CVE-2024-9681.html", - "https://curl.se/docs/CVE-2024-9681.json", - "https://hackerone.com/reports/2764830", - "http://seclists.org/fulldisclosure/2025/Apr/10", - "http://seclists.org/fulldisclosure/2025/Apr/11", - "http://seclists.org/fulldisclosure/2025/Apr/12", - "http://seclists.org/fulldisclosure/2025/Apr/13", - "http://seclists.org/fulldisclosure/2025/Apr/4", - "http://seclists.org/fulldisclosure/2025/Apr/5", - "http://seclists.org/fulldisclosure/2025/Apr/8", - "http://seclists.org/fulldisclosure/2025/Apr/9", - "http://www.openwall.com/lists/oss-security/2024/11/06/2", - "https://security.netapp.com/advisory/ntap-20241213-0006/" + "https://gitlab.gnome.org/GNOME/libxml2/-/issues/720", + "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.8", + "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.7", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/", + "https://lists.debian.org/debian-lts-announce/2025/07/msg00014.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", + 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/" ], - "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", + "description": "An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. 
Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c.", "cvss": [ - { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", - "metrics": { - "baseScore": 6.5, - "exploitabilityScore": 2.3, - "impactScore": 4.3 - }, - "vendorMetadata": {} - }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, + "baseScore": 7.5, + "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} @@ -596,25 +581,25 @@ ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-34459", + "epss": 0.00847, + "percentile": 0.74212, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-34459", + "cwe": "CWE-122", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ] } ], "matchDetails": [ { - "type": "exact-indirect-match", + "type": "exact-direct-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { @@ -622,21 +607,21 @@ "version": "9.6" }, "package": { - "name": "curl", - "version": "7.76.1-31.el9_6.1" + "name": "libxml2", + "version": "0:2.9.13-12.el9_6" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-9681", + "vulnerabilityID": "CVE-2024-34459", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "707ec843794b77ca", - "name": "curl-minimal", - "version": "7.76.1-31.el9_6.1", + "id": "66b25e26e34fcd34", + "name": "libxml2", + "version": "2.9.13-12.el9_6", "type": "rpm", "locations": [ { 
@@ -653,22 +638,11 @@ "MIT" ], "cpes": [ - "cpe:2.3:a:curl-minimal:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:curl-minimal:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:curl_minimal:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:curl_minimal:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:curl:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:curl:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*" - ], - "purl": "pkg:rpm/redhat/curl-minimal@7.76.1-31.el9_6.1?arch=x86_64&distro=rhel-9.6&upstream=curl-7.76.1-31.el9_6.1.src.rpm", - "upstreams": [ - { - "name": "curl", - "version": "7.76.1-31.el9_6.1" - } + "cpe:2.3:a:libxml2:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*" ], + "purl": "pkg:rpm/redhat/libxml2@2.9.13-12.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libxml2-2.9.13-12.el9_6.src.rpm", + "upstreams": [], "metadataType": "RpmMetadata", "metadata": { "epoch": null, 
@@ -678,91 +652,69 @@ }, { "vulnerability": { - "id": "CVE-2024-9681", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", + "id": "CVE-2024-41996", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", + "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 3.9, - "exploitabilityScore": 1.4, - "impactScore": 2.6 + "baseScore": 5.9, + "exploitabilityScore": 2.3, + "impactScore": 3.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-41996", + "cwe": "CWE-295", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ], "fix": { "versions": [], - "state": "not-fixed" + "state": "wont-fix" }, "advisories": [], - "risk": 0.422625 + "risk": 0.30705000000000005 }, 
"relatedVulnerabilities": [ { - "id": "CVE-2024-9681", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", + "id": "CVE-2024-41996", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", "namespace": "nvd:cpe", - "severity": "Medium", + "severity": "High", "urls": [ - "https://curl.se/docs/CVE-2024-9681.html", - "https://curl.se/docs/CVE-2024-9681.json", - "https://hackerone.com/reports/2764830", - "http://seclists.org/fulldisclosure/2025/Apr/10", - "http://seclists.org/fulldisclosure/2025/Apr/11", - "http://seclists.org/fulldisclosure/2025/Apr/12", - "http://seclists.org/fulldisclosure/2025/Apr/13", - "http://seclists.org/fulldisclosure/2025/Apr/4", - "http://seclists.org/fulldisclosure/2025/Apr/5", - "http://seclists.org/fulldisclosure/2025/Apr/8", - "http://seclists.org/fulldisclosure/2025/Apr/9", - "http://www.openwall.com/lists/oss-security/2024/11/06/2", - "https://security.netapp.com/advisory/ntap-20241213-0006/" + "https://dheatattack.gitlab.io/details/", + "https://dheatattack.gitlab.io/faq/", + "https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" ], - "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug 
is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", + "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", "cvss": [ - { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", - "metrics": { - "baseScore": 6.5, - "exploitabilityScore": 2.3, - "impactScore": 4.3 - }, - "vendorMetadata": {} - }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, + "baseScore": 7.5, + "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} 
@@ -770,25 +722,25 @@ ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-41996", + "cwe": "CWE-295", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ] } ], "matchDetails": [ { - "type": "exact-indirect-match", + "type": "exact-direct-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { @@ -796,21 +748,21 @@ "version": "9.6" }, "package": { - "name": "curl", - "version": "7.76.1-31.el9_6.1" + "name": "openssl", + "version": "1:3.2.2-6.el9_5.1" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-9681", + "vulnerabilityID": "CVE-2024-41996", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "220f5f360bc1aff5", - "name": "libcurl-minimal", - "version": "7.76.1-31.el9_6.1", + "id": "7dc75dc862d10c78", + "name": "openssl", + "version": "1:3.2.2-6.el9_5.1", "type": "rpm", "locations": [ { 
@@ -824,48 +776,37 @@ ], "language": "", "licenses": [ - "MIT" + "ASL 2.0" ], "cpes": [ - "cpe:2.3:a:libcurl-minimal:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl-minimal:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl_minimal:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl_minimal:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*" - ], - "purl": "pkg:rpm/redhat/libcurl-minimal@7.76.1-31.el9_6.1?arch=x86_64&distro=rhel-9.6&upstream=curl-7.76.1-31.el9_6.1.src.rpm", - "upstreams": [ - { - "name": "curl", - "version": "7.76.1-31.el9_6.1" - } + "cpe:2.3:a:openssl:openssl:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:openssl:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*" ], + "purl": "pkg:rpm/redhat/openssl@3.2.2-6.el9_5.1?arch=x86_64&distro=rhel-9.6&epoch=1&upstream=openssl-3.2.2-6.el9_5.1.src.rpm", + "upstreams": [], "metadataType": "RpmMetadata", "metadata": { - "epoch": null, + "epoch": 1, "modularityLabel": "" } } }, { "vulnerability": { - "id": "CVE-2024-34459", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-34459", + "id": "CVE-2024-41996", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A flaw was found in the xmllint program distributed by the libxml2 package. 
A buffer over-read in the xmlHTMLPrintFileContext function in the xmllint.c file may be triggered when a crafted file is processed with the xmllint program using the `--htmlout` command line option, causing an application crash and resulting in a denial of service.", + "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 5.5, - "exploitabilityScore": 1.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} 
@@ -873,52 +814,45 @@ ], "epss": [ { - "cve": "CVE-2024-34459", - "epss": 0.00847, - "percentile": 0.74208, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-34459", - "cwe": "CWE-122", + "cve": "CVE-2024-41996", + "cwe": "CWE-295", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ], "fix": { "versions": [], - "state": "not-fixed" + "state": "wont-fix" }, "advisories": [], - "risk": 0.35997500000000004 + "risk": 0.30705000000000005 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-34459", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-34459", + "id": "CVE-2024-41996", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", "namespace": "nvd:cpe", "severity": "High", "urls": [ - "https://gitlab.gnome.org/GNOME/libxml2/-/issues/720", - "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.8", - "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.7", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/", - "https://lists.debian.org/debian-lts-announce/2025/07/msg00014.html", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/" + "https://dheatattack.gitlab.io/details/", + "https://dheatattack.gitlab.io/faq/", + 
"https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" ], - "description": "An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c.", + "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", "cvss": [ { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { "baseScore": 7.5, "exploitabilityScore": 3.9, @@ -929,16 +863,16 @@ ], "epss": [ { - "cve": "CVE-2024-34459", - "epss": 0.00847, - "percentile": 0.74208, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-34459", - "cwe": "CWE-122", + "cve": "CVE-2024-41996", + "cwe": "CWE-295", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } @@ -947,7 +881,7 @@ ], "matchDetails": [ { - "type": "exact-direct-match", + "type": "exact-indirect-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { 
@@ -955,21 +889,21 @@ "version": "9.6" }, "package": { - "name": "libxml2", - "version": "0:2.9.13-12.el9_6" + "name": "openssl", + "version": "3.2.2-6.el9_5.1" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-34459", + "vulnerabilityID": "CVE-2024-41996", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "66b25e26e34fcd34", - "name": "libxml2", - "version": "2.9.13-12.el9_6", + "id": "58e683943e8aac02", + "name": "openssl-libs", + "version": "1:3.2.2-6.el9_5.1", "type": "rpm", "locations": [ { 
@@ -983,86 +917,119 @@ ], "language": "", "licenses": [ - "MIT" + "ASL 2.0" ], "cpes": [ - "cpe:2.3:a:libxml2:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*" + "cpe:2.3:a:openssl-libs:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl-libs:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl_libs:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl_libs:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:rpm/redhat/openssl-libs@3.2.2-6.el9_5.1?arch=x86_64&distro=rhel-9.6&epoch=1&upstream=openssl-3.2.2-6.el9_5.1.src.rpm", + "upstreams": [ + { + "name": "openssl", + "version": "3.2.2-6.el9_5.1" + } ], - "purl": "pkg:rpm/redhat/libxml2@2.9.13-12.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libxml2-2.9.13-12.el9_6.src.rpm", - "upstreams": [], "metadataType": "RpmMetadata", "metadata": { - "epoch": null, + "epoch": 1, "modularityLabel": "" } } }, { "vulnerability": { - "id": "CVE-2024-41996", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. 
This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", + "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, - "impactScore": 3.6 + "baseScore": 3.9, + "exploitabilityScore": 1.4, + "impactScore": 2.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ], "fix": { "versions": [], - "state": "wont-fix" + "state": "not-fixed" }, "advisories": [], - "risk": 0.30705000000000005 + "risk": 0.20009999999999997 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-41996", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", "namespace": "nvd:cpe", - "severity": "High", + "severity": "Medium", "urls": [ - "https://dheatattack.gitlab.io/details/", - "https://dheatattack.gitlab.io/faq/", - "https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" + "https://curl.se/docs/CVE-2024-9681.html", + "https://curl.se/docs/CVE-2024-9681.json", + "https://hackerone.com/reports/2764830", + "http://seclists.org/fulldisclosure/2025/Apr/10", + 
"http://seclists.org/fulldisclosure/2025/Apr/11", + "http://seclists.org/fulldisclosure/2025/Apr/12", + "http://seclists.org/fulldisclosure/2025/Apr/13", + "http://seclists.org/fulldisclosure/2025/Apr/4", + "http://seclists.org/fulldisclosure/2025/Apr/5", + "http://seclists.org/fulldisclosure/2025/Apr/8", + "http://seclists.org/fulldisclosure/2025/Apr/9", + "http://www.openwall.com/lists/oss-security/2024/11/06/2", + "https://security.netapp.com/advisory/ntap-20241213-0006/" ], - "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", + "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for 
by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.3, + "impactScore": 4.3 + }, + "vendorMetadata": {} + }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} @@ -1070,25 +1037,25 @@ ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ] } ], "matchDetails": [ { - "type": "exact-direct-match", + "type": "exact-indirect-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { 
@@ -1096,21 +1063,21 @@ "version": "9.6" }, "package": { - "name": "openssl", - "version": "1:3.2.2-6.el9_5.1" + "name": "curl", + "version": "7.76.1-31.el9_6.1" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-41996", + "vulnerabilityID": "CVE-2024-9681", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "7dc75dc862d10c78", - "name": "openssl", - "version": "1:3.2.2-6.el9_5.1", + "id": "707ec843794b77ca", + "name": "curl-minimal", + "version": "7.76.1-31.el9_6.1", "type": "rpm", "locations": [ { 
@@ -1124,86 +1091,119 @@ ], "language": "", "licenses": [ - "ASL 2.0" + "MIT" ], "cpes": [ - "cpe:2.3:a:openssl:openssl:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:openssl:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*" + "cpe:2.3:a:curl-minimal:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:curl-minimal:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:curl_minimal:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:curl_minimal:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:curl:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:curl:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:rpm/redhat/curl-minimal@7.76.1-31.el9_6.1?arch=x86_64&distro=rhel-9.6&upstream=curl-7.76.1-31.el9_6.1.src.rpm", + "upstreams": [ + { + "name": "curl", + "version": "7.76.1-31.el9_6.1" + } ], - "purl": "pkg:rpm/redhat/openssl@3.2.2-6.el9_5.1?arch=x86_64&distro=rhel-9.6&epoch=1&upstream=openssl-3.2.2-6.el9_5.1.src.rpm", - "upstreams": [], "metadataType": "RpmMetadata", "metadata": { - "epoch": 1, + "epoch": null, "modularityLabel": "" } } }, { "vulnerability": { - "id": "CVE-2024-41996", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. 
This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", + "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, - "impactScore": 3.6 + "baseScore": 3.9, + "exploitabilityScore": 1.4, + "impactScore": 2.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ], "fix": { "versions": [], - "state": "wont-fix" + "state": "not-fixed" }, "advisories": [], - "risk": 0.30705000000000005 + "risk": 0.20009999999999997 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-41996", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", "namespace": "nvd:cpe", - "severity": "High", + "severity": "Medium", "urls": [ - "https://dheatattack.gitlab.io/details/", - "https://dheatattack.gitlab.io/faq/", - "https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" + "https://curl.se/docs/CVE-2024-9681.html", + "https://curl.se/docs/CVE-2024-9681.json", + "https://hackerone.com/reports/2764830", + "http://seclists.org/fulldisclosure/2025/Apr/10", + 
"http://seclists.org/fulldisclosure/2025/Apr/11", + "http://seclists.org/fulldisclosure/2025/Apr/12", + "http://seclists.org/fulldisclosure/2025/Apr/13", + "http://seclists.org/fulldisclosure/2025/Apr/4", + "http://seclists.org/fulldisclosure/2025/Apr/5", + "http://seclists.org/fulldisclosure/2025/Apr/8", + "http://seclists.org/fulldisclosure/2025/Apr/9", + "http://www.openwall.com/lists/oss-security/2024/11/06/2", + "https://security.netapp.com/advisory/ntap-20241213-0006/" ], - "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", + "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for 
by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.3, + "impactScore": 4.3 + }, + "vendorMetadata": {} + }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} @@ -1211,18 +1211,18 @@ ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ] } @@ -1237,21 +1237,21 @@ "version": "9.6" }, "package": { - "name": "openssl", - "version": "3.2.2-6.el9_5.1" + "name": "curl", + "version": "7.76.1-31.el9_6.1" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-41996", + "vulnerabilityID": "CVE-2024-9681", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "58e683943e8aac02", - "name": "openssl-libs", - "version": "1:3.2.2-6.el9_5.1", + "id": "220f5f360bc1aff5", + "name": "libcurl-minimal", + "version": "7.76.1-31.el9_6.1", "type": "rpm", "locations": [ { 
@@ -1265,28 +1265,28 @@ ], "language": "", "licenses": [ - "ASL 2.0" + "MIT" ], "cpes": [ - "cpe:2.3:a:openssl-libs:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl-libs:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl_libs:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl_libs:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*" + "cpe:2.3:a:libcurl-minimal:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl-minimal:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl_minimal:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl_minimal:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*" ], - "purl": "pkg:rpm/redhat/openssl-libs@3.2.2-6.el9_5.1?arch=x86_64&distro=rhel-9.6&epoch=1&upstream=openssl-3.2.2-6.el9_5.1.src.rpm", + "purl": "pkg:rpm/redhat/libcurl-minimal@7.76.1-31.el9_6.1?arch=x86_64&distro=rhel-9.6&upstream=curl-7.76.1-31.el9_6.1.src.rpm", "upstreams": [ { - "name": "openssl", - "version": "3.2.2-6.el9_5.1" + "name": "curl", + "version": "7.76.1-31.el9_6.1" } ], "metadataType": "RpmMetadata", "metadata": { - "epoch": 1, + "epoch": null, "modularityLabel": "" } } @@ -1316,8 +1316,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ], "fix": { 
@@ -1361,8 +1361,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ] } @@ -1456,8 +1456,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ], "fix": { @@ -1501,8 +1501,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ] } @@ -1596,8 +1596,8 @@ { "cve": "CVE-2025-14087", "epss": 0.00197, - "percentile": 0.41855, - "date": "2025-12-14" + "percentile": 0.41841, + "date": "2025-12-15" } ], "cwes": [ @@ -1644,8 +1644,8 @@ { "cve": "CVE-2025-14087", "epss": 0.00197, - "percentile": 0.41855, - "date": "2025-12-14" + "percentile": 0.41841, + "date": "2025-12-15" } ], "cwes": [ @@ -1736,8 +1736,8 @@ { "cve": "CVE-2023-32636", "epss": 0.00165, - "percentile": 0.38062, - "date": "2025-12-14" + "percentile": 0.38035, + "date": "2025-12-15" } ], "cwes": [ @@ -1803,8 +1803,8 @@ { "cve": "CVE-2023-32636", "epss": 0.00165, - "percentile": 0.38062, - "date": "2025-12-14" + "percentile": 0.38035, + "date": "2025-12-15" } ], "cwes": [ 
@@ -1878,20 +1878,20 @@ }, { "vulnerability": { - "id": "CVE-2025-1632", - "dataSource": "https://access.redhat.com/security/cve/CVE-2025-1632", + "id": "CVE-2025-27113", + "dataSource": "https://access.redhat.com/security/cve/CVE-2025-27113", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A flaw was found in the bsdunzip utility of libarchive. In affected versions, a specially crafted file may trigger a null pointer dereference. This issue can lead to an application crash or other unexpected behavior.", + "description": "A flaw was found in libxml2. This vulnerability allows a NULL pointer dereference, leading to a potential crash or denial of service via a crafted XML pattern.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L", "metrics": { - "baseScore": 3.3, - "exploitabilityScore": 1.9, + "baseScore": 3.1, + "exploitabilityScore": 1.7, "impactScore": 1.5 }, "vendorMetadata": {} @@ -1899,27 +1899,21 @@ ], "epss": [ { - "cve": "CVE-2025-1632", - "epss": 0.00188, - "percentile": 0.40872, - "date": "2025-12-14" + "cve": "CVE-2025-27113", + "epss": 0.00217, + "percentile": 0.44238, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-1632", - "cwe": "CWE-404", - "source": "cna@vuldb.com", - "type": "Secondary" - }, - { - "cve": "CVE-2025-1632", + "cve": "CVE-2025-27113", "cwe": "CWE-476", - "source": "cna@vuldb.com", + "source": "cve@mitre.org", "type": "Secondary" }, { - "cve": "CVE-2025-1632", + "cve": "CVE-2025-27113", "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" 
@@ -1930,92 +1924,71 @@ "state": "not-fixed" }, "advisories": [], - "risk": 0.05921999999999999 + "risk": 0.066185 }, "relatedVulnerabilities": [ { - "id": "CVE-2025-1632", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-1632", + "id": "CVE-2025-27113", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-27113", "namespace": "nvd:cpe", - "severity": "Medium", + "severity": "High", "urls": [ - "https://github.com/Ekkosun/pocs/blob/main/bsdunzip-poc", - "https://vuldb.com/?ctiid.296619", - "https://vuldb.com/?id.296619", - "https://vuldb.com/?submit.496460" + "https://gitlab.gnome.org/GNOME/libxml2/-/issues/861", + "http://seclists.org/fulldisclosure/2025/Apr/10", + "http://seclists.org/fulldisclosure/2025/Apr/11", + "http://seclists.org/fulldisclosure/2025/Apr/12", + "http://seclists.org/fulldisclosure/2025/Apr/13", + "http://seclists.org/fulldisclosure/2025/Apr/4", + "http://seclists.org/fulldisclosure/2025/Apr/5", + "http://seclists.org/fulldisclosure/2025/Apr/8", + "http://seclists.org/fulldisclosure/2025/Apr/9", + "https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html", + "https://security.netapp.com/advisory/ntap-20250306-0004/" ], - "description": "A vulnerability was found in libarchive up to 3.7.7. It has been classified as problematic. This affects the function list of the file bsdunzip.c. The manipulation leads to null pointer dereference. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. 
The vendor was contacted early about this disclosure but did not respond in any way.", + "description": "libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer dereference in xmlPatMatch in pattern.c.", "cvss": [ { "source": "nvd@nist.gov", "type": "Primary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 5.5, - "exploitabilityScore": 1.9, + "baseScore": 7.5, + "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} }, { - "source": "cna@vuldb.com", - "type": "Secondary", - "version": "4.0", - "vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", - "metrics": { - "baseScore": 4.8 - }, - "vendorMetadata": {} - }, - { - "source": "cna@vuldb.com", + "source": "cve@mitre.org", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "metrics": { - "baseScore": 3.3, - "exploitabilityScore": 1.9, + "baseScore": 2.9, + "exploitabilityScore": 1.5, "impactScore": 1.5 }, "vendorMetadata": {} - }, - { - "source": "cna@vuldb.com", - "type": "Secondary", - "version": "2.0", - "vector": "AV:L/AC:L/Au:S/C:N/I:N/A:P", - "metrics": { - "baseScore": 1.7, - "exploitabilityScore": 3.2, - "impactScore": 2.9 - }, - "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2025-1632", - "epss": 0.00188, - "percentile": 0.40872, - "date": "2025-12-14" + "cve": "CVE-2025-27113", + "epss": 0.00217, + "percentile": 0.44238, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-1632", - "cwe": "CWE-404", - "source": "cna@vuldb.com", - "type": "Secondary" - }, - { - "cve": "CVE-2025-1632", + "cve": "CVE-2025-27113", "cwe": "CWE-476", - "source": "cna@vuldb.com", + "source": "cve@mitre.org", "type": "Secondary" }, { - 
"cve": "CVE-2025-1632", + "cve": "CVE-2025-27113", "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" @@ -2033,21 +2006,21 @@ "version": "9.6" }, "package": { - "name": "libarchive", - "version": "0:3.5.3-6.el9_6" + "name": "libxml2", + "version": "0:2.9.13-12.el9_6" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2025-1632", + "vulnerabilityID": "CVE-2025-27113", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "5fe8b53173092253", - "name": "libarchive", - "version": "3.5.3-6.el9_6", + "id": "66b25e26e34fcd34", + "name": "libxml2", + "version": "2.9.13-12.el9_6", "type": "rpm", "locations": [ { @@ -2061,13 +2034,13 @@ ], "language": "", "licenses": [ - "BSD" + "MIT" ], "cpes": [ - "cpe:2.3:a:libarchive:libarchive:3.5.3-6.el9_6:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libarchive:3.5.3-6.el9_6:*:*:*:*:*:*:*" + "cpe:2.3:a:libxml2:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*" ], - "purl": "pkg:rpm/redhat/libarchive@3.5.3-6.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libarchive-3.5.3-6.el9_6.src.rpm", + "purl": "pkg:rpm/redhat/libxml2@2.9.13-12.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libxml2-2.9.13-12.el9_6.src.rpm", "upstreams": [], "metadataType": "RpmMetadata", "metadata": { 
@@ -2078,20 +2051,20 @@ }, { "vulnerability": { - "id": "CVE-2025-27113", - "dataSource": "https://access.redhat.com/security/cve/CVE-2025-27113", + "id": "CVE-2025-1632", + "dataSource": "https://access.redhat.com/security/cve/CVE-2025-1632", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A flaw was found in libxml2. This vulnerability allows a NULL pointer dereference, leading to a potential crash or denial of service via a crafted XML pattern.", + "description": "A flaw was found in the bsdunzip utility of libarchive. In affected versions, a specially crafted file may trigger a null pointer dereference. This issue can lead to an application crash or other unexpected behavior.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "metrics": { - "baseScore": 3.1, - "exploitabilityScore": 1.7, + "baseScore": 3.3, + "exploitabilityScore": 1.9, "impactScore": 1.5 }, "vendorMetadata": {} @@ -2099,21 +2072,27 @@ ], "epss": [ { - "cve": "CVE-2025-27113", - "epss": 0.00184, - "percentile": 0.40434, - "date": "2025-12-14" + "cve": "CVE-2025-1632", + "epss": 0.00188, + "percentile": 0.40856, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-27113", + "cve": "CVE-2025-1632", + "cwe": "CWE-404", + "source": "cna@vuldb.com", + "type": "Secondary" + }, + { + "cve": "CVE-2025-1632", "cwe": "CWE-476", - "source": "cve@mitre.org", + "source": "cna@vuldb.com", "type": "Secondary" }, { - "cve": "CVE-2025-27113", + "cve": "CVE-2025-1632", "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" 
@@ -2124,71 +2103,92 @@ "state": "not-fixed" }, "advisories": [], - "risk": 0.056119999999999996 + "risk": 0.05921999999999999 }, "relatedVulnerabilities": [ { - "id": "CVE-2025-27113", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-27113", + "id": "CVE-2025-1632", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-1632", "namespace": "nvd:cpe", - "severity": "High", + "severity": "Medium", "urls": [ - "https://gitlab.gnome.org/GNOME/libxml2/-/issues/861", - "http://seclists.org/fulldisclosure/2025/Apr/10", - "http://seclists.org/fulldisclosure/2025/Apr/11", - "http://seclists.org/fulldisclosure/2025/Apr/12", - "http://seclists.org/fulldisclosure/2025/Apr/13", - "http://seclists.org/fulldisclosure/2025/Apr/4", - "http://seclists.org/fulldisclosure/2025/Apr/5", - "http://seclists.org/fulldisclosure/2025/Apr/8", - "http://seclists.org/fulldisclosure/2025/Apr/9", - "https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html", - "https://security.netapp.com/advisory/ntap-20250306-0004/" + "https://github.com/Ekkosun/pocs/blob/main/bsdunzip-poc", + "https://vuldb.com/?ctiid.296619", + "https://vuldb.com/?id.296619", + "https://vuldb.com/?submit.496460" ], - "description": "libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer dereference in xmlPatMatch in pattern.c.", + "description": "A vulnerability was found in libarchive up to 3.7.7. It has been classified as problematic. This affects the function list of the file bsdunzip.c. The manipulation leads to null pointer dereference. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. 
The vendor was contacted early about this disclosure but did not respond in any way.", "cvss": [ { "source": "nvd@nist.gov", "type": "Primary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, + "baseScore": 5.5, + "exploitabilityScore": 1.9, "impactScore": 3.6 }, "vendorMetadata": {} }, { - "source": "cve@mitre.org", + "source": "cna@vuldb.com", + "type": "Secondary", + "version": "4.0", + "vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", + "metrics": { + "baseScore": 4.8 + }, + "vendorMetadata": {} + }, + { + "source": "cna@vuldb.com", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "metrics": { - "baseScore": 2.9, - "exploitabilityScore": 1.5, + "baseScore": 3.3, + "exploitabilityScore": 1.9, "impactScore": 1.5 }, "vendorMetadata": {} + }, + { + "source": "cna@vuldb.com", + "type": "Secondary", + "version": "2.0", + "vector": "AV:L/AC:L/Au:S/C:N/I:N/A:P", + "metrics": { + "baseScore": 1.7, + "exploitabilityScore": 3.2, + "impactScore": 2.9 + }, + "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2025-27113", - "epss": 0.00184, - "percentile": 0.40434, - "date": "2025-12-14" + "cve": "CVE-2025-1632", + "epss": 0.00188, + "percentile": 0.40856, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-27113", + "cve": "CVE-2025-1632", + "cwe": "CWE-404", + "source": "cna@vuldb.com", + "type": "Secondary" + }, + { + "cve": "CVE-2025-1632", "cwe": "CWE-476", - "source": "cve@mitre.org", + "source": "cna@vuldb.com", "type": "Secondary" }, { - "cve": "CVE-2025-27113", + "cve": "CVE-2025-1632", "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" 
@@ -2206,21 +2206,21 @@ "version": "9.6" }, "package": { - "name": "libxml2", - "version": "0:2.9.13-12.el9_6" + "name": "libarchive", + "version": "0:3.5.3-6.el9_6" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2025-27113", + "vulnerabilityID": "CVE-2025-1632", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "66b25e26e34fcd34", - "name": "libxml2", - "version": "2.9.13-12.el9_6", + "id": "5fe8b53173092253", + "name": "libarchive", + "version": "3.5.3-6.el9_6", "type": "rpm", "locations": [ { @@ -2234,13 +2234,13 @@ ], "language": "", "licenses": [ - "MIT" + "BSD" ], "cpes": [ - "cpe:2.3:a:libxml2:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*" + "cpe:2.3:a:libarchive:libarchive:3.5.3-6.el9_6:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libarchive:3.5.3-6.el9_6:*:*:*:*:*:*:*" ], - "purl": "pkg:rpm/redhat/libxml2@2.9.13-12.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libxml2-2.9.13-12.el9_6.src.rpm", + "purl": "pkg:rpm/redhat/libarchive@3.5.3-6.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libarchive-3.5.3-6.el9_6.src.rpm", "upstreams": [], "metadataType": "RpmMetadata", "metadata": { @@ -2274,8 +2274,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ], "fix": { @@ -2316,8 +2316,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ] } @@ -2411,8 +2411,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ], "fix": { @@ -2453,8 +2453,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ] } 
@@ -2548,8 +2548,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -2607,8 +2607,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -2699,8 +2699,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -2758,8 +2758,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -2861,8 +2861,8 @@ { "cve": "CVE-2023-45322", "epss": 0.00076, - "percentile": 0.23163, - "date": "2025-12-14" + "percentile": 0.2314, + "date": "2025-12-15" } ], "cwes": [ @@ -2911,8 +2911,8 @@ { "cve": "CVE-2023-45322", "epss": 0.00076, - "percentile": 0.23163, - "date": "2025-12-14" + "percentile": 0.2314, + "date": "2025-12-15" } ], "cwes": [ @@ -3003,8 +3003,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -3051,8 +3051,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -3143,8 +3143,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -3191,8 +3191,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -3294,8 +3294,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ], "fix": { 
@@ -3337,8 +3337,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ] } @@ -3432,8 +3432,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ], "fix": { @@ -3475,8 +3475,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ] } @@ -3570,8 +3570,8 @@ { "cve": "CVE-2025-3360", "epss": 0.00068, - "percentile": 0.2117, - "date": "2025-12-14" + "percentile": 0.21148, + "date": "2025-12-15" } ], "cwes": [ @@ -3619,8 +3619,8 @@ { "cve": "CVE-2025-3360", "epss": 0.00068, - "percentile": 0.2117, - "date": "2025-12-14" + "percentile": 0.21148, + "date": "2025-12-15" } ], "cwes": [ @@ -3711,8 +3711,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -3772,8 +3772,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -3869,8 +3869,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -3930,8 +3930,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -4027,8 +4027,8 @@ { "cve": "CVE-2025-4598", "epss": 0.00042, - "percentile": 0.12535, - "date": "2025-12-14" + "percentile": 0.12486, + "date": "2025-12-15" } ], "cwes": [ @@ -4100,8 +4100,8 @@ { "cve": "CVE-2025-4598", "epss": 0.00042, - "percentile": 0.12535, - "date": "2025-12-14" + "percentile": 0.12486, + "date": "2025-12-15" } ], "cwes": [ 
@@ -4206,8 +4206,8 @@ { "cve": "CVE-2025-14512", "epss": 0.00034, - "percentile": 0.09609, - "date": "2025-12-14" + "percentile": 0.09535, + "date": "2025-12-15" } ], "cwes": [ @@ -4254,8 +4254,8 @@ { "cve": "CVE-2025-14512", "epss": 0.00034, - "percentile": 0.09609, - "date": "2025-12-14" + "percentile": 0.09535, + "date": "2025-12-15" } ], "cwes": [ @@ -4349,8 +4349,8 @@ { "cve": "CVE-2025-29478", "epss": 0.00034, - "percentile": 0.09478, - "date": "2025-12-14" + "percentile": 0.09393, + "date": "2025-12-15" } ], "cwes": [ @@ -4441,8 +4441,8 @@ { "cve": "CVE-2025-6965", "epss": 0.00022, - "percentile": 0.05249, - "date": "2025-12-14" + "percentile": 0.05222, + "date": "2025-12-15" } ], "cwes": [ @@ -4518,8 +4518,8 @@ { "cve": "CVE-2025-6965", "epss": 0.00022, - "percentile": 0.05249, - "date": "2025-12-14" + "percentile": 0.05222, + "date": "2025-12-15" } ], "cwes": [ @@ -4624,8 +4624,8 @@ { "cve": "CVE-2023-4156", "epss": 0.00031, - "percentile": 0.08475, - "date": "2025-12-14" + "percentile": 0.08405, + "date": "2025-12-15" } ], "cwes": [ @@ -4690,8 +4690,8 @@ { "cve": "CVE-2023-4156", "epss": 0.00031, - "percentile": 0.08475, - "date": "2025-12-14" + "percentile": 0.08405, + "date": "2025-12-15" } ], "cwes": [ @@ -4788,8 +4788,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ @@ -4864,8 +4864,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ @@ -4965,8 +4965,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ @@ -5041,8 +5041,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ 
@@ -5153,8 +5153,8 @@ { "cve": "CVE-2025-9714", "epss": 0.00024, - "percentile": 0.05691, - "date": "2025-12-14" + "percentile": 0.05683, + "date": "2025-12-15" } ], "cwes": [ @@ -5227,8 +5227,8 @@ { "cve": "CVE-2025-9714", "epss": 0.00024, - "percentile": 0.05691, - "date": "2025-12-14" + "percentile": 0.05683, + "date": "2025-12-15" } ], "cwes": [ @@ -5322,8 +5322,8 @@ { "cve": "CVE-2025-60753", "epss": 0.0002, - "percentile": 0.04699, - "date": "2025-12-14" + "percentile": 0.04656, + "date": "2025-12-15" } ], "cwes": [ @@ -5376,8 +5376,8 @@ { "cve": "CVE-2025-60753", "epss": 0.0002, - "percentile": 0.04699, - "date": "2025-12-14" + "percentile": 0.04656, + "date": "2025-12-15" } ], "cwes": [ @@ -5477,8 +5477,8 @@ { "cve": "CVE-2025-29477", "epss": 0.00019, - "percentile": 0.04132, - "date": "2025-12-14" + "percentile": 0.04084, + "date": "2025-12-15" } ], "cwes": [ @@ -5569,8 +5569,8 @@ { "cve": "CVE-2025-13601", "epss": 0.00015, - "percentile": 0.02458, - "date": "2025-12-14" + "percentile": 0.0245, + "date": "2025-12-15" } ], "cwes": [ @@ -5619,8 +5619,8 @@ { "cve": "CVE-2025-13601", "epss": 0.00015, - "percentile": 0.02458, - "date": "2025-12-14" + "percentile": 0.0245, + "date": "2025-12-15" } ], "cwes": [ @@ -5711,8 +5711,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ], "fix": { @@ -5753,8 +5753,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ] } @@ -5848,8 +5848,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ], "fix": { @@ -5890,8 +5890,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ] } 
@@ -5985,8 +5985,8 @@ { "cve": "CVE-2025-5915", "epss": 0.00026, - "percentile": 0.06449, - "date": "2025-12-14" + "percentile": 0.06425, + "date": "2025-12-15" } ], "cwes": [ @@ -6047,8 +6047,8 @@ { "cve": "CVE-2025-5915", "epss": 0.00026, - "percentile": 0.06449, - "date": "2025-12-14" + "percentile": 0.06425, + "date": "2025-12-15" } ], "cwes": [ @@ -6139,8 +6139,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -6192,8 +6192,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -6284,8 +6284,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -6337,8 +6337,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -6440,8 +6440,8 @@ { "cve": "CVE-2025-5916", "epss": 0.00023, - "percentile": 0.05378, - "date": "2025-12-14" + "percentile": 0.05349, + "date": "2025-12-15" } ], "cwes": [ @@ -6502,8 +6502,8 @@ { "cve": "CVE-2025-5916", "epss": 0.00023, - "percentile": 0.05378, - "date": "2025-12-14" + "percentile": 0.05349, + "date": "2025-12-15" } ], "cwes": [ @@ -6594,8 +6594,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -6642,8 +6642,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -6739,8 +6739,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ 
@@ -6787,8 +6787,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -6884,8 +6884,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -6932,8 +6932,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -7029,8 +7029,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -7077,8 +7077,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -7174,8 +7174,8 @@ { "cve": "CVE-2025-5278", "epss": 0.00016, - "percentile": 0.02784, - "date": "2025-12-14" + "percentile": 0.02777, + "date": "2025-12-15" } ], "cwes": [ @@ -7228,8 +7228,8 @@ { "cve": "CVE-2025-5278", "epss": 0.00016, - "percentile": 0.02784, - "date": "2025-12-14" + "percentile": 0.02777, + "date": "2025-12-15" } ], "cwes": [ @@ -7331,8 +7331,8 @@ { "cve": "CVE-2023-30571", "epss": 0.00014, - "percentile": 0.02021, - "date": "2025-12-14" + "percentile": 0.02012, + "date": "2025-12-15" } ], "cwes": [ @@ -7397,8 +7397,8 @@ { "cve": "CVE-2023-30571", "epss": 0.00014, - "percentile": 0.02021, - "date": "2025-12-14" + "percentile": 0.02012, + "date": "2025-12-15" } ], "cwes": [ @@ -7495,8 +7495,8 @@ { "cve": "CVE-2025-30258", "epss": 0.00025, - "percentile": 0.05983, - "date": "2025-12-14" + "percentile": 0.0597, + "date": "2025-12-15" } ], "cwes": [ @@ -7556,8 +7556,8 @@ { "cve": "CVE-2025-30258", "epss": 0.00025, - "percentile": 0.05983, - "date": "2025-12-14" + "percentile": 0.0597, + "date": "2025-12-15" } ], "cwes": [ 
@@ -7648,8 +7648,8 @@ { "cve": "CVE-2024-0232", "epss": 0.00018, - "percentile": 0.03785, - "date": "2025-12-14" + "percentile": 0.03749, + "date": "2025-12-15" } ], "cwes": [ @@ -7716,8 +7716,8 @@ { "cve": "CVE-2024-0232", "epss": 0.00018, - "percentile": 0.03785, - "date": "2025-12-14" + "percentile": 0.03749, + "date": "2025-12-15" } ], "cwes": [ @@ -7825,8 +7825,8 @@ { "cve": "CVE-2025-5918", "epss": 0.00019, - "percentile": 0.04307, - "date": "2025-12-14" + "percentile": 0.04264, + "date": "2025-12-15" } ], "cwes": [ @@ -7887,8 +7887,8 @@ { "cve": "CVE-2025-5918", "epss": 0.00019, - "percentile": 0.04307, - "date": "2025-12-14" + "percentile": 0.04264, + "date": "2025-12-15" } ], "cwes": [ @@ -7979,8 +7979,8 @@ { "cve": "CVE-2022-3219", "epss": 0.00012, - "percentile": 0.01397, - "date": "2025-12-14" + "percentile": 0.01394, + "date": "2025-12-15" } ], "cwes": [ @@ -8049,8 +8049,8 @@ { "cve": "CVE-2022-3219", "epss": 0.00012, - "percentile": 0.01397, - "date": "2025-12-14" + "percentile": 0.01394, + "date": "2025-12-15" } ], "cwes": [ @@ -8147,8 +8147,8 @@ { "cve": "CVE-2025-5917", "epss": 0.00019, - "percentile": 0.04396, - "date": "2025-12-14" + "percentile": 0.04351, + "date": "2025-12-15" } ], "cwes": [ @@ -8209,8 +8209,8 @@ { "cve": "CVE-2025-5917", "epss": 0.00019, - "percentile": 0.04396, - "date": "2025-12-14" + "percentile": 0.04351, + "date": "2025-12-15" } ], "cwes": [ @@ -8301,8 +8301,8 @@ { "cve": "CVE-2025-6170", "epss": 0.00017, - "percentile": 0.03384, - "date": "2025-12-14" + "percentile": 0.03368, + "date": "2025-12-15" } ], "cwes": [ @@ -8362,8 +8362,8 @@ { "cve": "CVE-2025-6170", "epss": 0.00017, - "percentile": 0.03384, - "date": "2025-12-14" + "percentile": 0.03368, + "date": "2025-12-15" } ], "cwes": [ 
@@ -8913,87 +8913,87 @@ "db": { "status": { "schemaVersion": "v6.1.3", - "from": "https://grype.anchore.io/databases/v6/vulnerability-db_v6.1.3_2025-12-15T00:26:22Z_1765786837.tar.zst?checksum=sha256%3A819b50d22f073b9ab2ad3c00d212207037c07e1de037f81b528b58717b758db2", - "built": "2025-12-15T08:20:37Z", + "from": "https://grype.anchore.io/databases/v6/vulnerability-db_v6.1.3_2025-12-16T00:25:11Z_1765880790.tar.zst?checksum=sha256%3Aa8bb3ef2cc68f242e78cda1e451f290ff56a23b1063de65d22a0ac20e16ae5bd", + "built": "2025-12-16T10:26:30Z", "path": ".cache/grype/db/6/vulnerability.db", "valid": true }, "providers": { "alma": { - "captured": "2025-12-15T00:26:29Z", + "captured": "2025-12-16T00:25:17Z", "input": "xxh64:3bae44c7a22f7a7a" }, "alpine": { - "captured": "2025-12-15T00:26:22Z", - "input": "xxh64:a6910ebae352b990" + "captured": "2025-12-16T00:25:13Z", + "input": "xxh64:0d94cc3d895e96e4" }, "amazon": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:d9332811ab10da09" + "captured": "2025-12-16T00:25:14Z", + "input": "xxh64:96351b3c21f16cdd" }, "bitnami": { - "captured": "2025-12-15T00:26:31Z", - "input": "xxh64:1ecf12b668dea077" + "captured": "2025-12-16T00:25:26Z", + "input": "xxh64:01d096e52d6c584d" }, "chainguard": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:c788b1823558ccdc" + "captured": "2025-12-16T00:25:19Z", + "input": "xxh64:aeb142b1fabd05ef" }, "chainguard-libraries": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:61125e10198fff74" + "captured": "2025-12-16T00:25:25Z", + "input": "xxh64:131c1a3e98113468" }, "debian": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:3a0aef0ee5db3f38" + "captured": "2025-12-16T00:25:24Z", + "input": "xxh64:9c5942d58a5f0d0a" }, "echo": { - "captured": "2025-12-15T00:26:34Z", - "input": "xxh64:b407f1052619408a" + "captured": "2025-12-16T00:25:20Z", + "input": "xxh64:e65ed35a7a7899d0" }, "epss": { - "captured": "2025-12-15T00:26:28Z", - "input": "xxh64:05fd1e2ee709d2a5" + "captured": 
"2025-12-16T00:25:21Z", + "input": "xxh64:c443dbaf0209cf17" }, "github": { - "captured": "2025-12-15T00:26:44Z", - "input": "xxh64:3c7fd996a88f1c66" + "captured": "2025-12-16T00:25:21Z", + "input": "xxh64:640038905439d285" }, "kev": { - "captured": "2025-12-15T00:26:23Z", - "input": "xxh64:ed425533655d771d" + "captured": "2025-12-16T00:25:11Z", + "input": "xxh64:c28f5b32e2103243" }, "mariner": { - "captured": "2025-12-15T00:26:32Z", - "input": "xxh64:6fdbff1192df3158" + "captured": "2025-12-16T00:25:18Z", + "input": "xxh64:647810a8c07a63eb" }, "minimos": { - "captured": "2025-12-15T00:26:30Z", - "input": "xxh64:66fa9397e7abbbe3" + "captured": "2025-12-16T00:25:20Z", + "input": "xxh64:24ca3b7889974a27" }, "nvd": { - "captured": "2025-12-15T00:29:34Z", - "input": "xxh64:52a15157244d2eb4" + "captured": "2025-12-16T00:28:18Z", + "input": "xxh64:8ee1877e9a9e680b" }, "oracle": { - "captured": "2025-12-15T00:26:29Z", - "input": "xxh64:a3297070ed6c54c1" + "captured": "2025-12-16T00:25:23Z", + "input": "xxh64:a4416b6b3e4250df" }, "rhel": { - "captured": "2025-12-15T00:27:19Z", - "input": "xxh64:e625d0086bf187f1" + "captured": "2025-12-16T00:26:07Z", + "input": "xxh64:9911b1a567d8f57c" }, "sles": { - "captured": "2025-12-15T00:26:44Z", - "input": "xxh64:baf8228a110f8ba2" + "captured": "2025-12-16T00:25:43Z", + "input": "xxh64:1b717d5f2e45fdee" }, "ubuntu": { - "captured": "2025-12-15T00:27:45Z", - "input": "xxh64:dd0f79d777310979" + "captured": "2025-12-16T00:27:14Z", + "input": "xxh64:2d3097578288b46f" }, "wolfi": { - "captured": "2025-12-15T00:26:25Z", - "input": "xxh64:7f14313934ae61bb" + "captured": "2025-12-16T00:25:19Z", + "input": "xxh64:f85923693eb62700" } } } diff --git a/docs/security/agent/grype-25.11.2.md b/docs/security/agent/grype-25.11.2.md index ed5dab2..2cab146 100644 --- a/docs/security/agent/grype-25.11.2.md +++ b/docs/security/agent/grype-25.11.2.md 
@@ -30,16 +30,16 @@ Refer to the [triaged vulnerabilities](https://docs.fluent.do/security/triaged.h | curl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-7264](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7264) | Low | | libcurl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-7264](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7264) | Low | | shadow-utils | 2:4.9-12.el9 | [CVE-2024-56433](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-56433) | Low | -| curl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | -| libcurl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | | libxml2 | 2.9.13-12.el9_6 | [CVE-2024-34459](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34459) | Low | | openssl | 1:3.2.2-6.el9_5.1 | [CVE-2024-41996](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41996) | Low | | openssl-libs | 1:3.2.2-6.el9_5.1 | [CVE-2024-41996](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41996) | Low | +| curl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | +| libcurl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | | curl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-11053](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-11053) | Low | | libcurl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-11053](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-11053) | Low | | glib2 | 2.68.4-16.el9_6.2 | [CVE-2023-32636](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32636) | Low | -| libarchive | 3.5.3-6.el9_6 | [CVE-2025-1632](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1632) | Low | | libxml2 | 2.9.13-12.el9_6 | [CVE-2025-27113](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27113) | Low | +| libarchive | 3.5.3-6.el9_6 | 
[CVE-2025-1632](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1632) | Low | | openssl | 1:3.2.2-6.el9_5.1 | [CVE-2024-13176](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13176) | Low | | openssl-libs | 1:3.2.2-6.el9_5.1 | [CVE-2024-13176](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13176) | Low | | libxml2 | 2.9.13-12.el9_6 | [CVE-2023-45322](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45322) | Low | diff --git a/docs/security/agent/grype-25.12.1.json b/docs/security/agent/grype-25.12.1.json index 3e81fb2..faef8a9 100644 --- a/docs/security/agent/grype-25.12.1.json +++ b/docs/security/agent/grype-25.12.1.json @@ -25,8 +25,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -91,8 +91,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -194,8 +194,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -260,8 +260,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ 
@@ -340,39 +340,39 @@ }, { "vulnerability": { - "id": "CVE-2024-9681", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", + "id": "CVE-2024-34459", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-34459", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", + "description": "A flaw was found in the xmllint program distributed by the libxml2 package. A buffer over-read in the xmlHTMLPrintFileContext function in the xmllint.c file may be triggered when a crafted file is processed with the xmllint program using the `--htmlout` command line option, causing an application crash and resulting in a denial of service.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 3.9, - "exploitabilityScore": 1.4, - "impactScore": 2.6 + "baseScore": 5.5, + "exploitabilityScore": 1.9, + "impactScore": 3.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-34459", + "epss": 0.00847, + "percentile": 0.74212, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-34459", + "cwe": "CWE-122", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ], "fix": { 
@@ -380,51 +380,36 @@ "state": "not-fixed" }, "advisories": [], - "risk": 0.422625 + "risk": 0.35997500000000004 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-9681", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", + "id": "CVE-2024-34459", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-34459", "namespace": "nvd:cpe", - "severity": "Medium", + "severity": "High", "urls": [ - "https://curl.se/docs/CVE-2024-9681.html", - "https://curl.se/docs/CVE-2024-9681.json", - "https://hackerone.com/reports/2764830", - "http://seclists.org/fulldisclosure/2025/Apr/10", - "http://seclists.org/fulldisclosure/2025/Apr/11", - "http://seclists.org/fulldisclosure/2025/Apr/12", - "http://seclists.org/fulldisclosure/2025/Apr/13", - "http://seclists.org/fulldisclosure/2025/Apr/4", - "http://seclists.org/fulldisclosure/2025/Apr/5", - "http://seclists.org/fulldisclosure/2025/Apr/8", - "http://seclists.org/fulldisclosure/2025/Apr/9", - "http://www.openwall.com/lists/oss-security/2024/11/06/2", - "https://security.netapp.com/advisory/ntap-20241213-0006/" + "https://gitlab.gnome.org/GNOME/libxml2/-/issues/720", + "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.8", + "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.7", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/", + "https://lists.debian.org/debian-lts-announce/2025/07/msg00014.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", + 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/" ], - "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", + "description": "An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. 
Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c.", "cvss": [ - { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", - "metrics": { - "baseScore": 6.5, - "exploitabilityScore": 2.3, - "impactScore": 4.3 - }, - "vendorMetadata": {} - }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, + "baseScore": 7.5, + "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} @@ -432,25 +417,25 @@ ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-34459", + "epss": 0.00847, + "percentile": 0.74212, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-34459", + "cwe": "CWE-122", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ] } ], "matchDetails": [ { - "type": "exact-indirect-match", + "type": "exact-direct-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { @@ -458,21 +443,21 @@ "version": "9.7" }, "package": { - "name": "curl", - "version": "7.76.1-34.el9" + "name": "libxml2", + "version": "0:2.9.13-14.el9_7" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-9681", + "vulnerabilityID": "CVE-2024-34459", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "211bc8dbb2d0cae8", - "name": "curl-minimal", - "version": "7.76.1-34.el9", + "id": "a840257087cebda4", + "name": "libxml2", + "version": "2.9.13-14.el9_7", "type": "rpm", "locations": [ { 
@@ -489,22 +474,11 @@ "MIT" ], "cpes": [ - "cpe:2.3:a:curl-minimal:curl-minimal:7.76.1-34.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:curl-minimal:curl_minimal:7.76.1-34.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:curl_minimal:curl-minimal:7.76.1-34.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:curl_minimal:curl_minimal:7.76.1-34.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:curl-minimal:7.76.1-34.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:curl_minimal:7.76.1-34.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:curl:curl-minimal:7.76.1-34.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:curl:curl_minimal:7.76.1-34.el9:*:*:*:*:*:*:*" - ], - "purl": "pkg:rpm/redhat/curl-minimal@7.76.1-34.el9?arch=x86_64&distro=rhel-9.7&upstream=curl-7.76.1-34.el9.src.rpm", - "upstreams": [ - { - "name": "curl", - "version": "7.76.1-34.el9" - } + "cpe:2.3:a:libxml2:libxml2:2.9.13-14.el9_7:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libxml2:2.9.13-14.el9_7:*:*:*:*:*:*:*" ], + "purl": "pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=rhel-9.7&upstream=libxml2-2.9.13-14.el9_7.src.rpm", + "upstreams": [], "metadataType": "RpmMetadata", "metadata": { "epoch": null, 
@@ -514,91 +488,69 @@ }, { "vulnerability": { - "id": "CVE-2024-9681", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", + "id": "CVE-2024-41996", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", + "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 3.9, - "exploitabilityScore": 1.4, - "impactScore": 2.6 + "baseScore": 5.9, + "exploitabilityScore": 2.3, + "impactScore": 3.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-41996", + "cwe": "CWE-295", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ], "fix": { "versions": [], - "state": "not-fixed" + "state": "wont-fix" }, "advisories": [], - "risk": 0.422625 + "risk": 0.30705000000000005 }, 
"relatedVulnerabilities": [ { - "id": "CVE-2024-9681", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", + "id": "CVE-2024-41996", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", "namespace": "nvd:cpe", - "severity": "Medium", + "severity": "High", "urls": [ - "https://curl.se/docs/CVE-2024-9681.html", - "https://curl.se/docs/CVE-2024-9681.json", - "https://hackerone.com/reports/2764830", - "http://seclists.org/fulldisclosure/2025/Apr/10", - "http://seclists.org/fulldisclosure/2025/Apr/11", - "http://seclists.org/fulldisclosure/2025/Apr/12", - "http://seclists.org/fulldisclosure/2025/Apr/13", - "http://seclists.org/fulldisclosure/2025/Apr/4", - "http://seclists.org/fulldisclosure/2025/Apr/5", - "http://seclists.org/fulldisclosure/2025/Apr/8", - "http://seclists.org/fulldisclosure/2025/Apr/9", - "http://www.openwall.com/lists/oss-security/2024/11/06/2", - "https://security.netapp.com/advisory/ntap-20241213-0006/" + "https://dheatattack.gitlab.io/details/", + "https://dheatattack.gitlab.io/faq/", + "https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" ], - "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug 
is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", + "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", "cvss": [ - { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", - "metrics": { - "baseScore": 6.5, - "exploitabilityScore": 2.3, - "impactScore": 4.3 - }, - "vendorMetadata": {} - }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, + "baseScore": 7.5, + "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} 
@@ -606,25 +558,25 @@ ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-41996", + "cwe": "CWE-295", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ] } ], "matchDetails": [ { - "type": "exact-indirect-match", + "type": "exact-direct-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { @@ -632,21 +584,21 @@ "version": "9.7" }, "package": { - "name": "curl", - "version": "7.76.1-34.el9" + "name": "openssl", + "version": "1:3.5.1-4.el9_7" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-9681", + "vulnerabilityID": "CVE-2024-41996", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "dbb58be7b5652cc7", - "name": "libcurl-minimal", - "version": "7.76.1-34.el9", + "id": "25e16a00909d33d5", + "name": "openssl", + "version": "1:3.5.1-4.el9_7", "type": "rpm", "locations": [ { 
@@ -660,48 +612,37 @@ ], "language": "", "licenses": [ - "MIT" + "Apache-2.0" ], "cpes": [ - "cpe:2.3:a:libcurl-minimal:libcurl-minimal:7.76.1-34.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl-minimal:libcurl_minimal:7.76.1-34.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl_minimal:libcurl-minimal:7.76.1-34.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl_minimal:libcurl_minimal:7.76.1-34.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl:libcurl-minimal:7.76.1-34.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl:libcurl_minimal:7.76.1-34.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libcurl-minimal:7.76.1-34.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libcurl_minimal:7.76.1-34.el9:*:*:*:*:*:*:*" - ], - "purl": "pkg:rpm/redhat/libcurl-minimal@7.76.1-34.el9?arch=x86_64&distro=rhel-9.7&upstream=curl-7.76.1-34.el9.src.rpm", - "upstreams": [ - { - "name": "curl", - "version": "7.76.1-34.el9" - } + "cpe:2.3:a:openssl:openssl:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:openssl:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*" ], + "purl": "pkg:rpm/redhat/openssl@3.5.1-4.el9_7?arch=x86_64&distro=rhel-9.7&epoch=1&upstream=openssl-3.5.1-4.el9_7.src.rpm", + "upstreams": [], "metadataType": "RpmMetadata", "metadata": { - "epoch": null, + "epoch": 1, "modularityLabel": "" } } }, { "vulnerability": { - "id": "CVE-2024-34459", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-34459", + "id": "CVE-2024-41996", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A flaw was found in the xmllint program distributed by the libxml2 package. 
A buffer over-read in the xmlHTMLPrintFileContext function in the xmllint.c file may be triggered when a crafted file is processed with the xmllint program using the `--htmlout` command line option, causing an application crash and resulting in a denial of service.", + "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 5.5, - "exploitabilityScore": 1.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} 
@@ -709,52 +650,45 @@ ], "epss": [ { - "cve": "CVE-2024-34459", - "epss": 0.00847, - "percentile": 0.74208, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-34459", - "cwe": "CWE-122", + "cve": "CVE-2024-41996", + "cwe": "CWE-295", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ], "fix": { "versions": [], - "state": "not-fixed" + "state": "wont-fix" }, "advisories": [], - "risk": 0.35997500000000004 + "risk": 0.30705000000000005 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-34459", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-34459", + "id": "CVE-2024-41996", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", "namespace": "nvd:cpe", "severity": "High", "urls": [ - "https://gitlab.gnome.org/GNOME/libxml2/-/issues/720", - "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.8", - "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.7", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/", - "https://lists.debian.org/debian-lts-announce/2025/07/msg00014.html", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/" + "https://dheatattack.gitlab.io/details/", + "https://dheatattack.gitlab.io/faq/", + 
"https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" ], - "description": "An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c.", + "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", "cvss": [ { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { "baseScore": 7.5, "exploitabilityScore": 3.9, @@ -765,16 +699,16 @@ ], "epss": [ { - "cve": "CVE-2024-34459", - "epss": 0.00847, - "percentile": 0.74208, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-34459", - "cwe": "CWE-122", + "cve": "CVE-2024-41996", + "cwe": "CWE-295", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } @@ -783,7 +717,7 @@ ], "matchDetails": [ { - "type": "exact-direct-match", + "type": "exact-indirect-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { 
@@ -791,21 +725,21 @@ "version": "9.7" }, "package": { - "name": "libxml2", - "version": "0:2.9.13-14.el9_7" + "name": "openssl", + "version": "3.5.1-4.el9_7" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-34459", + "vulnerabilityID": "CVE-2024-41996", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "a840257087cebda4", - "name": "libxml2", - "version": "2.9.13-14.el9_7", + "id": "9620df42e45abf0c", + "name": "openssl-libs", + "version": "1:3.5.1-4.el9_7", "type": "rpm", "locations": [ { 
@@ -819,86 +753,119 @@ ], "language": "", "licenses": [ - "MIT" + "Apache-2.0" ], "cpes": [ - "cpe:2.3:a:libxml2:libxml2:2.9.13-14.el9_7:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libxml2:2.9.13-14.el9_7:*:*:*:*:*:*:*" + "cpe:2.3:a:openssl-libs:openssl-libs:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl-libs:openssl_libs:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl_libs:openssl-libs:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl_libs:openssl_libs:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl:openssl-libs:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl:openssl_libs:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:openssl-libs:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:openssl_libs:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*" + ], + "purl": "pkg:rpm/redhat/openssl-libs@3.5.1-4.el9_7?arch=x86_64&distro=rhel-9.7&epoch=1&upstream=openssl-3.5.1-4.el9_7.src.rpm", + "upstreams": [ + { + "name": "openssl", + "version": "3.5.1-4.el9_7" + } ], - "purl": "pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=rhel-9.7&upstream=libxml2-2.9.13-14.el9_7.src.rpm", - "upstreams": [], "metadataType": "RpmMetadata", "metadata": { - "epoch": null, + "epoch": 1, "modularityLabel": "" } } }, { "vulnerability": { - "id": "CVE-2024-41996", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. 
This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", + "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, - "impactScore": 3.6 + "baseScore": 3.9, + "exploitabilityScore": 1.4, + "impactScore": 2.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ], "fix": { "versions": [], - "state": "wont-fix" + "state": "not-fixed" }, "advisories": [], - "risk": 0.30705000000000005 + "risk": 0.20009999999999997 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-41996", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", "namespace": "nvd:cpe", - "severity": "High", + "severity": "Medium", "urls": [ - "https://dheatattack.gitlab.io/details/", - "https://dheatattack.gitlab.io/faq/", - "https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" + "https://curl.se/docs/CVE-2024-9681.html", + "https://curl.se/docs/CVE-2024-9681.json", + "https://hackerone.com/reports/2764830", + "http://seclists.org/fulldisclosure/2025/Apr/10", + 
"http://seclists.org/fulldisclosure/2025/Apr/11", + "http://seclists.org/fulldisclosure/2025/Apr/12", + "http://seclists.org/fulldisclosure/2025/Apr/13", + "http://seclists.org/fulldisclosure/2025/Apr/4", + "http://seclists.org/fulldisclosure/2025/Apr/5", + "http://seclists.org/fulldisclosure/2025/Apr/8", + "http://seclists.org/fulldisclosure/2025/Apr/9", + "http://www.openwall.com/lists/oss-security/2024/11/06/2", + "https://security.netapp.com/advisory/ntap-20241213-0006/" ], - "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", + "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for 
by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.3, + "impactScore": 4.3 + }, + "vendorMetadata": {} + }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} @@ -906,25 +873,25 @@ ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ] } ], "matchDetails": [ { - "type": "exact-direct-match", + "type": "exact-indirect-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { 
@@ -932,21 +899,21 @@ "version": "9.7" }, "package": { - "name": "openssl", - "version": "1:3.5.1-4.el9_7" + "name": "curl", + "version": "7.76.1-34.el9" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-41996", + "vulnerabilityID": "CVE-2024-9681", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "25e16a00909d33d5", - "name": "openssl", - "version": "1:3.5.1-4.el9_7", + "id": "211bc8dbb2d0cae8", + "name": "curl-minimal", + "version": "7.76.1-34.el9", "type": "rpm", "locations": [ { 
@@ -960,86 +927,119 @@ ], "language": "", "licenses": [ - "Apache-2.0" + "MIT" ], "cpes": [ - "cpe:2.3:a:openssl:openssl:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:openssl:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*" + "cpe:2.3:a:curl-minimal:curl-minimal:7.76.1-34.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:curl-minimal:curl_minimal:7.76.1-34.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:curl_minimal:curl-minimal:7.76.1-34.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:curl_minimal:curl_minimal:7.76.1-34.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:curl-minimal:7.76.1-34.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:curl_minimal:7.76.1-34.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:curl:curl-minimal:7.76.1-34.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:curl:curl_minimal:7.76.1-34.el9:*:*:*:*:*:*:*" + ], + "purl": "pkg:rpm/redhat/curl-minimal@7.76.1-34.el9?arch=x86_64&distro=rhel-9.7&upstream=curl-7.76.1-34.el9.src.rpm", + "upstreams": [ + { + "name": "curl", + "version": "7.76.1-34.el9" + } ], - "purl": "pkg:rpm/redhat/openssl@3.5.1-4.el9_7?arch=x86_64&distro=rhel-9.7&epoch=1&upstream=openssl-3.5.1-4.el9_7.src.rpm", - "upstreams": [], "metadataType": "RpmMetadata", "metadata": { - "epoch": 1, + "epoch": null, "modularityLabel": "" } } }, { "vulnerability": { - "id": "CVE-2024-41996", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. 
This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", + "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, - "impactScore": 3.6 + "baseScore": 3.9, + "exploitabilityScore": 1.4, + "impactScore": 2.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ], "fix": { "versions": [], - "state": "wont-fix" + "state": "not-fixed" }, "advisories": [], - "risk": 0.30705000000000005 + "risk": 0.20009999999999997 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-41996", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", "namespace": "nvd:cpe", - "severity": "High", + "severity": "Medium", "urls": [ - "https://dheatattack.gitlab.io/details/", - "https://dheatattack.gitlab.io/faq/", - "https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" + "https://curl.se/docs/CVE-2024-9681.html", + "https://curl.se/docs/CVE-2024-9681.json", + "https://hackerone.com/reports/2764830", + "http://seclists.org/fulldisclosure/2025/Apr/10", + 
"http://seclists.org/fulldisclosure/2025/Apr/11", + "http://seclists.org/fulldisclosure/2025/Apr/12", + "http://seclists.org/fulldisclosure/2025/Apr/13", + "http://seclists.org/fulldisclosure/2025/Apr/4", + "http://seclists.org/fulldisclosure/2025/Apr/5", + "http://seclists.org/fulldisclosure/2025/Apr/8", + "http://seclists.org/fulldisclosure/2025/Apr/9", + "http://www.openwall.com/lists/oss-security/2024/11/06/2", + "https://security.netapp.com/advisory/ntap-20241213-0006/" ], - "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", + "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for 
by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.3, + "impactScore": 4.3 + }, + "vendorMetadata": {} + }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} @@ -1047,18 +1047,18 @@ ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ] } @@ -1073,21 +1073,21 @@ "version": "9.7" }, "package": { - "name": "openssl", - "version": "3.5.1-4.el9_7" + "name": "curl", + "version": "7.76.1-34.el9" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-41996", + "vulnerabilityID": "CVE-2024-9681", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "9620df42e45abf0c", - "name": "openssl-libs", - "version": "1:3.5.1-4.el9_7", + "id": "dbb58be7b5652cc7", + "name": "libcurl-minimal", + "version": "7.76.1-34.el9", "type": "rpm", "locations": [ { 
@@ -1101,28 +1101,28 @@ ], "language": "", "licenses": [ - "Apache-2.0" + "MIT" ], "cpes": [ - "cpe:2.3:a:openssl-libs:openssl-libs:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl-libs:openssl_libs:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl_libs:openssl-libs:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl_libs:openssl_libs:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl:openssl-libs:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl:openssl_libs:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:openssl-libs:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:openssl_libs:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*" + "cpe:2.3:a:libcurl-minimal:libcurl-minimal:7.76.1-34.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl-minimal:libcurl_minimal:7.76.1-34.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl_minimal:libcurl-minimal:7.76.1-34.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl_minimal:libcurl_minimal:7.76.1-34.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl:libcurl-minimal:7.76.1-34.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl:libcurl_minimal:7.76.1-34.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libcurl-minimal:7.76.1-34.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libcurl_minimal:7.76.1-34.el9:*:*:*:*:*:*:*" ], - "purl": "pkg:rpm/redhat/openssl-libs@3.5.1-4.el9_7?arch=x86_64&distro=rhel-9.7&epoch=1&upstream=openssl-3.5.1-4.el9_7.src.rpm", + "purl": "pkg:rpm/redhat/libcurl-minimal@7.76.1-34.el9?arch=x86_64&distro=rhel-9.7&upstream=curl-7.76.1-34.el9.src.rpm", "upstreams": [ { - "name": "openssl", - "version": "3.5.1-4.el9_7" + "name": "curl", + "version": "7.76.1-34.el9" } ], "metadataType": "RpmMetadata", "metadata": { - "epoch": 1, + "epoch": null, "modularityLabel": "" } } @@ -1152,8 +1152,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ], "fix": { 
@@ -1197,8 +1197,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ] } @@ -1292,8 +1292,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ], "fix": { @@ -1337,8 +1337,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ] } @@ -1432,8 +1432,8 @@ { "cve": "CVE-2025-14087", "epss": 0.00197, - "percentile": 0.41855, - "date": "2025-12-14" + "percentile": 0.41841, + "date": "2025-12-15" } ], "cwes": [ @@ -1480,8 +1480,8 @@ { "cve": "CVE-2025-14087", "epss": 0.00197, - "percentile": 0.41855, - "date": "2025-12-14" + "percentile": 0.41841, + "date": "2025-12-15" } ], "cwes": [ @@ -1572,8 +1572,8 @@ { "cve": "CVE-2023-32636", "epss": 0.00165, - "percentile": 0.38062, - "date": "2025-12-14" + "percentile": 0.38035, + "date": "2025-12-15" } ], "cwes": [ @@ -1639,8 +1639,8 @@ { "cve": "CVE-2023-32636", "epss": 0.00165, - "percentile": 0.38062, - "date": "2025-12-14" + "percentile": 0.38035, + "date": "2025-12-15" } ], "cwes": [ 
@@ -1714,20 +1714,20 @@ }, { "vulnerability": { - "id": "CVE-2025-1632", - "dataSource": "https://access.redhat.com/security/cve/CVE-2025-1632", + "id": "CVE-2025-27113", + "dataSource": "https://access.redhat.com/security/cve/CVE-2025-27113", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A flaw was found in the bsdunzip utility of libarchive. In affected versions, a specially crafted file may trigger a null pointer dereference. This issue can lead to an application crash or other unexpected behavior.", + "description": "A flaw was found in libxml2. This vulnerability allows a NULL pointer dereference, leading to a potential crash or denial of service via a crafted XML pattern.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L", "metrics": { - "baseScore": 3.3, - "exploitabilityScore": 1.9, + "baseScore": 3.1, + "exploitabilityScore": 1.7, "impactScore": 1.5 }, "vendorMetadata": {} @@ -1735,27 +1735,21 @@ ], "epss": [ { - "cve": "CVE-2025-1632", - "epss": 0.00188, - "percentile": 0.40872, - "date": "2025-12-14" + "cve": "CVE-2025-27113", + "epss": 0.00217, + "percentile": 0.44238, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-1632", - "cwe": "CWE-404", - "source": "cna@vuldb.com", - "type": "Secondary" - }, - { - "cve": "CVE-2025-1632", + "cve": "CVE-2025-27113", "cwe": "CWE-476", - "source": "cna@vuldb.com", + "source": "cve@mitre.org", "type": "Secondary" }, { - "cve": "CVE-2025-1632", + "cve": "CVE-2025-27113", "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" 
@@ -1766,92 +1760,71 @@ "state": "not-fixed" }, "advisories": [], - "risk": 0.05921999999999999 + "risk": 0.066185 }, "relatedVulnerabilities": [ { - "id": "CVE-2025-1632", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-1632", + "id": "CVE-2025-27113", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-27113", "namespace": "nvd:cpe", - "severity": "Medium", + "severity": "High", "urls": [ - "https://github.com/Ekkosun/pocs/blob/main/bsdunzip-poc", - "https://vuldb.com/?ctiid.296619", - "https://vuldb.com/?id.296619", - "https://vuldb.com/?submit.496460" + "https://gitlab.gnome.org/GNOME/libxml2/-/issues/861", + "http://seclists.org/fulldisclosure/2025/Apr/10", + "http://seclists.org/fulldisclosure/2025/Apr/11", + "http://seclists.org/fulldisclosure/2025/Apr/12", + "http://seclists.org/fulldisclosure/2025/Apr/13", + "http://seclists.org/fulldisclosure/2025/Apr/4", + "http://seclists.org/fulldisclosure/2025/Apr/5", + "http://seclists.org/fulldisclosure/2025/Apr/8", + "http://seclists.org/fulldisclosure/2025/Apr/9", + "https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html", + "https://security.netapp.com/advisory/ntap-20250306-0004/" ], - "description": "A vulnerability was found in libarchive up to 3.7.7. It has been classified as problematic. This affects the function list of the file bsdunzip.c. The manipulation leads to null pointer dereference. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. 
The vendor was contacted early about this disclosure but did not respond in any way.", + "description": "libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer dereference in xmlPatMatch in pattern.c.", "cvss": [ { "source": "nvd@nist.gov", "type": "Primary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 5.5, - "exploitabilityScore": 1.9, + "baseScore": 7.5, + "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} }, { - "source": "cna@vuldb.com", - "type": "Secondary", - "version": "4.0", - "vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", - "metrics": { - "baseScore": 4.8 - }, - "vendorMetadata": {} - }, - { - "source": "cna@vuldb.com", + "source": "cve@mitre.org", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "metrics": { - "baseScore": 3.3, - "exploitabilityScore": 1.9, + "baseScore": 2.9, + "exploitabilityScore": 1.5, "impactScore": 1.5 }, "vendorMetadata": {} - }, - { - "source": "cna@vuldb.com", - "type": "Secondary", - "version": "2.0", - "vector": "AV:L/AC:L/Au:S/C:N/I:N/A:P", - "metrics": { - "baseScore": 1.7, - "exploitabilityScore": 3.2, - "impactScore": 2.9 - }, - "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2025-1632", - "epss": 0.00188, - "percentile": 0.40872, - "date": "2025-12-14" + "cve": "CVE-2025-27113", + "epss": 0.00217, + "percentile": 0.44238, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-1632", - "cwe": "CWE-404", - "source": "cna@vuldb.com", - "type": "Secondary" - }, - { - "cve": "CVE-2025-1632", + "cve": "CVE-2025-27113", "cwe": "CWE-476", - "source": "cna@vuldb.com", + "source": "cve@mitre.org", "type": "Secondary" }, { - 
"cve": "CVE-2025-1632", + "cve": "CVE-2025-27113", "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" @@ -1869,21 +1842,21 @@ "version": "9.7" }, "package": { - "name": "libarchive", - "version": "0:3.5.3-6.el9_6" + "name": "libxml2", + "version": "0:2.9.13-14.el9_7" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2025-1632", + "vulnerabilityID": "CVE-2025-27113", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "df491715ef44a4eb", - "name": "libarchive", - "version": "3.5.3-6.el9_6", + "id": "a840257087cebda4", + "name": "libxml2", + "version": "2.9.13-14.el9_7", "type": "rpm", "locations": [ { @@ -1897,13 +1870,13 @@ ], "language": "", "licenses": [ - "BSD" + "MIT" ], "cpes": [ - "cpe:2.3:a:libarchive:libarchive:3.5.3-6.el9_6:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libarchive:3.5.3-6.el9_6:*:*:*:*:*:*:*" + "cpe:2.3:a:libxml2:libxml2:2.9.13-14.el9_7:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libxml2:2.9.13-14.el9_7:*:*:*:*:*:*:*" ], - "purl": "pkg:rpm/redhat/libarchive@3.5.3-6.el9_6?arch=x86_64&distro=rhel-9.7&upstream=libarchive-3.5.3-6.el9_6.src.rpm", + "purl": "pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=rhel-9.7&upstream=libxml2-2.9.13-14.el9_7.src.rpm", "upstreams": [], "metadataType": "RpmMetadata", "metadata": { 
@@ -1914,20 +1887,20 @@ }, { "vulnerability": { - "id": "CVE-2025-27113", - "dataSource": "https://access.redhat.com/security/cve/CVE-2025-27113", + "id": "CVE-2025-1632", + "dataSource": "https://access.redhat.com/security/cve/CVE-2025-1632", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A flaw was found in libxml2. This vulnerability allows a NULL pointer dereference, leading to a potential crash or denial of service via a crafted XML pattern.", + "description": "A flaw was found in the bsdunzip utility of libarchive. In affected versions, a specially crafted file may trigger a null pointer dereference. This issue can lead to an application crash or other unexpected behavior.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "metrics": { - "baseScore": 3.1, - "exploitabilityScore": 1.7, + "baseScore": 3.3, + "exploitabilityScore": 1.9, "impactScore": 1.5 }, "vendorMetadata": {} @@ -1935,21 +1908,27 @@ ], "epss": [ { - "cve": "CVE-2025-27113", - "epss": 0.00184, - "percentile": 0.40434, - "date": "2025-12-14" + "cve": "CVE-2025-1632", + "epss": 0.00188, + "percentile": 0.40856, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-27113", + "cve": "CVE-2025-1632", + "cwe": "CWE-404", + "source": "cna@vuldb.com", + "type": "Secondary" + }, + { + "cve": "CVE-2025-1632", "cwe": "CWE-476", - "source": "cve@mitre.org", + "source": "cna@vuldb.com", "type": "Secondary" }, { - "cve": "CVE-2025-27113", + "cve": "CVE-2025-1632", "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" 
@@ -1960,71 +1939,92 @@ "state": "not-fixed" }, "advisories": [], - "risk": 0.056119999999999996 + "risk": 0.05921999999999999 }, "relatedVulnerabilities": [ { - "id": "CVE-2025-27113", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-27113", + "id": "CVE-2025-1632", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-1632", "namespace": "nvd:cpe", - "severity": "High", + "severity": "Medium", "urls": [ - "https://gitlab.gnome.org/GNOME/libxml2/-/issues/861", - "http://seclists.org/fulldisclosure/2025/Apr/10", - "http://seclists.org/fulldisclosure/2025/Apr/11", - "http://seclists.org/fulldisclosure/2025/Apr/12", - "http://seclists.org/fulldisclosure/2025/Apr/13", - "http://seclists.org/fulldisclosure/2025/Apr/4", - "http://seclists.org/fulldisclosure/2025/Apr/5", - "http://seclists.org/fulldisclosure/2025/Apr/8", - "http://seclists.org/fulldisclosure/2025/Apr/9", - "https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html", - "https://security.netapp.com/advisory/ntap-20250306-0004/" + "https://github.com/Ekkosun/pocs/blob/main/bsdunzip-poc", + "https://vuldb.com/?ctiid.296619", + "https://vuldb.com/?id.296619", + "https://vuldb.com/?submit.496460" ], - "description": "libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer dereference in xmlPatMatch in pattern.c.", + "description": "A vulnerability was found in libarchive up to 3.7.7. It has been classified as problematic. This affects the function list of the file bsdunzip.c. The manipulation leads to null pointer dereference. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. 
The vendor was contacted early about this disclosure but did not respond in any way.", "cvss": [ { "source": "nvd@nist.gov", "type": "Primary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, + "baseScore": 5.5, + "exploitabilityScore": 1.9, "impactScore": 3.6 }, "vendorMetadata": {} }, { - "source": "cve@mitre.org", + "source": "cna@vuldb.com", + "type": "Secondary", + "version": "4.0", + "vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", + "metrics": { + "baseScore": 4.8 + }, + "vendorMetadata": {} + }, + { + "source": "cna@vuldb.com", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "metrics": { - "baseScore": 2.9, - "exploitabilityScore": 1.5, + "baseScore": 3.3, + "exploitabilityScore": 1.9, "impactScore": 1.5 }, "vendorMetadata": {} + }, + { + "source": "cna@vuldb.com", + "type": "Secondary", + "version": "2.0", + "vector": "AV:L/AC:L/Au:S/C:N/I:N/A:P", + "metrics": { + "baseScore": 1.7, + "exploitabilityScore": 3.2, + "impactScore": 2.9 + }, + "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2025-27113", - "epss": 0.00184, - "percentile": 0.40434, - "date": "2025-12-14" + "cve": "CVE-2025-1632", + "epss": 0.00188, + "percentile": 0.40856, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-27113", + "cve": "CVE-2025-1632", + "cwe": "CWE-404", + "source": "cna@vuldb.com", + "type": "Secondary" + }, + { + "cve": "CVE-2025-1632", "cwe": "CWE-476", - "source": "cve@mitre.org", + "source": "cna@vuldb.com", "type": "Secondary" }, { - "cve": "CVE-2025-27113", + "cve": "CVE-2025-1632", "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" 
@@ -2042,21 +2042,21 @@ "version": "9.7" }, "package": { - "name": "libxml2", - "version": "0:2.9.13-14.el9_7" + "name": "libarchive", + "version": "0:3.5.3-6.el9_6" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2025-27113", + "vulnerabilityID": "CVE-2025-1632", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "a840257087cebda4", - "name": "libxml2", - "version": "2.9.13-14.el9_7", + "id": "df491715ef44a4eb", + "name": "libarchive", + "version": "3.5.3-6.el9_6", "type": "rpm", "locations": [ { @@ -2070,13 +2070,13 @@ ], "language": "", "licenses": [ - "MIT" + "BSD" ], "cpes": [ - "cpe:2.3:a:libxml2:libxml2:2.9.13-14.el9_7:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libxml2:2.9.13-14.el9_7:*:*:*:*:*:*:*" + "cpe:2.3:a:libarchive:libarchive:3.5.3-6.el9_6:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libarchive:3.5.3-6.el9_6:*:*:*:*:*:*:*" ], - "purl": "pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=rhel-9.7&upstream=libxml2-2.9.13-14.el9_7.src.rpm", + "purl": "pkg:rpm/redhat/libarchive@3.5.3-6.el9_6?arch=x86_64&distro=rhel-9.7&upstream=libarchive-3.5.3-6.el9_6.src.rpm", "upstreams": [], "metadataType": "RpmMetadata", "metadata": { @@ -2110,8 +2110,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ], "fix": { @@ -2152,8 +2152,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ] } @@ -2247,8 +2247,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ], "fix": { @@ -2289,8 +2289,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ] } 
@@ -2384,8 +2384,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -2443,8 +2443,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -2535,8 +2535,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -2594,8 +2594,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -2697,8 +2697,8 @@ { "cve": "CVE-2023-45322", "epss": 0.00076, - "percentile": 0.23163, - "date": "2025-12-14" + "percentile": 0.2314, + "date": "2025-12-15" } ], "cwes": [ @@ -2747,8 +2747,8 @@ { "cve": "CVE-2023-45322", "epss": 0.00076, - "percentile": 0.23163, - "date": "2025-12-14" + "percentile": 0.2314, + "date": "2025-12-15" } ], "cwes": [ @@ -2839,8 +2839,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -2887,8 +2887,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -2979,8 +2979,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -3027,8 +3027,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -3130,8 +3130,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ], "fix": { 
@@ -3173,8 +3173,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ] } @@ -3268,8 +3268,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ], "fix": { @@ -3311,8 +3311,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ] } @@ -3406,8 +3406,8 @@ { "cve": "CVE-2025-3360", "epss": 0.00068, - "percentile": 0.2117, - "date": "2025-12-14" + "percentile": 0.21148, + "date": "2025-12-15" } ], "cwes": [ @@ -3455,8 +3455,8 @@ { "cve": "CVE-2025-3360", "epss": 0.00068, - "percentile": 0.2117, - "date": "2025-12-14" + "percentile": 0.21148, + "date": "2025-12-15" } ], "cwes": [ @@ -3547,8 +3547,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -3608,8 +3608,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -3705,8 +3705,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -3766,8 +3766,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -3863,8 +3863,8 @@ { "cve": "CVE-2025-4598", "epss": 0.00042, - "percentile": 0.12535, - "date": "2025-12-14" + "percentile": 0.12486, + "date": "2025-12-15" } ], "cwes": [ @@ -3936,8 +3936,8 @@ { "cve": "CVE-2025-4598", "epss": 0.00042, - "percentile": 0.12535, - "date": "2025-12-14" + "percentile": 0.12486, + "date": "2025-12-15" } ], "cwes": [ 
@@ -4031,8 +4031,8 @@ { "cve": "CVE-2025-4598", "epss": 0.00042, - "percentile": 0.12535, - "date": "2025-12-14" + "percentile": 0.12486, + "date": "2025-12-15" } ], "cwes": [ @@ -4104,8 +4104,8 @@ { "cve": "CVE-2025-4598", "epss": 0.00042, - "percentile": 0.12535, - "date": "2025-12-14" + "percentile": 0.12486, + "date": "2025-12-15" } ], "cwes": [ @@ -4210,8 +4210,8 @@ { "cve": "CVE-2025-4598", "epss": 0.00042, - "percentile": 0.12535, - "date": "2025-12-14" + "percentile": 0.12486, + "date": "2025-12-15" } ], "cwes": [ @@ -4283,8 +4283,8 @@ { "cve": "CVE-2025-4598", "epss": 0.00042, - "percentile": 0.12535, - "date": "2025-12-14" + "percentile": 0.12486, + "date": "2025-12-15" } ], "cwes": [ @@ -4389,8 +4389,8 @@ { "cve": "CVE-2025-4598", "epss": 0.00042, - "percentile": 0.12535, - "date": "2025-12-14" + "percentile": 0.12486, + "date": "2025-12-15" } ], "cwes": [ @@ -4462,8 +4462,8 @@ { "cve": "CVE-2025-4598", "epss": 0.00042, - "percentile": 0.12535, - "date": "2025-12-14" + "percentile": 0.12486, + "date": "2025-12-15" } ], "cwes": [ @@ -4572,8 +4572,8 @@ { "cve": "CVE-2025-14512", "epss": 0.00034, - "percentile": 0.09609, - "date": "2025-12-14" + "percentile": 0.09535, + "date": "2025-12-15" } ], "cwes": [ @@ -4620,8 +4620,8 @@ { "cve": "CVE-2025-14512", "epss": 0.00034, - "percentile": 0.09609, - "date": "2025-12-14" + "percentile": 0.09535, + "date": "2025-12-15" } ], "cwes": [ @@ -4715,8 +4715,8 @@ { "cve": "CVE-2025-29478", "epss": 0.00034, - "percentile": 0.09478, - "date": "2025-12-14" + "percentile": 0.09393, + "date": "2025-12-15" } ], "cwes": [ @@ -4807,8 +4807,8 @@ { "cve": "CVE-2023-4156", "epss": 0.00031, - "percentile": 0.08475, - "date": "2025-12-14" + "percentile": 0.08405, + "date": "2025-12-15" } ], "cwes": [ @@ -4873,8 +4873,8 @@ { "cve": "CVE-2023-4156", "epss": 0.00031, - "percentile": 0.08475, - "date": "2025-12-14" + "percentile": 0.08405, + "date": "2025-12-15" } ], "cwes": [ 
@@ -4971,8 +4971,8 @@ { "cve": "CVE-2025-60753", "epss": 0.0002, - "percentile": 0.04699, - "date": "2025-12-14" + "percentile": 0.04656, + "date": "2025-12-15" } ], "cwes": [ @@ -5025,8 +5025,8 @@ { "cve": "CVE-2025-60753", "epss": 0.0002, - "percentile": 0.04699, - "date": "2025-12-14" + "percentile": 0.04656, + "date": "2025-12-15" } ], "cwes": [ @@ -5126,8 +5126,8 @@ { "cve": "CVE-2025-29477", "epss": 0.00019, - "percentile": 0.04132, - "date": "2025-12-14" + "percentile": 0.04084, + "date": "2025-12-15" } ], "cwes": [ @@ -5218,8 +5218,8 @@ { "cve": "CVE-2025-13601", "epss": 0.00015, - "percentile": 0.02458, - "date": "2025-12-14" + "percentile": 0.0245, + "date": "2025-12-15" } ], "cwes": [ @@ -5268,8 +5268,8 @@ { "cve": "CVE-2025-13601", "epss": 0.00015, - "percentile": 0.02458, - "date": "2025-12-14" + "percentile": 0.0245, + "date": "2025-12-15" } ], "cwes": [ @@ -5360,8 +5360,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ], "fix": { @@ -5402,8 +5402,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ] } @@ -5497,8 +5497,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ], "fix": { @@ -5539,8 +5539,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ] } @@ -5634,8 +5634,8 @@ { "cve": "CVE-2025-5915", "epss": 0.00026, - "percentile": 0.06449, - "date": "2025-12-14" + "percentile": 0.06425, + "date": "2025-12-15" } ], "cwes": [ @@ -5696,8 +5696,8 @@ { "cve": "CVE-2025-5915", "epss": 0.00026, - "percentile": 0.06449, - "date": "2025-12-14" + "percentile": 0.06425, + "date": "2025-12-15" } ], "cwes": [ 
@@ -5788,8 +5788,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -5841,8 +5841,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -5933,8 +5933,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -5986,8 +5986,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -6089,8 +6089,8 @@ { "cve": "CVE-2025-5916", "epss": 0.00023, - "percentile": 0.05378, - "date": "2025-12-14" + "percentile": 0.05349, + "date": "2025-12-15" } ], "cwes": [ @@ -6151,8 +6151,8 @@ { "cve": "CVE-2025-5916", "epss": 0.00023, - "percentile": 0.05378, - "date": "2025-12-14" + "percentile": 0.05349, + "date": "2025-12-15" } ], "cwes": [ @@ -6243,8 +6243,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -6291,8 +6291,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -6388,8 +6388,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -6436,8 +6436,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -6533,8 +6533,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ 
@@ -6581,8 +6581,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -6678,8 +6678,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -6726,8 +6726,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -6823,8 +6823,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -6871,8 +6871,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -6968,8 +6968,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -7016,8 +7016,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -7114,8 +7114,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -7162,8 +7162,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -7269,8 +7269,8 @@ { "cve": "CVE-2025-5278", "epss": 0.00016, - "percentile": 0.02784, - "date": "2025-12-14" + "percentile": 0.02777, + "date": "2025-12-15" } ], "cwes": [ @@ -7323,8 +7323,8 @@ { "cve": "CVE-2025-5278", "epss": 0.00016, - "percentile": 0.02784, - "date": "2025-12-14" + "percentile": 0.02777, + "date": "2025-12-15" } ], "cwes": [ 
@@ -7426,8 +7426,8 @@ { "cve": "CVE-2023-30571", "epss": 0.00014, - "percentile": 0.02021, - "date": "2025-12-14" + "percentile": 0.02012, + "date": "2025-12-15" } ], "cwes": [ @@ -7492,8 +7492,8 @@ { "cve": "CVE-2023-30571", "epss": 0.00014, - "percentile": 0.02021, - "date": "2025-12-14" + "percentile": 0.02012, + "date": "2025-12-15" } ], "cwes": [ @@ -7590,8 +7590,8 @@ { "cve": "CVE-2025-30258", "epss": 0.00025, - "percentile": 0.05983, - "date": "2025-12-14" + "percentile": 0.0597, + "date": "2025-12-15" } ], "cwes": [ @@ -7651,8 +7651,8 @@ { "cve": "CVE-2025-30258", "epss": 0.00025, - "percentile": 0.05983, - "date": "2025-12-14" + "percentile": 0.0597, + "date": "2025-12-15" } ], "cwes": [ @@ -7743,8 +7743,8 @@ { "cve": "CVE-2024-0232", "epss": 0.00018, - "percentile": 0.03785, - "date": "2025-12-14" + "percentile": 0.03749, + "date": "2025-12-15" } ], "cwes": [ @@ -7811,8 +7811,8 @@ { "cve": "CVE-2024-0232", "epss": 0.00018, - "percentile": 0.03785, - "date": "2025-12-14" + "percentile": 0.03749, + "date": "2025-12-15" } ], "cwes": [ @@ -7920,8 +7920,8 @@ { "cve": "CVE-2025-5918", "epss": 0.00019, - "percentile": 0.04307, - "date": "2025-12-14" + "percentile": 0.04264, + "date": "2025-12-15" } ], "cwes": [ @@ -7982,8 +7982,8 @@ { "cve": "CVE-2025-5918", "epss": 0.00019, - "percentile": 0.04307, - "date": "2025-12-14" + "percentile": 0.04264, + "date": "2025-12-15" } ], "cwes": [ @@ -8074,8 +8074,8 @@ { "cve": "CVE-2022-3219", "epss": 0.00012, - "percentile": 0.01397, - "date": "2025-12-14" + "percentile": 0.01394, + "date": "2025-12-15" } ], "cwes": [ @@ -8144,8 +8144,8 @@ { "cve": "CVE-2022-3219", "epss": 0.00012, - "percentile": 0.01397, - "date": "2025-12-14" + "percentile": 0.01394, + "date": "2025-12-15" } ], "cwes": [ @@ -8242,8 +8242,8 @@ { "cve": "CVE-2025-5917", "epss": 0.00019, - "percentile": 0.04396, - "date": "2025-12-14" + "percentile": 0.04351, + "date": "2025-12-15" } ], "cwes": [ 
@@ -8304,8 +8304,8 @@ { "cve": "CVE-2025-5917", "epss": 0.00019, - "percentile": 0.04396, - "date": "2025-12-14" + "percentile": 0.04351, + "date": "2025-12-15" } ], "cwes": [ @@ -8396,8 +8396,8 @@ { "cve": "CVE-2025-66382", "epss": 0.00017, - "percentile": 0.03397, - "date": "2025-12-14" + "percentile": 0.03381, + "date": "2025-12-15" } ], "cwes": [ @@ -8444,8 +8444,8 @@ { "cve": "CVE-2025-66382", "epss": 0.00017, - "percentile": 0.03397, - "date": "2025-12-14" + "percentile": 0.03381, + "date": "2025-12-15" } ], "cwes": [ @@ -8536,8 +8536,8 @@ { "cve": "CVE-2025-6170", "epss": 0.00017, - "percentile": 0.03384, - "date": "2025-12-14" + "percentile": 0.03368, + "date": "2025-12-15" } ], "cwes": [ @@ -8597,8 +8597,8 @@ { "cve": "CVE-2025-6170", "epss": 0.00017, - "percentile": 0.03384, - "date": "2025-12-14" + "percentile": 0.03368, + "date": "2025-12-15" } ], "cwes": [ 
@@ -9149,87 +9149,87 @@ "db": { "status": { "schemaVersion": "v6.1.3", - "from": "https://grype.anchore.io/databases/v6/vulnerability-db_v6.1.3_2025-12-15T00:26:22Z_1765786837.tar.zst?checksum=sha256%3A819b50d22f073b9ab2ad3c00d212207037c07e1de037f81b528b58717b758db2", - "built": "2025-12-15T08:20:37Z", + "from": "https://grype.anchore.io/databases/v6/vulnerability-db_v6.1.3_2025-12-16T00:25:11Z_1765880790.tar.zst?checksum=sha256%3Aa8bb3ef2cc68f242e78cda1e451f290ff56a23b1063de65d22a0ac20e16ae5bd", + "built": "2025-12-16T10:26:30Z", "path": ".cache/grype/db/6/vulnerability.db", "valid": true }, "providers": { "alma": { - "captured": "2025-12-15T00:26:29Z", + "captured": "2025-12-16T00:25:17Z", "input": "xxh64:3bae44c7a22f7a7a" }, "alpine": { - "captured": "2025-12-15T00:26:22Z", - "input": "xxh64:a6910ebae352b990" + "captured": "2025-12-16T00:25:13Z", + "input": "xxh64:0d94cc3d895e96e4" }, "amazon": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:d9332811ab10da09" + "captured": "2025-12-16T00:25:14Z", + "input": "xxh64:96351b3c21f16cdd" }, "bitnami": { - "captured": "2025-12-15T00:26:31Z", - "input": "xxh64:1ecf12b668dea077" + "captured": "2025-12-16T00:25:26Z", + "input": "xxh64:01d096e52d6c584d" }, "chainguard": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:c788b1823558ccdc" + "captured": "2025-12-16T00:25:19Z", + "input": "xxh64:aeb142b1fabd05ef" }, "chainguard-libraries": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:61125e10198fff74" + "captured": "2025-12-16T00:25:25Z", + "input": "xxh64:131c1a3e98113468" }, "debian": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:3a0aef0ee5db3f38" + "captured": "2025-12-16T00:25:24Z", + "input": "xxh64:9c5942d58a5f0d0a" }, "echo": { - "captured": "2025-12-15T00:26:34Z", - "input": "xxh64:b407f1052619408a" + "captured": "2025-12-16T00:25:20Z", + "input": "xxh64:e65ed35a7a7899d0" }, "epss": { - "captured": "2025-12-15T00:26:28Z", - "input": "xxh64:05fd1e2ee709d2a5" + "captured": 
"2025-12-16T00:25:21Z", + "input": "xxh64:c443dbaf0209cf17" }, "github": { - "captured": "2025-12-15T00:26:44Z", - "input": "xxh64:3c7fd996a88f1c66" + "captured": "2025-12-16T00:25:21Z", + "input": "xxh64:640038905439d285" }, "kev": { - "captured": "2025-12-15T00:26:23Z", - "input": "xxh64:ed425533655d771d" + "captured": "2025-12-16T00:25:11Z", + "input": "xxh64:c28f5b32e2103243" }, "mariner": { - "captured": "2025-12-15T00:26:32Z", - "input": "xxh64:6fdbff1192df3158" + "captured": "2025-12-16T00:25:18Z", + "input": "xxh64:647810a8c07a63eb" }, "minimos": { - "captured": "2025-12-15T00:26:30Z", - "input": "xxh64:66fa9397e7abbbe3" + "captured": "2025-12-16T00:25:20Z", + "input": "xxh64:24ca3b7889974a27" }, "nvd": { - "captured": "2025-12-15T00:29:34Z", - "input": "xxh64:52a15157244d2eb4" + "captured": "2025-12-16T00:28:18Z", + "input": "xxh64:8ee1877e9a9e680b" }, "oracle": { - "captured": "2025-12-15T00:26:29Z", - "input": "xxh64:a3297070ed6c54c1" + "captured": "2025-12-16T00:25:23Z", + "input": "xxh64:a4416b6b3e4250df" }, "rhel": { - "captured": "2025-12-15T00:27:19Z", - "input": "xxh64:e625d0086bf187f1" + "captured": "2025-12-16T00:26:07Z", + "input": "xxh64:9911b1a567d8f57c" }, "sles": { - "captured": "2025-12-15T00:26:44Z", - "input": "xxh64:baf8228a110f8ba2" + "captured": "2025-12-16T00:25:43Z", + "input": "xxh64:1b717d5f2e45fdee" }, "ubuntu": { - "captured": "2025-12-15T00:27:45Z", - "input": "xxh64:dd0f79d777310979" + "captured": "2025-12-16T00:27:14Z", + "input": "xxh64:2d3097578288b46f" }, "wolfi": { - "captured": "2025-12-15T00:26:25Z", - "input": "xxh64:7f14313934ae61bb" + "captured": "2025-12-16T00:25:19Z", + "input": "xxh64:f85923693eb62700" } } } diff --git a/docs/security/agent/grype-25.12.1.md b/docs/security/agent/grype-25.12.1.md index 589dd22..842d9a4 100644 --- a/docs/security/agent/grype-25.12.1.md +++ b/docs/security/agent/grype-25.12.1.md 
@@ -31,16 +31,16 @@ Refer to the [triaged vulnerabilities](https://docs.fluent.do/security/triaged.h | sqlite-libs | 3.34.1-9.el9_7 | [CVE-2025-52099](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-52099) | Medium | | curl-minimal | 7.76.1-34.el9 | [CVE-2024-7264](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7264) | Low | | libcurl-minimal | 7.76.1-34.el9 | [CVE-2024-7264](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7264) | Low | -| curl-minimal | 7.76.1-34.el9 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | -| libcurl-minimal | 7.76.1-34.el9 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | | libxml2 | 2.9.13-14.el9_7 | [CVE-2024-34459](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34459) | Low | | openssl | 1:3.5.1-4.el9_7 | [CVE-2024-41996](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41996) | Low | | openssl-libs | 1:3.5.1-4.el9_7 | [CVE-2024-41996](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41996) | Low | +| curl-minimal | 7.76.1-34.el9 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | +| libcurl-minimal | 7.76.1-34.el9 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | | curl-minimal | 7.76.1-34.el9 | [CVE-2024-11053](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-11053) | Low | | libcurl-minimal | 7.76.1-34.el9 | [CVE-2024-11053](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-11053) | Low | | glib2 | 2.68.4-18.el9_7 | [CVE-2023-32636](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32636) | Low | -| libarchive | 3.5.3-6.el9_6 | [CVE-2025-1632](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1632) | Low | | libxml2 | 2.9.13-14.el9_7 | [CVE-2025-27113](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27113) | Low | +| libarchive | 3.5.3-6.el9_6 | 
[CVE-2025-1632](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1632) | Low | | openssl | 1:3.5.1-4.el9_7 | [CVE-2024-13176](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13176) | Low | | openssl-libs | 1:3.5.1-4.el9_7 | [CVE-2024-13176](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13176) | Low | | libxml2 | 2.9.13-14.el9_7 | [CVE-2023-45322](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45322) | Low | diff --git a/docs/security/agent/grype-25.12.2.json b/docs/security/agent/grype-25.12.2.json index 507bc3d..1c2e1cf 100644 --- a/docs/security/agent/grype-25.12.2.json +++ b/docs/security/agent/grype-25.12.2.json @@ -25,8 +25,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -91,8 +91,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -194,8 +194,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -260,8 +260,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ 
@@ -340,39 +340,39 @@ }, { "vulnerability": { - "id": "CVE-2024-9681", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", + "id": "CVE-2024-34459", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-34459", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", + "description": "A flaw was found in the xmllint program distributed by the libxml2 package. A buffer over-read in the xmlHTMLPrintFileContext function in the xmllint.c file may be triggered when a crafted file is processed with the xmllint program using the `--htmlout` command line option, causing an application crash and resulting in a denial of service.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 3.9, - "exploitabilityScore": 1.4, - "impactScore": 2.6 + "baseScore": 5.5, + "exploitabilityScore": 1.9, + "impactScore": 3.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-34459", + "epss": 0.00847, + "percentile": 0.74212, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-34459", + "cwe": "CWE-122", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ], "fix": { 
@@ -380,51 +380,36 @@ "state": "not-fixed" }, "advisories": [], - "risk": 0.422625 + "risk": 0.35997500000000004 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-9681", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", + "id": "CVE-2024-34459", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-34459", "namespace": "nvd:cpe", - "severity": "Medium", + "severity": "High", "urls": [ - "https://curl.se/docs/CVE-2024-9681.html", - "https://curl.se/docs/CVE-2024-9681.json", - "https://hackerone.com/reports/2764830", - "http://seclists.org/fulldisclosure/2025/Apr/10", - "http://seclists.org/fulldisclosure/2025/Apr/11", - "http://seclists.org/fulldisclosure/2025/Apr/12", - "http://seclists.org/fulldisclosure/2025/Apr/13", - "http://seclists.org/fulldisclosure/2025/Apr/4", - "http://seclists.org/fulldisclosure/2025/Apr/5", - "http://seclists.org/fulldisclosure/2025/Apr/8", - "http://seclists.org/fulldisclosure/2025/Apr/9", - "http://www.openwall.com/lists/oss-security/2024/11/06/2", - "https://security.netapp.com/advisory/ntap-20241213-0006/" + "https://gitlab.gnome.org/GNOME/libxml2/-/issues/720", + "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.8", + "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.7", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/", + "https://lists.debian.org/debian-lts-announce/2025/07/msg00014.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", + 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/" ], - "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", + "description": "An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. 
Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c.", "cvss": [ - { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", - "metrics": { - "baseScore": 6.5, - "exploitabilityScore": 2.3, - "impactScore": 4.3 - }, - "vendorMetadata": {} - }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, + "baseScore": 7.5, + "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} @@ -432,25 +417,25 @@ ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-34459", + "epss": 0.00847, + "percentile": 0.74212, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-34459", + "cwe": "CWE-122", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ] } ], "matchDetails": [ { - "type": "exact-indirect-match", + "type": "exact-direct-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { @@ -458,21 +443,21 @@ "version": "9.7" }, "package": { - "name": "curl", - "version": "7.76.1-34.el9" + "name": "libxml2", + "version": "0:2.9.13-14.el9_7" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-9681", + "vulnerabilityID": "CVE-2024-34459", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "211bc8dbb2d0cae8", - "name": "curl-minimal", - "version": "7.76.1-34.el9", + "id": "a840257087cebda4", + "name": "libxml2", + "version": "2.9.13-14.el9_7", "type": "rpm", "locations": [ { 
@@ -489,22 +474,11 @@ "MIT" ], "cpes": [ - "cpe:2.3:a:curl-minimal:curl-minimal:7.76.1-34.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:curl-minimal:curl_minimal:7.76.1-34.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:curl_minimal:curl-minimal:7.76.1-34.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:curl_minimal:curl_minimal:7.76.1-34.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:curl-minimal:7.76.1-34.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:curl_minimal:7.76.1-34.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:curl:curl-minimal:7.76.1-34.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:curl:curl_minimal:7.76.1-34.el9:*:*:*:*:*:*:*" - ], - "purl": "pkg:rpm/redhat/curl-minimal@7.76.1-34.el9?arch=x86_64&distro=rhel-9.7&upstream=curl-7.76.1-34.el9.src.rpm", - "upstreams": [ - { - "name": "curl", - "version": "7.76.1-34.el9" - } + "cpe:2.3:a:libxml2:libxml2:2.9.13-14.el9_7:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libxml2:2.9.13-14.el9_7:*:*:*:*:*:*:*" ], + "purl": "pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=rhel-9.7&upstream=libxml2-2.9.13-14.el9_7.src.rpm", + "upstreams": [], "metadataType": "RpmMetadata", "metadata": { "epoch": null, 
@@ -514,91 +488,69 @@ }, { "vulnerability": { - "id": "CVE-2024-9681", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", + "id": "CVE-2024-41996", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", + "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 3.9, - "exploitabilityScore": 1.4, - "impactScore": 2.6 + "baseScore": 5.9, + "exploitabilityScore": 2.3, + "impactScore": 3.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-41996", + "cwe": "CWE-295", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ], "fix": { "versions": [], - "state": "not-fixed" + "state": "wont-fix" }, "advisories": [], - "risk": 0.422625 + "risk": 0.30705000000000005 }, 
"relatedVulnerabilities": [ { - "id": "CVE-2024-9681", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", + "id": "CVE-2024-41996", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", "namespace": "nvd:cpe", - "severity": "Medium", + "severity": "High", "urls": [ - "https://curl.se/docs/CVE-2024-9681.html", - "https://curl.se/docs/CVE-2024-9681.json", - "https://hackerone.com/reports/2764830", - "http://seclists.org/fulldisclosure/2025/Apr/10", - "http://seclists.org/fulldisclosure/2025/Apr/11", - "http://seclists.org/fulldisclosure/2025/Apr/12", - "http://seclists.org/fulldisclosure/2025/Apr/13", - "http://seclists.org/fulldisclosure/2025/Apr/4", - "http://seclists.org/fulldisclosure/2025/Apr/5", - "http://seclists.org/fulldisclosure/2025/Apr/8", - "http://seclists.org/fulldisclosure/2025/Apr/9", - "http://www.openwall.com/lists/oss-security/2024/11/06/2", - "https://security.netapp.com/advisory/ntap-20241213-0006/" + "https://dheatattack.gitlab.io/details/", + "https://dheatattack.gitlab.io/faq/", + "https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" ], - "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug 
is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", + "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", "cvss": [ - { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", - "metrics": { - "baseScore": 6.5, - "exploitabilityScore": 2.3, - "impactScore": 4.3 - }, - "vendorMetadata": {} - }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, + "baseScore": 7.5, + "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} 
@@ -606,25 +558,25 @@ ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-41996", + "cwe": "CWE-295", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ] } ], "matchDetails": [ { - "type": "exact-indirect-match", + "type": "exact-direct-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { @@ -632,21 +584,21 @@ "version": "9.7" }, "package": { - "name": "curl", - "version": "7.76.1-34.el9" + "name": "openssl", + "version": "1:3.5.1-4.el9_7" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-9681", + "vulnerabilityID": "CVE-2024-41996", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "dbb58be7b5652cc7", - "name": "libcurl-minimal", - "version": "7.76.1-34.el9", + "id": "25e16a00909d33d5", + "name": "openssl", + "version": "1:3.5.1-4.el9_7", "type": "rpm", "locations": [ { 
@@ -660,48 +612,37 @@ ], "language": "", "licenses": [ - "MIT" + "Apache-2.0" ], "cpes": [ - "cpe:2.3:a:libcurl-minimal:libcurl-minimal:7.76.1-34.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl-minimal:libcurl_minimal:7.76.1-34.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl_minimal:libcurl-minimal:7.76.1-34.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl_minimal:libcurl_minimal:7.76.1-34.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl:libcurl-minimal:7.76.1-34.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl:libcurl_minimal:7.76.1-34.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libcurl-minimal:7.76.1-34.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libcurl_minimal:7.76.1-34.el9:*:*:*:*:*:*:*" - ], - "purl": "pkg:rpm/redhat/libcurl-minimal@7.76.1-34.el9?arch=x86_64&distro=rhel-9.7&upstream=curl-7.76.1-34.el9.src.rpm", - "upstreams": [ - { - "name": "curl", - "version": "7.76.1-34.el9" - } + "cpe:2.3:a:openssl:openssl:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:openssl:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*" ], + "purl": "pkg:rpm/redhat/openssl@3.5.1-4.el9_7?arch=x86_64&distro=rhel-9.7&epoch=1&upstream=openssl-3.5.1-4.el9_7.src.rpm", + "upstreams": [], "metadataType": "RpmMetadata", "metadata": { - "epoch": null, + "epoch": 1, "modularityLabel": "" } } }, { "vulnerability": { - "id": "CVE-2024-34459", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-34459", + "id": "CVE-2024-41996", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A flaw was found in the xmllint program distributed by the libxml2 package. 
A buffer over-read in the xmlHTMLPrintFileContext function in the xmllint.c file may be triggered when a crafted file is processed with the xmllint program using the `--htmlout` command line option, causing an application crash and resulting in a denial of service.", + "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 5.5, - "exploitabilityScore": 1.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} 
@@ -709,52 +650,45 @@ ], "epss": [ { - "cve": "CVE-2024-34459", - "epss": 0.00847, - "percentile": 0.74208, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-34459", - "cwe": "CWE-122", + "cve": "CVE-2024-41996", + "cwe": "CWE-295", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ], "fix": { "versions": [], - "state": "not-fixed" + "state": "wont-fix" }, "advisories": [], - "risk": 0.35997500000000004 + "risk": 0.30705000000000005 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-34459", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-34459", + "id": "CVE-2024-41996", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", "namespace": "nvd:cpe", "severity": "High", "urls": [ - "https://gitlab.gnome.org/GNOME/libxml2/-/issues/720", - "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.8", - "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.7", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/", - "https://lists.debian.org/debian-lts-announce/2025/07/msg00014.html", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/" + "https://dheatattack.gitlab.io/details/", + "https://dheatattack.gitlab.io/faq/", + 
"https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" ], - "description": "An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c.", + "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", "cvss": [ { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { "baseScore": 7.5, "exploitabilityScore": 3.9, @@ -765,16 +699,16 @@ ], "epss": [ { - "cve": "CVE-2024-34459", - "epss": 0.00847, - "percentile": 0.74208, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-34459", - "cwe": "CWE-122", + "cve": "CVE-2024-41996", + "cwe": "CWE-295", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } @@ -783,7 +717,7 @@ ], "matchDetails": [ { - "type": "exact-direct-match", + "type": "exact-indirect-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { 
@@ -791,21 +725,21 @@ "version": "9.7" }, "package": { - "name": "libxml2", - "version": "0:2.9.13-14.el9_7" + "name": "openssl", + "version": "3.5.1-4.el9_7" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-34459", + "vulnerabilityID": "CVE-2024-41996", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "a840257087cebda4", - "name": "libxml2", - "version": "2.9.13-14.el9_7", + "id": "9620df42e45abf0c", + "name": "openssl-libs", + "version": "1:3.5.1-4.el9_7", "type": "rpm", "locations": [ { 
@@ -819,86 +753,119 @@ ], "language": "", "licenses": [ - "MIT" + "Apache-2.0" ], "cpes": [ - "cpe:2.3:a:libxml2:libxml2:2.9.13-14.el9_7:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libxml2:2.9.13-14.el9_7:*:*:*:*:*:*:*" + "cpe:2.3:a:openssl-libs:openssl-libs:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl-libs:openssl_libs:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl_libs:openssl-libs:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl_libs:openssl_libs:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl:openssl-libs:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl:openssl_libs:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:openssl-libs:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:openssl_libs:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*" + ], + "purl": "pkg:rpm/redhat/openssl-libs@3.5.1-4.el9_7?arch=x86_64&distro=rhel-9.7&epoch=1&upstream=openssl-3.5.1-4.el9_7.src.rpm", + "upstreams": [ + { + "name": "openssl", + "version": "3.5.1-4.el9_7" + } ], - "purl": "pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=rhel-9.7&upstream=libxml2-2.9.13-14.el9_7.src.rpm", - "upstreams": [], "metadataType": "RpmMetadata", "metadata": { - "epoch": null, + "epoch": 1, "modularityLabel": "" } } }, { "vulnerability": { - "id": "CVE-2024-41996", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. 
This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", + "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, - "impactScore": 3.6 + "baseScore": 3.9, + "exploitabilityScore": 1.4, + "impactScore": 2.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ], "fix": { "versions": [], - "state": "wont-fix" + "state": "not-fixed" }, "advisories": [], - "risk": 0.30705000000000005 + "risk": 0.20009999999999997 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-41996", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", "namespace": "nvd:cpe", - "severity": "High", + "severity": "Medium", "urls": [ - "https://dheatattack.gitlab.io/details/", - "https://dheatattack.gitlab.io/faq/", - "https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" + "https://curl.se/docs/CVE-2024-9681.html", + "https://curl.se/docs/CVE-2024-9681.json", + "https://hackerone.com/reports/2764830", + "http://seclists.org/fulldisclosure/2025/Apr/10", + 
"http://seclists.org/fulldisclosure/2025/Apr/11", + "http://seclists.org/fulldisclosure/2025/Apr/12", + "http://seclists.org/fulldisclosure/2025/Apr/13", + "http://seclists.org/fulldisclosure/2025/Apr/4", + "http://seclists.org/fulldisclosure/2025/Apr/5", + "http://seclists.org/fulldisclosure/2025/Apr/8", + "http://seclists.org/fulldisclosure/2025/Apr/9", + "http://www.openwall.com/lists/oss-security/2024/11/06/2", + "https://security.netapp.com/advisory/ntap-20241213-0006/" ], - "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", + "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for 
by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.3, + "impactScore": 4.3 + }, + "vendorMetadata": {} + }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} @@ -906,25 +873,25 @@ ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ] } ], "matchDetails": [ { - "type": "exact-direct-match", + "type": "exact-indirect-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { 
@@ -932,21 +899,21 @@ "version": "9.7" }, "package": { - "name": "openssl", - "version": "1:3.5.1-4.el9_7" + "name": "curl", + "version": "7.76.1-34.el9" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-41996", + "vulnerabilityID": "CVE-2024-9681", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "25e16a00909d33d5", - "name": "openssl", - "version": "1:3.5.1-4.el9_7", + "id": "211bc8dbb2d0cae8", + "name": "curl-minimal", + "version": "7.76.1-34.el9", "type": "rpm", "locations": [ { 
@@ -960,86 +927,119 @@ ], "language": "", "licenses": [ - "Apache-2.0" + "MIT" ], "cpes": [ - "cpe:2.3:a:openssl:openssl:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:openssl:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*" + "cpe:2.3:a:curl-minimal:curl-minimal:7.76.1-34.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:curl-minimal:curl_minimal:7.76.1-34.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:curl_minimal:curl-minimal:7.76.1-34.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:curl_minimal:curl_minimal:7.76.1-34.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:curl-minimal:7.76.1-34.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:curl_minimal:7.76.1-34.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:curl:curl-minimal:7.76.1-34.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:curl:curl_minimal:7.76.1-34.el9:*:*:*:*:*:*:*" + ], + "purl": "pkg:rpm/redhat/curl-minimal@7.76.1-34.el9?arch=x86_64&distro=rhel-9.7&upstream=curl-7.76.1-34.el9.src.rpm", + "upstreams": [ + { + "name": "curl", + "version": "7.76.1-34.el9" + } ], - "purl": "pkg:rpm/redhat/openssl@3.5.1-4.el9_7?arch=x86_64&distro=rhel-9.7&epoch=1&upstream=openssl-3.5.1-4.el9_7.src.rpm", - "upstreams": [], "metadataType": "RpmMetadata", "metadata": { - "epoch": 1, + "epoch": null, "modularityLabel": "" } } }, { "vulnerability": { - "id": "CVE-2024-41996", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. 
This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", + "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, - "impactScore": 3.6 + "baseScore": 3.9, + "exploitabilityScore": 1.4, + "impactScore": 2.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ], "fix": { "versions": [], - "state": "wont-fix" + "state": "not-fixed" }, "advisories": [], - "risk": 0.30705000000000005 + "risk": 0.20009999999999997 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-41996", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", "namespace": "nvd:cpe", - "severity": "High", + "severity": "Medium", "urls": [ - "https://dheatattack.gitlab.io/details/", - "https://dheatattack.gitlab.io/faq/", - "https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" + "https://curl.se/docs/CVE-2024-9681.html", + "https://curl.se/docs/CVE-2024-9681.json", + "https://hackerone.com/reports/2764830", + "http://seclists.org/fulldisclosure/2025/Apr/10", + 
"http://seclists.org/fulldisclosure/2025/Apr/11", + "http://seclists.org/fulldisclosure/2025/Apr/12", + "http://seclists.org/fulldisclosure/2025/Apr/13", + "http://seclists.org/fulldisclosure/2025/Apr/4", + "http://seclists.org/fulldisclosure/2025/Apr/5", + "http://seclists.org/fulldisclosure/2025/Apr/8", + "http://seclists.org/fulldisclosure/2025/Apr/9", + "http://www.openwall.com/lists/oss-security/2024/11/06/2", + "https://security.netapp.com/advisory/ntap-20241213-0006/" ], - "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", + "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for 
by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.3, + "impactScore": 4.3 + }, + "vendorMetadata": {} + }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} @@ -1047,18 +1047,18 @@ ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ] } @@ -1073,21 +1073,21 @@ "version": "9.7" }, "package": { - "name": "openssl", - "version": "3.5.1-4.el9_7" + "name": "curl", + "version": "7.76.1-34.el9" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-41996", + "vulnerabilityID": "CVE-2024-9681", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "9620df42e45abf0c", - "name": "openssl-libs", - "version": "1:3.5.1-4.el9_7", + "id": "dbb58be7b5652cc7", + "name": "libcurl-minimal", + "version": "7.76.1-34.el9", "type": "rpm", "locations": [ { 
@@ -1101,28 +1101,28 @@ ], "language": "", "licenses": [ - "Apache-2.0" + "MIT" ], "cpes": [ - "cpe:2.3:a:openssl-libs:openssl-libs:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl-libs:openssl_libs:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl_libs:openssl-libs:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl_libs:openssl_libs:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl:openssl-libs:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl:openssl_libs:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:openssl-libs:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:openssl_libs:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*" + "cpe:2.3:a:libcurl-minimal:libcurl-minimal:7.76.1-34.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl-minimal:libcurl_minimal:7.76.1-34.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl_minimal:libcurl-minimal:7.76.1-34.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl_minimal:libcurl_minimal:7.76.1-34.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl:libcurl-minimal:7.76.1-34.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl:libcurl_minimal:7.76.1-34.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libcurl-minimal:7.76.1-34.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libcurl_minimal:7.76.1-34.el9:*:*:*:*:*:*:*" ], - "purl": "pkg:rpm/redhat/openssl-libs@3.5.1-4.el9_7?arch=x86_64&distro=rhel-9.7&epoch=1&upstream=openssl-3.5.1-4.el9_7.src.rpm", + "purl": "pkg:rpm/redhat/libcurl-minimal@7.76.1-34.el9?arch=x86_64&distro=rhel-9.7&upstream=curl-7.76.1-34.el9.src.rpm", "upstreams": [ { - "name": "openssl", - "version": "3.5.1-4.el9_7" + "name": "curl", + "version": "7.76.1-34.el9" } ], "metadataType": "RpmMetadata", "metadata": { - "epoch": 1, + "epoch": null, "modularityLabel": "" } } @@ -1152,8 +1152,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ], "fix": { 
@@ -1197,8 +1197,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ] } @@ -1292,8 +1292,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ], "fix": { @@ -1337,8 +1337,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ] } @@ -1432,8 +1432,8 @@ { "cve": "CVE-2025-14087", "epss": 0.00197, - "percentile": 0.41855, - "date": "2025-12-14" + "percentile": 0.41841, + "date": "2025-12-15" } ], "cwes": [ @@ -1480,8 +1480,8 @@ { "cve": "CVE-2025-14087", "epss": 0.00197, - "percentile": 0.41855, - "date": "2025-12-14" + "percentile": 0.41841, + "date": "2025-12-15" } ], "cwes": [ @@ -1572,8 +1572,8 @@ { "cve": "CVE-2023-32636", "epss": 0.00165, - "percentile": 0.38062, - "date": "2025-12-14" + "percentile": 0.38035, + "date": "2025-12-15" } ], "cwes": [ @@ -1639,8 +1639,8 @@ { "cve": "CVE-2023-32636", "epss": 0.00165, - "percentile": 0.38062, - "date": "2025-12-14" + "percentile": 0.38035, + "date": "2025-12-15" } ], "cwes": [ 
@@ -1714,20 +1714,20 @@ }, { "vulnerability": { - "id": "CVE-2025-1632", - "dataSource": "https://access.redhat.com/security/cve/CVE-2025-1632", + "id": "CVE-2025-27113", + "dataSource": "https://access.redhat.com/security/cve/CVE-2025-27113", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A flaw was found in the bsdunzip utility of libarchive. In affected versions, a specially crafted file may trigger a null pointer dereference. This issue can lead to an application crash or other unexpected behavior.", + "description": "A flaw was found in libxml2. This vulnerability allows a NULL pointer dereference, leading to a potential crash or denial of service via a crafted XML pattern.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L", "metrics": { - "baseScore": 3.3, - "exploitabilityScore": 1.9, + "baseScore": 3.1, + "exploitabilityScore": 1.7, "impactScore": 1.5 }, "vendorMetadata": {} @@ -1735,27 +1735,21 @@ ], "epss": [ { - "cve": "CVE-2025-1632", - "epss": 0.00188, - "percentile": 0.40872, - "date": "2025-12-14" + "cve": "CVE-2025-27113", + "epss": 0.00217, + "percentile": 0.44238, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-1632", - "cwe": "CWE-404", - "source": "cna@vuldb.com", - "type": "Secondary" - }, - { - "cve": "CVE-2025-1632", + "cve": "CVE-2025-27113", "cwe": "CWE-476", - "source": "cna@vuldb.com", + "source": "cve@mitre.org", "type": "Secondary" }, { - "cve": "CVE-2025-1632", + "cve": "CVE-2025-27113", "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" 
@@ -1766,92 +1760,71 @@ "state": "not-fixed" }, "advisories": [], - "risk": 0.05921999999999999 + "risk": 0.066185 }, "relatedVulnerabilities": [ { - "id": "CVE-2025-1632", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-1632", + "id": "CVE-2025-27113", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-27113", "namespace": "nvd:cpe", - "severity": "Medium", + "severity": "High", "urls": [ - "https://github.com/Ekkosun/pocs/blob/main/bsdunzip-poc", - "https://vuldb.com/?ctiid.296619", - "https://vuldb.com/?id.296619", - "https://vuldb.com/?submit.496460" + "https://gitlab.gnome.org/GNOME/libxml2/-/issues/861", + "http://seclists.org/fulldisclosure/2025/Apr/10", + "http://seclists.org/fulldisclosure/2025/Apr/11", + "http://seclists.org/fulldisclosure/2025/Apr/12", + "http://seclists.org/fulldisclosure/2025/Apr/13", + "http://seclists.org/fulldisclosure/2025/Apr/4", + "http://seclists.org/fulldisclosure/2025/Apr/5", + "http://seclists.org/fulldisclosure/2025/Apr/8", + "http://seclists.org/fulldisclosure/2025/Apr/9", + "https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html", + "https://security.netapp.com/advisory/ntap-20250306-0004/" ], - "description": "A vulnerability was found in libarchive up to 3.7.7. It has been classified as problematic. This affects the function list of the file bsdunzip.c. The manipulation leads to null pointer dereference. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. 
The vendor was contacted early about this disclosure but did not respond in any way.", + "description": "libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer dereference in xmlPatMatch in pattern.c.", "cvss": [ { "source": "nvd@nist.gov", "type": "Primary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 5.5, - "exploitabilityScore": 1.9, + "baseScore": 7.5, + "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} }, { - "source": "cna@vuldb.com", - "type": "Secondary", - "version": "4.0", - "vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", - "metrics": { - "baseScore": 4.8 - }, - "vendorMetadata": {} - }, - { - "source": "cna@vuldb.com", + "source": "cve@mitre.org", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "metrics": { - "baseScore": 3.3, - "exploitabilityScore": 1.9, + "baseScore": 2.9, + "exploitabilityScore": 1.5, "impactScore": 1.5 }, "vendorMetadata": {} - }, - { - "source": "cna@vuldb.com", - "type": "Secondary", - "version": "2.0", - "vector": "AV:L/AC:L/Au:S/C:N/I:N/A:P", - "metrics": { - "baseScore": 1.7, - "exploitabilityScore": 3.2, - "impactScore": 2.9 - }, - "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2025-1632", - "epss": 0.00188, - "percentile": 0.40872, - "date": "2025-12-14" + "cve": "CVE-2025-27113", + "epss": 0.00217, + "percentile": 0.44238, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-1632", - "cwe": "CWE-404", - "source": "cna@vuldb.com", - "type": "Secondary" - }, - { - "cve": "CVE-2025-1632", + "cve": "CVE-2025-27113", "cwe": "CWE-476", - "source": "cna@vuldb.com", + "source": "cve@mitre.org", "type": "Secondary" }, { - 
"cve": "CVE-2025-1632", + "cve": "CVE-2025-27113", "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" @@ -1869,21 +1842,21 @@ "version": "9.7" }, "package": { - "name": "libarchive", - "version": "0:3.5.3-6.el9_6" + "name": "libxml2", + "version": "0:2.9.13-14.el9_7" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2025-1632", + "vulnerabilityID": "CVE-2025-27113", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "df491715ef44a4eb", - "name": "libarchive", - "version": "3.5.3-6.el9_6", + "id": "a840257087cebda4", + "name": "libxml2", + "version": "2.9.13-14.el9_7", "type": "rpm", "locations": [ { @@ -1897,13 +1870,13 @@ ], "language": "", "licenses": [ - "BSD" + "MIT" ], "cpes": [ - "cpe:2.3:a:libarchive:libarchive:3.5.3-6.el9_6:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libarchive:3.5.3-6.el9_6:*:*:*:*:*:*:*" + "cpe:2.3:a:libxml2:libxml2:2.9.13-14.el9_7:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libxml2:2.9.13-14.el9_7:*:*:*:*:*:*:*" ], - "purl": "pkg:rpm/redhat/libarchive@3.5.3-6.el9_6?arch=x86_64&distro=rhel-9.7&upstream=libarchive-3.5.3-6.el9_6.src.rpm", + "purl": "pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=rhel-9.7&upstream=libxml2-2.9.13-14.el9_7.src.rpm", "upstreams": [], "metadataType": "RpmMetadata", "metadata": { 
@@ -1914,20 +1887,20 @@ }, { "vulnerability": { - "id": "CVE-2025-27113", - "dataSource": "https://access.redhat.com/security/cve/CVE-2025-27113", + "id": "CVE-2025-1632", + "dataSource": "https://access.redhat.com/security/cve/CVE-2025-1632", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A flaw was found in libxml2. This vulnerability allows a NULL pointer dereference, leading to a potential crash or denial of service via a crafted XML pattern.", + "description": "A flaw was found in the bsdunzip utility of libarchive. In affected versions, a specially crafted file may trigger a null pointer dereference. This issue can lead to an application crash or other unexpected behavior.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "metrics": { - "baseScore": 3.1, - "exploitabilityScore": 1.7, + "baseScore": 3.3, + "exploitabilityScore": 1.9, "impactScore": 1.5 }, "vendorMetadata": {} @@ -1935,21 +1908,27 @@ ], "epss": [ { - "cve": "CVE-2025-27113", - "epss": 0.00184, - "percentile": 0.40434, - "date": "2025-12-14" + "cve": "CVE-2025-1632", + "epss": 0.00188, + "percentile": 0.40856, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-27113", + "cve": "CVE-2025-1632", + "cwe": "CWE-404", + "source": "cna@vuldb.com", + "type": "Secondary" + }, + { + "cve": "CVE-2025-1632", "cwe": "CWE-476", - "source": "cve@mitre.org", + "source": "cna@vuldb.com", "type": "Secondary" }, { - "cve": "CVE-2025-27113", + "cve": "CVE-2025-1632", "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" 
@@ -1960,71 +1939,92 @@ "state": "not-fixed" }, "advisories": [], - "risk": 0.056119999999999996 + "risk": 0.05921999999999999 }, "relatedVulnerabilities": [ { - "id": "CVE-2025-27113", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-27113", + "id": "CVE-2025-1632", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-1632", "namespace": "nvd:cpe", - "severity": "High", + "severity": "Medium", "urls": [ - "https://gitlab.gnome.org/GNOME/libxml2/-/issues/861", - "http://seclists.org/fulldisclosure/2025/Apr/10", - "http://seclists.org/fulldisclosure/2025/Apr/11", - "http://seclists.org/fulldisclosure/2025/Apr/12", - "http://seclists.org/fulldisclosure/2025/Apr/13", - "http://seclists.org/fulldisclosure/2025/Apr/4", - "http://seclists.org/fulldisclosure/2025/Apr/5", - "http://seclists.org/fulldisclosure/2025/Apr/8", - "http://seclists.org/fulldisclosure/2025/Apr/9", - "https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html", - "https://security.netapp.com/advisory/ntap-20250306-0004/" + "https://github.com/Ekkosun/pocs/blob/main/bsdunzip-poc", + "https://vuldb.com/?ctiid.296619", + "https://vuldb.com/?id.296619", + "https://vuldb.com/?submit.496460" ], - "description": "libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer dereference in xmlPatMatch in pattern.c.", + "description": "A vulnerability was found in libarchive up to 3.7.7. It has been classified as problematic. This affects the function list of the file bsdunzip.c. The manipulation leads to null pointer dereference. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. 
The vendor was contacted early about this disclosure but did not respond in any way.", "cvss": [ { "source": "nvd@nist.gov", "type": "Primary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, + "baseScore": 5.5, + "exploitabilityScore": 1.9, "impactScore": 3.6 }, "vendorMetadata": {} }, { - "source": "cve@mitre.org", + "source": "cna@vuldb.com", + "type": "Secondary", + "version": "4.0", + "vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", + "metrics": { + "baseScore": 4.8 + }, + "vendorMetadata": {} + }, + { + "source": "cna@vuldb.com", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "metrics": { - "baseScore": 2.9, - "exploitabilityScore": 1.5, + "baseScore": 3.3, + "exploitabilityScore": 1.9, "impactScore": 1.5 }, "vendorMetadata": {} + }, + { + "source": "cna@vuldb.com", + "type": "Secondary", + "version": "2.0", + "vector": "AV:L/AC:L/Au:S/C:N/I:N/A:P", + "metrics": { + "baseScore": 1.7, + "exploitabilityScore": 3.2, + "impactScore": 2.9 + }, + "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2025-27113", - "epss": 0.00184, - "percentile": 0.40434, - "date": "2025-12-14" + "cve": "CVE-2025-1632", + "epss": 0.00188, + "percentile": 0.40856, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-27113", + "cve": "CVE-2025-1632", + "cwe": "CWE-404", + "source": "cna@vuldb.com", + "type": "Secondary" + }, + { + "cve": "CVE-2025-1632", "cwe": "CWE-476", - "source": "cve@mitre.org", + "source": "cna@vuldb.com", "type": "Secondary" }, { - "cve": "CVE-2025-27113", + "cve": "CVE-2025-1632", "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" 
@@ -2042,21 +2042,21 @@ "version": "9.7" }, "package": { - "name": "libxml2", - "version": "0:2.9.13-14.el9_7" + "name": "libarchive", + "version": "0:3.5.3-6.el9_6" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2025-27113", + "vulnerabilityID": "CVE-2025-1632", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "a840257087cebda4", - "name": "libxml2", - "version": "2.9.13-14.el9_7", + "id": "df491715ef44a4eb", + "name": "libarchive", + "version": "3.5.3-6.el9_6", "type": "rpm", "locations": [ { @@ -2070,13 +2070,13 @@ ], "language": "", "licenses": [ - "MIT" + "BSD" ], "cpes": [ - "cpe:2.3:a:libxml2:libxml2:2.9.13-14.el9_7:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libxml2:2.9.13-14.el9_7:*:*:*:*:*:*:*" + "cpe:2.3:a:libarchive:libarchive:3.5.3-6.el9_6:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libarchive:3.5.3-6.el9_6:*:*:*:*:*:*:*" ], - "purl": "pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=rhel-9.7&upstream=libxml2-2.9.13-14.el9_7.src.rpm", + "purl": "pkg:rpm/redhat/libarchive@3.5.3-6.el9_6?arch=x86_64&distro=rhel-9.7&upstream=libarchive-3.5.3-6.el9_6.src.rpm", "upstreams": [], "metadataType": "RpmMetadata", "metadata": { @@ -2110,8 +2110,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ], "fix": { @@ -2152,8 +2152,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ] } @@ -2247,8 +2247,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ], "fix": { @@ -2289,8 +2289,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ] } 
@@ -2384,8 +2384,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -2443,8 +2443,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -2535,8 +2535,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -2594,8 +2594,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -2697,8 +2697,8 @@ { "cve": "CVE-2023-45322", "epss": 0.00076, - "percentile": 0.23163, - "date": "2025-12-14" + "percentile": 0.2314, + "date": "2025-12-15" } ], "cwes": [ @@ -2747,8 +2747,8 @@ { "cve": "CVE-2023-45322", "epss": 0.00076, - "percentile": 0.23163, - "date": "2025-12-14" + "percentile": 0.2314, + "date": "2025-12-15" } ], "cwes": [ @@ -2839,8 +2839,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -2887,8 +2887,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -2979,8 +2979,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -3027,8 +3027,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -3130,8 +3130,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ], "fix": { 
@@ -3173,8 +3173,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ] } @@ -3268,8 +3268,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ], "fix": { @@ -3311,8 +3311,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ] } @@ -3406,8 +3406,8 @@ { "cve": "CVE-2025-3360", "epss": 0.00068, - "percentile": 0.2117, - "date": "2025-12-14" + "percentile": 0.21148, + "date": "2025-12-15" } ], "cwes": [ @@ -3455,8 +3455,8 @@ { "cve": "CVE-2025-3360", "epss": 0.00068, - "percentile": 0.2117, - "date": "2025-12-14" + "percentile": 0.21148, + "date": "2025-12-15" } ], "cwes": [ @@ -3547,8 +3547,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -3608,8 +3608,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -3705,8 +3705,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -3766,8 +3766,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -3863,8 +3863,8 @@ { "cve": "CVE-2025-14512", "epss": 0.00034, - "percentile": 0.09609, - "date": "2025-12-14" + "percentile": 0.09535, + "date": "2025-12-15" } ], "cwes": [ @@ -3911,8 +3911,8 @@ { "cve": "CVE-2025-14512", "epss": 0.00034, - "percentile": 0.09609, - "date": "2025-12-14" + "percentile": 0.09535, + "date": "2025-12-15" } ], "cwes": [ 
@@ -4006,8 +4006,8 @@ { "cve": "CVE-2025-29478", "epss": 0.00034, - "percentile": 0.09478, - "date": "2025-12-14" + "percentile": 0.09393, + "date": "2025-12-15" } ], "cwes": [ @@ -4098,8 +4098,8 @@ { "cve": "CVE-2023-4156", "epss": 0.00031, - "percentile": 0.08475, - "date": "2025-12-14" + "percentile": 0.08405, + "date": "2025-12-15" } ], "cwes": [ @@ -4164,8 +4164,8 @@ { "cve": "CVE-2023-4156", "epss": 0.00031, - "percentile": 0.08475, - "date": "2025-12-14" + "percentile": 0.08405, + "date": "2025-12-15" } ], "cwes": [ @@ -4262,8 +4262,8 @@ { "cve": "CVE-2025-60753", "epss": 0.0002, - "percentile": 0.04699, - "date": "2025-12-14" + "percentile": 0.04656, + "date": "2025-12-15" } ], "cwes": [ @@ -4316,8 +4316,8 @@ { "cve": "CVE-2025-60753", "epss": 0.0002, - "percentile": 0.04699, - "date": "2025-12-14" + "percentile": 0.04656, + "date": "2025-12-15" } ], "cwes": [ @@ -4417,8 +4417,8 @@ { "cve": "CVE-2025-29477", "epss": 0.00019, - "percentile": 0.04132, - "date": "2025-12-14" + "percentile": 0.04084, + "date": "2025-12-15" } ], "cwes": [ @@ -4509,8 +4509,8 @@ { "cve": "CVE-2025-13601", "epss": 0.00015, - "percentile": 0.02458, - "date": "2025-12-14" + "percentile": 0.0245, + "date": "2025-12-15" } ], "cwes": [ @@ -4559,8 +4559,8 @@ { "cve": "CVE-2025-13601", "epss": 0.00015, - "percentile": 0.02458, - "date": "2025-12-14" + "percentile": 0.0245, + "date": "2025-12-15" } ], "cwes": [ @@ -4651,8 +4651,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ], "fix": { @@ -4693,8 +4693,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ] } @@ -4788,8 +4788,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ], "fix": { 
@@ -4830,8 +4830,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ] } @@ -4925,8 +4925,8 @@ { "cve": "CVE-2025-5915", "epss": 0.00026, - "percentile": 0.06449, - "date": "2025-12-14" + "percentile": 0.06425, + "date": "2025-12-15" } ], "cwes": [ @@ -4987,8 +4987,8 @@ { "cve": "CVE-2025-5915", "epss": 0.00026, - "percentile": 0.06449, - "date": "2025-12-14" + "percentile": 0.06425, + "date": "2025-12-15" } ], "cwes": [ @@ -5079,8 +5079,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -5132,8 +5132,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -5224,8 +5224,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -5277,8 +5277,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -5380,8 +5380,8 @@ { "cve": "CVE-2025-5916", "epss": 0.00023, - "percentile": 0.05378, - "date": "2025-12-14" + "percentile": 0.05349, + "date": "2025-12-15" } ], "cwes": [ @@ -5442,8 +5442,8 @@ { "cve": "CVE-2025-5916", "epss": 0.00023, - "percentile": 0.05378, - "date": "2025-12-14" + "percentile": 0.05349, + "date": "2025-12-15" } ], "cwes": [ @@ -5534,8 +5534,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -5582,8 +5582,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ 
@@ -5679,8 +5679,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -5727,8 +5727,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -5824,8 +5824,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -5872,8 +5872,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -5969,8 +5969,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -6017,8 +6017,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -6114,8 +6114,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -6162,8 +6162,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -6259,8 +6259,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -6307,8 +6307,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -6405,8 +6405,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ 
@@ -6453,8 +6453,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -6560,8 +6560,8 @@ { "cve": "CVE-2025-5278", "epss": 0.00016, - "percentile": 0.02784, - "date": "2025-12-14" + "percentile": 0.02777, + "date": "2025-12-15" } ], "cwes": [ @@ -6614,8 +6614,8 @@ { "cve": "CVE-2025-5278", "epss": 0.00016, - "percentile": 0.02784, - "date": "2025-12-14" + "percentile": 0.02777, + "date": "2025-12-15" } ], "cwes": [ @@ -6717,8 +6717,8 @@ { "cve": "CVE-2023-30571", "epss": 0.00014, - "percentile": 0.02021, - "date": "2025-12-14" + "percentile": 0.02012, + "date": "2025-12-15" } ], "cwes": [ @@ -6783,8 +6783,8 @@ { "cve": "CVE-2023-30571", "epss": 0.00014, - "percentile": 0.02021, - "date": "2025-12-14" + "percentile": 0.02012, + "date": "2025-12-15" } ], "cwes": [ @@ -6881,8 +6881,8 @@ { "cve": "CVE-2025-30258", "epss": 0.00025, - "percentile": 0.05983, - "date": "2025-12-14" + "percentile": 0.0597, + "date": "2025-12-15" } ], "cwes": [ @@ -6942,8 +6942,8 @@ { "cve": "CVE-2025-30258", "epss": 0.00025, - "percentile": 0.05983, - "date": "2025-12-14" + "percentile": 0.0597, + "date": "2025-12-15" } ], "cwes": [ @@ -7034,8 +7034,8 @@ { "cve": "CVE-2024-0232", "epss": 0.00018, - "percentile": 0.03785, - "date": "2025-12-14" + "percentile": 0.03749, + "date": "2025-12-15" } ], "cwes": [ @@ -7102,8 +7102,8 @@ { "cve": "CVE-2024-0232", "epss": 0.00018, - "percentile": 0.03785, - "date": "2025-12-14" + "percentile": 0.03749, + "date": "2025-12-15" } ], "cwes": [ @@ -7211,8 +7211,8 @@ { "cve": "CVE-2025-5918", "epss": 0.00019, - "percentile": 0.04307, - "date": "2025-12-14" + "percentile": 0.04264, + "date": "2025-12-15" } ], "cwes": [ @@ -7273,8 +7273,8 @@ { "cve": "CVE-2025-5918", "epss": 0.00019, - "percentile": 0.04307, - "date": "2025-12-14" + "percentile": 0.04264, + "date": "2025-12-15" } ], "cwes": [ 
@@ -7365,8 +7365,8 @@ { "cve": "CVE-2022-3219", "epss": 0.00012, - "percentile": 0.01397, - "date": "2025-12-14" + "percentile": 0.01394, + "date": "2025-12-15" } ], "cwes": [ @@ -7435,8 +7435,8 @@ { "cve": "CVE-2022-3219", "epss": 0.00012, - "percentile": 0.01397, - "date": "2025-12-14" + "percentile": 0.01394, + "date": "2025-12-15" } ], "cwes": [ @@ -7533,8 +7533,8 @@ { "cve": "CVE-2025-5917", "epss": 0.00019, - "percentile": 0.04396, - "date": "2025-12-14" + "percentile": 0.04351, + "date": "2025-12-15" } ], "cwes": [ @@ -7595,8 +7595,8 @@ { "cve": "CVE-2025-5917", "epss": 0.00019, - "percentile": 0.04396, - "date": "2025-12-14" + "percentile": 0.04351, + "date": "2025-12-15" } ], "cwes": [ @@ -7687,8 +7687,8 @@ { "cve": "CVE-2025-66382", "epss": 0.00017, - "percentile": 0.03397, - "date": "2025-12-14" + "percentile": 0.03381, + "date": "2025-12-15" } ], "cwes": [ @@ -7735,8 +7735,8 @@ { "cve": "CVE-2025-66382", "epss": 0.00017, - "percentile": 0.03397, - "date": "2025-12-14" + "percentile": 0.03381, + "date": "2025-12-15" } ], "cwes": [ @@ -7827,8 +7827,8 @@ { "cve": "CVE-2025-6170", "epss": 0.00017, - "percentile": 0.03384, - "date": "2025-12-14" + "percentile": 0.03368, + "date": "2025-12-15" } ], "cwes": [ @@ -7888,8 +7888,8 @@ { "cve": "CVE-2025-6170", "epss": 0.00017, - "percentile": 0.03384, - "date": "2025-12-14" + "percentile": 0.03368, + "date": "2025-12-15" } ], "cwes": [ 
@@ -8440,87 +8440,87 @@ "db": { "status": { "schemaVersion": "v6.1.3", - "from": "https://grype.anchore.io/databases/v6/vulnerability-db_v6.1.3_2025-12-15T00:26:22Z_1765786837.tar.zst?checksum=sha256%3A819b50d22f073b9ab2ad3c00d212207037c07e1de037f81b528b58717b758db2", - "built": "2025-12-15T08:20:37Z", + "from": "https://grype.anchore.io/databases/v6/vulnerability-db_v6.1.3_2025-12-16T00:25:11Z_1765880790.tar.zst?checksum=sha256%3Aa8bb3ef2cc68f242e78cda1e451f290ff56a23b1063de65d22a0ac20e16ae5bd", + "built": "2025-12-16T10:26:30Z", "path": ".cache/grype/db/6/vulnerability.db", "valid": true }, "providers": { "alma": { - "captured": "2025-12-15T00:26:29Z", + "captured": "2025-12-16T00:25:17Z", "input": "xxh64:3bae44c7a22f7a7a" }, "alpine": { - "captured": "2025-12-15T00:26:22Z", - "input": "xxh64:a6910ebae352b990" + "captured": "2025-12-16T00:25:13Z", + "input": "xxh64:0d94cc3d895e96e4" }, "amazon": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:d9332811ab10da09" + "captured": "2025-12-16T00:25:14Z", + "input": "xxh64:96351b3c21f16cdd" }, "bitnami": { - "captured": "2025-12-15T00:26:31Z", - "input": "xxh64:1ecf12b668dea077" + "captured": "2025-12-16T00:25:26Z", + "input": "xxh64:01d096e52d6c584d" }, "chainguard": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:c788b1823558ccdc" + "captured": "2025-12-16T00:25:19Z", + "input": "xxh64:aeb142b1fabd05ef" }, "chainguard-libraries": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:61125e10198fff74" + "captured": "2025-12-16T00:25:25Z", + "input": "xxh64:131c1a3e98113468" }, "debian": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:3a0aef0ee5db3f38" + "captured": "2025-12-16T00:25:24Z", + "input": "xxh64:9c5942d58a5f0d0a" }, "echo": { - "captured": "2025-12-15T00:26:34Z", - "input": "xxh64:b407f1052619408a" + "captured": "2025-12-16T00:25:20Z", + "input": "xxh64:e65ed35a7a7899d0" }, "epss": { - "captured": "2025-12-15T00:26:28Z", - "input": "xxh64:05fd1e2ee709d2a5" + "captured": 
"2025-12-16T00:25:21Z", + "input": "xxh64:c443dbaf0209cf17" }, "github": { - "captured": "2025-12-15T00:26:44Z", - "input": "xxh64:3c7fd996a88f1c66" + "captured": "2025-12-16T00:25:21Z", + "input": "xxh64:640038905439d285" }, "kev": { - "captured": "2025-12-15T00:26:23Z", - "input": "xxh64:ed425533655d771d" + "captured": "2025-12-16T00:25:11Z", + "input": "xxh64:c28f5b32e2103243" }, "mariner": { - "captured": "2025-12-15T00:26:32Z", - "input": "xxh64:6fdbff1192df3158" + "captured": "2025-12-16T00:25:18Z", + "input": "xxh64:647810a8c07a63eb" }, "minimos": { - "captured": "2025-12-15T00:26:30Z", - "input": "xxh64:66fa9397e7abbbe3" + "captured": "2025-12-16T00:25:20Z", + "input": "xxh64:24ca3b7889974a27" }, "nvd": { - "captured": "2025-12-15T00:29:34Z", - "input": "xxh64:52a15157244d2eb4" + "captured": "2025-12-16T00:28:18Z", + "input": "xxh64:8ee1877e9a9e680b" }, "oracle": { - "captured": "2025-12-15T00:26:29Z", - "input": "xxh64:a3297070ed6c54c1" + "captured": "2025-12-16T00:25:23Z", + "input": "xxh64:a4416b6b3e4250df" }, "rhel": { - "captured": "2025-12-15T00:27:19Z", - "input": "xxh64:e625d0086bf187f1" + "captured": "2025-12-16T00:26:07Z", + "input": "xxh64:9911b1a567d8f57c" }, "sles": { - "captured": "2025-12-15T00:26:44Z", - "input": "xxh64:baf8228a110f8ba2" + "captured": "2025-12-16T00:25:43Z", + "input": "xxh64:1b717d5f2e45fdee" }, "ubuntu": { - "captured": "2025-12-15T00:27:45Z", - "input": "xxh64:dd0f79d777310979" + "captured": "2025-12-16T00:27:14Z", + "input": "xxh64:2d3097578288b46f" }, "wolfi": { - "captured": "2025-12-15T00:26:25Z", - "input": "xxh64:7f14313934ae61bb" + "captured": "2025-12-16T00:25:19Z", + "input": "xxh64:f85923693eb62700" } } } diff --git a/docs/security/agent/grype-25.12.2.md b/docs/security/agent/grype-25.12.2.md index c1edb6e..9a0a16c 100644 --- a/docs/security/agent/grype-25.12.2.md +++ b/docs/security/agent/grype-25.12.2.md 
@@ -27,16 +27,16 @@ Refer to the [triaged vulnerabilities](https://docs.fluent.do/security/triaged.h | sqlite-libs | 3.34.1-9.el9_7 | [CVE-2025-52099](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-52099) | Medium | | curl-minimal | 7.76.1-34.el9 | [CVE-2024-7264](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7264) | Low | | libcurl-minimal | 7.76.1-34.el9 | [CVE-2024-7264](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7264) | Low | -| curl-minimal | 7.76.1-34.el9 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | -| libcurl-minimal | 7.76.1-34.el9 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | | libxml2 | 2.9.13-14.el9_7 | [CVE-2024-34459](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34459) | Low | | openssl | 1:3.5.1-4.el9_7 | [CVE-2024-41996](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41996) | Low | | openssl-libs | 1:3.5.1-4.el9_7 | [CVE-2024-41996](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41996) | Low | +| curl-minimal | 7.76.1-34.el9 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | +| libcurl-minimal | 7.76.1-34.el9 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | | curl-minimal | 7.76.1-34.el9 | [CVE-2024-11053](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-11053) | Low | | libcurl-minimal | 7.76.1-34.el9 | [CVE-2024-11053](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-11053) | Low | | glib2 | 2.68.4-18.el9_7 | [CVE-2023-32636](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32636) | Low | -| libarchive | 3.5.3-6.el9_6 | [CVE-2025-1632](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1632) | Low | | libxml2 | 2.9.13-14.el9_7 | [CVE-2025-27113](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27113) | Low | +| libarchive | 3.5.3-6.el9_6 | 
[CVE-2025-1632](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1632) | Low | | openssl | 1:3.5.1-4.el9_7 | [CVE-2024-13176](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13176) | Low | | openssl-libs | 1:3.5.1-4.el9_7 | [CVE-2024-13176](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13176) | Low | | libxml2 | 2.9.13-14.el9_7 | [CVE-2023-45322](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45322) | Low | diff --git a/docs/security/agent/grype-25.12.3.json b/docs/security/agent/grype-25.12.3.json index ee8b1d3..f1ea6eb 100644 --- a/docs/security/agent/grype-25.12.3.json +++ b/docs/security/agent/grype-25.12.3.json @@ -25,8 +25,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -91,8 +91,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -194,8 +194,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -260,8 +260,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ 
@@ -340,39 +340,39 @@ }, { "vulnerability": { - "id": "CVE-2024-9681", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", + "id": "CVE-2024-34459", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-34459", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", + "description": "A flaw was found in the xmllint program distributed by the libxml2 package. A buffer over-read in the xmlHTMLPrintFileContext function in the xmllint.c file may be triggered when a crafted file is processed with the xmllint program using the `--htmlout` command line option, causing an application crash and resulting in a denial of service.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 3.9, - "exploitabilityScore": 1.4, - "impactScore": 2.6 + "baseScore": 5.5, + "exploitabilityScore": 1.9, + "impactScore": 3.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-34459", + "epss": 0.00847, + "percentile": 0.74212, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-34459", + "cwe": "CWE-122", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ], "fix": { 
@@ -380,51 +380,36 @@ "state": "not-fixed" }, "advisories": [], - "risk": 0.422625 + "risk": 0.35997500000000004 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-9681", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", + "id": "CVE-2024-34459", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-34459", "namespace": "nvd:cpe", - "severity": "Medium", + "severity": "High", "urls": [ - "https://curl.se/docs/CVE-2024-9681.html", - "https://curl.se/docs/CVE-2024-9681.json", - "https://hackerone.com/reports/2764830", - "http://seclists.org/fulldisclosure/2025/Apr/10", - "http://seclists.org/fulldisclosure/2025/Apr/11", - "http://seclists.org/fulldisclosure/2025/Apr/12", - "http://seclists.org/fulldisclosure/2025/Apr/13", - "http://seclists.org/fulldisclosure/2025/Apr/4", - "http://seclists.org/fulldisclosure/2025/Apr/5", - "http://seclists.org/fulldisclosure/2025/Apr/8", - "http://seclists.org/fulldisclosure/2025/Apr/9", - "http://www.openwall.com/lists/oss-security/2024/11/06/2", - "https://security.netapp.com/advisory/ntap-20241213-0006/" + "https://gitlab.gnome.org/GNOME/libxml2/-/issues/720", + "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.8", + "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.7", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/", + "https://lists.debian.org/debian-lts-announce/2025/07/msg00014.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", + 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/" ], - "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", + "description": "An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. 
Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c.", "cvss": [ - { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", - "metrics": { - "baseScore": 6.5, - "exploitabilityScore": 2.3, - "impactScore": 4.3 - }, - "vendorMetadata": {} - }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, + "baseScore": 7.5, + "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} @@ -432,25 +417,25 @@ ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-34459", + "epss": 0.00847, + "percentile": 0.74212, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-34459", + "cwe": "CWE-122", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ] } ], "matchDetails": [ { - "type": "exact-indirect-match", + "type": "exact-direct-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { @@ -458,21 +443,21 @@ "version": "9.7" }, "package": { - "name": "curl", - "version": "7.76.1-34.el9" + "name": "libxml2", + "version": "0:2.9.13-14.el9_7" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-9681", + "vulnerabilityID": "CVE-2024-34459", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "211bc8dbb2d0cae8", - "name": "curl-minimal", - "version": "7.76.1-34.el9", + "id": "a840257087cebda4", + "name": "libxml2", + "version": "2.9.13-14.el9_7", "type": "rpm", "locations": [ { 
@@ -489,22 +474,11 @@ "MIT" ], "cpes": [ - "cpe:2.3:a:curl-minimal:curl-minimal:7.76.1-34.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:curl-minimal:curl_minimal:7.76.1-34.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:curl_minimal:curl-minimal:7.76.1-34.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:curl_minimal:curl_minimal:7.76.1-34.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:curl-minimal:7.76.1-34.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:curl_minimal:7.76.1-34.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:curl:curl-minimal:7.76.1-34.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:curl:curl_minimal:7.76.1-34.el9:*:*:*:*:*:*:*" - ], - "purl": "pkg:rpm/redhat/curl-minimal@7.76.1-34.el9?arch=x86_64&distro=rhel-9.7&upstream=curl-7.76.1-34.el9.src.rpm", - "upstreams": [ - { - "name": "curl", - "version": "7.76.1-34.el9" - } + "cpe:2.3:a:libxml2:libxml2:2.9.13-14.el9_7:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libxml2:2.9.13-14.el9_7:*:*:*:*:*:*:*" ], + "purl": "pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=rhel-9.7&upstream=libxml2-2.9.13-14.el9_7.src.rpm", + "upstreams": [], "metadataType": "RpmMetadata", "metadata": { "epoch": null, 
@@ -514,91 +488,69 @@ }, { "vulnerability": { - "id": "CVE-2024-9681", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", + "id": "CVE-2024-41996", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", + "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 3.9, - "exploitabilityScore": 1.4, - "impactScore": 2.6 + "baseScore": 5.9, + "exploitabilityScore": 2.3, + "impactScore": 3.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-41996", + "cwe": "CWE-295", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ], "fix": { "versions": [], - "state": "not-fixed" + "state": "wont-fix" }, "advisories": [], - "risk": 0.422625 + "risk": 0.30705000000000005 }, 
"relatedVulnerabilities": [ { - "id": "CVE-2024-9681", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", + "id": "CVE-2024-41996", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", "namespace": "nvd:cpe", - "severity": "Medium", + "severity": "High", "urls": [ - "https://curl.se/docs/CVE-2024-9681.html", - "https://curl.se/docs/CVE-2024-9681.json", - "https://hackerone.com/reports/2764830", - "http://seclists.org/fulldisclosure/2025/Apr/10", - "http://seclists.org/fulldisclosure/2025/Apr/11", - "http://seclists.org/fulldisclosure/2025/Apr/12", - "http://seclists.org/fulldisclosure/2025/Apr/13", - "http://seclists.org/fulldisclosure/2025/Apr/4", - "http://seclists.org/fulldisclosure/2025/Apr/5", - "http://seclists.org/fulldisclosure/2025/Apr/8", - "http://seclists.org/fulldisclosure/2025/Apr/9", - "http://www.openwall.com/lists/oss-security/2024/11/06/2", - "https://security.netapp.com/advisory/ntap-20241213-0006/" + "https://dheatattack.gitlab.io/details/", + "https://dheatattack.gitlab.io/faq/", + "https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" ], - "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug 
is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", + "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", "cvss": [ - { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", - "metrics": { - "baseScore": 6.5, - "exploitabilityScore": 2.3, - "impactScore": 4.3 - }, - "vendorMetadata": {} - }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, + "baseScore": 7.5, + "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} 
@@ -606,25 +558,25 @@ ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-41996", + "cwe": "CWE-295", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ] } ], "matchDetails": [ { - "type": "exact-indirect-match", + "type": "exact-direct-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { @@ -632,21 +584,21 @@ "version": "9.7" }, "package": { - "name": "curl", - "version": "7.76.1-34.el9" + "name": "openssl", + "version": "1:3.5.1-4.el9_7" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-9681", + "vulnerabilityID": "CVE-2024-41996", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "dbb58be7b5652cc7", - "name": "libcurl-minimal", - "version": "7.76.1-34.el9", + "id": "25e16a00909d33d5", + "name": "openssl", + "version": "1:3.5.1-4.el9_7", "type": "rpm", "locations": [ { 
@@ -660,48 +612,37 @@ ], "language": "", "licenses": [ - "MIT" + "Apache-2.0" ], "cpes": [ - "cpe:2.3:a:libcurl-minimal:libcurl-minimal:7.76.1-34.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl-minimal:libcurl_minimal:7.76.1-34.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl_minimal:libcurl-minimal:7.76.1-34.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl_minimal:libcurl_minimal:7.76.1-34.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl:libcurl-minimal:7.76.1-34.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl:libcurl_minimal:7.76.1-34.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libcurl-minimal:7.76.1-34.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libcurl_minimal:7.76.1-34.el9:*:*:*:*:*:*:*" - ], - "purl": "pkg:rpm/redhat/libcurl-minimal@7.76.1-34.el9?arch=x86_64&distro=rhel-9.7&upstream=curl-7.76.1-34.el9.src.rpm", - "upstreams": [ - { - "name": "curl", - "version": "7.76.1-34.el9" - } + "cpe:2.3:a:openssl:openssl:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:openssl:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*" ], + "purl": "pkg:rpm/redhat/openssl@3.5.1-4.el9_7?arch=x86_64&distro=rhel-9.7&epoch=1&upstream=openssl-3.5.1-4.el9_7.src.rpm", + "upstreams": [], "metadataType": "RpmMetadata", "metadata": { - "epoch": null, + "epoch": 1, "modularityLabel": "" } } }, { "vulnerability": { - "id": "CVE-2024-34459", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-34459", + "id": "CVE-2024-41996", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A flaw was found in the xmllint program distributed by the libxml2 package. 
A buffer over-read in the xmlHTMLPrintFileContext function in the xmllint.c file may be triggered when a crafted file is processed with the xmllint program using the `--htmlout` command line option, causing an application crash and resulting in a denial of service.", + "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 5.5, - "exploitabilityScore": 1.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} 
@@ -709,52 +650,45 @@ ], "epss": [ { - "cve": "CVE-2024-34459", - "epss": 0.00847, - "percentile": 0.74208, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-34459", - "cwe": "CWE-122", + "cve": "CVE-2024-41996", + "cwe": "CWE-295", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ], "fix": { "versions": [], - "state": "not-fixed" + "state": "wont-fix" }, "advisories": [], - "risk": 0.35997500000000004 + "risk": 0.30705000000000005 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-34459", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-34459", + "id": "CVE-2024-41996", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", "namespace": "nvd:cpe", "severity": "High", "urls": [ - "https://gitlab.gnome.org/GNOME/libxml2/-/issues/720", - "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.8", - "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.7", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/", - "https://lists.debian.org/debian-lts-announce/2025/07/msg00014.html", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/" + "https://dheatattack.gitlab.io/details/", + "https://dheatattack.gitlab.io/faq/", + 
"https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" ], - "description": "An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c.", + "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", "cvss": [ { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { "baseScore": 7.5, "exploitabilityScore": 3.9, @@ -765,16 +699,16 @@ ], "epss": [ { - "cve": "CVE-2024-34459", - "epss": 0.00847, - "percentile": 0.74208, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-34459", - "cwe": "CWE-122", + "cve": "CVE-2024-41996", + "cwe": "CWE-295", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } @@ -783,7 +717,7 @@ ], "matchDetails": [ { - "type": "exact-direct-match", + "type": "exact-indirect-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { 
@@ -791,21 +725,21 @@ "version": "9.7" }, "package": { - "name": "libxml2", - "version": "0:2.9.13-14.el9_7" + "name": "openssl", + "version": "3.5.1-4.el9_7" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-34459", + "vulnerabilityID": "CVE-2024-41996", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "a840257087cebda4", - "name": "libxml2", - "version": "2.9.13-14.el9_7", + "id": "9620df42e45abf0c", + "name": "openssl-libs", + "version": "1:3.5.1-4.el9_7", "type": "rpm", "locations": [ { 
@@ -819,86 +753,119 @@ ], "language": "", "licenses": [ - "MIT" + "Apache-2.0" ], "cpes": [ - "cpe:2.3:a:libxml2:libxml2:2.9.13-14.el9_7:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libxml2:2.9.13-14.el9_7:*:*:*:*:*:*:*" + "cpe:2.3:a:openssl-libs:openssl-libs:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl-libs:openssl_libs:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl_libs:openssl-libs:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl_libs:openssl_libs:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl:openssl-libs:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl:openssl_libs:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:openssl-libs:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:openssl_libs:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*" + ], + "purl": "pkg:rpm/redhat/openssl-libs@3.5.1-4.el9_7?arch=x86_64&distro=rhel-9.7&epoch=1&upstream=openssl-3.5.1-4.el9_7.src.rpm", + "upstreams": [ + { + "name": "openssl", + "version": "3.5.1-4.el9_7" + } ], - "purl": "pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=rhel-9.7&upstream=libxml2-2.9.13-14.el9_7.src.rpm", - "upstreams": [], "metadataType": "RpmMetadata", "metadata": { - "epoch": null, + "epoch": 1, "modularityLabel": "" } } }, { "vulnerability": { - "id": "CVE-2024-41996", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. 
This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", + "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, - "impactScore": 3.6 + "baseScore": 3.9, + "exploitabilityScore": 1.4, + "impactScore": 2.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ], "fix": { "versions": [], - "state": "wont-fix" + "state": "not-fixed" }, "advisories": [], - "risk": 0.30705000000000005 + "risk": 0.20009999999999997 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-41996", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", "namespace": "nvd:cpe", - "severity": "High", + "severity": "Medium", "urls": [ - "https://dheatattack.gitlab.io/details/", - "https://dheatattack.gitlab.io/faq/", - "https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" + "https://curl.se/docs/CVE-2024-9681.html", + "https://curl.se/docs/CVE-2024-9681.json", + "https://hackerone.com/reports/2764830", + "http://seclists.org/fulldisclosure/2025/Apr/10", + 
"http://seclists.org/fulldisclosure/2025/Apr/11", + "http://seclists.org/fulldisclosure/2025/Apr/12", + "http://seclists.org/fulldisclosure/2025/Apr/13", + "http://seclists.org/fulldisclosure/2025/Apr/4", + "http://seclists.org/fulldisclosure/2025/Apr/5", + "http://seclists.org/fulldisclosure/2025/Apr/8", + "http://seclists.org/fulldisclosure/2025/Apr/9", + "http://www.openwall.com/lists/oss-security/2024/11/06/2", + "https://security.netapp.com/advisory/ntap-20241213-0006/" ], - "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", + "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for 
by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.3, + "impactScore": 4.3 + }, + "vendorMetadata": {} + }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} @@ -906,25 +873,25 @@ ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ] } ], "matchDetails": [ { - "type": "exact-direct-match", + "type": "exact-indirect-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { 
@@ -932,21 +899,21 @@ "version": "9.7" }, "package": { - "name": "openssl", - "version": "1:3.5.1-4.el9_7" + "name": "curl", + "version": "7.76.1-34.el9" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-41996", + "vulnerabilityID": "CVE-2024-9681", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "25e16a00909d33d5", - "name": "openssl", - "version": "1:3.5.1-4.el9_7", + "id": "211bc8dbb2d0cae8", + "name": "curl-minimal", + "version": "7.76.1-34.el9", "type": "rpm", "locations": [ { 
@@ -960,86 +927,119 @@ ], "language": "", "licenses": [ - "Apache-2.0" + "MIT" ], "cpes": [ - "cpe:2.3:a:openssl:openssl:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:openssl:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*" + "cpe:2.3:a:curl-minimal:curl-minimal:7.76.1-34.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:curl-minimal:curl_minimal:7.76.1-34.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:curl_minimal:curl-minimal:7.76.1-34.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:curl_minimal:curl_minimal:7.76.1-34.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:curl-minimal:7.76.1-34.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:curl_minimal:7.76.1-34.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:curl:curl-minimal:7.76.1-34.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:curl:curl_minimal:7.76.1-34.el9:*:*:*:*:*:*:*" + ], + "purl": "pkg:rpm/redhat/curl-minimal@7.76.1-34.el9?arch=x86_64&distro=rhel-9.7&upstream=curl-7.76.1-34.el9.src.rpm", + "upstreams": [ + { + "name": "curl", + "version": "7.76.1-34.el9" + } ], - "purl": "pkg:rpm/redhat/openssl@3.5.1-4.el9_7?arch=x86_64&distro=rhel-9.7&epoch=1&upstream=openssl-3.5.1-4.el9_7.src.rpm", - "upstreams": [], "metadataType": "RpmMetadata", "metadata": { - "epoch": 1, + "epoch": null, "modularityLabel": "" } } }, { "vulnerability": { - "id": "CVE-2024-41996", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. 
This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", + "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, - "impactScore": 3.6 + "baseScore": 3.9, + "exploitabilityScore": 1.4, + "impactScore": 2.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ], "fix": { "versions": [], - "state": "wont-fix" + "state": "not-fixed" }, "advisories": [], - "risk": 0.30705000000000005 + "risk": 0.20009999999999997 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-41996", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", "namespace": "nvd:cpe", - "severity": "High", + "severity": "Medium", "urls": [ - "https://dheatattack.gitlab.io/details/", - "https://dheatattack.gitlab.io/faq/", - "https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" + "https://curl.se/docs/CVE-2024-9681.html", + "https://curl.se/docs/CVE-2024-9681.json", + "https://hackerone.com/reports/2764830", + "http://seclists.org/fulldisclosure/2025/Apr/10", + 
"http://seclists.org/fulldisclosure/2025/Apr/11", + "http://seclists.org/fulldisclosure/2025/Apr/12", + "http://seclists.org/fulldisclosure/2025/Apr/13", + "http://seclists.org/fulldisclosure/2025/Apr/4", + "http://seclists.org/fulldisclosure/2025/Apr/5", + "http://seclists.org/fulldisclosure/2025/Apr/8", + "http://seclists.org/fulldisclosure/2025/Apr/9", + "http://www.openwall.com/lists/oss-security/2024/11/06/2", + "https://security.netapp.com/advisory/ntap-20241213-0006/" ], - "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", + "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for 
by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.3, + "impactScore": 4.3 + }, + "vendorMetadata": {} + }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} @@ -1047,18 +1047,18 @@ ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ] } @@ -1073,21 +1073,21 @@ "version": "9.7" }, "package": { - "name": "openssl", - "version": "3.5.1-4.el9_7" + "name": "curl", + "version": "7.76.1-34.el9" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-41996", + "vulnerabilityID": "CVE-2024-9681", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "9620df42e45abf0c", - "name": "openssl-libs", - "version": "1:3.5.1-4.el9_7", + "id": "dbb58be7b5652cc7", + "name": "libcurl-minimal", + "version": "7.76.1-34.el9", "type": "rpm", "locations": [ { 
@@ -1101,28 +1101,28 @@ ], "language": "", "licenses": [ - "Apache-2.0" + "MIT" ], "cpes": [ - "cpe:2.3:a:openssl-libs:openssl-libs:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl-libs:openssl_libs:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl_libs:openssl-libs:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl_libs:openssl_libs:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl:openssl-libs:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl:openssl_libs:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:openssl-libs:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:openssl_libs:1\\:3.5.1-4.el9_7:*:*:*:*:*:*:*" + "cpe:2.3:a:libcurl-minimal:libcurl-minimal:7.76.1-34.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl-minimal:libcurl_minimal:7.76.1-34.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl_minimal:libcurl-minimal:7.76.1-34.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl_minimal:libcurl_minimal:7.76.1-34.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl:libcurl-minimal:7.76.1-34.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl:libcurl_minimal:7.76.1-34.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libcurl-minimal:7.76.1-34.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libcurl_minimal:7.76.1-34.el9:*:*:*:*:*:*:*" ], - "purl": "pkg:rpm/redhat/openssl-libs@3.5.1-4.el9_7?arch=x86_64&distro=rhel-9.7&epoch=1&upstream=openssl-3.5.1-4.el9_7.src.rpm", + "purl": "pkg:rpm/redhat/libcurl-minimal@7.76.1-34.el9?arch=x86_64&distro=rhel-9.7&upstream=curl-7.76.1-34.el9.src.rpm", "upstreams": [ { - "name": "openssl", - "version": "3.5.1-4.el9_7" + "name": "curl", + "version": "7.76.1-34.el9" } ], "metadataType": "RpmMetadata", "metadata": { - "epoch": 1, + "epoch": null, "modularityLabel": "" } } @@ -1152,8 +1152,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ], "fix": { 
@@ -1197,8 +1197,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ] } @@ -1292,8 +1292,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ], "fix": { @@ -1337,8 +1337,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ] } @@ -1432,8 +1432,8 @@ { "cve": "CVE-2025-14087", "epss": 0.00197, - "percentile": 0.41855, - "date": "2025-12-14" + "percentile": 0.41841, + "date": "2025-12-15" } ], "cwes": [ @@ -1480,8 +1480,8 @@ { "cve": "CVE-2025-14087", "epss": 0.00197, - "percentile": 0.41855, - "date": "2025-12-14" + "percentile": 0.41841, + "date": "2025-12-15" } ], "cwes": [ @@ -1572,8 +1572,8 @@ { "cve": "CVE-2023-32636", "epss": 0.00165, - "percentile": 0.38062, - "date": "2025-12-14" + "percentile": 0.38035, + "date": "2025-12-15" } ], "cwes": [ @@ -1639,8 +1639,8 @@ { "cve": "CVE-2023-32636", "epss": 0.00165, - "percentile": 0.38062, - "date": "2025-12-14" + "percentile": 0.38035, + "date": "2025-12-15" } ], "cwes": [ 
@@ -1714,20 +1714,20 @@ }, { "vulnerability": { - "id": "CVE-2025-1632", - "dataSource": "https://access.redhat.com/security/cve/CVE-2025-1632", + "id": "CVE-2025-27113", + "dataSource": "https://access.redhat.com/security/cve/CVE-2025-27113", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A flaw was found in the bsdunzip utility of libarchive. In affected versions, a specially crafted file may trigger a null pointer dereference. This issue can lead to an application crash or other unexpected behavior.", + "description": "A flaw was found in libxml2. This vulnerability allows a NULL pointer dereference, leading to a potential crash or denial of service via a crafted XML pattern.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L", "metrics": { - "baseScore": 3.3, - "exploitabilityScore": 1.9, + "baseScore": 3.1, + "exploitabilityScore": 1.7, "impactScore": 1.5 }, "vendorMetadata": {} @@ -1735,27 +1735,21 @@ ], "epss": [ { - "cve": "CVE-2025-1632", - "epss": 0.00188, - "percentile": 0.40872, - "date": "2025-12-14" + "cve": "CVE-2025-27113", + "epss": 0.00217, + "percentile": 0.44238, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-1632", - "cwe": "CWE-404", - "source": "cna@vuldb.com", - "type": "Secondary" - }, - { - "cve": "CVE-2025-1632", + "cve": "CVE-2025-27113", "cwe": "CWE-476", - "source": "cna@vuldb.com", + "source": "cve@mitre.org", "type": "Secondary" }, { - "cve": "CVE-2025-1632", + "cve": "CVE-2025-27113", "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" 
@@ -1766,92 +1760,71 @@ "state": "not-fixed" }, "advisories": [], - "risk": 0.05921999999999999 + "risk": 0.066185 }, "relatedVulnerabilities": [ { - "id": "CVE-2025-1632", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-1632", + "id": "CVE-2025-27113", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-27113", "namespace": "nvd:cpe", - "severity": "Medium", + "severity": "High", "urls": [ - "https://github.com/Ekkosun/pocs/blob/main/bsdunzip-poc", - "https://vuldb.com/?ctiid.296619", - "https://vuldb.com/?id.296619", - "https://vuldb.com/?submit.496460" + "https://gitlab.gnome.org/GNOME/libxml2/-/issues/861", + "http://seclists.org/fulldisclosure/2025/Apr/10", + "http://seclists.org/fulldisclosure/2025/Apr/11", + "http://seclists.org/fulldisclosure/2025/Apr/12", + "http://seclists.org/fulldisclosure/2025/Apr/13", + "http://seclists.org/fulldisclosure/2025/Apr/4", + "http://seclists.org/fulldisclosure/2025/Apr/5", + "http://seclists.org/fulldisclosure/2025/Apr/8", + "http://seclists.org/fulldisclosure/2025/Apr/9", + "https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html", + "https://security.netapp.com/advisory/ntap-20250306-0004/" ], - "description": "A vulnerability was found in libarchive up to 3.7.7. It has been classified as problematic. This affects the function list of the file bsdunzip.c. The manipulation leads to null pointer dereference. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. 
The vendor was contacted early about this disclosure but did not respond in any way.", + "description": "libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer dereference in xmlPatMatch in pattern.c.", "cvss": [ { "source": "nvd@nist.gov", "type": "Primary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 5.5, - "exploitabilityScore": 1.9, + "baseScore": 7.5, + "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} }, { - "source": "cna@vuldb.com", - "type": "Secondary", - "version": "4.0", - "vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", - "metrics": { - "baseScore": 4.8 - }, - "vendorMetadata": {} - }, - { - "source": "cna@vuldb.com", + "source": "cve@mitre.org", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "metrics": { - "baseScore": 3.3, - "exploitabilityScore": 1.9, + "baseScore": 2.9, + "exploitabilityScore": 1.5, "impactScore": 1.5 }, "vendorMetadata": {} - }, - { - "source": "cna@vuldb.com", - "type": "Secondary", - "version": "2.0", - "vector": "AV:L/AC:L/Au:S/C:N/I:N/A:P", - "metrics": { - "baseScore": 1.7, - "exploitabilityScore": 3.2, - "impactScore": 2.9 - }, - "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2025-1632", - "epss": 0.00188, - "percentile": 0.40872, - "date": "2025-12-14" + "cve": "CVE-2025-27113", + "epss": 0.00217, + "percentile": 0.44238, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-1632", - "cwe": "CWE-404", - "source": "cna@vuldb.com", - "type": "Secondary" - }, - { - "cve": "CVE-2025-1632", + "cve": "CVE-2025-27113", "cwe": "CWE-476", - "source": "cna@vuldb.com", + "source": "cve@mitre.org", "type": "Secondary" }, { - 
"cve": "CVE-2025-1632", + "cve": "CVE-2025-27113", "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" @@ -1869,21 +1842,21 @@ "version": "9.7" }, "package": { - "name": "libarchive", - "version": "0:3.5.3-6.el9_6" + "name": "libxml2", + "version": "0:2.9.13-14.el9_7" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2025-1632", + "vulnerabilityID": "CVE-2025-27113", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "df491715ef44a4eb", - "name": "libarchive", - "version": "3.5.3-6.el9_6", + "id": "a840257087cebda4", + "name": "libxml2", + "version": "2.9.13-14.el9_7", "type": "rpm", "locations": [ { @@ -1897,13 +1870,13 @@ ], "language": "", "licenses": [ - "BSD" + "MIT" ], "cpes": [ - "cpe:2.3:a:libarchive:libarchive:3.5.3-6.el9_6:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libarchive:3.5.3-6.el9_6:*:*:*:*:*:*:*" + "cpe:2.3:a:libxml2:libxml2:2.9.13-14.el9_7:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libxml2:2.9.13-14.el9_7:*:*:*:*:*:*:*" ], - "purl": "pkg:rpm/redhat/libarchive@3.5.3-6.el9_6?arch=x86_64&distro=rhel-9.7&upstream=libarchive-3.5.3-6.el9_6.src.rpm", + "purl": "pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=rhel-9.7&upstream=libxml2-2.9.13-14.el9_7.src.rpm", "upstreams": [], "metadataType": "RpmMetadata", "metadata": { 
@@ -1914,20 +1887,20 @@ }, { "vulnerability": { - "id": "CVE-2025-27113", - "dataSource": "https://access.redhat.com/security/cve/CVE-2025-27113", + "id": "CVE-2025-1632", + "dataSource": "https://access.redhat.com/security/cve/CVE-2025-1632", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A flaw was found in libxml2. This vulnerability allows a NULL pointer dereference, leading to a potential crash or denial of service via a crafted XML pattern.", + "description": "A flaw was found in the bsdunzip utility of libarchive. In affected versions, a specially crafted file may trigger a null pointer dereference. This issue can lead to an application crash or other unexpected behavior.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "metrics": { - "baseScore": 3.1, - "exploitabilityScore": 1.7, + "baseScore": 3.3, + "exploitabilityScore": 1.9, "impactScore": 1.5 }, "vendorMetadata": {} @@ -1935,21 +1908,27 @@ ], "epss": [ { - "cve": "CVE-2025-27113", - "epss": 0.00184, - "percentile": 0.40434, - "date": "2025-12-14" + "cve": "CVE-2025-1632", + "epss": 0.00188, + "percentile": 0.40856, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-27113", + "cve": "CVE-2025-1632", + "cwe": "CWE-404", + "source": "cna@vuldb.com", + "type": "Secondary" + }, + { + "cve": "CVE-2025-1632", "cwe": "CWE-476", - "source": "cve@mitre.org", + "source": "cna@vuldb.com", "type": "Secondary" }, { - "cve": "CVE-2025-27113", + "cve": "CVE-2025-1632", "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" 
@@ -1960,71 +1939,92 @@ "state": "not-fixed" }, "advisories": [], - "risk": 0.056119999999999996 + "risk": 0.05921999999999999 }, "relatedVulnerabilities": [ { - "id": "CVE-2025-27113", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-27113", + "id": "CVE-2025-1632", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-1632", "namespace": "nvd:cpe", - "severity": "High", + "severity": "Medium", "urls": [ - "https://gitlab.gnome.org/GNOME/libxml2/-/issues/861", - "http://seclists.org/fulldisclosure/2025/Apr/10", - "http://seclists.org/fulldisclosure/2025/Apr/11", - "http://seclists.org/fulldisclosure/2025/Apr/12", - "http://seclists.org/fulldisclosure/2025/Apr/13", - "http://seclists.org/fulldisclosure/2025/Apr/4", - "http://seclists.org/fulldisclosure/2025/Apr/5", - "http://seclists.org/fulldisclosure/2025/Apr/8", - "http://seclists.org/fulldisclosure/2025/Apr/9", - "https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html", - "https://security.netapp.com/advisory/ntap-20250306-0004/" + "https://github.com/Ekkosun/pocs/blob/main/bsdunzip-poc", + "https://vuldb.com/?ctiid.296619", + "https://vuldb.com/?id.296619", + "https://vuldb.com/?submit.496460" ], - "description": "libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer dereference in xmlPatMatch in pattern.c.", + "description": "A vulnerability was found in libarchive up to 3.7.7. It has been classified as problematic. This affects the function list of the file bsdunzip.c. The manipulation leads to null pointer dereference. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. 
The vendor was contacted early about this disclosure but did not respond in any way.", "cvss": [ { "source": "nvd@nist.gov", "type": "Primary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, + "baseScore": 5.5, + "exploitabilityScore": 1.9, "impactScore": 3.6 }, "vendorMetadata": {} }, { - "source": "cve@mitre.org", + "source": "cna@vuldb.com", + "type": "Secondary", + "version": "4.0", + "vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", + "metrics": { + "baseScore": 4.8 + }, + "vendorMetadata": {} + }, + { + "source": "cna@vuldb.com", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "metrics": { - "baseScore": 2.9, - "exploitabilityScore": 1.5, + "baseScore": 3.3, + "exploitabilityScore": 1.9, "impactScore": 1.5 }, "vendorMetadata": {} + }, + { + "source": "cna@vuldb.com", + "type": "Secondary", + "version": "2.0", + "vector": "AV:L/AC:L/Au:S/C:N/I:N/A:P", + "metrics": { + "baseScore": 1.7, + "exploitabilityScore": 3.2, + "impactScore": 2.9 + }, + "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2025-27113", - "epss": 0.00184, - "percentile": 0.40434, - "date": "2025-12-14" + "cve": "CVE-2025-1632", + "epss": 0.00188, + "percentile": 0.40856, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-27113", + "cve": "CVE-2025-1632", + "cwe": "CWE-404", + "source": "cna@vuldb.com", + "type": "Secondary" + }, + { + "cve": "CVE-2025-1632", "cwe": "CWE-476", - "source": "cve@mitre.org", + "source": "cna@vuldb.com", "type": "Secondary" }, { - "cve": "CVE-2025-27113", + "cve": "CVE-2025-1632", "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" 
@@ -2042,21 +2042,21 @@ "version": "9.7" }, "package": { - "name": "libxml2", - "version": "0:2.9.13-14.el9_7" + "name": "libarchive", + "version": "0:3.5.3-6.el9_6" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2025-27113", + "vulnerabilityID": "CVE-2025-1632", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "a840257087cebda4", - "name": "libxml2", - "version": "2.9.13-14.el9_7", + "id": "df491715ef44a4eb", + "name": "libarchive", + "version": "3.5.3-6.el9_6", "type": "rpm", "locations": [ { @@ -2070,13 +2070,13 @@ ], "language": "", "licenses": [ - "MIT" + "BSD" ], "cpes": [ - "cpe:2.3:a:libxml2:libxml2:2.9.13-14.el9_7:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libxml2:2.9.13-14.el9_7:*:*:*:*:*:*:*" + "cpe:2.3:a:libarchive:libarchive:3.5.3-6.el9_6:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libarchive:3.5.3-6.el9_6:*:*:*:*:*:*:*" ], - "purl": "pkg:rpm/redhat/libxml2@2.9.13-14.el9_7?arch=x86_64&distro=rhel-9.7&upstream=libxml2-2.9.13-14.el9_7.src.rpm", + "purl": "pkg:rpm/redhat/libarchive@3.5.3-6.el9_6?arch=x86_64&distro=rhel-9.7&upstream=libarchive-3.5.3-6.el9_6.src.rpm", "upstreams": [], "metadataType": "RpmMetadata", "metadata": { @@ -2110,8 +2110,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ], "fix": { @@ -2152,8 +2152,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ] } @@ -2247,8 +2247,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ], "fix": { @@ -2289,8 +2289,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ] } 
@@ -2384,8 +2384,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -2443,8 +2443,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -2535,8 +2535,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -2594,8 +2594,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -2697,8 +2697,8 @@ { "cve": "CVE-2023-45322", "epss": 0.00076, - "percentile": 0.23163, - "date": "2025-12-14" + "percentile": 0.2314, + "date": "2025-12-15" } ], "cwes": [ @@ -2747,8 +2747,8 @@ { "cve": "CVE-2023-45322", "epss": 0.00076, - "percentile": 0.23163, - "date": "2025-12-14" + "percentile": 0.2314, + "date": "2025-12-15" } ], "cwes": [ @@ -2839,8 +2839,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -2887,8 +2887,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -2979,8 +2979,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -3027,8 +3027,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -3130,8 +3130,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ], "fix": { 
@@ -3173,8 +3173,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ] } @@ -3268,8 +3268,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ], "fix": { @@ -3311,8 +3311,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ] } @@ -3406,8 +3406,8 @@ { "cve": "CVE-2025-3360", "epss": 0.00068, - "percentile": 0.2117, - "date": "2025-12-14" + "percentile": 0.21148, + "date": "2025-12-15" } ], "cwes": [ @@ -3455,8 +3455,8 @@ { "cve": "CVE-2025-3360", "epss": 0.00068, - "percentile": 0.2117, - "date": "2025-12-14" + "percentile": 0.21148, + "date": "2025-12-15" } ], "cwes": [ @@ -3547,8 +3547,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -3608,8 +3608,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -3705,8 +3705,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -3766,8 +3766,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -3863,8 +3863,8 @@ { "cve": "CVE-2025-14512", "epss": 0.00034, - "percentile": 0.09609, - "date": "2025-12-14" + "percentile": 0.09535, + "date": "2025-12-15" } ], "cwes": [ @@ -3911,8 +3911,8 @@ { "cve": "CVE-2025-14512", "epss": 0.00034, - "percentile": 0.09609, - "date": "2025-12-14" + "percentile": 0.09535, + "date": "2025-12-15" } ], "cwes": [ 
@@ -4006,8 +4006,8 @@ { "cve": "CVE-2025-29478", "epss": 0.00034, - "percentile": 0.09478, - "date": "2025-12-14" + "percentile": 0.09393, + "date": "2025-12-15" } ], "cwes": [ @@ -4098,8 +4098,8 @@ { "cve": "CVE-2023-4156", "epss": 0.00031, - "percentile": 0.08475, - "date": "2025-12-14" + "percentile": 0.08405, + "date": "2025-12-15" } ], "cwes": [ @@ -4164,8 +4164,8 @@ { "cve": "CVE-2023-4156", "epss": 0.00031, - "percentile": 0.08475, - "date": "2025-12-14" + "percentile": 0.08405, + "date": "2025-12-15" } ], "cwes": [ @@ -4262,8 +4262,8 @@ { "cve": "CVE-2025-60753", "epss": 0.0002, - "percentile": 0.04699, - "date": "2025-12-14" + "percentile": 0.04656, + "date": "2025-12-15" } ], "cwes": [ @@ -4316,8 +4316,8 @@ { "cve": "CVE-2025-60753", "epss": 0.0002, - "percentile": 0.04699, - "date": "2025-12-14" + "percentile": 0.04656, + "date": "2025-12-15" } ], "cwes": [ @@ -4417,8 +4417,8 @@ { "cve": "CVE-2025-29477", "epss": 0.00019, - "percentile": 0.04132, - "date": "2025-12-14" + "percentile": 0.04084, + "date": "2025-12-15" } ], "cwes": [ @@ -4509,8 +4509,8 @@ { "cve": "CVE-2025-13601", "epss": 0.00015, - "percentile": 0.02458, - "date": "2025-12-14" + "percentile": 0.0245, + "date": "2025-12-15" } ], "cwes": [ @@ -4559,8 +4559,8 @@ { "cve": "CVE-2025-13601", "epss": 0.00015, - "percentile": 0.02458, - "date": "2025-12-14" + "percentile": 0.0245, + "date": "2025-12-15" } ], "cwes": [ @@ -4651,8 +4651,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ], "fix": { @@ -4693,8 +4693,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ] } @@ -4788,8 +4788,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ], "fix": { 
@@ -4830,8 +4830,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ] } @@ -4925,8 +4925,8 @@ { "cve": "CVE-2025-5915", "epss": 0.00026, - "percentile": 0.06449, - "date": "2025-12-14" + "percentile": 0.06425, + "date": "2025-12-15" } ], "cwes": [ @@ -4987,8 +4987,8 @@ { "cve": "CVE-2025-5915", "epss": 0.00026, - "percentile": 0.06449, - "date": "2025-12-14" + "percentile": 0.06425, + "date": "2025-12-15" } ], "cwes": [ @@ -5079,8 +5079,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -5132,8 +5132,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -5224,8 +5224,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -5277,8 +5277,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -5380,8 +5380,8 @@ { "cve": "CVE-2025-5916", "epss": 0.00023, - "percentile": 0.05378, - "date": "2025-12-14" + "percentile": 0.05349, + "date": "2025-12-15" } ], "cwes": [ @@ -5442,8 +5442,8 @@ { "cve": "CVE-2025-5916", "epss": 0.00023, - "percentile": 0.05378, - "date": "2025-12-14" + "percentile": 0.05349, + "date": "2025-12-15" } ], "cwes": [ @@ -5534,8 +5534,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -5582,8 +5582,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ 
@@ -5679,8 +5679,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -5727,8 +5727,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -5824,8 +5824,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -5872,8 +5872,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -5969,8 +5969,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -6017,8 +6017,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -6114,8 +6114,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -6162,8 +6162,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -6259,8 +6259,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -6307,8 +6307,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -6405,8 +6405,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ 
@@ -6453,8 +6453,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -6560,8 +6560,8 @@ { "cve": "CVE-2025-5278", "epss": 0.00016, - "percentile": 0.02784, - "date": "2025-12-14" + "percentile": 0.02777, + "date": "2025-12-15" } ], "cwes": [ @@ -6614,8 +6614,8 @@ { "cve": "CVE-2025-5278", "epss": 0.00016, - "percentile": 0.02784, - "date": "2025-12-14" + "percentile": 0.02777, + "date": "2025-12-15" } ], "cwes": [ @@ -6717,8 +6717,8 @@ { "cve": "CVE-2023-30571", "epss": 0.00014, - "percentile": 0.02021, - "date": "2025-12-14" + "percentile": 0.02012, + "date": "2025-12-15" } ], "cwes": [ @@ -6783,8 +6783,8 @@ { "cve": "CVE-2023-30571", "epss": 0.00014, - "percentile": 0.02021, - "date": "2025-12-14" + "percentile": 0.02012, + "date": "2025-12-15" } ], "cwes": [ @@ -6881,8 +6881,8 @@ { "cve": "CVE-2025-30258", "epss": 0.00025, - "percentile": 0.05983, - "date": "2025-12-14" + "percentile": 0.0597, + "date": "2025-12-15" } ], "cwes": [ @@ -6942,8 +6942,8 @@ { "cve": "CVE-2025-30258", "epss": 0.00025, - "percentile": 0.05983, - "date": "2025-12-14" + "percentile": 0.0597, + "date": "2025-12-15" } ], "cwes": [ @@ -7034,8 +7034,8 @@ { "cve": "CVE-2024-0232", "epss": 0.00018, - "percentile": 0.03785, - "date": "2025-12-14" + "percentile": 0.03749, + "date": "2025-12-15" } ], "cwes": [ @@ -7102,8 +7102,8 @@ { "cve": "CVE-2024-0232", "epss": 0.00018, - "percentile": 0.03785, - "date": "2025-12-14" + "percentile": 0.03749, + "date": "2025-12-15" } ], "cwes": [ @@ -7211,8 +7211,8 @@ { "cve": "CVE-2025-5918", "epss": 0.00019, - "percentile": 0.04307, - "date": "2025-12-14" + "percentile": 0.04264, + "date": "2025-12-15" } ], "cwes": [ @@ -7273,8 +7273,8 @@ { "cve": "CVE-2025-5918", "epss": 0.00019, - "percentile": 0.04307, - "date": "2025-12-14" + "percentile": 0.04264, + "date": "2025-12-15" } ], "cwes": [ 
@@ -7365,8 +7365,8 @@ { "cve": "CVE-2022-3219", "epss": 0.00012, - "percentile": 0.01397, - "date": "2025-12-14" + "percentile": 0.01394, + "date": "2025-12-15" } ], "cwes": [ @@ -7435,8 +7435,8 @@ { "cve": "CVE-2022-3219", "epss": 0.00012, - "percentile": 0.01397, - "date": "2025-12-14" + "percentile": 0.01394, + "date": "2025-12-15" } ], "cwes": [ @@ -7533,8 +7533,8 @@ { "cve": "CVE-2025-5917", "epss": 0.00019, - "percentile": 0.04396, - "date": "2025-12-14" + "percentile": 0.04351, + "date": "2025-12-15" } ], "cwes": [ @@ -7595,8 +7595,8 @@ { "cve": "CVE-2025-5917", "epss": 0.00019, - "percentile": 0.04396, - "date": "2025-12-14" + "percentile": 0.04351, + "date": "2025-12-15" } ], "cwes": [ @@ -7687,8 +7687,8 @@ { "cve": "CVE-2025-66382", "epss": 0.00017, - "percentile": 0.03397, - "date": "2025-12-14" + "percentile": 0.03381, + "date": "2025-12-15" } ], "cwes": [ @@ -7735,8 +7735,8 @@ { "cve": "CVE-2025-66382", "epss": 0.00017, - "percentile": 0.03397, - "date": "2025-12-14" + "percentile": 0.03381, + "date": "2025-12-15" } ], "cwes": [ @@ -7827,8 +7827,8 @@ { "cve": "CVE-2025-6170", "epss": 0.00017, - "percentile": 0.03384, - "date": "2025-12-14" + "percentile": 0.03368, + "date": "2025-12-15" } ], "cwes": [ @@ -7888,8 +7888,8 @@ { "cve": "CVE-2025-6170", "epss": 0.00017, - "percentile": 0.03384, - "date": "2025-12-14" + "percentile": 0.03368, + "date": "2025-12-15" } ], "cwes": [ 
@@ -8440,87 +8440,87 @@ "db": { "status": { "schemaVersion": "v6.1.3", - "from": "https://grype.anchore.io/databases/v6/vulnerability-db_v6.1.3_2025-12-15T00:26:22Z_1765786837.tar.zst?checksum=sha256%3A819b50d22f073b9ab2ad3c00d212207037c07e1de037f81b528b58717b758db2", - "built": "2025-12-15T08:20:37Z", + "from": "https://grype.anchore.io/databases/v6/vulnerability-db_v6.1.3_2025-12-16T00:25:11Z_1765880790.tar.zst?checksum=sha256%3Aa8bb3ef2cc68f242e78cda1e451f290ff56a23b1063de65d22a0ac20e16ae5bd", + "built": "2025-12-16T10:26:30Z", "path": ".cache/grype/db/6/vulnerability.db", "valid": true }, "providers": { "alma": { - "captured": "2025-12-15T00:26:29Z", + "captured": "2025-12-16T00:25:17Z", "input": "xxh64:3bae44c7a22f7a7a" }, "alpine": { - "captured": "2025-12-15T00:26:22Z", - "input": "xxh64:a6910ebae352b990" + "captured": "2025-12-16T00:25:13Z", + "input": "xxh64:0d94cc3d895e96e4" }, "amazon": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:d9332811ab10da09" + "captured": "2025-12-16T00:25:14Z", + "input": "xxh64:96351b3c21f16cdd" }, "bitnami": { - "captured": "2025-12-15T00:26:31Z", - "input": "xxh64:1ecf12b668dea077" + "captured": "2025-12-16T00:25:26Z", + "input": "xxh64:01d096e52d6c584d" }, "chainguard": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:c788b1823558ccdc" + "captured": "2025-12-16T00:25:19Z", + "input": "xxh64:aeb142b1fabd05ef" }, "chainguard-libraries": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:61125e10198fff74" + "captured": "2025-12-16T00:25:25Z", + "input": "xxh64:131c1a3e98113468" }, "debian": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:3a0aef0ee5db3f38" + "captured": "2025-12-16T00:25:24Z", + "input": "xxh64:9c5942d58a5f0d0a" }, "echo": { - "captured": "2025-12-15T00:26:34Z", - "input": "xxh64:b407f1052619408a" + "captured": "2025-12-16T00:25:20Z", + "input": "xxh64:e65ed35a7a7899d0" }, "epss": { - "captured": "2025-12-15T00:26:28Z", - "input": "xxh64:05fd1e2ee709d2a5" + "captured": 
"2025-12-16T00:25:21Z", + "input": "xxh64:c443dbaf0209cf17" }, "github": { - "captured": "2025-12-15T00:26:44Z", - "input": "xxh64:3c7fd996a88f1c66" + "captured": "2025-12-16T00:25:21Z", + "input": "xxh64:640038905439d285" }, "kev": { - "captured": "2025-12-15T00:26:23Z", - "input": "xxh64:ed425533655d771d" + "captured": "2025-12-16T00:25:11Z", + "input": "xxh64:c28f5b32e2103243" }, "mariner": { - "captured": "2025-12-15T00:26:32Z", - "input": "xxh64:6fdbff1192df3158" + "captured": "2025-12-16T00:25:18Z", + "input": "xxh64:647810a8c07a63eb" }, "minimos": { - "captured": "2025-12-15T00:26:30Z", - "input": "xxh64:66fa9397e7abbbe3" + "captured": "2025-12-16T00:25:20Z", + "input": "xxh64:24ca3b7889974a27" }, "nvd": { - "captured": "2025-12-15T00:29:34Z", - "input": "xxh64:52a15157244d2eb4" + "captured": "2025-12-16T00:28:18Z", + "input": "xxh64:8ee1877e9a9e680b" }, "oracle": { - "captured": "2025-12-15T00:26:29Z", - "input": "xxh64:a3297070ed6c54c1" + "captured": "2025-12-16T00:25:23Z", + "input": "xxh64:a4416b6b3e4250df" }, "rhel": { - "captured": "2025-12-15T00:27:19Z", - "input": "xxh64:e625d0086bf187f1" + "captured": "2025-12-16T00:26:07Z", + "input": "xxh64:9911b1a567d8f57c" }, "sles": { - "captured": "2025-12-15T00:26:44Z", - "input": "xxh64:baf8228a110f8ba2" + "captured": "2025-12-16T00:25:43Z", + "input": "xxh64:1b717d5f2e45fdee" }, "ubuntu": { - "captured": "2025-12-15T00:27:45Z", - "input": "xxh64:dd0f79d777310979" + "captured": "2025-12-16T00:27:14Z", + "input": "xxh64:2d3097578288b46f" }, "wolfi": { - "captured": "2025-12-15T00:26:25Z", - "input": "xxh64:7f14313934ae61bb" + "captured": "2025-12-16T00:25:19Z", + "input": "xxh64:f85923693eb62700" } } } diff --git a/docs/security/agent/grype-25.12.3.md b/docs/security/agent/grype-25.12.3.md index a6a01f8..c9b0d52 100644 --- a/docs/security/agent/grype-25.12.3.md +++ b/docs/security/agent/grype-25.12.3.md 
@@ -27,16 +27,16 @@ Refer to the [triaged vulnerabilities](https://docs.fluent.do/security/triaged.h | sqlite-libs | 3.34.1-9.el9_7 | [CVE-2025-52099](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-52099) | Medium | | curl-minimal | 7.76.1-34.el9 | [CVE-2024-7264](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7264) | Low | | libcurl-minimal | 7.76.1-34.el9 | [CVE-2024-7264](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7264) | Low | -| curl-minimal | 7.76.1-34.el9 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | -| libcurl-minimal | 7.76.1-34.el9 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | | libxml2 | 2.9.13-14.el9_7 | [CVE-2024-34459](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34459) | Low | | openssl | 1:3.5.1-4.el9_7 | [CVE-2024-41996](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41996) | Low | | openssl-libs | 1:3.5.1-4.el9_7 | [CVE-2024-41996](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41996) | Low | +| curl-minimal | 7.76.1-34.el9 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | +| libcurl-minimal | 7.76.1-34.el9 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | | curl-minimal | 7.76.1-34.el9 | [CVE-2024-11053](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-11053) | Low | | libcurl-minimal | 7.76.1-34.el9 | [CVE-2024-11053](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-11053) | Low | | glib2 | 2.68.4-18.el9_7 | [CVE-2023-32636](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32636) | Low | -| libarchive | 3.5.3-6.el9_6 | [CVE-2025-1632](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1632) | Low | | libxml2 | 2.9.13-14.el9_7 | [CVE-2025-27113](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27113) | Low | +| libarchive | 3.5.3-6.el9_6 | 
[CVE-2025-1632](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1632) | Low | | openssl | 1:3.5.1-4.el9_7 | [CVE-2024-13176](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13176) | Low | | openssl-libs | 1:3.5.1-4.el9_7 | [CVE-2024-13176](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13176) | Low | | libxml2 | 2.9.13-14.el9_7 | [CVE-2023-45322](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45322) | Low | diff --git a/docs/security/agent/grype-25.7.1.json b/docs/security/agent/grype-25.7.1.json index a44be7a..af0cfd2 100644 --- a/docs/security/agent/grype-25.7.1.json +++ b/docs/security/agent/grype-25.7.1.json @@ -25,8 +25,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -91,8 +91,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -194,8 +194,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -260,8 +260,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -363,8 +363,8 @@ { "cve": "CVE-2024-56433", "epss": 0.05074, - "percentile": 0.8942, - "date": "2025-12-14" + "percentile": 0.89421, + "date": "2025-12-15" } ], "cwes": [ @@ -426,8 +426,8 @@ { "cve": "CVE-2024-56433", "epss": 0.05074, - "percentile": 0.8942, - "date": "2025-12-14" + "percentile": 0.89421, + "date": "2025-12-15" } ], "cwes": [ @@ -527,8 +527,8 @@ { "cve": "CVE-2024-52533", "epss": 0.02455, - "percentile": 0.8475, - "date": "2025-12-14" + "percentile": 0.84749, + "date": "2025-12-15" } ], "cwes": [ 
@@ -593,8 +593,8 @@ { "cve": "CVE-2024-52533", "epss": 0.02455, - "percentile": 0.8475, - "date": "2025-12-14" + "percentile": 0.84749, + "date": "2025-12-15" } ], "cwes": [ @@ -665,39 +665,39 @@ }, { "vulnerability": { - "id": "CVE-2024-9681", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", + "id": "CVE-2024-34459", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-34459", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", + "description": "A flaw was found in the xmllint program distributed by the libxml2 package. A buffer over-read in the xmlHTMLPrintFileContext function in the xmllint.c file may be triggered when a crafted file is processed with the xmllint program using the `--htmlout` command line option, causing an application crash and resulting in a denial of service.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 3.9, - "exploitabilityScore": 1.4, - "impactScore": 2.6 + "baseScore": 5.5, + "exploitabilityScore": 1.9, + "impactScore": 3.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-34459", + "epss": 0.00847, + "percentile": 0.74212, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-34459", + "cwe": "CWE-122", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ], "fix": { 
@@ -705,51 +705,36 @@ "state": "not-fixed" }, "advisories": [], - "risk": 0.422625 + "risk": 0.35997500000000004 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-9681", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", + "id": "CVE-2024-34459", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-34459", "namespace": "nvd:cpe", - "severity": "Medium", + "severity": "High", "urls": [ - "https://curl.se/docs/CVE-2024-9681.html", - "https://curl.se/docs/CVE-2024-9681.json", - "https://hackerone.com/reports/2764830", - "http://seclists.org/fulldisclosure/2025/Apr/10", - "http://seclists.org/fulldisclosure/2025/Apr/11", - "http://seclists.org/fulldisclosure/2025/Apr/12", - "http://seclists.org/fulldisclosure/2025/Apr/13", - "http://seclists.org/fulldisclosure/2025/Apr/4", - "http://seclists.org/fulldisclosure/2025/Apr/5", - "http://seclists.org/fulldisclosure/2025/Apr/8", - "http://seclists.org/fulldisclosure/2025/Apr/9", - "http://www.openwall.com/lists/oss-security/2024/11/06/2", - "https://security.netapp.com/advisory/ntap-20241213-0006/" + "https://gitlab.gnome.org/GNOME/libxml2/-/issues/720", + "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.8", + "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.7", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/", + "https://lists.debian.org/debian-lts-announce/2025/07/msg00014.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", + 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/" ], - "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", + "description": "An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. 
Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c.", "cvss": [ - { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", - "metrics": { - "baseScore": 6.5, - "exploitabilityScore": 2.3, - "impactScore": 4.3 - }, - "vendorMetadata": {} - }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, + "baseScore": 7.5, + "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} @@ -757,25 +742,25 @@ ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-34459", + "epss": 0.00847, + "percentile": 0.74212, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-34459", + "cwe": "CWE-122", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ] } ], "matchDetails": [ { - "type": "exact-indirect-match", + "type": "exact-direct-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { @@ -783,21 +768,21 @@ "version": "9.6" }, "package": { - "name": "curl", - "version": "7.76.1-31.el9" + "name": "libxml2", + "version": "0:2.9.13-10.el9_6" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-9681", + "vulnerabilityID": "CVE-2024-34459", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "6b7ebba723f3d1d6", - "name": "curl-minimal", - "version": "7.76.1-31.el9", + "id": "cad7c140298c7fa1", + "name": "libxml2", + "version": "2.9.13-10.el9_6", "type": "rpm", "locations": [ { 
@@ -814,22 +799,11 @@ "MIT" ], "cpes": [ - "cpe:2.3:a:curl-minimal:curl-minimal:7.76.1-31.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:curl-minimal:curl_minimal:7.76.1-31.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:curl_minimal:curl-minimal:7.76.1-31.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:curl_minimal:curl_minimal:7.76.1-31.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:curl-minimal:7.76.1-31.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:curl_minimal:7.76.1-31.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:curl:curl-minimal:7.76.1-31.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:curl:curl_minimal:7.76.1-31.el9:*:*:*:*:*:*:*" - ], - "purl": "pkg:rpm/redhat/curl-minimal@7.76.1-31.el9?arch=x86_64&distro=rhel-9.6&upstream=curl-7.76.1-31.el9.src.rpm", - "upstreams": [ - { - "name": "curl", - "version": "7.76.1-31.el9" - } + "cpe:2.3:a:libxml2:libxml2:2.9.13-10.el9_6:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libxml2:2.9.13-10.el9_6:*:*:*:*:*:*:*" ], + "purl": "pkg:rpm/redhat/libxml2@2.9.13-10.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libxml2-2.9.13-10.el9_6.src.rpm", + "upstreams": [], "metadataType": "RpmMetadata", "metadata": { "epoch": null, 
@@ -839,91 +813,69 @@ }, { "vulnerability": { - "id": "CVE-2024-9681", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", + "id": "CVE-2024-41996", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", + "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 3.9, - "exploitabilityScore": 1.4, - "impactScore": 2.6 + "baseScore": 5.9, + "exploitabilityScore": 2.3, + "impactScore": 3.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-41996", + "cwe": "CWE-295", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ], "fix": { "versions": [], - "state": "not-fixed" + "state": "wont-fix" }, "advisories": [], - "risk": 0.422625 + "risk": 0.30705000000000005 }, 
"relatedVulnerabilities": [ { - "id": "CVE-2024-9681", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", + "id": "CVE-2024-41996", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", "namespace": "nvd:cpe", - "severity": "Medium", + "severity": "High", "urls": [ - "https://curl.se/docs/CVE-2024-9681.html", - "https://curl.se/docs/CVE-2024-9681.json", - "https://hackerone.com/reports/2764830", - "http://seclists.org/fulldisclosure/2025/Apr/10", - "http://seclists.org/fulldisclosure/2025/Apr/11", - "http://seclists.org/fulldisclosure/2025/Apr/12", - "http://seclists.org/fulldisclosure/2025/Apr/13", - "http://seclists.org/fulldisclosure/2025/Apr/4", - "http://seclists.org/fulldisclosure/2025/Apr/5", - "http://seclists.org/fulldisclosure/2025/Apr/8", - "http://seclists.org/fulldisclosure/2025/Apr/9", - "http://www.openwall.com/lists/oss-security/2024/11/06/2", - "https://security.netapp.com/advisory/ntap-20241213-0006/" + "https://dheatattack.gitlab.io/details/", + "https://dheatattack.gitlab.io/faq/", + "https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" ], - "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug 
is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", + "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", "cvss": [ - { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", - "metrics": { - "baseScore": 6.5, - "exploitabilityScore": 2.3, - "impactScore": 4.3 - }, - "vendorMetadata": {} - }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, + "baseScore": 7.5, + "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} 
@@ -931,25 +883,25 @@ ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-41996", + "cwe": "CWE-295", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ] } ], "matchDetails": [ { - "type": "exact-indirect-match", + "type": "exact-direct-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { @@ -957,21 +909,21 @@ "version": "9.6" }, "package": { - "name": "curl", - "version": "7.76.1-31.el9" + "name": "openssl", + "version": "1:3.2.2-6.el9_5.1" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-9681", + "vulnerabilityID": "CVE-2024-41996", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "b20b4850f0fa0e54", - "name": "libcurl-minimal", - "version": "7.76.1-31.el9", + "id": "7dc75dc862d10c78", + "name": "openssl", + "version": "1:3.2.2-6.el9_5.1", "type": "rpm", "locations": [ { 
@@ -985,48 +937,37 @@ ], "language": "", "licenses": [ - "MIT" + "ASL 2.0" ], "cpes": [ - "cpe:2.3:a:libcurl-minimal:libcurl-minimal:7.76.1-31.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl-minimal:libcurl_minimal:7.76.1-31.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl_minimal:libcurl-minimal:7.76.1-31.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl_minimal:libcurl_minimal:7.76.1-31.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl:libcurl-minimal:7.76.1-31.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl:libcurl_minimal:7.76.1-31.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libcurl-minimal:7.76.1-31.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libcurl_minimal:7.76.1-31.el9:*:*:*:*:*:*:*" - ], - "purl": "pkg:rpm/redhat/libcurl-minimal@7.76.1-31.el9?arch=x86_64&distro=rhel-9.6&upstream=curl-7.76.1-31.el9.src.rpm", - "upstreams": [ - { - "name": "curl", - "version": "7.76.1-31.el9" - } + "cpe:2.3:a:openssl:openssl:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:openssl:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*" ], + "purl": "pkg:rpm/redhat/openssl@3.2.2-6.el9_5.1?arch=x86_64&distro=rhel-9.6&epoch=1&upstream=openssl-3.2.2-6.el9_5.1.src.rpm", + "upstreams": [], "metadataType": "RpmMetadata", "metadata": { - "epoch": null, + "epoch": 1, "modularityLabel": "" } } }, { "vulnerability": { - "id": "CVE-2024-34459", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-34459", + "id": "CVE-2024-41996", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A flaw was found in the xmllint program distributed by the libxml2 package. 
A buffer over-read in the xmlHTMLPrintFileContext function in the xmllint.c file may be triggered when a crafted file is processed with the xmllint program using the `--htmlout` command line option, causing an application crash and resulting in a denial of service.", + "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 5.5, - "exploitabilityScore": 1.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} 
@@ -1034,52 +975,45 @@ ], "epss": [ { - "cve": "CVE-2024-34459", - "epss": 0.00847, - "percentile": 0.74208, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-34459", - "cwe": "CWE-122", + "cve": "CVE-2024-41996", + "cwe": "CWE-295", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ], "fix": { "versions": [], - "state": "not-fixed" + "state": "wont-fix" }, "advisories": [], - "risk": 0.35997500000000004 + "risk": 0.30705000000000005 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-34459", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-34459", + "id": "CVE-2024-41996", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", "namespace": "nvd:cpe", "severity": "High", "urls": [ - "https://gitlab.gnome.org/GNOME/libxml2/-/issues/720", - "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.8", - "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.7", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/", - "https://lists.debian.org/debian-lts-announce/2025/07/msg00014.html", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/" + "https://dheatattack.gitlab.io/details/", + "https://dheatattack.gitlab.io/faq/", + 
"https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" ], - "description": "An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c.", + "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", "cvss": [ { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { "baseScore": 7.5, "exploitabilityScore": 3.9, @@ -1090,16 +1024,16 @@ ], "epss": [ { - "cve": "CVE-2024-34459", - "epss": 0.00847, - "percentile": 0.74208, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-34459", - "cwe": "CWE-122", + "cve": "CVE-2024-41996", + "cwe": "CWE-295", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } @@ -1108,7 +1042,7 @@ ], "matchDetails": [ { - "type": "exact-direct-match", + "type": "exact-indirect-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { 
@@ -1116,21 +1050,21 @@ "version": "9.6" }, "package": { - "name": "libxml2", - "version": "0:2.9.13-10.el9_6" + "name": "openssl", + "version": "3.2.2-6.el9_5.1" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-34459", + "vulnerabilityID": "CVE-2024-41996", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "cad7c140298c7fa1", - "name": "libxml2", - "version": "2.9.13-10.el9_6", + "id": "58e683943e8aac02", + "name": "openssl-libs", + "version": "1:3.2.2-6.el9_5.1", "type": "rpm", "locations": [ { 
@@ -1144,86 +1078,119 @@ ], "language": "", "licenses": [ - "MIT" + "ASL 2.0" ], "cpes": [ - "cpe:2.3:a:libxml2:libxml2:2.9.13-10.el9_6:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libxml2:2.9.13-10.el9_6:*:*:*:*:*:*:*" + "cpe:2.3:a:openssl-libs:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl-libs:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl_libs:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl_libs:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:rpm/redhat/openssl-libs@3.2.2-6.el9_5.1?arch=x86_64&distro=rhel-9.6&epoch=1&upstream=openssl-3.2.2-6.el9_5.1.src.rpm", + "upstreams": [ + { + "name": "openssl", + "version": "3.2.2-6.el9_5.1" + } ], - "purl": "pkg:rpm/redhat/libxml2@2.9.13-10.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libxml2-2.9.13-10.el9_6.src.rpm", - "upstreams": [], "metadataType": "RpmMetadata", "metadata": { - "epoch": null, + "epoch": 1, "modularityLabel": "" } } }, { "vulnerability": { - "id": "CVE-2024-41996", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. 
This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", + "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, - "impactScore": 3.6 + "baseScore": 3.9, + "exploitabilityScore": 1.4, + "impactScore": 2.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ], "fix": { "versions": [], - "state": "wont-fix" + "state": "not-fixed" }, "advisories": [], - "risk": 0.30705000000000005 + "risk": 0.20009999999999997 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-41996", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", "namespace": "nvd:cpe", - "severity": "High", + "severity": "Medium", "urls": [ - "https://dheatattack.gitlab.io/details/", - "https://dheatattack.gitlab.io/faq/", - "https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" + "https://curl.se/docs/CVE-2024-9681.html", + "https://curl.se/docs/CVE-2024-9681.json", + "https://hackerone.com/reports/2764830", + "http://seclists.org/fulldisclosure/2025/Apr/10", + 
"http://seclists.org/fulldisclosure/2025/Apr/11", + "http://seclists.org/fulldisclosure/2025/Apr/12", + "http://seclists.org/fulldisclosure/2025/Apr/13", + "http://seclists.org/fulldisclosure/2025/Apr/4", + "http://seclists.org/fulldisclosure/2025/Apr/5", + "http://seclists.org/fulldisclosure/2025/Apr/8", + "http://seclists.org/fulldisclosure/2025/Apr/9", + "http://www.openwall.com/lists/oss-security/2024/11/06/2", + "https://security.netapp.com/advisory/ntap-20241213-0006/" ], - "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", + "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for 
by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.3, + "impactScore": 4.3 + }, + "vendorMetadata": {} + }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} @@ -1231,25 +1198,25 @@ ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ] } ], "matchDetails": [ { - "type": "exact-direct-match", + "type": "exact-indirect-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { 
@@ -1257,21 +1224,21 @@ "version": "9.6" }, "package": { - "name": "openssl", - "version": "1:3.2.2-6.el9_5.1" + "name": "curl", + "version": "7.76.1-31.el9" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-41996", + "vulnerabilityID": "CVE-2024-9681", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "7dc75dc862d10c78", - "name": "openssl", - "version": "1:3.2.2-6.el9_5.1", + "id": "6b7ebba723f3d1d6", + "name": "curl-minimal", + "version": "7.76.1-31.el9", "type": "rpm", "locations": [ { 
@@ -1285,86 +1252,119 @@ ], "language": "", "licenses": [ - "ASL 2.0" + "MIT" ], "cpes": [ - "cpe:2.3:a:openssl:openssl:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:openssl:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*" + "cpe:2.3:a:curl-minimal:curl-minimal:7.76.1-31.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:curl-minimal:curl_minimal:7.76.1-31.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:curl_minimal:curl-minimal:7.76.1-31.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:curl_minimal:curl_minimal:7.76.1-31.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:curl-minimal:7.76.1-31.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:curl_minimal:7.76.1-31.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:curl:curl-minimal:7.76.1-31.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:curl:curl_minimal:7.76.1-31.el9:*:*:*:*:*:*:*" + ], + "purl": "pkg:rpm/redhat/curl-minimal@7.76.1-31.el9?arch=x86_64&distro=rhel-9.6&upstream=curl-7.76.1-31.el9.src.rpm", + "upstreams": [ + { + "name": "curl", + "version": "7.76.1-31.el9" + } ], - "purl": "pkg:rpm/redhat/openssl@3.2.2-6.el9_5.1?arch=x86_64&distro=rhel-9.6&epoch=1&upstream=openssl-3.2.2-6.el9_5.1.src.rpm", - "upstreams": [], "metadataType": "RpmMetadata", "metadata": { - "epoch": 1, + "epoch": null, "modularityLabel": "" } } }, { "vulnerability": { - "id": "CVE-2024-41996", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. 
This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", + "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, - "impactScore": 3.6 + "baseScore": 3.9, + "exploitabilityScore": 1.4, + "impactScore": 2.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ], "fix": { "versions": [], - "state": "wont-fix" + "state": "not-fixed" }, "advisories": [], - "risk": 0.30705000000000005 + "risk": 0.20009999999999997 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-41996", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", "namespace": "nvd:cpe", - "severity": "High", + "severity": "Medium", "urls": [ - "https://dheatattack.gitlab.io/details/", - "https://dheatattack.gitlab.io/faq/", - "https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" + "https://curl.se/docs/CVE-2024-9681.html", + "https://curl.se/docs/CVE-2024-9681.json", + "https://hackerone.com/reports/2764830", + "http://seclists.org/fulldisclosure/2025/Apr/10", + 
"http://seclists.org/fulldisclosure/2025/Apr/11", + "http://seclists.org/fulldisclosure/2025/Apr/12", + "http://seclists.org/fulldisclosure/2025/Apr/13", + "http://seclists.org/fulldisclosure/2025/Apr/4", + "http://seclists.org/fulldisclosure/2025/Apr/5", + "http://seclists.org/fulldisclosure/2025/Apr/8", + "http://seclists.org/fulldisclosure/2025/Apr/9", + "http://www.openwall.com/lists/oss-security/2024/11/06/2", + "https://security.netapp.com/advisory/ntap-20241213-0006/" ], - "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", + "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for 
by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.3, + "impactScore": 4.3 + }, + "vendorMetadata": {} + }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} @@ -1372,18 +1372,18 @@ ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ] } @@ -1398,21 +1398,21 @@ "version": "9.6" }, "package": { - "name": "openssl", - "version": "3.2.2-6.el9_5.1" + "name": "curl", + "version": "7.76.1-31.el9" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-41996", + "vulnerabilityID": "CVE-2024-9681", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "58e683943e8aac02", - "name": "openssl-libs", - "version": "1:3.2.2-6.el9_5.1", + "id": "b20b4850f0fa0e54", + "name": "libcurl-minimal", + "version": "7.76.1-31.el9", "type": "rpm", "locations": [ { 
@@ -1426,28 +1426,28 @@ ], "language": "", "licenses": [ - "ASL 2.0" + "MIT" ], "cpes": [ - "cpe:2.3:a:openssl-libs:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl-libs:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl_libs:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl_libs:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*" + "cpe:2.3:a:libcurl-minimal:libcurl-minimal:7.76.1-31.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl-minimal:libcurl_minimal:7.76.1-31.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl_minimal:libcurl-minimal:7.76.1-31.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl_minimal:libcurl_minimal:7.76.1-31.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl:libcurl-minimal:7.76.1-31.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl:libcurl_minimal:7.76.1-31.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libcurl-minimal:7.76.1-31.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libcurl_minimal:7.76.1-31.el9:*:*:*:*:*:*:*" ], - "purl": "pkg:rpm/redhat/openssl-libs@3.2.2-6.el9_5.1?arch=x86_64&distro=rhel-9.6&epoch=1&upstream=openssl-3.2.2-6.el9_5.1.src.rpm", + "purl": "pkg:rpm/redhat/libcurl-minimal@7.76.1-31.el9?arch=x86_64&distro=rhel-9.6&upstream=curl-7.76.1-31.el9.src.rpm", "upstreams": [ { - "name": "openssl", - "version": "3.2.2-6.el9_5.1" + "name": "curl", + "version": "7.76.1-31.el9" } ], "metadataType": "RpmMetadata", "metadata": { - "epoch": 1, + "epoch": null, "modularityLabel": "" } } @@ -1477,8 +1477,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ], "fix": { 
@@ -1522,8 +1522,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ] } @@ -1617,8 +1617,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ], "fix": { @@ -1662,8 +1662,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ] } @@ -1757,8 +1757,8 @@ { "cve": "CVE-2025-14087", "epss": 0.00197, - "percentile": 0.41855, - "date": "2025-12-14" + "percentile": 0.41841, + "date": "2025-12-15" } ], "cwes": [ @@ -1805,8 +1805,8 @@ { "cve": "CVE-2025-14087", "epss": 0.00197, - "percentile": 0.41855, - "date": "2025-12-14" + "percentile": 0.41841, + "date": "2025-12-15" } ], "cwes": [ 
@@ -1895,22 +1895,187 @@ ], "epss": [ { - "cve": "CVE-2023-32636", - "epss": 0.00165, - "percentile": 0.38062, - "date": "2025-12-14" + "cve": "CVE-2023-32636", + "epss": 0.00165, + "percentile": 0.38035, + "date": "2025-12-15" + } + ], + "cwes": [ + { + "cve": "CVE-2023-32636", + "cwe": "CWE-400", + "source": "secalert@redhat.com", + "type": "Secondary" + }, + { + "cve": "CVE-2023-32636", + "cwe": "CWE-502", + "source": "nvd@nist.gov", + "type": "Primary" + } + ], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [], + "risk": 0.0759 + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-32636", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-32636", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://gitlab.gnome.org/GNOME/glib/-/issues/2841", + "https://https://discourse.gnome.org/t/multiple-fixes-for-gvariant-normalisation-issues-in-glib/12835", + "https://security.netapp.com/advisory/ntap-20231110-0002/" + ], + "description": "A flaw was found in glib, where the gvariant deserialization code is vulnerable to a denial of service introduced by additional input validation added to resolve CVE-2023-29499. The offset table validation may be very slow. 
This bug does not affect any released version of glib but does affect glib distributors who followed the guidance of glib developers to backport the initial fix for CVE-2023-29499.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + }, + { + "source": "secalert@redhat.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 4.7, + "exploitabilityScore": 1.1, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ], + "epss": [ + { + "cve": "CVE-2023-32636", + "epss": 0.00165, + "percentile": 0.38035, + "date": "2025-12-15" + } + ], + "cwes": [ + { + "cve": "CVE-2023-32636", + "cwe": "CWE-400", + "source": "secalert@redhat.com", + "type": "Secondary" + }, + { + "cve": "CVE-2023-32636", + "cwe": "CWE-502", + "source": "nvd@nist.gov", + "type": "Primary" + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "rpm-matcher", + "searchedBy": { + "distro": { + "type": "redhat", + "version": "9.6" + }, + "package": { + "name": "glib2", + "version": "0:2.68.4-16.el9" + }, + "namespace": "redhat:distro:redhat:9" + }, + "found": { + "vulnerabilityID": "CVE-2023-32636", + "versionConstraint": "none (unknown)" + } + } + ], + "artifact": { + "id": "04574712e6ead30e", + "name": "glib2", + "version": "2.68.4-16.el9", + "type": "rpm", + "locations": [ + { + "path": "/var/lib/rpm/rpmdb.sqlite", + "layerID": "sha256:9f0b79be8c39d3327229ddefe91179edad3699b9049708d43623f4203b3b67fb", + "accessPath": "/var/lib/rpm/rpmdb.sqlite", + "annotations": { + "evidence": "primary" + } + } + ], + "language": "", + "licenses": [ + "LGPLv2+" + ], + "cpes": [ + "cpe:2.3:a:redhat:glib2:2.68.4-16.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:glib2:glib2:2.68.4-16.el9:*:*:*:*:*:*:*" + ], + "purl": 
"pkg:rpm/redhat/glib2@2.68.4-16.el9?arch=x86_64&distro=rhel-9.6&upstream=glib2-2.68.4-16.el9.src.rpm", + "upstreams": [], + "metadataType": "RpmMetadata", + "metadata": { + "epoch": null, + "modularityLabel": "" + } + } + }, + { + "vulnerability": { + "id": "CVE-2025-27113", + "dataSource": "https://access.redhat.com/security/cve/CVE-2025-27113", + "namespace": "redhat:distro:redhat:9", + "severity": "Low", + "urls": [], + "description": "A flaw was found in libxml2. This vulnerability allows a NULL pointer dereference, leading to a potential crash or denial of service via a crafted XML pattern.", + "cvss": [ + { + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L", + "metrics": { + "baseScore": 3.1, + "exploitabilityScore": 1.7, + "impactScore": 1.5 + }, + "vendorMetadata": {} + } + ], + "epss": [ + { + "cve": "CVE-2025-27113", + "epss": 0.00217, + "percentile": 0.44238, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2023-32636", - "cwe": "CWE-400", - "source": "secalert@redhat.com", + "cve": "CVE-2025-27113", + "cwe": "CWE-476", + "source": "cve@mitre.org", "type": "Secondary" }, { - "cve": "CVE-2023-32636", - "cwe": "CWE-502", + "cve": "CVE-2025-27113", + "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" } 
@@ -1920,20 +2085,28 @@ "state": "not-fixed" }, "advisories": [], - "risk": 0.0759 + "risk": 0.066185 }, "relatedVulnerabilities": [ { - "id": "CVE-2023-32636", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-32636", + "id": "CVE-2025-27113", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-27113", "namespace": "nvd:cpe", "severity": "High", "urls": [ - "https://gitlab.gnome.org/GNOME/glib/-/issues/2841", - "https://https://discourse.gnome.org/t/multiple-fixes-for-gvariant-normalisation-issues-in-glib/12835", - "https://security.netapp.com/advisory/ntap-20231110-0002/" + "https://gitlab.gnome.org/GNOME/libxml2/-/issues/861", + "http://seclists.org/fulldisclosure/2025/Apr/10", + "http://seclists.org/fulldisclosure/2025/Apr/11", + "http://seclists.org/fulldisclosure/2025/Apr/12", + "http://seclists.org/fulldisclosure/2025/Apr/13", + "http://seclists.org/fulldisclosure/2025/Apr/4", + "http://seclists.org/fulldisclosure/2025/Apr/5", + "http://seclists.org/fulldisclosure/2025/Apr/8", + "http://seclists.org/fulldisclosure/2025/Apr/9", + "https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html", + "https://security.netapp.com/advisory/ntap-20250306-0004/" ], - "description": "A flaw was found in glib, where the gvariant deserialization code is vulnerable to a denial of service introduced by additional input validation added to resolve CVE-2023-29499. The offset table validation may be very slow. This bug does not affect any released version of glib but does affect glib distributors who followed the guidance of glib developers to backport the initial fix for CVE-2023-29499.", + "description": "libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer dereference in xmlPatMatch in pattern.c.", "cvss": [ { "source": "nvd@nist.gov", 
@@ -1948,36 +2121,36 @@ "vendorMetadata": {} }, { - "source": "secalert@redhat.com", + "source": "cve@mitre.org", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "metrics": { - "baseScore": 4.7, - "exploitabilityScore": 1.1, - "impactScore": 3.6 + "baseScore": 2.9, + "exploitabilityScore": 1.5, + "impactScore": 1.5 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2023-32636", - "epss": 0.00165, - "percentile": 0.38062, - "date": "2025-12-14" + "cve": "CVE-2025-27113", + "epss": 0.00217, + "percentile": 0.44238, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2023-32636", - "cwe": "CWE-400", - "source": "secalert@redhat.com", + "cve": "CVE-2025-27113", + "cwe": "CWE-476", + "source": "cve@mitre.org", "type": "Secondary" }, { - "cve": "CVE-2023-32636", - "cwe": "CWE-502", + "cve": "CVE-2025-27113", + "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" } @@ -1994,21 +2167,21 @@ "version": "9.6" }, "package": { - "name": "glib2", - "version": "0:2.68.4-16.el9" + "name": "libxml2", + "version": "0:2.9.13-10.el9_6" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2023-32636", + "vulnerabilityID": "CVE-2025-27113", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "04574712e6ead30e", - "name": "glib2", - "version": "2.68.4-16.el9", + "id": "cad7c140298c7fa1", + "name": "libxml2", + "version": "2.9.13-10.el9_6", "type": "rpm", "locations": [ { 
@@ -2022,13 +2195,13 @@ ], "language": "", "licenses": [ - "LGPLv2+" + "MIT" ], "cpes": [ - "cpe:2.3:a:redhat:glib2:2.68.4-16.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:glib2:glib2:2.68.4-16.el9:*:*:*:*:*:*:*" + "cpe:2.3:a:libxml2:libxml2:2.9.13-10.el9_6:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libxml2:2.9.13-10.el9_6:*:*:*:*:*:*:*" ], - "purl": "pkg:rpm/redhat/glib2@2.68.4-16.el9?arch=x86_64&distro=rhel-9.6&upstream=glib2-2.68.4-16.el9.src.rpm", + "purl": "pkg:rpm/redhat/libxml2@2.9.13-10.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libxml2-2.9.13-10.el9_6.src.rpm", "upstreams": [], "metadataType": "RpmMetadata", "metadata": { @@ -2062,8 +2235,8 @@ { "cve": "CVE-2025-32990", "epss": 0.0011, - "percentile": 0.30071, - "date": "2025-12-14" + "percentile": 0.3004, + "date": "2025-12-15" } ], "cwes": [ @@ -2146,8 +2319,8 @@ { "cve": "CVE-2025-32990", "epss": 0.0011, - "percentile": 0.30071, - "date": "2025-12-14" + "percentile": 0.3004, + "date": "2025-12-15" } ], "cwes": [ @@ -2241,8 +2414,8 @@ { "cve": "CVE-2025-1632", "epss": 0.00188, - "percentile": 0.40872, - "date": "2025-12-14" + "percentile": 0.40856, + "date": "2025-12-15" } ], "cwes": [ @@ -2337,8 +2510,8 @@ { "cve": "CVE-2025-1632", "epss": 0.00188, - "percentile": 0.40872, - "date": "2025-12-14" + "percentile": 0.40856, + "date": "2025-12-15" } ], "cwes": [ @@ -2441,8 +2614,8 @@ { "cve": "CVE-2025-4373", "epss": 0.00119, - "percentile": 0.31646, - "date": "2025-12-14" + "percentile": 0.31597, + "date": "2025-12-15" } ], "cwes": [ 
@@ -2472,236 +2645,60 @@ "link": "https://access.redhat.com/errata/RHSA-2025:11140" } ], - "risk": 0.05831 - }, - "relatedVulnerabilities": [ - { - "id": "CVE-2025-4373", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-4373", - "namespace": "nvd:cpe", - "severity": "Medium", - "urls": [ - "https://access.redhat.com/errata/RHSA-2025:10855", - "https://access.redhat.com/errata/RHSA-2025:11140", - "https://access.redhat.com/errata/RHSA-2025:11327", - "https://access.redhat.com/errata/RHSA-2025:11373", - "https://access.redhat.com/errata/RHSA-2025:11374", - "https://access.redhat.com/errata/RHSA-2025:11662", - "https://access.redhat.com/errata/RHSA-2025:12275", - "https://access.redhat.com/errata/RHSA-2025:13335", - "https://access.redhat.com/errata/RHSA-2025:14988", - "https://access.redhat.com/errata/RHSA-2025:14989", - "https://access.redhat.com/errata/RHSA-2025:14990", - "https://access.redhat.com/errata/RHSA-2025:14991", - "https://access.redhat.com/security/cve/CVE-2025-4373", - "https://bugzilla.redhat.com/show_bug.cgi?id=2364265", - "https://gitlab.gnome.org/GNOME/glib/-/issues/3677" - ], - "description": "A flaw was found in GLib, which is vulnerable to an integer overflow in the g_string_insert_unichar() function. 
When the position at which to insert the character is large, the position will overflow, leading to a buffer underwrite.", - "cvss": [ - { - "source": "secalert@redhat.com", - "type": "Secondary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L", - "metrics": { - "baseScore": 4.8, - "exploitabilityScore": 2.3, - "impactScore": 2.6 - }, - "vendorMetadata": {} - } - ], - "epss": [ - { - "cve": "CVE-2025-4373", - "epss": 0.00119, - "percentile": 0.31646, - "date": "2025-12-14" - } - ], - "cwes": [ - { - "cve": "CVE-2025-4373", - "cwe": "CWE-124", - "source": "secalert@redhat.com", - "type": "Secondary" - } - ] - } - ], - "matchDetails": [ - { - "type": "exact-direct-match", - "matcher": "rpm-matcher", - "searchedBy": { - "distro": { - "type": "redhat", - "version": "9.6" - }, - "package": { - "name": "glib2", - "version": "0:2.68.4-16.el9" - }, - "namespace": "redhat:distro:redhat:9" - }, - "found": { - "vulnerabilityID": "CVE-2025-4373", - "versionConstraint": "< 0:2.68.4-16.el9_6.2 (rpm)" - }, - "fix": { - "suggestedVersion": "0:2.68.4-16.el9_6.2" - } - } - ], - "artifact": { - "id": "04574712e6ead30e", - "name": "glib2", - "version": "2.68.4-16.el9", - "type": "rpm", - "locations": [ - { - "path": "/var/lib/rpm/rpmdb.sqlite", - "layerID": "sha256:9f0b79be8c39d3327229ddefe91179edad3699b9049708d43623f4203b3b67fb", - "accessPath": "/var/lib/rpm/rpmdb.sqlite", - "annotations": { - "evidence": "primary" - } - } - ], - "language": "", - "licenses": [ - "LGPLv2+" - ], - "cpes": [ - "cpe:2.3:a:redhat:glib2:2.68.4-16.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:glib2:glib2:2.68.4-16.el9:*:*:*:*:*:*:*" - ], - "purl": "pkg:rpm/redhat/glib2@2.68.4-16.el9?arch=x86_64&distro=rhel-9.6&upstream=glib2-2.68.4-16.el9.src.rpm", - "upstreams": [], - "metadataType": "RpmMetadata", - "metadata": { - "epoch": null, - "modularityLabel": "" - } - } - }, - { - "vulnerability": { - "id": "CVE-2025-27113", - "dataSource": 
"https://access.redhat.com/security/cve/CVE-2025-27113", - "namespace": "redhat:distro:redhat:9", - "severity": "Low", - "urls": [], - "description": "A flaw was found in libxml2. This vulnerability allows a NULL pointer dereference, leading to a potential crash or denial of service via a crafted XML pattern.", - "cvss": [ - { - "type": "Secondary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L", - "metrics": { - "baseScore": 3.1, - "exploitabilityScore": 1.7, - "impactScore": 1.5 - }, - "vendorMetadata": {} - } - ], - "epss": [ - { - "cve": "CVE-2025-27113", - "epss": 0.00184, - "percentile": 0.40434, - "date": "2025-12-14" - } - ], - "cwes": [ - { - "cve": "CVE-2025-27113", - "cwe": "CWE-476", - "source": "cve@mitre.org", - "type": "Secondary" - }, - { - "cve": "CVE-2025-27113", - "cwe": "CWE-476", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "fix": { - "versions": [], - "state": "not-fixed" - }, - "advisories": [], - "risk": 0.056119999999999996 - }, - "relatedVulnerabilities": [ - { - "id": "CVE-2025-27113", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-27113", - "namespace": "nvd:cpe", - "severity": "High", - "urls": [ - "https://gitlab.gnome.org/GNOME/libxml2/-/issues/861", - "http://seclists.org/fulldisclosure/2025/Apr/10", - "http://seclists.org/fulldisclosure/2025/Apr/11", - "http://seclists.org/fulldisclosure/2025/Apr/12", - "http://seclists.org/fulldisclosure/2025/Apr/13", - "http://seclists.org/fulldisclosure/2025/Apr/4", - "http://seclists.org/fulldisclosure/2025/Apr/5", - "http://seclists.org/fulldisclosure/2025/Apr/8", - "http://seclists.org/fulldisclosure/2025/Apr/9", - "https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html", - "https://security.netapp.com/advisory/ntap-20250306-0004/" + "risk": 0.05831 + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2025-4373", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-4373", + "namespace": "nvd:cpe", + "severity": 
"Medium", + "urls": [ + "https://access.redhat.com/errata/RHSA-2025:10855", + "https://access.redhat.com/errata/RHSA-2025:11140", + "https://access.redhat.com/errata/RHSA-2025:11327", + "https://access.redhat.com/errata/RHSA-2025:11373", + "https://access.redhat.com/errata/RHSA-2025:11374", + "https://access.redhat.com/errata/RHSA-2025:11662", + "https://access.redhat.com/errata/RHSA-2025:12275", + "https://access.redhat.com/errata/RHSA-2025:13335", + "https://access.redhat.com/errata/RHSA-2025:14988", + "https://access.redhat.com/errata/RHSA-2025:14989", + "https://access.redhat.com/errata/RHSA-2025:14990", + "https://access.redhat.com/errata/RHSA-2025:14991", + "https://access.redhat.com/security/cve/CVE-2025-4373", + "https://bugzilla.redhat.com/show_bug.cgi?id=2364265", + "https://gitlab.gnome.org/GNOME/glib/-/issues/3677" ], - "description": "libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer dereference in xmlPatMatch in pattern.c.", + "description": "A flaw was found in GLib, which is vulnerable to an integer overflow in the g_string_insert_unichar() function. 
When the position at which to insert the character is large, the position will overflow, leading to a buffer underwrite.", "cvss": [ { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, - "impactScore": 3.6 - }, - "vendorMetadata": {} - }, - { - "source": "cve@mitre.org", + "source": "secalert@redhat.com", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L", "metrics": { - "baseScore": 2.9, - "exploitabilityScore": 1.5, - "impactScore": 1.5 + "baseScore": 4.8, + "exploitabilityScore": 2.3, + "impactScore": 2.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2025-27113", - "epss": 0.00184, - "percentile": 0.40434, - "date": "2025-12-14" + "cve": "CVE-2025-4373", + "epss": 0.00119, + "percentile": 0.31597, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-27113", - "cwe": "CWE-476", - "source": "cve@mitre.org", + "cve": "CVE-2025-4373", + "cwe": "CWE-124", + "source": "secalert@redhat.com", "type": "Secondary" - }, - { - "cve": "CVE-2025-27113", - "cwe": "CWE-476", - "source": "nvd@nist.gov", - "type": "Primary" } ] } @@ -2716,21 +2713,24 @@ "version": "9.6" }, "package": { - "name": "libxml2", - "version": "0:2.9.13-10.el9_6" + "name": "glib2", + "version": "0:2.68.4-16.el9" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2025-27113", - "versionConstraint": "none (unknown)" + "vulnerabilityID": "CVE-2025-4373", + "versionConstraint": "< 0:2.68.4-16.el9_6.2 (rpm)" + }, + "fix": { + "suggestedVersion": "0:2.68.4-16.el9_6.2" } } ], "artifact": { - "id": "cad7c140298c7fa1", - "name": "libxml2", - "version": "2.9.13-10.el9_6", + "id": "04574712e6ead30e", + "name": "glib2", + "version": "2.68.4-16.el9", "type": "rpm", "locations": [ { 
@@ -2744,13 +2744,13 @@ ], "language": "", "licenses": [ - "MIT" + "LGPLv2+" ], "cpes": [ - "cpe:2.3:a:libxml2:libxml2:2.9.13-10.el9_6:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libxml2:2.9.13-10.el9_6:*:*:*:*:*:*:*" + "cpe:2.3:a:redhat:glib2:2.68.4-16.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:glib2:glib2:2.68.4-16.el9:*:*:*:*:*:*:*" ], - "purl": "pkg:rpm/redhat/libxml2@2.9.13-10.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libxml2-2.9.13-10.el9_6.src.rpm", + "purl": "pkg:rpm/redhat/glib2@2.68.4-16.el9?arch=x86_64&distro=rhel-9.6&upstream=glib2-2.68.4-16.el9.src.rpm", "upstreams": [], "metadataType": "RpmMetadata", "metadata": { @@ -2784,8 +2784,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ], "fix": { @@ -2826,8 +2826,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ] } @@ -2921,8 +2921,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ], "fix": { @@ -2963,8 +2963,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ] } @@ -3058,8 +3058,8 @@ { "cve": "CVE-2025-32988", "epss": 0.00083, - "percentile": 0.24589, - "date": "2025-12-14" + "percentile": 0.24562, + "date": "2025-12-15" } ], "cwes": [ @@ -3142,8 +3142,8 @@ { "cve": "CVE-2025-32988", "epss": 0.00083, - "percentile": 0.24589, - "date": "2025-12-14" + "percentile": 0.24562, + "date": "2025-12-15" } ], "cwes": [ @@ -3237,8 +3237,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ 
@@ -3296,8 +3296,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -3388,8 +3388,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -3447,8 +3447,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -3550,8 +3550,8 @@ { "cve": "CVE-2025-5914", "epss": 0.00054, - "percentile": 0.17051, - "date": "2025-12-14" + "percentile": 0.17023, + "date": "2025-12-15" } ], "cwes": [ @@ -3651,8 +3651,8 @@ { "cve": "CVE-2025-5914", "epss": 0.00054, - "percentile": 0.17051, - "date": "2025-12-14" + "percentile": 0.17023, + "date": "2025-12-15" } ], "cwes": [ @@ -3746,8 +3746,8 @@ { "cve": "CVE-2025-4207", "epss": 0.00067, - "percentile": 0.2082, - "date": "2025-12-14" + "percentile": 0.20798, + "date": "2025-12-15" } ], "cwes": [ @@ -3795,8 +3795,8 @@ { "cve": "CVE-2025-4207", "epss": 0.00067, - "percentile": 0.2082, - "date": "2025-12-14" + "percentile": 0.20798, + "date": "2025-12-15" } ], "cwes": [ @@ -3887,8 +3887,8 @@ { "cve": "CVE-2022-29458", "epss": 0.00079, - "percentile": 0.23835, - "date": "2025-12-14" + "percentile": 0.23812, + "date": "2025-12-15" } ], "cwes": [ @@ -3983,8 +3983,8 @@ { "cve": "CVE-2022-29458", "epss": 0.00079, - "percentile": 0.23835, - "date": "2025-12-14" + "percentile": 0.23812, + "date": "2025-12-15" } ], "cwes": [ @@ -4095,8 +4095,8 @@ { "cve": "CVE-2022-29458", "epss": 0.00079, - "percentile": 0.23835, - "date": "2025-12-14" + "percentile": 0.23812, + "date": "2025-12-15" } ], "cwes": [ 
@@ -4128,84 +4128,237 @@ }, "advisories": [ { - "id": "RHSA-2025:12876", - "link": "https://access.redhat.com/errata/RHSA-2025:12876" + "id": "RHSA-2025:12876", + "link": "https://access.redhat.com/errata/RHSA-2025:12876" + } + ], + "risk": 0.035945 + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-29458", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-29458", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://seclists.org/fulldisclosure/2022/Oct/28", + "http://seclists.org/fulldisclosure/2022/Oct/41", + "https://lists.debian.org/debian-lts-announce/2022/10/msg00037.html", + "https://lists.gnu.org/archive/html/bug-ncurses/2022-04/msg00014.html", + "https://lists.gnu.org/archive/html/bug-ncurses/2022-04/msg00016.html", + "https://support.apple.com/kb/HT213488" + ], + "description": "ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H", + "metrics": { + "baseScore": 7.1, + "exploitabilityScore": 1.9, + "impactScore": 5.2 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:P", + "metrics": { + "baseScore": 5.8, + "exploitabilityScore": 8.6, + "impactScore": 5 + }, + "vendorMetadata": {} + }, + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H", + "metrics": { + "baseScore": 7.1, + "exploitabilityScore": 1.9, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ], + "epss": [ + { + "cve": "CVE-2022-29458", + "epss": 0.00079, + "percentile": 0.23812, + "date": "2025-12-15" + } + ], + "cwes": [ + { + "cve": "CVE-2022-29458", + "cwe": "CWE-125", + "source": "nvd@nist.gov", + "type": "Primary" + }, 
+ { + "cve": "CVE-2022-29458", + "cwe": "CWE-125", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "rpm-matcher", + "searchedBy": { + "distro": { + "type": "redhat", + "version": "9.6" + }, + "package": { + "name": "ncurses", + "version": "6.2-10.20210508.el9" + }, + "namespace": "redhat:distro:redhat:9" + }, + "found": { + "vulnerabilityID": "CVE-2022-29458", + "versionConstraint": "< 0:6.2-10.20210508.el9_6.2 (rpm)" + }, + "fix": { + "suggestedVersion": "0:6.2-10.20210508.el9_6.2" + } + } + ], + "artifact": { + "id": "f3ef10418ec3cca6", + "name": "ncurses-libs", + "version": "6.2-10.20210508.el9", + "type": "rpm", + "locations": [ + { + "path": "/var/lib/rpm/rpmdb.sqlite", + "layerID": "sha256:9f0b79be8c39d3327229ddefe91179edad3699b9049708d43623f4203b3b67fb", + "accessPath": "/var/lib/rpm/rpmdb.sqlite", + "annotations": { + "evidence": "primary" + } + } + ], + "language": "", + "licenses": [ + "MIT" + ], + "cpes": [ + "cpe:2.3:a:ncurses-libs:ncurses-libs:6.2-10.20210508.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:ncurses-libs:ncurses_libs:6.2-10.20210508.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:ncurses_libs:ncurses-libs:6.2-10.20210508.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:ncurses_libs:ncurses_libs:6.2-10.20210508.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:ncurses:ncurses-libs:6.2-10.20210508.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:ncurses:ncurses_libs:6.2-10.20210508.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:ncurses-libs:6.2-10.20210508.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:ncurses_libs:6.2-10.20210508.el9:*:*:*:*:*:*:*" + ], + "purl": "pkg:rpm/redhat/ncurses-libs@6.2-10.20210508.el9?arch=x86_64&distro=rhel-9.6&upstream=ncurses-6.2-10.20210508.el9.src.rpm", + "upstreams": [ + { + "name": "ncurses", + "version": "6.2-10.20210508.el9" + } + ], + "metadataType": "RpmMetadata", + "metadata": { + "epoch": null, + "modularityLabel": "" + } + } + }, + { + "vulnerability": { + "id": 
"CVE-2025-12818", + "dataSource": "https://access.redhat.com/security/cve/CVE-2025-12818", + "namespace": "redhat:distro:redhat:9", + "severity": "Medium", + "urls": [], + "description": "A vulnerability has been identified in PostgreSQL’s libpq client library, where integer wraparound in several allocation-size calculations allows a peer or input provider to cause an undersized buffer and then write out-of-bounds by hundreds of megabytes. This can lead to a client application segmentation fault or crash when using libpq to connect to a PostgreSQL server.", + "cvss": [ + { + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ], + "epss": [ + { + "cve": "CVE-2025-12818", + "epss": 0.00057, + "percentile": 0.1792, + "date": "2025-12-15" } ], - "risk": 0.035945 + "cwes": [ + { + "cve": "CVE-2025-12818", + "cwe": "CWE-190", + "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", + "type": "Secondary" + } + ], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [], + "risk": 0.035625000000000004 }, "relatedVulnerabilities": [ { - "id": "CVE-2022-29458", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-29458", + "id": "CVE-2025-12818", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-12818", "namespace": "nvd:cpe", - "severity": "High", + "severity": "Medium", "urls": [ - "http://seclists.org/fulldisclosure/2022/Oct/28", - "http://seclists.org/fulldisclosure/2022/Oct/41", - "https://lists.debian.org/debian-lts-announce/2022/10/msg00037.html", - "https://lists.gnu.org/archive/html/bug-ncurses/2022-04/msg00014.html", - "https://lists.gnu.org/archive/html/bug-ncurses/2022-04/msg00016.html", - "https://support.apple.com/kb/HT213488" + "https://www.postgresql.org/support/security/CVE-2025-12818/" ], - "description": "ncurses 6.3 before patch 20220416 has an out-of-bounds 
read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library.", + "description": "Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application using libpq. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.", "cvss": [ { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H", - "metrics": { - "baseScore": 7.1, - "exploitabilityScore": 1.9, - "impactScore": 5.2 - }, - "vendorMetadata": {} - }, - { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "2.0", - "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:P", - "metrics": { - "baseScore": 5.8, - "exploitabilityScore": 8.6, - "impactScore": 5 - }, - "vendorMetadata": {} - }, - { - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 7.1, - "exploitabilityScore": 1.9, - "impactScore": 5.2 + "baseScore": 5.9, + "exploitabilityScore": 2.3, + "impactScore": 3.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2022-29458", - "epss": 0.00079, - "percentile": 0.23835, - "date": "2025-12-14" + "cve": "CVE-2025-12818", + "epss": 0.00057, + "percentile": 0.1792, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2022-29458", - "cwe": "CWE-125", - "source": "nvd@nist.gov", - "type": "Primary" - }, - { - "cve": "CVE-2022-29458", - "cwe": "CWE-125", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "cve": "CVE-2025-12818", + "cwe": "CWE-190", + "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "type": "Secondary" } ] 
@@ -4213,7 +4366,7 @@ ], "matchDetails": [ { - "type": "exact-indirect-match", + "type": "exact-direct-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { @@ -4221,24 +4374,21 @@ "version": "9.6" }, "package": { - "name": "ncurses", - "version": "6.2-10.20210508.el9" + "name": "libpq", + "version": "0:13.20-1.el9_5" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2022-29458", - "versionConstraint": "< 0:6.2-10.20210508.el9_6.2 (rpm)" - }, - "fix": { - "suggestedVersion": "0:6.2-10.20210508.el9_6.2" + "vulnerabilityID": "CVE-2025-12818", + "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "f3ef10418ec3cca6", - "name": "ncurses-libs", - "version": "6.2-10.20210508.el9", + "id": "9e9440b1f6d978f7", + "name": "libpq", + "version": "13.20-1.el9_5", "type": "rpm", "locations": [ { 
@@ -4252,25 +4402,14 @@ ], "language": "", "licenses": [ - "MIT" + "PostgreSQL" ], "cpes": [ - "cpe:2.3:a:ncurses-libs:ncurses-libs:6.2-10.20210508.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:ncurses-libs:ncurses_libs:6.2-10.20210508.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:ncurses_libs:ncurses-libs:6.2-10.20210508.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:ncurses_libs:ncurses_libs:6.2-10.20210508.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:ncurses:ncurses-libs:6.2-10.20210508.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:ncurses:ncurses_libs:6.2-10.20210508.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:ncurses-libs:6.2-10.20210508.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:ncurses_libs:6.2-10.20210508.el9:*:*:*:*:*:*:*" - ], - "purl": "pkg:rpm/redhat/ncurses-libs@6.2-10.20210508.el9?arch=x86_64&distro=rhel-9.6&upstream=ncurses-6.2-10.20210508.el9.src.rpm", - "upstreams": [ - { - "name": "ncurses", - "version": "6.2-10.20210508.el9" - } + "cpe:2.3:a:redhat:libpq:13.20-1.el9_5:*:*:*:*:*:*:*", + "cpe:2.3:a:libpq:libpq:13.20-1.el9_5:*:*:*:*:*:*:*" ], + "purl": "pkg:rpm/redhat/libpq@13.20-1.el9_5?arch=x86_64&distro=rhel-9.6&upstream=libpq-13.20-1.el9_5.src.rpm", + "upstreams": [], "metadataType": "RpmMetadata", "metadata": { "epoch": null, @@ -4303,8 +4442,8 @@ { "cve": "CVE-2025-6395", "epss": 0.00059, - "percentile": 0.18686, - "date": "2025-12-14" + "percentile": 0.18672, + "date": "2025-12-15" } ], "cwes": [ @@ -4375,8 +4514,8 @@ { "cve": "CVE-2025-6395", "epss": 0.00059, - "percentile": 0.18686, - "date": "2025-12-14" + "percentile": 0.18672, + "date": "2025-12-15" } ], "cwes": [ @@ -4470,8 +4609,8 @@ { "cve": "CVE-2023-45322", "epss": 0.00076, - "percentile": 0.23163, - "date": "2025-12-14" + "percentile": 0.2314, + "date": "2025-12-15" } ], "cwes": [ @@ -4520,8 +4659,8 @@ { "cve": "CVE-2023-45322", "epss": 0.00076, - "percentile": 0.23163, - "date": "2025-12-14" + "percentile": 0.2314, + "date": "2025-12-15" } ], "cwes": [ 
@@ -4587,145 +4726,6 @@ } } }, - { - "vulnerability": { - "id": "CVE-2025-12818", - "dataSource": "https://access.redhat.com/security/cve/CVE-2025-12818", - "namespace": "redhat:distro:redhat:9", - "severity": "Medium", - "urls": [], - "description": "A vulnerability has been identified in PostgreSQL’s libpq client library, where integer wraparound in several allocation-size calculations allows a peer or input provider to cause an undersized buffer and then write out-of-bounds by hundreds of megabytes. This can lead to a client application segmentation fault or crash when using libpq to connect to a PostgreSQL server.", - "cvss": [ - { - "type": "Secondary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, - "impactScore": 3.6 - }, - "vendorMetadata": {} - } - ], - "epss": [ - { - "cve": "CVE-2025-12818", - "epss": 0.00052, - "percentile": 0.16429, - "date": "2025-12-14" - } - ], - "cwes": [ - { - "cve": "CVE-2025-12818", - "cwe": "CWE-190", - "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", - "type": "Secondary" - } - ], - "fix": { - "versions": [], - "state": "not-fixed" - }, - "advisories": [], - "risk": 0.0325 - }, - "relatedVulnerabilities": [ - { - "id": "CVE-2025-12818", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-12818", - "namespace": "nvd:cpe", - "severity": "Medium", - "urls": [ - "https://www.postgresql.org/support/security/CVE-2025-12818/" - ], - "description": "Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application using libpq. 
Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.", - "cvss": [ - { - "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", - "type": "Secondary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", - "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, - "impactScore": 3.6 - }, - "vendorMetadata": {} - } - ], - "epss": [ - { - "cve": "CVE-2025-12818", - "epss": 0.00052, - "percentile": 0.16429, - "date": "2025-12-14" - } - ], - "cwes": [ - { - "cve": "CVE-2025-12818", - "cwe": "CWE-190", - "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", - "type": "Secondary" - } - ] - } - ], - "matchDetails": [ - { - "type": "exact-direct-match", - "matcher": "rpm-matcher", - "searchedBy": { - "distro": { - "type": "redhat", - "version": "9.6" - }, - "package": { - "name": "libpq", - "version": "0:13.20-1.el9_5" - }, - "namespace": "redhat:distro:redhat:9" - }, - "found": { - "vulnerabilityID": "CVE-2025-12818", - "versionConstraint": "none (unknown)" - } - } - ], - "artifact": { - "id": "9e9440b1f6d978f7", - "name": "libpq", - "version": "13.20-1.el9_5", - "type": "rpm", - "locations": [ - { - "path": "/var/lib/rpm/rpmdb.sqlite", - "layerID": "sha256:9f0b79be8c39d3327229ddefe91179edad3699b9049708d43623f4203b3b67fb", - "accessPath": "/var/lib/rpm/rpmdb.sqlite", - "annotations": { - "evidence": "primary" - } - } - ], - "language": "", - "licenses": [ - "PostgreSQL" - ], - "cpes": [ - "cpe:2.3:a:redhat:libpq:13.20-1.el9_5:*:*:*:*:*:*:*", - "cpe:2.3:a:libpq:libpq:13.20-1.el9_5:*:*:*:*:*:*:*" - ], - "purl": "pkg:rpm/redhat/libpq@13.20-1.el9_5?arch=x86_64&distro=rhel-9.6&upstream=libpq-13.20-1.el9_5.src.rpm", - "upstreams": [], - "metadataType": "RpmMetadata", - "metadata": { - "epoch": null, - "modularityLabel": "" - } - } - }, { "vulnerability": { "id": "CVE-2025-32989", 
@@ -4751,8 +4751,8 @@ { "cve": "CVE-2025-32989", "epss": 0.00055, - "percentile": 0.17349, - "date": "2025-12-14" + "percentile": 0.17321, + "date": "2025-12-15" } ], "cwes": [ @@ -4821,8 +4821,8 @@ { "cve": "CVE-2025-32989", "epss": 0.00055, - "percentile": 0.17349, - "date": "2025-12-14" + "percentile": 0.17321, + "date": "2025-12-15" } ], "cwes": [ @@ -4916,8 +4916,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -4964,8 +4964,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -5056,8 +5056,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -5104,8 +5104,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -5207,8 +5207,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ], "fix": { @@ -5250,8 +5250,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ] } @@ -5345,8 +5345,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ], "fix": { @@ -5388,8 +5388,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ] } @@ -5483,8 +5483,8 @@ { "cve": "CVE-2025-3360", "epss": 0.00068, - "percentile": 0.2117, - "date": "2025-12-14" + "percentile": 0.21148, + "date": "2025-12-15" } ], "cwes": [ 
@@ -5532,8 +5532,8 @@ { "cve": "CVE-2025-3360", "epss": 0.00068, - "percentile": 0.2117, - "date": "2025-12-14" + "percentile": 0.21148, + "date": "2025-12-15" } ], "cwes": [ @@ -5624,8 +5624,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -5685,8 +5685,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -5782,8 +5782,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -5843,8 +5843,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -5940,8 +5940,8 @@ { "cve": "CVE-2025-32414", "epss": 0.0004, - "percentile": 0.12023, - "date": "2025-12-14" + "percentile": 0.1197, + "date": "2025-12-15" } ], "cwes": [ @@ -6020,8 +6020,8 @@ { "cve": "CVE-2025-32414", "epss": 0.0004, - "percentile": 0.12023, - "date": "2025-12-14" + "percentile": 0.1197, + "date": "2025-12-15" } ], "cwes": [ @@ -6121,8 +6121,8 @@ { "cve": "CVE-2025-4598", "epss": 0.00042, - "percentile": 0.12535, - "date": "2025-12-14" + "percentile": 0.12486, + "date": "2025-12-15" } ], "cwes": [ @@ -6194,8 +6194,8 @@ { "cve": "CVE-2025-4598", "epss": 0.00042, - "percentile": 0.12535, - "date": "2025-12-14" + "percentile": 0.12486, + "date": "2025-12-15" } ], "cwes": [ @@ -6300,8 +6300,8 @@ { "cve": "CVE-2025-14512", "epss": 0.00034, - "percentile": 0.09609, - "date": "2025-12-14" + "percentile": 0.09535, + "date": "2025-12-15" } ], "cwes": [ @@ -6348,8 +6348,8 @@ { "cve": "CVE-2025-14512", "epss": 0.00034, - "percentile": 0.09609, - "date": "2025-12-14" + "percentile": 0.09535, + "date": "2025-12-15" } ], "cwes": [ 
@@ -6443,8 +6443,8 @@ { "cve": "CVE-2025-29478", "epss": 0.00034, - "percentile": 0.09478, - "date": "2025-12-14" + "percentile": 0.09393, + "date": "2025-12-15" } ], "cwes": [ @@ -6535,8 +6535,8 @@ { "cve": "CVE-2025-7425", "epss": 0.00022, - "percentile": 0.05026, - "date": "2025-12-14" + "percentile": 0.04984, + "date": "2025-12-15" } ], "cwes": [ @@ -6631,8 +6631,8 @@ { "cve": "CVE-2025-7425", "epss": 0.00022, - "percentile": 0.05026, - "date": "2025-12-14" + "percentile": 0.04984, + "date": "2025-12-15" } ], "cwes": [ @@ -6726,8 +6726,8 @@ { "cve": "CVE-2025-6965", "epss": 0.00022, - "percentile": 0.05249, - "date": "2025-12-14" + "percentile": 0.05222, + "date": "2025-12-15" } ], "cwes": [ @@ -6803,8 +6803,8 @@ { "cve": "CVE-2025-6965", "epss": 0.00022, - "percentile": 0.05249, - "date": "2025-12-14" + "percentile": 0.05222, + "date": "2025-12-15" } ], "cwes": [ @@ -6909,8 +6909,8 @@ { "cve": "CVE-2025-32415", "epss": 0.00024, - "percentile": 0.05699, - "date": "2025-12-14" + "percentile": 0.05692, + "date": "2025-12-15" } ], "cwes": [ @@ -6989,8 +6989,8 @@ { "cve": "CVE-2025-32415", "epss": 0.00024, - "percentile": 0.05699, - "date": "2025-12-14" + "percentile": 0.05692, + "date": "2025-12-15" } ], "cwes": [ @@ -7090,8 +7090,8 @@ { "cve": "CVE-2025-8058", "epss": 0.00031, - "percentile": 0.08295, - "date": "2025-12-14" + "percentile": 0.08225, + "date": "2025-12-15" } ], "cwes": [ @@ -7151,8 +7151,8 @@ { "cve": "CVE-2025-8058", "epss": 0.00031, - "percentile": 0.08295, - "date": "2025-12-14" + "percentile": 0.08225, + "date": "2025-12-15" } ], "cwes": [ @@ -7246,8 +7246,8 @@ { "cve": "CVE-2025-8058", "epss": 0.00031, - "percentile": 0.08295, - "date": "2025-12-14" + "percentile": 0.08225, + "date": "2025-12-15" } ], "cwes": [ @@ -7307,8 +7307,8 @@ { "cve": "CVE-2025-8058", "epss": 0.00031, - "percentile": 0.08295, - "date": "2025-12-14" + "percentile": 0.08225, + "date": "2025-12-15" } ], "cwes": [ 
@@ -7413,8 +7413,8 @@ { "cve": "CVE-2025-8058", "epss": 0.00031, - "percentile": 0.08295, - "date": "2025-12-14" + "percentile": 0.08225, + "date": "2025-12-15" } ], "cwes": [ @@ -7474,8 +7474,8 @@ { "cve": "CVE-2025-8058", "epss": 0.00031, - "percentile": 0.08295, - "date": "2025-12-14" + "percentile": 0.08225, + "date": "2025-12-15" } ], "cwes": [ @@ -7584,8 +7584,8 @@ { "cve": "CVE-2025-8058", "epss": 0.00031, - "percentile": 0.08295, - "date": "2025-12-14" + "percentile": 0.08225, + "date": "2025-12-15" } ], "cwes": [ @@ -7645,8 +7645,8 @@ { "cve": "CVE-2025-8058", "epss": 0.00031, - "percentile": 0.08295, - "date": "2025-12-14" + "percentile": 0.08225, + "date": "2025-12-15" } ], "cwes": [ @@ -7755,8 +7755,8 @@ { "cve": "CVE-2023-4156", "epss": 0.00031, - "percentile": 0.08475, - "date": "2025-12-14" + "percentile": 0.08405, + "date": "2025-12-15" } ], "cwes": [ @@ -7821,8 +7821,8 @@ { "cve": "CVE-2023-4156", "epss": 0.00031, - "percentile": 0.08475, - "date": "2025-12-14" + "percentile": 0.08405, + "date": "2025-12-15" } ], "cwes": [ @@ -7919,8 +7919,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ @@ -7995,8 +7995,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ @@ -8096,8 +8096,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ @@ -8172,8 +8172,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ @@ -8284,8 +8284,8 @@ { "cve": "CVE-2025-9714", "epss": 0.00024, - "percentile": 0.05691, - "date": "2025-12-14" + "percentile": 0.05683, + "date": "2025-12-15" } ], "cwes": [ 
@@ -8358,8 +8358,8 @@ { "cve": "CVE-2025-9714", "epss": 0.00024, - "percentile": 0.05691, - "date": "2025-12-14" + "percentile": 0.05683, + "date": "2025-12-15" } ], "cwes": [ @@ -8453,8 +8453,8 @@ { "cve": "CVE-2025-60753", "epss": 0.0002, - "percentile": 0.04699, - "date": "2025-12-14" + "percentile": 0.04656, + "date": "2025-12-15" } ], "cwes": [ @@ -8507,8 +8507,8 @@ { "cve": "CVE-2025-60753", "epss": 0.0002, - "percentile": 0.04699, - "date": "2025-12-14" + "percentile": 0.04656, + "date": "2025-12-15" } ], "cwes": [ @@ -8608,8 +8608,8 @@ { "cve": "CVE-2025-29477", "epss": 0.00019, - "percentile": 0.04132, - "date": "2025-12-14" + "percentile": 0.04084, + "date": "2025-12-15" } ], "cwes": [ @@ -8700,8 +8700,8 @@ { "cve": "CVE-2025-13601", "epss": 0.00015, - "percentile": 0.02458, - "date": "2025-12-14" + "percentile": 0.0245, + "date": "2025-12-15" } ], "cwes": [ @@ -8750,8 +8750,8 @@ { "cve": "CVE-2025-13601", "epss": 0.00015, - "percentile": 0.02458, - "date": "2025-12-14" + "percentile": 0.0245, + "date": "2025-12-15" } ], "cwes": [ @@ -8842,8 +8842,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ], "fix": { @@ -8884,8 +8884,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ] } @@ -8979,8 +8979,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ], "fix": { @@ -9021,8 +9021,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ] } @@ -9116,8 +9116,8 @@ { "cve": "CVE-2025-5915", "epss": 0.00026, - "percentile": 0.06449, - "date": "2025-12-14" + "percentile": 0.06425, + "date": "2025-12-15" } ], "cwes": [ 
@@ -9178,8 +9178,8 @@ { "cve": "CVE-2025-5915", "epss": 0.00026, - "percentile": 0.06449, - "date": "2025-12-14" + "percentile": 0.06425, + "date": "2025-12-15" } ], "cwes": [ @@ -9270,8 +9270,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -9323,8 +9323,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -9415,8 +9415,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -9468,8 +9468,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -9571,8 +9571,8 @@ { "cve": "CVE-2025-5916", "epss": 0.00023, - "percentile": 0.05378, - "date": "2025-12-14" + "percentile": 0.05349, + "date": "2025-12-15" } ], "cwes": [ @@ -9633,8 +9633,8 @@ { "cve": "CVE-2025-5916", "epss": 0.00023, - "percentile": 0.05378, - "date": "2025-12-14" + "percentile": 0.05349, + "date": "2025-12-15" } ], "cwes": [ @@ -9725,8 +9725,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -9773,8 +9773,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -9870,8 +9870,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -9918,8 +9918,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ 
@@ -10015,8 +10015,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -10063,8 +10063,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -10160,8 +10160,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -10208,8 +10208,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -10305,8 +10305,8 @@ { "cve": "CVE-2025-5278", "epss": 0.00016, - "percentile": 0.02784, - "date": "2025-12-14" + "percentile": 0.02777, + "date": "2025-12-15" } ], "cwes": [ @@ -10359,8 +10359,8 @@ { "cve": "CVE-2025-5278", "epss": 0.00016, - "percentile": 0.02784, - "date": "2025-12-14" + "percentile": 0.02777, + "date": "2025-12-15" } ], "cwes": [ @@ -10462,8 +10462,8 @@ { "cve": "CVE-2023-30571", "epss": 0.00014, - "percentile": 0.02021, - "date": "2025-12-14" + "percentile": 0.02012, + "date": "2025-12-15" } ], "cwes": [ @@ -10528,8 +10528,8 @@ { "cve": "CVE-2023-30571", "epss": 0.00014, - "percentile": 0.02021, - "date": "2025-12-14" + "percentile": 0.02012, + "date": "2025-12-15" } ], "cwes": [ @@ -10626,8 +10626,8 @@ { "cve": "CVE-2025-30258", "epss": 0.00025, - "percentile": 0.05983, - "date": "2025-12-14" + "percentile": 0.0597, + "date": "2025-12-15" } ], "cwes": [ @@ -10687,8 +10687,8 @@ { "cve": "CVE-2025-30258", "epss": 0.00025, - "percentile": 0.05983, - "date": "2025-12-14" + "percentile": 0.0597, + "date": "2025-12-15" } ], "cwes": [ @@ -10779,8 +10779,8 @@ { "cve": "CVE-2024-0232", "epss": 0.00018, - "percentile": 0.03785, - "date": "2025-12-14" + "percentile": 0.03749, + "date": "2025-12-15" } ], "cwes": [ 
@@ -10847,8 +10847,8 @@ { "cve": "CVE-2024-0232", "epss": 0.00018, - "percentile": 0.03785, - "date": "2025-12-14" + "percentile": 0.03749, + "date": "2025-12-15" } ], "cwes": [ @@ -10956,8 +10956,8 @@ { "cve": "CVE-2025-5918", "epss": 0.00019, - "percentile": 0.04307, - "date": "2025-12-14" + "percentile": 0.04264, + "date": "2025-12-15" } ], "cwes": [ @@ -11018,8 +11018,8 @@ { "cve": "CVE-2025-5918", "epss": 0.00019, - "percentile": 0.04307, - "date": "2025-12-14" + "percentile": 0.04264, + "date": "2025-12-15" } ], "cwes": [ @@ -11110,8 +11110,8 @@ { "cve": "CVE-2022-3219", "epss": 0.00012, - "percentile": 0.01397, - "date": "2025-12-14" + "percentile": 0.01394, + "date": "2025-12-15" } ], "cwes": [ @@ -11180,8 +11180,8 @@ { "cve": "CVE-2022-3219", "epss": 0.00012, - "percentile": 0.01397, - "date": "2025-12-14" + "percentile": 0.01394, + "date": "2025-12-15" } ], "cwes": [ @@ -11278,8 +11278,8 @@ { "cve": "CVE-2025-5917", "epss": 0.00019, - "percentile": 0.04396, - "date": "2025-12-14" + "percentile": 0.04351, + "date": "2025-12-15" } ], "cwes": [ @@ -11340,8 +11340,8 @@ { "cve": "CVE-2025-5917", "epss": 0.00019, - "percentile": 0.04396, - "date": "2025-12-14" + "percentile": 0.04351, + "date": "2025-12-15" } ], "cwes": [ @@ -11432,8 +11432,8 @@ { "cve": "CVE-2025-6170", "epss": 0.00017, - "percentile": 0.03384, - "date": "2025-12-14" + "percentile": 0.03368, + "date": "2025-12-15" } ], "cwes": [ @@ -11493,8 +11493,8 @@ { "cve": "CVE-2025-6170", "epss": 0.00017, - "percentile": 0.03384, - "date": "2025-12-14" + "percentile": 0.03368, + "date": "2025-12-15" } ], "cwes": [ 
@@ -12016,87 +12016,87 @@ "db": { "status": { "schemaVersion": "v6.1.3", - "from": "https://grype.anchore.io/databases/v6/vulnerability-db_v6.1.3_2025-12-15T00:26:22Z_1765786837.tar.zst?checksum=sha256%3A819b50d22f073b9ab2ad3c00d212207037c07e1de037f81b528b58717b758db2", - "built": "2025-12-15T08:20:37Z", + "from": "https://grype.anchore.io/databases/v6/vulnerability-db_v6.1.3_2025-12-16T00:25:11Z_1765880790.tar.zst?checksum=sha256%3Aa8bb3ef2cc68f242e78cda1e451f290ff56a23b1063de65d22a0ac20e16ae5bd", + "built": "2025-12-16T10:26:30Z", "path": ".cache/grype/db/6/vulnerability.db", "valid": true }, "providers": { "alma": { - "captured": "2025-12-15T00:26:29Z", + "captured": "2025-12-16T00:25:17Z", "input": "xxh64:3bae44c7a22f7a7a" }, "alpine": { - "captured": "2025-12-15T00:26:22Z", - "input": "xxh64:a6910ebae352b990" + "captured": "2025-12-16T00:25:13Z", + "input": "xxh64:0d94cc3d895e96e4" }, "amazon": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:d9332811ab10da09" + "captured": "2025-12-16T00:25:14Z", + "input": "xxh64:96351b3c21f16cdd" }, "bitnami": { - "captured": "2025-12-15T00:26:31Z", - "input": "xxh64:1ecf12b668dea077" + "captured": "2025-12-16T00:25:26Z", + "input": "xxh64:01d096e52d6c584d" }, "chainguard": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:c788b1823558ccdc" + "captured": "2025-12-16T00:25:19Z", + "input": "xxh64:aeb142b1fabd05ef" }, "chainguard-libraries": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:61125e10198fff74" + "captured": "2025-12-16T00:25:25Z", + "input": "xxh64:131c1a3e98113468" }, "debian": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:3a0aef0ee5db3f38" + "captured": "2025-12-16T00:25:24Z", + "input": "xxh64:9c5942d58a5f0d0a" }, "echo": { - "captured": "2025-12-15T00:26:34Z", - "input": "xxh64:b407f1052619408a" + "captured": "2025-12-16T00:25:20Z", + "input": "xxh64:e65ed35a7a7899d0" }, "epss": { - "captured": "2025-12-15T00:26:28Z", - "input": "xxh64:05fd1e2ee709d2a5" + "captured": 
"2025-12-16T00:25:21Z", + "input": "xxh64:c443dbaf0209cf17" }, "github": { - "captured": "2025-12-15T00:26:44Z", - "input": "xxh64:3c7fd996a88f1c66" + "captured": "2025-12-16T00:25:21Z", + "input": "xxh64:640038905439d285" }, "kev": { - "captured": "2025-12-15T00:26:23Z", - "input": "xxh64:ed425533655d771d" + "captured": "2025-12-16T00:25:11Z", + "input": "xxh64:c28f5b32e2103243" }, "mariner": { - "captured": "2025-12-15T00:26:32Z", - "input": "xxh64:6fdbff1192df3158" + "captured": "2025-12-16T00:25:18Z", + "input": "xxh64:647810a8c07a63eb" }, "minimos": { - "captured": "2025-12-15T00:26:30Z", - "input": "xxh64:66fa9397e7abbbe3" + "captured": "2025-12-16T00:25:20Z", + "input": "xxh64:24ca3b7889974a27" }, "nvd": { - "captured": "2025-12-15T00:29:34Z", - "input": "xxh64:52a15157244d2eb4" + "captured": "2025-12-16T00:28:18Z", + "input": "xxh64:8ee1877e9a9e680b" }, "oracle": { - "captured": "2025-12-15T00:26:29Z", - "input": "xxh64:a3297070ed6c54c1" + "captured": "2025-12-16T00:25:23Z", + "input": "xxh64:a4416b6b3e4250df" }, "rhel": { - "captured": "2025-12-15T00:27:19Z", - "input": "xxh64:e625d0086bf187f1" + "captured": "2025-12-16T00:26:07Z", + "input": "xxh64:9911b1a567d8f57c" }, "sles": { - "captured": "2025-12-15T00:26:44Z", - "input": "xxh64:baf8228a110f8ba2" + "captured": "2025-12-16T00:25:43Z", + "input": "xxh64:1b717d5f2e45fdee" }, "ubuntu": { - "captured": "2025-12-15T00:27:45Z", - "input": "xxh64:dd0f79d777310979" + "captured": "2025-12-16T00:27:14Z", + "input": "xxh64:2d3097578288b46f" }, "wolfi": { - "captured": "2025-12-15T00:26:25Z", - "input": "xxh64:7f14313934ae61bb" + "captured": "2025-12-16T00:25:19Z", + "input": "xxh64:f85923693eb62700" } } } diff --git a/docs/security/agent/grype-25.7.1.md b/docs/security/agent/grype-25.7.1.md index df9a8ea..a7ce025 100644 --- a/docs/security/agent/grype-25.7.1.md +++ b/docs/security/agent/grype-25.7.1.md 
@@ -16,8 +16,8 @@ Refer to the [triaged vulnerabilities](https://docs.fluent.do/security/triaged.h | libcurl-minimal | 7.76.1-31.el9 | [CVE-2025-9086](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-9086) | Medium | | gnutls | 3.8.3-6.el9 | [CVE-2025-32988](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32988) | Medium | | libpq | 13.20-1.el9_5 | [CVE-2025-4207](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-4207) | Medium | -| gnutls | 3.8.3-6.el9 | [CVE-2025-6395](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-6395) | Medium | | libpq | 13.20-1.el9_5 | [CVE-2025-12818](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-12818) | Medium | +| gnutls | 3.8.3-6.el9 | [CVE-2025-6395](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-6395) | Medium | | gnutls | 3.8.3-6.el9 | [CVE-2025-32989](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32989) | Medium | | libxml2 | 2.9.13-10.el9_6 | [CVE-2025-32414](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32414) | Medium | | systemd-libs | 252-51.el9_6.1 | [CVE-2025-4598](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-4598) | Medium | 
@@ -46,16 +46,16 @@ Refer to the [triaged vulnerabilities](https://docs.fluent.do/security/triaged.h | curl-minimal | 7.76.1-31.el9 | [CVE-2024-7264](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7264) | Low | | libcurl-minimal | 7.76.1-31.el9 | [CVE-2024-7264](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7264) | Low | | shadow-utils | 2:4.9-12.el9 | [CVE-2024-56433](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-56433) | Low | -| curl-minimal | 7.76.1-31.el9 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | -| libcurl-minimal | 7.76.1-31.el9 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | | libxml2 | 2.9.13-10.el9_6 | [CVE-2024-34459](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34459) | Low | | openssl | 1:3.2.2-6.el9_5.1 | [CVE-2024-41996](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41996) | Low | | openssl-libs | 1:3.2.2-6.el9_5.1 | [CVE-2024-41996](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41996) | Low | +| curl-minimal | 7.76.1-31.el9 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | +| libcurl-minimal | 7.76.1-31.el9 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | | curl-minimal | 7.76.1-31.el9 | [CVE-2024-11053](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-11053) | Low | | libcurl-minimal | 7.76.1-31.el9 | [CVE-2024-11053](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-11053) | Low | | glib2 | 2.68.4-16.el9 | [CVE-2023-32636](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32636) | Low | -| libarchive | 3.5.3-5.el9_6 | [CVE-2025-1632](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1632) | Low | | libxml2 | 2.9.13-10.el9_6 | [CVE-2025-27113](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27113) | Low | +| libarchive | 3.5.3-5.el9_6 | 
[CVE-2025-1632](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1632) | Low | | openssl | 1:3.2.2-6.el9_5.1 | [CVE-2024-13176](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13176) | Low | | openssl-libs | 1:3.2.2-6.el9_5.1 | [CVE-2024-13176](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13176) | Low | | ncurses-base | 6.2-10.20210508.el9 | [CVE-2022-29458](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29458) | Low | diff --git a/docs/security/agent/grype-25.7.2.json b/docs/security/agent/grype-25.7.2.json index 64ab4e4..4198a90 100644 --- a/docs/security/agent/grype-25.7.2.json +++ b/docs/security/agent/grype-25.7.2.json @@ -25,8 +25,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -91,8 +91,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -194,8 +194,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -260,8 +260,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -363,8 +363,8 @@ { "cve": "CVE-2024-56433", "epss": 0.05074, - "percentile": 0.8942, - "date": "2025-12-14" + "percentile": 0.89421, + "date": "2025-12-15" } ], "cwes": [ @@ -426,8 +426,8 @@ { "cve": "CVE-2024-56433", "epss": 0.05074, - "percentile": 0.8942, - "date": "2025-12-14" + "percentile": 0.89421, + "date": "2025-12-15" } ], "cwes": [ @@ -527,8 +527,8 @@ { "cve": "CVE-2024-52533", "epss": 0.02455, - "percentile": 0.8475, - "date": "2025-12-14" + "percentile": 0.84749, + "date": "2025-12-15" } ], "cwes": [ 
@@ -593,8 +593,8 @@ { "cve": "CVE-2024-52533", "epss": 0.02455, - "percentile": 0.8475, - "date": "2025-12-14" + "percentile": 0.84749, + "date": "2025-12-15" } ], "cwes": [ @@ -665,39 +665,39 @@ }, { "vulnerability": { - "id": "CVE-2024-9681", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", + "id": "CVE-2024-34459", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-34459", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", + "description": "A flaw was found in the xmllint program distributed by the libxml2 package. A buffer over-read in the xmlHTMLPrintFileContext function in the xmllint.c file may be triggered when a crafted file is processed with the xmllint program using the `--htmlout` command line option, causing an application crash and resulting in a denial of service.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 3.9, - "exploitabilityScore": 1.4, - "impactScore": 2.6 + "baseScore": 5.5, + "exploitabilityScore": 1.9, + "impactScore": 3.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-34459", + "epss": 0.00847, + "percentile": 0.74212, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-34459", + "cwe": "CWE-122", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ], "fix": { 
@@ -705,51 +705,36 @@ "state": "not-fixed" }, "advisories": [], - "risk": 0.422625 + "risk": 0.35997500000000004 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-9681", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", + "id": "CVE-2024-34459", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-34459", "namespace": "nvd:cpe", - "severity": "Medium", + "severity": "High", "urls": [ - "https://curl.se/docs/CVE-2024-9681.html", - "https://curl.se/docs/CVE-2024-9681.json", - "https://hackerone.com/reports/2764830", - "http://seclists.org/fulldisclosure/2025/Apr/10", - "http://seclists.org/fulldisclosure/2025/Apr/11", - "http://seclists.org/fulldisclosure/2025/Apr/12", - "http://seclists.org/fulldisclosure/2025/Apr/13", - "http://seclists.org/fulldisclosure/2025/Apr/4", - "http://seclists.org/fulldisclosure/2025/Apr/5", - "http://seclists.org/fulldisclosure/2025/Apr/8", - "http://seclists.org/fulldisclosure/2025/Apr/9", - "http://www.openwall.com/lists/oss-security/2024/11/06/2", - "https://security.netapp.com/advisory/ntap-20241213-0006/" + "https://gitlab.gnome.org/GNOME/libxml2/-/issues/720", + "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.8", + "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.7", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/", + "https://lists.debian.org/debian-lts-announce/2025/07/msg00014.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", + 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/" ], - "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", + "description": "An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. 
Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c.", "cvss": [ - { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", - "metrics": { - "baseScore": 6.5, - "exploitabilityScore": 2.3, - "impactScore": 4.3 - }, - "vendorMetadata": {} - }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, + "baseScore": 7.5, + "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} @@ -757,25 +742,25 @@ ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-34459", + "epss": 0.00847, + "percentile": 0.74212, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-34459", + "cwe": "CWE-122", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ] } ], "matchDetails": [ { - "type": "exact-indirect-match", + "type": "exact-direct-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { @@ -783,21 +768,21 @@ "version": "9.6" }, "package": { - "name": "curl", - "version": "7.76.1-31.el9" + "name": "libxml2", + "version": "0:2.9.13-10.el9_6" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-9681", + "vulnerabilityID": "CVE-2024-34459", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "6b7ebba723f3d1d6", - "name": "curl-minimal", - "version": "7.76.1-31.el9", + "id": "cad7c140298c7fa1", + "name": "libxml2", + "version": "2.9.13-10.el9_6", "type": "rpm", "locations": [ { 
@@ -814,22 +799,11 @@ "MIT" ], "cpes": [ - "cpe:2.3:a:curl-minimal:curl-minimal:7.76.1-31.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:curl-minimal:curl_minimal:7.76.1-31.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:curl_minimal:curl-minimal:7.76.1-31.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:curl_minimal:curl_minimal:7.76.1-31.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:curl-minimal:7.76.1-31.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:curl_minimal:7.76.1-31.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:curl:curl-minimal:7.76.1-31.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:curl:curl_minimal:7.76.1-31.el9:*:*:*:*:*:*:*" - ], - "purl": "pkg:rpm/redhat/curl-minimal@7.76.1-31.el9?arch=x86_64&distro=rhel-9.6&upstream=curl-7.76.1-31.el9.src.rpm", - "upstreams": [ - { - "name": "curl", - "version": "7.76.1-31.el9" - } + "cpe:2.3:a:libxml2:libxml2:2.9.13-10.el9_6:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libxml2:2.9.13-10.el9_6:*:*:*:*:*:*:*" ], + "purl": "pkg:rpm/redhat/libxml2@2.9.13-10.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libxml2-2.9.13-10.el9_6.src.rpm", + "upstreams": [], "metadataType": "RpmMetadata", "metadata": { "epoch": null, 
@@ -839,91 +813,69 @@ }, { "vulnerability": { - "id": "CVE-2024-9681", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", + "id": "CVE-2024-41996", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", + "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 3.9, - "exploitabilityScore": 1.4, - "impactScore": 2.6 + "baseScore": 5.9, + "exploitabilityScore": 2.3, + "impactScore": 3.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-41996", + "cwe": "CWE-295", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ], "fix": { "versions": [], - "state": "not-fixed" + "state": "wont-fix" }, "advisories": [], - "risk": 0.422625 + "risk": 0.30705000000000005 }, 
"relatedVulnerabilities": [ { - "id": "CVE-2024-9681", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", + "id": "CVE-2024-41996", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", "namespace": "nvd:cpe", - "severity": "Medium", + "severity": "High", "urls": [ - "https://curl.se/docs/CVE-2024-9681.html", - "https://curl.se/docs/CVE-2024-9681.json", - "https://hackerone.com/reports/2764830", - "http://seclists.org/fulldisclosure/2025/Apr/10", - "http://seclists.org/fulldisclosure/2025/Apr/11", - "http://seclists.org/fulldisclosure/2025/Apr/12", - "http://seclists.org/fulldisclosure/2025/Apr/13", - "http://seclists.org/fulldisclosure/2025/Apr/4", - "http://seclists.org/fulldisclosure/2025/Apr/5", - "http://seclists.org/fulldisclosure/2025/Apr/8", - "http://seclists.org/fulldisclosure/2025/Apr/9", - "http://www.openwall.com/lists/oss-security/2024/11/06/2", - "https://security.netapp.com/advisory/ntap-20241213-0006/" + "https://dheatattack.gitlab.io/details/", + "https://dheatattack.gitlab.io/faq/", + "https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" ], - "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug 
is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", + "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", "cvss": [ - { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", - "metrics": { - "baseScore": 6.5, - "exploitabilityScore": 2.3, - "impactScore": 4.3 - }, - "vendorMetadata": {} - }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, + "baseScore": 7.5, + "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} 
@@ -931,25 +883,25 @@ ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-41996", + "cwe": "CWE-295", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ] } ], "matchDetails": [ { - "type": "exact-indirect-match", + "type": "exact-direct-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { @@ -957,21 +909,21 @@ "version": "9.6" }, "package": { - "name": "curl", - "version": "7.76.1-31.el9" + "name": "openssl", + "version": "1:3.2.2-6.el9_5.1" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-9681", + "vulnerabilityID": "CVE-2024-41996", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "b20b4850f0fa0e54", - "name": "libcurl-minimal", - "version": "7.76.1-31.el9", + "id": "7dc75dc862d10c78", + "name": "openssl", + "version": "1:3.2.2-6.el9_5.1", "type": "rpm", "locations": [ { 
@@ -985,48 +937,37 @@ ], "language": "", "licenses": [ - "MIT" + "ASL 2.0" ], "cpes": [ - "cpe:2.3:a:libcurl-minimal:libcurl-minimal:7.76.1-31.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl-minimal:libcurl_minimal:7.76.1-31.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl_minimal:libcurl-minimal:7.76.1-31.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl_minimal:libcurl_minimal:7.76.1-31.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl:libcurl-minimal:7.76.1-31.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl:libcurl_minimal:7.76.1-31.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libcurl-minimal:7.76.1-31.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libcurl_minimal:7.76.1-31.el9:*:*:*:*:*:*:*" - ], - "purl": "pkg:rpm/redhat/libcurl-minimal@7.76.1-31.el9?arch=x86_64&distro=rhel-9.6&upstream=curl-7.76.1-31.el9.src.rpm", - "upstreams": [ - { - "name": "curl", - "version": "7.76.1-31.el9" - } + "cpe:2.3:a:openssl:openssl:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:openssl:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*" ], + "purl": "pkg:rpm/redhat/openssl@3.2.2-6.el9_5.1?arch=x86_64&distro=rhel-9.6&epoch=1&upstream=openssl-3.2.2-6.el9_5.1.src.rpm", + "upstreams": [], "metadataType": "RpmMetadata", "metadata": { - "epoch": null, + "epoch": 1, "modularityLabel": "" } } }, { "vulnerability": { - "id": "CVE-2024-34459", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-34459", + "id": "CVE-2024-41996", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A flaw was found in the xmllint program distributed by the libxml2 package. 
A buffer over-read in the xmlHTMLPrintFileContext function in the xmllint.c file may be triggered when a crafted file is processed with the xmllint program using the `--htmlout` command line option, causing an application crash and resulting in a denial of service.", + "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 5.5, - "exploitabilityScore": 1.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} 
@@ -1034,52 +975,45 @@ ], "epss": [ { - "cve": "CVE-2024-34459", - "epss": 0.00847, - "percentile": 0.74208, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-34459", - "cwe": "CWE-122", + "cve": "CVE-2024-41996", + "cwe": "CWE-295", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ], "fix": { "versions": [], - "state": "not-fixed" + "state": "wont-fix" }, "advisories": [], - "risk": 0.35997500000000004 + "risk": 0.30705000000000005 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-34459", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-34459", + "id": "CVE-2024-41996", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", "namespace": "nvd:cpe", "severity": "High", "urls": [ - "https://gitlab.gnome.org/GNOME/libxml2/-/issues/720", - "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.8", - "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.7", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/", - "https://lists.debian.org/debian-lts-announce/2025/07/msg00014.html", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/" + "https://dheatattack.gitlab.io/details/", + "https://dheatattack.gitlab.io/faq/", + 
"https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" ], - "description": "An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c.", + "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", "cvss": [ { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { "baseScore": 7.5, "exploitabilityScore": 3.9, @@ -1090,16 +1024,16 @@ ], "epss": [ { - "cve": "CVE-2024-34459", - "epss": 0.00847, - "percentile": 0.74208, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-34459", - "cwe": "CWE-122", + "cve": "CVE-2024-41996", + "cwe": "CWE-295", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } @@ -1108,7 +1042,7 @@ ], "matchDetails": [ { - "type": "exact-direct-match", + "type": "exact-indirect-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { 
@@ -1116,21 +1050,21 @@ "version": "9.6" }, "package": { - "name": "libxml2", - "version": "0:2.9.13-10.el9_6" + "name": "openssl", + "version": "3.2.2-6.el9_5.1" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-34459", + "vulnerabilityID": "CVE-2024-41996", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "cad7c140298c7fa1", - "name": "libxml2", - "version": "2.9.13-10.el9_6", + "id": "58e683943e8aac02", + "name": "openssl-libs", + "version": "1:3.2.2-6.el9_5.1", "type": "rpm", "locations": [ { 
@@ -1144,86 +1078,119 @@ ], "language": "", "licenses": [ - "MIT" + "ASL 2.0" ], "cpes": [ - "cpe:2.3:a:libxml2:libxml2:2.9.13-10.el9_6:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libxml2:2.9.13-10.el9_6:*:*:*:*:*:*:*" + "cpe:2.3:a:openssl-libs:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl-libs:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl_libs:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl_libs:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:rpm/redhat/openssl-libs@3.2.2-6.el9_5.1?arch=x86_64&distro=rhel-9.6&epoch=1&upstream=openssl-3.2.2-6.el9_5.1.src.rpm", + "upstreams": [ + { + "name": "openssl", + "version": "3.2.2-6.el9_5.1" + } ], - "purl": "pkg:rpm/redhat/libxml2@2.9.13-10.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libxml2-2.9.13-10.el9_6.src.rpm", - "upstreams": [], "metadataType": "RpmMetadata", "metadata": { - "epoch": null, + "epoch": 1, "modularityLabel": "" } } }, { "vulnerability": { - "id": "CVE-2024-41996", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. 
This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", + "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, - "impactScore": 3.6 + "baseScore": 3.9, + "exploitabilityScore": 1.4, + "impactScore": 2.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ], "fix": { "versions": [], - "state": "wont-fix" + "state": "not-fixed" }, "advisories": [], - "risk": 0.30705000000000005 + "risk": 0.20009999999999997 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-41996", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", "namespace": "nvd:cpe", - "severity": "High", + "severity": "Medium", "urls": [ - "https://dheatattack.gitlab.io/details/", - "https://dheatattack.gitlab.io/faq/", - "https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" + "https://curl.se/docs/CVE-2024-9681.html", + "https://curl.se/docs/CVE-2024-9681.json", + "https://hackerone.com/reports/2764830", + "http://seclists.org/fulldisclosure/2025/Apr/10", + 
"http://seclists.org/fulldisclosure/2025/Apr/11", + "http://seclists.org/fulldisclosure/2025/Apr/12", + "http://seclists.org/fulldisclosure/2025/Apr/13", + "http://seclists.org/fulldisclosure/2025/Apr/4", + "http://seclists.org/fulldisclosure/2025/Apr/5", + "http://seclists.org/fulldisclosure/2025/Apr/8", + "http://seclists.org/fulldisclosure/2025/Apr/9", + "http://www.openwall.com/lists/oss-security/2024/11/06/2", + "https://security.netapp.com/advisory/ntap-20241213-0006/" ], - "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", + "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for 
by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.3, + "impactScore": 4.3 + }, + "vendorMetadata": {} + }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} @@ -1231,25 +1198,25 @@ ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ] } ], "matchDetails": [ { - "type": "exact-direct-match", + "type": "exact-indirect-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { 
@@ -1257,21 +1224,21 @@ "version": "9.6" }, "package": { - "name": "openssl", - "version": "1:3.2.2-6.el9_5.1" + "name": "curl", + "version": "7.76.1-31.el9" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-41996", + "vulnerabilityID": "CVE-2024-9681", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "7dc75dc862d10c78", - "name": "openssl", - "version": "1:3.2.2-6.el9_5.1", + "id": "6b7ebba723f3d1d6", + "name": "curl-minimal", + "version": "7.76.1-31.el9", "type": "rpm", "locations": [ { 
@@ -1285,86 +1252,119 @@ ], "language": "", "licenses": [ - "ASL 2.0" + "MIT" ], "cpes": [ - "cpe:2.3:a:openssl:openssl:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:openssl:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*" + "cpe:2.3:a:curl-minimal:curl-minimal:7.76.1-31.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:curl-minimal:curl_minimal:7.76.1-31.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:curl_minimal:curl-minimal:7.76.1-31.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:curl_minimal:curl_minimal:7.76.1-31.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:curl-minimal:7.76.1-31.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:curl_minimal:7.76.1-31.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:curl:curl-minimal:7.76.1-31.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:curl:curl_minimal:7.76.1-31.el9:*:*:*:*:*:*:*" + ], + "purl": "pkg:rpm/redhat/curl-minimal@7.76.1-31.el9?arch=x86_64&distro=rhel-9.6&upstream=curl-7.76.1-31.el9.src.rpm", + "upstreams": [ + { + "name": "curl", + "version": "7.76.1-31.el9" + } ], - "purl": "pkg:rpm/redhat/openssl@3.2.2-6.el9_5.1?arch=x86_64&distro=rhel-9.6&epoch=1&upstream=openssl-3.2.2-6.el9_5.1.src.rpm", - "upstreams": [], "metadataType": "RpmMetadata", "metadata": { - "epoch": 1, + "epoch": null, "modularityLabel": "" } } }, { "vulnerability": { - "id": "CVE-2024-41996", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. 
This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", + "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, - "impactScore": 3.6 + "baseScore": 3.9, + "exploitabilityScore": 1.4, + "impactScore": 2.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ], "fix": { "versions": [], - "state": "wont-fix" + "state": "not-fixed" }, "advisories": [], - "risk": 0.30705000000000005 + "risk": 0.20009999999999997 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-41996", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", "namespace": "nvd:cpe", - "severity": "High", + "severity": "Medium", "urls": [ - "https://dheatattack.gitlab.io/details/", - "https://dheatattack.gitlab.io/faq/", - "https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" + "https://curl.se/docs/CVE-2024-9681.html", + "https://curl.se/docs/CVE-2024-9681.json", + "https://hackerone.com/reports/2764830", + "http://seclists.org/fulldisclosure/2025/Apr/10", + 
"http://seclists.org/fulldisclosure/2025/Apr/11", + "http://seclists.org/fulldisclosure/2025/Apr/12", + "http://seclists.org/fulldisclosure/2025/Apr/13", + "http://seclists.org/fulldisclosure/2025/Apr/4", + "http://seclists.org/fulldisclosure/2025/Apr/5", + "http://seclists.org/fulldisclosure/2025/Apr/8", + "http://seclists.org/fulldisclosure/2025/Apr/9", + "http://www.openwall.com/lists/oss-security/2024/11/06/2", + "https://security.netapp.com/advisory/ntap-20241213-0006/" ], - "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", + "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for 
by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.3, + "impactScore": 4.3 + }, + "vendorMetadata": {} + }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} @@ -1372,18 +1372,18 @@ ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ] } @@ -1398,21 +1398,21 @@ "version": "9.6" }, "package": { - "name": "openssl", - "version": "3.2.2-6.el9_5.1" + "name": "curl", + "version": "7.76.1-31.el9" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-41996", + "vulnerabilityID": "CVE-2024-9681", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "58e683943e8aac02", - "name": "openssl-libs", - "version": "1:3.2.2-6.el9_5.1", + "id": "b20b4850f0fa0e54", + "name": "libcurl-minimal", + "version": "7.76.1-31.el9", "type": "rpm", "locations": [ { 
@@ -1426,28 +1426,28 @@ ], "language": "", "licenses": [ - "ASL 2.0" + "MIT" ], "cpes": [ - "cpe:2.3:a:openssl-libs:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl-libs:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl_libs:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl_libs:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*" + "cpe:2.3:a:libcurl-minimal:libcurl-minimal:7.76.1-31.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl-minimal:libcurl_minimal:7.76.1-31.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl_minimal:libcurl-minimal:7.76.1-31.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl_minimal:libcurl_minimal:7.76.1-31.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl:libcurl-minimal:7.76.1-31.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl:libcurl_minimal:7.76.1-31.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libcurl-minimal:7.76.1-31.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libcurl_minimal:7.76.1-31.el9:*:*:*:*:*:*:*" ], - "purl": "pkg:rpm/redhat/openssl-libs@3.2.2-6.el9_5.1?arch=x86_64&distro=rhel-9.6&epoch=1&upstream=openssl-3.2.2-6.el9_5.1.src.rpm", + "purl": "pkg:rpm/redhat/libcurl-minimal@7.76.1-31.el9?arch=x86_64&distro=rhel-9.6&upstream=curl-7.76.1-31.el9.src.rpm", "upstreams": [ { - "name": "openssl", - "version": "3.2.2-6.el9_5.1" + "name": "curl", + "version": "7.76.1-31.el9" } ], "metadataType": "RpmMetadata", "metadata": { - "epoch": 1, + "epoch": null, "modularityLabel": "" } } @@ -1477,8 +1477,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ], "fix": { 
@@ -1522,8 +1522,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ] } @@ -1617,8 +1617,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ], "fix": { @@ -1662,8 +1662,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ] } @@ -1757,8 +1757,8 @@ { "cve": "CVE-2025-14087", "epss": 0.00197, - "percentile": 0.41855, - "date": "2025-12-14" + "percentile": 0.41841, + "date": "2025-12-15" } ], "cwes": [ @@ -1805,8 +1805,8 @@ { "cve": "CVE-2025-14087", "epss": 0.00197, - "percentile": 0.41855, - "date": "2025-12-14" + "percentile": 0.41841, + "date": "2025-12-15" } ], "cwes": [ 
@@ -1895,22 +1895,187 @@ ], "epss": [ { - "cve": "CVE-2023-32636", - "epss": 0.00165, - "percentile": 0.38062, - "date": "2025-12-14" + "cve": "CVE-2023-32636", + "epss": 0.00165, + "percentile": 0.38035, + "date": "2025-12-15" + } + ], + "cwes": [ + { + "cve": "CVE-2023-32636", + "cwe": "CWE-400", + "source": "secalert@redhat.com", + "type": "Secondary" + }, + { + "cve": "CVE-2023-32636", + "cwe": "CWE-502", + "source": "nvd@nist.gov", + "type": "Primary" + } + ], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [], + "risk": 0.0759 + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-32636", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-32636", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://gitlab.gnome.org/GNOME/glib/-/issues/2841", + "https://https://discourse.gnome.org/t/multiple-fixes-for-gvariant-normalisation-issues-in-glib/12835", + "https://security.netapp.com/advisory/ntap-20231110-0002/" + ], + "description": "A flaw was found in glib, where the gvariant deserialization code is vulnerable to a denial of service introduced by additional input validation added to resolve CVE-2023-29499. The offset table validation may be very slow. 
This bug does not affect any released version of glib but does affect glib distributors who followed the guidance of glib developers to backport the initial fix for CVE-2023-29499.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + }, + { + "source": "secalert@redhat.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 4.7, + "exploitabilityScore": 1.1, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ], + "epss": [ + { + "cve": "CVE-2023-32636", + "epss": 0.00165, + "percentile": 0.38035, + "date": "2025-12-15" + } + ], + "cwes": [ + { + "cve": "CVE-2023-32636", + "cwe": "CWE-400", + "source": "secalert@redhat.com", + "type": "Secondary" + }, + { + "cve": "CVE-2023-32636", + "cwe": "CWE-502", + "source": "nvd@nist.gov", + "type": "Primary" + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "rpm-matcher", + "searchedBy": { + "distro": { + "type": "redhat", + "version": "9.6" + }, + "package": { + "name": "glib2", + "version": "0:2.68.4-16.el9" + }, + "namespace": "redhat:distro:redhat:9" + }, + "found": { + "vulnerabilityID": "CVE-2023-32636", + "versionConstraint": "none (unknown)" + } + } + ], + "artifact": { + "id": "04574712e6ead30e", + "name": "glib2", + "version": "2.68.4-16.el9", + "type": "rpm", + "locations": [ + { + "path": "/var/lib/rpm/rpmdb.sqlite", + "layerID": "sha256:ae5872a20ea86e6a5ad9645ef9a8b10c3a72f912eda3ccbf7db35c7bfa34be38", + "accessPath": "/var/lib/rpm/rpmdb.sqlite", + "annotations": { + "evidence": "primary" + } + } + ], + "language": "", + "licenses": [ + "LGPLv2+" + ], + "cpes": [ + "cpe:2.3:a:redhat:glib2:2.68.4-16.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:glib2:glib2:2.68.4-16.el9:*:*:*:*:*:*:*" + ], + "purl": 
"pkg:rpm/redhat/glib2@2.68.4-16.el9?arch=x86_64&distro=rhel-9.6&upstream=glib2-2.68.4-16.el9.src.rpm", + "upstreams": [], + "metadataType": "RpmMetadata", + "metadata": { + "epoch": null, + "modularityLabel": "" + } + } + }, + { + "vulnerability": { + "id": "CVE-2025-27113", + "dataSource": "https://access.redhat.com/security/cve/CVE-2025-27113", + "namespace": "redhat:distro:redhat:9", + "severity": "Low", + "urls": [], + "description": "A flaw was found in libxml2. This vulnerability allows a NULL pointer dereference, leading to a potential crash or denial of service via a crafted XML pattern.", + "cvss": [ + { + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L", + "metrics": { + "baseScore": 3.1, + "exploitabilityScore": 1.7, + "impactScore": 1.5 + }, + "vendorMetadata": {} + } + ], + "epss": [ + { + "cve": "CVE-2025-27113", + "epss": 0.00217, + "percentile": 0.44238, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2023-32636", - "cwe": "CWE-400", - "source": "secalert@redhat.com", + "cve": "CVE-2025-27113", + "cwe": "CWE-476", + "source": "cve@mitre.org", "type": "Secondary" }, { - "cve": "CVE-2023-32636", - "cwe": "CWE-502", + "cve": "CVE-2025-27113", + "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" } 
@@ -1920,20 +2085,28 @@ "state": "not-fixed" }, "advisories": [], - "risk": 0.0759 + "risk": 0.066185 }, "relatedVulnerabilities": [ { - "id": "CVE-2023-32636", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-32636", + "id": "CVE-2025-27113", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-27113", "namespace": "nvd:cpe", "severity": "High", "urls": [ - "https://gitlab.gnome.org/GNOME/glib/-/issues/2841", - "https://https://discourse.gnome.org/t/multiple-fixes-for-gvariant-normalisation-issues-in-glib/12835", - "https://security.netapp.com/advisory/ntap-20231110-0002/" + "https://gitlab.gnome.org/GNOME/libxml2/-/issues/861", + "http://seclists.org/fulldisclosure/2025/Apr/10", + "http://seclists.org/fulldisclosure/2025/Apr/11", + "http://seclists.org/fulldisclosure/2025/Apr/12", + "http://seclists.org/fulldisclosure/2025/Apr/13", + "http://seclists.org/fulldisclosure/2025/Apr/4", + "http://seclists.org/fulldisclosure/2025/Apr/5", + "http://seclists.org/fulldisclosure/2025/Apr/8", + "http://seclists.org/fulldisclosure/2025/Apr/9", + "https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html", + "https://security.netapp.com/advisory/ntap-20250306-0004/" ], - "description": "A flaw was found in glib, where the gvariant deserialization code is vulnerable to a denial of service introduced by additional input validation added to resolve CVE-2023-29499. The offset table validation may be very slow. This bug does not affect any released version of glib but does affect glib distributors who followed the guidance of glib developers to backport the initial fix for CVE-2023-29499.", + "description": "libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer dereference in xmlPatMatch in pattern.c.", "cvss": [ { "source": "nvd@nist.gov", 
@@ -1948,36 +2121,36 @@ "vendorMetadata": {} }, { - "source": "secalert@redhat.com", + "source": "cve@mitre.org", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "metrics": { - "baseScore": 4.7, - "exploitabilityScore": 1.1, - "impactScore": 3.6 + "baseScore": 2.9, + "exploitabilityScore": 1.5, + "impactScore": 1.5 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2023-32636", - "epss": 0.00165, - "percentile": 0.38062, - "date": "2025-12-14" + "cve": "CVE-2025-27113", + "epss": 0.00217, + "percentile": 0.44238, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2023-32636", - "cwe": "CWE-400", - "source": "secalert@redhat.com", + "cve": "CVE-2025-27113", + "cwe": "CWE-476", + "source": "cve@mitre.org", "type": "Secondary" }, { - "cve": "CVE-2023-32636", - "cwe": "CWE-502", + "cve": "CVE-2025-27113", + "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" } @@ -1994,21 +2167,21 @@ "version": "9.6" }, "package": { - "name": "glib2", - "version": "0:2.68.4-16.el9" + "name": "libxml2", + "version": "0:2.9.13-10.el9_6" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2023-32636", + "vulnerabilityID": "CVE-2025-27113", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "04574712e6ead30e", - "name": "glib2", - "version": "2.68.4-16.el9", + "id": "cad7c140298c7fa1", + "name": "libxml2", + "version": "2.9.13-10.el9_6", "type": "rpm", "locations": [ { 
@@ -2022,13 +2195,13 @@ ], "language": "", "licenses": [ - "LGPLv2+" + "MIT" ], "cpes": [ - "cpe:2.3:a:redhat:glib2:2.68.4-16.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:glib2:glib2:2.68.4-16.el9:*:*:*:*:*:*:*" + "cpe:2.3:a:libxml2:libxml2:2.9.13-10.el9_6:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libxml2:2.9.13-10.el9_6:*:*:*:*:*:*:*" ], - "purl": "pkg:rpm/redhat/glib2@2.68.4-16.el9?arch=x86_64&distro=rhel-9.6&upstream=glib2-2.68.4-16.el9.src.rpm", + "purl": "pkg:rpm/redhat/libxml2@2.9.13-10.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libxml2-2.9.13-10.el9_6.src.rpm", "upstreams": [], "metadataType": "RpmMetadata", "metadata": { @@ -2062,8 +2235,8 @@ { "cve": "CVE-2025-32990", "epss": 0.0011, - "percentile": 0.30071, - "date": "2025-12-14" + "percentile": 0.3004, + "date": "2025-12-15" } ], "cwes": [ @@ -2146,8 +2319,8 @@ { "cve": "CVE-2025-32990", "epss": 0.0011, - "percentile": 0.30071, - "date": "2025-12-14" + "percentile": 0.3004, + "date": "2025-12-15" } ], "cwes": [ @@ -2241,8 +2414,8 @@ { "cve": "CVE-2025-1632", "epss": 0.00188, - "percentile": 0.40872, - "date": "2025-12-14" + "percentile": 0.40856, + "date": "2025-12-15" } ], "cwes": [ @@ -2337,8 +2510,8 @@ { "cve": "CVE-2025-1632", "epss": 0.00188, - "percentile": 0.40872, - "date": "2025-12-14" + "percentile": 0.40856, + "date": "2025-12-15" } ], "cwes": [ @@ -2441,8 +2614,8 @@ { "cve": "CVE-2025-4373", "epss": 0.00119, - "percentile": 0.31646, - "date": "2025-12-14" + "percentile": 0.31597, + "date": "2025-12-15" } ], "cwes": [ 
@@ -2472,236 +2645,60 @@ "link": "https://access.redhat.com/errata/RHSA-2025:11140" } ], - "risk": 0.05831 - }, - "relatedVulnerabilities": [ - { - "id": "CVE-2025-4373", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-4373", - "namespace": "nvd:cpe", - "severity": "Medium", - "urls": [ - "https://access.redhat.com/errata/RHSA-2025:10855", - "https://access.redhat.com/errata/RHSA-2025:11140", - "https://access.redhat.com/errata/RHSA-2025:11327", - "https://access.redhat.com/errata/RHSA-2025:11373", - "https://access.redhat.com/errata/RHSA-2025:11374", - "https://access.redhat.com/errata/RHSA-2025:11662", - "https://access.redhat.com/errata/RHSA-2025:12275", - "https://access.redhat.com/errata/RHSA-2025:13335", - "https://access.redhat.com/errata/RHSA-2025:14988", - "https://access.redhat.com/errata/RHSA-2025:14989", - "https://access.redhat.com/errata/RHSA-2025:14990", - "https://access.redhat.com/errata/RHSA-2025:14991", - "https://access.redhat.com/security/cve/CVE-2025-4373", - "https://bugzilla.redhat.com/show_bug.cgi?id=2364265", - "https://gitlab.gnome.org/GNOME/glib/-/issues/3677" - ], - "description": "A flaw was found in GLib, which is vulnerable to an integer overflow in the g_string_insert_unichar() function. 
When the position at which to insert the character is large, the position will overflow, leading to a buffer underwrite.", - "cvss": [ - { - "source": "secalert@redhat.com", - "type": "Secondary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L", - "metrics": { - "baseScore": 4.8, - "exploitabilityScore": 2.3, - "impactScore": 2.6 - }, - "vendorMetadata": {} - } - ], - "epss": [ - { - "cve": "CVE-2025-4373", - "epss": 0.00119, - "percentile": 0.31646, - "date": "2025-12-14" - } - ], - "cwes": [ - { - "cve": "CVE-2025-4373", - "cwe": "CWE-124", - "source": "secalert@redhat.com", - "type": "Secondary" - } - ] - } - ], - "matchDetails": [ - { - "type": "exact-direct-match", - "matcher": "rpm-matcher", - "searchedBy": { - "distro": { - "type": "redhat", - "version": "9.6" - }, - "package": { - "name": "glib2", - "version": "0:2.68.4-16.el9" - }, - "namespace": "redhat:distro:redhat:9" - }, - "found": { - "vulnerabilityID": "CVE-2025-4373", - "versionConstraint": "< 0:2.68.4-16.el9_6.2 (rpm)" - }, - "fix": { - "suggestedVersion": "0:2.68.4-16.el9_6.2" - } - } - ], - "artifact": { - "id": "04574712e6ead30e", - "name": "glib2", - "version": "2.68.4-16.el9", - "type": "rpm", - "locations": [ - { - "path": "/var/lib/rpm/rpmdb.sqlite", - "layerID": "sha256:ae5872a20ea86e6a5ad9645ef9a8b10c3a72f912eda3ccbf7db35c7bfa34be38", - "accessPath": "/var/lib/rpm/rpmdb.sqlite", - "annotations": { - "evidence": "primary" - } - } - ], - "language": "", - "licenses": [ - "LGPLv2+" - ], - "cpes": [ - "cpe:2.3:a:redhat:glib2:2.68.4-16.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:glib2:glib2:2.68.4-16.el9:*:*:*:*:*:*:*" - ], - "purl": "pkg:rpm/redhat/glib2@2.68.4-16.el9?arch=x86_64&distro=rhel-9.6&upstream=glib2-2.68.4-16.el9.src.rpm", - "upstreams": [], - "metadataType": "RpmMetadata", - "metadata": { - "epoch": null, - "modularityLabel": "" - } - } - }, - { - "vulnerability": { - "id": "CVE-2025-27113", - "dataSource": 
"https://access.redhat.com/security/cve/CVE-2025-27113", - "namespace": "redhat:distro:redhat:9", - "severity": "Low", - "urls": [], - "description": "A flaw was found in libxml2. This vulnerability allows a NULL pointer dereference, leading to a potential crash or denial of service via a crafted XML pattern.", - "cvss": [ - { - "type": "Secondary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L", - "metrics": { - "baseScore": 3.1, - "exploitabilityScore": 1.7, - "impactScore": 1.5 - }, - "vendorMetadata": {} - } - ], - "epss": [ - { - "cve": "CVE-2025-27113", - "epss": 0.00184, - "percentile": 0.40434, - "date": "2025-12-14" - } - ], - "cwes": [ - { - "cve": "CVE-2025-27113", - "cwe": "CWE-476", - "source": "cve@mitre.org", - "type": "Secondary" - }, - { - "cve": "CVE-2025-27113", - "cwe": "CWE-476", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "fix": { - "versions": [], - "state": "not-fixed" - }, - "advisories": [], - "risk": 0.056119999999999996 - }, - "relatedVulnerabilities": [ - { - "id": "CVE-2025-27113", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-27113", - "namespace": "nvd:cpe", - "severity": "High", - "urls": [ - "https://gitlab.gnome.org/GNOME/libxml2/-/issues/861", - "http://seclists.org/fulldisclosure/2025/Apr/10", - "http://seclists.org/fulldisclosure/2025/Apr/11", - "http://seclists.org/fulldisclosure/2025/Apr/12", - "http://seclists.org/fulldisclosure/2025/Apr/13", - "http://seclists.org/fulldisclosure/2025/Apr/4", - "http://seclists.org/fulldisclosure/2025/Apr/5", - "http://seclists.org/fulldisclosure/2025/Apr/8", - "http://seclists.org/fulldisclosure/2025/Apr/9", - "https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html", - "https://security.netapp.com/advisory/ntap-20250306-0004/" + "risk": 0.05831 + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2025-4373", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-4373", + "namespace": "nvd:cpe", + "severity": 
"Medium", + "urls": [ + "https://access.redhat.com/errata/RHSA-2025:10855", + "https://access.redhat.com/errata/RHSA-2025:11140", + "https://access.redhat.com/errata/RHSA-2025:11327", + "https://access.redhat.com/errata/RHSA-2025:11373", + "https://access.redhat.com/errata/RHSA-2025:11374", + "https://access.redhat.com/errata/RHSA-2025:11662", + "https://access.redhat.com/errata/RHSA-2025:12275", + "https://access.redhat.com/errata/RHSA-2025:13335", + "https://access.redhat.com/errata/RHSA-2025:14988", + "https://access.redhat.com/errata/RHSA-2025:14989", + "https://access.redhat.com/errata/RHSA-2025:14990", + "https://access.redhat.com/errata/RHSA-2025:14991", + "https://access.redhat.com/security/cve/CVE-2025-4373", + "https://bugzilla.redhat.com/show_bug.cgi?id=2364265", + "https://gitlab.gnome.org/GNOME/glib/-/issues/3677" ], - "description": "libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer dereference in xmlPatMatch in pattern.c.", + "description": "A flaw was found in GLib, which is vulnerable to an integer overflow in the g_string_insert_unichar() function. 
When the position at which to insert the character is large, the position will overflow, leading to a buffer underwrite.", "cvss": [ { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, - "impactScore": 3.6 - }, - "vendorMetadata": {} - }, - { - "source": "cve@mitre.org", + "source": "secalert@redhat.com", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L", "metrics": { - "baseScore": 2.9, - "exploitabilityScore": 1.5, - "impactScore": 1.5 + "baseScore": 4.8, + "exploitabilityScore": 2.3, + "impactScore": 2.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2025-27113", - "epss": 0.00184, - "percentile": 0.40434, - "date": "2025-12-14" + "cve": "CVE-2025-4373", + "epss": 0.00119, + "percentile": 0.31597, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-27113", - "cwe": "CWE-476", - "source": "cve@mitre.org", + "cve": "CVE-2025-4373", + "cwe": "CWE-124", + "source": "secalert@redhat.com", "type": "Secondary" - }, - { - "cve": "CVE-2025-27113", - "cwe": "CWE-476", - "source": "nvd@nist.gov", - "type": "Primary" } ] } @@ -2716,21 +2713,24 @@ "version": "9.6" }, "package": { - "name": "libxml2", - "version": "0:2.9.13-10.el9_6" + "name": "glib2", + "version": "0:2.68.4-16.el9" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2025-27113", - "versionConstraint": "none (unknown)" + "vulnerabilityID": "CVE-2025-4373", + "versionConstraint": "< 0:2.68.4-16.el9_6.2 (rpm)" + }, + "fix": { + "suggestedVersion": "0:2.68.4-16.el9_6.2" } } ], "artifact": { - "id": "cad7c140298c7fa1", - "name": "libxml2", - "version": "2.9.13-10.el9_6", + "id": "04574712e6ead30e", + "name": "glib2", + "version": "2.68.4-16.el9", "type": "rpm", "locations": [ { 
@@ -2744,13 +2744,13 @@ ], "language": "", "licenses": [ - "MIT" + "LGPLv2+" ], "cpes": [ - "cpe:2.3:a:libxml2:libxml2:2.9.13-10.el9_6:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libxml2:2.9.13-10.el9_6:*:*:*:*:*:*:*" + "cpe:2.3:a:redhat:glib2:2.68.4-16.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:glib2:glib2:2.68.4-16.el9:*:*:*:*:*:*:*" ], - "purl": "pkg:rpm/redhat/libxml2@2.9.13-10.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libxml2-2.9.13-10.el9_6.src.rpm", + "purl": "pkg:rpm/redhat/glib2@2.68.4-16.el9?arch=x86_64&distro=rhel-9.6&upstream=glib2-2.68.4-16.el9.src.rpm", "upstreams": [], "metadataType": "RpmMetadata", "metadata": { @@ -2784,8 +2784,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ], "fix": { @@ -2826,8 +2826,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ] } @@ -2921,8 +2921,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ], "fix": { @@ -2963,8 +2963,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ] } @@ -3058,8 +3058,8 @@ { "cve": "CVE-2025-32988", "epss": 0.00083, - "percentile": 0.24589, - "date": "2025-12-14" + "percentile": 0.24562, + "date": "2025-12-15" } ], "cwes": [ @@ -3142,8 +3142,8 @@ { "cve": "CVE-2025-32988", "epss": 0.00083, - "percentile": 0.24589, - "date": "2025-12-14" + "percentile": 0.24562, + "date": "2025-12-15" } ], "cwes": [ @@ -3237,8 +3237,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ 
@@ -3296,8 +3296,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -3388,8 +3388,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -3447,8 +3447,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -3550,8 +3550,8 @@ { "cve": "CVE-2025-5914", "epss": 0.00054, - "percentile": 0.17051, - "date": "2025-12-14" + "percentile": 0.17023, + "date": "2025-12-15" } ], "cwes": [ @@ -3651,8 +3651,8 @@ { "cve": "CVE-2025-5914", "epss": 0.00054, - "percentile": 0.17051, - "date": "2025-12-14" + "percentile": 0.17023, + "date": "2025-12-15" } ], "cwes": [ @@ -3746,8 +3746,8 @@ { "cve": "CVE-2025-4207", "epss": 0.00067, - "percentile": 0.2082, - "date": "2025-12-14" + "percentile": 0.20798, + "date": "2025-12-15" } ], "cwes": [ @@ -3795,8 +3795,8 @@ { "cve": "CVE-2025-4207", "epss": 0.00067, - "percentile": 0.2082, - "date": "2025-12-14" + "percentile": 0.20798, + "date": "2025-12-15" } ], "cwes": [ @@ -3887,8 +3887,8 @@ { "cve": "CVE-2022-29458", "epss": 0.00079, - "percentile": 0.23835, - "date": "2025-12-14" + "percentile": 0.23812, + "date": "2025-12-15" } ], "cwes": [ @@ -3983,8 +3983,8 @@ { "cve": "CVE-2022-29458", "epss": 0.00079, - "percentile": 0.23835, - "date": "2025-12-14" + "percentile": 0.23812, + "date": "2025-12-15" } ], "cwes": [ @@ -4095,8 +4095,8 @@ { "cve": "CVE-2022-29458", "epss": 0.00079, - "percentile": 0.23835, - "date": "2025-12-14" + "percentile": 0.23812, + "date": "2025-12-15" } ], "cwes": [ 
@@ -4128,84 +4128,237 @@ }, "advisories": [ { - "id": "RHSA-2025:12876", - "link": "https://access.redhat.com/errata/RHSA-2025:12876" + "id": "RHSA-2025:12876", + "link": "https://access.redhat.com/errata/RHSA-2025:12876" + } + ], + "risk": 0.035945 + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-29458", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-29458", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://seclists.org/fulldisclosure/2022/Oct/28", + "http://seclists.org/fulldisclosure/2022/Oct/41", + "https://lists.debian.org/debian-lts-announce/2022/10/msg00037.html", + "https://lists.gnu.org/archive/html/bug-ncurses/2022-04/msg00014.html", + "https://lists.gnu.org/archive/html/bug-ncurses/2022-04/msg00016.html", + "https://support.apple.com/kb/HT213488" + ], + "description": "ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H", + "metrics": { + "baseScore": 7.1, + "exploitabilityScore": 1.9, + "impactScore": 5.2 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:P", + "metrics": { + "baseScore": 5.8, + "exploitabilityScore": 8.6, + "impactScore": 5 + }, + "vendorMetadata": {} + }, + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H", + "metrics": { + "baseScore": 7.1, + "exploitabilityScore": 1.9, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ], + "epss": [ + { + "cve": "CVE-2022-29458", + "epss": 0.00079, + "percentile": 0.23812, + "date": "2025-12-15" + } + ], + "cwes": [ + { + "cve": "CVE-2022-29458", + "cwe": "CWE-125", + "source": "nvd@nist.gov", + "type": "Primary" + }, 
+ { + "cve": "CVE-2022-29458", + "cwe": "CWE-125", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "rpm-matcher", + "searchedBy": { + "distro": { + "type": "redhat", + "version": "9.6" + }, + "package": { + "name": "ncurses", + "version": "6.2-10.20210508.el9" + }, + "namespace": "redhat:distro:redhat:9" + }, + "found": { + "vulnerabilityID": "CVE-2022-29458", + "versionConstraint": "< 0:6.2-10.20210508.el9_6.2 (rpm)" + }, + "fix": { + "suggestedVersion": "0:6.2-10.20210508.el9_6.2" + } + } + ], + "artifact": { + "id": "f3ef10418ec3cca6", + "name": "ncurses-libs", + "version": "6.2-10.20210508.el9", + "type": "rpm", + "locations": [ + { + "path": "/var/lib/rpm/rpmdb.sqlite", + "layerID": "sha256:ae5872a20ea86e6a5ad9645ef9a8b10c3a72f912eda3ccbf7db35c7bfa34be38", + "accessPath": "/var/lib/rpm/rpmdb.sqlite", + "annotations": { + "evidence": "primary" + } + } + ], + "language": "", + "licenses": [ + "MIT" + ], + "cpes": [ + "cpe:2.3:a:ncurses-libs:ncurses-libs:6.2-10.20210508.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:ncurses-libs:ncurses_libs:6.2-10.20210508.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:ncurses_libs:ncurses-libs:6.2-10.20210508.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:ncurses_libs:ncurses_libs:6.2-10.20210508.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:ncurses:ncurses-libs:6.2-10.20210508.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:ncurses:ncurses_libs:6.2-10.20210508.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:ncurses-libs:6.2-10.20210508.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:ncurses_libs:6.2-10.20210508.el9:*:*:*:*:*:*:*" + ], + "purl": "pkg:rpm/redhat/ncurses-libs@6.2-10.20210508.el9?arch=x86_64&distro=rhel-9.6&upstream=ncurses-6.2-10.20210508.el9.src.rpm", + "upstreams": [ + { + "name": "ncurses", + "version": "6.2-10.20210508.el9" + } + ], + "metadataType": "RpmMetadata", + "metadata": { + "epoch": null, + "modularityLabel": "" + } + } + }, + { + "vulnerability": { + "id": 
"CVE-2025-12818", + "dataSource": "https://access.redhat.com/security/cve/CVE-2025-12818", + "namespace": "redhat:distro:redhat:9", + "severity": "Medium", + "urls": [], + "description": "A vulnerability has been identified in PostgreSQL’s libpq client library, where integer wraparound in several allocation-size calculations allows a peer or input provider to cause an undersized buffer and then write out-of-bounds by hundreds of megabytes. This can lead to a client application segmentation fault or crash when using libpq to connect to a PostgreSQL server.", + "cvss": [ + { + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ], + "epss": [ + { + "cve": "CVE-2025-12818", + "epss": 0.00057, + "percentile": 0.1792, + "date": "2025-12-15" } ], - "risk": 0.035945 + "cwes": [ + { + "cve": "CVE-2025-12818", + "cwe": "CWE-190", + "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", + "type": "Secondary" + } + ], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [], + "risk": 0.035625000000000004 }, "relatedVulnerabilities": [ { - "id": "CVE-2022-29458", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-29458", + "id": "CVE-2025-12818", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-12818", "namespace": "nvd:cpe", - "severity": "High", + "severity": "Medium", "urls": [ - "http://seclists.org/fulldisclosure/2022/Oct/28", - "http://seclists.org/fulldisclosure/2022/Oct/41", - "https://lists.debian.org/debian-lts-announce/2022/10/msg00037.html", - "https://lists.gnu.org/archive/html/bug-ncurses/2022-04/msg00014.html", - "https://lists.gnu.org/archive/html/bug-ncurses/2022-04/msg00016.html", - "https://support.apple.com/kb/HT213488" + "https://www.postgresql.org/support/security/CVE-2025-12818/" ], - "description": "ncurses 6.3 before patch 20220416 has an out-of-bounds 
read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library.", + "description": "Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application using libpq. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.", "cvss": [ { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H", - "metrics": { - "baseScore": 7.1, - "exploitabilityScore": 1.9, - "impactScore": 5.2 - }, - "vendorMetadata": {} - }, - { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "2.0", - "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:P", - "metrics": { - "baseScore": 5.8, - "exploitabilityScore": 8.6, - "impactScore": 5 - }, - "vendorMetadata": {} - }, - { - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 7.1, - "exploitabilityScore": 1.9, - "impactScore": 5.2 + "baseScore": 5.9, + "exploitabilityScore": 2.3, + "impactScore": 3.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2022-29458", - "epss": 0.00079, - "percentile": 0.23835, - "date": "2025-12-14" + "cve": "CVE-2025-12818", + "epss": 0.00057, + "percentile": 0.1792, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2022-29458", - "cwe": "CWE-125", - "source": "nvd@nist.gov", - "type": "Primary" - }, - { - "cve": "CVE-2022-29458", - "cwe": "CWE-125", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "cve": "CVE-2025-12818", + "cwe": "CWE-190", + "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "type": "Secondary" } ] 
@@ -4213,7 +4366,7 @@ ], "matchDetails": [ { - "type": "exact-indirect-match", + "type": "exact-direct-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { @@ -4221,24 +4374,21 @@ "version": "9.6" }, "package": { - "name": "ncurses", - "version": "6.2-10.20210508.el9" + "name": "libpq", + "version": "0:13.20-1.el9_5" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2022-29458", - "versionConstraint": "< 0:6.2-10.20210508.el9_6.2 (rpm)" - }, - "fix": { - "suggestedVersion": "0:6.2-10.20210508.el9_6.2" + "vulnerabilityID": "CVE-2025-12818", + "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "f3ef10418ec3cca6", - "name": "ncurses-libs", - "version": "6.2-10.20210508.el9", + "id": "9e9440b1f6d978f7", + "name": "libpq", + "version": "13.20-1.el9_5", "type": "rpm", "locations": [ { 
@@ -4252,25 +4402,14 @@ ], "language": "", "licenses": [ - "MIT" + "PostgreSQL" ], "cpes": [ - "cpe:2.3:a:ncurses-libs:ncurses-libs:6.2-10.20210508.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:ncurses-libs:ncurses_libs:6.2-10.20210508.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:ncurses_libs:ncurses-libs:6.2-10.20210508.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:ncurses_libs:ncurses_libs:6.2-10.20210508.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:ncurses:ncurses-libs:6.2-10.20210508.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:ncurses:ncurses_libs:6.2-10.20210508.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:ncurses-libs:6.2-10.20210508.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:ncurses_libs:6.2-10.20210508.el9:*:*:*:*:*:*:*" - ], - "purl": "pkg:rpm/redhat/ncurses-libs@6.2-10.20210508.el9?arch=x86_64&distro=rhel-9.6&upstream=ncurses-6.2-10.20210508.el9.src.rpm", - "upstreams": [ - { - "name": "ncurses", - "version": "6.2-10.20210508.el9" - } + "cpe:2.3:a:redhat:libpq:13.20-1.el9_5:*:*:*:*:*:*:*", + "cpe:2.3:a:libpq:libpq:13.20-1.el9_5:*:*:*:*:*:*:*" ], + "purl": "pkg:rpm/redhat/libpq@13.20-1.el9_5?arch=x86_64&distro=rhel-9.6&upstream=libpq-13.20-1.el9_5.src.rpm", + "upstreams": [], "metadataType": "RpmMetadata", "metadata": { "epoch": null, @@ -4303,8 +4442,8 @@ { "cve": "CVE-2025-6395", "epss": 0.00059, - "percentile": 0.18686, - "date": "2025-12-14" + "percentile": 0.18672, + "date": "2025-12-15" } ], "cwes": [ @@ -4375,8 +4514,8 @@ { "cve": "CVE-2025-6395", "epss": 0.00059, - "percentile": 0.18686, - "date": "2025-12-14" + "percentile": 0.18672, + "date": "2025-12-15" } ], "cwes": [ @@ -4470,8 +4609,8 @@ { "cve": "CVE-2023-45322", "epss": 0.00076, - "percentile": 0.23163, - "date": "2025-12-14" + "percentile": 0.2314, + "date": "2025-12-15" } ], "cwes": [ @@ -4520,8 +4659,8 @@ { "cve": "CVE-2023-45322", "epss": 0.00076, - "percentile": 0.23163, - "date": "2025-12-14" + "percentile": 0.2314, + "date": "2025-12-15" } ], "cwes": [ 
@@ -4587,145 +4726,6 @@ } } }, - { - "vulnerability": { - "id": "CVE-2025-12818", - "dataSource": "https://access.redhat.com/security/cve/CVE-2025-12818", - "namespace": "redhat:distro:redhat:9", - "severity": "Medium", - "urls": [], - "description": "A vulnerability has been identified in PostgreSQL’s libpq client library, where integer wraparound in several allocation-size calculations allows a peer or input provider to cause an undersized buffer and then write out-of-bounds by hundreds of megabytes. This can lead to a client application segmentation fault or crash when using libpq to connect to a PostgreSQL server.", - "cvss": [ - { - "type": "Secondary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, - "impactScore": 3.6 - }, - "vendorMetadata": {} - } - ], - "epss": [ - { - "cve": "CVE-2025-12818", - "epss": 0.00052, - "percentile": 0.16429, - "date": "2025-12-14" - } - ], - "cwes": [ - { - "cve": "CVE-2025-12818", - "cwe": "CWE-190", - "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", - "type": "Secondary" - } - ], - "fix": { - "versions": [], - "state": "not-fixed" - }, - "advisories": [], - "risk": 0.0325 - }, - "relatedVulnerabilities": [ - { - "id": "CVE-2025-12818", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-12818", - "namespace": "nvd:cpe", - "severity": "Medium", - "urls": [ - "https://www.postgresql.org/support/security/CVE-2025-12818/" - ], - "description": "Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application using libpq. 
Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.", - "cvss": [ - { - "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", - "type": "Secondary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", - "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, - "impactScore": 3.6 - }, - "vendorMetadata": {} - } - ], - "epss": [ - { - "cve": "CVE-2025-12818", - "epss": 0.00052, - "percentile": 0.16429, - "date": "2025-12-14" - } - ], - "cwes": [ - { - "cve": "CVE-2025-12818", - "cwe": "CWE-190", - "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", - "type": "Secondary" - } - ] - } - ], - "matchDetails": [ - { - "type": "exact-direct-match", - "matcher": "rpm-matcher", - "searchedBy": { - "distro": { - "type": "redhat", - "version": "9.6" - }, - "package": { - "name": "libpq", - "version": "0:13.20-1.el9_5" - }, - "namespace": "redhat:distro:redhat:9" - }, - "found": { - "vulnerabilityID": "CVE-2025-12818", - "versionConstraint": "none (unknown)" - } - } - ], - "artifact": { - "id": "9e9440b1f6d978f7", - "name": "libpq", - "version": "13.20-1.el9_5", - "type": "rpm", - "locations": [ - { - "path": "/var/lib/rpm/rpmdb.sqlite", - "layerID": "sha256:ae5872a20ea86e6a5ad9645ef9a8b10c3a72f912eda3ccbf7db35c7bfa34be38", - "accessPath": "/var/lib/rpm/rpmdb.sqlite", - "annotations": { - "evidence": "primary" - } - } - ], - "language": "", - "licenses": [ - "PostgreSQL" - ], - "cpes": [ - "cpe:2.3:a:redhat:libpq:13.20-1.el9_5:*:*:*:*:*:*:*", - "cpe:2.3:a:libpq:libpq:13.20-1.el9_5:*:*:*:*:*:*:*" - ], - "purl": "pkg:rpm/redhat/libpq@13.20-1.el9_5?arch=x86_64&distro=rhel-9.6&upstream=libpq-13.20-1.el9_5.src.rpm", - "upstreams": [], - "metadataType": "RpmMetadata", - "metadata": { - "epoch": null, - "modularityLabel": "" - } - } - }, { "vulnerability": { "id": "CVE-2025-32989", 
@@ -4751,8 +4751,8 @@ { "cve": "CVE-2025-32989", "epss": 0.00055, - "percentile": 0.17349, - "date": "2025-12-14" + "percentile": 0.17321, + "date": "2025-12-15" } ], "cwes": [ @@ -4821,8 +4821,8 @@ { "cve": "CVE-2025-32989", "epss": 0.00055, - "percentile": 0.17349, - "date": "2025-12-14" + "percentile": 0.17321, + "date": "2025-12-15" } ], "cwes": [ @@ -4916,8 +4916,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -4964,8 +4964,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -5056,8 +5056,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -5104,8 +5104,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -5207,8 +5207,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ], "fix": { @@ -5250,8 +5250,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ] } @@ -5345,8 +5345,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ], "fix": { @@ -5388,8 +5388,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ] } @@ -5483,8 +5483,8 @@ { "cve": "CVE-2025-3360", "epss": 0.00068, - "percentile": 0.2117, - "date": "2025-12-14" + "percentile": 0.21148, + "date": "2025-12-15" } ], "cwes": [ 
@@ -5532,8 +5532,8 @@ { "cve": "CVE-2025-3360", "epss": 0.00068, - "percentile": 0.2117, - "date": "2025-12-14" + "percentile": 0.21148, + "date": "2025-12-15" } ], "cwes": [ @@ -5624,8 +5624,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -5685,8 +5685,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -5782,8 +5782,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -5843,8 +5843,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -5940,8 +5940,8 @@ { "cve": "CVE-2025-32414", "epss": 0.0004, - "percentile": 0.12023, - "date": "2025-12-14" + "percentile": 0.1197, + "date": "2025-12-15" } ], "cwes": [ @@ -6020,8 +6020,8 @@ { "cve": "CVE-2025-32414", "epss": 0.0004, - "percentile": 0.12023, - "date": "2025-12-14" + "percentile": 0.1197, + "date": "2025-12-15" } ], "cwes": [ @@ -6121,8 +6121,8 @@ { "cve": "CVE-2025-4598", "epss": 0.00042, - "percentile": 0.12535, - "date": "2025-12-14" + "percentile": 0.12486, + "date": "2025-12-15" } ], "cwes": [ @@ -6194,8 +6194,8 @@ { "cve": "CVE-2025-4598", "epss": 0.00042, - "percentile": 0.12535, - "date": "2025-12-14" + "percentile": 0.12486, + "date": "2025-12-15" } ], "cwes": [ @@ -6300,8 +6300,8 @@ { "cve": "CVE-2025-14512", "epss": 0.00034, - "percentile": 0.09609, - "date": "2025-12-14" + "percentile": 0.09535, + "date": "2025-12-15" } ], "cwes": [ @@ -6348,8 +6348,8 @@ { "cve": "CVE-2025-14512", "epss": 0.00034, - "percentile": 0.09609, - "date": "2025-12-14" + "percentile": 0.09535, + "date": "2025-12-15" } ], "cwes": [ 
@@ -6443,8 +6443,8 @@ { "cve": "CVE-2025-29478", "epss": 0.00034, - "percentile": 0.09478, - "date": "2025-12-14" + "percentile": 0.09393, + "date": "2025-12-15" } ], "cwes": [ @@ -6535,8 +6535,8 @@ { "cve": "CVE-2025-7425", "epss": 0.00022, - "percentile": 0.05026, - "date": "2025-12-14" + "percentile": 0.04984, + "date": "2025-12-15" } ], "cwes": [ @@ -6631,8 +6631,8 @@ { "cve": "CVE-2025-7425", "epss": 0.00022, - "percentile": 0.05026, - "date": "2025-12-14" + "percentile": 0.04984, + "date": "2025-12-15" } ], "cwes": [ @@ -6726,8 +6726,8 @@ { "cve": "CVE-2025-6965", "epss": 0.00022, - "percentile": 0.05249, - "date": "2025-12-14" + "percentile": 0.05222, + "date": "2025-12-15" } ], "cwes": [ @@ -6803,8 +6803,8 @@ { "cve": "CVE-2025-6965", "epss": 0.00022, - "percentile": 0.05249, - "date": "2025-12-14" + "percentile": 0.05222, + "date": "2025-12-15" } ], "cwes": [ @@ -6909,8 +6909,8 @@ { "cve": "CVE-2025-32415", "epss": 0.00024, - "percentile": 0.05699, - "date": "2025-12-14" + "percentile": 0.05692, + "date": "2025-12-15" } ], "cwes": [ @@ -6989,8 +6989,8 @@ { "cve": "CVE-2025-32415", "epss": 0.00024, - "percentile": 0.05699, - "date": "2025-12-14" + "percentile": 0.05692, + "date": "2025-12-15" } ], "cwes": [ @@ -7090,8 +7090,8 @@ { "cve": "CVE-2025-8058", "epss": 0.00031, - "percentile": 0.08295, - "date": "2025-12-14" + "percentile": 0.08225, + "date": "2025-12-15" } ], "cwes": [ @@ -7151,8 +7151,8 @@ { "cve": "CVE-2025-8058", "epss": 0.00031, - "percentile": 0.08295, - "date": "2025-12-14" + "percentile": 0.08225, + "date": "2025-12-15" } ], "cwes": [ @@ -7246,8 +7246,8 @@ { "cve": "CVE-2025-8058", "epss": 0.00031, - "percentile": 0.08295, - "date": "2025-12-14" + "percentile": 0.08225, + "date": "2025-12-15" } ], "cwes": [ @@ -7307,8 +7307,8 @@ { "cve": "CVE-2025-8058", "epss": 0.00031, - "percentile": 0.08295, - "date": "2025-12-14" + "percentile": 0.08225, + "date": "2025-12-15" } ], "cwes": [ 
@@ -7413,8 +7413,8 @@ { "cve": "CVE-2025-8058", "epss": 0.00031, - "percentile": 0.08295, - "date": "2025-12-14" + "percentile": 0.08225, + "date": "2025-12-15" } ], "cwes": [ @@ -7474,8 +7474,8 @@ { "cve": "CVE-2025-8058", "epss": 0.00031, - "percentile": 0.08295, - "date": "2025-12-14" + "percentile": 0.08225, + "date": "2025-12-15" } ], "cwes": [ @@ -7584,8 +7584,8 @@ { "cve": "CVE-2025-8058", "epss": 0.00031, - "percentile": 0.08295, - "date": "2025-12-14" + "percentile": 0.08225, + "date": "2025-12-15" } ], "cwes": [ @@ -7645,8 +7645,8 @@ { "cve": "CVE-2025-8058", "epss": 0.00031, - "percentile": 0.08295, - "date": "2025-12-14" + "percentile": 0.08225, + "date": "2025-12-15" } ], "cwes": [ @@ -7755,8 +7755,8 @@ { "cve": "CVE-2023-4156", "epss": 0.00031, - "percentile": 0.08475, - "date": "2025-12-14" + "percentile": 0.08405, + "date": "2025-12-15" } ], "cwes": [ @@ -7821,8 +7821,8 @@ { "cve": "CVE-2023-4156", "epss": 0.00031, - "percentile": 0.08475, - "date": "2025-12-14" + "percentile": 0.08405, + "date": "2025-12-15" } ], "cwes": [ @@ -7919,8 +7919,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ @@ -7995,8 +7995,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ @@ -8096,8 +8096,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ @@ -8172,8 +8172,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ @@ -8284,8 +8284,8 @@ { "cve": "CVE-2025-9714", "epss": 0.00024, - "percentile": 0.05691, - "date": "2025-12-14" + "percentile": 0.05683, + "date": "2025-12-15" } ], "cwes": [ 
@@ -8358,8 +8358,8 @@ { "cve": "CVE-2025-9714", "epss": 0.00024, - "percentile": 0.05691, - "date": "2025-12-14" + "percentile": 0.05683, + "date": "2025-12-15" } ], "cwes": [ @@ -8453,8 +8453,8 @@ { "cve": "CVE-2025-60753", "epss": 0.0002, - "percentile": 0.04699, - "date": "2025-12-14" + "percentile": 0.04656, + "date": "2025-12-15" } ], "cwes": [ @@ -8507,8 +8507,8 @@ { "cve": "CVE-2025-60753", "epss": 0.0002, - "percentile": 0.04699, - "date": "2025-12-14" + "percentile": 0.04656, + "date": "2025-12-15" } ], "cwes": [ @@ -8608,8 +8608,8 @@ { "cve": "CVE-2025-29477", "epss": 0.00019, - "percentile": 0.04132, - "date": "2025-12-14" + "percentile": 0.04084, + "date": "2025-12-15" } ], "cwes": [ @@ -8700,8 +8700,8 @@ { "cve": "CVE-2025-13601", "epss": 0.00015, - "percentile": 0.02458, - "date": "2025-12-14" + "percentile": 0.0245, + "date": "2025-12-15" } ], "cwes": [ @@ -8750,8 +8750,8 @@ { "cve": "CVE-2025-13601", "epss": 0.00015, - "percentile": 0.02458, - "date": "2025-12-14" + "percentile": 0.0245, + "date": "2025-12-15" } ], "cwes": [ @@ -8842,8 +8842,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ], "fix": { @@ -8884,8 +8884,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ] } @@ -8979,8 +8979,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ], "fix": { @@ -9021,8 +9021,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ] } @@ -9116,8 +9116,8 @@ { "cve": "CVE-2025-5915", "epss": 0.00026, - "percentile": 0.06449, - "date": "2025-12-14" + "percentile": 0.06425, + "date": "2025-12-15" } ], "cwes": [ 
@@ -9178,8 +9178,8 @@ { "cve": "CVE-2025-5915", "epss": 0.00026, - "percentile": 0.06449, - "date": "2025-12-14" + "percentile": 0.06425, + "date": "2025-12-15" } ], "cwes": [ @@ -9270,8 +9270,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -9323,8 +9323,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -9415,8 +9415,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -9468,8 +9468,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -9571,8 +9571,8 @@ { "cve": "CVE-2025-5916", "epss": 0.00023, - "percentile": 0.05378, - "date": "2025-12-14" + "percentile": 0.05349, + "date": "2025-12-15" } ], "cwes": [ @@ -9633,8 +9633,8 @@ { "cve": "CVE-2025-5916", "epss": 0.00023, - "percentile": 0.05378, - "date": "2025-12-14" + "percentile": 0.05349, + "date": "2025-12-15" } ], "cwes": [ @@ -9725,8 +9725,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -9773,8 +9773,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -9870,8 +9870,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -9918,8 +9918,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ 
@@ -10015,8 +10015,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -10063,8 +10063,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -10160,8 +10160,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -10208,8 +10208,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -10305,8 +10305,8 @@ { "cve": "CVE-2025-5278", "epss": 0.00016, - "percentile": 0.02784, - "date": "2025-12-14" + "percentile": 0.02777, + "date": "2025-12-15" } ], "cwes": [ @@ -10359,8 +10359,8 @@ { "cve": "CVE-2025-5278", "epss": 0.00016, - "percentile": 0.02784, - "date": "2025-12-14" + "percentile": 0.02777, + "date": "2025-12-15" } ], "cwes": [ @@ -10462,8 +10462,8 @@ { "cve": "CVE-2023-30571", "epss": 0.00014, - "percentile": 0.02021, - "date": "2025-12-14" + "percentile": 0.02012, + "date": "2025-12-15" } ], "cwes": [ @@ -10528,8 +10528,8 @@ { "cve": "CVE-2023-30571", "epss": 0.00014, - "percentile": 0.02021, - "date": "2025-12-14" + "percentile": 0.02012, + "date": "2025-12-15" } ], "cwes": [ @@ -10626,8 +10626,8 @@ { "cve": "CVE-2025-30258", "epss": 0.00025, - "percentile": 0.05983, - "date": "2025-12-14" + "percentile": 0.0597, + "date": "2025-12-15" } ], "cwes": [ @@ -10687,8 +10687,8 @@ { "cve": "CVE-2025-30258", "epss": 0.00025, - "percentile": 0.05983, - "date": "2025-12-14" + "percentile": 0.0597, + "date": "2025-12-15" } ], "cwes": [ @@ -10779,8 +10779,8 @@ { "cve": "CVE-2024-0232", "epss": 0.00018, - "percentile": 0.03785, - "date": "2025-12-14" + "percentile": 0.03749, + "date": "2025-12-15" } ], "cwes": [ 
@@ -10847,8 +10847,8 @@ { "cve": "CVE-2024-0232", "epss": 0.00018, - "percentile": 0.03785, - "date": "2025-12-14" + "percentile": 0.03749, + "date": "2025-12-15" } ], "cwes": [ @@ -10956,8 +10956,8 @@ { "cve": "CVE-2025-5918", "epss": 0.00019, - "percentile": 0.04307, - "date": "2025-12-14" + "percentile": 0.04264, + "date": "2025-12-15" } ], "cwes": [ @@ -11018,8 +11018,8 @@ { "cve": "CVE-2025-5918", "epss": 0.00019, - "percentile": 0.04307, - "date": "2025-12-14" + "percentile": 0.04264, + "date": "2025-12-15" } ], "cwes": [ @@ -11110,8 +11110,8 @@ { "cve": "CVE-2022-3219", "epss": 0.00012, - "percentile": 0.01397, - "date": "2025-12-14" + "percentile": 0.01394, + "date": "2025-12-15" } ], "cwes": [ @@ -11180,8 +11180,8 @@ { "cve": "CVE-2022-3219", "epss": 0.00012, - "percentile": 0.01397, - "date": "2025-12-14" + "percentile": 0.01394, + "date": "2025-12-15" } ], "cwes": [ @@ -11278,8 +11278,8 @@ { "cve": "CVE-2025-5917", "epss": 0.00019, - "percentile": 0.04396, - "date": "2025-12-14" + "percentile": 0.04351, + "date": "2025-12-15" } ], "cwes": [ @@ -11340,8 +11340,8 @@ { "cve": "CVE-2025-5917", "epss": 0.00019, - "percentile": 0.04396, - "date": "2025-12-14" + "percentile": 0.04351, + "date": "2025-12-15" } ], "cwes": [ @@ -11432,8 +11432,8 @@ { "cve": "CVE-2025-6170", "epss": 0.00017, - "percentile": 0.03384, - "date": "2025-12-14" + "percentile": 0.03368, + "date": "2025-12-15" } ], "cwes": [ @@ -11493,8 +11493,8 @@ { "cve": "CVE-2025-6170", "epss": 0.00017, - "percentile": 0.03384, - "date": "2025-12-14" + "percentile": 0.03368, + "date": "2025-12-15" } ], "cwes": [ 
@@ -12016,87 +12016,87 @@ "db": { "status": { "schemaVersion": "v6.1.3", - "from": "https://grype.anchore.io/databases/v6/vulnerability-db_v6.1.3_2025-12-15T00:26:22Z_1765786837.tar.zst?checksum=sha256%3A819b50d22f073b9ab2ad3c00d212207037c07e1de037f81b528b58717b758db2", - "built": "2025-12-15T08:20:37Z", + "from": "https://grype.anchore.io/databases/v6/vulnerability-db_v6.1.3_2025-12-16T00:25:11Z_1765880790.tar.zst?checksum=sha256%3Aa8bb3ef2cc68f242e78cda1e451f290ff56a23b1063de65d22a0ac20e16ae5bd", + "built": "2025-12-16T10:26:30Z", "path": ".cache/grype/db/6/vulnerability.db", "valid": true }, "providers": { "alma": { - "captured": "2025-12-15T00:26:29Z", + "captured": "2025-12-16T00:25:17Z", "input": "xxh64:3bae44c7a22f7a7a" }, "alpine": { - "captured": "2025-12-15T00:26:22Z", - "input": "xxh64:a6910ebae352b990" + "captured": "2025-12-16T00:25:13Z", + "input": "xxh64:0d94cc3d895e96e4" }, "amazon": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:d9332811ab10da09" + "captured": "2025-12-16T00:25:14Z", + "input": "xxh64:96351b3c21f16cdd" }, "bitnami": { - "captured": "2025-12-15T00:26:31Z", - "input": "xxh64:1ecf12b668dea077" + "captured": "2025-12-16T00:25:26Z", + "input": "xxh64:01d096e52d6c584d" }, "chainguard": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:c788b1823558ccdc" + "captured": "2025-12-16T00:25:19Z", + "input": "xxh64:aeb142b1fabd05ef" }, "chainguard-libraries": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:61125e10198fff74" + "captured": "2025-12-16T00:25:25Z", + "input": "xxh64:131c1a3e98113468" }, "debian": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:3a0aef0ee5db3f38" + "captured": "2025-12-16T00:25:24Z", + "input": "xxh64:9c5942d58a5f0d0a" }, "echo": { - "captured": "2025-12-15T00:26:34Z", - "input": "xxh64:b407f1052619408a" + "captured": "2025-12-16T00:25:20Z", + "input": "xxh64:e65ed35a7a7899d0" }, "epss": { - "captured": "2025-12-15T00:26:28Z", - "input": "xxh64:05fd1e2ee709d2a5" + "captured": 
"2025-12-16T00:25:21Z", + "input": "xxh64:c443dbaf0209cf17" }, "github": { - "captured": "2025-12-15T00:26:44Z", - "input": "xxh64:3c7fd996a88f1c66" + "captured": "2025-12-16T00:25:21Z", + "input": "xxh64:640038905439d285" }, "kev": { - "captured": "2025-12-15T00:26:23Z", - "input": "xxh64:ed425533655d771d" + "captured": "2025-12-16T00:25:11Z", + "input": "xxh64:c28f5b32e2103243" }, "mariner": { - "captured": "2025-12-15T00:26:32Z", - "input": "xxh64:6fdbff1192df3158" + "captured": "2025-12-16T00:25:18Z", + "input": "xxh64:647810a8c07a63eb" }, "minimos": { - "captured": "2025-12-15T00:26:30Z", - "input": "xxh64:66fa9397e7abbbe3" + "captured": "2025-12-16T00:25:20Z", + "input": "xxh64:24ca3b7889974a27" }, "nvd": { - "captured": "2025-12-15T00:29:34Z", - "input": "xxh64:52a15157244d2eb4" + "captured": "2025-12-16T00:28:18Z", + "input": "xxh64:8ee1877e9a9e680b" }, "oracle": { - "captured": "2025-12-15T00:26:29Z", - "input": "xxh64:a3297070ed6c54c1" + "captured": "2025-12-16T00:25:23Z", + "input": "xxh64:a4416b6b3e4250df" }, "rhel": { - "captured": "2025-12-15T00:27:19Z", - "input": "xxh64:e625d0086bf187f1" + "captured": "2025-12-16T00:26:07Z", + "input": "xxh64:9911b1a567d8f57c" }, "sles": { - "captured": "2025-12-15T00:26:44Z", - "input": "xxh64:baf8228a110f8ba2" + "captured": "2025-12-16T00:25:43Z", + "input": "xxh64:1b717d5f2e45fdee" }, "ubuntu": { - "captured": "2025-12-15T00:27:45Z", - "input": "xxh64:dd0f79d777310979" + "captured": "2025-12-16T00:27:14Z", + "input": "xxh64:2d3097578288b46f" }, "wolfi": { - "captured": "2025-12-15T00:26:25Z", - "input": "xxh64:7f14313934ae61bb" + "captured": "2025-12-16T00:25:19Z", + "input": "xxh64:f85923693eb62700" } } } diff --git a/docs/security/agent/grype-25.7.2.md b/docs/security/agent/grype-25.7.2.md index aa1deea..1b1b302 100644 --- a/docs/security/agent/grype-25.7.2.md +++ b/docs/security/agent/grype-25.7.2.md 
@@ -16,8 +16,8 @@ Refer to the [triaged vulnerabilities](https://docs.fluent.do/security/triaged.h | libcurl-minimal | 7.76.1-31.el9 | [CVE-2025-9086](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-9086) | Medium | | gnutls | 3.8.3-6.el9 | [CVE-2025-32988](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32988) | Medium | | libpq | 13.20-1.el9_5 | [CVE-2025-4207](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-4207) | Medium | -| gnutls | 3.8.3-6.el9 | [CVE-2025-6395](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-6395) | Medium | | libpq | 13.20-1.el9_5 | [CVE-2025-12818](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-12818) | Medium | +| gnutls | 3.8.3-6.el9 | [CVE-2025-6395](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-6395) | Medium | | gnutls | 3.8.3-6.el9 | [CVE-2025-32989](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32989) | Medium | | libxml2 | 2.9.13-10.el9_6 | [CVE-2025-32414](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32414) | Medium | | systemd-libs | 252-51.el9_6.1 | [CVE-2025-4598](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-4598) | Medium | 
@@ -46,16 +46,16 @@ Refer to the [triaged vulnerabilities](https://docs.fluent.do/security/triaged.h | curl-minimal | 7.76.1-31.el9 | [CVE-2024-7264](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7264) | Low | | libcurl-minimal | 7.76.1-31.el9 | [CVE-2024-7264](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7264) | Low | | shadow-utils | 2:4.9-12.el9 | [CVE-2024-56433](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-56433) | Low | -| curl-minimal | 7.76.1-31.el9 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | -| libcurl-minimal | 7.76.1-31.el9 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | | libxml2 | 2.9.13-10.el9_6 | [CVE-2024-34459](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34459) | Low | | openssl | 1:3.2.2-6.el9_5.1 | [CVE-2024-41996](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41996) | Low | | openssl-libs | 1:3.2.2-6.el9_5.1 | [CVE-2024-41996](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41996) | Low | +| curl-minimal | 7.76.1-31.el9 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | +| libcurl-minimal | 7.76.1-31.el9 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | | curl-minimal | 7.76.1-31.el9 | [CVE-2024-11053](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-11053) | Low | | libcurl-minimal | 7.76.1-31.el9 | [CVE-2024-11053](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-11053) | Low | | glib2 | 2.68.4-16.el9 | [CVE-2023-32636](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32636) | Low | -| libarchive | 3.5.3-5.el9_6 | [CVE-2025-1632](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1632) | Low | | libxml2 | 2.9.13-10.el9_6 | [CVE-2025-27113](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27113) | Low | +| libarchive | 3.5.3-5.el9_6 | 
[CVE-2025-1632](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1632) | Low | | openssl | 1:3.2.2-6.el9_5.1 | [CVE-2024-13176](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13176) | Low | | openssl-libs | 1:3.2.2-6.el9_5.1 | [CVE-2024-13176](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13176) | Low | | ncurses-base | 6.2-10.20210508.el9 | [CVE-2022-29458](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29458) | Low | diff --git a/docs/security/agent/grype-25.7.4.json b/docs/security/agent/grype-25.7.4.json index 27329be..67eec9e 100644 --- a/docs/security/agent/grype-25.7.4.json +++ b/docs/security/agent/grype-25.7.4.json @@ -25,8 +25,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -91,8 +91,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -194,8 +194,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -260,8 +260,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -363,8 +363,8 @@ { "cve": "CVE-2024-56433", "epss": 0.05074, - "percentile": 0.8942, - "date": "2025-12-14" + "percentile": 0.89421, + "date": "2025-12-15" } ], "cwes": [ @@ -426,8 +426,8 @@ { "cve": "CVE-2024-56433", "epss": 0.05074, - "percentile": 0.8942, - "date": "2025-12-14" + "percentile": 0.89421, + "date": "2025-12-15" } ], "cwes": [ 
@@ -504,39 +504,39 @@ }, { "vulnerability": { - "id": "CVE-2024-9681", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", + "id": "CVE-2024-34459", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-34459", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", + "description": "A flaw was found in the xmllint program distributed by the libxml2 package. A buffer over-read in the xmlHTMLPrintFileContext function in the xmllint.c file may be triggered when a crafted file is processed with the xmllint program using the `--htmlout` command line option, causing an application crash and resulting in a denial of service.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 3.9, - "exploitabilityScore": 1.4, - "impactScore": 2.6 + "baseScore": 5.5, + "exploitabilityScore": 1.9, + "impactScore": 3.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-34459", + "epss": 0.00847, + "percentile": 0.74212, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-34459", + "cwe": "CWE-122", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ], "fix": { 
@@ -544,51 +544,36 @@ "state": "not-fixed" }, "advisories": [], - "risk": 0.422625 + "risk": 0.35997500000000004 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-9681", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", + "id": "CVE-2024-34459", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-34459", "namespace": "nvd:cpe", - "severity": "Medium", + "severity": "High", "urls": [ - "https://curl.se/docs/CVE-2024-9681.html", - "https://curl.se/docs/CVE-2024-9681.json", - "https://hackerone.com/reports/2764830", - "http://seclists.org/fulldisclosure/2025/Apr/10", - "http://seclists.org/fulldisclosure/2025/Apr/11", - "http://seclists.org/fulldisclosure/2025/Apr/12", - "http://seclists.org/fulldisclosure/2025/Apr/13", - "http://seclists.org/fulldisclosure/2025/Apr/4", - "http://seclists.org/fulldisclosure/2025/Apr/5", - "http://seclists.org/fulldisclosure/2025/Apr/8", - "http://seclists.org/fulldisclosure/2025/Apr/9", - "http://www.openwall.com/lists/oss-security/2024/11/06/2", - "https://security.netapp.com/advisory/ntap-20241213-0006/" + "https://gitlab.gnome.org/GNOME/libxml2/-/issues/720", + "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.8", + "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.7", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/", + "https://lists.debian.org/debian-lts-announce/2025/07/msg00014.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", + 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/" ], - "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", + "description": "An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. 
Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c.", "cvss": [ - { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", - "metrics": { - "baseScore": 6.5, - "exploitabilityScore": 2.3, - "impactScore": 4.3 - }, - "vendorMetadata": {} - }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, + "baseScore": 7.5, + "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} @@ -596,25 +581,25 @@ ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-34459", + "epss": 0.00847, + "percentile": 0.74212, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-34459", + "cwe": "CWE-122", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ] } ], "matchDetails": [ { - "type": "exact-indirect-match", + "type": "exact-direct-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { @@ -622,21 +607,21 @@ "version": "9.6" }, "package": { - "name": "curl", - "version": "7.76.1-31.el9" + "name": "libxml2", + "version": "0:2.9.13-10.el9_6" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-9681", + "vulnerabilityID": "CVE-2024-34459", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "6b7ebba723f3d1d6", - "name": "curl-minimal", - "version": "7.76.1-31.el9", + "id": "cad7c140298c7fa1", + "name": "libxml2", + "version": "2.9.13-10.el9_6", "type": "rpm", "locations": [ { 
@@ -653,22 +638,11 @@ "MIT" ], "cpes": [ - "cpe:2.3:a:curl-minimal:curl-minimal:7.76.1-31.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:curl-minimal:curl_minimal:7.76.1-31.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:curl_minimal:curl-minimal:7.76.1-31.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:curl_minimal:curl_minimal:7.76.1-31.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:curl-minimal:7.76.1-31.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:curl_minimal:7.76.1-31.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:curl:curl-minimal:7.76.1-31.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:curl:curl_minimal:7.76.1-31.el9:*:*:*:*:*:*:*" - ], - "purl": "pkg:rpm/redhat/curl-minimal@7.76.1-31.el9?arch=x86_64&distro=rhel-9.6&upstream=curl-7.76.1-31.el9.src.rpm", - "upstreams": [ - { - "name": "curl", - "version": "7.76.1-31.el9" - } + "cpe:2.3:a:libxml2:libxml2:2.9.13-10.el9_6:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libxml2:2.9.13-10.el9_6:*:*:*:*:*:*:*" ], + "purl": "pkg:rpm/redhat/libxml2@2.9.13-10.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libxml2-2.9.13-10.el9_6.src.rpm", + "upstreams": [], "metadataType": "RpmMetadata", "metadata": { "epoch": null, 
@@ -678,91 +652,69 @@ }, { "vulnerability": { - "id": "CVE-2024-9681", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", + "id": "CVE-2024-41996", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", + "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 3.9, - "exploitabilityScore": 1.4, - "impactScore": 2.6 + "baseScore": 5.9, + "exploitabilityScore": 2.3, + "impactScore": 3.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-41996", + "cwe": "CWE-295", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ], "fix": { "versions": [], - "state": "not-fixed" + "state": "wont-fix" }, "advisories": [], - "risk": 0.422625 + "risk": 0.30705000000000005 }, 
"relatedVulnerabilities": [ { - "id": "CVE-2024-9681", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", + "id": "CVE-2024-41996", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", "namespace": "nvd:cpe", - "severity": "Medium", + "severity": "High", "urls": [ - "https://curl.se/docs/CVE-2024-9681.html", - "https://curl.se/docs/CVE-2024-9681.json", - "https://hackerone.com/reports/2764830", - "http://seclists.org/fulldisclosure/2025/Apr/10", - "http://seclists.org/fulldisclosure/2025/Apr/11", - "http://seclists.org/fulldisclosure/2025/Apr/12", - "http://seclists.org/fulldisclosure/2025/Apr/13", - "http://seclists.org/fulldisclosure/2025/Apr/4", - "http://seclists.org/fulldisclosure/2025/Apr/5", - "http://seclists.org/fulldisclosure/2025/Apr/8", - "http://seclists.org/fulldisclosure/2025/Apr/9", - "http://www.openwall.com/lists/oss-security/2024/11/06/2", - "https://security.netapp.com/advisory/ntap-20241213-0006/" + "https://dheatattack.gitlab.io/details/", + "https://dheatattack.gitlab.io/faq/", + "https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" ], - "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug 
is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", + "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", "cvss": [ - { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", - "metrics": { - "baseScore": 6.5, - "exploitabilityScore": 2.3, - "impactScore": 4.3 - }, - "vendorMetadata": {} - }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, + "baseScore": 7.5, + "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} 
@@ -770,25 +722,25 @@ ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-41996", + "cwe": "CWE-295", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ] } ], "matchDetails": [ { - "type": "exact-indirect-match", + "type": "exact-direct-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { @@ -796,21 +748,21 @@ "version": "9.6" }, "package": { - "name": "curl", - "version": "7.76.1-31.el9" + "name": "openssl", + "version": "1:3.2.2-6.el9_5.1" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-9681", + "vulnerabilityID": "CVE-2024-41996", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "b20b4850f0fa0e54", - "name": "libcurl-minimal", - "version": "7.76.1-31.el9", + "id": "7dc75dc862d10c78", + "name": "openssl", + "version": "1:3.2.2-6.el9_5.1", "type": "rpm", "locations": [ { 
@@ -824,48 +776,37 @@ ], "language": "", "licenses": [ - "MIT" + "ASL 2.0" ], "cpes": [ - "cpe:2.3:a:libcurl-minimal:libcurl-minimal:7.76.1-31.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl-minimal:libcurl_minimal:7.76.1-31.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl_minimal:libcurl-minimal:7.76.1-31.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl_minimal:libcurl_minimal:7.76.1-31.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl:libcurl-minimal:7.76.1-31.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl:libcurl_minimal:7.76.1-31.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libcurl-minimal:7.76.1-31.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libcurl_minimal:7.76.1-31.el9:*:*:*:*:*:*:*" - ], - "purl": "pkg:rpm/redhat/libcurl-minimal@7.76.1-31.el9?arch=x86_64&distro=rhel-9.6&upstream=curl-7.76.1-31.el9.src.rpm", - "upstreams": [ - { - "name": "curl", - "version": "7.76.1-31.el9" - } + "cpe:2.3:a:openssl:openssl:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:openssl:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*" ], + "purl": "pkg:rpm/redhat/openssl@3.2.2-6.el9_5.1?arch=x86_64&distro=rhel-9.6&epoch=1&upstream=openssl-3.2.2-6.el9_5.1.src.rpm", + "upstreams": [], "metadataType": "RpmMetadata", "metadata": { - "epoch": null, + "epoch": 1, "modularityLabel": "" } } }, { "vulnerability": { - "id": "CVE-2024-34459", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-34459", + "id": "CVE-2024-41996", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A flaw was found in the xmllint program distributed by the libxml2 package. 
A buffer over-read in the xmlHTMLPrintFileContext function in the xmllint.c file may be triggered when a crafted file is processed with the xmllint program using the `--htmlout` command line option, causing an application crash and resulting in a denial of service.", + "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 5.5, - "exploitabilityScore": 1.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} 
@@ -873,52 +814,45 @@ ], "epss": [ { - "cve": "CVE-2024-34459", - "epss": 0.00847, - "percentile": 0.74208, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-34459", - "cwe": "CWE-122", + "cve": "CVE-2024-41996", + "cwe": "CWE-295", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ], "fix": { "versions": [], - "state": "not-fixed" + "state": "wont-fix" }, "advisories": [], - "risk": 0.35997500000000004 + "risk": 0.30705000000000005 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-34459", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-34459", + "id": "CVE-2024-41996", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", "namespace": "nvd:cpe", "severity": "High", "urls": [ - "https://gitlab.gnome.org/GNOME/libxml2/-/issues/720", - "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.8", - "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.7", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/", - "https://lists.debian.org/debian-lts-announce/2025/07/msg00014.html", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/" + "https://dheatattack.gitlab.io/details/", + "https://dheatattack.gitlab.io/faq/", + 
"https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" ], - "description": "An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c.", + "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", "cvss": [ { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { "baseScore": 7.5, "exploitabilityScore": 3.9, @@ -929,16 +863,16 @@ ], "epss": [ { - "cve": "CVE-2024-34459", - "epss": 0.00847, - "percentile": 0.74208, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-34459", - "cwe": "CWE-122", + "cve": "CVE-2024-41996", + "cwe": "CWE-295", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } @@ -947,7 +881,7 @@ ], "matchDetails": [ { - "type": "exact-direct-match", + "type": "exact-indirect-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { 
@@ -955,21 +889,21 @@ "version": "9.6" }, "package": { - "name": "libxml2", - "version": "0:2.9.13-10.el9_6" + "name": "openssl", + "version": "3.2.2-6.el9_5.1" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-34459", + "vulnerabilityID": "CVE-2024-41996", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "cad7c140298c7fa1", - "name": "libxml2", - "version": "2.9.13-10.el9_6", + "id": "58e683943e8aac02", + "name": "openssl-libs", + "version": "1:3.2.2-6.el9_5.1", "type": "rpm", "locations": [ { 
@@ -983,86 +917,119 @@ ], "language": "", "licenses": [ - "MIT" + "ASL 2.0" ], "cpes": [ - "cpe:2.3:a:libxml2:libxml2:2.9.13-10.el9_6:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libxml2:2.9.13-10.el9_6:*:*:*:*:*:*:*" + "cpe:2.3:a:openssl-libs:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl-libs:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl_libs:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl_libs:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:rpm/redhat/openssl-libs@3.2.2-6.el9_5.1?arch=x86_64&distro=rhel-9.6&epoch=1&upstream=openssl-3.2.2-6.el9_5.1.src.rpm", + "upstreams": [ + { + "name": "openssl", + "version": "3.2.2-6.el9_5.1" + } ], - "purl": "pkg:rpm/redhat/libxml2@2.9.13-10.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libxml2-2.9.13-10.el9_6.src.rpm", - "upstreams": [], "metadataType": "RpmMetadata", "metadata": { - "epoch": null, + "epoch": 1, "modularityLabel": "" } } }, { "vulnerability": { - "id": "CVE-2024-41996", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. 
This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", + "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, - "impactScore": 3.6 + "baseScore": 3.9, + "exploitabilityScore": 1.4, + "impactScore": 2.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ], "fix": { "versions": [], - "state": "wont-fix" + "state": "not-fixed" }, "advisories": [], - "risk": 0.30705000000000005 + "risk": 0.20009999999999997 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-41996", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", "namespace": "nvd:cpe", - "severity": "High", + "severity": "Medium", "urls": [ - "https://dheatattack.gitlab.io/details/", - "https://dheatattack.gitlab.io/faq/", - "https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" + "https://curl.se/docs/CVE-2024-9681.html", + "https://curl.se/docs/CVE-2024-9681.json", + "https://hackerone.com/reports/2764830", + "http://seclists.org/fulldisclosure/2025/Apr/10", + 
"http://seclists.org/fulldisclosure/2025/Apr/11", + "http://seclists.org/fulldisclosure/2025/Apr/12", + "http://seclists.org/fulldisclosure/2025/Apr/13", + "http://seclists.org/fulldisclosure/2025/Apr/4", + "http://seclists.org/fulldisclosure/2025/Apr/5", + "http://seclists.org/fulldisclosure/2025/Apr/8", + "http://seclists.org/fulldisclosure/2025/Apr/9", + "http://www.openwall.com/lists/oss-security/2024/11/06/2", + "https://security.netapp.com/advisory/ntap-20241213-0006/" ], - "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", + "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for 
by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.3, + "impactScore": 4.3 + }, + "vendorMetadata": {} + }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} @@ -1070,25 +1037,25 @@ ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ] } ], "matchDetails": [ { - "type": "exact-direct-match", + "type": "exact-indirect-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { 
@@ -1096,21 +1063,21 @@ "version": "9.6" }, "package": { - "name": "openssl", - "version": "1:3.2.2-6.el9_5.1" + "name": "curl", + "version": "7.76.1-31.el9" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-41996", + "vulnerabilityID": "CVE-2024-9681", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "7dc75dc862d10c78", - "name": "openssl", - "version": "1:3.2.2-6.el9_5.1", + "id": "6b7ebba723f3d1d6", + "name": "curl-minimal", + "version": "7.76.1-31.el9", "type": "rpm", "locations": [ { 
@@ -1124,86 +1091,119 @@ ], "language": "", "licenses": [ - "ASL 2.0" + "MIT" ], "cpes": [ - "cpe:2.3:a:openssl:openssl:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:openssl:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*" + "cpe:2.3:a:curl-minimal:curl-minimal:7.76.1-31.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:curl-minimal:curl_minimal:7.76.1-31.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:curl_minimal:curl-minimal:7.76.1-31.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:curl_minimal:curl_minimal:7.76.1-31.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:curl-minimal:7.76.1-31.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:curl_minimal:7.76.1-31.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:curl:curl-minimal:7.76.1-31.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:curl:curl_minimal:7.76.1-31.el9:*:*:*:*:*:*:*" + ], + "purl": "pkg:rpm/redhat/curl-minimal@7.76.1-31.el9?arch=x86_64&distro=rhel-9.6&upstream=curl-7.76.1-31.el9.src.rpm", + "upstreams": [ + { + "name": "curl", + "version": "7.76.1-31.el9" + } ], - "purl": "pkg:rpm/redhat/openssl@3.2.2-6.el9_5.1?arch=x86_64&distro=rhel-9.6&epoch=1&upstream=openssl-3.2.2-6.el9_5.1.src.rpm", - "upstreams": [], "metadataType": "RpmMetadata", "metadata": { - "epoch": 1, + "epoch": null, "modularityLabel": "" } } }, { "vulnerability": { - "id": "CVE-2024-41996", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. 
This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", + "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, - "impactScore": 3.6 + "baseScore": 3.9, + "exploitabilityScore": 1.4, + "impactScore": 2.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ], "fix": { "versions": [], - "state": "wont-fix" + "state": "not-fixed" }, "advisories": [], - "risk": 0.30705000000000005 + "risk": 0.20009999999999997 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-41996", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", "namespace": "nvd:cpe", - "severity": "High", + "severity": "Medium", "urls": [ - "https://dheatattack.gitlab.io/details/", - "https://dheatattack.gitlab.io/faq/", - "https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" + "https://curl.se/docs/CVE-2024-9681.html", + "https://curl.se/docs/CVE-2024-9681.json", + "https://hackerone.com/reports/2764830", + "http://seclists.org/fulldisclosure/2025/Apr/10", + 
"http://seclists.org/fulldisclosure/2025/Apr/11", + "http://seclists.org/fulldisclosure/2025/Apr/12", + "http://seclists.org/fulldisclosure/2025/Apr/13", + "http://seclists.org/fulldisclosure/2025/Apr/4", + "http://seclists.org/fulldisclosure/2025/Apr/5", + "http://seclists.org/fulldisclosure/2025/Apr/8", + "http://seclists.org/fulldisclosure/2025/Apr/9", + "http://www.openwall.com/lists/oss-security/2024/11/06/2", + "https://security.netapp.com/advisory/ntap-20241213-0006/" ], - "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", + "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for 
by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.3, + "impactScore": 4.3 + }, + "vendorMetadata": {} + }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} @@ -1211,18 +1211,18 @@ ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ] } @@ -1237,21 +1237,21 @@ "version": "9.6" }, "package": { - "name": "openssl", - "version": "3.2.2-6.el9_5.1" + "name": "curl", + "version": "7.76.1-31.el9" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-41996", + "vulnerabilityID": "CVE-2024-9681", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "58e683943e8aac02", - "name": "openssl-libs", - "version": "1:3.2.2-6.el9_5.1", + "id": "b20b4850f0fa0e54", + "name": "libcurl-minimal", + "version": "7.76.1-31.el9", "type": "rpm", "locations": [ { 
@@ -1265,28 +1265,28 @@ ], "language": "", "licenses": [ - "ASL 2.0" + "MIT" ], "cpes": [ - "cpe:2.3:a:openssl-libs:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl-libs:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl_libs:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl_libs:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*" + "cpe:2.3:a:libcurl-minimal:libcurl-minimal:7.76.1-31.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl-minimal:libcurl_minimal:7.76.1-31.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl_minimal:libcurl-minimal:7.76.1-31.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl_minimal:libcurl_minimal:7.76.1-31.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl:libcurl-minimal:7.76.1-31.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl:libcurl_minimal:7.76.1-31.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libcurl-minimal:7.76.1-31.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libcurl_minimal:7.76.1-31.el9:*:*:*:*:*:*:*" ], - "purl": "pkg:rpm/redhat/openssl-libs@3.2.2-6.el9_5.1?arch=x86_64&distro=rhel-9.6&epoch=1&upstream=openssl-3.2.2-6.el9_5.1.src.rpm", + "purl": "pkg:rpm/redhat/libcurl-minimal@7.76.1-31.el9?arch=x86_64&distro=rhel-9.6&upstream=curl-7.76.1-31.el9.src.rpm", "upstreams": [ { - "name": "openssl", - "version": "3.2.2-6.el9_5.1" + "name": "curl", + "version": "7.76.1-31.el9" } ], "metadataType": "RpmMetadata", "metadata": { - "epoch": 1, + "epoch": null, "modularityLabel": "" } } @@ -1316,8 +1316,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ], "fix": { 
@@ -1361,8 +1361,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ] } @@ -1456,8 +1456,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ], "fix": { @@ -1501,8 +1501,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ] } @@ -1596,8 +1596,8 @@ { "cve": "CVE-2025-14087", "epss": 0.00197, - "percentile": 0.41855, - "date": "2025-12-14" + "percentile": 0.41841, + "date": "2025-12-15" } ], "cwes": [ @@ -1644,8 +1644,8 @@ { "cve": "CVE-2025-14087", "epss": 0.00197, - "percentile": 0.41855, - "date": "2025-12-14" + "percentile": 0.41841, + "date": "2025-12-15" } ], "cwes": [ @@ -1736,8 +1736,8 @@ { "cve": "CVE-2023-32636", "epss": 0.00165, - "percentile": 0.38062, - "date": "2025-12-14" + "percentile": 0.38035, + "date": "2025-12-15" } ], "cwes": [ 
@@ -1748,8 +1748,173 @@ "type": "Secondary" }, { - "cve": "CVE-2023-32636", - "cwe": "CWE-502", + "cve": "CVE-2023-32636", + "cwe": "CWE-502", + "source": "nvd@nist.gov", + "type": "Primary" + } + ], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [], + "risk": 0.0759 + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-32636", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-32636", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://gitlab.gnome.org/GNOME/glib/-/issues/2841", + "https://https://discourse.gnome.org/t/multiple-fixes-for-gvariant-normalisation-issues-in-glib/12835", + "https://security.netapp.com/advisory/ntap-20231110-0002/" + ], + "description": "A flaw was found in glib, where the gvariant deserialization code is vulnerable to a denial of service introduced by additional input validation added to resolve CVE-2023-29499. The offset table validation may be very slow. This bug does not affect any released version of glib but does affect glib distributors who followed the guidance of glib developers to backport the initial fix for CVE-2023-29499.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + }, + { + "source": "secalert@redhat.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 4.7, + "exploitabilityScore": 1.1, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ], + "epss": [ + { + "cve": "CVE-2023-32636", + "epss": 0.00165, + "percentile": 0.38035, + "date": "2025-12-15" + } + ], + "cwes": [ + { + "cve": "CVE-2023-32636", + "cwe": "CWE-400", + "source": "secalert@redhat.com", + "type": "Secondary" + }, + { + "cve": "CVE-2023-32636", + "cwe": "CWE-502", + "source": "nvd@nist.gov", + "type": 
"Primary" + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "rpm-matcher", + "searchedBy": { + "distro": { + "type": "redhat", + "version": "9.6" + }, + "package": { + "name": "glib2", + "version": "0:2.68.4-16.el9_6.2" + }, + "namespace": "redhat:distro:redhat:9" + }, + "found": { + "vulnerabilityID": "CVE-2023-32636", + "versionConstraint": "none (unknown)" + } + } + ], + "artifact": { + "id": "35f4edf399bccea5", + "name": "glib2", + "version": "2.68.4-16.el9_6.2", + "type": "rpm", + "locations": [ + { + "path": "/var/lib/rpm/rpmdb.sqlite", + "layerID": "sha256:7365a3a0db69d7f481720be6d2cc54794d0f7e1c94fbfe59d74c106a561a7537", + "accessPath": "/var/lib/rpm/rpmdb.sqlite", + "annotations": { + "evidence": "primary" + } + } + ], + "language": "", + "licenses": [ + "LGPLv2+" + ], + "cpes": [ + "cpe:2.3:a:redhat:glib2:2.68.4-16.el9_6.2:*:*:*:*:*:*:*", + "cpe:2.3:a:glib2:glib2:2.68.4-16.el9_6.2:*:*:*:*:*:*:*" + ], + "purl": "pkg:rpm/redhat/glib2@2.68.4-16.el9_6.2?arch=x86_64&distro=rhel-9.6&upstream=glib2-2.68.4-16.el9_6.2.src.rpm", + "upstreams": [], + "metadataType": "RpmMetadata", + "metadata": { + "epoch": null, + "modularityLabel": "" + } + } + }, + { + "vulnerability": { + "id": "CVE-2025-27113", + "dataSource": "https://access.redhat.com/security/cve/CVE-2025-27113", + "namespace": "redhat:distro:redhat:9", + "severity": "Low", + "urls": [], + "description": "A flaw was found in libxml2. 
This vulnerability allows a NULL pointer dereference, leading to a potential crash or denial of service via a crafted XML pattern.", + "cvss": [ + { + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L", + "metrics": { + "baseScore": 3.1, + "exploitabilityScore": 1.7, + "impactScore": 1.5 + }, + "vendorMetadata": {} + } + ], + "epss": [ + { + "cve": "CVE-2025-27113", + "epss": 0.00217, + "percentile": 0.44238, + "date": "2025-12-15" + } + ], + "cwes": [ + { + "cve": "CVE-2025-27113", + "cwe": "CWE-476", + "source": "cve@mitre.org", + "type": "Secondary" + }, + { + "cve": "CVE-2025-27113", + "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" } 
@@ -1759,20 +1924,28 @@ "state": "not-fixed" }, "advisories": [], - "risk": 0.0759 + "risk": 0.066185 }, "relatedVulnerabilities": [ { - "id": "CVE-2023-32636", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-32636", + "id": "CVE-2025-27113", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-27113", "namespace": "nvd:cpe", "severity": "High", "urls": [ - "https://gitlab.gnome.org/GNOME/glib/-/issues/2841", - "https://https://discourse.gnome.org/t/multiple-fixes-for-gvariant-normalisation-issues-in-glib/12835", - "https://security.netapp.com/advisory/ntap-20231110-0002/" + "https://gitlab.gnome.org/GNOME/libxml2/-/issues/861", + "http://seclists.org/fulldisclosure/2025/Apr/10", + "http://seclists.org/fulldisclosure/2025/Apr/11", + "http://seclists.org/fulldisclosure/2025/Apr/12", + "http://seclists.org/fulldisclosure/2025/Apr/13", + "http://seclists.org/fulldisclosure/2025/Apr/4", + "http://seclists.org/fulldisclosure/2025/Apr/5", + "http://seclists.org/fulldisclosure/2025/Apr/8", + "http://seclists.org/fulldisclosure/2025/Apr/9", + "https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html", + "https://security.netapp.com/advisory/ntap-20250306-0004/" ], - "description": "A flaw was found in glib, where the gvariant deserialization code is vulnerable to a denial of service introduced by additional input validation added to resolve CVE-2023-29499. The offset table validation may be very slow. This bug does not affect any released version of glib but does affect glib distributors who followed the guidance of glib developers to backport the initial fix for CVE-2023-29499.", + "description": "libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer dereference in xmlPatMatch in pattern.c.", "cvss": [ { "source": "nvd@nist.gov", 
@@ -1787,36 +1960,36 @@ "vendorMetadata": {} }, { - "source": "secalert@redhat.com", + "source": "cve@mitre.org", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "metrics": { - "baseScore": 4.7, - "exploitabilityScore": 1.1, - "impactScore": 3.6 + "baseScore": 2.9, + "exploitabilityScore": 1.5, + "impactScore": 1.5 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2023-32636", - "epss": 0.00165, - "percentile": 0.38062, - "date": "2025-12-14" + "cve": "CVE-2025-27113", + "epss": 0.00217, + "percentile": 0.44238, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2023-32636", - "cwe": "CWE-400", - "source": "secalert@redhat.com", + "cve": "CVE-2025-27113", + "cwe": "CWE-476", + "source": "cve@mitre.org", "type": "Secondary" }, { - "cve": "CVE-2023-32636", - "cwe": "CWE-502", + "cve": "CVE-2025-27113", + "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" } @@ -1833,21 +2006,21 @@ "version": "9.6" }, "package": { - "name": "glib2", - "version": "0:2.68.4-16.el9_6.2" + "name": "libxml2", + "version": "0:2.9.13-10.el9_6" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2023-32636", + "vulnerabilityID": "CVE-2025-27113", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "35f4edf399bccea5", - "name": "glib2", - "version": "2.68.4-16.el9_6.2", + "id": "cad7c140298c7fa1", + "name": "libxml2", + "version": "2.9.13-10.el9_6", "type": "rpm", "locations": [ { 
@@ -1861,13 +2034,13 @@ ], "language": "", "licenses": [ - "LGPLv2+" + "MIT" ], "cpes": [ - "cpe:2.3:a:redhat:glib2:2.68.4-16.el9_6.2:*:*:*:*:*:*:*", - "cpe:2.3:a:glib2:glib2:2.68.4-16.el9_6.2:*:*:*:*:*:*:*" + "cpe:2.3:a:libxml2:libxml2:2.9.13-10.el9_6:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libxml2:2.9.13-10.el9_6:*:*:*:*:*:*:*" ], - "purl": "pkg:rpm/redhat/glib2@2.68.4-16.el9_6.2?arch=x86_64&distro=rhel-9.6&upstream=glib2-2.68.4-16.el9_6.2.src.rpm", + "purl": "pkg:rpm/redhat/libxml2@2.9.13-10.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libxml2-2.9.13-10.el9_6.src.rpm", "upstreams": [], "metadataType": "RpmMetadata", "metadata": { @@ -1901,8 +2074,8 @@ { "cve": "CVE-2025-32990", "epss": 0.0011, - "percentile": 0.30071, - "date": "2025-12-14" + "percentile": 0.3004, + "date": "2025-12-15" } ], "cwes": [ @@ -1985,8 +2158,8 @@ { "cve": "CVE-2025-32990", "epss": 0.0011, - "percentile": 0.30071, - "date": "2025-12-14" + "percentile": 0.3004, + "date": "2025-12-15" } ], "cwes": [ @@ -2080,8 +2253,8 @@ { "cve": "CVE-2025-1632", "epss": 0.00188, - "percentile": 0.40872, - "date": "2025-12-14" + "percentile": 0.40856, + "date": "2025-12-15" } ], "cwes": [ 
@@ -2118,256 +2291,83 @@ "namespace": "nvd:cpe", "severity": "Medium", "urls": [ - "https://github.com/Ekkosun/pocs/blob/main/bsdunzip-poc", - "https://vuldb.com/?ctiid.296619", - "https://vuldb.com/?id.296619", - "https://vuldb.com/?submit.496460" - ], - "description": "A vulnerability was found in libarchive up to 3.7.7. It has been classified as problematic. This affects the function list of the file bsdunzip.c. The manipulation leads to null pointer dereference. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.", - "cvss": [ - { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "metrics": { - "baseScore": 5.5, - "exploitabilityScore": 1.9, - "impactScore": 3.6 - }, - "vendorMetadata": {} - }, - { - "source": "cna@vuldb.com", - "type": "Secondary", - "version": "4.0", - "vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", - "metrics": { - "baseScore": 4.8 - }, - "vendorMetadata": {} - }, - { - "source": "cna@vuldb.com", - "type": "Secondary", - "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", - "metrics": { - "baseScore": 3.3, - "exploitabilityScore": 1.9, - "impactScore": 1.5 - }, - "vendorMetadata": {} - }, - { - "source": "cna@vuldb.com", - "type": "Secondary", - "version": "2.0", - "vector": "AV:L/AC:L/Au:S/C:N/I:N/A:P", - "metrics": { - "baseScore": 1.7, - "exploitabilityScore": 3.2, - "impactScore": 2.9 - }, - "vendorMetadata": {} - } - ], - "epss": [ - { - "cve": "CVE-2025-1632", - "epss": 0.00188, - "percentile": 0.40872, - "date": "2025-12-14" - } - ], - "cwes": [ - { - "cve": "CVE-2025-1632", - "cwe": "CWE-404", - "source": "cna@vuldb.com", - "type": "Secondary" 
- }, - { - "cve": "CVE-2025-1632", - "cwe": "CWE-476", - "source": "cna@vuldb.com", - "type": "Secondary" - }, - { - "cve": "CVE-2025-1632", - "cwe": "CWE-476", - "source": "nvd@nist.gov", - "type": "Primary" - } - ] - } - ], - "matchDetails": [ - { - "type": "exact-direct-match", - "matcher": "rpm-matcher", - "searchedBy": { - "distro": { - "type": "redhat", - "version": "9.6" - }, - "package": { - "name": "libarchive", - "version": "0:3.5.3-5.el9_6" - }, - "namespace": "redhat:distro:redhat:9" - }, - "found": { - "vulnerabilityID": "CVE-2025-1632", - "versionConstraint": "none (unknown)" - } - } - ], - "artifact": { - "id": "026da1974d66f84e", - "name": "libarchive", - "version": "3.5.3-5.el9_6", - "type": "rpm", - "locations": [ - { - "path": "/var/lib/rpm/rpmdb.sqlite", - "layerID": "sha256:7365a3a0db69d7f481720be6d2cc54794d0f7e1c94fbfe59d74c106a561a7537", - "accessPath": "/var/lib/rpm/rpmdb.sqlite", - "annotations": { - "evidence": "primary" - } - } - ], - "language": "", - "licenses": [ - "BSD" - ], - "cpes": [ - "cpe:2.3:a:libarchive:libarchive:3.5.3-5.el9_6:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libarchive:3.5.3-5.el9_6:*:*:*:*:*:*:*" - ], - "purl": "pkg:rpm/redhat/libarchive@3.5.3-5.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libarchive-3.5.3-5.el9_6.src.rpm", - "upstreams": [], - "metadataType": "RpmMetadata", - "metadata": { - "epoch": null, - "modularityLabel": "" - } - } - }, - { - "vulnerability": { - "id": "CVE-2025-27113", - "dataSource": "https://access.redhat.com/security/cve/CVE-2025-27113", - "namespace": "redhat:distro:redhat:9", - "severity": "Low", - "urls": [], - "description": "A flaw was found in libxml2. 
This vulnerability allows a NULL pointer dereference, leading to a potential crash or denial of service via a crafted XML pattern.", - "cvss": [ - { - "type": "Secondary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L", - "metrics": { - "baseScore": 3.1, - "exploitabilityScore": 1.7, - "impactScore": 1.5 - }, - "vendorMetadata": {} - } - ], - "epss": [ - { - "cve": "CVE-2025-27113", - "epss": 0.00184, - "percentile": 0.40434, - "date": "2025-12-14" - } - ], - "cwes": [ - { - "cve": "CVE-2025-27113", - "cwe": "CWE-476", - "source": "cve@mitre.org", - "type": "Secondary" - }, - { - "cve": "CVE-2025-27113", - "cwe": "CWE-476", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "fix": { - "versions": [], - "state": "not-fixed" - }, - "advisories": [], - "risk": 0.056119999999999996 - }, - "relatedVulnerabilities": [ - { - "id": "CVE-2025-27113", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-27113", - "namespace": "nvd:cpe", - "severity": "High", - "urls": [ - "https://gitlab.gnome.org/GNOME/libxml2/-/issues/861", - "http://seclists.org/fulldisclosure/2025/Apr/10", - "http://seclists.org/fulldisclosure/2025/Apr/11", - "http://seclists.org/fulldisclosure/2025/Apr/12", - "http://seclists.org/fulldisclosure/2025/Apr/13", - "http://seclists.org/fulldisclosure/2025/Apr/4", - "http://seclists.org/fulldisclosure/2025/Apr/5", - "http://seclists.org/fulldisclosure/2025/Apr/8", - "http://seclists.org/fulldisclosure/2025/Apr/9", - "https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html", - "https://security.netapp.com/advisory/ntap-20250306-0004/" + "https://github.com/Ekkosun/pocs/blob/main/bsdunzip-poc", + "https://vuldb.com/?ctiid.296619", + "https://vuldb.com/?id.296619", + "https://vuldb.com/?submit.496460" ], - "description": "libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer dereference in xmlPatMatch in pattern.c.", + "description": "A vulnerability was found in libarchive up to 3.7.7. 
It has been classified as problematic. This affects the function list of the file bsdunzip.c. The manipulation leads to null pointer dereference. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.", "cvss": [ { "source": "nvd@nist.gov", "type": "Primary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, + "baseScore": 5.5, + "exploitabilityScore": 1.9, "impactScore": 3.6 }, "vendorMetadata": {} }, { - "source": "cve@mitre.org", + "source": "cna@vuldb.com", + "type": "Secondary", + "version": "4.0", + "vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", + "metrics": { + "baseScore": 4.8 + }, + "vendorMetadata": {} + }, + { + "source": "cna@vuldb.com", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "metrics": { - "baseScore": 2.9, - "exploitabilityScore": 1.5, + "baseScore": 3.3, + "exploitabilityScore": 1.9, "impactScore": 1.5 }, "vendorMetadata": {} + }, + { + "source": "cna@vuldb.com", + "type": "Secondary", + "version": "2.0", + "vector": "AV:L/AC:L/Au:S/C:N/I:N/A:P", + "metrics": { + "baseScore": 1.7, + "exploitabilityScore": 3.2, + "impactScore": 2.9 + }, + "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2025-27113", - "epss": 0.00184, - "percentile": 0.40434, - "date": "2025-12-14" + "cve": "CVE-2025-1632", + "epss": 0.00188, + "percentile": 0.40856, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-27113", + "cve": "CVE-2025-1632", + "cwe": "CWE-404", + "source": "cna@vuldb.com", + "type": "Secondary" + }, 
+ { + "cve": "CVE-2025-1632", "cwe": "CWE-476", - "source": "cve@mitre.org", + "source": "cna@vuldb.com", "type": "Secondary" }, { - "cve": "CVE-2025-27113", + "cve": "CVE-2025-1632", "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" @@ -2385,21 +2385,21 @@ "version": "9.6" }, "package": { - "name": "libxml2", - "version": "0:2.9.13-10.el9_6" + "name": "libarchive", + "version": "0:3.5.3-5.el9_6" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2025-27113", + "vulnerabilityID": "CVE-2025-1632", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "cad7c140298c7fa1", - "name": "libxml2", - "version": "2.9.13-10.el9_6", + "id": "026da1974d66f84e", + "name": "libarchive", + "version": "3.5.3-5.el9_6", "type": "rpm", "locations": [ { @@ -2413,13 +2413,13 @@ ], "language": "", "licenses": [ - "MIT" + "BSD" ], "cpes": [ - "cpe:2.3:a:libxml2:libxml2:2.9.13-10.el9_6:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libxml2:2.9.13-10.el9_6:*:*:*:*:*:*:*" + "cpe:2.3:a:libarchive:libarchive:3.5.3-5.el9_6:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libarchive:3.5.3-5.el9_6:*:*:*:*:*:*:*" ], - "purl": "pkg:rpm/redhat/libxml2@2.9.13-10.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libxml2-2.9.13-10.el9_6.src.rpm", + "purl": "pkg:rpm/redhat/libarchive@3.5.3-5.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libarchive-3.5.3-5.el9_6.src.rpm", "upstreams": [], "metadataType": "RpmMetadata", "metadata": { @@ -2453,8 +2453,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ], "fix": { @@ -2495,8 +2495,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ] } @@ -2590,8 +2590,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ], "fix": { 
@@ -2632,8 +2632,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ] } @@ -2727,8 +2727,8 @@ { "cve": "CVE-2025-32988", "epss": 0.00083, - "percentile": 0.24589, - "date": "2025-12-14" + "percentile": 0.24562, + "date": "2025-12-15" } ], "cwes": [ @@ -2811,8 +2811,8 @@ { "cve": "CVE-2025-32988", "epss": 0.00083, - "percentile": 0.24589, - "date": "2025-12-14" + "percentile": 0.24562, + "date": "2025-12-15" } ], "cwes": [ @@ -2906,8 +2906,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -2965,8 +2965,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -3057,8 +3057,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -3116,8 +3116,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -3219,8 +3219,8 @@ { "cve": "CVE-2025-5914", "epss": 0.00054, - "percentile": 0.17051, - "date": "2025-12-14" + "percentile": 0.17023, + "date": "2025-12-15" } ], "cwes": [ @@ -3320,8 +3320,8 @@ { "cve": "CVE-2025-5914", "epss": 0.00054, - "percentile": 0.17051, - "date": "2025-12-14" + "percentile": 0.17023, + "date": "2025-12-15" } ], "cwes": [ @@ -3415,8 +3415,8 @@ { "cve": "CVE-2025-4207", "epss": 0.00067, - "percentile": 0.2082, - "date": "2025-12-14" + "percentile": 0.20798, + "date": "2025-12-15" } ], "cwes": [ @@ -3464,8 +3464,8 @@ { "cve": "CVE-2025-4207", "epss": 0.00067, - "percentile": 0.2082, - "date": "2025-12-14" + "percentile": 0.20798, + "date": "2025-12-15" } ], "cwes": [ 
@@ -3556,8 +3556,8 @@ { "cve": "CVE-2022-29458", "epss": 0.00079, - "percentile": 0.23835, - "date": "2025-12-14" + "percentile": 0.23812, + "date": "2025-12-15" } ], "cwes": [ @@ -3652,8 +3652,8 @@ { "cve": "CVE-2022-29458", "epss": 0.00079, - "percentile": 0.23835, - "date": "2025-12-14" + "percentile": 0.23812, + "date": "2025-12-15" } ], "cwes": [ @@ -3764,8 +3764,8 @@ { "cve": "CVE-2022-29458", "epss": 0.00079, - "percentile": 0.23835, - "date": "2025-12-14" + "percentile": 0.23812, + "date": "2025-12-15" } ], "cwes": [ 
@@ -3797,84 +3797,237 @@ }, "advisories": [ { - "id": "RHSA-2025:12876", - "link": "https://access.redhat.com/errata/RHSA-2025:12876" + "id": "RHSA-2025:12876", + "link": "https://access.redhat.com/errata/RHSA-2025:12876" + } + ], + "risk": 0.035945 + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-29458", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-29458", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://seclists.org/fulldisclosure/2022/Oct/28", + "http://seclists.org/fulldisclosure/2022/Oct/41", + "https://lists.debian.org/debian-lts-announce/2022/10/msg00037.html", + "https://lists.gnu.org/archive/html/bug-ncurses/2022-04/msg00014.html", + "https://lists.gnu.org/archive/html/bug-ncurses/2022-04/msg00016.html", + "https://support.apple.com/kb/HT213488" + ], + "description": "ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H", + "metrics": { + "baseScore": 7.1, + "exploitabilityScore": 1.9, + "impactScore": 5.2 + }, + "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:P", + "metrics": { + "baseScore": 5.8, + "exploitabilityScore": 8.6, + "impactScore": 5 + }, + "vendorMetadata": {} + }, + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H", + "metrics": { + "baseScore": 7.1, + "exploitabilityScore": 1.9, + "impactScore": 5.2 + }, + "vendorMetadata": {} + } + ], + "epss": [ + { + "cve": "CVE-2022-29458", + "epss": 0.00079, + "percentile": 0.23812, + "date": "2025-12-15" + } + ], + "cwes": [ + { + "cve": "CVE-2022-29458", + "cwe": "CWE-125", + "source": "nvd@nist.gov", + "type": "Primary" + }, 
+ { + "cve": "CVE-2022-29458", + "cwe": "CWE-125", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "rpm-matcher", + "searchedBy": { + "distro": { + "type": "redhat", + "version": "9.6" + }, + "package": { + "name": "ncurses", + "version": "6.2-10.20210508.el9" + }, + "namespace": "redhat:distro:redhat:9" + }, + "found": { + "vulnerabilityID": "CVE-2022-29458", + "versionConstraint": "< 0:6.2-10.20210508.el9_6.2 (rpm)" + }, + "fix": { + "suggestedVersion": "0:6.2-10.20210508.el9_6.2" + } + } + ], + "artifact": { + "id": "f3ef10418ec3cca6", + "name": "ncurses-libs", + "version": "6.2-10.20210508.el9", + "type": "rpm", + "locations": [ + { + "path": "/var/lib/rpm/rpmdb.sqlite", + "layerID": "sha256:7365a3a0db69d7f481720be6d2cc54794d0f7e1c94fbfe59d74c106a561a7537", + "accessPath": "/var/lib/rpm/rpmdb.sqlite", + "annotations": { + "evidence": "primary" + } + } + ], + "language": "", + "licenses": [ + "MIT" + ], + "cpes": [ + "cpe:2.3:a:ncurses-libs:ncurses-libs:6.2-10.20210508.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:ncurses-libs:ncurses_libs:6.2-10.20210508.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:ncurses_libs:ncurses-libs:6.2-10.20210508.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:ncurses_libs:ncurses_libs:6.2-10.20210508.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:ncurses:ncurses-libs:6.2-10.20210508.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:ncurses:ncurses_libs:6.2-10.20210508.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:ncurses-libs:6.2-10.20210508.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:ncurses_libs:6.2-10.20210508.el9:*:*:*:*:*:*:*" + ], + "purl": "pkg:rpm/redhat/ncurses-libs@6.2-10.20210508.el9?arch=x86_64&distro=rhel-9.6&upstream=ncurses-6.2-10.20210508.el9.src.rpm", + "upstreams": [ + { + "name": "ncurses", + "version": "6.2-10.20210508.el9" + } + ], + "metadataType": "RpmMetadata", + "metadata": { + "epoch": null, + "modularityLabel": "" + } + } + }, + { + "vulnerability": { + "id": 
"CVE-2025-12818", + "dataSource": "https://access.redhat.com/security/cve/CVE-2025-12818", + "namespace": "redhat:distro:redhat:9", + "severity": "Medium", + "urls": [], + "description": "A vulnerability has been identified in PostgreSQL’s libpq client library, where integer wraparound in several allocation-size calculations allows a peer or input provider to cause an undersized buffer and then write out-of-bounds by hundreds of megabytes. This can lead to a client application segmentation fault or crash when using libpq to connect to a PostgreSQL server.", + "cvss": [ + { + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ], + "epss": [ + { + "cve": "CVE-2025-12818", + "epss": 0.00057, + "percentile": 0.1792, + "date": "2025-12-15" } ], - "risk": 0.035945 + "cwes": [ + { + "cve": "CVE-2025-12818", + "cwe": "CWE-190", + "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", + "type": "Secondary" + } + ], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [], + "risk": 0.035625000000000004 }, "relatedVulnerabilities": [ { - "id": "CVE-2022-29458", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-29458", + "id": "CVE-2025-12818", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-12818", "namespace": "nvd:cpe", - "severity": "High", + "severity": "Medium", "urls": [ - "http://seclists.org/fulldisclosure/2022/Oct/28", - "http://seclists.org/fulldisclosure/2022/Oct/41", - "https://lists.debian.org/debian-lts-announce/2022/10/msg00037.html", - "https://lists.gnu.org/archive/html/bug-ncurses/2022-04/msg00014.html", - "https://lists.gnu.org/archive/html/bug-ncurses/2022-04/msg00016.html", - "https://support.apple.com/kb/HT213488" + "https://www.postgresql.org/support/security/CVE-2025-12818/" ], - "description": "ncurses 6.3 before patch 20220416 has an out-of-bounds 
read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library.", + "description": "Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application using libpq. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.", "cvss": [ { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H", - "metrics": { - "baseScore": 7.1, - "exploitabilityScore": 1.9, - "impactScore": 5.2 - }, - "vendorMetadata": {} - }, - { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "2.0", - "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:P", - "metrics": { - "baseScore": 5.8, - "exploitabilityScore": 8.6, - "impactScore": 5 - }, - "vendorMetadata": {} - }, - { - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 7.1, - "exploitabilityScore": 1.9, - "impactScore": 5.2 + "baseScore": 5.9, + "exploitabilityScore": 2.3, + "impactScore": 3.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2022-29458", - "epss": 0.00079, - "percentile": 0.23835, - "date": "2025-12-14" + "cve": "CVE-2025-12818", + "epss": 0.00057, + "percentile": 0.1792, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2022-29458", - "cwe": "CWE-125", - "source": "nvd@nist.gov", - "type": "Primary" - }, - { - "cve": "CVE-2022-29458", - "cwe": "CWE-125", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "cve": "CVE-2025-12818", + "cwe": "CWE-190", + "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "type": "Secondary" } ] 
@@ -3882,7 +4035,7 @@ ], "matchDetails": [ { - "type": "exact-indirect-match", + "type": "exact-direct-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { @@ -3890,24 +4043,21 @@ "version": "9.6" }, "package": { - "name": "ncurses", - "version": "6.2-10.20210508.el9" + "name": "libpq", + "version": "0:13.20-1.el9_5" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2022-29458", - "versionConstraint": "< 0:6.2-10.20210508.el9_6.2 (rpm)" - }, - "fix": { - "suggestedVersion": "0:6.2-10.20210508.el9_6.2" + "vulnerabilityID": "CVE-2025-12818", + "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "f3ef10418ec3cca6", - "name": "ncurses-libs", - "version": "6.2-10.20210508.el9", + "id": "9e9440b1f6d978f7", + "name": "libpq", + "version": "13.20-1.el9_5", "type": "rpm", "locations": [ { 
@@ -3921,25 +4071,14 @@ ], "language": "", "licenses": [ - "MIT" + "PostgreSQL" ], "cpes": [ - "cpe:2.3:a:ncurses-libs:ncurses-libs:6.2-10.20210508.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:ncurses-libs:ncurses_libs:6.2-10.20210508.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:ncurses_libs:ncurses-libs:6.2-10.20210508.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:ncurses_libs:ncurses_libs:6.2-10.20210508.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:ncurses:ncurses-libs:6.2-10.20210508.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:ncurses:ncurses_libs:6.2-10.20210508.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:ncurses-libs:6.2-10.20210508.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:ncurses_libs:6.2-10.20210508.el9:*:*:*:*:*:*:*" - ], - "purl": "pkg:rpm/redhat/ncurses-libs@6.2-10.20210508.el9?arch=x86_64&distro=rhel-9.6&upstream=ncurses-6.2-10.20210508.el9.src.rpm", - "upstreams": [ - { - "name": "ncurses", - "version": "6.2-10.20210508.el9" - } + "cpe:2.3:a:redhat:libpq:13.20-1.el9_5:*:*:*:*:*:*:*", + "cpe:2.3:a:libpq:libpq:13.20-1.el9_5:*:*:*:*:*:*:*" ], + "purl": "pkg:rpm/redhat/libpq@13.20-1.el9_5?arch=x86_64&distro=rhel-9.6&upstream=libpq-13.20-1.el9_5.src.rpm", + "upstreams": [], "metadataType": "RpmMetadata", "metadata": { "epoch": null, @@ -3972,8 +4111,8 @@ { "cve": "CVE-2025-6395", "epss": 0.00059, - "percentile": 0.18686, - "date": "2025-12-14" + "percentile": 0.18672, + "date": "2025-12-15" } ], "cwes": [ @@ -4044,8 +4183,8 @@ { "cve": "CVE-2025-6395", "epss": 0.00059, - "percentile": 0.18686, - "date": "2025-12-14" + "percentile": 0.18672, + "date": "2025-12-15" } ], "cwes": [ @@ -4139,8 +4278,8 @@ { "cve": "CVE-2023-45322", "epss": 0.00076, - "percentile": 0.23163, - "date": "2025-12-14" + "percentile": 0.2314, + "date": "2025-12-15" } ], "cwes": [ @@ -4189,8 +4328,8 @@ { "cve": "CVE-2023-45322", "epss": 0.00076, - "percentile": 0.23163, - "date": "2025-12-14" + "percentile": 0.2314, + "date": "2025-12-15" } ], "cwes": [ 
@@ -4256,145 +4395,6 @@ } } }, - { - "vulnerability": { - "id": "CVE-2025-12818", - "dataSource": "https://access.redhat.com/security/cve/CVE-2025-12818", - "namespace": "redhat:distro:redhat:9", - "severity": "Medium", - "urls": [], - "description": "A vulnerability has been identified in PostgreSQL’s libpq client library, where integer wraparound in several allocation-size calculations allows a peer or input provider to cause an undersized buffer and then write out-of-bounds by hundreds of megabytes. This can lead to a client application segmentation fault or crash when using libpq to connect to a PostgreSQL server.", - "cvss": [ - { - "type": "Secondary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, - "impactScore": 3.6 - }, - "vendorMetadata": {} - } - ], - "epss": [ - { - "cve": "CVE-2025-12818", - "epss": 0.00052, - "percentile": 0.16429, - "date": "2025-12-14" - } - ], - "cwes": [ - { - "cve": "CVE-2025-12818", - "cwe": "CWE-190", - "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", - "type": "Secondary" - } - ], - "fix": { - "versions": [], - "state": "not-fixed" - }, - "advisories": [], - "risk": 0.0325 - }, - "relatedVulnerabilities": [ - { - "id": "CVE-2025-12818", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-12818", - "namespace": "nvd:cpe", - "severity": "Medium", - "urls": [ - "https://www.postgresql.org/support/security/CVE-2025-12818/" - ], - "description": "Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application using libpq. 
Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.", - "cvss": [ - { - "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", - "type": "Secondary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", - "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, - "impactScore": 3.6 - }, - "vendorMetadata": {} - } - ], - "epss": [ - { - "cve": "CVE-2025-12818", - "epss": 0.00052, - "percentile": 0.16429, - "date": "2025-12-14" - } - ], - "cwes": [ - { - "cve": "CVE-2025-12818", - "cwe": "CWE-190", - "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", - "type": "Secondary" - } - ] - } - ], - "matchDetails": [ - { - "type": "exact-direct-match", - "matcher": "rpm-matcher", - "searchedBy": { - "distro": { - "type": "redhat", - "version": "9.6" - }, - "package": { - "name": "libpq", - "version": "0:13.20-1.el9_5" - }, - "namespace": "redhat:distro:redhat:9" - }, - "found": { - "vulnerabilityID": "CVE-2025-12818", - "versionConstraint": "none (unknown)" - } - } - ], - "artifact": { - "id": "9e9440b1f6d978f7", - "name": "libpq", - "version": "13.20-1.el9_5", - "type": "rpm", - "locations": [ - { - "path": "/var/lib/rpm/rpmdb.sqlite", - "layerID": "sha256:7365a3a0db69d7f481720be6d2cc54794d0f7e1c94fbfe59d74c106a561a7537", - "accessPath": "/var/lib/rpm/rpmdb.sqlite", - "annotations": { - "evidence": "primary" - } - } - ], - "language": "", - "licenses": [ - "PostgreSQL" - ], - "cpes": [ - "cpe:2.3:a:redhat:libpq:13.20-1.el9_5:*:*:*:*:*:*:*", - "cpe:2.3:a:libpq:libpq:13.20-1.el9_5:*:*:*:*:*:*:*" - ], - "purl": "pkg:rpm/redhat/libpq@13.20-1.el9_5?arch=x86_64&distro=rhel-9.6&upstream=libpq-13.20-1.el9_5.src.rpm", - "upstreams": [], - "metadataType": "RpmMetadata", - "metadata": { - "epoch": null, - "modularityLabel": "" - } - } - }, { "vulnerability": { "id": "CVE-2025-32989", 
@@ -4420,8 +4420,8 @@ { "cve": "CVE-2025-32989", "epss": 0.00055, - "percentile": 0.17349, - "date": "2025-12-14" + "percentile": 0.17321, + "date": "2025-12-15" } ], "cwes": [ @@ -4490,8 +4490,8 @@ { "cve": "CVE-2025-32989", "epss": 0.00055, - "percentile": 0.17349, - "date": "2025-12-14" + "percentile": 0.17321, + "date": "2025-12-15" } ], "cwes": [ @@ -4585,8 +4585,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -4633,8 +4633,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -4725,8 +4725,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -4773,8 +4773,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -4876,8 +4876,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ], "fix": { @@ -4919,8 +4919,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ] } @@ -5014,8 +5014,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ], "fix": { @@ -5057,8 +5057,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ] } @@ -5152,8 +5152,8 @@ { "cve": "CVE-2025-3360", "epss": 0.00068, - "percentile": 0.2117, - "date": "2025-12-14" + "percentile": 0.21148, + "date": "2025-12-15" } ], "cwes": [ 
@@ -5201,8 +5201,8 @@ { "cve": "CVE-2025-3360", "epss": 0.00068, - "percentile": 0.2117, - "date": "2025-12-14" + "percentile": 0.21148, + "date": "2025-12-15" } ], "cwes": [ @@ -5293,8 +5293,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -5354,8 +5354,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -5451,8 +5451,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -5512,8 +5512,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -5609,8 +5609,8 @@ { "cve": "CVE-2025-32414", "epss": 0.0004, - "percentile": 0.12023, - "date": "2025-12-14" + "percentile": 0.1197, + "date": "2025-12-15" } ], "cwes": [ @@ -5689,8 +5689,8 @@ { "cve": "CVE-2025-32414", "epss": 0.0004, - "percentile": 0.12023, - "date": "2025-12-14" + "percentile": 0.1197, + "date": "2025-12-15" } ], "cwes": [ @@ -5790,8 +5790,8 @@ { "cve": "CVE-2025-4598", "epss": 0.00042, - "percentile": 0.12535, - "date": "2025-12-14" + "percentile": 0.12486, + "date": "2025-12-15" } ], "cwes": [ @@ -5863,8 +5863,8 @@ { "cve": "CVE-2025-4598", "epss": 0.00042, - "percentile": 0.12535, - "date": "2025-12-14" + "percentile": 0.12486, + "date": "2025-12-15" } ], "cwes": [ @@ -5969,8 +5969,8 @@ { "cve": "CVE-2025-14512", "epss": 0.00034, - "percentile": 0.09609, - "date": "2025-12-14" + "percentile": 0.09535, + "date": "2025-12-15" } ], "cwes": [ @@ -6017,8 +6017,8 @@ { "cve": "CVE-2025-14512", "epss": 0.00034, - "percentile": 0.09609, - "date": "2025-12-14" + "percentile": 0.09535, + "date": "2025-12-15" } ], "cwes": [ 
@@ -6112,8 +6112,8 @@ { "cve": "CVE-2025-29478", "epss": 0.00034, - "percentile": 0.09478, - "date": "2025-12-14" + "percentile": 0.09393, + "date": "2025-12-15" } ], "cwes": [ @@ -6204,8 +6204,8 @@ { "cve": "CVE-2025-7425", "epss": 0.00022, - "percentile": 0.05026, - "date": "2025-12-14" + "percentile": 0.04984, + "date": "2025-12-15" } ], "cwes": [ @@ -6300,8 +6300,8 @@ { "cve": "CVE-2025-7425", "epss": 0.00022, - "percentile": 0.05026, - "date": "2025-12-14" + "percentile": 0.04984, + "date": "2025-12-15" } ], "cwes": [ @@ -6395,8 +6395,8 @@ { "cve": "CVE-2025-6965", "epss": 0.00022, - "percentile": 0.05249, - "date": "2025-12-14" + "percentile": 0.05222, + "date": "2025-12-15" } ], "cwes": [ @@ -6472,8 +6472,8 @@ { "cve": "CVE-2025-6965", "epss": 0.00022, - "percentile": 0.05249, - "date": "2025-12-14" + "percentile": 0.05222, + "date": "2025-12-15" } ], "cwes": [ @@ -6578,8 +6578,8 @@ { "cve": "CVE-2025-32415", "epss": 0.00024, - "percentile": 0.05699, - "date": "2025-12-14" + "percentile": 0.05692, + "date": "2025-12-15" } ], "cwes": [ @@ -6658,8 +6658,8 @@ { "cve": "CVE-2025-32415", "epss": 0.00024, - "percentile": 0.05699, - "date": "2025-12-14" + "percentile": 0.05692, + "date": "2025-12-15" } ], "cwes": [ @@ -6759,8 +6759,8 @@ { "cve": "CVE-2025-8058", "epss": 0.00031, - "percentile": 0.08295, - "date": "2025-12-14" + "percentile": 0.08225, + "date": "2025-12-15" } ], "cwes": [ @@ -6820,8 +6820,8 @@ { "cve": "CVE-2025-8058", "epss": 0.00031, - "percentile": 0.08295, - "date": "2025-12-14" + "percentile": 0.08225, + "date": "2025-12-15" } ], "cwes": [ @@ -6915,8 +6915,8 @@ { "cve": "CVE-2025-8058", "epss": 0.00031, - "percentile": 0.08295, - "date": "2025-12-14" + "percentile": 0.08225, + "date": "2025-12-15" } ], "cwes": [ @@ -6976,8 +6976,8 @@ { "cve": "CVE-2025-8058", "epss": 0.00031, - "percentile": 0.08295, - "date": "2025-12-14" + "percentile": 0.08225, + "date": "2025-12-15" } ], "cwes": [ 
@@ -7082,8 +7082,8 @@ { "cve": "CVE-2025-8058", "epss": 0.00031, - "percentile": 0.08295, - "date": "2025-12-14" + "percentile": 0.08225, + "date": "2025-12-15" } ], "cwes": [ @@ -7143,8 +7143,8 @@ { "cve": "CVE-2025-8058", "epss": 0.00031, - "percentile": 0.08295, - "date": "2025-12-14" + "percentile": 0.08225, + "date": "2025-12-15" } ], "cwes": [ @@ -7253,8 +7253,8 @@ { "cve": "CVE-2025-8058", "epss": 0.00031, - "percentile": 0.08295, - "date": "2025-12-14" + "percentile": 0.08225, + "date": "2025-12-15" } ], "cwes": [ @@ -7314,8 +7314,8 @@ { "cve": "CVE-2025-8058", "epss": 0.00031, - "percentile": 0.08295, - "date": "2025-12-14" + "percentile": 0.08225, + "date": "2025-12-15" } ], "cwes": [ @@ -7424,8 +7424,8 @@ { "cve": "CVE-2023-4156", "epss": 0.00031, - "percentile": 0.08475, - "date": "2025-12-14" + "percentile": 0.08405, + "date": "2025-12-15" } ], "cwes": [ @@ -7490,8 +7490,8 @@ { "cve": "CVE-2023-4156", "epss": 0.00031, - "percentile": 0.08475, - "date": "2025-12-14" + "percentile": 0.08405, + "date": "2025-12-15" } ], "cwes": [ @@ -7588,8 +7588,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ @@ -7664,8 +7664,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ @@ -7765,8 +7765,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ @@ -7841,8 +7841,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ @@ -7953,8 +7953,8 @@ { "cve": "CVE-2025-9714", "epss": 0.00024, - "percentile": 0.05691, - "date": "2025-12-14" + "percentile": 0.05683, + "date": "2025-12-15" } ], "cwes": [ 
@@ -8027,8 +8027,8 @@ { "cve": "CVE-2025-9714", "epss": 0.00024, - "percentile": 0.05691, - "date": "2025-12-14" + "percentile": 0.05683, + "date": "2025-12-15" } ], "cwes": [ @@ -8122,8 +8122,8 @@ { "cve": "CVE-2025-60753", "epss": 0.0002, - "percentile": 0.04699, - "date": "2025-12-14" + "percentile": 0.04656, + "date": "2025-12-15" } ], "cwes": [ @@ -8176,8 +8176,8 @@ { "cve": "CVE-2025-60753", "epss": 0.0002, - "percentile": 0.04699, - "date": "2025-12-14" + "percentile": 0.04656, + "date": "2025-12-15" } ], "cwes": [ @@ -8277,8 +8277,8 @@ { "cve": "CVE-2025-29477", "epss": 0.00019, - "percentile": 0.04132, - "date": "2025-12-14" + "percentile": 0.04084, + "date": "2025-12-15" } ], "cwes": [ @@ -8369,8 +8369,8 @@ { "cve": "CVE-2025-13601", "epss": 0.00015, - "percentile": 0.02458, - "date": "2025-12-14" + "percentile": 0.0245, + "date": "2025-12-15" } ], "cwes": [ @@ -8419,8 +8419,8 @@ { "cve": "CVE-2025-13601", "epss": 0.00015, - "percentile": 0.02458, - "date": "2025-12-14" + "percentile": 0.0245, + "date": "2025-12-15" } ], "cwes": [ @@ -8511,8 +8511,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ], "fix": { @@ -8553,8 +8553,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ] } @@ -8648,8 +8648,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ], "fix": { @@ -8690,8 +8690,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ] } @@ -8785,8 +8785,8 @@ { "cve": "CVE-2025-5915", "epss": 0.00026, - "percentile": 0.06449, - "date": "2025-12-14" + "percentile": 0.06425, + "date": "2025-12-15" } ], "cwes": [ 
@@ -8847,8 +8847,8 @@ { "cve": "CVE-2025-5915", "epss": 0.00026, - "percentile": 0.06449, - "date": "2025-12-14" + "percentile": 0.06425, + "date": "2025-12-15" } ], "cwes": [ @@ -8939,8 +8939,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -8992,8 +8992,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -9084,8 +9084,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -9137,8 +9137,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -9240,8 +9240,8 @@ { "cve": "CVE-2025-5916", "epss": 0.00023, - "percentile": 0.05378, - "date": "2025-12-14" + "percentile": 0.05349, + "date": "2025-12-15" } ], "cwes": [ @@ -9302,8 +9302,8 @@ { "cve": "CVE-2025-5916", "epss": 0.00023, - "percentile": 0.05378, - "date": "2025-12-14" + "percentile": 0.05349, + "date": "2025-12-15" } ], "cwes": [ @@ -9394,8 +9394,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -9442,8 +9442,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -9539,8 +9539,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -9587,8 +9587,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ 
@@ -9684,8 +9684,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -9732,8 +9732,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -9829,8 +9829,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -9877,8 +9877,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -9974,8 +9974,8 @@ { "cve": "CVE-2025-5278", "epss": 0.00016, - "percentile": 0.02784, - "date": "2025-12-14" + "percentile": 0.02777, + "date": "2025-12-15" } ], "cwes": [ @@ -10028,8 +10028,8 @@ { "cve": "CVE-2025-5278", "epss": 0.00016, - "percentile": 0.02784, - "date": "2025-12-14" + "percentile": 0.02777, + "date": "2025-12-15" } ], "cwes": [ @@ -10131,8 +10131,8 @@ { "cve": "CVE-2023-30571", "epss": 0.00014, - "percentile": 0.02021, - "date": "2025-12-14" + "percentile": 0.02012, + "date": "2025-12-15" } ], "cwes": [ @@ -10197,8 +10197,8 @@ { "cve": "CVE-2023-30571", "epss": 0.00014, - "percentile": 0.02021, - "date": "2025-12-14" + "percentile": 0.02012, + "date": "2025-12-15" } ], "cwes": [ @@ -10295,8 +10295,8 @@ { "cve": "CVE-2025-30258", "epss": 0.00025, - "percentile": 0.05983, - "date": "2025-12-14" + "percentile": 0.0597, + "date": "2025-12-15" } ], "cwes": [ @@ -10356,8 +10356,8 @@ { "cve": "CVE-2025-30258", "epss": 0.00025, - "percentile": 0.05983, - "date": "2025-12-14" + "percentile": 0.0597, + "date": "2025-12-15" } ], "cwes": [ @@ -10448,8 +10448,8 @@ { "cve": "CVE-2024-0232", "epss": 0.00018, - "percentile": 0.03785, - "date": "2025-12-14" + "percentile": 0.03749, + "date": "2025-12-15" } ], "cwes": [ 
@@ -10516,8 +10516,8 @@ { "cve": "CVE-2024-0232", "epss": 0.00018, - "percentile": 0.03785, - "date": "2025-12-14" + "percentile": 0.03749, + "date": "2025-12-15" } ], "cwes": [ @@ -10625,8 +10625,8 @@ { "cve": "CVE-2025-5918", "epss": 0.00019, - "percentile": 0.04307, - "date": "2025-12-14" + "percentile": 0.04264, + "date": "2025-12-15" } ], "cwes": [ @@ -10687,8 +10687,8 @@ { "cve": "CVE-2025-5918", "epss": 0.00019, - "percentile": 0.04307, - "date": "2025-12-14" + "percentile": 0.04264, + "date": "2025-12-15" } ], "cwes": [ @@ -10779,8 +10779,8 @@ { "cve": "CVE-2022-3219", "epss": 0.00012, - "percentile": 0.01397, - "date": "2025-12-14" + "percentile": 0.01394, + "date": "2025-12-15" } ], "cwes": [ @@ -10849,8 +10849,8 @@ { "cve": "CVE-2022-3219", "epss": 0.00012, - "percentile": 0.01397, - "date": "2025-12-14" + "percentile": 0.01394, + "date": "2025-12-15" } ], "cwes": [ @@ -10947,8 +10947,8 @@ { "cve": "CVE-2025-5917", "epss": 0.00019, - "percentile": 0.04396, - "date": "2025-12-14" + "percentile": 0.04351, + "date": "2025-12-15" } ], "cwes": [ @@ -11009,8 +11009,8 @@ { "cve": "CVE-2025-5917", "epss": 0.00019, - "percentile": 0.04396, - "date": "2025-12-14" + "percentile": 0.04351, + "date": "2025-12-15" } ], "cwes": [ @@ -11101,8 +11101,8 @@ { "cve": "CVE-2025-6170", "epss": 0.00017, - "percentile": 0.03384, - "date": "2025-12-14" + "percentile": 0.03368, + "date": "2025-12-15" } ], "cwes": [ @@ -11162,8 +11162,8 @@ { "cve": "CVE-2025-6170", "epss": 0.00017, - "percentile": 0.03384, - "date": "2025-12-14" + "percentile": 0.03368, + "date": "2025-12-15" } ], "cwes": [ 
@@ -11685,87 +11685,87 @@ "db": { "status": { "schemaVersion": "v6.1.3", - "from": "https://grype.anchore.io/databases/v6/vulnerability-db_v6.1.3_2025-12-15T00:26:22Z_1765786837.tar.zst?checksum=sha256%3A819b50d22f073b9ab2ad3c00d212207037c07e1de037f81b528b58717b758db2", - "built": "2025-12-15T08:20:37Z", + "from": "https://grype.anchore.io/databases/v6/vulnerability-db_v6.1.3_2025-12-16T00:25:11Z_1765880790.tar.zst?checksum=sha256%3Aa8bb3ef2cc68f242e78cda1e451f290ff56a23b1063de65d22a0ac20e16ae5bd", + "built": "2025-12-16T10:26:30Z", "path": ".cache/grype/db/6/vulnerability.db", "valid": true }, "providers": { "alma": { - "captured": "2025-12-15T00:26:29Z", + "captured": "2025-12-16T00:25:17Z", "input": "xxh64:3bae44c7a22f7a7a" }, "alpine": { - "captured": "2025-12-15T00:26:22Z", - "input": "xxh64:a6910ebae352b990" + "captured": "2025-12-16T00:25:13Z", + "input": "xxh64:0d94cc3d895e96e4" }, "amazon": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:d9332811ab10da09" + "captured": "2025-12-16T00:25:14Z", + "input": "xxh64:96351b3c21f16cdd" }, "bitnami": { - "captured": "2025-12-15T00:26:31Z", - "input": "xxh64:1ecf12b668dea077" + "captured": "2025-12-16T00:25:26Z", + "input": "xxh64:01d096e52d6c584d" }, "chainguard": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:c788b1823558ccdc" + "captured": "2025-12-16T00:25:19Z", + "input": "xxh64:aeb142b1fabd05ef" }, "chainguard-libraries": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:61125e10198fff74" + "captured": "2025-12-16T00:25:25Z", + "input": "xxh64:131c1a3e98113468" }, "debian": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:3a0aef0ee5db3f38" + "captured": "2025-12-16T00:25:24Z", + "input": "xxh64:9c5942d58a5f0d0a" }, "echo": { - "captured": "2025-12-15T00:26:34Z", - "input": "xxh64:b407f1052619408a" + "captured": "2025-12-16T00:25:20Z", + "input": "xxh64:e65ed35a7a7899d0" }, "epss": { - "captured": "2025-12-15T00:26:28Z", - "input": "xxh64:05fd1e2ee709d2a5" + "captured": 
"2025-12-16T00:25:21Z", + "input": "xxh64:c443dbaf0209cf17" }, "github": { - "captured": "2025-12-15T00:26:44Z", - "input": "xxh64:3c7fd996a88f1c66" + "captured": "2025-12-16T00:25:21Z", + "input": "xxh64:640038905439d285" }, "kev": { - "captured": "2025-12-15T00:26:23Z", - "input": "xxh64:ed425533655d771d" + "captured": "2025-12-16T00:25:11Z", + "input": "xxh64:c28f5b32e2103243" }, "mariner": { - "captured": "2025-12-15T00:26:32Z", - "input": "xxh64:6fdbff1192df3158" + "captured": "2025-12-16T00:25:18Z", + "input": "xxh64:647810a8c07a63eb" }, "minimos": { - "captured": "2025-12-15T00:26:30Z", - "input": "xxh64:66fa9397e7abbbe3" + "captured": "2025-12-16T00:25:20Z", + "input": "xxh64:24ca3b7889974a27" }, "nvd": { - "captured": "2025-12-15T00:29:34Z", - "input": "xxh64:52a15157244d2eb4" + "captured": "2025-12-16T00:28:18Z", + "input": "xxh64:8ee1877e9a9e680b" }, "oracle": { - "captured": "2025-12-15T00:26:29Z", - "input": "xxh64:a3297070ed6c54c1" + "captured": "2025-12-16T00:25:23Z", + "input": "xxh64:a4416b6b3e4250df" }, "rhel": { - "captured": "2025-12-15T00:27:19Z", - "input": "xxh64:e625d0086bf187f1" + "captured": "2025-12-16T00:26:07Z", + "input": "xxh64:9911b1a567d8f57c" }, "sles": { - "captured": "2025-12-15T00:26:44Z", - "input": "xxh64:baf8228a110f8ba2" + "captured": "2025-12-16T00:25:43Z", + "input": "xxh64:1b717d5f2e45fdee" }, "ubuntu": { - "captured": "2025-12-15T00:27:45Z", - "input": "xxh64:dd0f79d777310979" + "captured": "2025-12-16T00:27:14Z", + "input": "xxh64:2d3097578288b46f" }, "wolfi": { - "captured": "2025-12-15T00:26:25Z", - "input": "xxh64:7f14313934ae61bb" + "captured": "2025-12-16T00:25:19Z", + "input": "xxh64:f85923693eb62700" } } } diff --git a/docs/security/agent/grype-25.7.4.md b/docs/security/agent/grype-25.7.4.md index 6cf8bbe..a808e7b 100644 --- a/docs/security/agent/grype-25.7.4.md +++ b/docs/security/agent/grype-25.7.4.md 
@@ -14,8 +14,8 @@ Refer to the [triaged vulnerabilities](https://docs.fluent.do/security/triaged.h | libcurl-minimal | 7.76.1-31.el9 | [CVE-2025-9086](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-9086) | Medium | | gnutls | 3.8.3-6.el9 | [CVE-2025-32988](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32988) | Medium | | libpq | 13.20-1.el9_5 | [CVE-2025-4207](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-4207) | Medium | -| gnutls | 3.8.3-6.el9 | [CVE-2025-6395](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-6395) | Medium | | libpq | 13.20-1.el9_5 | [CVE-2025-12818](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-12818) | Medium | +| gnutls | 3.8.3-6.el9 | [CVE-2025-6395](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-6395) | Medium | | gnutls | 3.8.3-6.el9 | [CVE-2025-32989](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32989) | Medium | | libxml2 | 2.9.13-10.el9_6 | [CVE-2025-32414](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32414) | Medium | | systemd-libs | 252-51.el9_6.1 | [CVE-2025-4598](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-4598) | Medium | 
@@ -44,16 +44,16 @@ Refer to the [triaged vulnerabilities](https://docs.fluent.do/security/triaged.h | curl-minimal | 7.76.1-31.el9 | [CVE-2024-7264](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7264) | Low | | libcurl-minimal | 7.76.1-31.el9 | [CVE-2024-7264](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7264) | Low | | shadow-utils | 2:4.9-12.el9 | [CVE-2024-56433](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-56433) | Low | -| curl-minimal | 7.76.1-31.el9 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | -| libcurl-minimal | 7.76.1-31.el9 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | | libxml2 | 2.9.13-10.el9_6 | [CVE-2024-34459](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34459) | Low | | openssl | 1:3.2.2-6.el9_5.1 | [CVE-2024-41996](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41996) | Low | | openssl-libs | 1:3.2.2-6.el9_5.1 | [CVE-2024-41996](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41996) | Low | +| curl-minimal | 7.76.1-31.el9 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | +| libcurl-minimal | 7.76.1-31.el9 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | | curl-minimal | 7.76.1-31.el9 | [CVE-2024-11053](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-11053) | Low | | libcurl-minimal | 7.76.1-31.el9 | [CVE-2024-11053](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-11053) | Low | | glib2 | 2.68.4-16.el9_6.2 | [CVE-2023-32636](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32636) | Low | -| libarchive | 3.5.3-5.el9_6 | [CVE-2025-1632](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1632) | Low | | libxml2 | 2.9.13-10.el9_6 | [CVE-2025-27113](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27113) | Low | +| libarchive | 3.5.3-5.el9_6 | 
[CVE-2025-1632](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1632) | Low | | openssl | 1:3.2.2-6.el9_5.1 | [CVE-2024-13176](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13176) | Low | | openssl-libs | 1:3.2.2-6.el9_5.1 | [CVE-2024-13176](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13176) | Low | | ncurses-base | 6.2-10.20210508.el9 | [CVE-2022-29458](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29458) | Low | diff --git a/docs/security/agent/grype-25.8.2.json b/docs/security/agent/grype-25.8.2.json index b8cf155..9607942 100644 --- a/docs/security/agent/grype-25.8.2.json +++ b/docs/security/agent/grype-25.8.2.json @@ -25,8 +25,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -91,8 +91,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -194,8 +194,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -260,8 +260,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -363,8 +363,8 @@ { "cve": "CVE-2024-56433", "epss": 0.05074, - "percentile": 0.8942, - "date": "2025-12-14" + "percentile": 0.89421, + "date": "2025-12-15" } ], "cwes": [ @@ -426,8 +426,8 @@ { "cve": "CVE-2024-56433", "epss": 0.05074, - "percentile": 0.8942, - "date": "2025-12-14" + "percentile": 0.89421, + "date": "2025-12-15" } ], "cwes": [ 
@@ -504,39 +504,39 @@ }, { "vulnerability": { - "id": "CVE-2024-9681", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", + "id": "CVE-2024-34459", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-34459", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", + "description": "A flaw was found in the xmllint program distributed by the libxml2 package. A buffer over-read in the xmlHTMLPrintFileContext function in the xmllint.c file may be triggered when a crafted file is processed with the xmllint program using the `--htmlout` command line option, causing an application crash and resulting in a denial of service.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 3.9, - "exploitabilityScore": 1.4, - "impactScore": 2.6 + "baseScore": 5.5, + "exploitabilityScore": 1.9, + "impactScore": 3.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-34459", + "epss": 0.00847, + "percentile": 0.74212, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-34459", + "cwe": "CWE-122", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ], "fix": { 
@@ -544,51 +544,36 @@ "state": "not-fixed" }, "advisories": [], - "risk": 0.422625 + "risk": 0.35997500000000004 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-9681", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", + "id": "CVE-2024-34459", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-34459", "namespace": "nvd:cpe", - "severity": "Medium", + "severity": "High", "urls": [ - "https://curl.se/docs/CVE-2024-9681.html", - "https://curl.se/docs/CVE-2024-9681.json", - "https://hackerone.com/reports/2764830", - "http://seclists.org/fulldisclosure/2025/Apr/10", - "http://seclists.org/fulldisclosure/2025/Apr/11", - "http://seclists.org/fulldisclosure/2025/Apr/12", - "http://seclists.org/fulldisclosure/2025/Apr/13", - "http://seclists.org/fulldisclosure/2025/Apr/4", - "http://seclists.org/fulldisclosure/2025/Apr/5", - "http://seclists.org/fulldisclosure/2025/Apr/8", - "http://seclists.org/fulldisclosure/2025/Apr/9", - "http://www.openwall.com/lists/oss-security/2024/11/06/2", - "https://security.netapp.com/advisory/ntap-20241213-0006/" + "https://gitlab.gnome.org/GNOME/libxml2/-/issues/720", + "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.8", + "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.7", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/", + "https://lists.debian.org/debian-lts-announce/2025/07/msg00014.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", + 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/" ], - "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", + "description": "An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. 
Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c.", "cvss": [ - { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", - "metrics": { - "baseScore": 6.5, - "exploitabilityScore": 2.3, - "impactScore": 4.3 - }, - "vendorMetadata": {} - }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, + "baseScore": 7.5, + "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} @@ -596,25 +581,25 @@ ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-34459", + "epss": 0.00847, + "percentile": 0.74212, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-34459", + "cwe": "CWE-122", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ] } ], "matchDetails": [ { - "type": "exact-indirect-match", + "type": "exact-direct-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { @@ -622,21 +607,21 @@ "version": "9.6" }, "package": { - "name": "curl", - "version": "7.76.1-31.el9_6.1" + "name": "libxml2", + "version": "0:2.9.13-12.el9_6" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-9681", + "vulnerabilityID": "CVE-2024-34459", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "707ec843794b77ca", - "name": "curl-minimal", - "version": "7.76.1-31.el9_6.1", + "id": "66b25e26e34fcd34", + "name": "libxml2", + "version": "2.9.13-12.el9_6", "type": "rpm", "locations": [ { 
@@ -653,22 +638,11 @@ "MIT" ], "cpes": [ - "cpe:2.3:a:curl-minimal:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:curl-minimal:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:curl_minimal:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:curl_minimal:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:curl:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:curl:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*" - ], - "purl": "pkg:rpm/redhat/curl-minimal@7.76.1-31.el9_6.1?arch=x86_64&distro=rhel-9.6&upstream=curl-7.76.1-31.el9_6.1.src.rpm", - "upstreams": [ - { - "name": "curl", - "version": "7.76.1-31.el9_6.1" - } + "cpe:2.3:a:libxml2:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*" ], + "purl": "pkg:rpm/redhat/libxml2@2.9.13-12.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libxml2-2.9.13-12.el9_6.src.rpm", + "upstreams": [], "metadataType": "RpmMetadata", "metadata": { "epoch": null, 
@@ -678,91 +652,69 @@ }, { "vulnerability": { - "id": "CVE-2024-9681", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", + "id": "CVE-2024-41996", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", + "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 3.9, - "exploitabilityScore": 1.4, - "impactScore": 2.6 + "baseScore": 5.9, + "exploitabilityScore": 2.3, + "impactScore": 3.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-41996", + "cwe": "CWE-295", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ], "fix": { "versions": [], - "state": "not-fixed" + "state": "wont-fix" }, "advisories": [], - "risk": 0.422625 + "risk": 0.30705000000000005 }, 
"relatedVulnerabilities": [ { - "id": "CVE-2024-9681", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", + "id": "CVE-2024-41996", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", "namespace": "nvd:cpe", - "severity": "Medium", + "severity": "High", "urls": [ - "https://curl.se/docs/CVE-2024-9681.html", - "https://curl.se/docs/CVE-2024-9681.json", - "https://hackerone.com/reports/2764830", - "http://seclists.org/fulldisclosure/2025/Apr/10", - "http://seclists.org/fulldisclosure/2025/Apr/11", - "http://seclists.org/fulldisclosure/2025/Apr/12", - "http://seclists.org/fulldisclosure/2025/Apr/13", - "http://seclists.org/fulldisclosure/2025/Apr/4", - "http://seclists.org/fulldisclosure/2025/Apr/5", - "http://seclists.org/fulldisclosure/2025/Apr/8", - "http://seclists.org/fulldisclosure/2025/Apr/9", - "http://www.openwall.com/lists/oss-security/2024/11/06/2", - "https://security.netapp.com/advisory/ntap-20241213-0006/" + "https://dheatattack.gitlab.io/details/", + "https://dheatattack.gitlab.io/faq/", + "https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" ], - "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug 
is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", + "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", "cvss": [ - { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", - "metrics": { - "baseScore": 6.5, - "exploitabilityScore": 2.3, - "impactScore": 4.3 - }, - "vendorMetadata": {} - }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, + "baseScore": 7.5, + "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} 
@@ -770,25 +722,25 @@ ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-41996", + "cwe": "CWE-295", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ] } ], "matchDetails": [ { - "type": "exact-indirect-match", + "type": "exact-direct-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { @@ -796,21 +748,21 @@ "version": "9.6" }, "package": { - "name": "curl", - "version": "7.76.1-31.el9_6.1" + "name": "openssl", + "version": "1:3.2.2-6.el9_5.1" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-9681", + "vulnerabilityID": "CVE-2024-41996", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "220f5f360bc1aff5", - "name": "libcurl-minimal", - "version": "7.76.1-31.el9_6.1", + "id": "7dc75dc862d10c78", + "name": "openssl", + "version": "1:3.2.2-6.el9_5.1", "type": "rpm", "locations": [ { 
@@ -824,48 +776,37 @@ ], "language": "", "licenses": [ - "MIT" + "ASL 2.0" ], "cpes": [ - "cpe:2.3:a:libcurl-minimal:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl-minimal:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl_minimal:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl_minimal:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*" - ], - "purl": "pkg:rpm/redhat/libcurl-minimal@7.76.1-31.el9_6.1?arch=x86_64&distro=rhel-9.6&upstream=curl-7.76.1-31.el9_6.1.src.rpm", - "upstreams": [ - { - "name": "curl", - "version": "7.76.1-31.el9_6.1" - } + "cpe:2.3:a:openssl:openssl:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:openssl:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*" ], + "purl": "pkg:rpm/redhat/openssl@3.2.2-6.el9_5.1?arch=x86_64&distro=rhel-9.6&epoch=1&upstream=openssl-3.2.2-6.el9_5.1.src.rpm", + "upstreams": [], "metadataType": "RpmMetadata", "metadata": { - "epoch": null, + "epoch": 1, "modularityLabel": "" } } }, { "vulnerability": { - "id": "CVE-2024-34459", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-34459", + "id": "CVE-2024-41996", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A flaw was found in the xmllint program distributed by the libxml2 package. 
A buffer over-read in the xmlHTMLPrintFileContext function in the xmllint.c file may be triggered when a crafted file is processed with the xmllint program using the `--htmlout` command line option, causing an application crash and resulting in a denial of service.", + "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 5.5, - "exploitabilityScore": 1.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} 
@@ -873,52 +814,45 @@ ], "epss": [ { - "cve": "CVE-2024-34459", - "epss": 0.00847, - "percentile": 0.74208, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-34459", - "cwe": "CWE-122", + "cve": "CVE-2024-41996", + "cwe": "CWE-295", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ], "fix": { "versions": [], - "state": "not-fixed" + "state": "wont-fix" }, "advisories": [], - "risk": 0.35997500000000004 + "risk": 0.30705000000000005 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-34459", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-34459", + "id": "CVE-2024-41996", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", "namespace": "nvd:cpe", "severity": "High", "urls": [ - "https://gitlab.gnome.org/GNOME/libxml2/-/issues/720", - "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.8", - "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.7", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/", - "https://lists.debian.org/debian-lts-announce/2025/07/msg00014.html", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/" + "https://dheatattack.gitlab.io/details/", + "https://dheatattack.gitlab.io/faq/", + 
"https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" ], - "description": "An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c.", + "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", "cvss": [ { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { "baseScore": 7.5, "exploitabilityScore": 3.9, @@ -929,16 +863,16 @@ ], "epss": [ { - "cve": "CVE-2024-34459", - "epss": 0.00847, - "percentile": 0.74208, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-34459", - "cwe": "CWE-122", + "cve": "CVE-2024-41996", + "cwe": "CWE-295", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } @@ -947,7 +881,7 @@ ], "matchDetails": [ { - "type": "exact-direct-match", + "type": "exact-indirect-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { 
@@ -955,21 +889,21 @@ "version": "9.6" }, "package": { - "name": "libxml2", - "version": "0:2.9.13-12.el9_6" + "name": "openssl", + "version": "3.2.2-6.el9_5.1" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-34459", + "vulnerabilityID": "CVE-2024-41996", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "66b25e26e34fcd34", - "name": "libxml2", - "version": "2.9.13-12.el9_6", + "id": "58e683943e8aac02", + "name": "openssl-libs", + "version": "1:3.2.2-6.el9_5.1", "type": "rpm", "locations": [ { 
@@ -983,86 +917,119 @@ ], "language": "", "licenses": [ - "MIT" + "ASL 2.0" ], "cpes": [ - "cpe:2.3:a:libxml2:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*" + "cpe:2.3:a:openssl-libs:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl-libs:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl_libs:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl_libs:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:rpm/redhat/openssl-libs@3.2.2-6.el9_5.1?arch=x86_64&distro=rhel-9.6&epoch=1&upstream=openssl-3.2.2-6.el9_5.1.src.rpm", + "upstreams": [ + { + "name": "openssl", + "version": "3.2.2-6.el9_5.1" + } ], - "purl": "pkg:rpm/redhat/libxml2@2.9.13-12.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libxml2-2.9.13-12.el9_6.src.rpm", - "upstreams": [], "metadataType": "RpmMetadata", "metadata": { - "epoch": null, + "epoch": 1, "modularityLabel": "" } } }, { "vulnerability": { - "id": "CVE-2024-41996", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. 
This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", + "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, - "impactScore": 3.6 + "baseScore": 3.9, + "exploitabilityScore": 1.4, + "impactScore": 2.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ], "fix": { "versions": [], - "state": "wont-fix" + "state": "not-fixed" }, "advisories": [], - "risk": 0.30705000000000005 + "risk": 0.20009999999999997 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-41996", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", "namespace": "nvd:cpe", - "severity": "High", + "severity": "Medium", "urls": [ - "https://dheatattack.gitlab.io/details/", - "https://dheatattack.gitlab.io/faq/", - "https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" + "https://curl.se/docs/CVE-2024-9681.html", + "https://curl.se/docs/CVE-2024-9681.json", + "https://hackerone.com/reports/2764830", + "http://seclists.org/fulldisclosure/2025/Apr/10", + 
"http://seclists.org/fulldisclosure/2025/Apr/11", + "http://seclists.org/fulldisclosure/2025/Apr/12", + "http://seclists.org/fulldisclosure/2025/Apr/13", + "http://seclists.org/fulldisclosure/2025/Apr/4", + "http://seclists.org/fulldisclosure/2025/Apr/5", + "http://seclists.org/fulldisclosure/2025/Apr/8", + "http://seclists.org/fulldisclosure/2025/Apr/9", + "http://www.openwall.com/lists/oss-security/2024/11/06/2", + "https://security.netapp.com/advisory/ntap-20241213-0006/" ], - "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", + "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for 
by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.3, + "impactScore": 4.3 + }, + "vendorMetadata": {} + }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} @@ -1070,25 +1037,25 @@ ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ] } ], "matchDetails": [ { - "type": "exact-direct-match", + "type": "exact-indirect-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { 
@@ -1096,21 +1063,21 @@ "version": "9.6" }, "package": { - "name": "openssl", - "version": "1:3.2.2-6.el9_5.1" + "name": "curl", + "version": "7.76.1-31.el9_6.1" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-41996", + "vulnerabilityID": "CVE-2024-9681", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "7dc75dc862d10c78", - "name": "openssl", - "version": "1:3.2.2-6.el9_5.1", + "id": "707ec843794b77ca", + "name": "curl-minimal", + "version": "7.76.1-31.el9_6.1", "type": "rpm", "locations": [ { 
@@ -1124,86 +1091,119 @@ ], "language": "", "licenses": [ - "ASL 2.0" + "MIT" ], "cpes": [ - "cpe:2.3:a:openssl:openssl:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:openssl:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*" + "cpe:2.3:a:curl-minimal:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:curl-minimal:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:curl_minimal:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:curl_minimal:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:curl:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:curl:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:rpm/redhat/curl-minimal@7.76.1-31.el9_6.1?arch=x86_64&distro=rhel-9.6&upstream=curl-7.76.1-31.el9_6.1.src.rpm", + "upstreams": [ + { + "name": "curl", + "version": "7.76.1-31.el9_6.1" + } ], - "purl": "pkg:rpm/redhat/openssl@3.2.2-6.el9_5.1?arch=x86_64&distro=rhel-9.6&epoch=1&upstream=openssl-3.2.2-6.el9_5.1.src.rpm", - "upstreams": [], "metadataType": "RpmMetadata", "metadata": { - "epoch": 1, + "epoch": null, "modularityLabel": "" } } }, { "vulnerability": { - "id": "CVE-2024-41996", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. 
This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", + "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, - "impactScore": 3.6 + "baseScore": 3.9, + "exploitabilityScore": 1.4, + "impactScore": 2.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ], "fix": { "versions": [], - "state": "wont-fix" + "state": "not-fixed" }, "advisories": [], - "risk": 0.30705000000000005 + "risk": 0.20009999999999997 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-41996", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", "namespace": "nvd:cpe", - "severity": "High", + "severity": "Medium", "urls": [ - "https://dheatattack.gitlab.io/details/", - "https://dheatattack.gitlab.io/faq/", - "https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" + "https://curl.se/docs/CVE-2024-9681.html", + "https://curl.se/docs/CVE-2024-9681.json", + "https://hackerone.com/reports/2764830", + "http://seclists.org/fulldisclosure/2025/Apr/10", + 
"http://seclists.org/fulldisclosure/2025/Apr/11", + "http://seclists.org/fulldisclosure/2025/Apr/12", + "http://seclists.org/fulldisclosure/2025/Apr/13", + "http://seclists.org/fulldisclosure/2025/Apr/4", + "http://seclists.org/fulldisclosure/2025/Apr/5", + "http://seclists.org/fulldisclosure/2025/Apr/8", + "http://seclists.org/fulldisclosure/2025/Apr/9", + "http://www.openwall.com/lists/oss-security/2024/11/06/2", + "https://security.netapp.com/advisory/ntap-20241213-0006/" ], - "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", + "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for 
by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.3, + "impactScore": 4.3 + }, + "vendorMetadata": {} + }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} @@ -1211,18 +1211,18 @@ ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ] } @@ -1237,21 +1237,21 @@ "version": "9.6" }, "package": { - "name": "openssl", - "version": "3.2.2-6.el9_5.1" + "name": "curl", + "version": "7.76.1-31.el9_6.1" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-41996", + "vulnerabilityID": "CVE-2024-9681", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "58e683943e8aac02", - "name": "openssl-libs", - "version": "1:3.2.2-6.el9_5.1", + "id": "220f5f360bc1aff5", + "name": "libcurl-minimal", + "version": "7.76.1-31.el9_6.1", "type": "rpm", "locations": [ { 
@@ -1265,28 +1265,28 @@ ], "language": "", "licenses": [ - "ASL 2.0" + "MIT" ], "cpes": [ - "cpe:2.3:a:openssl-libs:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl-libs:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl_libs:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl_libs:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*" + "cpe:2.3:a:libcurl-minimal:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl-minimal:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl_minimal:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl_minimal:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*" ], - "purl": "pkg:rpm/redhat/openssl-libs@3.2.2-6.el9_5.1?arch=x86_64&distro=rhel-9.6&epoch=1&upstream=openssl-3.2.2-6.el9_5.1.src.rpm", + "purl": "pkg:rpm/redhat/libcurl-minimal@7.76.1-31.el9_6.1?arch=x86_64&distro=rhel-9.6&upstream=curl-7.76.1-31.el9_6.1.src.rpm", "upstreams": [ { - "name": "openssl", - "version": "3.2.2-6.el9_5.1" + "name": "curl", + "version": "7.76.1-31.el9_6.1" } ], "metadataType": "RpmMetadata", "metadata": { - "epoch": 1, + "epoch": null, "modularityLabel": "" } } @@ -1316,8 +1316,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ], "fix": { 
@@ -1361,8 +1361,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ] } @@ -1456,8 +1456,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ], "fix": { @@ -1501,8 +1501,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ] } @@ -1596,8 +1596,8 @@ { "cve": "CVE-2025-14087", "epss": 0.00197, - "percentile": 0.41855, - "date": "2025-12-14" + "percentile": 0.41841, + "date": "2025-12-15" } ], "cwes": [ @@ -1644,8 +1644,8 @@ { "cve": "CVE-2025-14087", "epss": 0.00197, - "percentile": 0.41855, - "date": "2025-12-14" + "percentile": 0.41841, + "date": "2025-12-15" } ], "cwes": [ @@ -1736,8 +1736,8 @@ { "cve": "CVE-2023-32636", "epss": 0.00165, - "percentile": 0.38062, - "date": "2025-12-14" + "percentile": 0.38035, + "date": "2025-12-15" } ], "cwes": [ 
@@ -1768,11 +1768,184 @@ "namespace": "nvd:cpe", "severity": "High", "urls": [ - "https://gitlab.gnome.org/GNOME/glib/-/issues/2841", - "https://https://discourse.gnome.org/t/multiple-fixes-for-gvariant-normalisation-issues-in-glib/12835", - "https://security.netapp.com/advisory/ntap-20231110-0002/" + "https://gitlab.gnome.org/GNOME/glib/-/issues/2841", + "https://https://discourse.gnome.org/t/multiple-fixes-for-gvariant-normalisation-issues-in-glib/12835", + "https://security.netapp.com/advisory/ntap-20231110-0002/" + ], + "description": "A flaw was found in glib, where the gvariant deserialization code is vulnerable to a denial of service introduced by additional input validation added to resolve CVE-2023-29499. The offset table validation may be very slow. This bug does not affect any released version of glib but does affect glib distributors who followed the guidance of glib developers to backport the initial fix for CVE-2023-29499.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + }, + { + "source": "secalert@redhat.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 4.7, + "exploitabilityScore": 1.1, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ], + "epss": [ + { + "cve": "CVE-2023-32636", + "epss": 0.00165, + "percentile": 0.38035, + "date": "2025-12-15" + } + ], + "cwes": [ + { + "cve": "CVE-2023-32636", + "cwe": "CWE-400", + "source": "secalert@redhat.com", + "type": "Secondary" + }, + { + "cve": "CVE-2023-32636", + "cwe": "CWE-502", + "source": "nvd@nist.gov", + "type": "Primary" + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "rpm-matcher", + "searchedBy": { + "distro": { + "type": "redhat", + "version": "9.6" + 
}, + "package": { + "name": "glib2", + "version": "0:2.68.4-16.el9_6.2" + }, + "namespace": "redhat:distro:redhat:9" + }, + "found": { + "vulnerabilityID": "CVE-2023-32636", + "versionConstraint": "none (unknown)" + } + } + ], + "artifact": { + "id": "35f4edf399bccea5", + "name": "glib2", + "version": "2.68.4-16.el9_6.2", + "type": "rpm", + "locations": [ + { + "path": "/var/lib/rpm/rpmdb.sqlite", + "layerID": "sha256:780001ea1a42e8b21b6f25c2a7ec8f0383247d69089019c716e7a7c0993ba62c", + "accessPath": "/var/lib/rpm/rpmdb.sqlite", + "annotations": { + "evidence": "primary" + } + } + ], + "language": "", + "licenses": [ + "LGPLv2+" + ], + "cpes": [ + "cpe:2.3:a:redhat:glib2:2.68.4-16.el9_6.2:*:*:*:*:*:*:*", + "cpe:2.3:a:glib2:glib2:2.68.4-16.el9_6.2:*:*:*:*:*:*:*" + ], + "purl": "pkg:rpm/redhat/glib2@2.68.4-16.el9_6.2?arch=x86_64&distro=rhel-9.6&upstream=glib2-2.68.4-16.el9_6.2.src.rpm", + "upstreams": [], + "metadataType": "RpmMetadata", + "metadata": { + "epoch": null, + "modularityLabel": "" + } + } + }, + { + "vulnerability": { + "id": "CVE-2025-27113", + "dataSource": "https://access.redhat.com/security/cve/CVE-2025-27113", + "namespace": "redhat:distro:redhat:9", + "severity": "Low", + "urls": [], + "description": "A flaw was found in libxml2. 
This vulnerability allows a NULL pointer dereference, leading to a potential crash or denial of service via a crafted XML pattern.", + "cvss": [ + { + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L", + "metrics": { + "baseScore": 3.1, + "exploitabilityScore": 1.7, + "impactScore": 1.5 + }, + "vendorMetadata": {} + } + ], + "epss": [ + { + "cve": "CVE-2025-27113", + "epss": 0.00217, + "percentile": 0.44238, + "date": "2025-12-15" + } + ], + "cwes": [ + { + "cve": "CVE-2025-27113", + "cwe": "CWE-476", + "source": "cve@mitre.org", + "type": "Secondary" + }, + { + "cve": "CVE-2025-27113", + "cwe": "CWE-476", + "source": "nvd@nist.gov", + "type": "Primary" + } + ], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [], + "risk": 0.066185 + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2025-27113", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-27113", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://gitlab.gnome.org/GNOME/libxml2/-/issues/861", + "http://seclists.org/fulldisclosure/2025/Apr/10", + "http://seclists.org/fulldisclosure/2025/Apr/11", + "http://seclists.org/fulldisclosure/2025/Apr/12", + "http://seclists.org/fulldisclosure/2025/Apr/13", + "http://seclists.org/fulldisclosure/2025/Apr/4", + "http://seclists.org/fulldisclosure/2025/Apr/5", + "http://seclists.org/fulldisclosure/2025/Apr/8", + "http://seclists.org/fulldisclosure/2025/Apr/9", + "https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html", + "https://security.netapp.com/advisory/ntap-20250306-0004/" ], - "description": "A flaw was found in glib, where the gvariant deserialization code is vulnerable to a denial of service introduced by additional input validation added to resolve CVE-2023-29499. The offset table validation may be very slow. 
This bug does not affect any released version of glib but does affect glib distributors who followed the guidance of glib developers to backport the initial fix for CVE-2023-29499.", + "description": "libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer dereference in xmlPatMatch in pattern.c.", "cvss": [ { "source": "nvd@nist.gov", @@ -1787,36 +1960,36 @@ "vendorMetadata": {} }, { - "source": "secalert@redhat.com", + "source": "cve@mitre.org", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "metrics": { - "baseScore": 4.7, - "exploitabilityScore": 1.1, - "impactScore": 3.6 + "baseScore": 2.9, + "exploitabilityScore": 1.5, + "impactScore": 1.5 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2023-32636", - "epss": 0.00165, - "percentile": 0.38062, - "date": "2025-12-14" + "cve": "CVE-2025-27113", + "epss": 0.00217, + "percentile": 0.44238, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2023-32636", - "cwe": "CWE-400", - "source": "secalert@redhat.com", + "cve": "CVE-2025-27113", + "cwe": "CWE-476", + "source": "cve@mitre.org", "type": "Secondary" }, { - "cve": "CVE-2023-32636", - "cwe": "CWE-502", + "cve": "CVE-2025-27113", + "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" } @@ -1833,21 +2006,21 @@ "version": "9.6" }, "package": { - "name": "glib2", - "version": "0:2.68.4-16.el9_6.2" + "name": "libxml2", + "version": "0:2.9.13-12.el9_6" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2023-32636", + "vulnerabilityID": "CVE-2025-27113", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "35f4edf399bccea5", - "name": "glib2", - "version": "2.68.4-16.el9_6.2", + "id": "66b25e26e34fcd34", + "name": "libxml2", + "version": "2.9.13-12.el9_6", "type": "rpm", "locations": [ { 
@@ -1861,13 +2034,13 @@ ], "language": "", "licenses": [ - "LGPLv2+" + "MIT" ], "cpes": [ - "cpe:2.3:a:redhat:glib2:2.68.4-16.el9_6.2:*:*:*:*:*:*:*", - "cpe:2.3:a:glib2:glib2:2.68.4-16.el9_6.2:*:*:*:*:*:*:*" + "cpe:2.3:a:libxml2:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*" ], - "purl": "pkg:rpm/redhat/glib2@2.68.4-16.el9_6.2?arch=x86_64&distro=rhel-9.6&upstream=glib2-2.68.4-16.el9_6.2.src.rpm", + "purl": "pkg:rpm/redhat/libxml2@2.9.13-12.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libxml2-2.9.13-12.el9_6.src.rpm", "upstreams": [], "metadataType": "RpmMetadata", "metadata": { @@ -1901,8 +2074,8 @@ { "cve": "CVE-2025-32990", "epss": 0.0011, - "percentile": 0.30071, - "date": "2025-12-14" + "percentile": 0.3004, + "date": "2025-12-15" } ], "cwes": [ @@ -1985,8 +2158,8 @@ { "cve": "CVE-2025-32990", "epss": 0.0011, - "percentile": 0.30071, - "date": "2025-12-14" + "percentile": 0.3004, + "date": "2025-12-15" } ], "cwes": [ 
@@ -2040,213 +2213,13 @@ ], "language": "", "licenses": [ - "GPLv3+ and LGPLv2+" - ], - "cpes": [ - "cpe:2.3:a:gnutls:gnutls:3.8.3-6.el9:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:gnutls:3.8.3-6.el9:*:*:*:*:*:*:*" - ], - "purl": "pkg:rpm/redhat/gnutls@3.8.3-6.el9?arch=x86_64&distro=rhel-9.6&upstream=gnutls-3.8.3-6.el9.src.rpm", - "upstreams": [], - "metadataType": "RpmMetadata", - "metadata": { - "epoch": null, - "modularityLabel": "" - } - } - }, - { - "vulnerability": { - "id": "CVE-2025-1632", - "dataSource": "https://access.redhat.com/security/cve/CVE-2025-1632", - "namespace": "redhat:distro:redhat:9", - "severity": "Low", - "urls": [], - "description": "A flaw was found in the bsdunzip utility of libarchive. In affected versions, a specially crafted file may trigger a null pointer dereference. This issue can lead to an application crash or other unexpected behavior.", - "cvss": [ - { - "type": "Secondary", - "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", - "metrics": { - "baseScore": 3.3, - "exploitabilityScore": 1.9, - "impactScore": 1.5 - }, - "vendorMetadata": {} - } - ], - "epss": [ - { - "cve": "CVE-2025-1632", - "epss": 0.00188, - "percentile": 0.40872, - "date": "2025-12-14" - } - ], - "cwes": [ - { - "cve": "CVE-2025-1632", - "cwe": "CWE-404", - "source": "cna@vuldb.com", - "type": "Secondary" - }, - { - "cve": "CVE-2025-1632", - "cwe": "CWE-476", - "source": "cna@vuldb.com", - "type": "Secondary" - }, - { - "cve": "CVE-2025-1632", - "cwe": "CWE-476", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "fix": { - "versions": [], - "state": "not-fixed" - }, - "advisories": [], - "risk": 0.05921999999999999 - }, - "relatedVulnerabilities": [ - { - "id": "CVE-2025-1632", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-1632", - "namespace": "nvd:cpe", - "severity": "Medium", - "urls": [ - "https://github.com/Ekkosun/pocs/blob/main/bsdunzip-poc", - "https://vuldb.com/?ctiid.296619", - 
"https://vuldb.com/?id.296619", - "https://vuldb.com/?submit.496460" - ], - "description": "A vulnerability was found in libarchive up to 3.7.7. It has been classified as problematic. This affects the function list of the file bsdunzip.c. The manipulation leads to null pointer dereference. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.", - "cvss": [ - { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "metrics": { - "baseScore": 5.5, - "exploitabilityScore": 1.9, - "impactScore": 3.6 - }, - "vendorMetadata": {} - }, - { - "source": "cna@vuldb.com", - "type": "Secondary", - "version": "4.0", - "vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", - "metrics": { - "baseScore": 4.8 - }, - "vendorMetadata": {} - }, - { - "source": "cna@vuldb.com", - "type": "Secondary", - "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", - "metrics": { - "baseScore": 3.3, - "exploitabilityScore": 1.9, - "impactScore": 1.5 - }, - "vendorMetadata": {} - }, - { - "source": "cna@vuldb.com", - "type": "Secondary", - "version": "2.0", - "vector": "AV:L/AC:L/Au:S/C:N/I:N/A:P", - "metrics": { - "baseScore": 1.7, - "exploitabilityScore": 3.2, - "impactScore": 2.9 - }, - "vendorMetadata": {} - } - ], - "epss": [ - { - "cve": "CVE-2025-1632", - "epss": 0.00188, - "percentile": 0.40872, - "date": "2025-12-14" - } - ], - "cwes": [ - { - "cve": "CVE-2025-1632", - "cwe": "CWE-404", - "source": "cna@vuldb.com", - "type": "Secondary" - }, - { - "cve": "CVE-2025-1632", - "cwe": "CWE-476", - "source": "cna@vuldb.com", - "type": "Secondary" - }, - { - "cve": "CVE-2025-1632", - "cwe": "CWE-476", - "source": 
"nvd@nist.gov", - "type": "Primary" - } - ] - } - ], - "matchDetails": [ - { - "type": "exact-direct-match", - "matcher": "rpm-matcher", - "searchedBy": { - "distro": { - "type": "redhat", - "version": "9.6" - }, - "package": { - "name": "libarchive", - "version": "0:3.5.3-5.el9_6" - }, - "namespace": "redhat:distro:redhat:9" - }, - "found": { - "vulnerabilityID": "CVE-2025-1632", - "versionConstraint": "none (unknown)" - } - } - ], - "artifact": { - "id": "026da1974d66f84e", - "name": "libarchive", - "version": "3.5.3-5.el9_6", - "type": "rpm", - "locations": [ - { - "path": "/var/lib/rpm/rpmdb.sqlite", - "layerID": "sha256:780001ea1a42e8b21b6f25c2a7ec8f0383247d69089019c716e7a7c0993ba62c", - "accessPath": "/var/lib/rpm/rpmdb.sqlite", - "annotations": { - "evidence": "primary" - } - } - ], - "language": "", - "licenses": [ - "BSD" + "GPLv3+ and LGPLv2+" ], "cpes": [ - "cpe:2.3:a:libarchive:libarchive:3.5.3-5.el9_6:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libarchive:3.5.3-5.el9_6:*:*:*:*:*:*:*" + "cpe:2.3:a:gnutls:gnutls:3.8.3-6.el9:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:gnutls:3.8.3-6.el9:*:*:*:*:*:*:*" ], - "purl": "pkg:rpm/redhat/libarchive@3.5.3-5.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libarchive-3.5.3-5.el9_6.src.rpm", + "purl": "pkg:rpm/redhat/gnutls@3.8.3-6.el9?arch=x86_64&distro=rhel-9.6&upstream=gnutls-3.8.3-6.el9.src.rpm", "upstreams": [], "metadataType": "RpmMetadata", "metadata": { 
@@ -2257,20 +2230,20 @@ }, { "vulnerability": { - "id": "CVE-2025-27113", - "dataSource": "https://access.redhat.com/security/cve/CVE-2025-27113", + "id": "CVE-2025-1632", + "dataSource": "https://access.redhat.com/security/cve/CVE-2025-1632", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A flaw was found in libxml2. This vulnerability allows a NULL pointer dereference, leading to a potential crash or denial of service via a crafted XML pattern.", + "description": "A flaw was found in the bsdunzip utility of libarchive. In affected versions, a specially crafted file may trigger a null pointer dereference. This issue can lead to an application crash or other unexpected behavior.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "metrics": { - "baseScore": 3.1, - "exploitabilityScore": 1.7, + "baseScore": 3.3, + "exploitabilityScore": 1.9, "impactScore": 1.5 }, "vendorMetadata": {} @@ -2278,21 +2251,27 @@ ], "epss": [ { - "cve": "CVE-2025-27113", - "epss": 0.00184, - "percentile": 0.40434, - "date": "2025-12-14" + "cve": "CVE-2025-1632", + "epss": 0.00188, + "percentile": 0.40856, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-27113", + "cve": "CVE-2025-1632", + "cwe": "CWE-404", + "source": "cna@vuldb.com", + "type": "Secondary" + }, + { + "cve": "CVE-2025-1632", "cwe": "CWE-476", - "source": "cve@mitre.org", + "source": "cna@vuldb.com", "type": "Secondary" }, { - "cve": "CVE-2025-27113", + "cve": "CVE-2025-1632", "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" 
@@ -2303,71 +2282,92 @@ "state": "not-fixed" }, "advisories": [], - "risk": 0.056119999999999996 + "risk": 0.05921999999999999 }, "relatedVulnerabilities": [ { - "id": "CVE-2025-27113", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-27113", + "id": "CVE-2025-1632", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-1632", "namespace": "nvd:cpe", - "severity": "High", + "severity": "Medium", "urls": [ - "https://gitlab.gnome.org/GNOME/libxml2/-/issues/861", - "http://seclists.org/fulldisclosure/2025/Apr/10", - "http://seclists.org/fulldisclosure/2025/Apr/11", - "http://seclists.org/fulldisclosure/2025/Apr/12", - "http://seclists.org/fulldisclosure/2025/Apr/13", - "http://seclists.org/fulldisclosure/2025/Apr/4", - "http://seclists.org/fulldisclosure/2025/Apr/5", - "http://seclists.org/fulldisclosure/2025/Apr/8", - "http://seclists.org/fulldisclosure/2025/Apr/9", - "https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html", - "https://security.netapp.com/advisory/ntap-20250306-0004/" + "https://github.com/Ekkosun/pocs/blob/main/bsdunzip-poc", + "https://vuldb.com/?ctiid.296619", + "https://vuldb.com/?id.296619", + "https://vuldb.com/?submit.496460" ], - "description": "libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer dereference in xmlPatMatch in pattern.c.", + "description": "A vulnerability was found in libarchive up to 3.7.7. It has been classified as problematic. This affects the function list of the file bsdunzip.c. The manipulation leads to null pointer dereference. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. 
The vendor was contacted early about this disclosure but did not respond in any way.", "cvss": [ { "source": "nvd@nist.gov", "type": "Primary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, + "baseScore": 5.5, + "exploitabilityScore": 1.9, "impactScore": 3.6 }, "vendorMetadata": {} }, { - "source": "cve@mitre.org", + "source": "cna@vuldb.com", + "type": "Secondary", + "version": "4.0", + "vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", + "metrics": { + "baseScore": 4.8 + }, + "vendorMetadata": {} + }, + { + "source": "cna@vuldb.com", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "metrics": { - "baseScore": 2.9, - "exploitabilityScore": 1.5, + "baseScore": 3.3, + "exploitabilityScore": 1.9, "impactScore": 1.5 }, "vendorMetadata": {} + }, + { + "source": "cna@vuldb.com", + "type": "Secondary", + "version": "2.0", + "vector": "AV:L/AC:L/Au:S/C:N/I:N/A:P", + "metrics": { + "baseScore": 1.7, + "exploitabilityScore": 3.2, + "impactScore": 2.9 + }, + "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2025-27113", - "epss": 0.00184, - "percentile": 0.40434, - "date": "2025-12-14" + "cve": "CVE-2025-1632", + "epss": 0.00188, + "percentile": 0.40856, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-27113", + "cve": "CVE-2025-1632", + "cwe": "CWE-404", + "source": "cna@vuldb.com", + "type": "Secondary" + }, + { + "cve": "CVE-2025-1632", "cwe": "CWE-476", - "source": "cve@mitre.org", + "source": "cna@vuldb.com", "type": "Secondary" }, { - "cve": "CVE-2025-27113", + "cve": "CVE-2025-1632", "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" 
@@ -2385,21 +2385,21 @@ "version": "9.6" }, "package": { - "name": "libxml2", - "version": "0:2.9.13-12.el9_6" + "name": "libarchive", + "version": "0:3.5.3-5.el9_6" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2025-27113", + "vulnerabilityID": "CVE-2025-1632", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "66b25e26e34fcd34", - "name": "libxml2", - "version": "2.9.13-12.el9_6", + "id": "026da1974d66f84e", + "name": "libarchive", + "version": "3.5.3-5.el9_6", "type": "rpm", "locations": [ { @@ -2413,13 +2413,13 @@ ], "language": "", "licenses": [ - "MIT" + "BSD" ], "cpes": [ - "cpe:2.3:a:libxml2:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*" + "cpe:2.3:a:libarchive:libarchive:3.5.3-5.el9_6:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libarchive:3.5.3-5.el9_6:*:*:*:*:*:*:*" ], - "purl": "pkg:rpm/redhat/libxml2@2.9.13-12.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libxml2-2.9.13-12.el9_6.src.rpm", + "purl": "pkg:rpm/redhat/libarchive@3.5.3-5.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libarchive-3.5.3-5.el9_6.src.rpm", "upstreams": [], "metadataType": "RpmMetadata", "metadata": { @@ -2453,8 +2453,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ], "fix": { @@ -2495,8 +2495,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ] } @@ -2590,8 +2590,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ], "fix": { @@ -2632,8 +2632,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ] } 
@@ -2727,8 +2727,8 @@ { "cve": "CVE-2025-32988", "epss": 0.00083, - "percentile": 0.24589, - "date": "2025-12-14" + "percentile": 0.24562, + "date": "2025-12-15" } ], "cwes": [ @@ -2811,8 +2811,8 @@ { "cve": "CVE-2025-32988", "epss": 0.00083, - "percentile": 0.24589, - "date": "2025-12-14" + "percentile": 0.24562, + "date": "2025-12-15" } ], "cwes": [ @@ -2906,8 +2906,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -2965,8 +2965,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -3057,8 +3057,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -3116,8 +3116,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -3219,8 +3219,8 @@ { "cve": "CVE-2025-5914", "epss": 0.00054, - "percentile": 0.17051, - "date": "2025-12-14" + "percentile": 0.17023, + "date": "2025-12-15" } ], "cwes": [ 
@@ -3289,46 +3289,190 @@ "https://github.com/libarchive/libarchive/pull/2598", "https://github.com/libarchive/libarchive/releases/tag/v3.8.0" ], - "description": "A vulnerability has been identified in the libarchive library, specifically within the archive_read_format_rar_seek_data() function. This flaw involves an integer overflow that can ultimately lead to a double-free condition. Exploiting a double-free vulnerability can result in memory corruption, enabling an attacker to execute arbitrary code or cause a denial-of-service condition.", + "description": "A vulnerability has been identified in the libarchive library, specifically within the archive_read_format_rar_seek_data() function. This flaw involves an integer overflow that can ultimately lead to a double-free condition. Exploiting a double-free vulnerability can result in memory corruption, enabling an attacker to execute arbitrary code or cause a denial-of-service condition.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 9.8, + "exploitabilityScore": 3.9, + "impactScore": 5.9 + }, + "vendorMetadata": {} + }, + { + "source": "secalert@redhat.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.3, + "exploitabilityScore": 1.4, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ], + "epss": [ + { + "cve": "CVE-2025-5914", + "epss": 0.00054, + "percentile": 0.17023, + "date": "2025-12-15" + } + ], + "cwes": [ + { + "cve": "CVE-2025-5914", + "cwe": "CWE-415", + "source": "secalert@redhat.com", + "type": "Secondary" + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "rpm-matcher", + "searchedBy": { + "distro": { + "type": "redhat", + "version": "9.6" + }, + "package": { + "name": "libarchive", + "version": "0:3.5.3-5.el9_6" + }, + "namespace": 
"redhat:distro:redhat:9" + }, + "found": { + "vulnerabilityID": "CVE-2025-5914", + "versionConstraint": "< 0:3.5.3-6.el9_6 (rpm)" + }, + "fix": { + "suggestedVersion": "0:3.5.3-6.el9_6" + } + } + ], + "artifact": { + "id": "026da1974d66f84e", + "name": "libarchive", + "version": "3.5.3-5.el9_6", + "type": "rpm", + "locations": [ + { + "path": "/var/lib/rpm/rpmdb.sqlite", + "layerID": "sha256:780001ea1a42e8b21b6f25c2a7ec8f0383247d69089019c716e7a7c0993ba62c", + "accessPath": "/var/lib/rpm/rpmdb.sqlite", + "annotations": { + "evidence": "primary" + } + } + ], + "language": "", + "licenses": [ + "BSD" + ], + "cpes": [ + "cpe:2.3:a:libarchive:libarchive:3.5.3-5.el9_6:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libarchive:3.5.3-5.el9_6:*:*:*:*:*:*:*" + ], + "purl": "pkg:rpm/redhat/libarchive@3.5.3-5.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libarchive-3.5.3-5.el9_6.src.rpm", + "upstreams": [], + "metadataType": "RpmMetadata", + "metadata": { + "epoch": null, + "modularityLabel": "" + } + } + }, + { + "vulnerability": { + "id": "CVE-2025-4207", + "dataSource": "https://access.redhat.com/security/cve/CVE-2025-4207", + "namespace": "redhat:distro:redhat:9", + "severity": "Medium", + "urls": [], + "description": "A flaw was found in PostgreSQL. 
A buffer over-read in PostgreSQL GB18030 encoding validation allows a database input provider to achieve temporary denial of service on platforms where a 1-byte over-read can lead to process termination.", + "cvss": [ + { + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.9, + "exploitabilityScore": 2.3, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ], + "epss": [ + { + "cve": "CVE-2025-4207", + "epss": 0.00067, + "percentile": 0.20798, + "date": "2025-12-15" + } + ], + "cwes": [ + { + "cve": "CVE-2025-4207", + "cwe": "CWE-126", + "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", + "type": "Secondary" + } + ], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [], + "risk": 0.036515 + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2025-4207", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-4207", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://www.postgresql.org/support/security/CVE-2025-4207/", + "http://www.openwall.com/lists/oss-security/2025/05/09/3", + "https://lists.debian.org/debian-lts-announce/2025/05/msg00011.html" + ], + "description": "Buffer over-read in PostgreSQL GB18030 encoding validation allows a database input provider to achieve temporary denial of service on platforms where a 1-byte over-read can elicit process termination. This affects the database server and also libpq. 
Versions before PostgreSQL 17.5, 16.9, 15.13, 14.18, and 13.21 are affected.", "cvss": [ { - "source": "nvd@nist.gov", - "type": "Secondary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "metrics": { - "baseScore": 9.8, - "exploitabilityScore": 3.9, - "impactScore": 5.9 - }, - "vendorMetadata": {} - }, - { - "source": "secalert@redhat.com", + "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 7.3, - "exploitabilityScore": 1.4, - "impactScore": 5.9 + "baseScore": 5.9, + "exploitabilityScore": 2.3, + "impactScore": 3.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2025-5914", - "epss": 0.00054, - "percentile": 0.17051, - "date": "2025-12-14" + "cve": "CVE-2025-4207", + "epss": 0.00067, + "percentile": 0.20798, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-5914", - "cwe": "CWE-415", - "source": "secalert@redhat.com", + "cve": "CVE-2025-4207", + "cwe": "CWE-126", + "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "type": "Secondary" } ] @@ -3344,24 +3488,21 @@ "version": "9.6" }, "package": { - "name": "libarchive", - "version": "0:3.5.3-5.el9_6" + "name": "libpq", + "version": "0:13.20-1.el9_5" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2025-5914", - "versionConstraint": "< 0:3.5.3-6.el9_6 (rpm)" - }, - "fix": { - "suggestedVersion": "0:3.5.3-6.el9_6" + "vulnerabilityID": "CVE-2025-4207", + "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "026da1974d66f84e", - "name": "libarchive", - "version": "3.5.3-5.el9_6", + "id": "9e9440b1f6d978f7", + "name": "libpq", + "version": "13.20-1.el9_5", "type": "rpm", "locations": [ { 
@@ -3375,13 +3516,13 @@ ], "language": "", "licenses": [ - "BSD" + "PostgreSQL" ], "cpes": [ - "cpe:2.3:a:libarchive:libarchive:3.5.3-5.el9_6:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libarchive:3.5.3-5.el9_6:*:*:*:*:*:*:*" + "cpe:2.3:a:redhat:libpq:13.20-1.el9_5:*:*:*:*:*:*:*", + "cpe:2.3:a:libpq:libpq:13.20-1.el9_5:*:*:*:*:*:*:*" ], - "purl": "pkg:rpm/redhat/libarchive@3.5.3-5.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libarchive-3.5.3-5.el9_6.src.rpm", + "purl": "pkg:rpm/redhat/libpq@13.20-1.el9_5?arch=x86_64&distro=rhel-9.6&upstream=libpq-13.20-1.el9_5.src.rpm", "upstreams": [], "metadataType": "RpmMetadata", "metadata": { @@ -3392,20 +3533,20 @@ }, { "vulnerability": { - "id": "CVE-2025-4207", - "dataSource": "https://access.redhat.com/security/cve/CVE-2025-4207", + "id": "CVE-2025-12818", + "dataSource": "https://access.redhat.com/security/cve/CVE-2025-12818", "namespace": "redhat:distro:redhat:9", "severity": "Medium", "urls": [], - "description": "A flaw was found in PostgreSQL. A buffer over-read in PostgreSQL GB18030 encoding validation allows a database input provider to achieve temporary denial of service on platforms where a 1-byte over-read can lead to process termination.", + "description": "A vulnerability has been identified in PostgreSQL’s libpq client library, where integer wraparound in several allocation-size calculations allows a peer or input provider to cause an undersized buffer and then write out-of-bounds by hundreds of megabytes. This can lead to a client application segmentation fault or crash when using libpq to connect to a PostgreSQL server.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, + "baseScore": 7.5, + "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} 
@@ -3413,16 +3554,16 @@ ], "epss": [ { - "cve": "CVE-2025-4207", - "epss": 0.00067, - "percentile": 0.2082, - "date": "2025-12-14" + "cve": "CVE-2025-12818", + "epss": 0.00057, + "percentile": 0.1792, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-4207", - "cwe": "CWE-126", + "cve": "CVE-2025-12818", + "cwe": "CWE-190", "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "type": "Secondary" } @@ -3432,20 +3573,18 @@ "state": "not-fixed" }, "advisories": [], - "risk": 0.036515 + "risk": 0.035625000000000004 }, "relatedVulnerabilities": [ { - "id": "CVE-2025-4207", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-4207", + "id": "CVE-2025-12818", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-12818", "namespace": "nvd:cpe", "severity": "Medium", "urls": [ - "https://www.postgresql.org/support/security/CVE-2025-4207/", - "http://www.openwall.com/lists/oss-security/2025/05/09/3", - "https://lists.debian.org/debian-lts-announce/2025/05/msg00011.html" + "https://www.postgresql.org/support/security/CVE-2025-12818/" ], - "description": "Buffer over-read in PostgreSQL GB18030 encoding validation allows a database input provider to achieve temporary denial of service on platforms where a 1-byte over-read can elicit process termination. This affects the database server and also libpq. Versions before PostgreSQL 17.5, 16.9, 15.13, 14.18, and 13.21 are affected.", + "description": "Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application using libpq. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.", "cvss": [ { "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", 
@@ -3462,16 +3601,16 @@ ], "epss": [ { - "cve": "CVE-2025-4207", - "epss": 0.00067, - "percentile": 0.2082, - "date": "2025-12-14" + "cve": "CVE-2025-12818", + "epss": 0.00057, + "percentile": 0.1792, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-4207", - "cwe": "CWE-126", + "cve": "CVE-2025-12818", + "cwe": "CWE-190", "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "type": "Secondary" } @@ -3494,7 +3633,7 @@ "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2025-4207", + "vulnerabilityID": "CVE-2025-12818", "versionConstraint": "none (unknown)" } } @@ -3556,8 +3695,8 @@ { "cve": "CVE-2025-6395", "epss": 0.00059, - "percentile": 0.18686, - "date": "2025-12-14" + "percentile": 0.18672, + "date": "2025-12-15" } ], "cwes": [ @@ -3628,8 +3767,8 @@ { "cve": "CVE-2025-6395", "epss": 0.00059, - "percentile": 0.18686, - "date": "2025-12-14" + "percentile": 0.18672, + "date": "2025-12-15" } ], "cwes": [ @@ -3723,8 +3862,8 @@ { "cve": "CVE-2023-45322", "epss": 0.00076, - "percentile": 0.23163, - "date": "2025-12-14" + "percentile": 0.2314, + "date": "2025-12-15" } ], "cwes": [ @@ -3773,8 +3912,8 @@ { "cve": "CVE-2023-45322", "epss": 0.00076, - "percentile": 0.23163, - "date": "2025-12-14" + "percentile": 0.2314, + "date": "2025-12-15" } ], "cwes": [ 
@@ -3840,145 +3979,6 @@ } } }, - { - "vulnerability": { - "id": "CVE-2025-12818", - "dataSource": "https://access.redhat.com/security/cve/CVE-2025-12818", - "namespace": "redhat:distro:redhat:9", - "severity": "Medium", - "urls": [], - "description": "A vulnerability has been identified in PostgreSQL’s libpq client library, where integer wraparound in several allocation-size calculations allows a peer or input provider to cause an undersized buffer and then write out-of-bounds by hundreds of megabytes. This can lead to a client application segmentation fault or crash when using libpq to connect to a PostgreSQL server.", - "cvss": [ - { - "type": "Secondary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, - "impactScore": 3.6 - }, - "vendorMetadata": {} - } - ], - "epss": [ - { - "cve": "CVE-2025-12818", - "epss": 0.00052, - "percentile": 0.16429, - "date": "2025-12-14" - } - ], - "cwes": [ - { - "cve": "CVE-2025-12818", - "cwe": "CWE-190", - "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", - "type": "Secondary" - } - ], - "fix": { - "versions": [], - "state": "not-fixed" - }, - "advisories": [], - "risk": 0.0325 - }, - "relatedVulnerabilities": [ - { - "id": "CVE-2025-12818", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-12818", - "namespace": "nvd:cpe", - "severity": "Medium", - "urls": [ - "https://www.postgresql.org/support/security/CVE-2025-12818/" - ], - "description": "Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application using libpq. 
Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.", - "cvss": [ - { - "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", - "type": "Secondary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", - "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, - "impactScore": 3.6 - }, - "vendorMetadata": {} - } - ], - "epss": [ - { - "cve": "CVE-2025-12818", - "epss": 0.00052, - "percentile": 0.16429, - "date": "2025-12-14" - } - ], - "cwes": [ - { - "cve": "CVE-2025-12818", - "cwe": "CWE-190", - "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", - "type": "Secondary" - } - ] - } - ], - "matchDetails": [ - { - "type": "exact-direct-match", - "matcher": "rpm-matcher", - "searchedBy": { - "distro": { - "type": "redhat", - "version": "9.6" - }, - "package": { - "name": "libpq", - "version": "0:13.20-1.el9_5" - }, - "namespace": "redhat:distro:redhat:9" - }, - "found": { - "vulnerabilityID": "CVE-2025-12818", - "versionConstraint": "none (unknown)" - } - } - ], - "artifact": { - "id": "9e9440b1f6d978f7", - "name": "libpq", - "version": "13.20-1.el9_5", - "type": "rpm", - "locations": [ - { - "path": "/var/lib/rpm/rpmdb.sqlite", - "layerID": "sha256:780001ea1a42e8b21b6f25c2a7ec8f0383247d69089019c716e7a7c0993ba62c", - "accessPath": "/var/lib/rpm/rpmdb.sqlite", - "annotations": { - "evidence": "primary" - } - } - ], - "language": "", - "licenses": [ - "PostgreSQL" - ], - "cpes": [ - "cpe:2.3:a:redhat:libpq:13.20-1.el9_5:*:*:*:*:*:*:*", - "cpe:2.3:a:libpq:libpq:13.20-1.el9_5:*:*:*:*:*:*:*" - ], - "purl": "pkg:rpm/redhat/libpq@13.20-1.el9_5?arch=x86_64&distro=rhel-9.6&upstream=libpq-13.20-1.el9_5.src.rpm", - "upstreams": [], - "metadataType": "RpmMetadata", - "metadata": { - "epoch": null, - "modularityLabel": "" - } - } - }, { "vulnerability": { "id": "CVE-2025-32989", 
@@ -4004,8 +4004,8 @@ { "cve": "CVE-2025-32989", "epss": 0.00055, - "percentile": 0.17349, - "date": "2025-12-14" + "percentile": 0.17321, + "date": "2025-12-15" } ], "cwes": [ @@ -4074,8 +4074,8 @@ { "cve": "CVE-2025-32989", "epss": 0.00055, - "percentile": 0.17349, - "date": "2025-12-14" + "percentile": 0.17321, + "date": "2025-12-15" } ], "cwes": [ @@ -4169,8 +4169,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -4217,8 +4217,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -4309,8 +4309,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -4357,8 +4357,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -4460,8 +4460,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ], "fix": { @@ -4503,8 +4503,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ] } @@ -4598,8 +4598,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ], "fix": { @@ -4641,8 +4641,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ] } @@ -4736,8 +4736,8 @@ { "cve": "CVE-2025-3360", "epss": 0.00068, - "percentile": 0.2117, - "date": "2025-12-14" + "percentile": 0.21148, + "date": "2025-12-15" } ], "cwes": [ 
@@ -4785,8 +4785,8 @@ { "cve": "CVE-2025-3360", "epss": 0.00068, - "percentile": 0.2117, - "date": "2025-12-14" + "percentile": 0.21148, + "date": "2025-12-15" } ], "cwes": [ @@ -4877,8 +4877,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -4938,8 +4938,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -5035,8 +5035,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -5096,8 +5096,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -5193,8 +5193,8 @@ { "cve": "CVE-2025-4598", "epss": 0.00042, - "percentile": 0.12535, - "date": "2025-12-14" + "percentile": 0.12486, + "date": "2025-12-15" } ], "cwes": [ @@ -5266,8 +5266,8 @@ { "cve": "CVE-2025-4598", "epss": 0.00042, - "percentile": 0.12535, - "date": "2025-12-14" + "percentile": 0.12486, + "date": "2025-12-15" } ], "cwes": [ @@ -5372,8 +5372,8 @@ { "cve": "CVE-2025-14512", "epss": 0.00034, - "percentile": 0.09609, - "date": "2025-12-14" + "percentile": 0.09535, + "date": "2025-12-15" } ], "cwes": [ @@ -5420,8 +5420,8 @@ { "cve": "CVE-2025-14512", "epss": 0.00034, - "percentile": 0.09609, - "date": "2025-12-14" + "percentile": 0.09535, + "date": "2025-12-15" } ], "cwes": [ @@ -5515,8 +5515,8 @@ { "cve": "CVE-2025-29478", "epss": 0.00034, - "percentile": 0.09478, - "date": "2025-12-14" + "percentile": 0.09393, + "date": "2025-12-15" } ], "cwes": [ @@ -5607,8 +5607,8 @@ { "cve": "CVE-2025-6965", "epss": 0.00022, - "percentile": 0.05249, - "date": "2025-12-14" + "percentile": 0.05222, + "date": "2025-12-15" } ], "cwes": [ 
@@ -5684,8 +5684,8 @@ { "cve": "CVE-2025-6965", "epss": 0.00022, - "percentile": 0.05249, - "date": "2025-12-14" + "percentile": 0.05222, + "date": "2025-12-15" } ], "cwes": [ @@ -5790,8 +5790,8 @@ { "cve": "CVE-2023-4156", "epss": 0.00031, - "percentile": 0.08475, - "date": "2025-12-14" + "percentile": 0.08405, + "date": "2025-12-15" } ], "cwes": [ @@ -5856,8 +5856,8 @@ { "cve": "CVE-2023-4156", "epss": 0.00031, - "percentile": 0.08475, - "date": "2025-12-14" + "percentile": 0.08405, + "date": "2025-12-15" } ], "cwes": [ @@ -5954,8 +5954,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ @@ -6030,8 +6030,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ @@ -6131,8 +6131,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ @@ -6207,8 +6207,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ @@ -6319,8 +6319,8 @@ { "cve": "CVE-2025-9714", "epss": 0.00024, - "percentile": 0.05691, - "date": "2025-12-14" + "percentile": 0.05683, + "date": "2025-12-15" } ], "cwes": [ @@ -6393,8 +6393,8 @@ { "cve": "CVE-2025-9714", "epss": 0.00024, - "percentile": 0.05691, - "date": "2025-12-14" + "percentile": 0.05683, + "date": "2025-12-15" } ], "cwes": [ @@ -6488,8 +6488,8 @@ { "cve": "CVE-2025-60753", "epss": 0.0002, - "percentile": 0.04699, - "date": "2025-12-14" + "percentile": 0.04656, + "date": "2025-12-15" } ], "cwes": [ @@ -6542,8 +6542,8 @@ { "cve": "CVE-2025-60753", "epss": 0.0002, - "percentile": 0.04699, - "date": "2025-12-14" + "percentile": 0.04656, + "date": "2025-12-15" } ], "cwes": [ 
@@ -6643,8 +6643,8 @@ { "cve": "CVE-2025-29477", "epss": 0.00019, - "percentile": 0.04132, - "date": "2025-12-14" + "percentile": 0.04084, + "date": "2025-12-15" } ], "cwes": [ @@ -6735,8 +6735,8 @@ { "cve": "CVE-2025-13601", "epss": 0.00015, - "percentile": 0.02458, - "date": "2025-12-14" + "percentile": 0.0245, + "date": "2025-12-15" } ], "cwes": [ @@ -6785,8 +6785,8 @@ { "cve": "CVE-2025-13601", "epss": 0.00015, - "percentile": 0.02458, - "date": "2025-12-14" + "percentile": 0.0245, + "date": "2025-12-15" } ], "cwes": [ @@ -6877,8 +6877,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ], "fix": { @@ -6919,8 +6919,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ] } @@ -7014,8 +7014,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ], "fix": { @@ -7056,8 +7056,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ] } @@ -7151,8 +7151,8 @@ { "cve": "CVE-2025-5915", "epss": 0.00026, - "percentile": 0.06449, - "date": "2025-12-14" + "percentile": 0.06425, + "date": "2025-12-15" } ], "cwes": [ @@ -7213,8 +7213,8 @@ { "cve": "CVE-2025-5915", "epss": 0.00026, - "percentile": 0.06449, - "date": "2025-12-14" + "percentile": 0.06425, + "date": "2025-12-15" } ], "cwes": [ @@ -7305,8 +7305,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -7358,8 +7358,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ 
@@ -7450,8 +7450,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -7503,8 +7503,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -7606,8 +7606,8 @@ { "cve": "CVE-2025-5916", "epss": 0.00023, - "percentile": 0.05378, - "date": "2025-12-14" + "percentile": 0.05349, + "date": "2025-12-15" } ], "cwes": [ @@ -7668,8 +7668,8 @@ { "cve": "CVE-2025-5916", "epss": 0.00023, - "percentile": 0.05378, - "date": "2025-12-14" + "percentile": 0.05349, + "date": "2025-12-15" } ], "cwes": [ @@ -7760,8 +7760,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -7808,8 +7808,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -7905,8 +7905,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -7953,8 +7953,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -8050,8 +8050,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -8098,8 +8098,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -8195,8 +8195,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ 
@@ -8243,8 +8243,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -8340,8 +8340,8 @@ { "cve": "CVE-2025-5278", "epss": 0.00016, - "percentile": 0.02784, - "date": "2025-12-14" + "percentile": 0.02777, + "date": "2025-12-15" } ], "cwes": [ @@ -8394,8 +8394,8 @@ { "cve": "CVE-2025-5278", "epss": 0.00016, - "percentile": 0.02784, - "date": "2025-12-14" + "percentile": 0.02777, + "date": "2025-12-15" } ], "cwes": [ @@ -8497,8 +8497,8 @@ { "cve": "CVE-2023-30571", "epss": 0.00014, - "percentile": 0.02021, - "date": "2025-12-14" + "percentile": 0.02012, + "date": "2025-12-15" } ], "cwes": [ @@ -8563,8 +8563,8 @@ { "cve": "CVE-2023-30571", "epss": 0.00014, - "percentile": 0.02021, - "date": "2025-12-14" + "percentile": 0.02012, + "date": "2025-12-15" } ], "cwes": [ @@ -8661,8 +8661,8 @@ { "cve": "CVE-2025-30258", "epss": 0.00025, - "percentile": 0.05983, - "date": "2025-12-14" + "percentile": 0.0597, + "date": "2025-12-15" } ], "cwes": [ @@ -8722,8 +8722,8 @@ { "cve": "CVE-2025-30258", "epss": 0.00025, - "percentile": 0.05983, - "date": "2025-12-14" + "percentile": 0.0597, + "date": "2025-12-15" } ], "cwes": [ @@ -8814,8 +8814,8 @@ { "cve": "CVE-2024-0232", "epss": 0.00018, - "percentile": 0.03785, - "date": "2025-12-14" + "percentile": 0.03749, + "date": "2025-12-15" } ], "cwes": [ @@ -8882,8 +8882,8 @@ { "cve": "CVE-2024-0232", "epss": 0.00018, - "percentile": 0.03785, - "date": "2025-12-14" + "percentile": 0.03749, + "date": "2025-12-15" } ], "cwes": [ @@ -8991,8 +8991,8 @@ { "cve": "CVE-2025-5918", "epss": 0.00019, - "percentile": 0.04307, - "date": "2025-12-14" + "percentile": 0.04264, + "date": "2025-12-15" } ], "cwes": [ @@ -9053,8 +9053,8 @@ { "cve": "CVE-2025-5918", "epss": 0.00019, - "percentile": 0.04307, - "date": "2025-12-14" + "percentile": 0.04264, + "date": "2025-12-15" } ], "cwes": [ 
@@ -9145,8 +9145,8 @@ { "cve": "CVE-2022-3219", "epss": 0.00012, - "percentile": 0.01397, - "date": "2025-12-14" + "percentile": 0.01394, + "date": "2025-12-15" } ], "cwes": [ @@ -9215,8 +9215,8 @@ { "cve": "CVE-2022-3219", "epss": 0.00012, - "percentile": 0.01397, - "date": "2025-12-14" + "percentile": 0.01394, + "date": "2025-12-15" } ], "cwes": [ @@ -9313,8 +9313,8 @@ { "cve": "CVE-2025-5917", "epss": 0.00019, - "percentile": 0.04396, - "date": "2025-12-14" + "percentile": 0.04351, + "date": "2025-12-15" } ], "cwes": [ @@ -9375,8 +9375,8 @@ { "cve": "CVE-2025-5917", "epss": 0.00019, - "percentile": 0.04396, - "date": "2025-12-14" + "percentile": 0.04351, + "date": "2025-12-15" } ], "cwes": [ @@ -9467,8 +9467,8 @@ { "cve": "CVE-2025-6170", "epss": 0.00017, - "percentile": 0.03384, - "date": "2025-12-14" + "percentile": 0.03368, + "date": "2025-12-15" } ], "cwes": [ @@ -9528,8 +9528,8 @@ { "cve": "CVE-2025-6170", "epss": 0.00017, - "percentile": 0.03384, - "date": "2025-12-14" + "percentile": 0.03368, + "date": "2025-12-15" } ], "cwes": [ 
@@ -10051,87 +10051,87 @@ "db": { "status": { "schemaVersion": "v6.1.3", - "from": "https://grype.anchore.io/databases/v6/vulnerability-db_v6.1.3_2025-12-15T00:26:22Z_1765786837.tar.zst?checksum=sha256%3A819b50d22f073b9ab2ad3c00d212207037c07e1de037f81b528b58717b758db2", - "built": "2025-12-15T08:20:37Z", + "from": "https://grype.anchore.io/databases/v6/vulnerability-db_v6.1.3_2025-12-16T00:25:11Z_1765880790.tar.zst?checksum=sha256%3Aa8bb3ef2cc68f242e78cda1e451f290ff56a23b1063de65d22a0ac20e16ae5bd", + "built": "2025-12-16T10:26:30Z", "path": ".cache/grype/db/6/vulnerability.db", "valid": true }, "providers": { "alma": { - "captured": "2025-12-15T00:26:29Z", + "captured": "2025-12-16T00:25:17Z", "input": "xxh64:3bae44c7a22f7a7a" }, "alpine": { - "captured": "2025-12-15T00:26:22Z", - "input": "xxh64:a6910ebae352b990" + "captured": "2025-12-16T00:25:13Z", + "input": "xxh64:0d94cc3d895e96e4" }, "amazon": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:d9332811ab10da09" + "captured": "2025-12-16T00:25:14Z", + "input": "xxh64:96351b3c21f16cdd" }, "bitnami": { - "captured": "2025-12-15T00:26:31Z", - "input": "xxh64:1ecf12b668dea077" + "captured": "2025-12-16T00:25:26Z", + "input": "xxh64:01d096e52d6c584d" }, "chainguard": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:c788b1823558ccdc" + "captured": "2025-12-16T00:25:19Z", + "input": "xxh64:aeb142b1fabd05ef" }, "chainguard-libraries": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:61125e10198fff74" + "captured": "2025-12-16T00:25:25Z", + "input": "xxh64:131c1a3e98113468" }, "debian": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:3a0aef0ee5db3f38" + "captured": "2025-12-16T00:25:24Z", + "input": "xxh64:9c5942d58a5f0d0a" }, "echo": { - "captured": "2025-12-15T00:26:34Z", - "input": "xxh64:b407f1052619408a" + "captured": "2025-12-16T00:25:20Z", + "input": "xxh64:e65ed35a7a7899d0" }, "epss": { - "captured": "2025-12-15T00:26:28Z", - "input": "xxh64:05fd1e2ee709d2a5" + "captured": 
"2025-12-16T00:25:21Z", + "input": "xxh64:c443dbaf0209cf17" }, "github": { - "captured": "2025-12-15T00:26:44Z", - "input": "xxh64:3c7fd996a88f1c66" + "captured": "2025-12-16T00:25:21Z", + "input": "xxh64:640038905439d285" }, "kev": { - "captured": "2025-12-15T00:26:23Z", - "input": "xxh64:ed425533655d771d" + "captured": "2025-12-16T00:25:11Z", + "input": "xxh64:c28f5b32e2103243" }, "mariner": { - "captured": "2025-12-15T00:26:32Z", - "input": "xxh64:6fdbff1192df3158" + "captured": "2025-12-16T00:25:18Z", + "input": "xxh64:647810a8c07a63eb" }, "minimos": { - "captured": "2025-12-15T00:26:30Z", - "input": "xxh64:66fa9397e7abbbe3" + "captured": "2025-12-16T00:25:20Z", + "input": "xxh64:24ca3b7889974a27" }, "nvd": { - "captured": "2025-12-15T00:29:34Z", - "input": "xxh64:52a15157244d2eb4" + "captured": "2025-12-16T00:28:18Z", + "input": "xxh64:8ee1877e9a9e680b" }, "oracle": { - "captured": "2025-12-15T00:26:29Z", - "input": "xxh64:a3297070ed6c54c1" + "captured": "2025-12-16T00:25:23Z", + "input": "xxh64:a4416b6b3e4250df" }, "rhel": { - "captured": "2025-12-15T00:27:19Z", - "input": "xxh64:e625d0086bf187f1" + "captured": "2025-12-16T00:26:07Z", + "input": "xxh64:9911b1a567d8f57c" }, "sles": { - "captured": "2025-12-15T00:26:44Z", - "input": "xxh64:baf8228a110f8ba2" + "captured": "2025-12-16T00:25:43Z", + "input": "xxh64:1b717d5f2e45fdee" }, "ubuntu": { - "captured": "2025-12-15T00:27:45Z", - "input": "xxh64:dd0f79d777310979" + "captured": "2025-12-16T00:27:14Z", + "input": "xxh64:2d3097578288b46f" }, "wolfi": { - "captured": "2025-12-15T00:26:25Z", - "input": "xxh64:7f14313934ae61bb" + "captured": "2025-12-16T00:25:19Z", + "input": "xxh64:f85923693eb62700" } } } diff --git a/docs/security/agent/grype-25.8.2.md b/docs/security/agent/grype-25.8.2.md index 7395bae..5675b9d 100644 --- a/docs/security/agent/grype-25.8.2.md +++ b/docs/security/agent/grype-25.8.2.md 
@@ -13,8 +13,8 @@ Refer to the [triaged vulnerabilities](https://docs.fluent.do/security/triaged.h | libcurl-minimal | 7.76.1-31.el9_6.1 | [CVE-2025-9086](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-9086) | Medium | | gnutls | 3.8.3-6.el9 | [CVE-2025-32988](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32988) | Medium | | libpq | 13.20-1.el9_5 | [CVE-2025-4207](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-4207) | Medium | -| gnutls | 3.8.3-6.el9 | [CVE-2025-6395](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-6395) | Medium | | libpq | 13.20-1.el9_5 | [CVE-2025-12818](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-12818) | Medium | +| gnutls | 3.8.3-6.el9 | [CVE-2025-6395](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-6395) | Medium | | gnutls | 3.8.3-6.el9 | [CVE-2025-32989](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32989) | Medium | | systemd-libs | 252-51.el9_6.1 | [CVE-2025-4598](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-4598) | Medium | | glib2 | 2.68.4-16.el9_6.2 | [CVE-2025-14512](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-14512) | Medium | 
@@ -37,16 +37,16 @@ Refer to the [triaged vulnerabilities](https://docs.fluent.do/security/triaged.h | curl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-7264](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7264) | Low | | libcurl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-7264](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7264) | Low | | shadow-utils | 2:4.9-12.el9 | [CVE-2024-56433](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-56433) | Low | -| curl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | -| libcurl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | | libxml2 | 2.9.13-12.el9_6 | [CVE-2024-34459](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34459) | Low | | openssl | 1:3.2.2-6.el9_5.1 | [CVE-2024-41996](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41996) | Low | | openssl-libs | 1:3.2.2-6.el9_5.1 | [CVE-2024-41996](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41996) | Low | +| curl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | +| libcurl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | | curl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-11053](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-11053) | Low | | libcurl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-11053](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-11053) | Low | | glib2 | 2.68.4-16.el9_6.2 | [CVE-2023-32636](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32636) | Low | -| libarchive | 3.5.3-5.el9_6 | [CVE-2025-1632](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1632) | Low | | libxml2 | 2.9.13-12.el9_6 | [CVE-2025-27113](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27113) | Low | +| libarchive | 3.5.3-5.el9_6 | 
[CVE-2025-1632](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1632) | Low | | openssl | 1:3.2.2-6.el9_5.1 | [CVE-2024-13176](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13176) | Low | | openssl-libs | 1:3.2.2-6.el9_5.1 | [CVE-2024-13176](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13176) | Low | | libxml2 | 2.9.13-12.el9_6 | [CVE-2023-45322](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45322) | Low | diff --git a/docs/security/agent/grype-25.8.4.json b/docs/security/agent/grype-25.8.4.json index 6f41b5d..0152cb4 100644 --- a/docs/security/agent/grype-25.8.4.json +++ b/docs/security/agent/grype-25.8.4.json @@ -25,8 +25,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -91,8 +91,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -194,8 +194,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -260,8 +260,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -363,8 +363,8 @@ { "cve": "CVE-2024-56433", "epss": 0.05074, - "percentile": 0.8942, - "date": "2025-12-14" + "percentile": 0.89421, + "date": "2025-12-15" } ], "cwes": [ @@ -426,8 +426,8 @@ { "cve": "CVE-2024-56433", "epss": 0.05074, - "percentile": 0.8942, - "date": "2025-12-14" + "percentile": 0.89421, + "date": "2025-12-15" } ], "cwes": [ 
@@ -504,39 +504,39 @@ }, { "vulnerability": { - "id": "CVE-2024-9681", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", + "id": "CVE-2024-34459", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-34459", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", + "description": "A flaw was found in the xmllint program distributed by the libxml2 package. A buffer over-read in the xmlHTMLPrintFileContext function in the xmllint.c file may be triggered when a crafted file is processed with the xmllint program using the `--htmlout` command line option, causing an application crash and resulting in a denial of service.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 3.9, - "exploitabilityScore": 1.4, - "impactScore": 2.6 + "baseScore": 5.5, + "exploitabilityScore": 1.9, + "impactScore": 3.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-34459", + "epss": 0.00847, + "percentile": 0.74212, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-34459", + "cwe": "CWE-122", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ], "fix": { 
@@ -544,51 +544,36 @@ "state": "not-fixed" }, "advisories": [], - "risk": 0.422625 + "risk": 0.35997500000000004 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-9681", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", + "id": "CVE-2024-34459", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-34459", "namespace": "nvd:cpe", - "severity": "Medium", + "severity": "High", "urls": [ - "https://curl.se/docs/CVE-2024-9681.html", - "https://curl.se/docs/CVE-2024-9681.json", - "https://hackerone.com/reports/2764830", - "http://seclists.org/fulldisclosure/2025/Apr/10", - "http://seclists.org/fulldisclosure/2025/Apr/11", - "http://seclists.org/fulldisclosure/2025/Apr/12", - "http://seclists.org/fulldisclosure/2025/Apr/13", - "http://seclists.org/fulldisclosure/2025/Apr/4", - "http://seclists.org/fulldisclosure/2025/Apr/5", - "http://seclists.org/fulldisclosure/2025/Apr/8", - "http://seclists.org/fulldisclosure/2025/Apr/9", - "http://www.openwall.com/lists/oss-security/2024/11/06/2", - "https://security.netapp.com/advisory/ntap-20241213-0006/" + "https://gitlab.gnome.org/GNOME/libxml2/-/issues/720", + "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.8", + "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.7", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/", + "https://lists.debian.org/debian-lts-announce/2025/07/msg00014.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", + 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/" ], - "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", + "description": "An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. 
Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c.", "cvss": [ - { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", - "metrics": { - "baseScore": 6.5, - "exploitabilityScore": 2.3, - "impactScore": 4.3 - }, - "vendorMetadata": {} - }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, + "baseScore": 7.5, + "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} @@ -596,25 +581,25 @@ ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-34459", + "epss": 0.00847, + "percentile": 0.74212, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-34459", + "cwe": "CWE-122", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ] } ], "matchDetails": [ { - "type": "exact-indirect-match", + "type": "exact-direct-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { @@ -622,21 +607,21 @@ "version": "9.6" }, "package": { - "name": "curl", - "version": "7.76.1-31.el9_6.1" + "name": "libxml2", + "version": "0:2.9.13-12.el9_6" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-9681", + "vulnerabilityID": "CVE-2024-34459", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "707ec843794b77ca", - "name": "curl-minimal", - "version": "7.76.1-31.el9_6.1", + "id": "66b25e26e34fcd34", + "name": "libxml2", + "version": "2.9.13-12.el9_6", "type": "rpm", "locations": [ { 
@@ -653,22 +638,11 @@ "MIT" ], "cpes": [ - "cpe:2.3:a:curl-minimal:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:curl-minimal:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:curl_minimal:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:curl_minimal:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:curl:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:curl:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*" - ], - "purl": "pkg:rpm/redhat/curl-minimal@7.76.1-31.el9_6.1?arch=x86_64&distro=rhel-9.6&upstream=curl-7.76.1-31.el9_6.1.src.rpm", - "upstreams": [ - { - "name": "curl", - "version": "7.76.1-31.el9_6.1" - } + "cpe:2.3:a:libxml2:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*" ], + "purl": "pkg:rpm/redhat/libxml2@2.9.13-12.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libxml2-2.9.13-12.el9_6.src.rpm", + "upstreams": [], "metadataType": "RpmMetadata", "metadata": { "epoch": null, 
@@ -678,91 +652,69 @@ }, { "vulnerability": { - "id": "CVE-2024-9681", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", + "id": "CVE-2024-41996", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", + "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 3.9, - "exploitabilityScore": 1.4, - "impactScore": 2.6 + "baseScore": 5.9, + "exploitabilityScore": 2.3, + "impactScore": 3.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-41996", + "cwe": "CWE-295", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ], "fix": { "versions": [], - "state": "not-fixed" + "state": "wont-fix" }, "advisories": [], - "risk": 0.422625 + "risk": 0.30705000000000005 }, 
"relatedVulnerabilities": [ { - "id": "CVE-2024-9681", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", + "id": "CVE-2024-41996", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", "namespace": "nvd:cpe", - "severity": "Medium", + "severity": "High", "urls": [ - "https://curl.se/docs/CVE-2024-9681.html", - "https://curl.se/docs/CVE-2024-9681.json", - "https://hackerone.com/reports/2764830", - "http://seclists.org/fulldisclosure/2025/Apr/10", - "http://seclists.org/fulldisclosure/2025/Apr/11", - "http://seclists.org/fulldisclosure/2025/Apr/12", - "http://seclists.org/fulldisclosure/2025/Apr/13", - "http://seclists.org/fulldisclosure/2025/Apr/4", - "http://seclists.org/fulldisclosure/2025/Apr/5", - "http://seclists.org/fulldisclosure/2025/Apr/8", - "http://seclists.org/fulldisclosure/2025/Apr/9", - "http://www.openwall.com/lists/oss-security/2024/11/06/2", - "https://security.netapp.com/advisory/ntap-20241213-0006/" + "https://dheatattack.gitlab.io/details/", + "https://dheatattack.gitlab.io/faq/", + "https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" ], - "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug 
is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", + "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", "cvss": [ - { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", - "metrics": { - "baseScore": 6.5, - "exploitabilityScore": 2.3, - "impactScore": 4.3 - }, - "vendorMetadata": {} - }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, + "baseScore": 7.5, + "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} 
@@ -770,25 +722,25 @@ ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-41996", + "cwe": "CWE-295", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ] } ], "matchDetails": [ { - "type": "exact-indirect-match", + "type": "exact-direct-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { @@ -796,21 +748,21 @@ "version": "9.6" }, "package": { - "name": "curl", - "version": "7.76.1-31.el9_6.1" + "name": "openssl", + "version": "1:3.2.2-6.el9_5.1" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-9681", + "vulnerabilityID": "CVE-2024-41996", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "220f5f360bc1aff5", - "name": "libcurl-minimal", - "version": "7.76.1-31.el9_6.1", + "id": "7dc75dc862d10c78", + "name": "openssl", + "version": "1:3.2.2-6.el9_5.1", "type": "rpm", "locations": [ { 
@@ -824,48 +776,37 @@ ], "language": "", "licenses": [ - "MIT" + "ASL 2.0" ], "cpes": [ - "cpe:2.3:a:libcurl-minimal:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl-minimal:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl_minimal:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl_minimal:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*" - ], - "purl": "pkg:rpm/redhat/libcurl-minimal@7.76.1-31.el9_6.1?arch=x86_64&distro=rhel-9.6&upstream=curl-7.76.1-31.el9_6.1.src.rpm", - "upstreams": [ - { - "name": "curl", - "version": "7.76.1-31.el9_6.1" - } + "cpe:2.3:a:openssl:openssl:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:openssl:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*" ], + "purl": "pkg:rpm/redhat/openssl@3.2.2-6.el9_5.1?arch=x86_64&distro=rhel-9.6&epoch=1&upstream=openssl-3.2.2-6.el9_5.1.src.rpm", + "upstreams": [], "metadataType": "RpmMetadata", "metadata": { - "epoch": null, + "epoch": 1, "modularityLabel": "" } } }, { "vulnerability": { - "id": "CVE-2024-34459", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-34459", + "id": "CVE-2024-41996", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A flaw was found in the xmllint program distributed by the libxml2 package. 
A buffer over-read in the xmlHTMLPrintFileContext function in the xmllint.c file may be triggered when a crafted file is processed with the xmllint program using the `--htmlout` command line option, causing an application crash and resulting in a denial of service.", + "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 5.5, - "exploitabilityScore": 1.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} 
@@ -873,52 +814,45 @@ ], "epss": [ { - "cve": "CVE-2024-34459", - "epss": 0.00847, - "percentile": 0.74208, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-34459", - "cwe": "CWE-122", + "cve": "CVE-2024-41996", + "cwe": "CWE-295", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ], "fix": { "versions": [], - "state": "not-fixed" + "state": "wont-fix" }, "advisories": [], - "risk": 0.35997500000000004 + "risk": 0.30705000000000005 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-34459", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-34459", + "id": "CVE-2024-41996", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", "namespace": "nvd:cpe", "severity": "High", "urls": [ - "https://gitlab.gnome.org/GNOME/libxml2/-/issues/720", - "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.8", - "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.7", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/", - "https://lists.debian.org/debian-lts-announce/2025/07/msg00014.html", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/" + "https://dheatattack.gitlab.io/details/", + "https://dheatattack.gitlab.io/faq/", + 
"https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" ], - "description": "An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c.", + "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", "cvss": [ { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { "baseScore": 7.5, "exploitabilityScore": 3.9, @@ -929,16 +863,16 @@ ], "epss": [ { - "cve": "CVE-2024-34459", - "epss": 0.00847, - "percentile": 0.74208, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-34459", - "cwe": "CWE-122", + "cve": "CVE-2024-41996", + "cwe": "CWE-295", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } @@ -947,7 +881,7 @@ ], "matchDetails": [ { - "type": "exact-direct-match", + "type": "exact-indirect-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { 
@@ -955,21 +889,21 @@ "version": "9.6" }, "package": { - "name": "libxml2", - "version": "0:2.9.13-12.el9_6" + "name": "openssl", + "version": "3.2.2-6.el9_5.1" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-34459", + "vulnerabilityID": "CVE-2024-41996", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "66b25e26e34fcd34", - "name": "libxml2", - "version": "2.9.13-12.el9_6", + "id": "58e683943e8aac02", + "name": "openssl-libs", + "version": "1:3.2.2-6.el9_5.1", "type": "rpm", "locations": [ { 
@@ -983,86 +917,119 @@ ], "language": "", "licenses": [ - "MIT" + "ASL 2.0" ], "cpes": [ - "cpe:2.3:a:libxml2:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*" + "cpe:2.3:a:openssl-libs:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl-libs:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl_libs:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl_libs:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:rpm/redhat/openssl-libs@3.2.2-6.el9_5.1?arch=x86_64&distro=rhel-9.6&epoch=1&upstream=openssl-3.2.2-6.el9_5.1.src.rpm", + "upstreams": [ + { + "name": "openssl", + "version": "3.2.2-6.el9_5.1" + } ], - "purl": "pkg:rpm/redhat/libxml2@2.9.13-12.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libxml2-2.9.13-12.el9_6.src.rpm", - "upstreams": [], "metadataType": "RpmMetadata", "metadata": { - "epoch": null, + "epoch": 1, "modularityLabel": "" } } }, { "vulnerability": { - "id": "CVE-2024-41996", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. 
This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", + "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, - "impactScore": 3.6 + "baseScore": 3.9, + "exploitabilityScore": 1.4, + "impactScore": 2.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ], "fix": { "versions": [], - "state": "wont-fix" + "state": "not-fixed" }, "advisories": [], - "risk": 0.30705000000000005 + "risk": 0.20009999999999997 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-41996", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", "namespace": "nvd:cpe", - "severity": "High", + "severity": "Medium", "urls": [ - "https://dheatattack.gitlab.io/details/", - "https://dheatattack.gitlab.io/faq/", - "https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" + "https://curl.se/docs/CVE-2024-9681.html", + "https://curl.se/docs/CVE-2024-9681.json", + "https://hackerone.com/reports/2764830", + "http://seclists.org/fulldisclosure/2025/Apr/10", + 
"http://seclists.org/fulldisclosure/2025/Apr/11", + "http://seclists.org/fulldisclosure/2025/Apr/12", + "http://seclists.org/fulldisclosure/2025/Apr/13", + "http://seclists.org/fulldisclosure/2025/Apr/4", + "http://seclists.org/fulldisclosure/2025/Apr/5", + "http://seclists.org/fulldisclosure/2025/Apr/8", + "http://seclists.org/fulldisclosure/2025/Apr/9", + "http://www.openwall.com/lists/oss-security/2024/11/06/2", + "https://security.netapp.com/advisory/ntap-20241213-0006/" ], - "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", + "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for 
by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.3, + "impactScore": 4.3 + }, + "vendorMetadata": {} + }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} @@ -1070,25 +1037,25 @@ ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ] } ], "matchDetails": [ { - "type": "exact-direct-match", + "type": "exact-indirect-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { 
@@ -1096,21 +1063,21 @@ "version": "9.6" }, "package": { - "name": "openssl", - "version": "1:3.2.2-6.el9_5.1" + "name": "curl", + "version": "7.76.1-31.el9_6.1" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-41996", + "vulnerabilityID": "CVE-2024-9681", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "7dc75dc862d10c78", - "name": "openssl", - "version": "1:3.2.2-6.el9_5.1", + "id": "707ec843794b77ca", + "name": "curl-minimal", + "version": "7.76.1-31.el9_6.1", "type": "rpm", "locations": [ { 
@@ -1124,86 +1091,119 @@ ], "language": "", "licenses": [ - "ASL 2.0" + "MIT" ], "cpes": [ - "cpe:2.3:a:openssl:openssl:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:openssl:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*" + "cpe:2.3:a:curl-minimal:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:curl-minimal:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:curl_minimal:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:curl_minimal:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:curl:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:curl:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:rpm/redhat/curl-minimal@7.76.1-31.el9_6.1?arch=x86_64&distro=rhel-9.6&upstream=curl-7.76.1-31.el9_6.1.src.rpm", + "upstreams": [ + { + "name": "curl", + "version": "7.76.1-31.el9_6.1" + } ], - "purl": "pkg:rpm/redhat/openssl@3.2.2-6.el9_5.1?arch=x86_64&distro=rhel-9.6&epoch=1&upstream=openssl-3.2.2-6.el9_5.1.src.rpm", - "upstreams": [], "metadataType": "RpmMetadata", "metadata": { - "epoch": 1, + "epoch": null, "modularityLabel": "" } } }, { "vulnerability": { - "id": "CVE-2024-41996", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. 
This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", + "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, - "impactScore": 3.6 + "baseScore": 3.9, + "exploitabilityScore": 1.4, + "impactScore": 2.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ], "fix": { "versions": [], - "state": "wont-fix" + "state": "not-fixed" }, "advisories": [], - "risk": 0.30705000000000005 + "risk": 0.20009999999999997 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-41996", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", "namespace": "nvd:cpe", - "severity": "High", + "severity": "Medium", "urls": [ - "https://dheatattack.gitlab.io/details/", - "https://dheatattack.gitlab.io/faq/", - "https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" + "https://curl.se/docs/CVE-2024-9681.html", + "https://curl.se/docs/CVE-2024-9681.json", + "https://hackerone.com/reports/2764830", + "http://seclists.org/fulldisclosure/2025/Apr/10", + 
"http://seclists.org/fulldisclosure/2025/Apr/11", + "http://seclists.org/fulldisclosure/2025/Apr/12", + "http://seclists.org/fulldisclosure/2025/Apr/13", + "http://seclists.org/fulldisclosure/2025/Apr/4", + "http://seclists.org/fulldisclosure/2025/Apr/5", + "http://seclists.org/fulldisclosure/2025/Apr/8", + "http://seclists.org/fulldisclosure/2025/Apr/9", + "http://www.openwall.com/lists/oss-security/2024/11/06/2", + "https://security.netapp.com/advisory/ntap-20241213-0006/" ], - "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", + "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for 
by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.3, + "impactScore": 4.3 + }, + "vendorMetadata": {} + }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} @@ -1211,18 +1211,18 @@ ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ] } @@ -1237,21 +1237,21 @@ "version": "9.6" }, "package": { - "name": "openssl", - "version": "3.2.2-6.el9_5.1" + "name": "curl", + "version": "7.76.1-31.el9_6.1" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-41996", + "vulnerabilityID": "CVE-2024-9681", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "58e683943e8aac02", - "name": "openssl-libs", - "version": "1:3.2.2-6.el9_5.1", + "id": "220f5f360bc1aff5", + "name": "libcurl-minimal", + "version": "7.76.1-31.el9_6.1", "type": "rpm", "locations": [ { 
@@ -1265,28 +1265,28 @@ ], "language": "", "licenses": [ - "ASL 2.0" + "MIT" ], "cpes": [ - "cpe:2.3:a:openssl-libs:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl-libs:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl_libs:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl_libs:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*" + "cpe:2.3:a:libcurl-minimal:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl-minimal:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl_minimal:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl_minimal:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*" ], - "purl": "pkg:rpm/redhat/openssl-libs@3.2.2-6.el9_5.1?arch=x86_64&distro=rhel-9.6&epoch=1&upstream=openssl-3.2.2-6.el9_5.1.src.rpm", + "purl": "pkg:rpm/redhat/libcurl-minimal@7.76.1-31.el9_6.1?arch=x86_64&distro=rhel-9.6&upstream=curl-7.76.1-31.el9_6.1.src.rpm", "upstreams": [ { - "name": "openssl", - "version": "3.2.2-6.el9_5.1" + "name": "curl", + "version": "7.76.1-31.el9_6.1" } ], "metadataType": "RpmMetadata", "metadata": { - "epoch": 1, + "epoch": null, "modularityLabel": "" } } @@ -1316,8 +1316,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ], "fix": { 
@@ -1361,8 +1361,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ] } @@ -1456,8 +1456,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ], "fix": { @@ -1501,8 +1501,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ] } @@ -1596,8 +1596,8 @@ { "cve": "CVE-2025-14087", "epss": 0.00197, - "percentile": 0.41855, - "date": "2025-12-14" + "percentile": 0.41841, + "date": "2025-12-15" } ], "cwes": [ @@ -1644,8 +1644,8 @@ { "cve": "CVE-2025-14087", "epss": 0.00197, - "percentile": 0.41855, - "date": "2025-12-14" + "percentile": 0.41841, + "date": "2025-12-15" } ], "cwes": [ @@ -1736,8 +1736,8 @@ { "cve": "CVE-2023-32636", "epss": 0.00165, - "percentile": 0.38062, - "date": "2025-12-14" + "percentile": 0.38035, + "date": "2025-12-15" } ], "cwes": [ 
@@ -1759,20 +1759,193 @@ "state": "not-fixed" }, "advisories": [], - "risk": 0.0759 + "risk": 0.0759 + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-32636", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-32636", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://gitlab.gnome.org/GNOME/glib/-/issues/2841", + "https://https://discourse.gnome.org/t/multiple-fixes-for-gvariant-normalisation-issues-in-glib/12835", + "https://security.netapp.com/advisory/ntap-20231110-0002/" + ], + "description": "A flaw was found in glib, where the gvariant deserialization code is vulnerable to a denial of service introduced by additional input validation added to resolve CVE-2023-29499. The offset table validation may be very slow. This bug does not affect any released version of glib but does affect glib distributors who followed the guidance of glib developers to backport the initial fix for CVE-2023-29499.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + }, + { + "source": "secalert@redhat.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 4.7, + "exploitabilityScore": 1.1, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ], + "epss": [ + { + "cve": "CVE-2023-32636", + "epss": 0.00165, + "percentile": 0.38035, + "date": "2025-12-15" + } + ], + "cwes": [ + { + "cve": "CVE-2023-32636", + "cwe": "CWE-400", + "source": "secalert@redhat.com", + "type": "Secondary" + }, + { + "cve": "CVE-2023-32636", + "cwe": "CWE-502", + "source": "nvd@nist.gov", + "type": "Primary" + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "rpm-matcher", + "searchedBy": { + "distro": { + "type": "redhat", + "version": "9.6" + }, + 
"package": { + "name": "glib2", + "version": "0:2.68.4-16.el9_6.2" + }, + "namespace": "redhat:distro:redhat:9" + }, + "found": { + "vulnerabilityID": "CVE-2023-32636", + "versionConstraint": "none (unknown)" + } + } + ], + "artifact": { + "id": "35f4edf399bccea5", + "name": "glib2", + "version": "2.68.4-16.el9_6.2", + "type": "rpm", + "locations": [ + { + "path": "/var/lib/rpm/rpmdb.sqlite", + "layerID": "sha256:0eb5d20b2dd38818489a79d48a0bb6d5c357f22db3ba9ae973ab798676877b5b", + "accessPath": "/var/lib/rpm/rpmdb.sqlite", + "annotations": { + "evidence": "primary" + } + } + ], + "language": "", + "licenses": [ + "LGPLv2+" + ], + "cpes": [ + "cpe:2.3:a:redhat:glib2:2.68.4-16.el9_6.2:*:*:*:*:*:*:*", + "cpe:2.3:a:glib2:glib2:2.68.4-16.el9_6.2:*:*:*:*:*:*:*" + ], + "purl": "pkg:rpm/redhat/glib2@2.68.4-16.el9_6.2?arch=x86_64&distro=rhel-9.6&upstream=glib2-2.68.4-16.el9_6.2.src.rpm", + "upstreams": [], + "metadataType": "RpmMetadata", + "metadata": { + "epoch": null, + "modularityLabel": "" + } + } + }, + { + "vulnerability": { + "id": "CVE-2025-27113", + "dataSource": "https://access.redhat.com/security/cve/CVE-2025-27113", + "namespace": "redhat:distro:redhat:9", + "severity": "Low", + "urls": [], + "description": "A flaw was found in libxml2. 
This vulnerability allows a NULL pointer dereference, leading to a potential crash or denial of service via a crafted XML pattern.", + "cvss": [ + { + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L", + "metrics": { + "baseScore": 3.1, + "exploitabilityScore": 1.7, + "impactScore": 1.5 + }, + "vendorMetadata": {} + } + ], + "epss": [ + { + "cve": "CVE-2025-27113", + "epss": 0.00217, + "percentile": 0.44238, + "date": "2025-12-15" + } + ], + "cwes": [ + { + "cve": "CVE-2025-27113", + "cwe": "CWE-476", + "source": "cve@mitre.org", + "type": "Secondary" + }, + { + "cve": "CVE-2025-27113", + "cwe": "CWE-476", + "source": "nvd@nist.gov", + "type": "Primary" + } + ], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [], + "risk": 0.066185 }, "relatedVulnerabilities": [ { - "id": "CVE-2023-32636", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-32636", + "id": "CVE-2025-27113", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-27113", "namespace": "nvd:cpe", "severity": "High", "urls": [ - "https://gitlab.gnome.org/GNOME/glib/-/issues/2841", - "https://https://discourse.gnome.org/t/multiple-fixes-for-gvariant-normalisation-issues-in-glib/12835", - "https://security.netapp.com/advisory/ntap-20231110-0002/" + "https://gitlab.gnome.org/GNOME/libxml2/-/issues/861", + "http://seclists.org/fulldisclosure/2025/Apr/10", + "http://seclists.org/fulldisclosure/2025/Apr/11", + "http://seclists.org/fulldisclosure/2025/Apr/12", + "http://seclists.org/fulldisclosure/2025/Apr/13", + "http://seclists.org/fulldisclosure/2025/Apr/4", + "http://seclists.org/fulldisclosure/2025/Apr/5", + "http://seclists.org/fulldisclosure/2025/Apr/8", + "http://seclists.org/fulldisclosure/2025/Apr/9", + "https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html", + "https://security.netapp.com/advisory/ntap-20250306-0004/" ], - "description": "A flaw was found in glib, where the gvariant deserialization 
code is vulnerable to a denial of service introduced by additional input validation added to resolve CVE-2023-29499. The offset table validation may be very slow. This bug does not affect any released version of glib but does affect glib distributors who followed the guidance of glib developers to backport the initial fix for CVE-2023-29499.", + "description": "libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer dereference in xmlPatMatch in pattern.c.", "cvss": [ { "source": "nvd@nist.gov", @@ -1787,36 +1960,36 @@ "vendorMetadata": {} }, { - "source": "secalert@redhat.com", + "source": "cve@mitre.org", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "metrics": { - "baseScore": 4.7, - "exploitabilityScore": 1.1, - "impactScore": 3.6 + "baseScore": 2.9, + "exploitabilityScore": 1.5, + "impactScore": 1.5 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2023-32636", - "epss": 0.00165, - "percentile": 0.38062, - "date": "2025-12-14" + "cve": "CVE-2025-27113", + "epss": 0.00217, + "percentile": 0.44238, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2023-32636", - "cwe": "CWE-400", - "source": "secalert@redhat.com", + "cve": "CVE-2025-27113", + "cwe": "CWE-476", + "source": "cve@mitre.org", "type": "Secondary" }, { - "cve": "CVE-2023-32636", - "cwe": "CWE-502", + "cve": "CVE-2025-27113", + "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" } 
@@ -1833,21 +2006,21 @@ "version": "9.6" }, "package": { - "name": "glib2", - "version": "0:2.68.4-16.el9_6.2" + "name": "libxml2", + "version": "0:2.9.13-12.el9_6" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2023-32636", + "vulnerabilityID": "CVE-2025-27113", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "35f4edf399bccea5", - "name": "glib2", - "version": "2.68.4-16.el9_6.2", + "id": "66b25e26e34fcd34", + "name": "libxml2", + "version": "2.9.13-12.el9_6", "type": "rpm", "locations": [ { @@ -1861,13 +2034,13 @@ ], "language": "", "licenses": [ - "LGPLv2+" + "MIT" ], "cpes": [ - "cpe:2.3:a:redhat:glib2:2.68.4-16.el9_6.2:*:*:*:*:*:*:*", - "cpe:2.3:a:glib2:glib2:2.68.4-16.el9_6.2:*:*:*:*:*:*:*" + "cpe:2.3:a:libxml2:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*" ], - "purl": "pkg:rpm/redhat/glib2@2.68.4-16.el9_6.2?arch=x86_64&distro=rhel-9.6&upstream=glib2-2.68.4-16.el9_6.2.src.rpm", + "purl": "pkg:rpm/redhat/libxml2@2.9.13-12.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libxml2-2.9.13-12.el9_6.src.rpm", "upstreams": [], "metadataType": "RpmMetadata", "metadata": { @@ -1901,8 +2074,8 @@ { "cve": "CVE-2025-32990", "epss": 0.0011, - "percentile": 0.30071, - "date": "2025-12-14" + "percentile": 0.3004, + "date": "2025-12-15" } ], "cwes": [ @@ -1985,8 +2158,8 @@ { "cve": "CVE-2025-32990", "epss": 0.0011, - "percentile": 0.30071, - "date": "2025-12-14" + "percentile": 0.3004, + "date": "2025-12-15" } ], "cwes": [ @@ -2080,8 +2253,8 @@ { "cve": "CVE-2025-1632", "epss": 0.00188, - "percentile": 0.40872, - "date": "2025-12-14" + "percentile": 0.40856, + "date": "2025-12-15" } ], "cwes": [ 
@@ -2090,209 +2263,15 @@ "cwe": "CWE-404", "source": "cna@vuldb.com", "type": "Secondary" - }, - { - "cve": "CVE-2025-1632", - "cwe": "CWE-476", - "source": "cna@vuldb.com", - "type": "Secondary" - }, - { - "cve": "CVE-2025-1632", - "cwe": "CWE-476", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "fix": { - "versions": [], - "state": "not-fixed" - }, - "advisories": [], - "risk": 0.05921999999999999 - }, - "relatedVulnerabilities": [ - { - "id": "CVE-2025-1632", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-1632", - "namespace": "nvd:cpe", - "severity": "Medium", - "urls": [ - "https://github.com/Ekkosun/pocs/blob/main/bsdunzip-poc", - "https://vuldb.com/?ctiid.296619", - "https://vuldb.com/?id.296619", - "https://vuldb.com/?submit.496460" - ], - "description": "A vulnerability was found in libarchive up to 3.7.7. It has been classified as problematic. This affects the function list of the file bsdunzip.c. The manipulation leads to null pointer dereference. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. 
The vendor was contacted early about this disclosure but did not respond in any way.", - "cvss": [ - { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "metrics": { - "baseScore": 5.5, - "exploitabilityScore": 1.9, - "impactScore": 3.6 - }, - "vendorMetadata": {} - }, - { - "source": "cna@vuldb.com", - "type": "Secondary", - "version": "4.0", - "vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", - "metrics": { - "baseScore": 4.8 - }, - "vendorMetadata": {} - }, - { - "source": "cna@vuldb.com", - "type": "Secondary", - "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", - "metrics": { - "baseScore": 3.3, - "exploitabilityScore": 1.9, - "impactScore": 1.5 - }, - "vendorMetadata": {} - }, - { - "source": "cna@vuldb.com", - "type": "Secondary", - "version": "2.0", - "vector": "AV:L/AC:L/Au:S/C:N/I:N/A:P", - "metrics": { - "baseScore": 1.7, - "exploitabilityScore": 3.2, - "impactScore": 2.9 - }, - "vendorMetadata": {} - } - ], - "epss": [ - { - "cve": "CVE-2025-1632", - "epss": 0.00188, - "percentile": 0.40872, - "date": "2025-12-14" - } - ], - "cwes": [ - { - "cve": "CVE-2025-1632", - "cwe": "CWE-404", - "source": "cna@vuldb.com", - "type": "Secondary" - }, - { - "cve": "CVE-2025-1632", - "cwe": "CWE-476", - "source": "cna@vuldb.com", - "type": "Secondary" - }, - { - "cve": "CVE-2025-1632", - "cwe": "CWE-476", - "source": "nvd@nist.gov", - "type": "Primary" - } - ] - } - ], - "matchDetails": [ - { - "type": "exact-direct-match", - "matcher": "rpm-matcher", - "searchedBy": { - "distro": { - "type": "redhat", - "version": "9.6" - }, - "package": { - "name": "libarchive", - "version": "0:3.5.3-6.el9_6" - }, - "namespace": "redhat:distro:redhat:9" - }, - "found": { - "vulnerabilityID": "CVE-2025-1632", - "versionConstraint": "none 
(unknown)" - } - } - ], - "artifact": { - "id": "5fe8b53173092253", - "name": "libarchive", - "version": "3.5.3-6.el9_6", - "type": "rpm", - "locations": [ - { - "path": "/var/lib/rpm/rpmdb.sqlite", - "layerID": "sha256:0eb5d20b2dd38818489a79d48a0bb6d5c357f22db3ba9ae973ab798676877b5b", - "accessPath": "/var/lib/rpm/rpmdb.sqlite", - "annotations": { - "evidence": "primary" - } - } - ], - "language": "", - "licenses": [ - "BSD" - ], - "cpes": [ - "cpe:2.3:a:libarchive:libarchive:3.5.3-6.el9_6:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libarchive:3.5.3-6.el9_6:*:*:*:*:*:*:*" - ], - "purl": "pkg:rpm/redhat/libarchive@3.5.3-6.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libarchive-3.5.3-6.el9_6.src.rpm", - "upstreams": [], - "metadataType": "RpmMetadata", - "metadata": { - "epoch": null, - "modularityLabel": "" - } - } - }, - { - "vulnerability": { - "id": "CVE-2025-27113", - "dataSource": "https://access.redhat.com/security/cve/CVE-2025-27113", - "namespace": "redhat:distro:redhat:9", - "severity": "Low", - "urls": [], - "description": "A flaw was found in libxml2. This vulnerability allows a NULL pointer dereference, leading to a potential crash or denial of service via a crafted XML pattern.", - "cvss": [ - { - "type": "Secondary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L", - "metrics": { - "baseScore": 3.1, - "exploitabilityScore": 1.7, - "impactScore": 1.5 - }, - "vendorMetadata": {} - } - ], - "epss": [ - { - "cve": "CVE-2025-27113", - "epss": 0.00184, - "percentile": 0.40434, - "date": "2025-12-14" - } - ], - "cwes": [ + }, { - "cve": "CVE-2025-27113", + "cve": "CVE-2025-1632", "cwe": "CWE-476", - "source": "cve@mitre.org", + "source": "cna@vuldb.com", "type": "Secondary" }, { - "cve": "CVE-2025-27113", + "cve": "CVE-2025-1632", "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" 
@@ -2303,71 +2282,92 @@ "state": "not-fixed" }, "advisories": [], - "risk": 0.056119999999999996 + "risk": 0.05921999999999999 }, "relatedVulnerabilities": [ { - "id": "CVE-2025-27113", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-27113", + "id": "CVE-2025-1632", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-1632", "namespace": "nvd:cpe", - "severity": "High", + "severity": "Medium", "urls": [ - "https://gitlab.gnome.org/GNOME/libxml2/-/issues/861", - "http://seclists.org/fulldisclosure/2025/Apr/10", - "http://seclists.org/fulldisclosure/2025/Apr/11", - "http://seclists.org/fulldisclosure/2025/Apr/12", - "http://seclists.org/fulldisclosure/2025/Apr/13", - "http://seclists.org/fulldisclosure/2025/Apr/4", - "http://seclists.org/fulldisclosure/2025/Apr/5", - "http://seclists.org/fulldisclosure/2025/Apr/8", - "http://seclists.org/fulldisclosure/2025/Apr/9", - "https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html", - "https://security.netapp.com/advisory/ntap-20250306-0004/" + "https://github.com/Ekkosun/pocs/blob/main/bsdunzip-poc", + "https://vuldb.com/?ctiid.296619", + "https://vuldb.com/?id.296619", + "https://vuldb.com/?submit.496460" ], - "description": "libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer dereference in xmlPatMatch in pattern.c.", + "description": "A vulnerability was found in libarchive up to 3.7.7. It has been classified as problematic. This affects the function list of the file bsdunzip.c. The manipulation leads to null pointer dereference. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. 
The vendor was contacted early about this disclosure but did not respond in any way.", "cvss": [ { "source": "nvd@nist.gov", "type": "Primary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, + "baseScore": 5.5, + "exploitabilityScore": 1.9, "impactScore": 3.6 }, "vendorMetadata": {} }, { - "source": "cve@mitre.org", + "source": "cna@vuldb.com", + "type": "Secondary", + "version": "4.0", + "vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", + "metrics": { + "baseScore": 4.8 + }, + "vendorMetadata": {} + }, + { + "source": "cna@vuldb.com", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "metrics": { - "baseScore": 2.9, - "exploitabilityScore": 1.5, + "baseScore": 3.3, + "exploitabilityScore": 1.9, "impactScore": 1.5 }, "vendorMetadata": {} + }, + { + "source": "cna@vuldb.com", + "type": "Secondary", + "version": "2.0", + "vector": "AV:L/AC:L/Au:S/C:N/I:N/A:P", + "metrics": { + "baseScore": 1.7, + "exploitabilityScore": 3.2, + "impactScore": 2.9 + }, + "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2025-27113", - "epss": 0.00184, - "percentile": 0.40434, - "date": "2025-12-14" + "cve": "CVE-2025-1632", + "epss": 0.00188, + "percentile": 0.40856, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-27113", + "cve": "CVE-2025-1632", + "cwe": "CWE-404", + "source": "cna@vuldb.com", + "type": "Secondary" + }, + { + "cve": "CVE-2025-1632", "cwe": "CWE-476", - "source": "cve@mitre.org", + "source": "cna@vuldb.com", "type": "Secondary" }, { - "cve": "CVE-2025-27113", + "cve": "CVE-2025-1632", "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" 
@@ -2385,21 +2385,21 @@ "version": "9.6" }, "package": { - "name": "libxml2", - "version": "0:2.9.13-12.el9_6" + "name": "libarchive", + "version": "0:3.5.3-6.el9_6" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2025-27113", + "vulnerabilityID": "CVE-2025-1632", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "66b25e26e34fcd34", - "name": "libxml2", - "version": "2.9.13-12.el9_6", + "id": "5fe8b53173092253", + "name": "libarchive", + "version": "3.5.3-6.el9_6", "type": "rpm", "locations": [ { @@ -2413,13 +2413,13 @@ ], "language": "", "licenses": [ - "MIT" + "BSD" ], "cpes": [ - "cpe:2.3:a:libxml2:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*" + "cpe:2.3:a:libarchive:libarchive:3.5.3-6.el9_6:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libarchive:3.5.3-6.el9_6:*:*:*:*:*:*:*" ], - "purl": "pkg:rpm/redhat/libxml2@2.9.13-12.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libxml2-2.9.13-12.el9_6.src.rpm", + "purl": "pkg:rpm/redhat/libarchive@3.5.3-6.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libarchive-3.5.3-6.el9_6.src.rpm", "upstreams": [], "metadataType": "RpmMetadata", "metadata": { @@ -2453,8 +2453,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ], "fix": { @@ -2495,8 +2495,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ] } @@ -2590,8 +2590,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ], "fix": { @@ -2632,8 +2632,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ] } 
@@ -2727,8 +2727,8 @@ { "cve": "CVE-2025-32988", "epss": 0.00083, - "percentile": 0.24589, - "date": "2025-12-14" + "percentile": 0.24562, + "date": "2025-12-15" } ], "cwes": [ @@ -2811,8 +2811,8 @@ { "cve": "CVE-2025-32988", "epss": 0.00083, - "percentile": 0.24589, - "date": "2025-12-14" + "percentile": 0.24562, + "date": "2025-12-15" } ], "cwes": [ @@ -2906,8 +2906,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -2965,8 +2965,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -3057,8 +3057,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ 
@@ -3074,57 +3074,209 @@ "state": "not-fixed" }, "advisories": [], - "risk": 0.047355 + "risk": 0.047355 + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2024-13176", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-13176", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://github.com/openssl/openssl/commit/07272b05b04836a762b4baa874958af51d513844", + "https://github.com/openssl/openssl/commit/2af62e74fb59bc469506bc37eb2990ea408d9467", + "https://github.com/openssl/openssl/commit/392dcb336405a0c94486aa6655057f59fd3a0902", + "https://github.com/openssl/openssl/commit/4b1cb94a734a7d4ec363ac0a215a25c181e11f65", + "https://github.com/openssl/openssl/commit/77c608f4c8857e63e98e66444e2e761c9627916f", + "https://github.openssl.org/openssl/extended-releases/commit/0d5fd1ab987f7571e2c955d8d8b638fc0fb54ded", + "https://github.openssl.org/openssl/extended-releases/commit/a2639000db19878d5d89586ae7b725080592ae86", + "https://openssl-library.org/news/secadv/20250120.txt", + "http://www.openwall.com/lists/oss-security/2025/01/20/2", + "https://lists.debian.org/debian-lts-announce/2025/05/msg00028.html", + "https://security.netapp.com/advisory/ntap-20250124-0005/", + "https://security.netapp.com/advisory/ntap-20250418-0010/", + "https://security.netapp.com/advisory/ntap-20250502-0006/" + ], + "description": "Issue summary: A timing side-channel which could potentially allow recovering\nthe private key exists in the ECDSA signature computation.\n\nImpact summary: A timing side-channel in ECDSA signature computations\ncould allow recovering the private key by an attacker. However, measuring\nthe timing would require either local access to the signing application or\na very fast network connection with low latency.\n\nThere is a timing signal of around 300 nanoseconds when the top word of\nthe inverted ECDSA nonce value is zero. This can happen with significant\nprobability only for some of the supported elliptic curves. 
In particular\nthe NIST P-521 curve is affected. To be able to measure this leak, the attacker\nprocess must either be located in the same physical computer or must\nhave a very fast network connection with low latency. For that reason\nthe severity of this vulnerability is Low.\n\nThe FIPS modules in 3.4, 3.3, 3.2, 3.1 and 3.0 are affected by this issue.", + "cvss": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", + "metrics": { + "baseScore": 4.1, + "exploitabilityScore": 0.7, + "impactScore": 3.4 + }, + "vendorMetadata": {} + } + ], + "epss": [ + { + "cve": "CVE-2024-13176", + "epss": 0.00123, + "percentile": 0.3226, + "date": "2025-12-15" + } + ], + "cwes": [ + { + "cve": "CVE-2024-13176", + "cwe": "CWE-385", + "source": "openssl-security@openssl.org", + "type": "Secondary" + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-indirect-match", + "matcher": "rpm-matcher", + "searchedBy": { + "distro": { + "type": "redhat", + "version": "9.6" + }, + "package": { + "name": "openssl", + "version": "3.2.2-6.el9_5.1" + }, + "namespace": "redhat:distro:redhat:9" + }, + "found": { + "vulnerabilityID": "CVE-2024-13176", + "versionConstraint": "none (unknown)" + } + } + ], + "artifact": { + "id": "58e683943e8aac02", + "name": "openssl-libs", + "version": "1:3.2.2-6.el9_5.1", + "type": "rpm", + "locations": [ + { + "path": "/var/lib/rpm/rpmdb.sqlite", + "layerID": "sha256:0eb5d20b2dd38818489a79d48a0bb6d5c357f22db3ba9ae973ab798676877b5b", + "accessPath": "/var/lib/rpm/rpmdb.sqlite", + "annotations": { + "evidence": "primary" + } + } + ], + "language": "", + "licenses": [ + "ASL 2.0" + ], + "cpes": [ + "cpe:2.3:a:openssl-libs:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl-libs:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl_libs:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + 
"cpe:2.3:a:openssl_libs:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:rpm/redhat/openssl-libs@3.2.2-6.el9_5.1?arch=x86_64&distro=rhel-9.6&epoch=1&upstream=openssl-3.2.2-6.el9_5.1.src.rpm", + "upstreams": [ + { + "name": "openssl", + "version": "3.2.2-6.el9_5.1" + } + ], + "metadataType": "RpmMetadata", + "metadata": { + "epoch": 1, + "modularityLabel": "" + } + } + }, + { + "vulnerability": { + "id": "CVE-2025-4207", + "dataSource": "https://access.redhat.com/security/cve/CVE-2025-4207", + "namespace": "redhat:distro:redhat:9", + "severity": "Medium", + "urls": [], + "description": "A flaw was found in PostgreSQL. A buffer over-read in PostgreSQL GB18030 encoding validation allows a database input provider to achieve temporary denial of service on platforms where a 1-byte over-read can lead to process termination.", + "cvss": [ + { + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.9, + "exploitabilityScore": 2.3, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ], + "epss": [ + { + "cve": "CVE-2025-4207", + "epss": 0.00067, + "percentile": 0.20798, + "date": "2025-12-15" + } + ], + "cwes": [ + { + "cve": "CVE-2025-4207", + "cwe": "CWE-126", + "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", + "type": "Secondary" + } + ], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [], + "risk": 0.036515 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-13176", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-13176", + "id": "CVE-2025-4207", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-4207", "namespace": "nvd:cpe", "severity": "Medium", "urls": 
[ - "https://github.com/openssl/openssl/commit/07272b05b04836a762b4baa874958af51d513844", - "https://github.com/openssl/openssl/commit/2af62e74fb59bc469506bc37eb2990ea408d9467", - "https://github.com/openssl/openssl/commit/392dcb336405a0c94486aa6655057f59fd3a0902", - "https://github.com/openssl/openssl/commit/4b1cb94a734a7d4ec363ac0a215a25c181e11f65", - "https://github.com/openssl/openssl/commit/77c608f4c8857e63e98e66444e2e761c9627916f", - "https://github.openssl.org/openssl/extended-releases/commit/0d5fd1ab987f7571e2c955d8d8b638fc0fb54ded", - "https://github.openssl.org/openssl/extended-releases/commit/a2639000db19878d5d89586ae7b725080592ae86", - "https://openssl-library.org/news/secadv/20250120.txt", - "http://www.openwall.com/lists/oss-security/2025/01/20/2", - "https://lists.debian.org/debian-lts-announce/2025/05/msg00028.html", - "https://security.netapp.com/advisory/ntap-20250124-0005/", - "https://security.netapp.com/advisory/ntap-20250418-0010/", - "https://security.netapp.com/advisory/ntap-20250502-0006/" + "https://www.postgresql.org/support/security/CVE-2025-4207/", + "http://www.openwall.com/lists/oss-security/2025/05/09/3", + "https://lists.debian.org/debian-lts-announce/2025/05/msg00011.html" ], - "description": "Issue summary: A timing side-channel which could potentially allow recovering\nthe private key exists in the ECDSA signature computation.\n\nImpact summary: A timing side-channel in ECDSA signature computations\ncould allow recovering the private key by an attacker. However, measuring\nthe timing would require either local access to the signing application or\na very fast network connection with low latency.\n\nThere is a timing signal of around 300 nanoseconds when the top word of\nthe inverted ECDSA nonce value is zero. This can happen with significant\nprobability only for some of the supported elliptic curves. In particular\nthe NIST P-521 curve is affected. 
To be able to measure this leak, the attacker\nprocess must either be located in the same physical computer or must\nhave a very fast network connection with low latency. For that reason\nthe severity of this vulnerability is Low.\n\nThe FIPS modules in 3.4, 3.3, 3.2, 3.1 and 3.0 are affected by this issue.", + "description": "Buffer over-read in PostgreSQL GB18030 encoding validation allows a database input provider to achieve temporary denial of service on platforms where a 1-byte over-read can elicit process termination. This affects the database server and also libpq. Versions before PostgreSQL 17.5, 16.9, 15.13, 14.18, and 13.21 are affected.", "cvss": [ { - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 4.1, - "exploitabilityScore": 0.7, - "impactScore": 3.4 + "baseScore": 5.9, + "exploitabilityScore": 2.3, + "impactScore": 3.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-13176", - "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "cve": "CVE-2025-4207", + "epss": 0.00067, + "percentile": 0.20798, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-13176", - "cwe": "CWE-385", - "source": "openssl-security@openssl.org", + "cve": "CVE-2025-4207", + "cwe": "CWE-126", + "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "type": "Secondary" } ] @@ -3132,7 +3284,7 @@ ], "matchDetails": [ { - "type": "exact-indirect-match", + "type": "exact-direct-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { 
@@ -3140,21 +3292,21 @@ "version": "9.6" }, "package": { - "name": "openssl", - "version": "3.2.2-6.el9_5.1" + "name": "libpq", + "version": "0:13.20-1.el9_5" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-13176", + "vulnerabilityID": "CVE-2025-4207", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "58e683943e8aac02", - "name": "openssl-libs", - "version": "1:3.2.2-6.el9_5.1", + "id": "9e9440b1f6d978f7", + "name": "libpq", + "version": "13.20-1.el9_5", "type": "rpm", "locations": [ { 
@@ -3168,48 +3320,37 @@ ], "language": "", "licenses": [ - "ASL 2.0" + "PostgreSQL" ], "cpes": [ - "cpe:2.3:a:openssl-libs:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl-libs:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl_libs:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl_libs:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*" - ], - "purl": "pkg:rpm/redhat/openssl-libs@3.2.2-6.el9_5.1?arch=x86_64&distro=rhel-9.6&epoch=1&upstream=openssl-3.2.2-6.el9_5.1.src.rpm", - "upstreams": [ - { - "name": "openssl", - "version": "3.2.2-6.el9_5.1" - } + "cpe:2.3:a:redhat:libpq:13.20-1.el9_5:*:*:*:*:*:*:*", + "cpe:2.3:a:libpq:libpq:13.20-1.el9_5:*:*:*:*:*:*:*" ], + "purl": "pkg:rpm/redhat/libpq@13.20-1.el9_5?arch=x86_64&distro=rhel-9.6&upstream=libpq-13.20-1.el9_5.src.rpm", + "upstreams": [], "metadataType": "RpmMetadata", "metadata": { - "epoch": 1, + "epoch": null, "modularityLabel": "" } } }, { "vulnerability": { - "id": "CVE-2025-4207", - "dataSource": "https://access.redhat.com/security/cve/CVE-2025-4207", + "id": "CVE-2025-12818", + "dataSource": "https://access.redhat.com/security/cve/CVE-2025-12818", "namespace": "redhat:distro:redhat:9", "severity": "Medium", "urls": [], - "description": "A flaw was found in PostgreSQL. 
A buffer over-read in PostgreSQL GB18030 encoding validation allows a database input provider to achieve temporary denial of service on platforms where a 1-byte over-read can lead to process termination.", + "description": "A vulnerability has been identified in PostgreSQL’s libpq client library, where integer wraparound in several allocation-size calculations allows a peer or input provider to cause an undersized buffer and then write out-of-bounds by hundreds of megabytes. This can lead to a client application segmentation fault or crash when using libpq to connect to a PostgreSQL server.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, + "baseScore": 7.5, + "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} @@ -3217,16 +3358,16 @@ ], "epss": [ { - "cve": "CVE-2025-4207", - "epss": 0.00067, - "percentile": 0.2082, - "date": "2025-12-14" + "cve": "CVE-2025-12818", + "epss": 0.00057, + "percentile": 0.1792, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-4207", - "cwe": "CWE-126", + "cve": "CVE-2025-12818", + "cwe": "CWE-190", "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "type": "Secondary" } 
@@ -3236,20 +3377,18 @@ "state": "not-fixed" }, "advisories": [], - "risk": 0.036515 + "risk": 0.035625000000000004 }, "relatedVulnerabilities": [ { - "id": "CVE-2025-4207", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-4207", + "id": "CVE-2025-12818", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-12818", "namespace": "nvd:cpe", "severity": "Medium", "urls": [ - "https://www.postgresql.org/support/security/CVE-2025-4207/", - "http://www.openwall.com/lists/oss-security/2025/05/09/3", - "https://lists.debian.org/debian-lts-announce/2025/05/msg00011.html" + "https://www.postgresql.org/support/security/CVE-2025-12818/" ], - "description": "Buffer over-read in PostgreSQL GB18030 encoding validation allows a database input provider to achieve temporary denial of service on platforms where a 1-byte over-read can elicit process termination. This affects the database server and also libpq. Versions before PostgreSQL 17.5, 16.9, 15.13, 14.18, and 13.21 are affected.", + "description": "Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application using libpq. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.", "cvss": [ { "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", @@ -3266,16 +3405,16 @@ ], "epss": [ { - "cve": "CVE-2025-4207", - "epss": 0.00067, - "percentile": 0.2082, - "date": "2025-12-14" + "cve": "CVE-2025-12818", + "epss": 0.00057, + "percentile": 0.1792, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-4207", - "cwe": "CWE-126", + "cve": "CVE-2025-12818", + "cwe": "CWE-190", "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "type": "Secondary" } 
@@ -3298,7 +3437,7 @@ "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2025-4207", + "vulnerabilityID": "CVE-2025-12818", "versionConstraint": "none (unknown)" } } @@ -3360,8 +3499,8 @@ { "cve": "CVE-2025-6395", "epss": 0.00059, - "percentile": 0.18686, - "date": "2025-12-14" + "percentile": 0.18672, + "date": "2025-12-15" } ], "cwes": [ @@ -3432,8 +3571,8 @@ { "cve": "CVE-2025-6395", "epss": 0.00059, - "percentile": 0.18686, - "date": "2025-12-14" + "percentile": 0.18672, + "date": "2025-12-15" } ], "cwes": [ @@ -3527,8 +3666,8 @@ { "cve": "CVE-2023-45322", "epss": 0.00076, - "percentile": 0.23163, - "date": "2025-12-14" + "percentile": 0.2314, + "date": "2025-12-15" } ], "cwes": [ @@ -3577,8 +3716,8 @@ { "cve": "CVE-2023-45322", "epss": 0.00076, - "percentile": 0.23163, - "date": "2025-12-14" + "percentile": 0.2314, + "date": "2025-12-15" } ], "cwes": [ 
@@ -3644,145 +3783,6 @@ } } }, - { - "vulnerability": { - "id": "CVE-2025-12818", - "dataSource": "https://access.redhat.com/security/cve/CVE-2025-12818", - "namespace": "redhat:distro:redhat:9", - "severity": "Medium", - "urls": [], - "description": "A vulnerability has been identified in PostgreSQL’s libpq client library, where integer wraparound in several allocation-size calculations allows a peer or input provider to cause an undersized buffer and then write out-of-bounds by hundreds of megabytes. This can lead to a client application segmentation fault or crash when using libpq to connect to a PostgreSQL server.", - "cvss": [ - { - "type": "Secondary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, - "impactScore": 3.6 - }, - "vendorMetadata": {} - } - ], - "epss": [ - { - "cve": "CVE-2025-12818", - "epss": 0.00052, - "percentile": 0.16429, - "date": "2025-12-14" - } - ], - "cwes": [ - { - "cve": "CVE-2025-12818", - "cwe": "CWE-190", - "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", - "type": "Secondary" - } - ], - "fix": { - "versions": [], - "state": "not-fixed" - }, - "advisories": [], - "risk": 0.0325 - }, - "relatedVulnerabilities": [ - { - "id": "CVE-2025-12818", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-12818", - "namespace": "nvd:cpe", - "severity": "Medium", - "urls": [ - "https://www.postgresql.org/support/security/CVE-2025-12818/" - ], - "description": "Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application using libpq. 
Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.", - "cvss": [ - { - "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", - "type": "Secondary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", - "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, - "impactScore": 3.6 - }, - "vendorMetadata": {} - } - ], - "epss": [ - { - "cve": "CVE-2025-12818", - "epss": 0.00052, - "percentile": 0.16429, - "date": "2025-12-14" - } - ], - "cwes": [ - { - "cve": "CVE-2025-12818", - "cwe": "CWE-190", - "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", - "type": "Secondary" - } - ] - } - ], - "matchDetails": [ - { - "type": "exact-direct-match", - "matcher": "rpm-matcher", - "searchedBy": { - "distro": { - "type": "redhat", - "version": "9.6" - }, - "package": { - "name": "libpq", - "version": "0:13.20-1.el9_5" - }, - "namespace": "redhat:distro:redhat:9" - }, - "found": { - "vulnerabilityID": "CVE-2025-12818", - "versionConstraint": "none (unknown)" - } - } - ], - "artifact": { - "id": "9e9440b1f6d978f7", - "name": "libpq", - "version": "13.20-1.el9_5", - "type": "rpm", - "locations": [ - { - "path": "/var/lib/rpm/rpmdb.sqlite", - "layerID": "sha256:0eb5d20b2dd38818489a79d48a0bb6d5c357f22db3ba9ae973ab798676877b5b", - "accessPath": "/var/lib/rpm/rpmdb.sqlite", - "annotations": { - "evidence": "primary" - } - } - ], - "language": "", - "licenses": [ - "PostgreSQL" - ], - "cpes": [ - "cpe:2.3:a:redhat:libpq:13.20-1.el9_5:*:*:*:*:*:*:*", - "cpe:2.3:a:libpq:libpq:13.20-1.el9_5:*:*:*:*:*:*:*" - ], - "purl": "pkg:rpm/redhat/libpq@13.20-1.el9_5?arch=x86_64&distro=rhel-9.6&upstream=libpq-13.20-1.el9_5.src.rpm", - "upstreams": [], - "metadataType": "RpmMetadata", - "metadata": { - "epoch": null, - "modularityLabel": "" - } - } - }, { "vulnerability": { "id": "CVE-2025-32989", 
@@ -3808,8 +3808,8 @@ { "cve": "CVE-2025-32989", "epss": 0.00055, - "percentile": 0.17349, - "date": "2025-12-14" + "percentile": 0.17321, + "date": "2025-12-15" } ], "cwes": [ @@ -3878,8 +3878,8 @@ { "cve": "CVE-2025-32989", "epss": 0.00055, - "percentile": 0.17349, - "date": "2025-12-14" + "percentile": 0.17321, + "date": "2025-12-15" } ], "cwes": [ @@ -3973,8 +3973,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -4021,8 +4021,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -4113,8 +4113,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -4161,8 +4161,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -4264,8 +4264,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ], "fix": { @@ -4307,8 +4307,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ] } @@ -4402,8 +4402,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ], "fix": { @@ -4445,8 +4445,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ] } @@ -4540,8 +4540,8 @@ { "cve": "CVE-2025-3360", "epss": 0.00068, - "percentile": 0.2117, - "date": "2025-12-14" + "percentile": 0.21148, + "date": "2025-12-15" } ], "cwes": [ 
@@ -4589,8 +4589,8 @@ { "cve": "CVE-2025-3360", "epss": 0.00068, - "percentile": 0.2117, - "date": "2025-12-14" + "percentile": 0.21148, + "date": "2025-12-15" } ], "cwes": [ @@ -4681,8 +4681,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -4742,8 +4742,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -4839,8 +4839,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -4900,8 +4900,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -4997,8 +4997,8 @@ { "cve": "CVE-2025-4598", "epss": 0.00042, - "percentile": 0.12535, - "date": "2025-12-14" + "percentile": 0.12486, + "date": "2025-12-15" } ], "cwes": [ @@ -5070,8 +5070,8 @@ { "cve": "CVE-2025-4598", "epss": 0.00042, - "percentile": 0.12535, - "date": "2025-12-14" + "percentile": 0.12486, + "date": "2025-12-15" } ], "cwes": [ @@ -5176,8 +5176,8 @@ { "cve": "CVE-2025-14512", "epss": 0.00034, - "percentile": 0.09609, - "date": "2025-12-14" + "percentile": 0.09535, + "date": "2025-12-15" } ], "cwes": [ @@ -5224,8 +5224,8 @@ { "cve": "CVE-2025-14512", "epss": 0.00034, - "percentile": 0.09609, - "date": "2025-12-14" + "percentile": 0.09535, + "date": "2025-12-15" } ], "cwes": [ @@ -5319,8 +5319,8 @@ { "cve": "CVE-2025-29478", "epss": 0.00034, - "percentile": 0.09478, - "date": "2025-12-14" + "percentile": 0.09393, + "date": "2025-12-15" } ], "cwes": [ @@ -5411,8 +5411,8 @@ { "cve": "CVE-2025-6965", "epss": 0.00022, - "percentile": 0.05249, - "date": "2025-12-14" + "percentile": 0.05222, + "date": "2025-12-15" } ], "cwes": [ 
@@ -5488,8 +5488,8 @@ { "cve": "CVE-2025-6965", "epss": 0.00022, - "percentile": 0.05249, - "date": "2025-12-14" + "percentile": 0.05222, + "date": "2025-12-15" } ], "cwes": [ @@ -5594,8 +5594,8 @@ { "cve": "CVE-2023-4156", "epss": 0.00031, - "percentile": 0.08475, - "date": "2025-12-14" + "percentile": 0.08405, + "date": "2025-12-15" } ], "cwes": [ @@ -5660,8 +5660,8 @@ { "cve": "CVE-2023-4156", "epss": 0.00031, - "percentile": 0.08475, - "date": "2025-12-14" + "percentile": 0.08405, + "date": "2025-12-15" } ], "cwes": [ @@ -5758,8 +5758,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ @@ -5834,8 +5834,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ @@ -5935,8 +5935,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ @@ -6011,8 +6011,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ @@ -6123,8 +6123,8 @@ { "cve": "CVE-2025-9714", "epss": 0.00024, - "percentile": 0.05691, - "date": "2025-12-14" + "percentile": 0.05683, + "date": "2025-12-15" } ], "cwes": [ @@ -6197,8 +6197,8 @@ { "cve": "CVE-2025-9714", "epss": 0.00024, - "percentile": 0.05691, - "date": "2025-12-14" + "percentile": 0.05683, + "date": "2025-12-15" } ], "cwes": [ @@ -6292,8 +6292,8 @@ { "cve": "CVE-2025-60753", "epss": 0.0002, - "percentile": 0.04699, - "date": "2025-12-14" + "percentile": 0.04656, + "date": "2025-12-15" } ], "cwes": [ @@ -6346,8 +6346,8 @@ { "cve": "CVE-2025-60753", "epss": 0.0002, - "percentile": 0.04699, - "date": "2025-12-14" + "percentile": 0.04656, + "date": "2025-12-15" } ], "cwes": [ 
@@ -6447,8 +6447,8 @@ { "cve": "CVE-2025-29477", "epss": 0.00019, - "percentile": 0.04132, - "date": "2025-12-14" + "percentile": 0.04084, + "date": "2025-12-15" } ], "cwes": [ @@ -6539,8 +6539,8 @@ { "cve": "CVE-2025-13601", "epss": 0.00015, - "percentile": 0.02458, - "date": "2025-12-14" + "percentile": 0.0245, + "date": "2025-12-15" } ], "cwes": [ @@ -6589,8 +6589,8 @@ { "cve": "CVE-2025-13601", "epss": 0.00015, - "percentile": 0.02458, - "date": "2025-12-14" + "percentile": 0.0245, + "date": "2025-12-15" } ], "cwes": [ @@ -6681,8 +6681,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ], "fix": { @@ -6723,8 +6723,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ] } @@ -6818,8 +6818,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ], "fix": { @@ -6860,8 +6860,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ] } @@ -6955,8 +6955,8 @@ { "cve": "CVE-2025-5915", "epss": 0.00026, - "percentile": 0.06449, - "date": "2025-12-14" + "percentile": 0.06425, + "date": "2025-12-15" } ], "cwes": [ @@ -7017,8 +7017,8 @@ { "cve": "CVE-2025-5915", "epss": 0.00026, - "percentile": 0.06449, - "date": "2025-12-14" + "percentile": 0.06425, + "date": "2025-12-15" } ], "cwes": [ @@ -7109,8 +7109,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -7162,8 +7162,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ 
@@ -7254,8 +7254,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -7307,8 +7307,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -7410,8 +7410,8 @@ { "cve": "CVE-2025-5916", "epss": 0.00023, - "percentile": 0.05378, - "date": "2025-12-14" + "percentile": 0.05349, + "date": "2025-12-15" } ], "cwes": [ @@ -7472,8 +7472,8 @@ { "cve": "CVE-2025-5916", "epss": 0.00023, - "percentile": 0.05378, - "date": "2025-12-14" + "percentile": 0.05349, + "date": "2025-12-15" } ], "cwes": [ @@ -7564,8 +7564,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -7612,8 +7612,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -7709,8 +7709,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -7757,8 +7757,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -7854,8 +7854,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -7902,8 +7902,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -7999,8 +7999,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ 
@@ -8047,8 +8047,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -8144,8 +8144,8 @@ { "cve": "CVE-2025-5278", "epss": 0.00016, - "percentile": 0.02784, - "date": "2025-12-14" + "percentile": 0.02777, + "date": "2025-12-15" } ], "cwes": [ @@ -8198,8 +8198,8 @@ { "cve": "CVE-2025-5278", "epss": 0.00016, - "percentile": 0.02784, - "date": "2025-12-14" + "percentile": 0.02777, + "date": "2025-12-15" } ], "cwes": [ @@ -8301,8 +8301,8 @@ { "cve": "CVE-2023-30571", "epss": 0.00014, - "percentile": 0.02021, - "date": "2025-12-14" + "percentile": 0.02012, + "date": "2025-12-15" } ], "cwes": [ @@ -8367,8 +8367,8 @@ { "cve": "CVE-2023-30571", "epss": 0.00014, - "percentile": 0.02021, - "date": "2025-12-14" + "percentile": 0.02012, + "date": "2025-12-15" } ], "cwes": [ @@ -8465,8 +8465,8 @@ { "cve": "CVE-2025-30258", "epss": 0.00025, - "percentile": 0.05983, - "date": "2025-12-14" + "percentile": 0.0597, + "date": "2025-12-15" } ], "cwes": [ @@ -8526,8 +8526,8 @@ { "cve": "CVE-2025-30258", "epss": 0.00025, - "percentile": 0.05983, - "date": "2025-12-14" + "percentile": 0.0597, + "date": "2025-12-15" } ], "cwes": [ @@ -8618,8 +8618,8 @@ { "cve": "CVE-2024-0232", "epss": 0.00018, - "percentile": 0.03785, - "date": "2025-12-14" + "percentile": 0.03749, + "date": "2025-12-15" } ], "cwes": [ @@ -8686,8 +8686,8 @@ { "cve": "CVE-2024-0232", "epss": 0.00018, - "percentile": 0.03785, - "date": "2025-12-14" + "percentile": 0.03749, + "date": "2025-12-15" } ], "cwes": [ @@ -8795,8 +8795,8 @@ { "cve": "CVE-2025-5918", "epss": 0.00019, - "percentile": 0.04307, - "date": "2025-12-14" + "percentile": 0.04264, + "date": "2025-12-15" } ], "cwes": [ @@ -8857,8 +8857,8 @@ { "cve": "CVE-2025-5918", "epss": 0.00019, - "percentile": 0.04307, - "date": "2025-12-14" + "percentile": 0.04264, + "date": "2025-12-15" } ], "cwes": [ 
@@ -8949,8 +8949,8 @@ { "cve": "CVE-2022-3219", "epss": 0.00012, - "percentile": 0.01397, - "date": "2025-12-14" + "percentile": 0.01394, + "date": "2025-12-15" } ], "cwes": [ @@ -9019,8 +9019,8 @@ { "cve": "CVE-2022-3219", "epss": 0.00012, - "percentile": 0.01397, - "date": "2025-12-14" + "percentile": 0.01394, + "date": "2025-12-15" } ], "cwes": [ @@ -9117,8 +9117,8 @@ { "cve": "CVE-2025-5917", "epss": 0.00019, - "percentile": 0.04396, - "date": "2025-12-14" + "percentile": 0.04351, + "date": "2025-12-15" } ], "cwes": [ @@ -9179,8 +9179,8 @@ { "cve": "CVE-2025-5917", "epss": 0.00019, - "percentile": 0.04396, - "date": "2025-12-14" + "percentile": 0.04351, + "date": "2025-12-15" } ], "cwes": [ @@ -9271,8 +9271,8 @@ { "cve": "CVE-2025-6170", "epss": 0.00017, - "percentile": 0.03384, - "date": "2025-12-14" + "percentile": 0.03368, + "date": "2025-12-15" } ], "cwes": [ @@ -9332,8 +9332,8 @@ { "cve": "CVE-2025-6170", "epss": 0.00017, - "percentile": 0.03384, - "date": "2025-12-14" + "percentile": 0.03368, + "date": "2025-12-15" } ], "cwes": [ 
@@ -9855,87 +9855,87 @@ "db": { "status": { "schemaVersion": "v6.1.3", - "from": "https://grype.anchore.io/databases/v6/vulnerability-db_v6.1.3_2025-12-15T00:26:22Z_1765786837.tar.zst?checksum=sha256%3A819b50d22f073b9ab2ad3c00d212207037c07e1de037f81b528b58717b758db2", - "built": "2025-12-15T08:20:37Z", + "from": "https://grype.anchore.io/databases/v6/vulnerability-db_v6.1.3_2025-12-16T00:25:11Z_1765880790.tar.zst?checksum=sha256%3Aa8bb3ef2cc68f242e78cda1e451f290ff56a23b1063de65d22a0ac20e16ae5bd", + "built": "2025-12-16T10:26:30Z", "path": ".cache/grype/db/6/vulnerability.db", "valid": true }, "providers": { "alma": { - "captured": "2025-12-15T00:26:29Z", + "captured": "2025-12-16T00:25:17Z", "input": "xxh64:3bae44c7a22f7a7a" }, "alpine": { - "captured": "2025-12-15T00:26:22Z", - "input": "xxh64:a6910ebae352b990" + "captured": "2025-12-16T00:25:13Z", + "input": "xxh64:0d94cc3d895e96e4" }, "amazon": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:d9332811ab10da09" + "captured": "2025-12-16T00:25:14Z", + "input": "xxh64:96351b3c21f16cdd" }, "bitnami": { - "captured": "2025-12-15T00:26:31Z", - "input": "xxh64:1ecf12b668dea077" + "captured": "2025-12-16T00:25:26Z", + "input": "xxh64:01d096e52d6c584d" }, "chainguard": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:c788b1823558ccdc" + "captured": "2025-12-16T00:25:19Z", + "input": "xxh64:aeb142b1fabd05ef" }, "chainguard-libraries": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:61125e10198fff74" + "captured": "2025-12-16T00:25:25Z", + "input": "xxh64:131c1a3e98113468" }, "debian": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:3a0aef0ee5db3f38" + "captured": "2025-12-16T00:25:24Z", + "input": "xxh64:9c5942d58a5f0d0a" }, "echo": { - "captured": "2025-12-15T00:26:34Z", - "input": "xxh64:b407f1052619408a" + "captured": "2025-12-16T00:25:20Z", + "input": "xxh64:e65ed35a7a7899d0" }, "epss": { - "captured": "2025-12-15T00:26:28Z", - "input": "xxh64:05fd1e2ee709d2a5" + "captured": 
"2025-12-16T00:25:21Z", + "input": "xxh64:c443dbaf0209cf17" }, "github": { - "captured": "2025-12-15T00:26:44Z", - "input": "xxh64:3c7fd996a88f1c66" + "captured": "2025-12-16T00:25:21Z", + "input": "xxh64:640038905439d285" }, "kev": { - "captured": "2025-12-15T00:26:23Z", - "input": "xxh64:ed425533655d771d" + "captured": "2025-12-16T00:25:11Z", + "input": "xxh64:c28f5b32e2103243" }, "mariner": { - "captured": "2025-12-15T00:26:32Z", - "input": "xxh64:6fdbff1192df3158" + "captured": "2025-12-16T00:25:18Z", + "input": "xxh64:647810a8c07a63eb" }, "minimos": { - "captured": "2025-12-15T00:26:30Z", - "input": "xxh64:66fa9397e7abbbe3" + "captured": "2025-12-16T00:25:20Z", + "input": "xxh64:24ca3b7889974a27" }, "nvd": { - "captured": "2025-12-15T00:29:34Z", - "input": "xxh64:52a15157244d2eb4" + "captured": "2025-12-16T00:28:18Z", + "input": "xxh64:8ee1877e9a9e680b" }, "oracle": { - "captured": "2025-12-15T00:26:29Z", - "input": "xxh64:a3297070ed6c54c1" + "captured": "2025-12-16T00:25:23Z", + "input": "xxh64:a4416b6b3e4250df" }, "rhel": { - "captured": "2025-12-15T00:27:19Z", - "input": "xxh64:e625d0086bf187f1" + "captured": "2025-12-16T00:26:07Z", + "input": "xxh64:9911b1a567d8f57c" }, "sles": { - "captured": "2025-12-15T00:26:44Z", - "input": "xxh64:baf8228a110f8ba2" + "captured": "2025-12-16T00:25:43Z", + "input": "xxh64:1b717d5f2e45fdee" }, "ubuntu": { - "captured": "2025-12-15T00:27:45Z", - "input": "xxh64:dd0f79d777310979" + "captured": "2025-12-16T00:27:14Z", + "input": "xxh64:2d3097578288b46f" }, "wolfi": { - "captured": "2025-12-15T00:26:25Z", - "input": "xxh64:7f14313934ae61bb" + "captured": "2025-12-16T00:25:19Z", + "input": "xxh64:f85923693eb62700" } } } diff --git a/docs/security/agent/grype-25.8.4.md b/docs/security/agent/grype-25.8.4.md index 2a5f41e..f85faae 100644 --- a/docs/security/agent/grype-25.8.4.md +++ b/docs/security/agent/grype-25.8.4.md 
@@ -12,8 +12,8 @@ Refer to the [triaged vulnerabilities](https://docs.fluent.do/security/triaged.h | libcurl-minimal | 7.76.1-31.el9_6.1 | [CVE-2025-9086](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-9086) | Medium | | gnutls | 3.8.3-6.el9 | [CVE-2025-32988](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32988) | Medium | | libpq | 13.20-1.el9_5 | [CVE-2025-4207](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-4207) | Medium | -| gnutls | 3.8.3-6.el9 | [CVE-2025-6395](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-6395) | Medium | | libpq | 13.20-1.el9_5 | [CVE-2025-12818](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-12818) | Medium | +| gnutls | 3.8.3-6.el9 | [CVE-2025-6395](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-6395) | Medium | | gnutls | 3.8.3-6.el9 | [CVE-2025-32989](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32989) | Medium | | systemd-libs | 252-51.el9_6.1 | [CVE-2025-4598](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-4598) | Medium | | glib2 | 2.68.4-16.el9_6.2 | [CVE-2025-14512](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-14512) | Medium | 
@@ -36,16 +36,16 @@ Refer to the [triaged vulnerabilities](https://docs.fluent.do/security/triaged.h | curl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-7264](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7264) | Low | | libcurl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-7264](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7264) | Low | | shadow-utils | 2:4.9-12.el9 | [CVE-2024-56433](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-56433) | Low | -| curl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | -| libcurl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | | libxml2 | 2.9.13-12.el9_6 | [CVE-2024-34459](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34459) | Low | | openssl | 1:3.2.2-6.el9_5.1 | [CVE-2024-41996](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41996) | Low | | openssl-libs | 1:3.2.2-6.el9_5.1 | [CVE-2024-41996](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41996) | Low | +| curl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | +| libcurl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | | curl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-11053](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-11053) | Low | | libcurl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-11053](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-11053) | Low | | glib2 | 2.68.4-16.el9_6.2 | [CVE-2023-32636](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32636) | Low | -| libarchive | 3.5.3-6.el9_6 | [CVE-2025-1632](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1632) | Low | | libxml2 | 2.9.13-12.el9_6 | [CVE-2025-27113](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27113) | Low | +| libarchive | 3.5.3-6.el9_6 | 
[CVE-2025-1632](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1632) | Low | | openssl | 1:3.2.2-6.el9_5.1 | [CVE-2024-13176](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13176) | Low | | openssl-libs | 1:3.2.2-6.el9_5.1 | [CVE-2024-13176](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13176) | Low | | libxml2 | 2.9.13-12.el9_6 | [CVE-2023-45322](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45322) | Low | diff --git a/docs/security/agent/grype-25.9.1.json b/docs/security/agent/grype-25.9.1.json index 6211e89..7a18ff5 100644 --- a/docs/security/agent/grype-25.9.1.json +++ b/docs/security/agent/grype-25.9.1.json @@ -25,8 +25,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -91,8 +91,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -194,8 +194,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -260,8 +260,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -363,8 +363,8 @@ { "cve": "CVE-2024-56433", "epss": 0.05074, - "percentile": 0.8942, - "date": "2025-12-14" + "percentile": 0.89421, + "date": "2025-12-15" } ], "cwes": [ @@ -426,8 +426,8 @@ { "cve": "CVE-2024-56433", "epss": 0.05074, - "percentile": 0.8942, - "date": "2025-12-14" + "percentile": 0.89421, + "date": "2025-12-15" } ], "cwes": [ 
@@ -504,39 +504,39 @@ }, { "vulnerability": { - "id": "CVE-2024-9681", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", + "id": "CVE-2024-34459", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-34459", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", + "description": "A flaw was found in the xmllint program distributed by the libxml2 package. A buffer over-read in the xmlHTMLPrintFileContext function in the xmllint.c file may be triggered when a crafted file is processed with the xmllint program using the `--htmlout` command line option, causing an application crash and resulting in a denial of service.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 3.9, - "exploitabilityScore": 1.4, - "impactScore": 2.6 + "baseScore": 5.5, + "exploitabilityScore": 1.9, + "impactScore": 3.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-34459", + "epss": 0.00847, + "percentile": 0.74212, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-34459", + "cwe": "CWE-122", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ], "fix": { 
@@ -544,51 +544,36 @@ "state": "not-fixed" }, "advisories": [], - "risk": 0.422625 + "risk": 0.35997500000000004 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-9681", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", + "id": "CVE-2024-34459", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-34459", "namespace": "nvd:cpe", - "severity": "Medium", + "severity": "High", "urls": [ - "https://curl.se/docs/CVE-2024-9681.html", - "https://curl.se/docs/CVE-2024-9681.json", - "https://hackerone.com/reports/2764830", - "http://seclists.org/fulldisclosure/2025/Apr/10", - "http://seclists.org/fulldisclosure/2025/Apr/11", - "http://seclists.org/fulldisclosure/2025/Apr/12", - "http://seclists.org/fulldisclosure/2025/Apr/13", - "http://seclists.org/fulldisclosure/2025/Apr/4", - "http://seclists.org/fulldisclosure/2025/Apr/5", - "http://seclists.org/fulldisclosure/2025/Apr/8", - "http://seclists.org/fulldisclosure/2025/Apr/9", - "http://www.openwall.com/lists/oss-security/2024/11/06/2", - "https://security.netapp.com/advisory/ntap-20241213-0006/" + "https://gitlab.gnome.org/GNOME/libxml2/-/issues/720", + "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.8", + "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.7", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/", + "https://lists.debian.org/debian-lts-announce/2025/07/msg00014.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", + 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/" ], - "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", + "description": "An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. 
Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c.", "cvss": [ - { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", - "metrics": { - "baseScore": 6.5, - "exploitabilityScore": 2.3, - "impactScore": 4.3 - }, - "vendorMetadata": {} - }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, + "baseScore": 7.5, + "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} @@ -596,25 +581,25 @@ ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-34459", + "epss": 0.00847, + "percentile": 0.74212, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-34459", + "cwe": "CWE-122", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ] } ], "matchDetails": [ { - "type": "exact-indirect-match", + "type": "exact-direct-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { @@ -622,21 +607,21 @@ "version": "9.6" }, "package": { - "name": "curl", - "version": "7.76.1-31.el9_6.1" + "name": "libxml2", + "version": "0:2.9.13-12.el9_6" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-9681", + "vulnerabilityID": "CVE-2024-34459", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "707ec843794b77ca", - "name": "curl-minimal", - "version": "7.76.1-31.el9_6.1", + "id": "66b25e26e34fcd34", + "name": "libxml2", + "version": "2.9.13-12.el9_6", "type": "rpm", "locations": [ { 
@@ -653,22 +638,11 @@ "MIT" ], "cpes": [ - "cpe:2.3:a:curl-minimal:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:curl-minimal:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:curl_minimal:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:curl_minimal:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:curl:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:curl:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*" - ], - "purl": "pkg:rpm/redhat/curl-minimal@7.76.1-31.el9_6.1?arch=x86_64&distro=rhel-9.6&upstream=curl-7.76.1-31.el9_6.1.src.rpm", - "upstreams": [ - { - "name": "curl", - "version": "7.76.1-31.el9_6.1" - } + "cpe:2.3:a:libxml2:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*" ], + "purl": "pkg:rpm/redhat/libxml2@2.9.13-12.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libxml2-2.9.13-12.el9_6.src.rpm", + "upstreams": [], "metadataType": "RpmMetadata", "metadata": { "epoch": null, 
@@ -678,91 +652,69 @@ }, { "vulnerability": { - "id": "CVE-2024-9681", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", + "id": "CVE-2024-41996", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", + "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 3.9, - "exploitabilityScore": 1.4, - "impactScore": 2.6 + "baseScore": 5.9, + "exploitabilityScore": 2.3, + "impactScore": 3.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-41996", + "cwe": "CWE-295", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ], "fix": { "versions": [], - "state": "not-fixed" + "state": "wont-fix" }, "advisories": [], - "risk": 0.422625 + "risk": 0.30705000000000005 }, 
"relatedVulnerabilities": [ { - "id": "CVE-2024-9681", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", + "id": "CVE-2024-41996", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", "namespace": "nvd:cpe", - "severity": "Medium", + "severity": "High", "urls": [ - "https://curl.se/docs/CVE-2024-9681.html", - "https://curl.se/docs/CVE-2024-9681.json", - "https://hackerone.com/reports/2764830", - "http://seclists.org/fulldisclosure/2025/Apr/10", - "http://seclists.org/fulldisclosure/2025/Apr/11", - "http://seclists.org/fulldisclosure/2025/Apr/12", - "http://seclists.org/fulldisclosure/2025/Apr/13", - "http://seclists.org/fulldisclosure/2025/Apr/4", - "http://seclists.org/fulldisclosure/2025/Apr/5", - "http://seclists.org/fulldisclosure/2025/Apr/8", - "http://seclists.org/fulldisclosure/2025/Apr/9", - "http://www.openwall.com/lists/oss-security/2024/11/06/2", - "https://security.netapp.com/advisory/ntap-20241213-0006/" + "https://dheatattack.gitlab.io/details/", + "https://dheatattack.gitlab.io/faq/", + "https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" ], - "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug 
is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", + "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", "cvss": [ - { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", - "metrics": { - "baseScore": 6.5, - "exploitabilityScore": 2.3, - "impactScore": 4.3 - }, - "vendorMetadata": {} - }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, + "baseScore": 7.5, + "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} 
@@ -770,25 +722,25 @@ ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-41996", + "cwe": "CWE-295", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ] } ], "matchDetails": [ { - "type": "exact-indirect-match", + "type": "exact-direct-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { @@ -796,21 +748,21 @@ "version": "9.6" }, "package": { - "name": "curl", - "version": "7.76.1-31.el9_6.1" + "name": "openssl", + "version": "1:3.2.2-6.el9_5.1" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-9681", + "vulnerabilityID": "CVE-2024-41996", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "220f5f360bc1aff5", - "name": "libcurl-minimal", - "version": "7.76.1-31.el9_6.1", + "id": "7dc75dc862d10c78", + "name": "openssl", + "version": "1:3.2.2-6.el9_5.1", "type": "rpm", "locations": [ { 
@@ -824,48 +776,37 @@ ], "language": "", "licenses": [ - "MIT" + "ASL 2.0" ], "cpes": [ - "cpe:2.3:a:libcurl-minimal:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl-minimal:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl_minimal:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl_minimal:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*" - ], - "purl": "pkg:rpm/redhat/libcurl-minimal@7.76.1-31.el9_6.1?arch=x86_64&distro=rhel-9.6&upstream=curl-7.76.1-31.el9_6.1.src.rpm", - "upstreams": [ - { - "name": "curl", - "version": "7.76.1-31.el9_6.1" - } + "cpe:2.3:a:openssl:openssl:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:openssl:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*" ], + "purl": "pkg:rpm/redhat/openssl@3.2.2-6.el9_5.1?arch=x86_64&distro=rhel-9.6&epoch=1&upstream=openssl-3.2.2-6.el9_5.1.src.rpm", + "upstreams": [], "metadataType": "RpmMetadata", "metadata": { - "epoch": null, + "epoch": 1, "modularityLabel": "" } } }, { "vulnerability": { - "id": "CVE-2024-34459", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-34459", + "id": "CVE-2024-41996", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A flaw was found in the xmllint program distributed by the libxml2 package. 
A buffer over-read in the xmlHTMLPrintFileContext function in the xmllint.c file may be triggered when a crafted file is processed with the xmllint program using the `--htmlout` command line option, causing an application crash and resulting in a denial of service.", + "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 5.5, - "exploitabilityScore": 1.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} 
@@ -873,52 +814,45 @@ ], "epss": [ { - "cve": "CVE-2024-34459", - "epss": 0.00847, - "percentile": 0.74208, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-34459", - "cwe": "CWE-122", + "cve": "CVE-2024-41996", + "cwe": "CWE-295", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ], "fix": { "versions": [], - "state": "not-fixed" + "state": "wont-fix" }, "advisories": [], - "risk": 0.35997500000000004 + "risk": 0.30705000000000005 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-34459", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-34459", + "id": "CVE-2024-41996", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", "namespace": "nvd:cpe", "severity": "High", "urls": [ - "https://gitlab.gnome.org/GNOME/libxml2/-/issues/720", - "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.8", - "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.7", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/", - "https://lists.debian.org/debian-lts-announce/2025/07/msg00014.html", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/" + "https://dheatattack.gitlab.io/details/", + "https://dheatattack.gitlab.io/faq/", + 
"https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" ], - "description": "An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c.", + "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", "cvss": [ { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { "baseScore": 7.5, "exploitabilityScore": 3.9, @@ -929,16 +863,16 @@ ], "epss": [ { - "cve": "CVE-2024-34459", - "epss": 0.00847, - "percentile": 0.74208, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-34459", - "cwe": "CWE-122", + "cve": "CVE-2024-41996", + "cwe": "CWE-295", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } @@ -947,7 +881,7 @@ ], "matchDetails": [ { - "type": "exact-direct-match", + "type": "exact-indirect-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { 
@@ -955,21 +889,21 @@ "version": "9.6" }, "package": { - "name": "libxml2", - "version": "0:2.9.13-12.el9_6" + "name": "openssl", + "version": "3.2.2-6.el9_5.1" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-34459", + "vulnerabilityID": "CVE-2024-41996", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "66b25e26e34fcd34", - "name": "libxml2", - "version": "2.9.13-12.el9_6", + "id": "58e683943e8aac02", + "name": "openssl-libs", + "version": "1:3.2.2-6.el9_5.1", "type": "rpm", "locations": [ { 
@@ -983,86 +917,119 @@ ], "language": "", "licenses": [ - "MIT" + "ASL 2.0" ], "cpes": [ - "cpe:2.3:a:libxml2:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*" + "cpe:2.3:a:openssl-libs:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl-libs:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl_libs:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl_libs:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:rpm/redhat/openssl-libs@3.2.2-6.el9_5.1?arch=x86_64&distro=rhel-9.6&epoch=1&upstream=openssl-3.2.2-6.el9_5.1.src.rpm", + "upstreams": [ + { + "name": "openssl", + "version": "3.2.2-6.el9_5.1" + } ], - "purl": "pkg:rpm/redhat/libxml2@2.9.13-12.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libxml2-2.9.13-12.el9_6.src.rpm", - "upstreams": [], "metadataType": "RpmMetadata", "metadata": { - "epoch": null, + "epoch": 1, "modularityLabel": "" } } }, { "vulnerability": { - "id": "CVE-2024-41996", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. 
This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", + "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, - "impactScore": 3.6 + "baseScore": 3.9, + "exploitabilityScore": 1.4, + "impactScore": 2.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ], "fix": { "versions": [], - "state": "wont-fix" + "state": "not-fixed" }, "advisories": [], - "risk": 0.30705000000000005 + "risk": 0.20009999999999997 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-41996", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", "namespace": "nvd:cpe", - "severity": "High", + "severity": "Medium", "urls": [ - "https://dheatattack.gitlab.io/details/", - "https://dheatattack.gitlab.io/faq/", - "https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" + "https://curl.se/docs/CVE-2024-9681.html", + "https://curl.se/docs/CVE-2024-9681.json", + "https://hackerone.com/reports/2764830", + "http://seclists.org/fulldisclosure/2025/Apr/10", + 
"http://seclists.org/fulldisclosure/2025/Apr/11", + "http://seclists.org/fulldisclosure/2025/Apr/12", + "http://seclists.org/fulldisclosure/2025/Apr/13", + "http://seclists.org/fulldisclosure/2025/Apr/4", + "http://seclists.org/fulldisclosure/2025/Apr/5", + "http://seclists.org/fulldisclosure/2025/Apr/8", + "http://seclists.org/fulldisclosure/2025/Apr/9", + "http://www.openwall.com/lists/oss-security/2024/11/06/2", + "https://security.netapp.com/advisory/ntap-20241213-0006/" ], - "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", + "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for 
by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.3, + "impactScore": 4.3 + }, + "vendorMetadata": {} + }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} @@ -1070,25 +1037,25 @@ ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ] } ], "matchDetails": [ { - "type": "exact-direct-match", + "type": "exact-indirect-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { 
@@ -1096,21 +1063,21 @@ "version": "9.6" }, "package": { - "name": "openssl", - "version": "1:3.2.2-6.el9_5.1" + "name": "curl", + "version": "7.76.1-31.el9_6.1" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-41996", + "vulnerabilityID": "CVE-2024-9681", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "7dc75dc862d10c78", - "name": "openssl", - "version": "1:3.2.2-6.el9_5.1", + "id": "707ec843794b77ca", + "name": "curl-minimal", + "version": "7.76.1-31.el9_6.1", "type": "rpm", "locations": [ { 
@@ -1124,86 +1091,119 @@ ], "language": "", "licenses": [ - "ASL 2.0" + "MIT" ], "cpes": [ - "cpe:2.3:a:openssl:openssl:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:openssl:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*" + "cpe:2.3:a:curl-minimal:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:curl-minimal:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:curl_minimal:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:curl_minimal:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:curl:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:curl:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:rpm/redhat/curl-minimal@7.76.1-31.el9_6.1?arch=x86_64&distro=rhel-9.6&upstream=curl-7.76.1-31.el9_6.1.src.rpm", + "upstreams": [ + { + "name": "curl", + "version": "7.76.1-31.el9_6.1" + } ], - "purl": "pkg:rpm/redhat/openssl@3.2.2-6.el9_5.1?arch=x86_64&distro=rhel-9.6&epoch=1&upstream=openssl-3.2.2-6.el9_5.1.src.rpm", - "upstreams": [], "metadataType": "RpmMetadata", "metadata": { - "epoch": 1, + "epoch": null, "modularityLabel": "" } } }, { "vulnerability": { - "id": "CVE-2024-41996", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. 
This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", + "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, - "impactScore": 3.6 + "baseScore": 3.9, + "exploitabilityScore": 1.4, + "impactScore": 2.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ], "fix": { "versions": [], - "state": "wont-fix" + "state": "not-fixed" }, "advisories": [], - "risk": 0.30705000000000005 + "risk": 0.20009999999999997 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-41996", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", "namespace": "nvd:cpe", - "severity": "High", + "severity": "Medium", "urls": [ - "https://dheatattack.gitlab.io/details/", - "https://dheatattack.gitlab.io/faq/", - "https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" + "https://curl.se/docs/CVE-2024-9681.html", + "https://curl.se/docs/CVE-2024-9681.json", + "https://hackerone.com/reports/2764830", + "http://seclists.org/fulldisclosure/2025/Apr/10", + 
"http://seclists.org/fulldisclosure/2025/Apr/11", + "http://seclists.org/fulldisclosure/2025/Apr/12", + "http://seclists.org/fulldisclosure/2025/Apr/13", + "http://seclists.org/fulldisclosure/2025/Apr/4", + "http://seclists.org/fulldisclosure/2025/Apr/5", + "http://seclists.org/fulldisclosure/2025/Apr/8", + "http://seclists.org/fulldisclosure/2025/Apr/9", + "http://www.openwall.com/lists/oss-security/2024/11/06/2", + "https://security.netapp.com/advisory/ntap-20241213-0006/" ], - "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", + "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for 
by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.3, + "impactScore": 4.3 + }, + "vendorMetadata": {} + }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} @@ -1211,18 +1211,18 @@ ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ] } @@ -1237,21 +1237,21 @@ "version": "9.6" }, "package": { - "name": "openssl", - "version": "3.2.2-6.el9_5.1" + "name": "curl", + "version": "7.76.1-31.el9_6.1" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-41996", + "vulnerabilityID": "CVE-2024-9681", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "58e683943e8aac02", - "name": "openssl-libs", - "version": "1:3.2.2-6.el9_5.1", + "id": "220f5f360bc1aff5", + "name": "libcurl-minimal", + "version": "7.76.1-31.el9_6.1", "type": "rpm", "locations": [ { 
@@ -1265,28 +1265,28 @@ ], "language": "", "licenses": [ - "ASL 2.0" + "MIT" ], "cpes": [ - "cpe:2.3:a:openssl-libs:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl-libs:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl_libs:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl_libs:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*" + "cpe:2.3:a:libcurl-minimal:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl-minimal:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl_minimal:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl_minimal:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*" ], - "purl": "pkg:rpm/redhat/openssl-libs@3.2.2-6.el9_5.1?arch=x86_64&distro=rhel-9.6&epoch=1&upstream=openssl-3.2.2-6.el9_5.1.src.rpm", + "purl": "pkg:rpm/redhat/libcurl-minimal@7.76.1-31.el9_6.1?arch=x86_64&distro=rhel-9.6&upstream=curl-7.76.1-31.el9_6.1.src.rpm", "upstreams": [ { - "name": "openssl", - "version": "3.2.2-6.el9_5.1" + "name": "curl", + "version": "7.76.1-31.el9_6.1" } ], "metadataType": "RpmMetadata", "metadata": { - "epoch": 1, + "epoch": null, "modularityLabel": "" } } @@ -1316,8 +1316,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ], "fix": { 
@@ -1361,8 +1361,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ] } @@ -1456,8 +1456,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ], "fix": { @@ -1501,8 +1501,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ] } @@ -1596,8 +1596,8 @@ { "cve": "CVE-2025-14087", "epss": 0.00197, - "percentile": 0.41855, - "date": "2025-12-14" + "percentile": 0.41841, + "date": "2025-12-15" } ], "cwes": [ @@ -1644,8 +1644,8 @@ { "cve": "CVE-2025-14087", "epss": 0.00197, - "percentile": 0.41855, - "date": "2025-12-14" + "percentile": 0.41841, + "date": "2025-12-15" } ], "cwes": [ 
@@ -1718,38 +1718,203 @@ "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A flaw was found in glib, where the gvariant deserialization code is vulnerable to a denial of service introduced by additional input validation added to resolve CVE-2023-29499. The offset table validation may be very slow. This bug does not affect any released version of glib but does affect glib distributors who followed the guidance of glib developers to backport the initial fix for CVE-2023-29499.", + "description": "A flaw was found in glib, where the gvariant deserialization code is vulnerable to a denial of service introduced by additional input validation added to resolve CVE-2023-29499. The offset table validation may be very slow. This bug does not affect any released version of glib but does affect glib distributors who followed the guidance of glib developers to backport the initial fix for CVE-2023-29499.", + "cvss": [ + { + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.2, + "exploitabilityScore": 2.6, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ], + "epss": [ + { + "cve": "CVE-2023-32636", + "epss": 0.00165, + "percentile": 0.38035, + "date": "2025-12-15" + } + ], + "cwes": [ + { + "cve": "CVE-2023-32636", + "cwe": "CWE-400", + "source": "secalert@redhat.com", + "type": "Secondary" + }, + { + "cve": "CVE-2023-32636", + "cwe": "CWE-502", + "source": "nvd@nist.gov", + "type": "Primary" + } + ], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [], + "risk": 0.0759 + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-32636", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-32636", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://gitlab.gnome.org/GNOME/glib/-/issues/2841", + "https://https://discourse.gnome.org/t/multiple-fixes-for-gvariant-normalisation-issues-in-glib/12835", + 
"https://security.netapp.com/advisory/ntap-20231110-0002/" + ], + "description": "A flaw was found in glib, where the gvariant deserialization code is vulnerable to a denial of service introduced by additional input validation added to resolve CVE-2023-29499. The offset table validation may be very slow. This bug does not affect any released version of glib but does affect glib distributors who followed the guidance of glib developers to backport the initial fix for CVE-2023-29499.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + }, + { + "source": "secalert@redhat.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 4.7, + "exploitabilityScore": 1.1, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ], + "epss": [ + { + "cve": "CVE-2023-32636", + "epss": 0.00165, + "percentile": 0.38035, + "date": "2025-12-15" + } + ], + "cwes": [ + { + "cve": "CVE-2023-32636", + "cwe": "CWE-400", + "source": "secalert@redhat.com", + "type": "Secondary" + }, + { + "cve": "CVE-2023-32636", + "cwe": "CWE-502", + "source": "nvd@nist.gov", + "type": "Primary" + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "rpm-matcher", + "searchedBy": { + "distro": { + "type": "redhat", + "version": "9.6" + }, + "package": { + "name": "glib2", + "version": "0:2.68.4-16.el9_6.2" + }, + "namespace": "redhat:distro:redhat:9" + }, + "found": { + "vulnerabilityID": "CVE-2023-32636", + "versionConstraint": "none (unknown)" + } + } + ], + "artifact": { + "id": "35f4edf399bccea5", + "name": "glib2", + "version": "2.68.4-16.el9_6.2", + "type": "rpm", + "locations": [ + { + "path": "/var/lib/rpm/rpmdb.sqlite", + "layerID": 
"sha256:edd45c7762182a07027035e2eb9b73574f64ed728decb7abff3b667f77c65985", + "accessPath": "/var/lib/rpm/rpmdb.sqlite", + "annotations": { + "evidence": "primary" + } + } + ], + "language": "", + "licenses": [ + "LGPLv2+" + ], + "cpes": [ + "cpe:2.3:a:redhat:glib2:2.68.4-16.el9_6.2:*:*:*:*:*:*:*", + "cpe:2.3:a:glib2:glib2:2.68.4-16.el9_6.2:*:*:*:*:*:*:*" + ], + "purl": "pkg:rpm/redhat/glib2@2.68.4-16.el9_6.2?arch=x86_64&distro=rhel-9.6&upstream=glib2-2.68.4-16.el9_6.2.src.rpm", + "upstreams": [], + "metadataType": "RpmMetadata", + "metadata": { + "epoch": null, + "modularityLabel": "" + } + } + }, + { + "vulnerability": { + "id": "CVE-2025-27113", + "dataSource": "https://access.redhat.com/security/cve/CVE-2025-27113", + "namespace": "redhat:distro:redhat:9", + "severity": "Low", + "urls": [], + "description": "A flaw was found in libxml2. This vulnerability allows a NULL pointer dereference, leading to a potential crash or denial of service via a crafted XML pattern.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L", "metrics": { - "baseScore": 6.2, - "exploitabilityScore": 2.6, - "impactScore": 3.6 + "baseScore": 3.1, + "exploitabilityScore": 1.7, + "impactScore": 1.5 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2023-32636", - "epss": 0.00165, - "percentile": 0.38062, - "date": "2025-12-14" + "cve": "CVE-2025-27113", + "epss": 0.00217, + "percentile": 0.44238, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2023-32636", - "cwe": "CWE-400", - "source": "secalert@redhat.com", + "cve": "CVE-2025-27113", + "cwe": "CWE-476", + "source": "cve@mitre.org", "type": "Secondary" }, { - "cve": "CVE-2023-32636", - "cwe": "CWE-502", + "cve": "CVE-2025-27113", + "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" } 
@@ -1759,20 +1924,28 @@ "state": "not-fixed" }, "advisories": [], - "risk": 0.0759 + "risk": 0.066185 }, "relatedVulnerabilities": [ { - "id": "CVE-2023-32636", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-32636", + "id": "CVE-2025-27113", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-27113", "namespace": "nvd:cpe", "severity": "High", "urls": [ - "https://gitlab.gnome.org/GNOME/glib/-/issues/2841", - "https://https://discourse.gnome.org/t/multiple-fixes-for-gvariant-normalisation-issues-in-glib/12835", - "https://security.netapp.com/advisory/ntap-20231110-0002/" + "https://gitlab.gnome.org/GNOME/libxml2/-/issues/861", + "http://seclists.org/fulldisclosure/2025/Apr/10", + "http://seclists.org/fulldisclosure/2025/Apr/11", + "http://seclists.org/fulldisclosure/2025/Apr/12", + "http://seclists.org/fulldisclosure/2025/Apr/13", + "http://seclists.org/fulldisclosure/2025/Apr/4", + "http://seclists.org/fulldisclosure/2025/Apr/5", + "http://seclists.org/fulldisclosure/2025/Apr/8", + "http://seclists.org/fulldisclosure/2025/Apr/9", + "https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html", + "https://security.netapp.com/advisory/ntap-20250306-0004/" ], - "description": "A flaw was found in glib, where the gvariant deserialization code is vulnerable to a denial of service introduced by additional input validation added to resolve CVE-2023-29499. The offset table validation may be very slow. This bug does not affect any released version of glib but does affect glib distributors who followed the guidance of glib developers to backport the initial fix for CVE-2023-29499.", + "description": "libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer dereference in xmlPatMatch in pattern.c.", "cvss": [ { "source": "nvd@nist.gov", 
@@ -1787,36 +1960,36 @@ "vendorMetadata": {} }, { - "source": "secalert@redhat.com", + "source": "cve@mitre.org", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "metrics": { - "baseScore": 4.7, - "exploitabilityScore": 1.1, - "impactScore": 3.6 + "baseScore": 2.9, + "exploitabilityScore": 1.5, + "impactScore": 1.5 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2023-32636", - "epss": 0.00165, - "percentile": 0.38062, - "date": "2025-12-14" + "cve": "CVE-2025-27113", + "epss": 0.00217, + "percentile": 0.44238, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2023-32636", - "cwe": "CWE-400", - "source": "secalert@redhat.com", + "cve": "CVE-2025-27113", + "cwe": "CWE-476", + "source": "cve@mitre.org", "type": "Secondary" }, { - "cve": "CVE-2023-32636", - "cwe": "CWE-502", + "cve": "CVE-2025-27113", + "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" } @@ -1833,21 +2006,21 @@ "version": "9.6" }, "package": { - "name": "glib2", - "version": "0:2.68.4-16.el9_6.2" + "name": "libxml2", + "version": "0:2.9.13-12.el9_6" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2023-32636", + "vulnerabilityID": "CVE-2025-27113", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "35f4edf399bccea5", - "name": "glib2", - "version": "2.68.4-16.el9_6.2", + "id": "66b25e26e34fcd34", + "name": "libxml2", + "version": "2.9.13-12.el9_6", "type": "rpm", "locations": [ { 
@@ -1861,13 +2034,13 @@ ], "language": "", "licenses": [ - "LGPLv2+" + "MIT" ], "cpes": [ - "cpe:2.3:a:redhat:glib2:2.68.4-16.el9_6.2:*:*:*:*:*:*:*", - "cpe:2.3:a:glib2:glib2:2.68.4-16.el9_6.2:*:*:*:*:*:*:*" + "cpe:2.3:a:libxml2:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*" ], - "purl": "pkg:rpm/redhat/glib2@2.68.4-16.el9_6.2?arch=x86_64&distro=rhel-9.6&upstream=glib2-2.68.4-16.el9_6.2.src.rpm", + "purl": "pkg:rpm/redhat/libxml2@2.9.13-12.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libxml2-2.9.13-12.el9_6.src.rpm", "upstreams": [], "metadataType": "RpmMetadata", "metadata": { @@ -1901,8 +2074,8 @@ { "cve": "CVE-2025-32990", "epss": 0.0011, - "percentile": 0.30071, - "date": "2025-12-14" + "percentile": 0.3004, + "date": "2025-12-15" } ], "cwes": [ @@ -1985,8 +2158,8 @@ { "cve": "CVE-2025-32990", "epss": 0.0011, - "percentile": 0.30071, - "date": "2025-12-14" + "percentile": 0.3004, + "date": "2025-12-15" } ], "cwes": [ @@ -2080,8 +2253,8 @@ { "cve": "CVE-2025-1632", "epss": 0.00188, - "percentile": 0.40872, - "date": "2025-12-14" + "percentile": 0.40856, + "date": "2025-12-15" } ], "cwes": [ @@ -2176,8 +2349,8 @@ { "cve": "CVE-2025-1632", "epss": 0.00188, - "percentile": 0.40872, - "date": "2025-12-14" + "percentile": 0.40856, + "date": "2025-12-15" } ], "cwes": [ 
@@ -2255,179 +2428,6 @@ } } }, - { - "vulnerability": { - "id": "CVE-2025-27113", - "dataSource": "https://access.redhat.com/security/cve/CVE-2025-27113", - "namespace": "redhat:distro:redhat:9", - "severity": "Low", - "urls": [], - "description": "A flaw was found in libxml2. This vulnerability allows a NULL pointer dereference, leading to a potential crash or denial of service via a crafted XML pattern.", - "cvss": [ - { - "type": "Secondary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L", - "metrics": { - "baseScore": 3.1, - "exploitabilityScore": 1.7, - "impactScore": 1.5 - }, - "vendorMetadata": {} - } - ], - "epss": [ - { - "cve": "CVE-2025-27113", - "epss": 0.00184, - "percentile": 0.40434, - "date": "2025-12-14" - } - ], - "cwes": [ - { - "cve": "CVE-2025-27113", - "cwe": "CWE-476", - "source": "cve@mitre.org", - "type": "Secondary" - }, - { - "cve": "CVE-2025-27113", - "cwe": "CWE-476", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "fix": { - "versions": [], - "state": "not-fixed" - }, - "advisories": [], - "risk": 0.056119999999999996 - }, - "relatedVulnerabilities": [ - { - "id": "CVE-2025-27113", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-27113", - "namespace": "nvd:cpe", - "severity": "High", - "urls": [ - "https://gitlab.gnome.org/GNOME/libxml2/-/issues/861", - "http://seclists.org/fulldisclosure/2025/Apr/10", - "http://seclists.org/fulldisclosure/2025/Apr/11", - "http://seclists.org/fulldisclosure/2025/Apr/12", - "http://seclists.org/fulldisclosure/2025/Apr/13", - "http://seclists.org/fulldisclosure/2025/Apr/4", - "http://seclists.org/fulldisclosure/2025/Apr/5", - "http://seclists.org/fulldisclosure/2025/Apr/8", - "http://seclists.org/fulldisclosure/2025/Apr/9", - "https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html", - "https://security.netapp.com/advisory/ntap-20250306-0004/" - ], - "description": "libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer 
dereference in xmlPatMatch in pattern.c.", - "cvss": [ - { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, - "impactScore": 3.6 - }, - "vendorMetadata": {} - }, - { - "source": "cve@mitre.org", - "type": "Secondary", - "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", - "metrics": { - "baseScore": 2.9, - "exploitabilityScore": 1.5, - "impactScore": 1.5 - }, - "vendorMetadata": {} - } - ], - "epss": [ - { - "cve": "CVE-2025-27113", - "epss": 0.00184, - "percentile": 0.40434, - "date": "2025-12-14" - } - ], - "cwes": [ - { - "cve": "CVE-2025-27113", - "cwe": "CWE-476", - "source": "cve@mitre.org", - "type": "Secondary" - }, - { - "cve": "CVE-2025-27113", - "cwe": "CWE-476", - "source": "nvd@nist.gov", - "type": "Primary" - } - ] - } - ], - "matchDetails": [ - { - "type": "exact-direct-match", - "matcher": "rpm-matcher", - "searchedBy": { - "distro": { - "type": "redhat", - "version": "9.6" - }, - "package": { - "name": "libxml2", - "version": "0:2.9.13-12.el9_6" - }, - "namespace": "redhat:distro:redhat:9" - }, - "found": { - "vulnerabilityID": "CVE-2025-27113", - "versionConstraint": "none (unknown)" - } - } - ], - "artifact": { - "id": "66b25e26e34fcd34", - "name": "libxml2", - "version": "2.9.13-12.el9_6", - "type": "rpm", - "locations": [ - { - "path": "/var/lib/rpm/rpmdb.sqlite", - "layerID": "sha256:edd45c7762182a07027035e2eb9b73574f64ed728decb7abff3b667f77c65985", - "accessPath": "/var/lib/rpm/rpmdb.sqlite", - "annotations": { - "evidence": "primary" - } - } - ], - "language": "", - "licenses": [ - "MIT" - ], - "cpes": [ - "cpe:2.3:a:libxml2:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*" - ], - "purl": "pkg:rpm/redhat/libxml2@2.9.13-12.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libxml2-2.9.13-12.el9_6.src.rpm", - "upstreams": [], - 
"metadataType": "RpmMetadata", - "metadata": { - "epoch": null, - "modularityLabel": "" - } - } - }, { "vulnerability": { "id": "CVE-2025-9086", @@ -2453,8 +2453,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ], "fix": { @@ -2495,8 +2495,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ] } @@ -2590,8 +2590,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ], "fix": { @@ -2632,8 +2632,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ] } @@ -2727,8 +2727,8 @@ { "cve": "CVE-2025-32988", "epss": 0.00083, - "percentile": 0.24589, - "date": "2025-12-14" + "percentile": 0.24562, + "date": "2025-12-15" } ], "cwes": [ @@ -2811,8 +2811,8 @@ { "cve": "CVE-2025-32988", "epss": 0.00083, - "percentile": 0.24589, - "date": "2025-12-14" + "percentile": 0.24562, + "date": "2025-12-15" } ], "cwes": [ @@ -2906,8 +2906,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -2965,8 +2965,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -3057,8 +3057,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -3116,8 +3116,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ 
@@ -3219,8 +3219,8 @@ { "cve": "CVE-2025-6395", "epss": 0.00059, - "percentile": 0.18686, - "date": "2025-12-14" + "percentile": 0.18672, + "date": "2025-12-15" } ], "cwes": [ @@ -3291,8 +3291,8 @@ { "cve": "CVE-2025-6395", "epss": 0.00059, - "percentile": 0.18686, - "date": "2025-12-14" + "percentile": 0.18672, + "date": "2025-12-15" } ], "cwes": [ @@ -3386,8 +3386,8 @@ { "cve": "CVE-2023-45322", "epss": 0.00076, - "percentile": 0.23163, - "date": "2025-12-14" + "percentile": 0.2314, + "date": "2025-12-15" } ], "cwes": [ @@ -3436,8 +3436,8 @@ { "cve": "CVE-2023-45322", "epss": 0.00076, - "percentile": 0.23163, - "date": "2025-12-14" + "percentile": 0.2314, + "date": "2025-12-15" } ], "cwes": [ @@ -3528,8 +3528,8 @@ { "cve": "CVE-2025-32989", "epss": 0.00055, - "percentile": 0.17349, - "date": "2025-12-14" + "percentile": 0.17321, + "date": "2025-12-15" } ], "cwes": [ @@ -3598,8 +3598,8 @@ { "cve": "CVE-2025-32989", "epss": 0.00055, - "percentile": 0.17349, - "date": "2025-12-14" + "percentile": 0.17321, + "date": "2025-12-15" } ], "cwes": [ @@ -3693,8 +3693,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -3741,8 +3741,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -3833,8 +3833,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -3881,8 +3881,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -3984,8 +3984,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ], "fix": { 
@@ -4027,8 +4027,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ] } @@ -4122,8 +4122,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ], "fix": { @@ -4165,8 +4165,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ] } @@ -4260,8 +4260,8 @@ { "cve": "CVE-2025-3360", "epss": 0.00068, - "percentile": 0.2117, - "date": "2025-12-14" + "percentile": 0.21148, + "date": "2025-12-15" } ], "cwes": [ @@ -4309,8 +4309,8 @@ { "cve": "CVE-2025-3360", "epss": 0.00068, - "percentile": 0.2117, - "date": "2025-12-14" + "percentile": 0.21148, + "date": "2025-12-15" } ], "cwes": [ @@ -4401,8 +4401,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -4462,8 +4462,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -4559,8 +4559,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -4620,8 +4620,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -4717,8 +4717,8 @@ { "cve": "CVE-2025-4598", "epss": 0.00042, - "percentile": 0.12535, - "date": "2025-12-14" + "percentile": 0.12486, + "date": "2025-12-15" } ], "cwes": [ @@ -4790,8 +4790,8 @@ { "cve": "CVE-2025-4598", "epss": 0.00042, - "percentile": 0.12535, - "date": "2025-12-14" + "percentile": 0.12486, + "date": "2025-12-15" } ], "cwes": [ 
@@ -4896,8 +4896,8 @@ { "cve": "CVE-2025-14512", "epss": 0.00034, - "percentile": 0.09609, - "date": "2025-12-14" + "percentile": 0.09535, + "date": "2025-12-15" } ], "cwes": [ @@ -4944,8 +4944,8 @@ { "cve": "CVE-2025-14512", "epss": 0.00034, - "percentile": 0.09609, - "date": "2025-12-14" + "percentile": 0.09535, + "date": "2025-12-15" } ], "cwes": [ @@ -5039,8 +5039,8 @@ { "cve": "CVE-2025-29478", "epss": 0.00034, - "percentile": 0.09478, - "date": "2025-12-14" + "percentile": 0.09393, + "date": "2025-12-15" } ], "cwes": [ @@ -5131,8 +5131,8 @@ { "cve": "CVE-2025-6965", "epss": 0.00022, - "percentile": 0.05249, - "date": "2025-12-14" + "percentile": 0.05222, + "date": "2025-12-15" } ], "cwes": [ @@ -5208,8 +5208,8 @@ { "cve": "CVE-2025-6965", "epss": 0.00022, - "percentile": 0.05249, - "date": "2025-12-14" + "percentile": 0.05222, + "date": "2025-12-15" } ], "cwes": [ @@ -5314,8 +5314,8 @@ { "cve": "CVE-2023-4156", "epss": 0.00031, - "percentile": 0.08475, - "date": "2025-12-14" + "percentile": 0.08405, + "date": "2025-12-15" } ], "cwes": [ @@ -5380,8 +5380,8 @@ { "cve": "CVE-2023-4156", "epss": 0.00031, - "percentile": 0.08475, - "date": "2025-12-14" + "percentile": 0.08405, + "date": "2025-12-15" } ], "cwes": [ @@ -5478,8 +5478,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ @@ -5554,8 +5554,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ @@ -5655,8 +5655,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ @@ -5731,8 +5731,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ 
@@ -5843,8 +5843,8 @@ { "cve": "CVE-2025-9714", "epss": 0.00024, - "percentile": 0.05691, - "date": "2025-12-14" + "percentile": 0.05683, + "date": "2025-12-15" } ], "cwes": [ @@ -5917,8 +5917,8 @@ { "cve": "CVE-2025-9714", "epss": 0.00024, - "percentile": 0.05691, - "date": "2025-12-14" + "percentile": 0.05683, + "date": "2025-12-15" } ], "cwes": [ @@ -6012,8 +6012,8 @@ { "cve": "CVE-2025-60753", "epss": 0.0002, - "percentile": 0.04699, - "date": "2025-12-14" + "percentile": 0.04656, + "date": "2025-12-15" } ], "cwes": [ @@ -6066,8 +6066,8 @@ { "cve": "CVE-2025-60753", "epss": 0.0002, - "percentile": 0.04699, - "date": "2025-12-14" + "percentile": 0.04656, + "date": "2025-12-15" } ], "cwes": [ @@ -6167,8 +6167,8 @@ { "cve": "CVE-2025-29477", "epss": 0.00019, - "percentile": 0.04132, - "date": "2025-12-14" + "percentile": 0.04084, + "date": "2025-12-15" } ], "cwes": [ @@ -6259,8 +6259,8 @@ { "cve": "CVE-2025-13601", "epss": 0.00015, - "percentile": 0.02458, - "date": "2025-12-14" + "percentile": 0.0245, + "date": "2025-12-15" } ], "cwes": [ @@ -6309,8 +6309,8 @@ { "cve": "CVE-2025-13601", "epss": 0.00015, - "percentile": 0.02458, - "date": "2025-12-14" + "percentile": 0.0245, + "date": "2025-12-15" } ], "cwes": [ @@ -6401,8 +6401,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ], "fix": { @@ -6443,8 +6443,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ] } @@ -6538,8 +6538,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ], "fix": { @@ -6580,8 +6580,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ] } 
@@ -6675,8 +6675,8 @@ { "cve": "CVE-2025-5915", "epss": 0.00026, - "percentile": 0.06449, - "date": "2025-12-14" + "percentile": 0.06425, + "date": "2025-12-15" } ], "cwes": [ @@ -6737,8 +6737,8 @@ { "cve": "CVE-2025-5915", "epss": 0.00026, - "percentile": 0.06449, - "date": "2025-12-14" + "percentile": 0.06425, + "date": "2025-12-15" } ], "cwes": [ @@ -6829,8 +6829,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -6882,8 +6882,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -6974,8 +6974,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -7027,8 +7027,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -7130,8 +7130,8 @@ { "cve": "CVE-2025-5916", "epss": 0.00023, - "percentile": 0.05378, - "date": "2025-12-14" + "percentile": 0.05349, + "date": "2025-12-15" } ], "cwes": [ @@ -7192,8 +7192,8 @@ { "cve": "CVE-2025-5916", "epss": 0.00023, - "percentile": 0.05378, - "date": "2025-12-14" + "percentile": 0.05349, + "date": "2025-12-15" } ], "cwes": [ @@ -7284,8 +7284,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -7332,8 +7332,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -7429,8 +7429,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ 
@@ -7477,8 +7477,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -7574,8 +7574,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -7622,8 +7622,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -7719,8 +7719,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -7767,8 +7767,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -7864,8 +7864,8 @@ { "cve": "CVE-2025-5278", "epss": 0.00016, - "percentile": 0.02784, - "date": "2025-12-14" + "percentile": 0.02777, + "date": "2025-12-15" } ], "cwes": [ @@ -7918,8 +7918,8 @@ { "cve": "CVE-2025-5278", "epss": 0.00016, - "percentile": 0.02784, - "date": "2025-12-14" + "percentile": 0.02777, + "date": "2025-12-15" } ], "cwes": [ @@ -8021,8 +8021,8 @@ { "cve": "CVE-2023-30571", "epss": 0.00014, - "percentile": 0.02021, - "date": "2025-12-14" + "percentile": 0.02012, + "date": "2025-12-15" } ], "cwes": [ @@ -8087,8 +8087,8 @@ { "cve": "CVE-2023-30571", "epss": 0.00014, - "percentile": 0.02021, - "date": "2025-12-14" + "percentile": 0.02012, + "date": "2025-12-15" } ], "cwes": [ @@ -8185,8 +8185,8 @@ { "cve": "CVE-2025-30258", "epss": 0.00025, - "percentile": 0.05983, - "date": "2025-12-14" + "percentile": 0.0597, + "date": "2025-12-15" } ], "cwes": [ @@ -8246,8 +8246,8 @@ { "cve": "CVE-2025-30258", "epss": 0.00025, - "percentile": 0.05983, - "date": "2025-12-14" + "percentile": 0.0597, + "date": "2025-12-15" } ], "cwes": [ 
@@ -8338,8 +8338,8 @@ { "cve": "CVE-2024-0232", "epss": 0.00018, - "percentile": 0.03785, - "date": "2025-12-14" + "percentile": 0.03749, + "date": "2025-12-15" } ], "cwes": [ @@ -8406,8 +8406,8 @@ { "cve": "CVE-2024-0232", "epss": 0.00018, - "percentile": 0.03785, - "date": "2025-12-14" + "percentile": 0.03749, + "date": "2025-12-15" } ], "cwes": [ @@ -8515,8 +8515,8 @@ { "cve": "CVE-2025-5918", "epss": 0.00019, - "percentile": 0.04307, - "date": "2025-12-14" + "percentile": 0.04264, + "date": "2025-12-15" } ], "cwes": [ @@ -8577,8 +8577,8 @@ { "cve": "CVE-2025-5918", "epss": 0.00019, - "percentile": 0.04307, - "date": "2025-12-14" + "percentile": 0.04264, + "date": "2025-12-15" } ], "cwes": [ @@ -8669,8 +8669,8 @@ { "cve": "CVE-2022-3219", "epss": 0.00012, - "percentile": 0.01397, - "date": "2025-12-14" + "percentile": 0.01394, + "date": "2025-12-15" } ], "cwes": [ @@ -8739,8 +8739,8 @@ { "cve": "CVE-2022-3219", "epss": 0.00012, - "percentile": 0.01397, - "date": "2025-12-14" + "percentile": 0.01394, + "date": "2025-12-15" } ], "cwes": [ @@ -8837,8 +8837,8 @@ { "cve": "CVE-2025-5917", "epss": 0.00019, - "percentile": 0.04396, - "date": "2025-12-14" + "percentile": 0.04351, + "date": "2025-12-15" } ], "cwes": [ @@ -8899,8 +8899,8 @@ { "cve": "CVE-2025-5917", "epss": 0.00019, - "percentile": 0.04396, - "date": "2025-12-14" + "percentile": 0.04351, + "date": "2025-12-15" } ], "cwes": [ @@ -8991,8 +8991,8 @@ { "cve": "CVE-2025-6170", "epss": 0.00017, - "percentile": 0.03384, - "date": "2025-12-14" + "percentile": 0.03368, + "date": "2025-12-15" } ], "cwes": [ @@ -9052,8 +9052,8 @@ { "cve": "CVE-2025-6170", "epss": 0.00017, - "percentile": 0.03384, - "date": "2025-12-14" + "percentile": 0.03368, + "date": "2025-12-15" } ], "cwes": [ 
@@ -9575,87 +9575,87 @@ "db": { "status": { "schemaVersion": "v6.1.3", - "from": "https://grype.anchore.io/databases/v6/vulnerability-db_v6.1.3_2025-12-15T00:26:22Z_1765786837.tar.zst?checksum=sha256%3A819b50d22f073b9ab2ad3c00d212207037c07e1de037f81b528b58717b758db2", - "built": "2025-12-15T08:20:37Z", + "from": "https://grype.anchore.io/databases/v6/vulnerability-db_v6.1.3_2025-12-16T00:25:11Z_1765880790.tar.zst?checksum=sha256%3Aa8bb3ef2cc68f242e78cda1e451f290ff56a23b1063de65d22a0ac20e16ae5bd", + "built": "2025-12-16T10:26:30Z", "path": ".cache/grype/db/6/vulnerability.db", "valid": true }, "providers": { "alma": { - "captured": "2025-12-15T00:26:29Z", + "captured": "2025-12-16T00:25:17Z", "input": "xxh64:3bae44c7a22f7a7a" }, "alpine": { - "captured": "2025-12-15T00:26:22Z", - "input": "xxh64:a6910ebae352b990" + "captured": "2025-12-16T00:25:13Z", + "input": "xxh64:0d94cc3d895e96e4" }, "amazon": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:d9332811ab10da09" + "captured": "2025-12-16T00:25:14Z", + "input": "xxh64:96351b3c21f16cdd" }, "bitnami": { - "captured": "2025-12-15T00:26:31Z", - "input": "xxh64:1ecf12b668dea077" + "captured": "2025-12-16T00:25:26Z", + "input": "xxh64:01d096e52d6c584d" }, "chainguard": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:c788b1823558ccdc" + "captured": "2025-12-16T00:25:19Z", + "input": "xxh64:aeb142b1fabd05ef" }, "chainguard-libraries": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:61125e10198fff74" + "captured": "2025-12-16T00:25:25Z", + "input": "xxh64:131c1a3e98113468" }, "debian": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:3a0aef0ee5db3f38" + "captured": "2025-12-16T00:25:24Z", + "input": "xxh64:9c5942d58a5f0d0a" }, "echo": { - "captured": "2025-12-15T00:26:34Z", - "input": "xxh64:b407f1052619408a" + "captured": "2025-12-16T00:25:20Z", + "input": "xxh64:e65ed35a7a7899d0" }, "epss": { - "captured": "2025-12-15T00:26:28Z", - "input": "xxh64:05fd1e2ee709d2a5" + "captured": 
"2025-12-16T00:25:21Z", + "input": "xxh64:c443dbaf0209cf17" }, "github": { - "captured": "2025-12-15T00:26:44Z", - "input": "xxh64:3c7fd996a88f1c66" + "captured": "2025-12-16T00:25:21Z", + "input": "xxh64:640038905439d285" }, "kev": { - "captured": "2025-12-15T00:26:23Z", - "input": "xxh64:ed425533655d771d" + "captured": "2025-12-16T00:25:11Z", + "input": "xxh64:c28f5b32e2103243" }, "mariner": { - "captured": "2025-12-15T00:26:32Z", - "input": "xxh64:6fdbff1192df3158" + "captured": "2025-12-16T00:25:18Z", + "input": "xxh64:647810a8c07a63eb" }, "minimos": { - "captured": "2025-12-15T00:26:30Z", - "input": "xxh64:66fa9397e7abbbe3" + "captured": "2025-12-16T00:25:20Z", + "input": "xxh64:24ca3b7889974a27" }, "nvd": { - "captured": "2025-12-15T00:29:34Z", - "input": "xxh64:52a15157244d2eb4" + "captured": "2025-12-16T00:28:18Z", + "input": "xxh64:8ee1877e9a9e680b" }, "oracle": { - "captured": "2025-12-15T00:26:29Z", - "input": "xxh64:a3297070ed6c54c1" + "captured": "2025-12-16T00:25:23Z", + "input": "xxh64:a4416b6b3e4250df" }, "rhel": { - "captured": "2025-12-15T00:27:19Z", - "input": "xxh64:e625d0086bf187f1" + "captured": "2025-12-16T00:26:07Z", + "input": "xxh64:9911b1a567d8f57c" }, "sles": { - "captured": "2025-12-15T00:26:44Z", - "input": "xxh64:baf8228a110f8ba2" + "captured": "2025-12-16T00:25:43Z", + "input": "xxh64:1b717d5f2e45fdee" }, "ubuntu": { - "captured": "2025-12-15T00:27:45Z", - "input": "xxh64:dd0f79d777310979" + "captured": "2025-12-16T00:27:14Z", + "input": "xxh64:2d3097578288b46f" }, "wolfi": { - "captured": "2025-12-15T00:26:25Z", - "input": "xxh64:7f14313934ae61bb" + "captured": "2025-12-16T00:25:19Z", + "input": "xxh64:f85923693eb62700" } } } diff --git a/docs/security/agent/grype-25.9.1.md b/docs/security/agent/grype-25.9.1.md index b596c53..469b2f5 100644 --- a/docs/security/agent/grype-25.9.1.md +++ b/docs/security/agent/grype-25.9.1.md 
@@ -34,16 +34,16 @@ Refer to the [triaged vulnerabilities](https://docs.fluent.do/security/triaged.h | curl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-7264](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7264) | Low | | libcurl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-7264](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7264) | Low | | shadow-utils | 2:4.9-12.el9 | [CVE-2024-56433](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-56433) | Low | -| curl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | -| libcurl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | | libxml2 | 2.9.13-12.el9_6 | [CVE-2024-34459](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34459) | Low | | openssl | 1:3.2.2-6.el9_5.1 | [CVE-2024-41996](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41996) | Low | | openssl-libs | 1:3.2.2-6.el9_5.1 | [CVE-2024-41996](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41996) | Low | +| curl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | +| libcurl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | | curl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-11053](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-11053) | Low | | libcurl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-11053](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-11053) | Low | | glib2 | 2.68.4-16.el9_6.2 | [CVE-2023-32636](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32636) | Low | -| libarchive | 3.5.3-6.el9_6 | [CVE-2025-1632](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1632) | Low | | libxml2 | 2.9.13-12.el9_6 | [CVE-2025-27113](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27113) | Low | +| libarchive | 3.5.3-6.el9_6 | 
[CVE-2025-1632](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1632) | Low | | openssl | 1:3.2.2-6.el9_5.1 | [CVE-2024-13176](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13176) | Low | | openssl-libs | 1:3.2.2-6.el9_5.1 | [CVE-2024-13176](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13176) | Low | | libxml2 | 2.9.13-12.el9_6 | [CVE-2023-45322](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45322) | Low | diff --git a/docs/security/agent/grype-25.9.2.json b/docs/security/agent/grype-25.9.2.json index 2a04794..a6d2b5f 100644 --- a/docs/security/agent/grype-25.9.2.json +++ b/docs/security/agent/grype-25.9.2.json @@ -25,8 +25,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -91,8 +91,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -194,8 +194,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -260,8 +260,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -363,8 +363,8 @@ { "cve": "CVE-2024-56433", "epss": 0.05074, - "percentile": 0.8942, - "date": "2025-12-14" + "percentile": 0.89421, + "date": "2025-12-15" } ], "cwes": [ @@ -426,8 +426,8 @@ { "cve": "CVE-2024-56433", "epss": 0.05074, - "percentile": 0.8942, - "date": "2025-12-14" + "percentile": 0.89421, + "date": "2025-12-15" } ], "cwes": [ 
@@ -504,39 +504,39 @@ }, { "vulnerability": { - "id": "CVE-2024-9681", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", + "id": "CVE-2024-34459", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-34459", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", + "description": "A flaw was found in the xmllint program distributed by the libxml2 package. A buffer over-read in the xmlHTMLPrintFileContext function in the xmllint.c file may be triggered when a crafted file is processed with the xmllint program using the `--htmlout` command line option, causing an application crash and resulting in a denial of service.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 3.9, - "exploitabilityScore": 1.4, - "impactScore": 2.6 + "baseScore": 5.5, + "exploitabilityScore": 1.9, + "impactScore": 3.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-34459", + "epss": 0.00847, + "percentile": 0.74212, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-34459", + "cwe": "CWE-122", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ], "fix": { 
@@ -544,51 +544,36 @@ "state": "not-fixed" }, "advisories": [], - "risk": 0.422625 + "risk": 0.35997500000000004 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-9681", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", + "id": "CVE-2024-34459", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-34459", "namespace": "nvd:cpe", - "severity": "Medium", + "severity": "High", "urls": [ - "https://curl.se/docs/CVE-2024-9681.html", - "https://curl.se/docs/CVE-2024-9681.json", - "https://hackerone.com/reports/2764830", - "http://seclists.org/fulldisclosure/2025/Apr/10", - "http://seclists.org/fulldisclosure/2025/Apr/11", - "http://seclists.org/fulldisclosure/2025/Apr/12", - "http://seclists.org/fulldisclosure/2025/Apr/13", - "http://seclists.org/fulldisclosure/2025/Apr/4", - "http://seclists.org/fulldisclosure/2025/Apr/5", - "http://seclists.org/fulldisclosure/2025/Apr/8", - "http://seclists.org/fulldisclosure/2025/Apr/9", - "http://www.openwall.com/lists/oss-security/2024/11/06/2", - "https://security.netapp.com/advisory/ntap-20241213-0006/" + "https://gitlab.gnome.org/GNOME/libxml2/-/issues/720", + "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.8", + "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.7", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/", + "https://lists.debian.org/debian-lts-announce/2025/07/msg00014.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", + 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/" ], - "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", + "description": "An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. 
Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c.", "cvss": [ - { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", - "metrics": { - "baseScore": 6.5, - "exploitabilityScore": 2.3, - "impactScore": 4.3 - }, - "vendorMetadata": {} - }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, + "baseScore": 7.5, + "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} @@ -596,25 +581,25 @@ ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-34459", + "epss": 0.00847, + "percentile": 0.74212, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-34459", + "cwe": "CWE-122", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ] } ], "matchDetails": [ { - "type": "exact-indirect-match", + "type": "exact-direct-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { @@ -622,21 +607,21 @@ "version": "9.6" }, "package": { - "name": "curl", - "version": "7.76.1-31.el9_6.1" + "name": "libxml2", + "version": "0:2.9.13-12.el9_6" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-9681", + "vulnerabilityID": "CVE-2024-34459", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "707ec843794b77ca", - "name": "curl-minimal", - "version": "7.76.1-31.el9_6.1", + "id": "66b25e26e34fcd34", + "name": "libxml2", + "version": "2.9.13-12.el9_6", "type": "rpm", "locations": [ { 
@@ -653,22 +638,11 @@ "MIT" ], "cpes": [ - "cpe:2.3:a:curl-minimal:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:curl-minimal:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:curl_minimal:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:curl_minimal:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:curl:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:curl:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*" - ], - "purl": "pkg:rpm/redhat/curl-minimal@7.76.1-31.el9_6.1?arch=x86_64&distro=rhel-9.6&upstream=curl-7.76.1-31.el9_6.1.src.rpm", - "upstreams": [ - { - "name": "curl", - "version": "7.76.1-31.el9_6.1" - } + "cpe:2.3:a:libxml2:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*" ], + "purl": "pkg:rpm/redhat/libxml2@2.9.13-12.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libxml2-2.9.13-12.el9_6.src.rpm", + "upstreams": [], "metadataType": "RpmMetadata", "metadata": { "epoch": null, 
@@ -678,91 +652,69 @@ }, { "vulnerability": { - "id": "CVE-2024-9681", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", + "id": "CVE-2024-41996", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", + "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 3.9, - "exploitabilityScore": 1.4, - "impactScore": 2.6 + "baseScore": 5.9, + "exploitabilityScore": 2.3, + "impactScore": 3.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-41996", + "cwe": "CWE-295", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ], "fix": { "versions": [], - "state": "not-fixed" + "state": "wont-fix" }, "advisories": [], - "risk": 0.422625 + "risk": 0.30705000000000005 }, 
"relatedVulnerabilities": [ { - "id": "CVE-2024-9681", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", + "id": "CVE-2024-41996", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", "namespace": "nvd:cpe", - "severity": "Medium", + "severity": "High", "urls": [ - "https://curl.se/docs/CVE-2024-9681.html", - "https://curl.se/docs/CVE-2024-9681.json", - "https://hackerone.com/reports/2764830", - "http://seclists.org/fulldisclosure/2025/Apr/10", - "http://seclists.org/fulldisclosure/2025/Apr/11", - "http://seclists.org/fulldisclosure/2025/Apr/12", - "http://seclists.org/fulldisclosure/2025/Apr/13", - "http://seclists.org/fulldisclosure/2025/Apr/4", - "http://seclists.org/fulldisclosure/2025/Apr/5", - "http://seclists.org/fulldisclosure/2025/Apr/8", - "http://seclists.org/fulldisclosure/2025/Apr/9", - "http://www.openwall.com/lists/oss-security/2024/11/06/2", - "https://security.netapp.com/advisory/ntap-20241213-0006/" + "https://dheatattack.gitlab.io/details/", + "https://dheatattack.gitlab.io/faq/", + "https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" ], - "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug 
is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", + "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", "cvss": [ - { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", - "metrics": { - "baseScore": 6.5, - "exploitabilityScore": 2.3, - "impactScore": 4.3 - }, - "vendorMetadata": {} - }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, + "baseScore": 7.5, + "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} 
@@ -770,25 +722,25 @@ ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-41996", + "cwe": "CWE-295", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ] } ], "matchDetails": [ { - "type": "exact-indirect-match", + "type": "exact-direct-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { @@ -796,21 +748,21 @@ "version": "9.6" }, "package": { - "name": "curl", - "version": "7.76.1-31.el9_6.1" + "name": "openssl", + "version": "1:3.2.2-6.el9_5.1" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-9681", + "vulnerabilityID": "CVE-2024-41996", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "220f5f360bc1aff5", - "name": "libcurl-minimal", - "version": "7.76.1-31.el9_6.1", + "id": "7dc75dc862d10c78", + "name": "openssl", + "version": "1:3.2.2-6.el9_5.1", "type": "rpm", "locations": [ { 
@@ -824,48 +776,37 @@ ], "language": "", "licenses": [ - "MIT" + "ASL 2.0" ], "cpes": [ - "cpe:2.3:a:libcurl-minimal:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl-minimal:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl_minimal:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl_minimal:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*" - ], - "purl": "pkg:rpm/redhat/libcurl-minimal@7.76.1-31.el9_6.1?arch=x86_64&distro=rhel-9.6&upstream=curl-7.76.1-31.el9_6.1.src.rpm", - "upstreams": [ - { - "name": "curl", - "version": "7.76.1-31.el9_6.1" - } + "cpe:2.3:a:openssl:openssl:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:openssl:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*" ], + "purl": "pkg:rpm/redhat/openssl@3.2.2-6.el9_5.1?arch=x86_64&distro=rhel-9.6&epoch=1&upstream=openssl-3.2.2-6.el9_5.1.src.rpm", + "upstreams": [], "metadataType": "RpmMetadata", "metadata": { - "epoch": null, + "epoch": 1, "modularityLabel": "" } } }, { "vulnerability": { - "id": "CVE-2024-34459", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-34459", + "id": "CVE-2024-41996", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A flaw was found in the xmllint program distributed by the libxml2 package. 
A buffer over-read in the xmlHTMLPrintFileContext function in the xmllint.c file may be triggered when a crafted file is processed with the xmllint program using the `--htmlout` command line option, causing an application crash and resulting in a denial of service.", + "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 5.5, - "exploitabilityScore": 1.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} 
@@ -873,52 +814,45 @@ ], "epss": [ { - "cve": "CVE-2024-34459", - "epss": 0.00847, - "percentile": 0.74208, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-34459", - "cwe": "CWE-122", + "cve": "CVE-2024-41996", + "cwe": "CWE-295", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ], "fix": { "versions": [], - "state": "not-fixed" + "state": "wont-fix" }, "advisories": [], - "risk": 0.35997500000000004 + "risk": 0.30705000000000005 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-34459", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-34459", + "id": "CVE-2024-41996", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", "namespace": "nvd:cpe", "severity": "High", "urls": [ - "https://gitlab.gnome.org/GNOME/libxml2/-/issues/720", - "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.8", - "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.7", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/", - "https://lists.debian.org/debian-lts-announce/2025/07/msg00014.html", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/" + "https://dheatattack.gitlab.io/details/", + "https://dheatattack.gitlab.io/faq/", + 
"https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" ], - "description": "An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c.", + "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", "cvss": [ { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { "baseScore": 7.5, "exploitabilityScore": 3.9, @@ -929,16 +863,16 @@ ], "epss": [ { - "cve": "CVE-2024-34459", - "epss": 0.00847, - "percentile": 0.74208, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-34459", - "cwe": "CWE-122", + "cve": "CVE-2024-41996", + "cwe": "CWE-295", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } @@ -947,7 +881,7 @@ ], "matchDetails": [ { - "type": "exact-direct-match", + "type": "exact-indirect-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { 
@@ -955,21 +889,21 @@ "version": "9.6" }, "package": { - "name": "libxml2", - "version": "0:2.9.13-12.el9_6" + "name": "openssl", + "version": "3.2.2-6.el9_5.1" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-34459", + "vulnerabilityID": "CVE-2024-41996", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "66b25e26e34fcd34", - "name": "libxml2", - "version": "2.9.13-12.el9_6", + "id": "58e683943e8aac02", + "name": "openssl-libs", + "version": "1:3.2.2-6.el9_5.1", "type": "rpm", "locations": [ { 
@@ -983,86 +917,119 @@ ], "language": "", "licenses": [ - "MIT" + "ASL 2.0" ], "cpes": [ - "cpe:2.3:a:libxml2:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*" + "cpe:2.3:a:openssl-libs:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl-libs:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl_libs:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl_libs:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:rpm/redhat/openssl-libs@3.2.2-6.el9_5.1?arch=x86_64&distro=rhel-9.6&epoch=1&upstream=openssl-3.2.2-6.el9_5.1.src.rpm", + "upstreams": [ + { + "name": "openssl", + "version": "3.2.2-6.el9_5.1" + } ], - "purl": "pkg:rpm/redhat/libxml2@2.9.13-12.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libxml2-2.9.13-12.el9_6.src.rpm", - "upstreams": [], "metadataType": "RpmMetadata", "metadata": { - "epoch": null, + "epoch": 1, "modularityLabel": "" } } }, { "vulnerability": { - "id": "CVE-2024-41996", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. 
This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", + "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, - "impactScore": 3.6 + "baseScore": 3.9, + "exploitabilityScore": 1.4, + "impactScore": 2.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ], "fix": { "versions": [], - "state": "wont-fix" + "state": "not-fixed" }, "advisories": [], - "risk": 0.30705000000000005 + "risk": 0.20009999999999997 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-41996", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", "namespace": "nvd:cpe", - "severity": "High", + "severity": "Medium", "urls": [ - "https://dheatattack.gitlab.io/details/", - "https://dheatattack.gitlab.io/faq/", - "https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" + "https://curl.se/docs/CVE-2024-9681.html", + "https://curl.se/docs/CVE-2024-9681.json", + "https://hackerone.com/reports/2764830", + "http://seclists.org/fulldisclosure/2025/Apr/10", + 
"http://seclists.org/fulldisclosure/2025/Apr/11", + "http://seclists.org/fulldisclosure/2025/Apr/12", + "http://seclists.org/fulldisclosure/2025/Apr/13", + "http://seclists.org/fulldisclosure/2025/Apr/4", + "http://seclists.org/fulldisclosure/2025/Apr/5", + "http://seclists.org/fulldisclosure/2025/Apr/8", + "http://seclists.org/fulldisclosure/2025/Apr/9", + "http://www.openwall.com/lists/oss-security/2024/11/06/2", + "https://security.netapp.com/advisory/ntap-20241213-0006/" ], - "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", + "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for 
by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.3, + "impactScore": 4.3 + }, + "vendorMetadata": {} + }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} @@ -1070,25 +1037,25 @@ ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ] } ], "matchDetails": [ { - "type": "exact-direct-match", + "type": "exact-indirect-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { 
@@ -1096,21 +1063,21 @@ "version": "9.6" }, "package": { - "name": "openssl", - "version": "1:3.2.2-6.el9_5.1" + "name": "curl", + "version": "7.76.1-31.el9_6.1" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-41996", + "vulnerabilityID": "CVE-2024-9681", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "7dc75dc862d10c78", - "name": "openssl", - "version": "1:3.2.2-6.el9_5.1", + "id": "707ec843794b77ca", + "name": "curl-minimal", + "version": "7.76.1-31.el9_6.1", "type": "rpm", "locations": [ { 
@@ -1124,86 +1091,119 @@ ], "language": "", "licenses": [ - "ASL 2.0" + "MIT" ], "cpes": [ - "cpe:2.3:a:openssl:openssl:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:openssl:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*" + "cpe:2.3:a:curl-minimal:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:curl-minimal:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:curl_minimal:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:curl_minimal:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:curl:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:curl:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:rpm/redhat/curl-minimal@7.76.1-31.el9_6.1?arch=x86_64&distro=rhel-9.6&upstream=curl-7.76.1-31.el9_6.1.src.rpm", + "upstreams": [ + { + "name": "curl", + "version": "7.76.1-31.el9_6.1" + } ], - "purl": "pkg:rpm/redhat/openssl@3.2.2-6.el9_5.1?arch=x86_64&distro=rhel-9.6&epoch=1&upstream=openssl-3.2.2-6.el9_5.1.src.rpm", - "upstreams": [], "metadataType": "RpmMetadata", "metadata": { - "epoch": 1, + "epoch": null, "modularityLabel": "" } } }, { "vulnerability": { - "id": "CVE-2024-41996", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. 
This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", + "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, - "impactScore": 3.6 + "baseScore": 3.9, + "exploitabilityScore": 1.4, + "impactScore": 2.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ], "fix": { "versions": [], - "state": "wont-fix" + "state": "not-fixed" }, "advisories": [], - "risk": 0.30705000000000005 + "risk": 0.20009999999999997 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-41996", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", "namespace": "nvd:cpe", - "severity": "High", + "severity": "Medium", "urls": [ - "https://dheatattack.gitlab.io/details/", - "https://dheatattack.gitlab.io/faq/", - "https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" + "https://curl.se/docs/CVE-2024-9681.html", + "https://curl.se/docs/CVE-2024-9681.json", + "https://hackerone.com/reports/2764830", + "http://seclists.org/fulldisclosure/2025/Apr/10", + 
"http://seclists.org/fulldisclosure/2025/Apr/11", + "http://seclists.org/fulldisclosure/2025/Apr/12", + "http://seclists.org/fulldisclosure/2025/Apr/13", + "http://seclists.org/fulldisclosure/2025/Apr/4", + "http://seclists.org/fulldisclosure/2025/Apr/5", + "http://seclists.org/fulldisclosure/2025/Apr/8", + "http://seclists.org/fulldisclosure/2025/Apr/9", + "http://www.openwall.com/lists/oss-security/2024/11/06/2", + "https://security.netapp.com/advisory/ntap-20241213-0006/" ], - "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", + "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for 
by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.3, + "impactScore": 4.3 + }, + "vendorMetadata": {} + }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} @@ -1211,18 +1211,18 @@ ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ] } @@ -1237,21 +1237,21 @@ "version": "9.6" }, "package": { - "name": "openssl", - "version": "3.2.2-6.el9_5.1" + "name": "curl", + "version": "7.76.1-31.el9_6.1" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-41996", + "vulnerabilityID": "CVE-2024-9681", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "58e683943e8aac02", - "name": "openssl-libs", - "version": "1:3.2.2-6.el9_5.1", + "id": "220f5f360bc1aff5", + "name": "libcurl-minimal", + "version": "7.76.1-31.el9_6.1", "type": "rpm", "locations": [ { 
@@ -1265,28 +1265,28 @@ ], "language": "", "licenses": [ - "ASL 2.0" + "MIT" ], "cpes": [ - "cpe:2.3:a:openssl-libs:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl-libs:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl_libs:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl_libs:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*" + "cpe:2.3:a:libcurl-minimal:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl-minimal:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl_minimal:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl_minimal:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*" ], - "purl": "pkg:rpm/redhat/openssl-libs@3.2.2-6.el9_5.1?arch=x86_64&distro=rhel-9.6&epoch=1&upstream=openssl-3.2.2-6.el9_5.1.src.rpm", + "purl": "pkg:rpm/redhat/libcurl-minimal@7.76.1-31.el9_6.1?arch=x86_64&distro=rhel-9.6&upstream=curl-7.76.1-31.el9_6.1.src.rpm", "upstreams": [ { - "name": "openssl", - "version": "3.2.2-6.el9_5.1" + "name": "curl", + "version": "7.76.1-31.el9_6.1" } ], "metadataType": "RpmMetadata", "metadata": { - "epoch": 1, + "epoch": null, "modularityLabel": "" } } @@ -1316,8 +1316,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ], "fix": { 
@@ -1361,8 +1361,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ] } @@ -1456,8 +1456,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ], "fix": { @@ -1501,8 +1501,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ] } @@ -1596,8 +1596,8 @@ { "cve": "CVE-2025-14087", "epss": 0.00197, - "percentile": 0.41855, - "date": "2025-12-14" + "percentile": 0.41841, + "date": "2025-12-15" } ], "cwes": [ @@ -1644,8 +1644,8 @@ { "cve": "CVE-2025-14087", "epss": 0.00197, - "percentile": 0.41855, - "date": "2025-12-14" + "percentile": 0.41841, + "date": "2025-12-15" } ], "cwes": [ 
@@ -1718,38 +1718,203 @@ "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A flaw was found in glib, where the gvariant deserialization code is vulnerable to a denial of service introduced by additional input validation added to resolve CVE-2023-29499. The offset table validation may be very slow. This bug does not affect any released version of glib but does affect glib distributors who followed the guidance of glib developers to backport the initial fix for CVE-2023-29499.", + "description": "A flaw was found in glib, where the gvariant deserialization code is vulnerable to a denial of service introduced by additional input validation added to resolve CVE-2023-29499. The offset table validation may be very slow. This bug does not affect any released version of glib but does affect glib distributors who followed the guidance of glib developers to backport the initial fix for CVE-2023-29499.", + "cvss": [ + { + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.2, + "exploitabilityScore": 2.6, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ], + "epss": [ + { + "cve": "CVE-2023-32636", + "epss": 0.00165, + "percentile": 0.38035, + "date": "2025-12-15" + } + ], + "cwes": [ + { + "cve": "CVE-2023-32636", + "cwe": "CWE-400", + "source": "secalert@redhat.com", + "type": "Secondary" + }, + { + "cve": "CVE-2023-32636", + "cwe": "CWE-502", + "source": "nvd@nist.gov", + "type": "Primary" + } + ], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [], + "risk": 0.0759 + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-32636", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-32636", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://gitlab.gnome.org/GNOME/glib/-/issues/2841", + "https://https://discourse.gnome.org/t/multiple-fixes-for-gvariant-normalisation-issues-in-glib/12835", + 
"https://security.netapp.com/advisory/ntap-20231110-0002/" + ], + "description": "A flaw was found in glib, where the gvariant deserialization code is vulnerable to a denial of service introduced by additional input validation added to resolve CVE-2023-29499. The offset table validation may be very slow. This bug does not affect any released version of glib but does affect glib distributors who followed the guidance of glib developers to backport the initial fix for CVE-2023-29499.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + }, + { + "source": "secalert@redhat.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 4.7, + "exploitabilityScore": 1.1, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ], + "epss": [ + { + "cve": "CVE-2023-32636", + "epss": 0.00165, + "percentile": 0.38035, + "date": "2025-12-15" + } + ], + "cwes": [ + { + "cve": "CVE-2023-32636", + "cwe": "CWE-400", + "source": "secalert@redhat.com", + "type": "Secondary" + }, + { + "cve": "CVE-2023-32636", + "cwe": "CWE-502", + "source": "nvd@nist.gov", + "type": "Primary" + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "rpm-matcher", + "searchedBy": { + "distro": { + "type": "redhat", + "version": "9.6" + }, + "package": { + "name": "glib2", + "version": "0:2.68.4-16.el9_6.2" + }, + "namespace": "redhat:distro:redhat:9" + }, + "found": { + "vulnerabilityID": "CVE-2023-32636", + "versionConstraint": "none (unknown)" + } + } + ], + "artifact": { + "id": "35f4edf399bccea5", + "name": "glib2", + "version": "2.68.4-16.el9_6.2", + "type": "rpm", + "locations": [ + { + "path": "/var/lib/rpm/rpmdb.sqlite", + "layerID": 
"sha256:31a5b734e9d4104fb0b3d7e1a5c0073993812555c6fb7ab75c73300346a1cc7e", + "accessPath": "/var/lib/rpm/rpmdb.sqlite", + "annotations": { + "evidence": "primary" + } + } + ], + "language": "", + "licenses": [ + "LGPLv2+" + ], + "cpes": [ + "cpe:2.3:a:redhat:glib2:2.68.4-16.el9_6.2:*:*:*:*:*:*:*", + "cpe:2.3:a:glib2:glib2:2.68.4-16.el9_6.2:*:*:*:*:*:*:*" + ], + "purl": "pkg:rpm/redhat/glib2@2.68.4-16.el9_6.2?arch=x86_64&distro=rhel-9.6&upstream=glib2-2.68.4-16.el9_6.2.src.rpm", + "upstreams": [], + "metadataType": "RpmMetadata", + "metadata": { + "epoch": null, + "modularityLabel": "" + } + } + }, + { + "vulnerability": { + "id": "CVE-2025-27113", + "dataSource": "https://access.redhat.com/security/cve/CVE-2025-27113", + "namespace": "redhat:distro:redhat:9", + "severity": "Low", + "urls": [], + "description": "A flaw was found in libxml2. This vulnerability allows a NULL pointer dereference, leading to a potential crash or denial of service via a crafted XML pattern.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L", "metrics": { - "baseScore": 6.2, - "exploitabilityScore": 2.6, - "impactScore": 3.6 + "baseScore": 3.1, + "exploitabilityScore": 1.7, + "impactScore": 1.5 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2023-32636", - "epss": 0.00165, - "percentile": 0.38062, - "date": "2025-12-14" + "cve": "CVE-2025-27113", + "epss": 0.00217, + "percentile": 0.44238, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2023-32636", - "cwe": "CWE-400", - "source": "secalert@redhat.com", + "cve": "CVE-2025-27113", + "cwe": "CWE-476", + "source": "cve@mitre.org", "type": "Secondary" }, { - "cve": "CVE-2023-32636", - "cwe": "CWE-502", + "cve": "CVE-2025-27113", + "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" } 
@@ -1759,20 +1924,28 @@ "state": "not-fixed" }, "advisories": [], - "risk": 0.0759 + "risk": 0.066185 }, "relatedVulnerabilities": [ { - "id": "CVE-2023-32636", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-32636", + "id": "CVE-2025-27113", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-27113", "namespace": "nvd:cpe", "severity": "High", "urls": [ - "https://gitlab.gnome.org/GNOME/glib/-/issues/2841", - "https://https://discourse.gnome.org/t/multiple-fixes-for-gvariant-normalisation-issues-in-glib/12835", - "https://security.netapp.com/advisory/ntap-20231110-0002/" + "https://gitlab.gnome.org/GNOME/libxml2/-/issues/861", + "http://seclists.org/fulldisclosure/2025/Apr/10", + "http://seclists.org/fulldisclosure/2025/Apr/11", + "http://seclists.org/fulldisclosure/2025/Apr/12", + "http://seclists.org/fulldisclosure/2025/Apr/13", + "http://seclists.org/fulldisclosure/2025/Apr/4", + "http://seclists.org/fulldisclosure/2025/Apr/5", + "http://seclists.org/fulldisclosure/2025/Apr/8", + "http://seclists.org/fulldisclosure/2025/Apr/9", + "https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html", + "https://security.netapp.com/advisory/ntap-20250306-0004/" ], - "description": "A flaw was found in glib, where the gvariant deserialization code is vulnerable to a denial of service introduced by additional input validation added to resolve CVE-2023-29499. The offset table validation may be very slow. This bug does not affect any released version of glib but does affect glib distributors who followed the guidance of glib developers to backport the initial fix for CVE-2023-29499.", + "description": "libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer dereference in xmlPatMatch in pattern.c.", "cvss": [ { "source": "nvd@nist.gov", 
@@ -1787,36 +1960,36 @@ "vendorMetadata": {} }, { - "source": "secalert@redhat.com", + "source": "cve@mitre.org", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "metrics": { - "baseScore": 4.7, - "exploitabilityScore": 1.1, - "impactScore": 3.6 + "baseScore": 2.9, + "exploitabilityScore": 1.5, + "impactScore": 1.5 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2023-32636", - "epss": 0.00165, - "percentile": 0.38062, - "date": "2025-12-14" + "cve": "CVE-2025-27113", + "epss": 0.00217, + "percentile": 0.44238, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2023-32636", - "cwe": "CWE-400", - "source": "secalert@redhat.com", + "cve": "CVE-2025-27113", + "cwe": "CWE-476", + "source": "cve@mitre.org", "type": "Secondary" }, { - "cve": "CVE-2023-32636", - "cwe": "CWE-502", + "cve": "CVE-2025-27113", + "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" } @@ -1833,21 +2006,21 @@ "version": "9.6" }, "package": { - "name": "glib2", - "version": "0:2.68.4-16.el9_6.2" + "name": "libxml2", + "version": "0:2.9.13-12.el9_6" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2023-32636", + "vulnerabilityID": "CVE-2025-27113", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "35f4edf399bccea5", - "name": "glib2", - "version": "2.68.4-16.el9_6.2", + "id": "66b25e26e34fcd34", + "name": "libxml2", + "version": "2.9.13-12.el9_6", "type": "rpm", "locations": [ { 
@@ -1861,13 +2034,13 @@ ], "language": "", "licenses": [ - "LGPLv2+" + "MIT" ], "cpes": [ - "cpe:2.3:a:redhat:glib2:2.68.4-16.el9_6.2:*:*:*:*:*:*:*", - "cpe:2.3:a:glib2:glib2:2.68.4-16.el9_6.2:*:*:*:*:*:*:*" + "cpe:2.3:a:libxml2:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*" ], - "purl": "pkg:rpm/redhat/glib2@2.68.4-16.el9_6.2?arch=x86_64&distro=rhel-9.6&upstream=glib2-2.68.4-16.el9_6.2.src.rpm", + "purl": "pkg:rpm/redhat/libxml2@2.9.13-12.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libxml2-2.9.13-12.el9_6.src.rpm", "upstreams": [], "metadataType": "RpmMetadata", "metadata": { @@ -1901,8 +2074,8 @@ { "cve": "CVE-2025-32990", "epss": 0.0011, - "percentile": 0.30071, - "date": "2025-12-14" + "percentile": 0.3004, + "date": "2025-12-15" } ], "cwes": [ @@ -1985,8 +2158,8 @@ { "cve": "CVE-2025-32990", "epss": 0.0011, - "percentile": 0.30071, - "date": "2025-12-14" + "percentile": 0.3004, + "date": "2025-12-15" } ], "cwes": [ @@ -2080,8 +2253,8 @@ { "cve": "CVE-2025-1632", "epss": 0.00188, - "percentile": 0.40872, - "date": "2025-12-14" + "percentile": 0.40856, + "date": "2025-12-15" } ], "cwes": [ @@ -2176,8 +2349,8 @@ { "cve": "CVE-2025-1632", "epss": 0.00188, - "percentile": 0.40872, - "date": "2025-12-14" + "percentile": 0.40856, + "date": "2025-12-15" } ], "cwes": [ 
@@ -2255,179 +2428,6 @@ } } }, - { - "vulnerability": { - "id": "CVE-2025-27113", - "dataSource": "https://access.redhat.com/security/cve/CVE-2025-27113", - "namespace": "redhat:distro:redhat:9", - "severity": "Low", - "urls": [], - "description": "A flaw was found in libxml2. This vulnerability allows a NULL pointer dereference, leading to a potential crash or denial of service via a crafted XML pattern.", - "cvss": [ - { - "type": "Secondary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L", - "metrics": { - "baseScore": 3.1, - "exploitabilityScore": 1.7, - "impactScore": 1.5 - }, - "vendorMetadata": {} - } - ], - "epss": [ - { - "cve": "CVE-2025-27113", - "epss": 0.00184, - "percentile": 0.40434, - "date": "2025-12-14" - } - ], - "cwes": [ - { - "cve": "CVE-2025-27113", - "cwe": "CWE-476", - "source": "cve@mitre.org", - "type": "Secondary" - }, - { - "cve": "CVE-2025-27113", - "cwe": "CWE-476", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "fix": { - "versions": [], - "state": "not-fixed" - }, - "advisories": [], - "risk": 0.056119999999999996 - }, - "relatedVulnerabilities": [ - { - "id": "CVE-2025-27113", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-27113", - "namespace": "nvd:cpe", - "severity": "High", - "urls": [ - "https://gitlab.gnome.org/GNOME/libxml2/-/issues/861", - "http://seclists.org/fulldisclosure/2025/Apr/10", - "http://seclists.org/fulldisclosure/2025/Apr/11", - "http://seclists.org/fulldisclosure/2025/Apr/12", - "http://seclists.org/fulldisclosure/2025/Apr/13", - "http://seclists.org/fulldisclosure/2025/Apr/4", - "http://seclists.org/fulldisclosure/2025/Apr/5", - "http://seclists.org/fulldisclosure/2025/Apr/8", - "http://seclists.org/fulldisclosure/2025/Apr/9", - "https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html", - "https://security.netapp.com/advisory/ntap-20250306-0004/" - ], - "description": "libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer 
dereference in xmlPatMatch in pattern.c.", - "cvss": [ - { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, - "impactScore": 3.6 - }, - "vendorMetadata": {} - }, - { - "source": "cve@mitre.org", - "type": "Secondary", - "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", - "metrics": { - "baseScore": 2.9, - "exploitabilityScore": 1.5, - "impactScore": 1.5 - }, - "vendorMetadata": {} - } - ], - "epss": [ - { - "cve": "CVE-2025-27113", - "epss": 0.00184, - "percentile": 0.40434, - "date": "2025-12-14" - } - ], - "cwes": [ - { - "cve": "CVE-2025-27113", - "cwe": "CWE-476", - "source": "cve@mitre.org", - "type": "Secondary" - }, - { - "cve": "CVE-2025-27113", - "cwe": "CWE-476", - "source": "nvd@nist.gov", - "type": "Primary" - } - ] - } - ], - "matchDetails": [ - { - "type": "exact-direct-match", - "matcher": "rpm-matcher", - "searchedBy": { - "distro": { - "type": "redhat", - "version": "9.6" - }, - "package": { - "name": "libxml2", - "version": "0:2.9.13-12.el9_6" - }, - "namespace": "redhat:distro:redhat:9" - }, - "found": { - "vulnerabilityID": "CVE-2025-27113", - "versionConstraint": "none (unknown)" - } - } - ], - "artifact": { - "id": "66b25e26e34fcd34", - "name": "libxml2", - "version": "2.9.13-12.el9_6", - "type": "rpm", - "locations": [ - { - "path": "/var/lib/rpm/rpmdb.sqlite", - "layerID": "sha256:31a5b734e9d4104fb0b3d7e1a5c0073993812555c6fb7ab75c73300346a1cc7e", - "accessPath": "/var/lib/rpm/rpmdb.sqlite", - "annotations": { - "evidence": "primary" - } - } - ], - "language": "", - "licenses": [ - "MIT" - ], - "cpes": [ - "cpe:2.3:a:libxml2:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*" - ], - "purl": "pkg:rpm/redhat/libxml2@2.9.13-12.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libxml2-2.9.13-12.el9_6.src.rpm", - "upstreams": [], - 
"metadataType": "RpmMetadata", - "metadata": { - "epoch": null, - "modularityLabel": "" - } - } - }, { "vulnerability": { "id": "CVE-2025-9086", @@ -2453,8 +2453,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ], "fix": { @@ -2495,8 +2495,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ] } @@ -2590,8 +2590,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ], "fix": { @@ -2632,8 +2632,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ] } @@ -2727,8 +2727,8 @@ { "cve": "CVE-2025-32988", "epss": 0.00083, - "percentile": 0.24589, - "date": "2025-12-14" + "percentile": 0.24562, + "date": "2025-12-15" } ], "cwes": [ @@ -2811,8 +2811,8 @@ { "cve": "CVE-2025-32988", "epss": 0.00083, - "percentile": 0.24589, - "date": "2025-12-14" + "percentile": 0.24562, + "date": "2025-12-15" } ], "cwes": [ @@ -2906,8 +2906,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -2965,8 +2965,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -3057,8 +3057,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -3116,8 +3116,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ 
@@ -3219,8 +3219,8 @@ { "cve": "CVE-2025-6395", "epss": 0.00059, - "percentile": 0.18686, - "date": "2025-12-14" + "percentile": 0.18672, + "date": "2025-12-15" } ], "cwes": [ @@ -3291,8 +3291,8 @@ { "cve": "CVE-2025-6395", "epss": 0.00059, - "percentile": 0.18686, - "date": "2025-12-14" + "percentile": 0.18672, + "date": "2025-12-15" } ], "cwes": [ @@ -3386,8 +3386,8 @@ { "cve": "CVE-2023-45322", "epss": 0.00076, - "percentile": 0.23163, - "date": "2025-12-14" + "percentile": 0.2314, + "date": "2025-12-15" } ], "cwes": [ @@ -3436,8 +3436,8 @@ { "cve": "CVE-2023-45322", "epss": 0.00076, - "percentile": 0.23163, - "date": "2025-12-14" + "percentile": 0.2314, + "date": "2025-12-15" } ], "cwes": [ @@ -3528,8 +3528,8 @@ { "cve": "CVE-2025-32989", "epss": 0.00055, - "percentile": 0.17349, - "date": "2025-12-14" + "percentile": 0.17321, + "date": "2025-12-15" } ], "cwes": [ @@ -3598,8 +3598,8 @@ { "cve": "CVE-2025-32989", "epss": 0.00055, - "percentile": 0.17349, - "date": "2025-12-14" + "percentile": 0.17321, + "date": "2025-12-15" } ], "cwes": [ @@ -3693,8 +3693,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -3741,8 +3741,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -3833,8 +3833,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -3881,8 +3881,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -3984,8 +3984,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ], "fix": { 
@@ -4027,8 +4027,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ] } @@ -4122,8 +4122,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ], "fix": { @@ -4165,8 +4165,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ] } @@ -4260,8 +4260,8 @@ { "cve": "CVE-2025-3360", "epss": 0.00068, - "percentile": 0.2117, - "date": "2025-12-14" + "percentile": 0.21148, + "date": "2025-12-15" } ], "cwes": [ @@ -4309,8 +4309,8 @@ { "cve": "CVE-2025-3360", "epss": 0.00068, - "percentile": 0.2117, - "date": "2025-12-14" + "percentile": 0.21148, + "date": "2025-12-15" } ], "cwes": [ @@ -4401,8 +4401,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -4462,8 +4462,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -4559,8 +4559,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -4620,8 +4620,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -4717,8 +4717,8 @@ { "cve": "CVE-2025-4598", "epss": 0.00042, - "percentile": 0.12535, - "date": "2025-12-14" + "percentile": 0.12486, + "date": "2025-12-15" } ], "cwes": [ @@ -4790,8 +4790,8 @@ { "cve": "CVE-2025-4598", "epss": 0.00042, - "percentile": 0.12535, - "date": "2025-12-14" + "percentile": 0.12486, + "date": "2025-12-15" } ], "cwes": [ 
@@ -4896,8 +4896,8 @@ { "cve": "CVE-2025-14512", "epss": 0.00034, - "percentile": 0.09609, - "date": "2025-12-14" + "percentile": 0.09535, + "date": "2025-12-15" } ], "cwes": [ @@ -4944,8 +4944,8 @@ { "cve": "CVE-2025-14512", "epss": 0.00034, - "percentile": 0.09609, - "date": "2025-12-14" + "percentile": 0.09535, + "date": "2025-12-15" } ], "cwes": [ @@ -5039,8 +5039,8 @@ { "cve": "CVE-2025-29478", "epss": 0.00034, - "percentile": 0.09478, - "date": "2025-12-14" + "percentile": 0.09393, + "date": "2025-12-15" } ], "cwes": [ @@ -5131,8 +5131,8 @@ { "cve": "CVE-2025-6965", "epss": 0.00022, - "percentile": 0.05249, - "date": "2025-12-14" + "percentile": 0.05222, + "date": "2025-12-15" } ], "cwes": [ @@ -5208,8 +5208,8 @@ { "cve": "CVE-2025-6965", "epss": 0.00022, - "percentile": 0.05249, - "date": "2025-12-14" + "percentile": 0.05222, + "date": "2025-12-15" } ], "cwes": [ @@ -5314,8 +5314,8 @@ { "cve": "CVE-2023-4156", "epss": 0.00031, - "percentile": 0.08475, - "date": "2025-12-14" + "percentile": 0.08405, + "date": "2025-12-15" } ], "cwes": [ @@ -5380,8 +5380,8 @@ { "cve": "CVE-2023-4156", "epss": 0.00031, - "percentile": 0.08475, - "date": "2025-12-14" + "percentile": 0.08405, + "date": "2025-12-15" } ], "cwes": [ @@ -5478,8 +5478,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ @@ -5554,8 +5554,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ @@ -5655,8 +5655,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ @@ -5731,8 +5731,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ 
@@ -5843,8 +5843,8 @@ { "cve": "CVE-2025-9714", "epss": 0.00024, - "percentile": 0.05691, - "date": "2025-12-14" + "percentile": 0.05683, + "date": "2025-12-15" } ], "cwes": [ @@ -5917,8 +5917,8 @@ { "cve": "CVE-2025-9714", "epss": 0.00024, - "percentile": 0.05691, - "date": "2025-12-14" + "percentile": 0.05683, + "date": "2025-12-15" } ], "cwes": [ @@ -6012,8 +6012,8 @@ { "cve": "CVE-2025-60753", "epss": 0.0002, - "percentile": 0.04699, - "date": "2025-12-14" + "percentile": 0.04656, + "date": "2025-12-15" } ], "cwes": [ @@ -6066,8 +6066,8 @@ { "cve": "CVE-2025-60753", "epss": 0.0002, - "percentile": 0.04699, - "date": "2025-12-14" + "percentile": 0.04656, + "date": "2025-12-15" } ], "cwes": [ @@ -6167,8 +6167,8 @@ { "cve": "CVE-2025-29477", "epss": 0.00019, - "percentile": 0.04132, - "date": "2025-12-14" + "percentile": 0.04084, + "date": "2025-12-15" } ], "cwes": [ @@ -6259,8 +6259,8 @@ { "cve": "CVE-2025-13601", "epss": 0.00015, - "percentile": 0.02458, - "date": "2025-12-14" + "percentile": 0.0245, + "date": "2025-12-15" } ], "cwes": [ @@ -6309,8 +6309,8 @@ { "cve": "CVE-2025-13601", "epss": 0.00015, - "percentile": 0.02458, - "date": "2025-12-14" + "percentile": 0.0245, + "date": "2025-12-15" } ], "cwes": [ @@ -6401,8 +6401,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ], "fix": { @@ -6443,8 +6443,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ] } @@ -6538,8 +6538,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ], "fix": { @@ -6580,8 +6580,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ] } 
@@ -6675,8 +6675,8 @@ { "cve": "CVE-2025-5915", "epss": 0.00026, - "percentile": 0.06449, - "date": "2025-12-14" + "percentile": 0.06425, + "date": "2025-12-15" } ], "cwes": [ @@ -6737,8 +6737,8 @@ { "cve": "CVE-2025-5915", "epss": 0.00026, - "percentile": 0.06449, - "date": "2025-12-14" + "percentile": 0.06425, + "date": "2025-12-15" } ], "cwes": [ @@ -6829,8 +6829,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -6882,8 +6882,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -6974,8 +6974,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -7027,8 +7027,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -7130,8 +7130,8 @@ { "cve": "CVE-2025-5916", "epss": 0.00023, - "percentile": 0.05378, - "date": "2025-12-14" + "percentile": 0.05349, + "date": "2025-12-15" } ], "cwes": [ @@ -7192,8 +7192,8 @@ { "cve": "CVE-2025-5916", "epss": 0.00023, - "percentile": 0.05378, - "date": "2025-12-14" + "percentile": 0.05349, + "date": "2025-12-15" } ], "cwes": [ @@ -7284,8 +7284,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -7332,8 +7332,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -7429,8 +7429,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ 
@@ -7477,8 +7477,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -7574,8 +7574,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -7622,8 +7622,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -7719,8 +7719,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -7767,8 +7767,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -7864,8 +7864,8 @@ { "cve": "CVE-2025-5278", "epss": 0.00016, - "percentile": 0.02784, - "date": "2025-12-14" + "percentile": 0.02777, + "date": "2025-12-15" } ], "cwes": [ @@ -7918,8 +7918,8 @@ { "cve": "CVE-2025-5278", "epss": 0.00016, - "percentile": 0.02784, - "date": "2025-12-14" + "percentile": 0.02777, + "date": "2025-12-15" } ], "cwes": [ @@ -8021,8 +8021,8 @@ { "cve": "CVE-2023-30571", "epss": 0.00014, - "percentile": 0.02021, - "date": "2025-12-14" + "percentile": 0.02012, + "date": "2025-12-15" } ], "cwes": [ @@ -8087,8 +8087,8 @@ { "cve": "CVE-2023-30571", "epss": 0.00014, - "percentile": 0.02021, - "date": "2025-12-14" + "percentile": 0.02012, + "date": "2025-12-15" } ], "cwes": [ @@ -8185,8 +8185,8 @@ { "cve": "CVE-2025-30258", "epss": 0.00025, - "percentile": 0.05983, - "date": "2025-12-14" + "percentile": 0.0597, + "date": "2025-12-15" } ], "cwes": [ @@ -8246,8 +8246,8 @@ { "cve": "CVE-2025-30258", "epss": 0.00025, - "percentile": 0.05983, - "date": "2025-12-14" + "percentile": 0.0597, + "date": "2025-12-15" } ], "cwes": [ 
@@ -8338,8 +8338,8 @@ { "cve": "CVE-2024-0232", "epss": 0.00018, - "percentile": 0.03785, - "date": "2025-12-14" + "percentile": 0.03749, + "date": "2025-12-15" } ], "cwes": [ @@ -8406,8 +8406,8 @@ { "cve": "CVE-2024-0232", "epss": 0.00018, - "percentile": 0.03785, - "date": "2025-12-14" + "percentile": 0.03749, + "date": "2025-12-15" } ], "cwes": [ @@ -8515,8 +8515,8 @@ { "cve": "CVE-2025-5918", "epss": 0.00019, - "percentile": 0.04307, - "date": "2025-12-14" + "percentile": 0.04264, + "date": "2025-12-15" } ], "cwes": [ @@ -8577,8 +8577,8 @@ { "cve": "CVE-2025-5918", "epss": 0.00019, - "percentile": 0.04307, - "date": "2025-12-14" + "percentile": 0.04264, + "date": "2025-12-15" } ], "cwes": [ @@ -8669,8 +8669,8 @@ { "cve": "CVE-2022-3219", "epss": 0.00012, - "percentile": 0.01397, - "date": "2025-12-14" + "percentile": 0.01394, + "date": "2025-12-15" } ], "cwes": [ @@ -8739,8 +8739,8 @@ { "cve": "CVE-2022-3219", "epss": 0.00012, - "percentile": 0.01397, - "date": "2025-12-14" + "percentile": 0.01394, + "date": "2025-12-15" } ], "cwes": [ @@ -8837,8 +8837,8 @@ { "cve": "CVE-2025-5917", "epss": 0.00019, - "percentile": 0.04396, - "date": "2025-12-14" + "percentile": 0.04351, + "date": "2025-12-15" } ], "cwes": [ @@ -8899,8 +8899,8 @@ { "cve": "CVE-2025-5917", "epss": 0.00019, - "percentile": 0.04396, - "date": "2025-12-14" + "percentile": 0.04351, + "date": "2025-12-15" } ], "cwes": [ @@ -8991,8 +8991,8 @@ { "cve": "CVE-2025-6170", "epss": 0.00017, - "percentile": 0.03384, - "date": "2025-12-14" + "percentile": 0.03368, + "date": "2025-12-15" } ], "cwes": [ @@ -9052,8 +9052,8 @@ { "cve": "CVE-2025-6170", "epss": 0.00017, - "percentile": 0.03384, - "date": "2025-12-14" + "percentile": 0.03368, + "date": "2025-12-15" } ], "cwes": [ 
@@ -9575,87 +9575,87 @@ "db": { "status": { "schemaVersion": "v6.1.3", - "from": "https://grype.anchore.io/databases/v6/vulnerability-db_v6.1.3_2025-12-15T00:26:22Z_1765786837.tar.zst?checksum=sha256%3A819b50d22f073b9ab2ad3c00d212207037c07e1de037f81b528b58717b758db2", - "built": "2025-12-15T08:20:37Z", + "from": "https://grype.anchore.io/databases/v6/vulnerability-db_v6.1.3_2025-12-16T00:25:11Z_1765880790.tar.zst?checksum=sha256%3Aa8bb3ef2cc68f242e78cda1e451f290ff56a23b1063de65d22a0ac20e16ae5bd", + "built": "2025-12-16T10:26:30Z", "path": ".cache/grype/db/6/vulnerability.db", "valid": true }, "providers": { "alma": { - "captured": "2025-12-15T00:26:29Z", + "captured": "2025-12-16T00:25:17Z", "input": "xxh64:3bae44c7a22f7a7a" }, "alpine": { - "captured": "2025-12-15T00:26:22Z", - "input": "xxh64:a6910ebae352b990" + "captured": "2025-12-16T00:25:13Z", + "input": "xxh64:0d94cc3d895e96e4" }, "amazon": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:d9332811ab10da09" + "captured": "2025-12-16T00:25:14Z", + "input": "xxh64:96351b3c21f16cdd" }, "bitnami": { - "captured": "2025-12-15T00:26:31Z", - "input": "xxh64:1ecf12b668dea077" + "captured": "2025-12-16T00:25:26Z", + "input": "xxh64:01d096e52d6c584d" }, "chainguard": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:c788b1823558ccdc" + "captured": "2025-12-16T00:25:19Z", + "input": "xxh64:aeb142b1fabd05ef" }, "chainguard-libraries": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:61125e10198fff74" + "captured": "2025-12-16T00:25:25Z", + "input": "xxh64:131c1a3e98113468" }, "debian": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:3a0aef0ee5db3f38" + "captured": "2025-12-16T00:25:24Z", + "input": "xxh64:9c5942d58a5f0d0a" }, "echo": { - "captured": "2025-12-15T00:26:34Z", - "input": "xxh64:b407f1052619408a" + "captured": "2025-12-16T00:25:20Z", + "input": "xxh64:e65ed35a7a7899d0" }, "epss": { - "captured": "2025-12-15T00:26:28Z", - "input": "xxh64:05fd1e2ee709d2a5" + "captured": 
"2025-12-16T00:25:21Z", + "input": "xxh64:c443dbaf0209cf17" }, "github": { - "captured": "2025-12-15T00:26:44Z", - "input": "xxh64:3c7fd996a88f1c66" + "captured": "2025-12-16T00:25:21Z", + "input": "xxh64:640038905439d285" }, "kev": { - "captured": "2025-12-15T00:26:23Z", - "input": "xxh64:ed425533655d771d" + "captured": "2025-12-16T00:25:11Z", + "input": "xxh64:c28f5b32e2103243" }, "mariner": { - "captured": "2025-12-15T00:26:32Z", - "input": "xxh64:6fdbff1192df3158" + "captured": "2025-12-16T00:25:18Z", + "input": "xxh64:647810a8c07a63eb" }, "minimos": { - "captured": "2025-12-15T00:26:30Z", - "input": "xxh64:66fa9397e7abbbe3" + "captured": "2025-12-16T00:25:20Z", + "input": "xxh64:24ca3b7889974a27" }, "nvd": { - "captured": "2025-12-15T00:29:34Z", - "input": "xxh64:52a15157244d2eb4" + "captured": "2025-12-16T00:28:18Z", + "input": "xxh64:8ee1877e9a9e680b" }, "oracle": { - "captured": "2025-12-15T00:26:29Z", - "input": "xxh64:a3297070ed6c54c1" + "captured": "2025-12-16T00:25:23Z", + "input": "xxh64:a4416b6b3e4250df" }, "rhel": { - "captured": "2025-12-15T00:27:19Z", - "input": "xxh64:e625d0086bf187f1" + "captured": "2025-12-16T00:26:07Z", + "input": "xxh64:9911b1a567d8f57c" }, "sles": { - "captured": "2025-12-15T00:26:44Z", - "input": "xxh64:baf8228a110f8ba2" + "captured": "2025-12-16T00:25:43Z", + "input": "xxh64:1b717d5f2e45fdee" }, "ubuntu": { - "captured": "2025-12-15T00:27:45Z", - "input": "xxh64:dd0f79d777310979" + "captured": "2025-12-16T00:27:14Z", + "input": "xxh64:2d3097578288b46f" }, "wolfi": { - "captured": "2025-12-15T00:26:25Z", - "input": "xxh64:7f14313934ae61bb" + "captured": "2025-12-16T00:25:19Z", + "input": "xxh64:f85923693eb62700" } } } diff --git a/docs/security/agent/grype-25.9.2.md b/docs/security/agent/grype-25.9.2.md index 8b412d3..bb765d3 100644 --- a/docs/security/agent/grype-25.9.2.md +++ b/docs/security/agent/grype-25.9.2.md 
@@ -34,16 +34,16 @@ Refer to the [triaged vulnerabilities](https://docs.fluent.do/security/triaged.h | curl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-7264](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7264) | Low | | libcurl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-7264](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7264) | Low | | shadow-utils | 2:4.9-12.el9 | [CVE-2024-56433](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-56433) | Low | -| curl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | -| libcurl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | | libxml2 | 2.9.13-12.el9_6 | [CVE-2024-34459](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34459) | Low | | openssl | 1:3.2.2-6.el9_5.1 | [CVE-2024-41996](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41996) | Low | | openssl-libs | 1:3.2.2-6.el9_5.1 | [CVE-2024-41996](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41996) | Low | +| curl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | +| libcurl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | | curl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-11053](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-11053) | Low | | libcurl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-11053](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-11053) | Low | | glib2 | 2.68.4-16.el9_6.2 | [CVE-2023-32636](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32636) | Low | -| libarchive | 3.5.3-6.el9_6 | [CVE-2025-1632](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1632) | Low | | libxml2 | 2.9.13-12.el9_6 | [CVE-2025-27113](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27113) | Low | +| libarchive | 3.5.3-6.el9_6 | 
[CVE-2025-1632](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1632) | Low | | openssl | 1:3.2.2-6.el9_5.1 | [CVE-2024-13176](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13176) | Low | | openssl-libs | 1:3.2.2-6.el9_5.1 | [CVE-2024-13176](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13176) | Low | | libxml2 | 2.9.13-12.el9_6 | [CVE-2023-45322](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45322) | Low | diff --git a/docs/security/agent/grype-25.9.3.json b/docs/security/agent/grype-25.9.3.json index 222e4ee..8b78611 100644 --- a/docs/security/agent/grype-25.9.3.json +++ b/docs/security/agent/grype-25.9.3.json @@ -25,8 +25,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -91,8 +91,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -194,8 +194,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -260,8 +260,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -363,8 +363,8 @@ { "cve": "CVE-2024-56433", "epss": 0.05074, - "percentile": 0.8942, - "date": "2025-12-14" + "percentile": 0.89421, + "date": "2025-12-15" } ], "cwes": [ @@ -426,8 +426,8 @@ { "cve": "CVE-2024-56433", "epss": 0.05074, - "percentile": 0.8942, - "date": "2025-12-14" + "percentile": 0.89421, + "date": "2025-12-15" } ], "cwes": [ 
@@ -504,39 +504,39 @@ }, { "vulnerability": { - "id": "CVE-2024-9681", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", + "id": "CVE-2024-34459", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-34459", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", + "description": "A flaw was found in the xmllint program distributed by the libxml2 package. A buffer over-read in the xmlHTMLPrintFileContext function in the xmllint.c file may be triggered when a crafted file is processed with the xmllint program using the `--htmlout` command line option, causing an application crash and resulting in a denial of service.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 3.9, - "exploitabilityScore": 1.4, - "impactScore": 2.6 + "baseScore": 5.5, + "exploitabilityScore": 1.9, + "impactScore": 3.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-34459", + "epss": 0.00847, + "percentile": 0.74212, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-34459", + "cwe": "CWE-122", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ], "fix": { 
@@ -544,51 +544,36 @@ "state": "not-fixed" }, "advisories": [], - "risk": 0.422625 + "risk": 0.35997500000000004 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-9681", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", + "id": "CVE-2024-34459", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-34459", "namespace": "nvd:cpe", - "severity": "Medium", + "severity": "High", "urls": [ - "https://curl.se/docs/CVE-2024-9681.html", - "https://curl.se/docs/CVE-2024-9681.json", - "https://hackerone.com/reports/2764830", - "http://seclists.org/fulldisclosure/2025/Apr/10", - "http://seclists.org/fulldisclosure/2025/Apr/11", - "http://seclists.org/fulldisclosure/2025/Apr/12", - "http://seclists.org/fulldisclosure/2025/Apr/13", - "http://seclists.org/fulldisclosure/2025/Apr/4", - "http://seclists.org/fulldisclosure/2025/Apr/5", - "http://seclists.org/fulldisclosure/2025/Apr/8", - "http://seclists.org/fulldisclosure/2025/Apr/9", - "http://www.openwall.com/lists/oss-security/2024/11/06/2", - "https://security.netapp.com/advisory/ntap-20241213-0006/" + "https://gitlab.gnome.org/GNOME/libxml2/-/issues/720", + "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.8", + "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.7", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/", + "https://lists.debian.org/debian-lts-announce/2025/07/msg00014.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", + 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/" ], - "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", + "description": "An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. 
Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c.", "cvss": [ - { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", - "metrics": { - "baseScore": 6.5, - "exploitabilityScore": 2.3, - "impactScore": 4.3 - }, - "vendorMetadata": {} - }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, + "baseScore": 7.5, + "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} @@ -596,25 +581,25 @@ ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-34459", + "epss": 0.00847, + "percentile": 0.74212, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-34459", + "cwe": "CWE-122", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ] } ], "matchDetails": [ { - "type": "exact-indirect-match", + "type": "exact-direct-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { @@ -622,21 +607,21 @@ "version": "9.6" }, "package": { - "name": "curl", - "version": "7.76.1-31.el9_6.1" + "name": "libxml2", + "version": "0:2.9.13-12.el9_6" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-9681", + "vulnerabilityID": "CVE-2024-34459", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "707ec843794b77ca", - "name": "curl-minimal", - "version": "7.76.1-31.el9_6.1", + "id": "66b25e26e34fcd34", + "name": "libxml2", + "version": "2.9.13-12.el9_6", "type": "rpm", "locations": [ { 
@@ -653,22 +638,11 @@ "MIT" ], "cpes": [ - "cpe:2.3:a:curl-minimal:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:curl-minimal:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:curl_minimal:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:curl_minimal:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:curl:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:curl:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*" - ], - "purl": "pkg:rpm/redhat/curl-minimal@7.76.1-31.el9_6.1?arch=x86_64&distro=rhel-9.6&upstream=curl-7.76.1-31.el9_6.1.src.rpm", - "upstreams": [ - { - "name": "curl", - "version": "7.76.1-31.el9_6.1" - } + "cpe:2.3:a:libxml2:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*" ], + "purl": "pkg:rpm/redhat/libxml2@2.9.13-12.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libxml2-2.9.13-12.el9_6.src.rpm", + "upstreams": [], "metadataType": "RpmMetadata", "metadata": { "epoch": null, 
@@ -678,91 +652,69 @@ }, { "vulnerability": { - "id": "CVE-2024-9681", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", + "id": "CVE-2024-41996", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", + "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 3.9, - "exploitabilityScore": 1.4, - "impactScore": 2.6 + "baseScore": 5.9, + "exploitabilityScore": 2.3, + "impactScore": 3.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-41996", + "cwe": "CWE-295", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ], "fix": { "versions": [], - "state": "not-fixed" + "state": "wont-fix" }, "advisories": [], - "risk": 0.422625 + "risk": 0.30705000000000005 }, 
"relatedVulnerabilities": [ { - "id": "CVE-2024-9681", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", + "id": "CVE-2024-41996", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", "namespace": "nvd:cpe", - "severity": "Medium", + "severity": "High", "urls": [ - "https://curl.se/docs/CVE-2024-9681.html", - "https://curl.se/docs/CVE-2024-9681.json", - "https://hackerone.com/reports/2764830", - "http://seclists.org/fulldisclosure/2025/Apr/10", - "http://seclists.org/fulldisclosure/2025/Apr/11", - "http://seclists.org/fulldisclosure/2025/Apr/12", - "http://seclists.org/fulldisclosure/2025/Apr/13", - "http://seclists.org/fulldisclosure/2025/Apr/4", - "http://seclists.org/fulldisclosure/2025/Apr/5", - "http://seclists.org/fulldisclosure/2025/Apr/8", - "http://seclists.org/fulldisclosure/2025/Apr/9", - "http://www.openwall.com/lists/oss-security/2024/11/06/2", - "https://security.netapp.com/advisory/ntap-20241213-0006/" + "https://dheatattack.gitlab.io/details/", + "https://dheatattack.gitlab.io/faq/", + "https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" ], - "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug 
is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", + "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", "cvss": [ - { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", - "metrics": { - "baseScore": 6.5, - "exploitabilityScore": 2.3, - "impactScore": 4.3 - }, - "vendorMetadata": {} - }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, + "baseScore": 7.5, + "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} 
@@ -770,25 +722,25 @@ ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-41996", + "cwe": "CWE-295", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ] } ], "matchDetails": [ { - "type": "exact-indirect-match", + "type": "exact-direct-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { @@ -796,21 +748,21 @@ "version": "9.6" }, "package": { - "name": "curl", - "version": "7.76.1-31.el9_6.1" + "name": "openssl", + "version": "1:3.2.2-6.el9_5.1" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-9681", + "vulnerabilityID": "CVE-2024-41996", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "220f5f360bc1aff5", - "name": "libcurl-minimal", - "version": "7.76.1-31.el9_6.1", + "id": "7dc75dc862d10c78", + "name": "openssl", + "version": "1:3.2.2-6.el9_5.1", "type": "rpm", "locations": [ { 
@@ -824,48 +776,37 @@ ], "language": "", "licenses": [ - "MIT" + "ASL 2.0" ], "cpes": [ - "cpe:2.3:a:libcurl-minimal:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl-minimal:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl_minimal:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl_minimal:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*" - ], - "purl": "pkg:rpm/redhat/libcurl-minimal@7.76.1-31.el9_6.1?arch=x86_64&distro=rhel-9.6&upstream=curl-7.76.1-31.el9_6.1.src.rpm", - "upstreams": [ - { - "name": "curl", - "version": "7.76.1-31.el9_6.1" - } + "cpe:2.3:a:openssl:openssl:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:openssl:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*" ], + "purl": "pkg:rpm/redhat/openssl@3.2.2-6.el9_5.1?arch=x86_64&distro=rhel-9.6&epoch=1&upstream=openssl-3.2.2-6.el9_5.1.src.rpm", + "upstreams": [], "metadataType": "RpmMetadata", "metadata": { - "epoch": null, + "epoch": 1, "modularityLabel": "" } } }, { "vulnerability": { - "id": "CVE-2024-34459", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-34459", + "id": "CVE-2024-41996", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A flaw was found in the xmllint program distributed by the libxml2 package. 
A buffer over-read in the xmlHTMLPrintFileContext function in the xmllint.c file may be triggered when a crafted file is processed with the xmllint program using the `--htmlout` command line option, causing an application crash and resulting in a denial of service.", + "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 5.5, - "exploitabilityScore": 1.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} 
@@ -873,52 +814,45 @@ ], "epss": [ { - "cve": "CVE-2024-34459", - "epss": 0.00847, - "percentile": 0.74208, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-34459", - "cwe": "CWE-122", + "cve": "CVE-2024-41996", + "cwe": "CWE-295", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ], "fix": { "versions": [], - "state": "not-fixed" + "state": "wont-fix" }, "advisories": [], - "risk": 0.35997500000000004 + "risk": 0.30705000000000005 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-34459", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-34459", + "id": "CVE-2024-41996", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", "namespace": "nvd:cpe", "severity": "High", "urls": [ - "https://gitlab.gnome.org/GNOME/libxml2/-/issues/720", - "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.8", - "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.7", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/", - "https://lists.debian.org/debian-lts-announce/2025/07/msg00014.html", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/" + "https://dheatattack.gitlab.io/details/", + "https://dheatattack.gitlab.io/faq/", + 
"https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" ], - "description": "An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c.", + "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", "cvss": [ { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { "baseScore": 7.5, "exploitabilityScore": 3.9, @@ -929,16 +863,16 @@ ], "epss": [ { - "cve": "CVE-2024-34459", - "epss": 0.00847, - "percentile": 0.74208, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-34459", - "cwe": "CWE-122", + "cve": "CVE-2024-41996", + "cwe": "CWE-295", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } @@ -947,7 +881,7 @@ ], "matchDetails": [ { - "type": "exact-direct-match", + "type": "exact-indirect-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { 
@@ -955,21 +889,21 @@ "version": "9.6" }, "package": { - "name": "libxml2", - "version": "0:2.9.13-12.el9_6" + "name": "openssl", + "version": "3.2.2-6.el9_5.1" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-34459", + "vulnerabilityID": "CVE-2024-41996", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "66b25e26e34fcd34", - "name": "libxml2", - "version": "2.9.13-12.el9_6", + "id": "58e683943e8aac02", + "name": "openssl-libs", + "version": "1:3.2.2-6.el9_5.1", "type": "rpm", "locations": [ { 
@@ -983,86 +917,119 @@ ], "language": "", "licenses": [ - "MIT" + "ASL 2.0" ], "cpes": [ - "cpe:2.3:a:libxml2:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*" + "cpe:2.3:a:openssl-libs:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl-libs:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl_libs:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl_libs:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:rpm/redhat/openssl-libs@3.2.2-6.el9_5.1?arch=x86_64&distro=rhel-9.6&epoch=1&upstream=openssl-3.2.2-6.el9_5.1.src.rpm", + "upstreams": [ + { + "name": "openssl", + "version": "3.2.2-6.el9_5.1" + } ], - "purl": "pkg:rpm/redhat/libxml2@2.9.13-12.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libxml2-2.9.13-12.el9_6.src.rpm", - "upstreams": [], "metadataType": "RpmMetadata", "metadata": { - "epoch": null, + "epoch": 1, "modularityLabel": "" } } }, { "vulnerability": { - "id": "CVE-2024-41996", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. 
This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", + "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, - "impactScore": 3.6 + "baseScore": 3.9, + "exploitabilityScore": 1.4, + "impactScore": 2.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ], "fix": { "versions": [], - "state": "wont-fix" + "state": "not-fixed" }, "advisories": [], - "risk": 0.30705000000000005 + "risk": 0.20009999999999997 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-41996", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", "namespace": "nvd:cpe", - "severity": "High", + "severity": "Medium", "urls": [ - "https://dheatattack.gitlab.io/details/", - "https://dheatattack.gitlab.io/faq/", - "https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" + "https://curl.se/docs/CVE-2024-9681.html", + "https://curl.se/docs/CVE-2024-9681.json", + "https://hackerone.com/reports/2764830", + "http://seclists.org/fulldisclosure/2025/Apr/10", + 
"http://seclists.org/fulldisclosure/2025/Apr/11", + "http://seclists.org/fulldisclosure/2025/Apr/12", + "http://seclists.org/fulldisclosure/2025/Apr/13", + "http://seclists.org/fulldisclosure/2025/Apr/4", + "http://seclists.org/fulldisclosure/2025/Apr/5", + "http://seclists.org/fulldisclosure/2025/Apr/8", + "http://seclists.org/fulldisclosure/2025/Apr/9", + "http://www.openwall.com/lists/oss-security/2024/11/06/2", + "https://security.netapp.com/advisory/ntap-20241213-0006/" ], - "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", + "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for 
by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.3, + "impactScore": 4.3 + }, + "vendorMetadata": {} + }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} @@ -1070,25 +1037,25 @@ ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ] } ], "matchDetails": [ { - "type": "exact-direct-match", + "type": "exact-indirect-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { 
@@ -1096,21 +1063,21 @@ "version": "9.6" }, "package": { - "name": "openssl", - "version": "1:3.2.2-6.el9_5.1" + "name": "curl", + "version": "7.76.1-31.el9_6.1" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-41996", + "vulnerabilityID": "CVE-2024-9681", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "7dc75dc862d10c78", - "name": "openssl", - "version": "1:3.2.2-6.el9_5.1", + "id": "707ec843794b77ca", + "name": "curl-minimal", + "version": "7.76.1-31.el9_6.1", "type": "rpm", "locations": [ { 
@@ -1124,86 +1091,119 @@ ], "language": "", "licenses": [ - "ASL 2.0" + "MIT" ], "cpes": [ - "cpe:2.3:a:openssl:openssl:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:openssl:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*" + "cpe:2.3:a:curl-minimal:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:curl-minimal:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:curl_minimal:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:curl_minimal:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:curl:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:curl:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:rpm/redhat/curl-minimal@7.76.1-31.el9_6.1?arch=x86_64&distro=rhel-9.6&upstream=curl-7.76.1-31.el9_6.1.src.rpm", + "upstreams": [ + { + "name": "curl", + "version": "7.76.1-31.el9_6.1" + } ], - "purl": "pkg:rpm/redhat/openssl@3.2.2-6.el9_5.1?arch=x86_64&distro=rhel-9.6&epoch=1&upstream=openssl-3.2.2-6.el9_5.1.src.rpm", - "upstreams": [], "metadataType": "RpmMetadata", "metadata": { - "epoch": 1, + "epoch": null, "modularityLabel": "" } } }, { "vulnerability": { - "id": "CVE-2024-41996", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. 
This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", + "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, - "impactScore": 3.6 + "baseScore": 3.9, + "exploitabilityScore": 1.4, + "impactScore": 2.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ], "fix": { "versions": [], - "state": "wont-fix" + "state": "not-fixed" }, "advisories": [], - "risk": 0.30705000000000005 + "risk": 0.20009999999999997 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-41996", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", "namespace": "nvd:cpe", - "severity": "High", + "severity": "Medium", "urls": [ - "https://dheatattack.gitlab.io/details/", - "https://dheatattack.gitlab.io/faq/", - "https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" + "https://curl.se/docs/CVE-2024-9681.html", + "https://curl.se/docs/CVE-2024-9681.json", + "https://hackerone.com/reports/2764830", + "http://seclists.org/fulldisclosure/2025/Apr/10", + 
"http://seclists.org/fulldisclosure/2025/Apr/11", + "http://seclists.org/fulldisclosure/2025/Apr/12", + "http://seclists.org/fulldisclosure/2025/Apr/13", + "http://seclists.org/fulldisclosure/2025/Apr/4", + "http://seclists.org/fulldisclosure/2025/Apr/5", + "http://seclists.org/fulldisclosure/2025/Apr/8", + "http://seclists.org/fulldisclosure/2025/Apr/9", + "http://www.openwall.com/lists/oss-security/2024/11/06/2", + "https://security.netapp.com/advisory/ntap-20241213-0006/" ], - "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", + "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for 
by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.3, + "impactScore": 4.3 + }, + "vendorMetadata": {} + }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} @@ -1211,18 +1211,18 @@ ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ] } @@ -1237,21 +1237,21 @@ "version": "9.6" }, "package": { - "name": "openssl", - "version": "3.2.2-6.el9_5.1" + "name": "curl", + "version": "7.76.1-31.el9_6.1" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-41996", + "vulnerabilityID": "CVE-2024-9681", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "58e683943e8aac02", - "name": "openssl-libs", - "version": "1:3.2.2-6.el9_5.1", + "id": "220f5f360bc1aff5", + "name": "libcurl-minimal", + "version": "7.76.1-31.el9_6.1", "type": "rpm", "locations": [ { 
@@ -1265,28 +1265,28 @@ ], "language": "", "licenses": [ - "ASL 2.0" + "MIT" ], "cpes": [ - "cpe:2.3:a:openssl-libs:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl-libs:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl_libs:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl_libs:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*" + "cpe:2.3:a:libcurl-minimal:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl-minimal:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl_minimal:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl_minimal:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*" ], - "purl": "pkg:rpm/redhat/openssl-libs@3.2.2-6.el9_5.1?arch=x86_64&distro=rhel-9.6&epoch=1&upstream=openssl-3.2.2-6.el9_5.1.src.rpm", + "purl": "pkg:rpm/redhat/libcurl-minimal@7.76.1-31.el9_6.1?arch=x86_64&distro=rhel-9.6&upstream=curl-7.76.1-31.el9_6.1.src.rpm", "upstreams": [ { - "name": "openssl", - "version": "3.2.2-6.el9_5.1" + "name": "curl", + "version": "7.76.1-31.el9_6.1" } ], "metadataType": "RpmMetadata", "metadata": { - "epoch": 1, + "epoch": null, "modularityLabel": "" } } @@ -1316,8 +1316,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ], "fix": { 
@@ -1361,8 +1361,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ] } @@ -1456,8 +1456,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ], "fix": { @@ -1501,8 +1501,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ] } @@ -1596,8 +1596,8 @@ { "cve": "CVE-2025-14087", "epss": 0.00197, - "percentile": 0.41855, - "date": "2025-12-14" + "percentile": 0.41841, + "date": "2025-12-15" } ], "cwes": [ @@ -1644,8 +1644,8 @@ { "cve": "CVE-2025-14087", "epss": 0.00197, - "percentile": 0.41855, - "date": "2025-12-14" + "percentile": 0.41841, + "date": "2025-12-15" } ], "cwes": [ 
@@ -1718,38 +1718,203 @@ "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A flaw was found in glib, where the gvariant deserialization code is vulnerable to a denial of service introduced by additional input validation added to resolve CVE-2023-29499. The offset table validation may be very slow. This bug does not affect any released version of glib but does affect glib distributors who followed the guidance of glib developers to backport the initial fix for CVE-2023-29499.", + "description": "A flaw was found in glib, where the gvariant deserialization code is vulnerable to a denial of service introduced by additional input validation added to resolve CVE-2023-29499. The offset table validation may be very slow. This bug does not affect any released version of glib but does affect glib distributors who followed the guidance of glib developers to backport the initial fix for CVE-2023-29499.", + "cvss": [ + { + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 6.2, + "exploitabilityScore": 2.6, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ], + "epss": [ + { + "cve": "CVE-2023-32636", + "epss": 0.00165, + "percentile": 0.38035, + "date": "2025-12-15" + } + ], + "cwes": [ + { + "cve": "CVE-2023-32636", + "cwe": "CWE-400", + "source": "secalert@redhat.com", + "type": "Secondary" + }, + { + "cve": "CVE-2023-32636", + "cwe": "CWE-502", + "source": "nvd@nist.gov", + "type": "Primary" + } + ], + "fix": { + "versions": [], + "state": "not-fixed" + }, + "advisories": [], + "risk": 0.0759 + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-32636", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-32636", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://gitlab.gnome.org/GNOME/glib/-/issues/2841", + "https://https://discourse.gnome.org/t/multiple-fixes-for-gvariant-normalisation-issues-in-glib/12835", + 
"https://security.netapp.com/advisory/ntap-20231110-0002/" + ], + "description": "A flaw was found in glib, where the gvariant deserialization code is vulnerable to a denial of service introduced by additional input validation added to resolve CVE-2023-29499. The offset table validation may be very slow. This bug does not affect any released version of glib but does affect glib distributors who followed the guidance of glib developers to backport the initial fix for CVE-2023-29499.", + "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + }, + { + "source": "secalert@redhat.com", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 4.7, + "exploitabilityScore": 1.1, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ], + "epss": [ + { + "cve": "CVE-2023-32636", + "epss": 0.00165, + "percentile": 0.38035, + "date": "2025-12-15" + } + ], + "cwes": [ + { + "cve": "CVE-2023-32636", + "cwe": "CWE-400", + "source": "secalert@redhat.com", + "type": "Secondary" + }, + { + "cve": "CVE-2023-32636", + "cwe": "CWE-502", + "source": "nvd@nist.gov", + "type": "Primary" + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "rpm-matcher", + "searchedBy": { + "distro": { + "type": "redhat", + "version": "9.6" + }, + "package": { + "name": "glib2", + "version": "0:2.68.4-16.el9_6.2" + }, + "namespace": "redhat:distro:redhat:9" + }, + "found": { + "vulnerabilityID": "CVE-2023-32636", + "versionConstraint": "none (unknown)" + } + } + ], + "artifact": { + "id": "35f4edf399bccea5", + "name": "glib2", + "version": "2.68.4-16.el9_6.2", + "type": "rpm", + "locations": [ + { + "path": "/var/lib/rpm/rpmdb.sqlite", + "layerID": 
"sha256:de18c09dd5fcfc989af528cd3e121a5e6b07cce0fbd4d56e9fe657c716887cd6", + "accessPath": "/var/lib/rpm/rpmdb.sqlite", + "annotations": { + "evidence": "primary" + } + } + ], + "language": "", + "licenses": [ + "LGPLv2+" + ], + "cpes": [ + "cpe:2.3:a:redhat:glib2:2.68.4-16.el9_6.2:*:*:*:*:*:*:*", + "cpe:2.3:a:glib2:glib2:2.68.4-16.el9_6.2:*:*:*:*:*:*:*" + ], + "purl": "pkg:rpm/redhat/glib2@2.68.4-16.el9_6.2?arch=x86_64&distro=rhel-9.6&upstream=glib2-2.68.4-16.el9_6.2.src.rpm", + "upstreams": [], + "metadataType": "RpmMetadata", + "metadata": { + "epoch": null, + "modularityLabel": "" + } + } + }, + { + "vulnerability": { + "id": "CVE-2025-27113", + "dataSource": "https://access.redhat.com/security/cve/CVE-2025-27113", + "namespace": "redhat:distro:redhat:9", + "severity": "Low", + "urls": [], + "description": "A flaw was found in libxml2. This vulnerability allows a NULL pointer dereference, leading to a potential crash or denial of service via a crafted XML pattern.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L", "metrics": { - "baseScore": 6.2, - "exploitabilityScore": 2.6, - "impactScore": 3.6 + "baseScore": 3.1, + "exploitabilityScore": 1.7, + "impactScore": 1.5 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2023-32636", - "epss": 0.00165, - "percentile": 0.38062, - "date": "2025-12-14" + "cve": "CVE-2025-27113", + "epss": 0.00217, + "percentile": 0.44238, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2023-32636", - "cwe": "CWE-400", - "source": "secalert@redhat.com", + "cve": "CVE-2025-27113", + "cwe": "CWE-476", + "source": "cve@mitre.org", "type": "Secondary" }, { - "cve": "CVE-2023-32636", - "cwe": "CWE-502", + "cve": "CVE-2025-27113", + "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" } 
@@ -1759,20 +1924,28 @@ "state": "not-fixed" }, "advisories": [], - "risk": 0.0759 + "risk": 0.066185 }, "relatedVulnerabilities": [ { - "id": "CVE-2023-32636", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-32636", + "id": "CVE-2025-27113", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-27113", "namespace": "nvd:cpe", "severity": "High", "urls": [ - "https://gitlab.gnome.org/GNOME/glib/-/issues/2841", - "https://https://discourse.gnome.org/t/multiple-fixes-for-gvariant-normalisation-issues-in-glib/12835", - "https://security.netapp.com/advisory/ntap-20231110-0002/" + "https://gitlab.gnome.org/GNOME/libxml2/-/issues/861", + "http://seclists.org/fulldisclosure/2025/Apr/10", + "http://seclists.org/fulldisclosure/2025/Apr/11", + "http://seclists.org/fulldisclosure/2025/Apr/12", + "http://seclists.org/fulldisclosure/2025/Apr/13", + "http://seclists.org/fulldisclosure/2025/Apr/4", + "http://seclists.org/fulldisclosure/2025/Apr/5", + "http://seclists.org/fulldisclosure/2025/Apr/8", + "http://seclists.org/fulldisclosure/2025/Apr/9", + "https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html", + "https://security.netapp.com/advisory/ntap-20250306-0004/" ], - "description": "A flaw was found in glib, where the gvariant deserialization code is vulnerable to a denial of service introduced by additional input validation added to resolve CVE-2023-29499. The offset table validation may be very slow. This bug does not affect any released version of glib but does affect glib distributors who followed the guidance of glib developers to backport the initial fix for CVE-2023-29499.", + "description": "libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer dereference in xmlPatMatch in pattern.c.", "cvss": [ { "source": "nvd@nist.gov", 
@@ -1787,36 +1960,36 @@ "vendorMetadata": {} }, { - "source": "secalert@redhat.com", + "source": "cve@mitre.org", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "metrics": { - "baseScore": 4.7, - "exploitabilityScore": 1.1, - "impactScore": 3.6 + "baseScore": 2.9, + "exploitabilityScore": 1.5, + "impactScore": 1.5 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2023-32636", - "epss": 0.00165, - "percentile": 0.38062, - "date": "2025-12-14" + "cve": "CVE-2025-27113", + "epss": 0.00217, + "percentile": 0.44238, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2023-32636", - "cwe": "CWE-400", - "source": "secalert@redhat.com", + "cve": "CVE-2025-27113", + "cwe": "CWE-476", + "source": "cve@mitre.org", "type": "Secondary" }, { - "cve": "CVE-2023-32636", - "cwe": "CWE-502", + "cve": "CVE-2025-27113", + "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" } @@ -1833,21 +2006,21 @@ "version": "9.6" }, "package": { - "name": "glib2", - "version": "0:2.68.4-16.el9_6.2" + "name": "libxml2", + "version": "0:2.9.13-12.el9_6" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2023-32636", + "vulnerabilityID": "CVE-2025-27113", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "35f4edf399bccea5", - "name": "glib2", - "version": "2.68.4-16.el9_6.2", + "id": "66b25e26e34fcd34", + "name": "libxml2", + "version": "2.9.13-12.el9_6", "type": "rpm", "locations": [ { 
@@ -1861,13 +2034,13 @@ ], "language": "", "licenses": [ - "LGPLv2+" + "MIT" ], "cpes": [ - "cpe:2.3:a:redhat:glib2:2.68.4-16.el9_6.2:*:*:*:*:*:*:*", - "cpe:2.3:a:glib2:glib2:2.68.4-16.el9_6.2:*:*:*:*:*:*:*" + "cpe:2.3:a:libxml2:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*" ], - "purl": "pkg:rpm/redhat/glib2@2.68.4-16.el9_6.2?arch=x86_64&distro=rhel-9.6&upstream=glib2-2.68.4-16.el9_6.2.src.rpm", + "purl": "pkg:rpm/redhat/libxml2@2.9.13-12.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libxml2-2.9.13-12.el9_6.src.rpm", "upstreams": [], "metadataType": "RpmMetadata", "metadata": { @@ -1901,8 +2074,8 @@ { "cve": "CVE-2025-32990", "epss": 0.0011, - "percentile": 0.30071, - "date": "2025-12-14" + "percentile": 0.3004, + "date": "2025-12-15" } ], "cwes": [ @@ -1985,8 +2158,8 @@ { "cve": "CVE-2025-32990", "epss": 0.0011, - "percentile": 0.30071, - "date": "2025-12-14" + "percentile": 0.3004, + "date": "2025-12-15" } ], "cwes": [ @@ -2080,8 +2253,8 @@ { "cve": "CVE-2025-1632", "epss": 0.00188, - "percentile": 0.40872, - "date": "2025-12-14" + "percentile": 0.40856, + "date": "2025-12-15" } ], "cwes": [ @@ -2176,8 +2349,8 @@ { "cve": "CVE-2025-1632", "epss": 0.00188, - "percentile": 0.40872, - "date": "2025-12-14" + "percentile": 0.40856, + "date": "2025-12-15" } ], "cwes": [ 
@@ -2255,179 +2428,6 @@ } } }, - { - "vulnerability": { - "id": "CVE-2025-27113", - "dataSource": "https://access.redhat.com/security/cve/CVE-2025-27113", - "namespace": "redhat:distro:redhat:9", - "severity": "Low", - "urls": [], - "description": "A flaw was found in libxml2. This vulnerability allows a NULL pointer dereference, leading to a potential crash or denial of service via a crafted XML pattern.", - "cvss": [ - { - "type": "Secondary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L", - "metrics": { - "baseScore": 3.1, - "exploitabilityScore": 1.7, - "impactScore": 1.5 - }, - "vendorMetadata": {} - } - ], - "epss": [ - { - "cve": "CVE-2025-27113", - "epss": 0.00184, - "percentile": 0.40434, - "date": "2025-12-14" - } - ], - "cwes": [ - { - "cve": "CVE-2025-27113", - "cwe": "CWE-476", - "source": "cve@mitre.org", - "type": "Secondary" - }, - { - "cve": "CVE-2025-27113", - "cwe": "CWE-476", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "fix": { - "versions": [], - "state": "not-fixed" - }, - "advisories": [], - "risk": 0.056119999999999996 - }, - "relatedVulnerabilities": [ - { - "id": "CVE-2025-27113", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-27113", - "namespace": "nvd:cpe", - "severity": "High", - "urls": [ - "https://gitlab.gnome.org/GNOME/libxml2/-/issues/861", - "http://seclists.org/fulldisclosure/2025/Apr/10", - "http://seclists.org/fulldisclosure/2025/Apr/11", - "http://seclists.org/fulldisclosure/2025/Apr/12", - "http://seclists.org/fulldisclosure/2025/Apr/13", - "http://seclists.org/fulldisclosure/2025/Apr/4", - "http://seclists.org/fulldisclosure/2025/Apr/5", - "http://seclists.org/fulldisclosure/2025/Apr/8", - "http://seclists.org/fulldisclosure/2025/Apr/9", - "https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html", - "https://security.netapp.com/advisory/ntap-20250306-0004/" - ], - "description": "libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer 
dereference in xmlPatMatch in pattern.c.", - "cvss": [ - { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, - "impactScore": 3.6 - }, - "vendorMetadata": {} - }, - { - "source": "cve@mitre.org", - "type": "Secondary", - "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", - "metrics": { - "baseScore": 2.9, - "exploitabilityScore": 1.5, - "impactScore": 1.5 - }, - "vendorMetadata": {} - } - ], - "epss": [ - { - "cve": "CVE-2025-27113", - "epss": 0.00184, - "percentile": 0.40434, - "date": "2025-12-14" - } - ], - "cwes": [ - { - "cve": "CVE-2025-27113", - "cwe": "CWE-476", - "source": "cve@mitre.org", - "type": "Secondary" - }, - { - "cve": "CVE-2025-27113", - "cwe": "CWE-476", - "source": "nvd@nist.gov", - "type": "Primary" - } - ] - } - ], - "matchDetails": [ - { - "type": "exact-direct-match", - "matcher": "rpm-matcher", - "searchedBy": { - "distro": { - "type": "redhat", - "version": "9.6" - }, - "package": { - "name": "libxml2", - "version": "0:2.9.13-12.el9_6" - }, - "namespace": "redhat:distro:redhat:9" - }, - "found": { - "vulnerabilityID": "CVE-2025-27113", - "versionConstraint": "none (unknown)" - } - } - ], - "artifact": { - "id": "66b25e26e34fcd34", - "name": "libxml2", - "version": "2.9.13-12.el9_6", - "type": "rpm", - "locations": [ - { - "path": "/var/lib/rpm/rpmdb.sqlite", - "layerID": "sha256:de18c09dd5fcfc989af528cd3e121a5e6b07cce0fbd4d56e9fe657c716887cd6", - "accessPath": "/var/lib/rpm/rpmdb.sqlite", - "annotations": { - "evidence": "primary" - } - } - ], - "language": "", - "licenses": [ - "MIT" - ], - "cpes": [ - "cpe:2.3:a:libxml2:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*" - ], - "purl": "pkg:rpm/redhat/libxml2@2.9.13-12.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libxml2-2.9.13-12.el9_6.src.rpm", - "upstreams": [], - 
"metadataType": "RpmMetadata", - "metadata": { - "epoch": null, - "modularityLabel": "" - } - } - }, { "vulnerability": { "id": "CVE-2025-9086", @@ -2453,8 +2453,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ], "fix": { @@ -2495,8 +2495,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ] } @@ -2590,8 +2590,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ], "fix": { @@ -2632,8 +2632,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ] } @@ -2727,8 +2727,8 @@ { "cve": "CVE-2025-32988", "epss": 0.00083, - "percentile": 0.24589, - "date": "2025-12-14" + "percentile": 0.24562, + "date": "2025-12-15" } ], "cwes": [ @@ -2811,8 +2811,8 @@ { "cve": "CVE-2025-32988", "epss": 0.00083, - "percentile": 0.24589, - "date": "2025-12-14" + "percentile": 0.24562, + "date": "2025-12-15" } ], "cwes": [ @@ -2906,8 +2906,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -2965,8 +2965,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -3057,8 +3057,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -3116,8 +3116,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ 
@@ -3219,8 +3219,8 @@ { "cve": "CVE-2025-6395", "epss": 0.00059, - "percentile": 0.18686, - "date": "2025-12-14" + "percentile": 0.18672, + "date": "2025-12-15" } ], "cwes": [ @@ -3291,8 +3291,8 @@ { "cve": "CVE-2025-6395", "epss": 0.00059, - "percentile": 0.18686, - "date": "2025-12-14" + "percentile": 0.18672, + "date": "2025-12-15" } ], "cwes": [ @@ -3386,8 +3386,8 @@ { "cve": "CVE-2023-45322", "epss": 0.00076, - "percentile": 0.23163, - "date": "2025-12-14" + "percentile": 0.2314, + "date": "2025-12-15" } ], "cwes": [ @@ -3436,8 +3436,8 @@ { "cve": "CVE-2023-45322", "epss": 0.00076, - "percentile": 0.23163, - "date": "2025-12-14" + "percentile": 0.2314, + "date": "2025-12-15" } ], "cwes": [ @@ -3528,8 +3528,8 @@ { "cve": "CVE-2025-32989", "epss": 0.00055, - "percentile": 0.17349, - "date": "2025-12-14" + "percentile": 0.17321, + "date": "2025-12-15" } ], "cwes": [ @@ -3598,8 +3598,8 @@ { "cve": "CVE-2025-32989", "epss": 0.00055, - "percentile": 0.17349, - "date": "2025-12-14" + "percentile": 0.17321, + "date": "2025-12-15" } ], "cwes": [ @@ -3693,8 +3693,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -3741,8 +3741,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -3833,8 +3833,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -3881,8 +3881,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -3984,8 +3984,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ], "fix": { 
@@ -4027,8 +4027,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ] } @@ -4122,8 +4122,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ], "fix": { @@ -4165,8 +4165,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ] } @@ -4260,8 +4260,8 @@ { "cve": "CVE-2025-3360", "epss": 0.00068, - "percentile": 0.2117, - "date": "2025-12-14" + "percentile": 0.21148, + "date": "2025-12-15" } ], "cwes": [ @@ -4309,8 +4309,8 @@ { "cve": "CVE-2025-3360", "epss": 0.00068, - "percentile": 0.2117, - "date": "2025-12-14" + "percentile": 0.21148, + "date": "2025-12-15" } ], "cwes": [ @@ -4401,8 +4401,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -4462,8 +4462,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -4559,8 +4559,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -4620,8 +4620,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -4717,8 +4717,8 @@ { "cve": "CVE-2025-4598", "epss": 0.00042, - "percentile": 0.12535, - "date": "2025-12-14" + "percentile": 0.12486, + "date": "2025-12-15" } ], "cwes": [ @@ -4790,8 +4790,8 @@ { "cve": "CVE-2025-4598", "epss": 0.00042, - "percentile": 0.12535, - "date": "2025-12-14" + "percentile": 0.12486, + "date": "2025-12-15" } ], "cwes": [ 
@@ -4896,8 +4896,8 @@ { "cve": "CVE-2025-14512", "epss": 0.00034, - "percentile": 0.09609, - "date": "2025-12-14" + "percentile": 0.09535, + "date": "2025-12-15" } ], "cwes": [ @@ -4944,8 +4944,8 @@ { "cve": "CVE-2025-14512", "epss": 0.00034, - "percentile": 0.09609, - "date": "2025-12-14" + "percentile": 0.09535, + "date": "2025-12-15" } ], "cwes": [ @@ -5039,8 +5039,8 @@ { "cve": "CVE-2025-29478", "epss": 0.00034, - "percentile": 0.09478, - "date": "2025-12-14" + "percentile": 0.09393, + "date": "2025-12-15" } ], "cwes": [ @@ -5131,8 +5131,8 @@ { "cve": "CVE-2025-6965", "epss": 0.00022, - "percentile": 0.05249, - "date": "2025-12-14" + "percentile": 0.05222, + "date": "2025-12-15" } ], "cwes": [ @@ -5208,8 +5208,8 @@ { "cve": "CVE-2025-6965", "epss": 0.00022, - "percentile": 0.05249, - "date": "2025-12-14" + "percentile": 0.05222, + "date": "2025-12-15" } ], "cwes": [ @@ -5314,8 +5314,8 @@ { "cve": "CVE-2023-4156", "epss": 0.00031, - "percentile": 0.08475, - "date": "2025-12-14" + "percentile": 0.08405, + "date": "2025-12-15" } ], "cwes": [ @@ -5380,8 +5380,8 @@ { "cve": "CVE-2023-4156", "epss": 0.00031, - "percentile": 0.08475, - "date": "2025-12-14" + "percentile": 0.08405, + "date": "2025-12-15" } ], "cwes": [ @@ -5478,8 +5478,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ @@ -5554,8 +5554,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ @@ -5655,8 +5655,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ @@ -5731,8 +5731,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ 
@@ -5843,8 +5843,8 @@ { "cve": "CVE-2025-9714", "epss": 0.00024, - "percentile": 0.05691, - "date": "2025-12-14" + "percentile": 0.05683, + "date": "2025-12-15" } ], "cwes": [ @@ -5917,8 +5917,8 @@ { "cve": "CVE-2025-9714", "epss": 0.00024, - "percentile": 0.05691, - "date": "2025-12-14" + "percentile": 0.05683, + "date": "2025-12-15" } ], "cwes": [ @@ -6012,8 +6012,8 @@ { "cve": "CVE-2025-60753", "epss": 0.0002, - "percentile": 0.04699, - "date": "2025-12-14" + "percentile": 0.04656, + "date": "2025-12-15" } ], "cwes": [ @@ -6066,8 +6066,8 @@ { "cve": "CVE-2025-60753", "epss": 0.0002, - "percentile": 0.04699, - "date": "2025-12-14" + "percentile": 0.04656, + "date": "2025-12-15" } ], "cwes": [ @@ -6167,8 +6167,8 @@ { "cve": "CVE-2025-29477", "epss": 0.00019, - "percentile": 0.04132, - "date": "2025-12-14" + "percentile": 0.04084, + "date": "2025-12-15" } ], "cwes": [ @@ -6259,8 +6259,8 @@ { "cve": "CVE-2025-13601", "epss": 0.00015, - "percentile": 0.02458, - "date": "2025-12-14" + "percentile": 0.0245, + "date": "2025-12-15" } ], "cwes": [ @@ -6309,8 +6309,8 @@ { "cve": "CVE-2025-13601", "epss": 0.00015, - "percentile": 0.02458, - "date": "2025-12-14" + "percentile": 0.0245, + "date": "2025-12-15" } ], "cwes": [ @@ -6401,8 +6401,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ], "fix": { @@ -6443,8 +6443,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ] } @@ -6538,8 +6538,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ], "fix": { @@ -6580,8 +6580,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ] } 
@@ -6675,8 +6675,8 @@ { "cve": "CVE-2025-5915", "epss": 0.00026, - "percentile": 0.06449, - "date": "2025-12-14" + "percentile": 0.06425, + "date": "2025-12-15" } ], "cwes": [ @@ -6737,8 +6737,8 @@ { "cve": "CVE-2025-5915", "epss": 0.00026, - "percentile": 0.06449, - "date": "2025-12-14" + "percentile": 0.06425, + "date": "2025-12-15" } ], "cwes": [ @@ -6829,8 +6829,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -6882,8 +6882,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -6974,8 +6974,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -7027,8 +7027,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -7130,8 +7130,8 @@ { "cve": "CVE-2025-5916", "epss": 0.00023, - "percentile": 0.05378, - "date": "2025-12-14" + "percentile": 0.05349, + "date": "2025-12-15" } ], "cwes": [ @@ -7192,8 +7192,8 @@ { "cve": "CVE-2025-5916", "epss": 0.00023, - "percentile": 0.05378, - "date": "2025-12-14" + "percentile": 0.05349, + "date": "2025-12-15" } ], "cwes": [ @@ -7284,8 +7284,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -7332,8 +7332,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -7429,8 +7429,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ 
@@ -7477,8 +7477,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -7574,8 +7574,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -7622,8 +7622,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -7719,8 +7719,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -7767,8 +7767,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -7864,8 +7864,8 @@ { "cve": "CVE-2025-5278", "epss": 0.00016, - "percentile": 0.02784, - "date": "2025-12-14" + "percentile": 0.02777, + "date": "2025-12-15" } ], "cwes": [ @@ -7918,8 +7918,8 @@ { "cve": "CVE-2025-5278", "epss": 0.00016, - "percentile": 0.02784, - "date": "2025-12-14" + "percentile": 0.02777, + "date": "2025-12-15" } ], "cwes": [ @@ -8021,8 +8021,8 @@ { "cve": "CVE-2023-30571", "epss": 0.00014, - "percentile": 0.02021, - "date": "2025-12-14" + "percentile": 0.02012, + "date": "2025-12-15" } ], "cwes": [ @@ -8087,8 +8087,8 @@ { "cve": "CVE-2023-30571", "epss": 0.00014, - "percentile": 0.02021, - "date": "2025-12-14" + "percentile": 0.02012, + "date": "2025-12-15" } ], "cwes": [ @@ -8185,8 +8185,8 @@ { "cve": "CVE-2025-30258", "epss": 0.00025, - "percentile": 0.05983, - "date": "2025-12-14" + "percentile": 0.0597, + "date": "2025-12-15" } ], "cwes": [ @@ -8246,8 +8246,8 @@ { "cve": "CVE-2025-30258", "epss": 0.00025, - "percentile": 0.05983, - "date": "2025-12-14" + "percentile": 0.0597, + "date": "2025-12-15" } ], "cwes": [ 
@@ -8338,8 +8338,8 @@ { "cve": "CVE-2024-0232", "epss": 0.00018, - "percentile": 0.03785, - "date": "2025-12-14" + "percentile": 0.03749, + "date": "2025-12-15" } ], "cwes": [ @@ -8406,8 +8406,8 @@ { "cve": "CVE-2024-0232", "epss": 0.00018, - "percentile": 0.03785, - "date": "2025-12-14" + "percentile": 0.03749, + "date": "2025-12-15" } ], "cwes": [ @@ -8515,8 +8515,8 @@ { "cve": "CVE-2025-5918", "epss": 0.00019, - "percentile": 0.04307, - "date": "2025-12-14" + "percentile": 0.04264, + "date": "2025-12-15" } ], "cwes": [ @@ -8577,8 +8577,8 @@ { "cve": "CVE-2025-5918", "epss": 0.00019, - "percentile": 0.04307, - "date": "2025-12-14" + "percentile": 0.04264, + "date": "2025-12-15" } ], "cwes": [ @@ -8669,8 +8669,8 @@ { "cve": "CVE-2022-3219", "epss": 0.00012, - "percentile": 0.01397, - "date": "2025-12-14" + "percentile": 0.01394, + "date": "2025-12-15" } ], "cwes": [ @@ -8739,8 +8739,8 @@ { "cve": "CVE-2022-3219", "epss": 0.00012, - "percentile": 0.01397, - "date": "2025-12-14" + "percentile": 0.01394, + "date": "2025-12-15" } ], "cwes": [ @@ -8837,8 +8837,8 @@ { "cve": "CVE-2025-5917", "epss": 0.00019, - "percentile": 0.04396, - "date": "2025-12-14" + "percentile": 0.04351, + "date": "2025-12-15" } ], "cwes": [ @@ -8899,8 +8899,8 @@ { "cve": "CVE-2025-5917", "epss": 0.00019, - "percentile": 0.04396, - "date": "2025-12-14" + "percentile": 0.04351, + "date": "2025-12-15" } ], "cwes": [ @@ -8991,8 +8991,8 @@ { "cve": "CVE-2025-6170", "epss": 0.00017, - "percentile": 0.03384, - "date": "2025-12-14" + "percentile": 0.03368, + "date": "2025-12-15" } ], "cwes": [ @@ -9052,8 +9052,8 @@ { "cve": "CVE-2025-6170", "epss": 0.00017, - "percentile": 0.03384, - "date": "2025-12-14" + "percentile": 0.03368, + "date": "2025-12-15" } ], "cwes": [ 
@@ -9580,87 +9580,87 @@ "db": { "status": { "schemaVersion": "v6.1.3", - "from": "https://grype.anchore.io/databases/v6/vulnerability-db_v6.1.3_2025-12-15T00:26:22Z_1765786837.tar.zst?checksum=sha256%3A819b50d22f073b9ab2ad3c00d212207037c07e1de037f81b528b58717b758db2", - "built": "2025-12-15T08:20:37Z", + "from": "https://grype.anchore.io/databases/v6/vulnerability-db_v6.1.3_2025-12-16T00:25:11Z_1765880790.tar.zst?checksum=sha256%3Aa8bb3ef2cc68f242e78cda1e451f290ff56a23b1063de65d22a0ac20e16ae5bd", + "built": "2025-12-16T10:26:30Z", "path": ".cache/grype/db/6/vulnerability.db", "valid": true }, "providers": { "alma": { - "captured": "2025-12-15T00:26:29Z", + "captured": "2025-12-16T00:25:17Z", "input": "xxh64:3bae44c7a22f7a7a" }, "alpine": { - "captured": "2025-12-15T00:26:22Z", - "input": "xxh64:a6910ebae352b990" + "captured": "2025-12-16T00:25:13Z", + "input": "xxh64:0d94cc3d895e96e4" }, "amazon": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:d9332811ab10da09" + "captured": "2025-12-16T00:25:14Z", + "input": "xxh64:96351b3c21f16cdd" }, "bitnami": { - "captured": "2025-12-15T00:26:31Z", - "input": "xxh64:1ecf12b668dea077" + "captured": "2025-12-16T00:25:26Z", + "input": "xxh64:01d096e52d6c584d" }, "chainguard": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:c788b1823558ccdc" + "captured": "2025-12-16T00:25:19Z", + "input": "xxh64:aeb142b1fabd05ef" }, "chainguard-libraries": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:61125e10198fff74" + "captured": "2025-12-16T00:25:25Z", + "input": "xxh64:131c1a3e98113468" }, "debian": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:3a0aef0ee5db3f38" + "captured": "2025-12-16T00:25:24Z", + "input": "xxh64:9c5942d58a5f0d0a" }, "echo": { - "captured": "2025-12-15T00:26:34Z", - "input": "xxh64:b407f1052619408a" + "captured": "2025-12-16T00:25:20Z", + "input": "xxh64:e65ed35a7a7899d0" }, "epss": { - "captured": "2025-12-15T00:26:28Z", - "input": "xxh64:05fd1e2ee709d2a5" + "captured": 
"2025-12-16T00:25:21Z", + "input": "xxh64:c443dbaf0209cf17" }, "github": { - "captured": "2025-12-15T00:26:44Z", - "input": "xxh64:3c7fd996a88f1c66" + "captured": "2025-12-16T00:25:21Z", + "input": "xxh64:640038905439d285" }, "kev": { - "captured": "2025-12-15T00:26:23Z", - "input": "xxh64:ed425533655d771d" + "captured": "2025-12-16T00:25:11Z", + "input": "xxh64:c28f5b32e2103243" }, "mariner": { - "captured": "2025-12-15T00:26:32Z", - "input": "xxh64:6fdbff1192df3158" + "captured": "2025-12-16T00:25:18Z", + "input": "xxh64:647810a8c07a63eb" }, "minimos": { - "captured": "2025-12-15T00:26:30Z", - "input": "xxh64:66fa9397e7abbbe3" + "captured": "2025-12-16T00:25:20Z", + "input": "xxh64:24ca3b7889974a27" }, "nvd": { - "captured": "2025-12-15T00:29:34Z", - "input": "xxh64:52a15157244d2eb4" + "captured": "2025-12-16T00:28:18Z", + "input": "xxh64:8ee1877e9a9e680b" }, "oracle": { - "captured": "2025-12-15T00:26:29Z", - "input": "xxh64:a3297070ed6c54c1" + "captured": "2025-12-16T00:25:23Z", + "input": "xxh64:a4416b6b3e4250df" }, "rhel": { - "captured": "2025-12-15T00:27:19Z", - "input": "xxh64:e625d0086bf187f1" + "captured": "2025-12-16T00:26:07Z", + "input": "xxh64:9911b1a567d8f57c" }, "sles": { - "captured": "2025-12-15T00:26:44Z", - "input": "xxh64:baf8228a110f8ba2" + "captured": "2025-12-16T00:25:43Z", + "input": "xxh64:1b717d5f2e45fdee" }, "ubuntu": { - "captured": "2025-12-15T00:27:45Z", - "input": "xxh64:dd0f79d777310979" + "captured": "2025-12-16T00:27:14Z", + "input": "xxh64:2d3097578288b46f" }, "wolfi": { - "captured": "2025-12-15T00:26:25Z", - "input": "xxh64:7f14313934ae61bb" + "captured": "2025-12-16T00:25:19Z", + "input": "xxh64:f85923693eb62700" } } } diff --git a/docs/security/agent/grype-25.9.3.md b/docs/security/agent/grype-25.9.3.md index 58a9341..f61d563 100644 --- a/docs/security/agent/grype-25.9.3.md +++ b/docs/security/agent/grype-25.9.3.md 
@@ -34,16 +34,16 @@ Refer to the [triaged vulnerabilities](https://docs.fluent.do/security/triaged.h | curl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-7264](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7264) | Low | | libcurl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-7264](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7264) | Low | | shadow-utils | 2:4.9-12.el9 | [CVE-2024-56433](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-56433) | Low | -| curl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | -| libcurl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | | libxml2 | 2.9.13-12.el9_6 | [CVE-2024-34459](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34459) | Low | | openssl | 1:3.2.2-6.el9_5.1 | [CVE-2024-41996](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41996) | Low | | openssl-libs | 1:3.2.2-6.el9_5.1 | [CVE-2024-41996](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41996) | Low | +| curl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | +| libcurl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | | curl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-11053](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-11053) | Low | | libcurl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-11053](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-11053) | Low | | glib2 | 2.68.4-16.el9_6.2 | [CVE-2023-32636](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32636) | Low | -| libarchive | 3.5.3-6.el9_6 | [CVE-2025-1632](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1632) | Low | | libxml2 | 2.9.13-12.el9_6 | [CVE-2025-27113](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27113) | Low | +| libarchive | 3.5.3-6.el9_6 | 
[CVE-2025-1632](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1632) | Low | | openssl | 1:3.2.2-6.el9_5.1 | [CVE-2024-13176](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13176) | Low | | openssl-libs | 1:3.2.2-6.el9_5.1 | [CVE-2024-13176](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13176) | Low | | libxml2 | 2.9.13-12.el9_6 | [CVE-2023-45322](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45322) | Low | diff --git a/docs/security/agent/grype-25.9.4.json b/docs/security/agent/grype-25.9.4.json index 5133a5d..2199b0b 100644 --- a/docs/security/agent/grype-25.9.4.json +++ b/docs/security/agent/grype-25.9.4.json @@ -25,8 +25,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -91,8 +91,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -194,8 +194,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -260,8 +260,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -363,8 +363,8 @@ { "cve": "CVE-2024-56433", "epss": 0.05074, - "percentile": 0.8942, - "date": "2025-12-14" + "percentile": 0.89421, + "date": "2025-12-15" } ], "cwes": [ @@ -426,8 +426,8 @@ { "cve": "CVE-2024-56433", "epss": 0.05074, - "percentile": 0.8942, - "date": "2025-12-14" + "percentile": 0.89421, + "date": "2025-12-15" } ], "cwes": [ 
@@ -504,39 +504,39 @@ }, { "vulnerability": { - "id": "CVE-2024-9681", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", + "id": "CVE-2024-34459", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-34459", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", + "description": "A flaw was found in the xmllint program distributed by the libxml2 package. A buffer over-read in the xmlHTMLPrintFileContext function in the xmllint.c file may be triggered when a crafted file is processed with the xmllint program using the `--htmlout` command line option, causing an application crash and resulting in a denial of service.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 3.9, - "exploitabilityScore": 1.4, - "impactScore": 2.6 + "baseScore": 5.5, + "exploitabilityScore": 1.9, + "impactScore": 3.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-34459", + "epss": 0.00847, + "percentile": 0.74212, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-34459", + "cwe": "CWE-122", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ], "fix": { 
@@ -544,51 +544,36 @@ "state": "not-fixed" }, "advisories": [], - "risk": 0.422625 + "risk": 0.35997500000000004 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-9681", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", + "id": "CVE-2024-34459", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-34459", "namespace": "nvd:cpe", - "severity": "Medium", + "severity": "High", "urls": [ - "https://curl.se/docs/CVE-2024-9681.html", - "https://curl.se/docs/CVE-2024-9681.json", - "https://hackerone.com/reports/2764830", - "http://seclists.org/fulldisclosure/2025/Apr/10", - "http://seclists.org/fulldisclosure/2025/Apr/11", - "http://seclists.org/fulldisclosure/2025/Apr/12", - "http://seclists.org/fulldisclosure/2025/Apr/13", - "http://seclists.org/fulldisclosure/2025/Apr/4", - "http://seclists.org/fulldisclosure/2025/Apr/5", - "http://seclists.org/fulldisclosure/2025/Apr/8", - "http://seclists.org/fulldisclosure/2025/Apr/9", - "http://www.openwall.com/lists/oss-security/2024/11/06/2", - "https://security.netapp.com/advisory/ntap-20241213-0006/" + "https://gitlab.gnome.org/GNOME/libxml2/-/issues/720", + "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.8", + "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.7", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/", + "https://lists.debian.org/debian-lts-announce/2025/07/msg00014.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", + 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/" ], - "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", + "description": "An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. 
Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c.", "cvss": [ - { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", - "metrics": { - "baseScore": 6.5, - "exploitabilityScore": 2.3, - "impactScore": 4.3 - }, - "vendorMetadata": {} - }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, + "baseScore": 7.5, + "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} @@ -596,25 +581,25 @@ ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-34459", + "epss": 0.00847, + "percentile": 0.74212, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-34459", + "cwe": "CWE-122", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ] } ], "matchDetails": [ { - "type": "exact-indirect-match", + "type": "exact-direct-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { @@ -622,21 +607,21 @@ "version": "9.6" }, "package": { - "name": "curl", - "version": "7.76.1-31.el9_6.1" + "name": "libxml2", + "version": "0:2.9.13-12.el9_6" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-9681", + "vulnerabilityID": "CVE-2024-34459", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "707ec843794b77ca", - "name": "curl-minimal", - "version": "7.76.1-31.el9_6.1", + "id": "66b25e26e34fcd34", + "name": "libxml2", + "version": "2.9.13-12.el9_6", "type": "rpm", "locations": [ { 
@@ -653,22 +638,11 @@ "MIT" ], "cpes": [ - "cpe:2.3:a:curl-minimal:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:curl-minimal:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:curl_minimal:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:curl_minimal:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:curl:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:curl:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*" - ], - "purl": "pkg:rpm/redhat/curl-minimal@7.76.1-31.el9_6.1?arch=x86_64&distro=rhel-9.6&upstream=curl-7.76.1-31.el9_6.1.src.rpm", - "upstreams": [ - { - "name": "curl", - "version": "7.76.1-31.el9_6.1" - } + "cpe:2.3:a:libxml2:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*" ], + "purl": "pkg:rpm/redhat/libxml2@2.9.13-12.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libxml2-2.9.13-12.el9_6.src.rpm", + "upstreams": [], "metadataType": "RpmMetadata", "metadata": { "epoch": null, 
@@ -678,91 +652,69 @@ }, { "vulnerability": { - "id": "CVE-2024-9681", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", + "id": "CVE-2024-41996", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", + "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 3.9, - "exploitabilityScore": 1.4, - "impactScore": 2.6 + "baseScore": 5.9, + "exploitabilityScore": 2.3, + "impactScore": 3.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-41996", + "cwe": "CWE-295", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ], "fix": { "versions": [], - "state": "not-fixed" + "state": "wont-fix" }, "advisories": [], - "risk": 0.422625 + "risk": 0.30705000000000005 }, 
"relatedVulnerabilities": [ { - "id": "CVE-2024-9681", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", + "id": "CVE-2024-41996", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", "namespace": "nvd:cpe", - "severity": "Medium", + "severity": "High", "urls": [ - "https://curl.se/docs/CVE-2024-9681.html", - "https://curl.se/docs/CVE-2024-9681.json", - "https://hackerone.com/reports/2764830", - "http://seclists.org/fulldisclosure/2025/Apr/10", - "http://seclists.org/fulldisclosure/2025/Apr/11", - "http://seclists.org/fulldisclosure/2025/Apr/12", - "http://seclists.org/fulldisclosure/2025/Apr/13", - "http://seclists.org/fulldisclosure/2025/Apr/4", - "http://seclists.org/fulldisclosure/2025/Apr/5", - "http://seclists.org/fulldisclosure/2025/Apr/8", - "http://seclists.org/fulldisclosure/2025/Apr/9", - "http://www.openwall.com/lists/oss-security/2024/11/06/2", - "https://security.netapp.com/advisory/ntap-20241213-0006/" + "https://dheatattack.gitlab.io/details/", + "https://dheatattack.gitlab.io/faq/", + "https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" ], - "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug 
is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", + "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", "cvss": [ - { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", - "metrics": { - "baseScore": 6.5, - "exploitabilityScore": 2.3, - "impactScore": 4.3 - }, - "vendorMetadata": {} - }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, + "baseScore": 7.5, + "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} 
@@ -770,25 +722,25 @@ ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-41996", + "cwe": "CWE-295", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ] } ], "matchDetails": [ { - "type": "exact-indirect-match", + "type": "exact-direct-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { @@ -796,21 +748,21 @@ "version": "9.6" }, "package": { - "name": "curl", - "version": "7.76.1-31.el9_6.1" + "name": "openssl", + "version": "1:3.2.2-6.el9_5.1" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-9681", + "vulnerabilityID": "CVE-2024-41996", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "220f5f360bc1aff5", - "name": "libcurl-minimal", - "version": "7.76.1-31.el9_6.1", + "id": "7dc75dc862d10c78", + "name": "openssl", + "version": "1:3.2.2-6.el9_5.1", "type": "rpm", "locations": [ { 
@@ -824,48 +776,37 @@ ], "language": "", "licenses": [ - "MIT" + "ASL 2.0" ], "cpes": [ - "cpe:2.3:a:libcurl-minimal:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl-minimal:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl_minimal:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl_minimal:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*" - ], - "purl": "pkg:rpm/redhat/libcurl-minimal@7.76.1-31.el9_6.1?arch=x86_64&distro=rhel-9.6&upstream=curl-7.76.1-31.el9_6.1.src.rpm", - "upstreams": [ - { - "name": "curl", - "version": "7.76.1-31.el9_6.1" - } + "cpe:2.3:a:openssl:openssl:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:openssl:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*" ], + "purl": "pkg:rpm/redhat/openssl@3.2.2-6.el9_5.1?arch=x86_64&distro=rhel-9.6&epoch=1&upstream=openssl-3.2.2-6.el9_5.1.src.rpm", + "upstreams": [], "metadataType": "RpmMetadata", "metadata": { - "epoch": null, + "epoch": 1, "modularityLabel": "" } } }, { "vulnerability": { - "id": "CVE-2024-34459", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-34459", + "id": "CVE-2024-41996", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A flaw was found in the xmllint program distributed by the libxml2 package. 
A buffer over-read in the xmlHTMLPrintFileContext function in the xmllint.c file may be triggered when a crafted file is processed with the xmllint program using the `--htmlout` command line option, causing an application crash and resulting in a denial of service.", + "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 5.5, - "exploitabilityScore": 1.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} 
@@ -873,52 +814,45 @@ ], "epss": [ { - "cve": "CVE-2024-34459", - "epss": 0.00847, - "percentile": 0.74208, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-34459", - "cwe": "CWE-122", + "cve": "CVE-2024-41996", + "cwe": "CWE-295", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ], "fix": { "versions": [], - "state": "not-fixed" + "state": "wont-fix" }, "advisories": [], - "risk": 0.35997500000000004 + "risk": 0.30705000000000005 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-34459", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-34459", + "id": "CVE-2024-41996", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", "namespace": "nvd:cpe", "severity": "High", "urls": [ - "https://gitlab.gnome.org/GNOME/libxml2/-/issues/720", - "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.8", - "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.7", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/", - "https://lists.debian.org/debian-lts-announce/2025/07/msg00014.html", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/" + "https://dheatattack.gitlab.io/details/", + "https://dheatattack.gitlab.io/faq/", + 
"https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" ], - "description": "An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c.", + "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", "cvss": [ { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { "baseScore": 7.5, "exploitabilityScore": 3.9, @@ -929,16 +863,16 @@ ], "epss": [ { - "cve": "CVE-2024-34459", - "epss": 0.00847, - "percentile": 0.74208, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-34459", - "cwe": "CWE-122", + "cve": "CVE-2024-41996", + "cwe": "CWE-295", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } @@ -947,7 +881,7 @@ ], "matchDetails": [ { - "type": "exact-direct-match", + "type": "exact-indirect-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { 
@@ -955,21 +889,21 @@ "version": "9.6" }, "package": { - "name": "libxml2", - "version": "0:2.9.13-12.el9_6" + "name": "openssl", + "version": "3.2.2-6.el9_5.1" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-34459", + "vulnerabilityID": "CVE-2024-41996", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "66b25e26e34fcd34", - "name": "libxml2", - "version": "2.9.13-12.el9_6", + "id": "58e683943e8aac02", + "name": "openssl-libs", + "version": "1:3.2.2-6.el9_5.1", "type": "rpm", "locations": [ { 
@@ -983,86 +917,119 @@ ], "language": "", "licenses": [ - "MIT" + "ASL 2.0" ], "cpes": [ - "cpe:2.3:a:libxml2:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*" + "cpe:2.3:a:openssl-libs:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl-libs:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl_libs:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl_libs:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:rpm/redhat/openssl-libs@3.2.2-6.el9_5.1?arch=x86_64&distro=rhel-9.6&epoch=1&upstream=openssl-3.2.2-6.el9_5.1.src.rpm", + "upstreams": [ + { + "name": "openssl", + "version": "3.2.2-6.el9_5.1" + } ], - "purl": "pkg:rpm/redhat/libxml2@2.9.13-12.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libxml2-2.9.13-12.el9_6.src.rpm", - "upstreams": [], "metadataType": "RpmMetadata", "metadata": { - "epoch": null, + "epoch": 1, "modularityLabel": "" } } }, { "vulnerability": { - "id": "CVE-2024-41996", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. 
This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", + "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, - "impactScore": 3.6 + "baseScore": 3.9, + "exploitabilityScore": 1.4, + "impactScore": 2.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ], "fix": { "versions": [], - "state": "wont-fix" + "state": "not-fixed" }, "advisories": [], - "risk": 0.30705000000000005 + "risk": 0.20009999999999997 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-41996", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", "namespace": "nvd:cpe", - "severity": "High", + "severity": "Medium", "urls": [ - "https://dheatattack.gitlab.io/details/", - "https://dheatattack.gitlab.io/faq/", - "https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" + "https://curl.se/docs/CVE-2024-9681.html", + "https://curl.se/docs/CVE-2024-9681.json", + "https://hackerone.com/reports/2764830", + "http://seclists.org/fulldisclosure/2025/Apr/10", + 
"http://seclists.org/fulldisclosure/2025/Apr/11", + "http://seclists.org/fulldisclosure/2025/Apr/12", + "http://seclists.org/fulldisclosure/2025/Apr/13", + "http://seclists.org/fulldisclosure/2025/Apr/4", + "http://seclists.org/fulldisclosure/2025/Apr/5", + "http://seclists.org/fulldisclosure/2025/Apr/8", + "http://seclists.org/fulldisclosure/2025/Apr/9", + "http://www.openwall.com/lists/oss-security/2024/11/06/2", + "https://security.netapp.com/advisory/ntap-20241213-0006/" ], - "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", + "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for 
by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.3, + "impactScore": 4.3 + }, + "vendorMetadata": {} + }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} @@ -1070,25 +1037,25 @@ ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ] } ], "matchDetails": [ { - "type": "exact-direct-match", + "type": "exact-indirect-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { 
@@ -1096,21 +1063,21 @@ "version": "9.6" }, "package": { - "name": "openssl", - "version": "1:3.2.2-6.el9_5.1" + "name": "curl", + "version": "7.76.1-31.el9_6.1" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-41996", + "vulnerabilityID": "CVE-2024-9681", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "7dc75dc862d10c78", - "name": "openssl", - "version": "1:3.2.2-6.el9_5.1", + "id": "707ec843794b77ca", + "name": "curl-minimal", + "version": "7.76.1-31.el9_6.1", "type": "rpm", "locations": [ { 
@@ -1124,86 +1091,119 @@ ], "language": "", "licenses": [ - "ASL 2.0" + "MIT" ], "cpes": [ - "cpe:2.3:a:openssl:openssl:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:openssl:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*" + "cpe:2.3:a:curl-minimal:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:curl-minimal:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:curl_minimal:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:curl_minimal:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:curl:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:curl:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:rpm/redhat/curl-minimal@7.76.1-31.el9_6.1?arch=x86_64&distro=rhel-9.6&upstream=curl-7.76.1-31.el9_6.1.src.rpm", + "upstreams": [ + { + "name": "curl", + "version": "7.76.1-31.el9_6.1" + } ], - "purl": "pkg:rpm/redhat/openssl@3.2.2-6.el9_5.1?arch=x86_64&distro=rhel-9.6&epoch=1&upstream=openssl-3.2.2-6.el9_5.1.src.rpm", - "upstreams": [], "metadataType": "RpmMetadata", "metadata": { - "epoch": 1, + "epoch": null, "modularityLabel": "" } } }, { "vulnerability": { - "id": "CVE-2024-41996", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. 
This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", + "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, - "impactScore": 3.6 + "baseScore": 3.9, + "exploitabilityScore": 1.4, + "impactScore": 2.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ], "fix": { "versions": [], - "state": "wont-fix" + "state": "not-fixed" }, "advisories": [], - "risk": 0.30705000000000005 + "risk": 0.20009999999999997 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-41996", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", "namespace": "nvd:cpe", - "severity": "High", + "severity": "Medium", "urls": [ - "https://dheatattack.gitlab.io/details/", - "https://dheatattack.gitlab.io/faq/", - "https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" + "https://curl.se/docs/CVE-2024-9681.html", + "https://curl.se/docs/CVE-2024-9681.json", + "https://hackerone.com/reports/2764830", + "http://seclists.org/fulldisclosure/2025/Apr/10", + 
"http://seclists.org/fulldisclosure/2025/Apr/11", + "http://seclists.org/fulldisclosure/2025/Apr/12", + "http://seclists.org/fulldisclosure/2025/Apr/13", + "http://seclists.org/fulldisclosure/2025/Apr/4", + "http://seclists.org/fulldisclosure/2025/Apr/5", + "http://seclists.org/fulldisclosure/2025/Apr/8", + "http://seclists.org/fulldisclosure/2025/Apr/9", + "http://www.openwall.com/lists/oss-security/2024/11/06/2", + "https://security.netapp.com/advisory/ntap-20241213-0006/" ], - "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", + "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for 
by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.3, + "impactScore": 4.3 + }, + "vendorMetadata": {} + }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} @@ -1211,18 +1211,18 @@ ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ] } @@ -1237,21 +1237,21 @@ "version": "9.6" }, "package": { - "name": "openssl", - "version": "3.2.2-6.el9_5.1" + "name": "curl", + "version": "7.76.1-31.el9_6.1" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-41996", + "vulnerabilityID": "CVE-2024-9681", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "58e683943e8aac02", - "name": "openssl-libs", - "version": "1:3.2.2-6.el9_5.1", + "id": "220f5f360bc1aff5", + "name": "libcurl-minimal", + "version": "7.76.1-31.el9_6.1", "type": "rpm", "locations": [ { 
@@ -1265,28 +1265,28 @@ ], "language": "", "licenses": [ - "ASL 2.0" + "MIT" ], "cpes": [ - "cpe:2.3:a:openssl-libs:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl-libs:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl_libs:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl_libs:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*" + "cpe:2.3:a:libcurl-minimal:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl-minimal:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl_minimal:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl_minimal:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*" ], - "purl": "pkg:rpm/redhat/openssl-libs@3.2.2-6.el9_5.1?arch=x86_64&distro=rhel-9.6&epoch=1&upstream=openssl-3.2.2-6.el9_5.1.src.rpm", + "purl": "pkg:rpm/redhat/libcurl-minimal@7.76.1-31.el9_6.1?arch=x86_64&distro=rhel-9.6&upstream=curl-7.76.1-31.el9_6.1.src.rpm", "upstreams": [ { - "name": "openssl", - "version": "3.2.2-6.el9_5.1" + "name": "curl", + "version": "7.76.1-31.el9_6.1" } ], "metadataType": "RpmMetadata", "metadata": { - "epoch": 1, + "epoch": null, "modularityLabel": "" } } @@ -1316,8 +1316,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ], "fix": { 
@@ -1361,8 +1361,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ] } @@ -1456,8 +1456,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ], "fix": { @@ -1501,8 +1501,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ] } @@ -1596,8 +1596,8 @@ { "cve": "CVE-2025-14087", "epss": 0.00197, - "percentile": 0.41855, - "date": "2025-12-14" + "percentile": 0.41841, + "date": "2025-12-15" } ], "cwes": [ @@ -1644,8 +1644,8 @@ { "cve": "CVE-2025-14087", "epss": 0.00197, - "percentile": 0.41855, - "date": "2025-12-14" + "percentile": 0.41841, + "date": "2025-12-15" } ], "cwes": [ @@ -1736,8 +1736,8 @@ { "cve": "CVE-2023-32636", "epss": 0.00165, - "percentile": 0.38062, - "date": "2025-12-14" + "percentile": 0.38035, + "date": "2025-12-15" } ], "cwes": [ @@ -1803,8 +1803,8 @@ { "cve": "CVE-2023-32636", "epss": 0.00165, - "percentile": 0.38062, - "date": "2025-12-14" + "percentile": 0.38035, + "date": "2025-12-15" } ], "cwes": [ 
@@ -1878,20 +1878,20 @@ }, { "vulnerability": { - "id": "CVE-2025-1632", - "dataSource": "https://access.redhat.com/security/cve/CVE-2025-1632", + "id": "CVE-2025-27113", + "dataSource": "https://access.redhat.com/security/cve/CVE-2025-27113", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A flaw was found in the bsdunzip utility of libarchive. In affected versions, a specially crafted file may trigger a null pointer dereference. This issue can lead to an application crash or other unexpected behavior.", + "description": "A flaw was found in libxml2. This vulnerability allows a NULL pointer dereference, leading to a potential crash or denial of service via a crafted XML pattern.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L", "metrics": { - "baseScore": 3.3, - "exploitabilityScore": 1.9, + "baseScore": 3.1, + "exploitabilityScore": 1.7, "impactScore": 1.5 }, "vendorMetadata": {} @@ -1899,27 +1899,21 @@ ], "epss": [ { - "cve": "CVE-2025-1632", - "epss": 0.00188, - "percentile": 0.40872, - "date": "2025-12-14" + "cve": "CVE-2025-27113", + "epss": 0.00217, + "percentile": 0.44238, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-1632", - "cwe": "CWE-404", - "source": "cna@vuldb.com", - "type": "Secondary" - }, - { - "cve": "CVE-2025-1632", + "cve": "CVE-2025-27113", "cwe": "CWE-476", - "source": "cna@vuldb.com", + "source": "cve@mitre.org", "type": "Secondary" }, { - "cve": "CVE-2025-1632", + "cve": "CVE-2025-27113", "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" 
@@ -1930,92 +1924,71 @@ "state": "not-fixed" }, "advisories": [], - "risk": 0.05921999999999999 + "risk": 0.066185 }, "relatedVulnerabilities": [ { - "id": "CVE-2025-1632", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-1632", + "id": "CVE-2025-27113", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-27113", "namespace": "nvd:cpe", - "severity": "Medium", + "severity": "High", "urls": [ - "https://github.com/Ekkosun/pocs/blob/main/bsdunzip-poc", - "https://vuldb.com/?ctiid.296619", - "https://vuldb.com/?id.296619", - "https://vuldb.com/?submit.496460" + "https://gitlab.gnome.org/GNOME/libxml2/-/issues/861", + "http://seclists.org/fulldisclosure/2025/Apr/10", + "http://seclists.org/fulldisclosure/2025/Apr/11", + "http://seclists.org/fulldisclosure/2025/Apr/12", + "http://seclists.org/fulldisclosure/2025/Apr/13", + "http://seclists.org/fulldisclosure/2025/Apr/4", + "http://seclists.org/fulldisclosure/2025/Apr/5", + "http://seclists.org/fulldisclosure/2025/Apr/8", + "http://seclists.org/fulldisclosure/2025/Apr/9", + "https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html", + "https://security.netapp.com/advisory/ntap-20250306-0004/" ], - "description": "A vulnerability was found in libarchive up to 3.7.7. It has been classified as problematic. This affects the function list of the file bsdunzip.c. The manipulation leads to null pointer dereference. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. 
The vendor was contacted early about this disclosure but did not respond in any way.", + "description": "libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer dereference in xmlPatMatch in pattern.c.", "cvss": [ { "source": "nvd@nist.gov", "type": "Primary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 5.5, - "exploitabilityScore": 1.9, + "baseScore": 7.5, + "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} }, { - "source": "cna@vuldb.com", - "type": "Secondary", - "version": "4.0", - "vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", - "metrics": { - "baseScore": 4.8 - }, - "vendorMetadata": {} - }, - { - "source": "cna@vuldb.com", + "source": "cve@mitre.org", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "metrics": { - "baseScore": 3.3, - "exploitabilityScore": 1.9, + "baseScore": 2.9, + "exploitabilityScore": 1.5, "impactScore": 1.5 }, "vendorMetadata": {} - }, - { - "source": "cna@vuldb.com", - "type": "Secondary", - "version": "2.0", - "vector": "AV:L/AC:L/Au:S/C:N/I:N/A:P", - "metrics": { - "baseScore": 1.7, - "exploitabilityScore": 3.2, - "impactScore": 2.9 - }, - "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2025-1632", - "epss": 0.00188, - "percentile": 0.40872, - "date": "2025-12-14" + "cve": "CVE-2025-27113", + "epss": 0.00217, + "percentile": 0.44238, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-1632", - "cwe": "CWE-404", - "source": "cna@vuldb.com", - "type": "Secondary" - }, - { - "cve": "CVE-2025-1632", + "cve": "CVE-2025-27113", "cwe": "CWE-476", - "source": "cna@vuldb.com", + "source": "cve@mitre.org", "type": "Secondary" }, { - 
"cve": "CVE-2025-1632", + "cve": "CVE-2025-27113", "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" @@ -2033,21 +2006,21 @@ "version": "9.6" }, "package": { - "name": "libarchive", - "version": "0:3.5.3-6.el9_6" + "name": "libxml2", + "version": "0:2.9.13-12.el9_6" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2025-1632", + "vulnerabilityID": "CVE-2025-27113", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "5fe8b53173092253", - "name": "libarchive", - "version": "3.5.3-6.el9_6", + "id": "66b25e26e34fcd34", + "name": "libxml2", + "version": "2.9.13-12.el9_6", "type": "rpm", "locations": [ { @@ -2061,13 +2034,13 @@ ], "language": "", "licenses": [ - "BSD" + "MIT" ], "cpes": [ - "cpe:2.3:a:libarchive:libarchive:3.5.3-6.el9_6:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libarchive:3.5.3-6.el9_6:*:*:*:*:*:*:*" + "cpe:2.3:a:libxml2:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*" ], - "purl": "pkg:rpm/redhat/libarchive@3.5.3-6.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libarchive-3.5.3-6.el9_6.src.rpm", + "purl": "pkg:rpm/redhat/libxml2@2.9.13-12.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libxml2-2.9.13-12.el9_6.src.rpm", "upstreams": [], "metadataType": "RpmMetadata", "metadata": { 
@@ -2078,20 +2051,20 @@ }, { "vulnerability": { - "id": "CVE-2025-27113", - "dataSource": "https://access.redhat.com/security/cve/CVE-2025-27113", + "id": "CVE-2025-1632", + "dataSource": "https://access.redhat.com/security/cve/CVE-2025-1632", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A flaw was found in libxml2. This vulnerability allows a NULL pointer dereference, leading to a potential crash or denial of service via a crafted XML pattern.", + "description": "A flaw was found in the bsdunzip utility of libarchive. In affected versions, a specially crafted file may trigger a null pointer dereference. This issue can lead to an application crash or other unexpected behavior.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "metrics": { - "baseScore": 3.1, - "exploitabilityScore": 1.7, + "baseScore": 3.3, + "exploitabilityScore": 1.9, "impactScore": 1.5 }, "vendorMetadata": {} @@ -2099,21 +2072,27 @@ ], "epss": [ { - "cve": "CVE-2025-27113", - "epss": 0.00184, - "percentile": 0.40434, - "date": "2025-12-14" + "cve": "CVE-2025-1632", + "epss": 0.00188, + "percentile": 0.40856, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-27113", + "cve": "CVE-2025-1632", + "cwe": "CWE-404", + "source": "cna@vuldb.com", + "type": "Secondary" + }, + { + "cve": "CVE-2025-1632", "cwe": "CWE-476", - "source": "cve@mitre.org", + "source": "cna@vuldb.com", "type": "Secondary" }, { - "cve": "CVE-2025-27113", + "cve": "CVE-2025-1632", "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" 
@@ -2124,71 +2103,92 @@ "state": "not-fixed" }, "advisories": [], - "risk": 0.056119999999999996 + "risk": 0.05921999999999999 }, "relatedVulnerabilities": [ { - "id": "CVE-2025-27113", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-27113", + "id": "CVE-2025-1632", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-1632", "namespace": "nvd:cpe", - "severity": "High", + "severity": "Medium", "urls": [ - "https://gitlab.gnome.org/GNOME/libxml2/-/issues/861", - "http://seclists.org/fulldisclosure/2025/Apr/10", - "http://seclists.org/fulldisclosure/2025/Apr/11", - "http://seclists.org/fulldisclosure/2025/Apr/12", - "http://seclists.org/fulldisclosure/2025/Apr/13", - "http://seclists.org/fulldisclosure/2025/Apr/4", - "http://seclists.org/fulldisclosure/2025/Apr/5", - "http://seclists.org/fulldisclosure/2025/Apr/8", - "http://seclists.org/fulldisclosure/2025/Apr/9", - "https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html", - "https://security.netapp.com/advisory/ntap-20250306-0004/" + "https://github.com/Ekkosun/pocs/blob/main/bsdunzip-poc", + "https://vuldb.com/?ctiid.296619", + "https://vuldb.com/?id.296619", + "https://vuldb.com/?submit.496460" ], - "description": "libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer dereference in xmlPatMatch in pattern.c.", + "description": "A vulnerability was found in libarchive up to 3.7.7. It has been classified as problematic. This affects the function list of the file bsdunzip.c. The manipulation leads to null pointer dereference. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. 
The vendor was contacted early about this disclosure but did not respond in any way.", "cvss": [ { "source": "nvd@nist.gov", "type": "Primary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, + "baseScore": 5.5, + "exploitabilityScore": 1.9, "impactScore": 3.6 }, "vendorMetadata": {} }, { - "source": "cve@mitre.org", + "source": "cna@vuldb.com", + "type": "Secondary", + "version": "4.0", + "vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", + "metrics": { + "baseScore": 4.8 + }, + "vendorMetadata": {} + }, + { + "source": "cna@vuldb.com", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "metrics": { - "baseScore": 2.9, - "exploitabilityScore": 1.5, + "baseScore": 3.3, + "exploitabilityScore": 1.9, "impactScore": 1.5 }, "vendorMetadata": {} + }, + { + "source": "cna@vuldb.com", + "type": "Secondary", + "version": "2.0", + "vector": "AV:L/AC:L/Au:S/C:N/I:N/A:P", + "metrics": { + "baseScore": 1.7, + "exploitabilityScore": 3.2, + "impactScore": 2.9 + }, + "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2025-27113", - "epss": 0.00184, - "percentile": 0.40434, - "date": "2025-12-14" + "cve": "CVE-2025-1632", + "epss": 0.00188, + "percentile": 0.40856, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-27113", + "cve": "CVE-2025-1632", + "cwe": "CWE-404", + "source": "cna@vuldb.com", + "type": "Secondary" + }, + { + "cve": "CVE-2025-1632", "cwe": "CWE-476", - "source": "cve@mitre.org", + "source": "cna@vuldb.com", "type": "Secondary" }, { - "cve": "CVE-2025-27113", + "cve": "CVE-2025-1632", "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" 
@@ -2206,21 +2206,21 @@ "version": "9.6" }, "package": { - "name": "libxml2", - "version": "0:2.9.13-12.el9_6" + "name": "libarchive", + "version": "0:3.5.3-6.el9_6" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2025-27113", + "vulnerabilityID": "CVE-2025-1632", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "66b25e26e34fcd34", - "name": "libxml2", - "version": "2.9.13-12.el9_6", + "id": "5fe8b53173092253", + "name": "libarchive", + "version": "3.5.3-6.el9_6", "type": "rpm", "locations": [ { @@ -2234,13 +2234,13 @@ ], "language": "", "licenses": [ - "MIT" + "BSD" ], "cpes": [ - "cpe:2.3:a:libxml2:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*" + "cpe:2.3:a:libarchive:libarchive:3.5.3-6.el9_6:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libarchive:3.5.3-6.el9_6:*:*:*:*:*:*:*" ], - "purl": "pkg:rpm/redhat/libxml2@2.9.13-12.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libxml2-2.9.13-12.el9_6.src.rpm", + "purl": "pkg:rpm/redhat/libarchive@3.5.3-6.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libarchive-3.5.3-6.el9_6.src.rpm", "upstreams": [], "metadataType": "RpmMetadata", "metadata": { @@ -2274,8 +2274,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ], "fix": { @@ -2316,8 +2316,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ] } @@ -2411,8 +2411,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ], "fix": { @@ -2453,8 +2453,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ] } 
@@ -2548,8 +2548,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -2607,8 +2607,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -2699,8 +2699,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -2758,8 +2758,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -2861,8 +2861,8 @@ { "cve": "CVE-2023-45322", "epss": 0.00076, - "percentile": 0.23163, - "date": "2025-12-14" + "percentile": 0.2314, + "date": "2025-12-15" } ], "cwes": [ @@ -2911,8 +2911,8 @@ { "cve": "CVE-2023-45322", "epss": 0.00076, - "percentile": 0.23163, - "date": "2025-12-14" + "percentile": 0.2314, + "date": "2025-12-15" } ], "cwes": [ @@ -3003,8 +3003,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -3051,8 +3051,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -3143,8 +3143,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -3191,8 +3191,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -3294,8 +3294,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ], "fix": { 
@@ -3337,8 +3337,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ] } @@ -3432,8 +3432,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ], "fix": { @@ -3475,8 +3475,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ] } @@ -3570,8 +3570,8 @@ { "cve": "CVE-2025-3360", "epss": 0.00068, - "percentile": 0.2117, - "date": "2025-12-14" + "percentile": 0.21148, + "date": "2025-12-15" } ], "cwes": [ @@ -3619,8 +3619,8 @@ { "cve": "CVE-2025-3360", "epss": 0.00068, - "percentile": 0.2117, - "date": "2025-12-14" + "percentile": 0.21148, + "date": "2025-12-15" } ], "cwes": [ @@ -3711,8 +3711,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -3772,8 +3772,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -3869,8 +3869,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -3930,8 +3930,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -4027,8 +4027,8 @@ { "cve": "CVE-2025-4598", "epss": 0.00042, - "percentile": 0.12535, - "date": "2025-12-14" + "percentile": 0.12486, + "date": "2025-12-15" } ], "cwes": [ @@ -4100,8 +4100,8 @@ { "cve": "CVE-2025-4598", "epss": 0.00042, - "percentile": 0.12535, - "date": "2025-12-14" + "percentile": 0.12486, + "date": "2025-12-15" } ], "cwes": [ 
@@ -4206,8 +4206,8 @@ { "cve": "CVE-2025-14512", "epss": 0.00034, - "percentile": 0.09609, - "date": "2025-12-14" + "percentile": 0.09535, + "date": "2025-12-15" } ], "cwes": [ @@ -4254,8 +4254,8 @@ { "cve": "CVE-2025-14512", "epss": 0.00034, - "percentile": 0.09609, - "date": "2025-12-14" + "percentile": 0.09535, + "date": "2025-12-15" } ], "cwes": [ @@ -4349,8 +4349,8 @@ { "cve": "CVE-2025-29478", "epss": 0.00034, - "percentile": 0.09478, - "date": "2025-12-14" + "percentile": 0.09393, + "date": "2025-12-15" } ], "cwes": [ @@ -4441,8 +4441,8 @@ { "cve": "CVE-2025-6965", "epss": 0.00022, - "percentile": 0.05249, - "date": "2025-12-14" + "percentile": 0.05222, + "date": "2025-12-15" } ], "cwes": [ @@ -4518,8 +4518,8 @@ { "cve": "CVE-2025-6965", "epss": 0.00022, - "percentile": 0.05249, - "date": "2025-12-14" + "percentile": 0.05222, + "date": "2025-12-15" } ], "cwes": [ @@ -4624,8 +4624,8 @@ { "cve": "CVE-2023-4156", "epss": 0.00031, - "percentile": 0.08475, - "date": "2025-12-14" + "percentile": 0.08405, + "date": "2025-12-15" } ], "cwes": [ @@ -4690,8 +4690,8 @@ { "cve": "CVE-2023-4156", "epss": 0.00031, - "percentile": 0.08475, - "date": "2025-12-14" + "percentile": 0.08405, + "date": "2025-12-15" } ], "cwes": [ @@ -4788,8 +4788,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ @@ -4864,8 +4864,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ @@ -4965,8 +4965,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ @@ -5041,8 +5041,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ 
@@ -5153,8 +5153,8 @@ { "cve": "CVE-2025-9714", "epss": 0.00024, - "percentile": 0.05691, - "date": "2025-12-14" + "percentile": 0.05683, + "date": "2025-12-15" } ], "cwes": [ @@ -5227,8 +5227,8 @@ { "cve": "CVE-2025-9714", "epss": 0.00024, - "percentile": 0.05691, - "date": "2025-12-14" + "percentile": 0.05683, + "date": "2025-12-15" } ], "cwes": [ @@ -5322,8 +5322,8 @@ { "cve": "CVE-2025-60753", "epss": 0.0002, - "percentile": 0.04699, - "date": "2025-12-14" + "percentile": 0.04656, + "date": "2025-12-15" } ], "cwes": [ @@ -5376,8 +5376,8 @@ { "cve": "CVE-2025-60753", "epss": 0.0002, - "percentile": 0.04699, - "date": "2025-12-14" + "percentile": 0.04656, + "date": "2025-12-15" } ], "cwes": [ @@ -5477,8 +5477,8 @@ { "cve": "CVE-2025-29477", "epss": 0.00019, - "percentile": 0.04132, - "date": "2025-12-14" + "percentile": 0.04084, + "date": "2025-12-15" } ], "cwes": [ @@ -5569,8 +5569,8 @@ { "cve": "CVE-2025-13601", "epss": 0.00015, - "percentile": 0.02458, - "date": "2025-12-14" + "percentile": 0.0245, + "date": "2025-12-15" } ], "cwes": [ @@ -5619,8 +5619,8 @@ { "cve": "CVE-2025-13601", "epss": 0.00015, - "percentile": 0.02458, - "date": "2025-12-14" + "percentile": 0.0245, + "date": "2025-12-15" } ], "cwes": [ @@ -5711,8 +5711,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ], "fix": { @@ -5753,8 +5753,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ] } @@ -5848,8 +5848,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ], "fix": { @@ -5890,8 +5890,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ] } 
@@ -5985,8 +5985,8 @@ { "cve": "CVE-2025-5915", "epss": 0.00026, - "percentile": 0.06449, - "date": "2025-12-14" + "percentile": 0.06425, + "date": "2025-12-15" } ], "cwes": [ @@ -6047,8 +6047,8 @@ { "cve": "CVE-2025-5915", "epss": 0.00026, - "percentile": 0.06449, - "date": "2025-12-14" + "percentile": 0.06425, + "date": "2025-12-15" } ], "cwes": [ @@ -6139,8 +6139,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -6192,8 +6192,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -6284,8 +6284,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -6337,8 +6337,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -6440,8 +6440,8 @@ { "cve": "CVE-2025-5916", "epss": 0.00023, - "percentile": 0.05378, - "date": "2025-12-14" + "percentile": 0.05349, + "date": "2025-12-15" } ], "cwes": [ @@ -6502,8 +6502,8 @@ { "cve": "CVE-2025-5916", "epss": 0.00023, - "percentile": 0.05378, - "date": "2025-12-14" + "percentile": 0.05349, + "date": "2025-12-15" } ], "cwes": [ @@ -6594,8 +6594,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -6642,8 +6642,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -6739,8 +6739,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ 
@@ -6787,8 +6787,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -6884,8 +6884,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -6932,8 +6932,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -7029,8 +7029,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -7077,8 +7077,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -7174,8 +7174,8 @@ { "cve": "CVE-2025-5278", "epss": 0.00016, - "percentile": 0.02784, - "date": "2025-12-14" + "percentile": 0.02777, + "date": "2025-12-15" } ], "cwes": [ @@ -7228,8 +7228,8 @@ { "cve": "CVE-2025-5278", "epss": 0.00016, - "percentile": 0.02784, - "date": "2025-12-14" + "percentile": 0.02777, + "date": "2025-12-15" } ], "cwes": [ @@ -7331,8 +7331,8 @@ { "cve": "CVE-2023-30571", "epss": 0.00014, - "percentile": 0.02021, - "date": "2025-12-14" + "percentile": 0.02012, + "date": "2025-12-15" } ], "cwes": [ @@ -7397,8 +7397,8 @@ { "cve": "CVE-2023-30571", "epss": 0.00014, - "percentile": 0.02021, - "date": "2025-12-14" + "percentile": 0.02012, + "date": "2025-12-15" } ], "cwes": [ @@ -7495,8 +7495,8 @@ { "cve": "CVE-2025-30258", "epss": 0.00025, - "percentile": 0.05983, - "date": "2025-12-14" + "percentile": 0.0597, + "date": "2025-12-15" } ], "cwes": [ @@ -7556,8 +7556,8 @@ { "cve": "CVE-2025-30258", "epss": 0.00025, - "percentile": 0.05983, - "date": "2025-12-14" + "percentile": 0.0597, + "date": "2025-12-15" } ], "cwes": [ 
@@ -7648,8 +7648,8 @@ { "cve": "CVE-2024-0232", "epss": 0.00018, - "percentile": 0.03785, - "date": "2025-12-14" + "percentile": 0.03749, + "date": "2025-12-15" } ], "cwes": [ @@ -7716,8 +7716,8 @@ { "cve": "CVE-2024-0232", "epss": 0.00018, - "percentile": 0.03785, - "date": "2025-12-14" + "percentile": 0.03749, + "date": "2025-12-15" } ], "cwes": [ @@ -7825,8 +7825,8 @@ { "cve": "CVE-2025-5918", "epss": 0.00019, - "percentile": 0.04307, - "date": "2025-12-14" + "percentile": 0.04264, + "date": "2025-12-15" } ], "cwes": [ @@ -7887,8 +7887,8 @@ { "cve": "CVE-2025-5918", "epss": 0.00019, - "percentile": 0.04307, - "date": "2025-12-14" + "percentile": 0.04264, + "date": "2025-12-15" } ], "cwes": [ @@ -7979,8 +7979,8 @@ { "cve": "CVE-2022-3219", "epss": 0.00012, - "percentile": 0.01397, - "date": "2025-12-14" + "percentile": 0.01394, + "date": "2025-12-15" } ], "cwes": [ @@ -8049,8 +8049,8 @@ { "cve": "CVE-2022-3219", "epss": 0.00012, - "percentile": 0.01397, - "date": "2025-12-14" + "percentile": 0.01394, + "date": "2025-12-15" } ], "cwes": [ @@ -8147,8 +8147,8 @@ { "cve": "CVE-2025-5917", "epss": 0.00019, - "percentile": 0.04396, - "date": "2025-12-14" + "percentile": 0.04351, + "date": "2025-12-15" } ], "cwes": [ @@ -8209,8 +8209,8 @@ { "cve": "CVE-2025-5917", "epss": 0.00019, - "percentile": 0.04396, - "date": "2025-12-14" + "percentile": 0.04351, + "date": "2025-12-15" } ], "cwes": [ @@ -8301,8 +8301,8 @@ { "cve": "CVE-2025-6170", "epss": 0.00017, - "percentile": 0.03384, - "date": "2025-12-14" + "percentile": 0.03368, + "date": "2025-12-15" } ], "cwes": [ @@ -8362,8 +8362,8 @@ { "cve": "CVE-2025-6170", "epss": 0.00017, - "percentile": 0.03384, - "date": "2025-12-14" + "percentile": 0.03368, + "date": "2025-12-15" } ], "cwes": [ 
@@ -8890,87 +8890,87 @@ "db": { "status": { "schemaVersion": "v6.1.3", - "from": "https://grype.anchore.io/databases/v6/vulnerability-db_v6.1.3_2025-12-15T00:26:22Z_1765786837.tar.zst?checksum=sha256%3A819b50d22f073b9ab2ad3c00d212207037c07e1de037f81b528b58717b758db2", - "built": "2025-12-15T08:20:37Z", + "from": "https://grype.anchore.io/databases/v6/vulnerability-db_v6.1.3_2025-12-16T00:25:11Z_1765880790.tar.zst?checksum=sha256%3Aa8bb3ef2cc68f242e78cda1e451f290ff56a23b1063de65d22a0ac20e16ae5bd", + "built": "2025-12-16T10:26:30Z", "path": ".cache/grype/db/6/vulnerability.db", "valid": true }, "providers": { "alma": { - "captured": "2025-12-15T00:26:29Z", + "captured": "2025-12-16T00:25:17Z", "input": "xxh64:3bae44c7a22f7a7a" }, "alpine": { - "captured": "2025-12-15T00:26:22Z", - "input": "xxh64:a6910ebae352b990" + "captured": "2025-12-16T00:25:13Z", + "input": "xxh64:0d94cc3d895e96e4" }, "amazon": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:d9332811ab10da09" + "captured": "2025-12-16T00:25:14Z", + "input": "xxh64:96351b3c21f16cdd" }, "bitnami": { - "captured": "2025-12-15T00:26:31Z", - "input": "xxh64:1ecf12b668dea077" + "captured": "2025-12-16T00:25:26Z", + "input": "xxh64:01d096e52d6c584d" }, "chainguard": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:c788b1823558ccdc" + "captured": "2025-12-16T00:25:19Z", + "input": "xxh64:aeb142b1fabd05ef" }, "chainguard-libraries": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:61125e10198fff74" + "captured": "2025-12-16T00:25:25Z", + "input": "xxh64:131c1a3e98113468" }, "debian": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:3a0aef0ee5db3f38" + "captured": "2025-12-16T00:25:24Z", + "input": "xxh64:9c5942d58a5f0d0a" }, "echo": { - "captured": "2025-12-15T00:26:34Z", - "input": "xxh64:b407f1052619408a" + "captured": "2025-12-16T00:25:20Z", + "input": "xxh64:e65ed35a7a7899d0" }, "epss": { - "captured": "2025-12-15T00:26:28Z", - "input": "xxh64:05fd1e2ee709d2a5" + "captured": 
"2025-12-16T00:25:21Z", + "input": "xxh64:c443dbaf0209cf17" }, "github": { - "captured": "2025-12-15T00:26:44Z", - "input": "xxh64:3c7fd996a88f1c66" + "captured": "2025-12-16T00:25:21Z", + "input": "xxh64:640038905439d285" }, "kev": { - "captured": "2025-12-15T00:26:23Z", - "input": "xxh64:ed425533655d771d" + "captured": "2025-12-16T00:25:11Z", + "input": "xxh64:c28f5b32e2103243" }, "mariner": { - "captured": "2025-12-15T00:26:32Z", - "input": "xxh64:6fdbff1192df3158" + "captured": "2025-12-16T00:25:18Z", + "input": "xxh64:647810a8c07a63eb" }, "minimos": { - "captured": "2025-12-15T00:26:30Z", - "input": "xxh64:66fa9397e7abbbe3" + "captured": "2025-12-16T00:25:20Z", + "input": "xxh64:24ca3b7889974a27" }, "nvd": { - "captured": "2025-12-15T00:29:34Z", - "input": "xxh64:52a15157244d2eb4" + "captured": "2025-12-16T00:28:18Z", + "input": "xxh64:8ee1877e9a9e680b" }, "oracle": { - "captured": "2025-12-15T00:26:29Z", - "input": "xxh64:a3297070ed6c54c1" + "captured": "2025-12-16T00:25:23Z", + "input": "xxh64:a4416b6b3e4250df" }, "rhel": { - "captured": "2025-12-15T00:27:19Z", - "input": "xxh64:e625d0086bf187f1" + "captured": "2025-12-16T00:26:07Z", + "input": "xxh64:9911b1a567d8f57c" }, "sles": { - "captured": "2025-12-15T00:26:44Z", - "input": "xxh64:baf8228a110f8ba2" + "captured": "2025-12-16T00:25:43Z", + "input": "xxh64:1b717d5f2e45fdee" }, "ubuntu": { - "captured": "2025-12-15T00:27:45Z", - "input": "xxh64:dd0f79d777310979" + "captured": "2025-12-16T00:27:14Z", + "input": "xxh64:2d3097578288b46f" }, "wolfi": { - "captured": "2025-12-15T00:26:25Z", - "input": "xxh64:7f14313934ae61bb" + "captured": "2025-12-16T00:25:19Z", + "input": "xxh64:f85923693eb62700" } } } diff --git a/docs/security/agent/grype-25.9.4.md b/docs/security/agent/grype-25.9.4.md index b760c3d..6ce951e 100644 --- a/docs/security/agent/grype-25.9.4.md +++ b/docs/security/agent/grype-25.9.4.md 
@@ -30,16 +30,16 @@ Refer to the [triaged vulnerabilities](https://docs.fluent.do/security/triaged.h | curl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-7264](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7264) | Low | | libcurl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-7264](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7264) | Low | | shadow-utils | 2:4.9-12.el9 | [CVE-2024-56433](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-56433) | Low | -| curl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | -| libcurl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | | libxml2 | 2.9.13-12.el9_6 | [CVE-2024-34459](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34459) | Low | | openssl | 1:3.2.2-6.el9_5.1 | [CVE-2024-41996](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41996) | Low | | openssl-libs | 1:3.2.2-6.el9_5.1 | [CVE-2024-41996](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41996) | Low | +| curl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | +| libcurl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | | curl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-11053](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-11053) | Low | | libcurl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-11053](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-11053) | Low | | glib2 | 2.68.4-16.el9_6.2 | [CVE-2023-32636](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32636) | Low | -| libarchive | 3.5.3-6.el9_6 | [CVE-2025-1632](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1632) | Low | | libxml2 | 2.9.13-12.el9_6 | [CVE-2025-27113](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27113) | Low | +| libarchive | 3.5.3-6.el9_6 | 
[CVE-2025-1632](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1632) | Low | | openssl | 1:3.2.2-6.el9_5.1 | [CVE-2024-13176](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13176) | Low | | openssl-libs | 1:3.2.2-6.el9_5.1 | [CVE-2024-13176](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13176) | Low | | libxml2 | 2.9.13-12.el9_6 | [CVE-2023-45322](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45322) | Low | diff --git a/docs/security/agent/grype-25.9.5.json b/docs/security/agent/grype-25.9.5.json index e783594..270f5c2 100644 --- a/docs/security/agent/grype-25.9.5.json +++ b/docs/security/agent/grype-25.9.5.json @@ -25,8 +25,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -91,8 +91,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -194,8 +194,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -260,8 +260,8 @@ { "cve": "CVE-2024-7264", "epss": 0.04044, - "percentile": 0.8812, - "date": "2025-12-14" + "percentile": 0.88119, + "date": "2025-12-15" } ], "cwes": [ @@ -363,8 +363,8 @@ { "cve": "CVE-2024-56433", "epss": 0.05074, - "percentile": 0.8942, - "date": "2025-12-14" + "percentile": 0.89421, + "date": "2025-12-15" } ], "cwes": [ @@ -426,8 +426,8 @@ { "cve": "CVE-2024-56433", "epss": 0.05074, - "percentile": 0.8942, - "date": "2025-12-14" + "percentile": 0.89421, + "date": "2025-12-15" } ], "cwes": [ 
@@ -504,39 +504,39 @@ }, { "vulnerability": { - "id": "CVE-2024-9681", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", + "id": "CVE-2024-34459", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-34459", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", + "description": "A flaw was found in the xmllint program distributed by the libxml2 package. A buffer over-read in the xmlHTMLPrintFileContext function in the xmllint.c file may be triggered when a crafted file is processed with the xmllint program using the `--htmlout` command line option, causing an application crash and resulting in a denial of service.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 3.9, - "exploitabilityScore": 1.4, - "impactScore": 2.6 + "baseScore": 5.5, + "exploitabilityScore": 1.9, + "impactScore": 3.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-34459", + "epss": 0.00847, + "percentile": 0.74212, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-34459", + "cwe": "CWE-122", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ], "fix": { 
@@ -544,51 +544,36 @@ "state": "not-fixed" }, "advisories": [], - "risk": 0.422625 + "risk": 0.35997500000000004 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-9681", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", + "id": "CVE-2024-34459", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-34459", "namespace": "nvd:cpe", - "severity": "Medium", + "severity": "High", "urls": [ - "https://curl.se/docs/CVE-2024-9681.html", - "https://curl.se/docs/CVE-2024-9681.json", - "https://hackerone.com/reports/2764830", - "http://seclists.org/fulldisclosure/2025/Apr/10", - "http://seclists.org/fulldisclosure/2025/Apr/11", - "http://seclists.org/fulldisclosure/2025/Apr/12", - "http://seclists.org/fulldisclosure/2025/Apr/13", - "http://seclists.org/fulldisclosure/2025/Apr/4", - "http://seclists.org/fulldisclosure/2025/Apr/5", - "http://seclists.org/fulldisclosure/2025/Apr/8", - "http://seclists.org/fulldisclosure/2025/Apr/9", - "http://www.openwall.com/lists/oss-security/2024/11/06/2", - "https://security.netapp.com/advisory/ntap-20241213-0006/" + "https://gitlab.gnome.org/GNOME/libxml2/-/issues/720", + "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.8", + "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.7", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/", + "https://lists.debian.org/debian-lts-announce/2025/07/msg00014.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", + 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/" ], - "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", + "description": "An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. 
Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c.", "cvss": [ - { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", - "metrics": { - "baseScore": 6.5, - "exploitabilityScore": 2.3, - "impactScore": 4.3 - }, - "vendorMetadata": {} - }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, + "baseScore": 7.5, + "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} @@ -596,25 +581,25 @@ ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-34459", + "epss": 0.00847, + "percentile": 0.74212, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-34459", + "cwe": "CWE-122", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ] } ], "matchDetails": [ { - "type": "exact-indirect-match", + "type": "exact-direct-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { @@ -622,21 +607,21 @@ "version": "9.6" }, "package": { - "name": "curl", - "version": "7.76.1-31.el9_6.1" + "name": "libxml2", + "version": "0:2.9.13-12.el9_6" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-9681", + "vulnerabilityID": "CVE-2024-34459", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "707ec843794b77ca", - "name": "curl-minimal", - "version": "7.76.1-31.el9_6.1", + "id": "66b25e26e34fcd34", + "name": "libxml2", + "version": "2.9.13-12.el9_6", "type": "rpm", "locations": [ { 
@@ -653,22 +638,11 @@ "MIT" ], "cpes": [ - "cpe:2.3:a:curl-minimal:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:curl-minimal:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:curl_minimal:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:curl_minimal:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:curl:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:curl:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*" - ], - "purl": "pkg:rpm/redhat/curl-minimal@7.76.1-31.el9_6.1?arch=x86_64&distro=rhel-9.6&upstream=curl-7.76.1-31.el9_6.1.src.rpm", - "upstreams": [ - { - "name": "curl", - "version": "7.76.1-31.el9_6.1" - } + "cpe:2.3:a:libxml2:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*" ], + "purl": "pkg:rpm/redhat/libxml2@2.9.13-12.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libxml2-2.9.13-12.el9_6.src.rpm", + "upstreams": [], "metadataType": "RpmMetadata", "metadata": { "epoch": null, 
@@ -678,91 +652,69 @@ }, { "vulnerability": { - "id": "CVE-2024-9681", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", + "id": "CVE-2024-41996", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", + "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 3.9, - "exploitabilityScore": 1.4, - "impactScore": 2.6 + "baseScore": 5.9, + "exploitabilityScore": 2.3, + "impactScore": 3.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-41996", + "cwe": "CWE-295", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ], "fix": { "versions": [], - "state": "not-fixed" + "state": "wont-fix" }, "advisories": [], - "risk": 0.422625 + "risk": 0.30705000000000005 }, 
"relatedVulnerabilities": [ { - "id": "CVE-2024-9681", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", + "id": "CVE-2024-41996", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", "namespace": "nvd:cpe", - "severity": "Medium", + "severity": "High", "urls": [ - "https://curl.se/docs/CVE-2024-9681.html", - "https://curl.se/docs/CVE-2024-9681.json", - "https://hackerone.com/reports/2764830", - "http://seclists.org/fulldisclosure/2025/Apr/10", - "http://seclists.org/fulldisclosure/2025/Apr/11", - "http://seclists.org/fulldisclosure/2025/Apr/12", - "http://seclists.org/fulldisclosure/2025/Apr/13", - "http://seclists.org/fulldisclosure/2025/Apr/4", - "http://seclists.org/fulldisclosure/2025/Apr/5", - "http://seclists.org/fulldisclosure/2025/Apr/8", - "http://seclists.org/fulldisclosure/2025/Apr/9", - "http://www.openwall.com/lists/oss-security/2024/11/06/2", - "https://security.netapp.com/advisory/ntap-20241213-0006/" + "https://dheatattack.gitlab.io/details/", + "https://dheatattack.gitlab.io/faq/", + "https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" ], - "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug 
is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", + "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", "cvss": [ - { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", - "metrics": { - "baseScore": 6.5, - "exploitabilityScore": 2.3, - "impactScore": 4.3 - }, - "vendorMetadata": {} - }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, + "baseScore": 7.5, + "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} 
@@ -770,25 +722,25 @@ ], "epss": [ { - "cve": "CVE-2024-9681", - "epss": 0.01225, - "percentile": 0.78599, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-9681", - "cwe": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2024-41996", + "cwe": "CWE-295", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ] } ], "matchDetails": [ { - "type": "exact-indirect-match", + "type": "exact-direct-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { @@ -796,21 +748,21 @@ "version": "9.6" }, "package": { - "name": "curl", - "version": "7.76.1-31.el9_6.1" + "name": "openssl", + "version": "1:3.2.2-6.el9_5.1" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-9681", + "vulnerabilityID": "CVE-2024-41996", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "220f5f360bc1aff5", - "name": "libcurl-minimal", - "version": "7.76.1-31.el9_6.1", + "id": "7dc75dc862d10c78", + "name": "openssl", + "version": "1:3.2.2-6.el9_5.1", "type": "rpm", "locations": [ { 
@@ -824,48 +776,37 @@ ], "language": "", "licenses": [ - "MIT" + "ASL 2.0" ], "cpes": [ - "cpe:2.3:a:libcurl-minimal:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl-minimal:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl_minimal:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl_minimal:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:libcurl:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*" - ], - "purl": "pkg:rpm/redhat/libcurl-minimal@7.76.1-31.el9_6.1?arch=x86_64&distro=rhel-9.6&upstream=curl-7.76.1-31.el9_6.1.src.rpm", - "upstreams": [ - { - "name": "curl", - "version": "7.76.1-31.el9_6.1" - } + "cpe:2.3:a:openssl:openssl:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:openssl:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*" ], + "purl": "pkg:rpm/redhat/openssl@3.2.2-6.el9_5.1?arch=x86_64&distro=rhel-9.6&epoch=1&upstream=openssl-3.2.2-6.el9_5.1.src.rpm", + "upstreams": [], "metadataType": "RpmMetadata", "metadata": { - "epoch": null, + "epoch": 1, "modularityLabel": "" } } }, { "vulnerability": { - "id": "CVE-2024-34459", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-34459", + "id": "CVE-2024-41996", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A flaw was found in the xmllint program distributed by the libxml2 package. 
A buffer over-read in the xmlHTMLPrintFileContext function in the xmllint.c file may be triggered when a crafted file is processed with the xmllint program using the `--htmlout` command line option, causing an application crash and resulting in a denial of service.", + "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 5.5, - "exploitabilityScore": 1.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} 
@@ -873,52 +814,45 @@ ], "epss": [ { - "cve": "CVE-2024-34459", - "epss": 0.00847, - "percentile": 0.74208, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-34459", - "cwe": "CWE-122", + "cve": "CVE-2024-41996", + "cwe": "CWE-295", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ], "fix": { "versions": [], - "state": "not-fixed" + "state": "wont-fix" }, "advisories": [], - "risk": 0.35997500000000004 + "risk": 0.30705000000000005 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-34459", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-34459", + "id": "CVE-2024-41996", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", "namespace": "nvd:cpe", "severity": "High", "urls": [ - "https://gitlab.gnome.org/GNOME/libxml2/-/issues/720", - "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.8", - "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.7", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/", - "https://lists.debian.org/debian-lts-announce/2025/07/msg00014.html", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5HVUXKYTBWT3G5DEEQX62STJQBY367NL/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/INKSSLW5VMZIXHRPZBAW4TJUX5SQKARG/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VRDJCNQP32LV56KESUQ5SNZKAJWSZZRI/" + "https://dheatattack.gitlab.io/details/", + "https://dheatattack.gitlab.io/faq/", + 
"https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" ], - "description": "An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c.", + "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", "cvss": [ { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { "baseScore": 7.5, "exploitabilityScore": 3.9, @@ -929,16 +863,16 @@ ], "epss": [ { - "cve": "CVE-2024-34459", - "epss": 0.00847, - "percentile": 0.74208, - "date": "2025-12-14" + "cve": "CVE-2024-41996", + "epss": 0.0069, + "percentile": 0.71123, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-34459", - "cwe": "CWE-122", + "cve": "CVE-2024-41996", + "cwe": "CWE-295", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } @@ -947,7 +881,7 @@ ], "matchDetails": [ { - "type": "exact-direct-match", + "type": "exact-indirect-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { 
@@ -955,21 +889,21 @@ "version": "9.6" }, "package": { - "name": "libxml2", - "version": "0:2.9.13-12.el9_6" + "name": "openssl", + "version": "3.2.2-6.el9_5.1" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-34459", + "vulnerabilityID": "CVE-2024-41996", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "66b25e26e34fcd34", - "name": "libxml2", - "version": "2.9.13-12.el9_6", + "id": "58e683943e8aac02", + "name": "openssl-libs", + "version": "1:3.2.2-6.el9_5.1", "type": "rpm", "locations": [ { 
@@ -983,86 +917,119 @@ ], "language": "", "licenses": [ - "MIT" + "ASL 2.0" ], "cpes": [ - "cpe:2.3:a:libxml2:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*" + "cpe:2.3:a:openssl-libs:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl-libs:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl_libs:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl_libs:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:openssl:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:rpm/redhat/openssl-libs@3.2.2-6.el9_5.1?arch=x86_64&distro=rhel-9.6&epoch=1&upstream=openssl-3.2.2-6.el9_5.1.src.rpm", + "upstreams": [ + { + "name": "openssl", + "version": "3.2.2-6.el9_5.1" + } ], - "purl": "pkg:rpm/redhat/libxml2@2.9.13-12.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libxml2-2.9.13-12.el9_6.src.rpm", - "upstreams": [], "metadataType": "RpmMetadata", "metadata": { - "epoch": null, + "epoch": 1, "modularityLabel": "" } } }, { "vulnerability": { - "id": "CVE-2024-41996", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. 
This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", + "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, - "impactScore": 3.6 + "baseScore": 3.9, + "exploitabilityScore": 1.4, + "impactScore": 2.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ], "fix": { "versions": [], - "state": "wont-fix" + "state": "not-fixed" }, "advisories": [], - "risk": 0.30705000000000005 + "risk": 0.20009999999999997 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-41996", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", "namespace": "nvd:cpe", - "severity": "High", + "severity": "Medium", "urls": [ - "https://dheatattack.gitlab.io/details/", - "https://dheatattack.gitlab.io/faq/", - "https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" + "https://curl.se/docs/CVE-2024-9681.html", + "https://curl.se/docs/CVE-2024-9681.json", + "https://hackerone.com/reports/2764830", + "http://seclists.org/fulldisclosure/2025/Apr/10", + 
"http://seclists.org/fulldisclosure/2025/Apr/11", + "http://seclists.org/fulldisclosure/2025/Apr/12", + "http://seclists.org/fulldisclosure/2025/Apr/13", + "http://seclists.org/fulldisclosure/2025/Apr/4", + "http://seclists.org/fulldisclosure/2025/Apr/5", + "http://seclists.org/fulldisclosure/2025/Apr/8", + "http://seclists.org/fulldisclosure/2025/Apr/9", + "http://www.openwall.com/lists/oss-security/2024/11/06/2", + "https://security.netapp.com/advisory/ntap-20241213-0006/" ], - "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", + "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for 
by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.3, + "impactScore": 4.3 + }, + "vendorMetadata": {} + }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} @@ -1070,25 +1037,25 @@ ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ] } ], "matchDetails": [ { - "type": "exact-direct-match", + "type": "exact-indirect-match", "matcher": "rpm-matcher", "searchedBy": { "distro": { 
@@ -1096,21 +1063,21 @@ "version": "9.6" }, "package": { - "name": "openssl", - "version": "1:3.2.2-6.el9_5.1" + "name": "curl", + "version": "7.76.1-31.el9_6.1" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-41996", + "vulnerabilityID": "CVE-2024-9681", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "7dc75dc862d10c78", - "name": "openssl", - "version": "1:3.2.2-6.el9_5.1", + "id": "707ec843794b77ca", + "name": "curl-minimal", + "version": "7.76.1-31.el9_6.1", "type": "rpm", "locations": [ { 
@@ -1124,86 +1091,119 @@ ], "language": "", "licenses": [ - "ASL 2.0" + "MIT" ], "cpes": [ - "cpe:2.3:a:openssl:openssl:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:openssl:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*" + "cpe:2.3:a:curl-minimal:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:curl-minimal:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:curl_minimal:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:curl_minimal:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:curl:curl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:curl:curl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*" + ], + "purl": "pkg:rpm/redhat/curl-minimal@7.76.1-31.el9_6.1?arch=x86_64&distro=rhel-9.6&upstream=curl-7.76.1-31.el9_6.1.src.rpm", + "upstreams": [ + { + "name": "curl", + "version": "7.76.1-31.el9_6.1" + } ], - "purl": "pkg:rpm/redhat/openssl@3.2.2-6.el9_5.1?arch=x86_64&distro=rhel-9.6&epoch=1&upstream=openssl-3.2.2-6.el9_5.1.src.rpm", - "upstreams": [], "metadataType": "RpmMetadata", "metadata": { - "epoch": 1, + "epoch": null, "modularityLabel": "" } } }, { "vulnerability": { - "id": "CVE-2024-41996", - "dataSource": "https://access.redhat.com/security/cve/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://access.redhat.com/security/cve/CVE-2024-9681", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A vulnerability was found in the Diffie-Hellman Ephemeral (DHE) Key Agreement Protocol, where a malicious client can exploit the server's public key validation process. By forcing the server to use DHE and validating the order of public keys, the client can trigger expensive server-side modular exponentiation calculations. 
This issue results in asymmetric resource consumption, potentially leading to a denial of service (DoS) attack by overwhelming the server with computationally intensive operations.", + "description": "A vulnerability was found in curl. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than intended.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, - "impactScore": 3.6 + "baseScore": 3.9, + "exploitabilityScore": 1.4, + "impactScore": 2.6 }, "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ], "fix": { "versions": [], - "state": "wont-fix" + "state": "not-fixed" }, "advisories": [], - "risk": 0.30705000000000005 + "risk": 0.20009999999999997 }, "relatedVulnerabilities": [ { - "id": "CVE-2024-41996", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-41996", + "id": "CVE-2024-9681", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-9681", "namespace": "nvd:cpe", - "severity": "High", + "severity": "Medium", "urls": [ - "https://dheatattack.gitlab.io/details/", - "https://dheatattack.gitlab.io/faq/", - "https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1" + "https://curl.se/docs/CVE-2024-9681.html", + "https://curl.se/docs/CVE-2024-9681.json", + "https://hackerone.com/reports/2764830", + "http://seclists.org/fulldisclosure/2025/Apr/10", + 
"http://seclists.org/fulldisclosure/2025/Apr/11", + "http://seclists.org/fulldisclosure/2025/Apr/12", + "http://seclists.org/fulldisclosure/2025/Apr/13", + "http://seclists.org/fulldisclosure/2025/Apr/4", + "http://seclists.org/fulldisclosure/2025/Apr/5", + "http://seclists.org/fulldisclosure/2025/Apr/8", + "http://seclists.org/fulldisclosure/2025/Apr/9", + "http://www.openwall.com/lists/oss-security/2024/11/06/2", + "https://security.netapp.com/advisory/ntap-20241213-0006/" ], - "description": "Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.", + "description": "When curl is asked to use HSTS, the expiry time for a subdomain might\noverwrite a parent domain's cache entry, making it end sooner or later than\notherwise intended.\n\nThis affects curl using applications that enable HSTS and use URLs with the\ninsecure `HTTP://` scheme and perform transfers with hosts like\n`x.example.com` as well as `example.com` where the first host is a subdomain\nof the second host.\n\n(The HSTS cache either needs to have been populated manually or there needs to\nhave been previous HTTPS accesses done as the cache needs to have entries for\nthe domains involved to trigger this problem.)\n\nWhen `x.example.com` responds with `Strict-Transport-Security:` headers, this\nbug can make the subdomain's expiry timeout *bleed over* and get set for the\nparent domain `example.com` in curl's HSTS cache.\n\nThe result of a triggered bug is that HTTP accesses to `example.com` get\nconverted to HTTPS for a different period of time than what was asked for 
by\nthe origin server. If `example.com` for example stops supporting HTTPS at its\nexpiry time, curl might then fail to access `http://example.com` until the\n(wrongly set) timeout expires. This bug can also expire the parent's entry\n*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier\nthan otherwise intended.", "cvss": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L", + "metrics": { + "baseScore": 6.5, + "exploitabilityScore": 2.3, + "impactScore": 4.3 + }, + "vendorMetadata": {} + }, { "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} @@ -1211,18 +1211,18 @@ ], "epss": [ { - "cve": "CVE-2024-41996", - "epss": 0.0069, - "percentile": 0.71127, - "date": "2025-12-14" + "cve": "CVE-2024-9681", + "epss": 0.0058, + "percentile": 0.68138, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2024-41996", - "cwe": "CWE-295", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2024-9681", + "cwe": "CWE-697", + "source": "nvd@nist.gov", + "type": "Primary" } ] } @@ -1237,21 +1237,21 @@ "version": "9.6" }, "package": { - "name": "openssl", - "version": "3.2.2-6.el9_5.1" + "name": "curl", + "version": "7.76.1-31.el9_6.1" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2024-41996", + "vulnerabilityID": "CVE-2024-9681", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "58e683943e8aac02", - "name": "openssl-libs", - "version": "1:3.2.2-6.el9_5.1", + "id": "220f5f360bc1aff5", + "name": "libcurl-minimal", + "version": "7.76.1-31.el9_6.1", "type": "rpm", "locations": [ { 
@@ -1265,28 +1265,28 @@ ], "language": "", "licenses": [ - "ASL 2.0" + "MIT" ], "cpes": [ - "cpe:2.3:a:openssl-libs:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl-libs:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl_libs:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl_libs:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:openssl:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:openssl-libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:openssl_libs:1\\:3.2.2-6.el9_5.1:*:*:*:*:*:*:*" + "cpe:2.3:a:libcurl-minimal:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl-minimal:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl_minimal:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl_minimal:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:libcurl:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libcurl-minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libcurl_minimal:7.76.1-31.el9_6.1:*:*:*:*:*:*:*" ], - "purl": "pkg:rpm/redhat/openssl-libs@3.2.2-6.el9_5.1?arch=x86_64&distro=rhel-9.6&epoch=1&upstream=openssl-3.2.2-6.el9_5.1.src.rpm", + "purl": "pkg:rpm/redhat/libcurl-minimal@7.76.1-31.el9_6.1?arch=x86_64&distro=rhel-9.6&upstream=curl-7.76.1-31.el9_6.1.src.rpm", "upstreams": [ { - "name": "openssl", - "version": "3.2.2-6.el9_5.1" + "name": "curl", + "version": "7.76.1-31.el9_6.1" } ], "metadataType": "RpmMetadata", "metadata": { - "epoch": 1, + "epoch": null, "modularityLabel": "" } } @@ -1316,8 +1316,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ], "fix": { 
@@ -1361,8 +1361,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ] } @@ -1456,8 +1456,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ], "fix": { @@ -1501,8 +1501,8 @@ { "cve": "CVE-2024-11053", "epss": 0.00337, - "percentile": 0.55997, - "date": "2025-12-14" + "percentile": 0.55984, + "date": "2025-12-15" } ] } @@ -1596,8 +1596,8 @@ { "cve": "CVE-2025-14087", "epss": 0.00197, - "percentile": 0.41855, - "date": "2025-12-14" + "percentile": 0.41841, + "date": "2025-12-15" } ], "cwes": [ @@ -1644,8 +1644,8 @@ { "cve": "CVE-2025-14087", "epss": 0.00197, - "percentile": 0.41855, - "date": "2025-12-14" + "percentile": 0.41841, + "date": "2025-12-15" } ], "cwes": [ @@ -1736,8 +1736,8 @@ { "cve": "CVE-2023-32636", "epss": 0.00165, - "percentile": 0.38062, - "date": "2025-12-14" + "percentile": 0.38035, + "date": "2025-12-15" } ], "cwes": [ @@ -1803,8 +1803,8 @@ { "cve": "CVE-2023-32636", "epss": 0.00165, - "percentile": 0.38062, - "date": "2025-12-14" + "percentile": 0.38035, + "date": "2025-12-15" } ], "cwes": [ 
@@ -1878,20 +1878,20 @@ }, { "vulnerability": { - "id": "CVE-2025-1632", - "dataSource": "https://access.redhat.com/security/cve/CVE-2025-1632", + "id": "CVE-2025-27113", + "dataSource": "https://access.redhat.com/security/cve/CVE-2025-27113", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A flaw was found in the bsdunzip utility of libarchive. In affected versions, a specially crafted file may trigger a null pointer dereference. This issue can lead to an application crash or other unexpected behavior.", + "description": "A flaw was found in libxml2. This vulnerability allows a NULL pointer dereference, leading to a potential crash or denial of service via a crafted XML pattern.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L", "metrics": { - "baseScore": 3.3, - "exploitabilityScore": 1.9, + "baseScore": 3.1, + "exploitabilityScore": 1.7, "impactScore": 1.5 }, "vendorMetadata": {} @@ -1899,27 +1899,21 @@ ], "epss": [ { - "cve": "CVE-2025-1632", - "epss": 0.00188, - "percentile": 0.40872, - "date": "2025-12-14" + "cve": "CVE-2025-27113", + "epss": 0.00217, + "percentile": 0.44238, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-1632", - "cwe": "CWE-404", - "source": "cna@vuldb.com", - "type": "Secondary" - }, - { - "cve": "CVE-2025-1632", + "cve": "CVE-2025-27113", "cwe": "CWE-476", - "source": "cna@vuldb.com", + "source": "cve@mitre.org", "type": "Secondary" }, { - "cve": "CVE-2025-1632", + "cve": "CVE-2025-27113", "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" 
@@ -1930,92 +1924,71 @@ "state": "not-fixed" }, "advisories": [], - "risk": 0.05921999999999999 + "risk": 0.066185 }, "relatedVulnerabilities": [ { - "id": "CVE-2025-1632", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-1632", + "id": "CVE-2025-27113", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-27113", "namespace": "nvd:cpe", - "severity": "Medium", + "severity": "High", "urls": [ - "https://github.com/Ekkosun/pocs/blob/main/bsdunzip-poc", - "https://vuldb.com/?ctiid.296619", - "https://vuldb.com/?id.296619", - "https://vuldb.com/?submit.496460" + "https://gitlab.gnome.org/GNOME/libxml2/-/issues/861", + "http://seclists.org/fulldisclosure/2025/Apr/10", + "http://seclists.org/fulldisclosure/2025/Apr/11", + "http://seclists.org/fulldisclosure/2025/Apr/12", + "http://seclists.org/fulldisclosure/2025/Apr/13", + "http://seclists.org/fulldisclosure/2025/Apr/4", + "http://seclists.org/fulldisclosure/2025/Apr/5", + "http://seclists.org/fulldisclosure/2025/Apr/8", + "http://seclists.org/fulldisclosure/2025/Apr/9", + "https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html", + "https://security.netapp.com/advisory/ntap-20250306-0004/" ], - "description": "A vulnerability was found in libarchive up to 3.7.7. It has been classified as problematic. This affects the function list of the file bsdunzip.c. The manipulation leads to null pointer dereference. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. 
The vendor was contacted early about this disclosure but did not respond in any way.", + "description": "libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer dereference in xmlPatMatch in pattern.c.", "cvss": [ { "source": "nvd@nist.gov", "type": "Primary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 5.5, - "exploitabilityScore": 1.9, + "baseScore": 7.5, + "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} }, { - "source": "cna@vuldb.com", - "type": "Secondary", - "version": "4.0", - "vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", - "metrics": { - "baseScore": 4.8 - }, - "vendorMetadata": {} - }, - { - "source": "cna@vuldb.com", + "source": "cve@mitre.org", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "metrics": { - "baseScore": 3.3, - "exploitabilityScore": 1.9, + "baseScore": 2.9, + "exploitabilityScore": 1.5, "impactScore": 1.5 }, "vendorMetadata": {} - }, - { - "source": "cna@vuldb.com", - "type": "Secondary", - "version": "2.0", - "vector": "AV:L/AC:L/Au:S/C:N/I:N/A:P", - "metrics": { - "baseScore": 1.7, - "exploitabilityScore": 3.2, - "impactScore": 2.9 - }, - "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2025-1632", - "epss": 0.00188, - "percentile": 0.40872, - "date": "2025-12-14" + "cve": "CVE-2025-27113", + "epss": 0.00217, + "percentile": 0.44238, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-1632", - "cwe": "CWE-404", - "source": "cna@vuldb.com", - "type": "Secondary" - }, - { - "cve": "CVE-2025-1632", + "cve": "CVE-2025-27113", "cwe": "CWE-476", - "source": "cna@vuldb.com", + "source": "cve@mitre.org", "type": "Secondary" }, { - 
"cve": "CVE-2025-1632", + "cve": "CVE-2025-27113", "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" @@ -2033,21 +2006,21 @@ "version": "9.6" }, "package": { - "name": "libarchive", - "version": "0:3.5.3-6.el9_6" + "name": "libxml2", + "version": "0:2.9.13-12.el9_6" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2025-1632", + "vulnerabilityID": "CVE-2025-27113", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "5fe8b53173092253", - "name": "libarchive", - "version": "3.5.3-6.el9_6", + "id": "66b25e26e34fcd34", + "name": "libxml2", + "version": "2.9.13-12.el9_6", "type": "rpm", "locations": [ { @@ -2061,13 +2034,13 @@ ], "language": "", "licenses": [ - "BSD" + "MIT" ], "cpes": [ - "cpe:2.3:a:libarchive:libarchive:3.5.3-6.el9_6:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libarchive:3.5.3-6.el9_6:*:*:*:*:*:*:*" + "cpe:2.3:a:libxml2:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*" ], - "purl": "pkg:rpm/redhat/libarchive@3.5.3-6.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libarchive-3.5.3-6.el9_6.src.rpm", + "purl": "pkg:rpm/redhat/libxml2@2.9.13-12.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libxml2-2.9.13-12.el9_6.src.rpm", "upstreams": [], "metadataType": "RpmMetadata", "metadata": { 
@@ -2078,20 +2051,20 @@ }, { "vulnerability": { - "id": "CVE-2025-27113", - "dataSource": "https://access.redhat.com/security/cve/CVE-2025-27113", + "id": "CVE-2025-1632", + "dataSource": "https://access.redhat.com/security/cve/CVE-2025-1632", "namespace": "redhat:distro:redhat:9", "severity": "Low", "urls": [], - "description": "A flaw was found in libxml2. This vulnerability allows a NULL pointer dereference, leading to a potential crash or denial of service via a crafted XML pattern.", + "description": "A flaw was found in the bsdunzip utility of libarchive. In affected versions, a specially crafted file may trigger a null pointer dereference. This issue can lead to an application crash or other unexpected behavior.", "cvss": [ { "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "metrics": { - "baseScore": 3.1, - "exploitabilityScore": 1.7, + "baseScore": 3.3, + "exploitabilityScore": 1.9, "impactScore": 1.5 }, "vendorMetadata": {} @@ -2099,21 +2072,27 @@ ], "epss": [ { - "cve": "CVE-2025-27113", - "epss": 0.00184, - "percentile": 0.40434, - "date": "2025-12-14" + "cve": "CVE-2025-1632", + "epss": 0.00188, + "percentile": 0.40856, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-27113", + "cve": "CVE-2025-1632", + "cwe": "CWE-404", + "source": "cna@vuldb.com", + "type": "Secondary" + }, + { + "cve": "CVE-2025-1632", "cwe": "CWE-476", - "source": "cve@mitre.org", + "source": "cna@vuldb.com", "type": "Secondary" }, { - "cve": "CVE-2025-27113", + "cve": "CVE-2025-1632", "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" 
@@ -2124,71 +2103,92 @@ "state": "not-fixed" }, "advisories": [], - "risk": 0.056119999999999996 + "risk": 0.05921999999999999 }, "relatedVulnerabilities": [ { - "id": "CVE-2025-27113", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-27113", + "id": "CVE-2025-1632", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-1632", "namespace": "nvd:cpe", - "severity": "High", + "severity": "Medium", "urls": [ - "https://gitlab.gnome.org/GNOME/libxml2/-/issues/861", - "http://seclists.org/fulldisclosure/2025/Apr/10", - "http://seclists.org/fulldisclosure/2025/Apr/11", - "http://seclists.org/fulldisclosure/2025/Apr/12", - "http://seclists.org/fulldisclosure/2025/Apr/13", - "http://seclists.org/fulldisclosure/2025/Apr/4", - "http://seclists.org/fulldisclosure/2025/Apr/5", - "http://seclists.org/fulldisclosure/2025/Apr/8", - "http://seclists.org/fulldisclosure/2025/Apr/9", - "https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html", - "https://security.netapp.com/advisory/ntap-20250306-0004/" + "https://github.com/Ekkosun/pocs/blob/main/bsdunzip-poc", + "https://vuldb.com/?ctiid.296619", + "https://vuldb.com/?id.296619", + "https://vuldb.com/?submit.496460" ], - "description": "libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer dereference in xmlPatMatch in pattern.c.", + "description": "A vulnerability was found in libarchive up to 3.7.7. It has been classified as problematic. This affects the function list of the file bsdunzip.c. The manipulation leads to null pointer dereference. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. 
The vendor was contacted early about this disclosure but did not respond in any way.", "cvss": [ { "source": "nvd@nist.gov", "type": "Primary", "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, + "baseScore": 5.5, + "exploitabilityScore": 1.9, "impactScore": 3.6 }, "vendorMetadata": {} }, { - "source": "cve@mitre.org", + "source": "cna@vuldb.com", + "type": "Secondary", + "version": "4.0", + "vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", + "metrics": { + "baseScore": 4.8 + }, + "vendorMetadata": {} + }, + { + "source": "cna@vuldb.com", "type": "Secondary", "version": "3.1", - "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "metrics": { - "baseScore": 2.9, - "exploitabilityScore": 1.5, + "baseScore": 3.3, + "exploitabilityScore": 1.9, "impactScore": 1.5 }, "vendorMetadata": {} + }, + { + "source": "cna@vuldb.com", + "type": "Secondary", + "version": "2.0", + "vector": "AV:L/AC:L/Au:S/C:N/I:N/A:P", + "metrics": { + "baseScore": 1.7, + "exploitabilityScore": 3.2, + "impactScore": 2.9 + }, + "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2025-27113", - "epss": 0.00184, - "percentile": 0.40434, - "date": "2025-12-14" + "cve": "CVE-2025-1632", + "epss": 0.00188, + "percentile": 0.40856, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-27113", + "cve": "CVE-2025-1632", + "cwe": "CWE-404", + "source": "cna@vuldb.com", + "type": "Secondary" + }, + { + "cve": "CVE-2025-1632", "cwe": "CWE-476", - "source": "cve@mitre.org", + "source": "cna@vuldb.com", "type": "Secondary" }, { - "cve": "CVE-2025-27113", + "cve": "CVE-2025-1632", "cwe": "CWE-476", "source": "nvd@nist.gov", "type": "Primary" 
@@ -2206,21 +2206,21 @@ "version": "9.6" }, "package": { - "name": "libxml2", - "version": "0:2.9.13-12.el9_6" + "name": "libarchive", + "version": "0:3.5.3-6.el9_6" }, "namespace": "redhat:distro:redhat:9" }, "found": { - "vulnerabilityID": "CVE-2025-27113", + "vulnerabilityID": "CVE-2025-1632", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "66b25e26e34fcd34", - "name": "libxml2", - "version": "2.9.13-12.el9_6", + "id": "5fe8b53173092253", + "name": "libarchive", + "version": "3.5.3-6.el9_6", "type": "rpm", "locations": [ { @@ -2234,13 +2234,13 @@ ], "language": "", "licenses": [ - "MIT" + "BSD" ], "cpes": [ - "cpe:2.3:a:libxml2:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*", - "cpe:2.3:a:redhat:libxml2:2.9.13-12.el9_6:*:*:*:*:*:*:*" + "cpe:2.3:a:libarchive:libarchive:3.5.3-6.el9_6:*:*:*:*:*:*:*", + "cpe:2.3:a:redhat:libarchive:3.5.3-6.el9_6:*:*:*:*:*:*:*" ], - "purl": "pkg:rpm/redhat/libxml2@2.9.13-12.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libxml2-2.9.13-12.el9_6.src.rpm", + "purl": "pkg:rpm/redhat/libarchive@3.5.3-6.el9_6?arch=x86_64&distro=rhel-9.6&upstream=libarchive-3.5.3-6.el9_6.src.rpm", "upstreams": [], "metadataType": "RpmMetadata", "metadata": { @@ -2274,8 +2274,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ], "fix": { @@ -2316,8 +2316,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ] } @@ -2411,8 +2411,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ], "fix": { @@ -2453,8 +2453,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ] } 
@@ -2548,8 +2548,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -2607,8 +2607,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -2699,8 +2699,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -2758,8 +2758,8 @@ { "cve": "CVE-2024-13176", "epss": 0.00123, - "percentile": 0.32308, - "date": "2025-12-14" + "percentile": 0.3226, + "date": "2025-12-15" } ], "cwes": [ @@ -2861,8 +2861,8 @@ { "cve": "CVE-2023-45322", "epss": 0.00076, - "percentile": 0.23163, - "date": "2025-12-14" + "percentile": 0.2314, + "date": "2025-12-15" } ], "cwes": [ @@ -2911,8 +2911,8 @@ { "cve": "CVE-2023-45322", "epss": 0.00076, - "percentile": 0.23163, - "date": "2025-12-14" + "percentile": 0.2314, + "date": "2025-12-15" } ], "cwes": [ @@ -3003,8 +3003,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -3051,8 +3051,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -3143,8 +3143,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -3191,8 +3191,8 @@ { "cve": "CVE-2022-41409", "epss": 0.00061, - "percentile": 0.19071, - "date": "2025-12-14" + "percentile": 0.19053, + "date": "2025-12-15" } ], "cwes": [ @@ -3294,8 +3294,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ], "fix": { 
@@ -3337,8 +3337,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ] } @@ -3432,8 +3432,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ], "fix": { @@ -3475,8 +3475,8 @@ { "cve": "CVE-2023-50495", "epss": 0.00051, - "percentile": 0.15858, - "date": "2025-12-14" + "percentile": 0.15825, + "date": "2025-12-15" } ] } @@ -3570,8 +3570,8 @@ { "cve": "CVE-2025-3360", "epss": 0.00068, - "percentile": 0.2117, - "date": "2025-12-14" + "percentile": 0.21148, + "date": "2025-12-15" } ], "cwes": [ @@ -3619,8 +3619,8 @@ { "cve": "CVE-2025-3360", "epss": 0.00068, - "percentile": 0.2117, - "date": "2025-12-14" + "percentile": 0.21148, + "date": "2025-12-15" } ], "cwes": [ @@ -3711,8 +3711,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -3772,8 +3772,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -3869,8 +3869,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -3930,8 +3930,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -4027,8 +4027,8 @@ { "cve": "CVE-2025-4598", "epss": 0.00042, - "percentile": 0.12535, - "date": "2025-12-14" + "percentile": 0.12486, + "date": "2025-12-15" } ], "cwes": [ @@ -4100,8 +4100,8 @@ { "cve": "CVE-2025-4598", "epss": 0.00042, - "percentile": 0.12535, - "date": "2025-12-14" + "percentile": 0.12486, + "date": "2025-12-15" } ], "cwes": [ 
@@ -4206,8 +4206,8 @@ { "cve": "CVE-2025-14512", "epss": 0.00034, - "percentile": 0.09609, - "date": "2025-12-14" + "percentile": 0.09535, + "date": "2025-12-15" } ], "cwes": [ @@ -4254,8 +4254,8 @@ { "cve": "CVE-2025-14512", "epss": 0.00034, - "percentile": 0.09609, - "date": "2025-12-14" + "percentile": 0.09535, + "date": "2025-12-15" } ], "cwes": [ @@ -4349,8 +4349,8 @@ { "cve": "CVE-2025-29478", "epss": 0.00034, - "percentile": 0.09478, - "date": "2025-12-14" + "percentile": 0.09393, + "date": "2025-12-15" } ], "cwes": [ @@ -4441,8 +4441,8 @@ { "cve": "CVE-2025-6965", "epss": 0.00022, - "percentile": 0.05249, - "date": "2025-12-14" + "percentile": 0.05222, + "date": "2025-12-15" } ], "cwes": [ @@ -4518,8 +4518,8 @@ { "cve": "CVE-2025-6965", "epss": 0.00022, - "percentile": 0.05249, - "date": "2025-12-14" + "percentile": 0.05222, + "date": "2025-12-15" } ], "cwes": [ @@ -4624,8 +4624,8 @@ { "cve": "CVE-2023-4156", "epss": 0.00031, - "percentile": 0.08475, - "date": "2025-12-14" + "percentile": 0.08405, + "date": "2025-12-15" } ], "cwes": [ @@ -4690,8 +4690,8 @@ { "cve": "CVE-2023-4156", "epss": 0.00031, - "percentile": 0.08475, - "date": "2025-12-14" + "percentile": 0.08405, + "date": "2025-12-15" } ], "cwes": [ @@ -4788,8 +4788,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ @@ -4864,8 +4864,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ @@ -4965,8 +4965,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ @@ -5041,8 +5041,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ 
@@ -5153,8 +5153,8 @@ { "cve": "CVE-2025-9714", "epss": 0.00024, - "percentile": 0.05691, - "date": "2025-12-14" + "percentile": 0.05683, + "date": "2025-12-15" } ], "cwes": [ @@ -5227,8 +5227,8 @@ { "cve": "CVE-2025-9714", "epss": 0.00024, - "percentile": 0.05691, - "date": "2025-12-14" + "percentile": 0.05683, + "date": "2025-12-15" } ], "cwes": [ @@ -5322,8 +5322,8 @@ { "cve": "CVE-2025-60753", "epss": 0.0002, - "percentile": 0.04699, - "date": "2025-12-14" + "percentile": 0.04656, + "date": "2025-12-15" } ], "cwes": [ @@ -5376,8 +5376,8 @@ { "cve": "CVE-2025-60753", "epss": 0.0002, - "percentile": 0.04699, - "date": "2025-12-14" + "percentile": 0.04656, + "date": "2025-12-15" } ], "cwes": [ @@ -5477,8 +5477,8 @@ { "cve": "CVE-2025-29477", "epss": 0.00019, - "percentile": 0.04132, - "date": "2025-12-14" + "percentile": 0.04084, + "date": "2025-12-15" } ], "cwes": [ @@ -5569,8 +5569,8 @@ { "cve": "CVE-2025-13601", "epss": 0.00015, - "percentile": 0.02458, - "date": "2025-12-14" + "percentile": 0.0245, + "date": "2025-12-15" } ], "cwes": [ @@ -5619,8 +5619,8 @@ { "cve": "CVE-2025-13601", "epss": 0.00015, - "percentile": 0.02458, - "date": "2025-12-14" + "percentile": 0.0245, + "date": "2025-12-15" } ], "cwes": [ @@ -5711,8 +5711,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ], "fix": { @@ -5753,8 +5753,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ] } @@ -5848,8 +5848,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ], "fix": { @@ -5890,8 +5890,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ] } 
@@ -5985,8 +5985,8 @@ { "cve": "CVE-2025-5915", "epss": 0.00026, - "percentile": 0.06449, - "date": "2025-12-14" + "percentile": 0.06425, + "date": "2025-12-15" } ], "cwes": [ @@ -6047,8 +6047,8 @@ { "cve": "CVE-2025-5915", "epss": 0.00026, - "percentile": 0.06449, - "date": "2025-12-14" + "percentile": 0.06425, + "date": "2025-12-15" } ], "cwes": [ @@ -6139,8 +6139,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -6192,8 +6192,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -6284,8 +6284,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -6337,8 +6337,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -6440,8 +6440,8 @@ { "cve": "CVE-2025-5916", "epss": 0.00023, - "percentile": 0.05378, - "date": "2025-12-14" + "percentile": 0.05349, + "date": "2025-12-15" } ], "cwes": [ @@ -6502,8 +6502,8 @@ { "cve": "CVE-2025-5916", "epss": 0.00023, - "percentile": 0.05378, - "date": "2025-12-14" + "percentile": 0.05349, + "date": "2025-12-15" } ], "cwes": [ @@ -6594,8 +6594,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -6642,8 +6642,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -6739,8 +6739,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ 
@@ -6787,8 +6787,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -6884,8 +6884,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -6932,8 +6932,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -7029,8 +7029,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -7077,8 +7077,8 @@ { "cve": "CVE-2025-14104", "epss": 0.00014, - "percentile": 0.01837, - "date": "2025-12-14" + "percentile": 0.01829, + "date": "2025-12-15" } ], "cwes": [ @@ -7174,8 +7174,8 @@ { "cve": "CVE-2025-5278", "epss": 0.00016, - "percentile": 0.02784, - "date": "2025-12-14" + "percentile": 0.02777, + "date": "2025-12-15" } ], "cwes": [ @@ -7228,8 +7228,8 @@ { "cve": "CVE-2025-5278", "epss": 0.00016, - "percentile": 0.02784, - "date": "2025-12-14" + "percentile": 0.02777, + "date": "2025-12-15" } ], "cwes": [ @@ -7331,8 +7331,8 @@ { "cve": "CVE-2023-30571", "epss": 0.00014, - "percentile": 0.02021, - "date": "2025-12-14" + "percentile": 0.02012, + "date": "2025-12-15" } ], "cwes": [ @@ -7397,8 +7397,8 @@ { "cve": "CVE-2023-30571", "epss": 0.00014, - "percentile": 0.02021, - "date": "2025-12-14" + "percentile": 0.02012, + "date": "2025-12-15" } ], "cwes": [ @@ -7495,8 +7495,8 @@ { "cve": "CVE-2025-30258", "epss": 0.00025, - "percentile": 0.05983, - "date": "2025-12-14" + "percentile": 0.0597, + "date": "2025-12-15" } ], "cwes": [ @@ -7556,8 +7556,8 @@ { "cve": "CVE-2025-30258", "epss": 0.00025, - "percentile": 0.05983, - "date": "2025-12-14" + "percentile": 0.0597, + "date": "2025-12-15" } ], "cwes": [ 
@@ -7648,8 +7648,8 @@ { "cve": "CVE-2024-0232", "epss": 0.00018, - "percentile": 0.03785, - "date": "2025-12-14" + "percentile": 0.03749, + "date": "2025-12-15" } ], "cwes": [ @@ -7716,8 +7716,8 @@ { "cve": "CVE-2024-0232", "epss": 0.00018, - "percentile": 0.03785, - "date": "2025-12-14" + "percentile": 0.03749, + "date": "2025-12-15" } ], "cwes": [ @@ -7825,8 +7825,8 @@ { "cve": "CVE-2025-5918", "epss": 0.00019, - "percentile": 0.04307, - "date": "2025-12-14" + "percentile": 0.04264, + "date": "2025-12-15" } ], "cwes": [ @@ -7887,8 +7887,8 @@ { "cve": "CVE-2025-5918", "epss": 0.00019, - "percentile": 0.04307, - "date": "2025-12-14" + "percentile": 0.04264, + "date": "2025-12-15" } ], "cwes": [ @@ -7979,8 +7979,8 @@ { "cve": "CVE-2022-3219", "epss": 0.00012, - "percentile": 0.01397, - "date": "2025-12-14" + "percentile": 0.01394, + "date": "2025-12-15" } ], "cwes": [ @@ -8049,8 +8049,8 @@ { "cve": "CVE-2022-3219", "epss": 0.00012, - "percentile": 0.01397, - "date": "2025-12-14" + "percentile": 0.01394, + "date": "2025-12-15" } ], "cwes": [ @@ -8147,8 +8147,8 @@ { "cve": "CVE-2025-5917", "epss": 0.00019, - "percentile": 0.04396, - "date": "2025-12-14" + "percentile": 0.04351, + "date": "2025-12-15" } ], "cwes": [ @@ -8209,8 +8209,8 @@ { "cve": "CVE-2025-5917", "epss": 0.00019, - "percentile": 0.04396, - "date": "2025-12-14" + "percentile": 0.04351, + "date": "2025-12-15" } ], "cwes": [ @@ -8301,8 +8301,8 @@ { "cve": "CVE-2025-6170", "epss": 0.00017, - "percentile": 0.03384, - "date": "2025-12-14" + "percentile": 0.03368, + "date": "2025-12-15" } ], "cwes": [ @@ -8362,8 +8362,8 @@ { "cve": "CVE-2025-6170", "epss": 0.00017, - "percentile": 0.03384, - "date": "2025-12-14" + "percentile": 0.03368, + "date": "2025-12-15" } ], "cwes": [ 
@@ -8890,87 +8890,87 @@ "db": { "status": { "schemaVersion": "v6.1.3", - "from": "https://grype.anchore.io/databases/v6/vulnerability-db_v6.1.3_2025-12-15T00:26:22Z_1765786837.tar.zst?checksum=sha256%3A819b50d22f073b9ab2ad3c00d212207037c07e1de037f81b528b58717b758db2", - "built": "2025-12-15T08:20:37Z", + "from": "https://grype.anchore.io/databases/v6/vulnerability-db_v6.1.3_2025-12-16T00:25:11Z_1765880790.tar.zst?checksum=sha256%3Aa8bb3ef2cc68f242e78cda1e451f290ff56a23b1063de65d22a0ac20e16ae5bd", + "built": "2025-12-16T10:26:30Z", "path": ".cache/grype/db/6/vulnerability.db", "valid": true }, "providers": { "alma": { - "captured": "2025-12-15T00:26:29Z", + "captured": "2025-12-16T00:25:17Z", "input": "xxh64:3bae44c7a22f7a7a" }, "alpine": { - "captured": "2025-12-15T00:26:22Z", - "input": "xxh64:a6910ebae352b990" + "captured": "2025-12-16T00:25:13Z", + "input": "xxh64:0d94cc3d895e96e4" }, "amazon": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:d9332811ab10da09" + "captured": "2025-12-16T00:25:14Z", + "input": "xxh64:96351b3c21f16cdd" }, "bitnami": { - "captured": "2025-12-15T00:26:31Z", - "input": "xxh64:1ecf12b668dea077" + "captured": "2025-12-16T00:25:26Z", + "input": "xxh64:01d096e52d6c584d" }, "chainguard": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:c788b1823558ccdc" + "captured": "2025-12-16T00:25:19Z", + "input": "xxh64:aeb142b1fabd05ef" }, "chainguard-libraries": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:61125e10198fff74" + "captured": "2025-12-16T00:25:25Z", + "input": "xxh64:131c1a3e98113468" }, "debian": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:3a0aef0ee5db3f38" + "captured": "2025-12-16T00:25:24Z", + "input": "xxh64:9c5942d58a5f0d0a" }, "echo": { - "captured": "2025-12-15T00:26:34Z", - "input": "xxh64:b407f1052619408a" + "captured": "2025-12-16T00:25:20Z", + "input": "xxh64:e65ed35a7a7899d0" }, "epss": { - "captured": "2025-12-15T00:26:28Z", - "input": "xxh64:05fd1e2ee709d2a5" + "captured": 
"2025-12-16T00:25:21Z", + "input": "xxh64:c443dbaf0209cf17" }, "github": { - "captured": "2025-12-15T00:26:44Z", - "input": "xxh64:3c7fd996a88f1c66" + "captured": "2025-12-16T00:25:21Z", + "input": "xxh64:640038905439d285" }, "kev": { - "captured": "2025-12-15T00:26:23Z", - "input": "xxh64:ed425533655d771d" + "captured": "2025-12-16T00:25:11Z", + "input": "xxh64:c28f5b32e2103243" }, "mariner": { - "captured": "2025-12-15T00:26:32Z", - "input": "xxh64:6fdbff1192df3158" + "captured": "2025-12-16T00:25:18Z", + "input": "xxh64:647810a8c07a63eb" }, "minimos": { - "captured": "2025-12-15T00:26:30Z", - "input": "xxh64:66fa9397e7abbbe3" + "captured": "2025-12-16T00:25:20Z", + "input": "xxh64:24ca3b7889974a27" }, "nvd": { - "captured": "2025-12-15T00:29:34Z", - "input": "xxh64:52a15157244d2eb4" + "captured": "2025-12-16T00:28:18Z", + "input": "xxh64:8ee1877e9a9e680b" }, "oracle": { - "captured": "2025-12-15T00:26:29Z", - "input": "xxh64:a3297070ed6c54c1" + "captured": "2025-12-16T00:25:23Z", + "input": "xxh64:a4416b6b3e4250df" }, "rhel": { - "captured": "2025-12-15T00:27:19Z", - "input": "xxh64:e625d0086bf187f1" + "captured": "2025-12-16T00:26:07Z", + "input": "xxh64:9911b1a567d8f57c" }, "sles": { - "captured": "2025-12-15T00:26:44Z", - "input": "xxh64:baf8228a110f8ba2" + "captured": "2025-12-16T00:25:43Z", + "input": "xxh64:1b717d5f2e45fdee" }, "ubuntu": { - "captured": "2025-12-15T00:27:45Z", - "input": "xxh64:dd0f79d777310979" + "captured": "2025-12-16T00:27:14Z", + "input": "xxh64:2d3097578288b46f" }, "wolfi": { - "captured": "2025-12-15T00:26:25Z", - "input": "xxh64:7f14313934ae61bb" + "captured": "2025-12-16T00:25:19Z", + "input": "xxh64:f85923693eb62700" } } } diff --git a/docs/security/agent/grype-25.9.5.md b/docs/security/agent/grype-25.9.5.md index e8cded9..b29e521 100644 --- a/docs/security/agent/grype-25.9.5.md +++ b/docs/security/agent/grype-25.9.5.md 
@@ -30,16 +30,16 @@ Refer to the [triaged vulnerabilities](https://docs.fluent.do/security/triaged.h | curl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-7264](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7264) | Low | | libcurl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-7264](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7264) | Low | | shadow-utils | 2:4.9-12.el9 | [CVE-2024-56433](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-56433) | Low | -| curl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | -| libcurl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | | libxml2 | 2.9.13-12.el9_6 | [CVE-2024-34459](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34459) | Low | | openssl | 1:3.2.2-6.el9_5.1 | [CVE-2024-41996](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41996) | Low | | openssl-libs | 1:3.2.2-6.el9_5.1 | [CVE-2024-41996](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41996) | Low | +| curl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | +| libcurl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-9681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9681) | Low | | curl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-11053](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-11053) | Low | | libcurl-minimal | 7.76.1-31.el9_6.1 | [CVE-2024-11053](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-11053) | Low | | glib2 | 2.68.4-16.el9_6.2 | [CVE-2023-32636](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32636) | Low | -| libarchive | 3.5.3-6.el9_6 | [CVE-2025-1632](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1632) | Low | | libxml2 | 2.9.13-12.el9_6 | [CVE-2025-27113](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27113) | Low | +| libarchive | 3.5.3-6.el9_6 | 
[CVE-2025-1632](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1632) | Low | | openssl | 1:3.2.2-6.el9_5.1 | [CVE-2024-13176](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13176) | Low | | openssl-libs | 1:3.2.2-6.el9_5.1 | [CVE-2024-13176](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13176) | Low | | libxml2 | 2.9.13-12.el9_6 | [CVE-2023-45322](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45322) | Low | diff --git a/docs/security/oss/grype-4.0.10.json b/docs/security/oss/grype-4.0.10.json index ddcc187..be31832 100644 --- a/docs/security/oss/grype-4.0.10.json +++ b/docs/security/oss/grype-4.0.10.json @@ -26,8 +26,8 @@ { "cve": "CVE-2023-2953", "epss": 0.01466, - "percentile": 0.80391, - "date": "2025-12-14" + "percentile": 0.80389, + "date": "2025-12-15" } ], "cwes": [ @@ -105,8 +105,8 @@ { "cve": "CVE-2023-2953", "epss": 0.01466, - "percentile": 0.80391, - "date": "2025-12-14" + "percentile": 0.80389, + "date": "2025-12-15" } ], "cwes": [ @@ -202,8 +202,8 @@ { "cve": "CVE-2011-3389", "epss": 0.03795, - "percentile": 0.8769, - "date": "2025-12-14" + "percentile": 0.87688, + "date": "2025-12-15" } ], "cwes": [ @@ -337,8 +337,8 @@ { "cve": "CVE-2011-3389", "epss": 0.03795, - "percentile": 0.8769, - "date": "2025-12-14" + "percentile": 0.87688, + "date": "2025-12-15" } ], "cwes": [ @@ -413,8 +413,8 @@ { "cve": "CVE-2015-3276", "epss": 0.02852, - "percentile": 0.8578, - "date": "2025-12-14" + "percentile": 0.85775, + "date": "2025-12-15" } ], "fix": { @@ -467,8 +467,8 @@ { "cve": "CVE-2015-3276", "epss": 0.02852, - "percentile": 0.8578, - "date": "2025-12-14" + "percentile": 0.85775, + "date": "2025-12-15" } ] } @@ -544,8 +544,8 @@ { "cve": "CVE-2018-20796", "epss": 0.01669, - "percentile": 0.8162, - "date": "2025-12-14" + "percentile": 0.81616, + "date": "2025-12-15" } ], "cwes": [ 
@@ -607,8 +607,8 @@ { "cve": "CVE-2018-20796", "epss": 0.01669, - "percentile": 0.8162, - "date": "2025-12-14" + "percentile": 0.81616, + "date": "2025-12-15" } ], "cwes": [ @@ -702,8 +702,8 @@ { "cve": "CVE-2017-17740", "epss": 0.01643, - "percentile": 0.81471, - "date": "2025-12-14" + "percentile": 0.81467, + "date": "2025-12-15" } ], "cwes": [ @@ -765,8 +765,8 @@ { "cve": "CVE-2017-17740", "epss": 0.01643, - "percentile": 0.81471, - "date": "2025-12-14" + "percentile": 0.81467, + "date": "2025-12-15" } ], "cwes": [ @@ -863,8 +863,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ], "fix": { @@ -905,8 +905,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ] } @@ -973,8 +973,8 @@ { "cve": "CVE-2019-9192", "epss": 0.00942, - "percentile": 0.75629, - "date": "2025-12-14" + "percentile": 0.75628, + "date": "2025-12-15" } ], "cwes": [ @@ -1033,8 +1033,8 @@ { "cve": "CVE-2019-9192", "epss": 0.00942, - "percentile": 0.75629, - "date": "2025-12-14" + "percentile": 0.75628, + "date": "2025-12-15" } ], "cwes": [ @@ -1128,8 +1128,8 @@ { "cve": "CVE-2025-0725", "epss": 0.00904, - "percentile": 0.75077, - "date": "2025-12-14" + "percentile": 0.7508, + "date": "2025-12-15" } ], "cwes": [ @@ -1182,8 +1182,8 @@ { "cve": "CVE-2025-0725", "epss": 0.00904, - "percentile": 0.75077, - "date": "2025-12-14" + "percentile": 0.7508, + "date": "2025-12-15" } ], "cwes": [ @@ -1271,8 +1271,8 @@ { "cve": "CVE-2025-10148", "epss": 0.0007, - "percentile": 0.21525, - "date": "2025-12-14" + "percentile": 0.21504, + "date": "2025-12-15" } ], "fix": { @@ -1315,8 +1315,8 @@ { "cve": "CVE-2025-10148", "epss": 0.0007, - "percentile": 0.21525, - "date": "2025-12-14" + "percentile": 0.21504, + "date": "2025-12-15" } ] } 
@@ -1383,8 +1383,8 @@ { "cve": "CVE-2010-4756", "epss": 0.00691, - "percentile": 0.71132, - "date": "2025-12-14" + "percentile": 0.71128, + "date": "2025-12-15" } ], "cwes": [ @@ -1435,8 +1435,8 @@ { "cve": "CVE-2010-4756", "epss": 0.00691, - "percentile": 0.71132, - "date": "2025-12-14" + "percentile": 0.71128, + "date": "2025-12-15" } ], "cwes": [ 
@@ -1519,96 +1519,94 @@ }, { "vulnerability": { - "id": "CVE-2018-6829", - "dataSource": "https://security-tracker.debian.org/tracker/CVE-2018-6829", + "id": "CVE-2025-12818", + "dataSource": "https://security-tracker.debian.org/tracker/CVE-2025-12818", "namespace": "debian:distro:debian:12", - "severity": "Negligible", + "severity": "Medium", "urls": [], - "description": "cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.", - "cvss": [], + "description": "Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application using libpq. 
Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.", + "cvss": [ + { + "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.9, + "exploitabilityScore": 2.3, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ], "epss": [ { - "cve": "CVE-2018-6829", - "epss": 0.00577, - "percentile": 0.68044, - "date": "2025-12-14" + "cve": "CVE-2025-12818", + "epss": 0.00057, + "percentile": 0.1792, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2018-6829", - "cwe": "CWE-327", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2025-12818", + "cwe": "CWE-190", + "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", + "type": "Secondary" } ], "fix": { "versions": [], - "state": "not-fixed" + "state": "wont-fix" }, "advisories": [], - "risk": 0.02885 + "risk": 0.031065 }, "relatedVulnerabilities": [ { - "id": "CVE-2018-6829", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2018-6829", + "id": "CVE-2025-12818", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-12818", "namespace": "nvd:cpe", - "severity": "High", + "severity": "Medium", "urls": [ - "https://github.com/weikengchen/attack-on-libgcrypt-elgamal", - "https://github.com/weikengchen/attack-on-libgcrypt-elgamal/wiki", - "https://lists.gnupg.org/pipermail/gcrypt-devel/2018-February/004394.html", - "https://www.oracle.com/security-alerts/cpujan2020.html" + "https://www.postgresql.org/support/security/CVE-2025-12818/" ], - "description": "cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). 
The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.", + "description": "Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application using libpq. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.", "cvss": [ { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "3.0", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} - }, - { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "2.0", - "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", - "metrics": { - "baseScore": 5, - "exploitabilityScore": 10, - "impactScore": 2.9 - }, - "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2018-6829", - "epss": 0.00577, - "percentile": 0.68044, - "date": "2025-12-14" + "cve": "CVE-2025-12818", + "epss": 0.00057, + "percentile": 0.1792, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2018-6829", - "cwe": "CWE-327", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2025-12818", + "cwe": "CWE-190", + "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", + "type": "Secondary" } ] } ], "matchDetails": [ { - "type": "exact-direct-match", + "type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": { "distro": { 
@@ -1616,27 +1614,27 @@ "version": "12" }, "package": { - "name": "libgcrypt20", - "version": "1.10.1-3" + "name": "postgresql-15", + "version": "15.14-0+deb12u1" }, "namespace": "debian:distro:debian:12" }, "found": { - "vulnerabilityID": "CVE-2018-6829", + "vulnerabilityID": "CVE-2025-12818", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "aa143951e2980797", - "name": "libgcrypt20", - "version": "1.10.1-3", + "id": "da0ab4ee51b298d8", + "name": "libpq5", + "version": "15.14-0+deb12u1", "type": "deb", "locations": [ { - "path": "/var/lib/dpkg/status.d/libgcrypt20", + "path": "/var/lib/dpkg/status.d/libpq5", "layerID": "sha256:b4a39b70e964ebebbece567bb17d6f8248c6267b5bda8c42de06b7037fa560b5", - "accessPath": "/var/lib/dpkg/status.d/libgcrypt20", + "accessPath": "/var/lib/dpkg/status.d/libpq5", "annotations": { "evidence": "primary" } 
@@ -1645,102 +1643,108 @@ "language": "", "licenses": [], "cpes": [ - "cpe:2.3:a:libgcrypt20:libgcrypt20:1.10.1-3:*:*:*:*:*:*:*" + "cpe:2.3:a:libpq5:libpq5:15.14-0\\+deb12u1:*:*:*:*:*:*:*" ], - "purl": "pkg:deb/debian/libgcrypt20@1.10.1-3?arch=amd64&distro=debian-12", - "upstreams": [] + "purl": "pkg:deb/debian/libpq5@15.14-0%2Bdeb12u1?arch=amd64&distro=debian-12&upstream=postgresql-15", + "upstreams": [ + { + "name": "postgresql-15" + } + ] } }, { "vulnerability": { - "id": "CVE-2025-12818", - "dataSource": "https://security-tracker.debian.org/tracker/CVE-2025-12818", + "id": "CVE-2018-6829", + "dataSource": "https://security-tracker.debian.org/tracker/CVE-2018-6829", "namespace": "debian:distro:debian:12", - "severity": "Medium", + "severity": "Negligible", "urls": [], - "description": "Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application using libpq. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.", - "cvss": [ - { - "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", - "type": "Secondary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", - "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, - "impactScore": 3.6 - }, - "vendorMetadata": {} - } - ], + "description": "cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). 
The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.", + "cvss": [], "epss": [ { - "cve": "CVE-2025-12818", - "epss": 0.00052, - "percentile": 0.16429, - "date": "2025-12-14" + "cve": "CVE-2018-6829", + "epss": 0.00577, + "percentile": 0.6804, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-12818", - "cwe": "CWE-190", - "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", - "type": "Secondary" + "cve": "CVE-2018-6829", + "cwe": "CWE-327", + "source": "nvd@nist.gov", + "type": "Primary" } ], "fix": { "versions": [], - "state": "wont-fix" + "state": "not-fixed" }, "advisories": [], - "risk": 0.02834 + "risk": 0.02885 }, "relatedVulnerabilities": [ { - "id": "CVE-2025-12818", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-12818", + "id": "CVE-2018-6829", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2018-6829", "namespace": "nvd:cpe", - "severity": "Medium", + "severity": "High", "urls": [ - "https://www.postgresql.org/support/security/CVE-2025-12818/" + "https://github.com/weikengchen/attack-on-libgcrypt-elgamal", + "https://github.com/weikengchen/attack-on-libgcrypt-elgamal/wiki", + "https://lists.gnupg.org/pipermail/gcrypt-devel/2018-February/004394.html", + "https://www.oracle.com/security-alerts/cpujan2020.html" ], - "description": "Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application using libpq. 
Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.", + "description": "cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.", "cvss": [ { - "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", - "type": "Secondary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.0", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, + "baseScore": 7.5, + "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", + "metrics": { + "baseScore": 5, + "exploitabilityScore": 10, + "impactScore": 2.9 + }, + "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2025-12818", - "epss": 0.00052, - "percentile": 0.16429, - "date": "2025-12-14" + "cve": "CVE-2018-6829", + "epss": 0.00577, + "percentile": 0.6804, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-12818", - "cwe": "CWE-190", - "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", - "type": "Secondary" + "cve": "CVE-2018-6829", + "cwe": "CWE-327", + "source": "nvd@nist.gov", + "type": "Primary" } ] } ], "matchDetails": [ { - "type": "exact-indirect-match", + "type": "exact-direct-match", "matcher": "dpkg-matcher", "searchedBy": { "distro": { 
@@ -1748,27 +1752,27 @@ "version": "12" }, "package": { - "name": "postgresql-15", - "version": "15.14-0+deb12u1" + "name": "libgcrypt20", + "version": "1.10.1-3" }, "namespace": "debian:distro:debian:12" }, "found": { - "vulnerabilityID": "CVE-2025-12818", + "vulnerabilityID": "CVE-2018-6829", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "da0ab4ee51b298d8", - "name": "libpq5", - "version": "15.14-0+deb12u1", + "id": "aa143951e2980797", + "name": "libgcrypt20", + "version": "1.10.1-3", "type": "deb", "locations": [ { - "path": "/var/lib/dpkg/status.d/libpq5", + "path": "/var/lib/dpkg/status.d/libgcrypt20", "layerID": "sha256:b4a39b70e964ebebbece567bb17d6f8248c6267b5bda8c42de06b7037fa560b5", - "accessPath": "/var/lib/dpkg/status.d/libpq5", + "accessPath": "/var/lib/dpkg/status.d/libgcrypt20", "annotations": { "evidence": "primary" } @@ -1777,14 +1781,10 @@ "language": "", "licenses": [], "cpes": [ - "cpe:2.3:a:libpq5:libpq5:15.14-0\\+deb12u1:*:*:*:*:*:*:*" + "cpe:2.3:a:libgcrypt20:libgcrypt20:1.10.1-3:*:*:*:*:*:*:*" ], - "purl": "pkg:deb/debian/libpq5@15.14-0%2Bdeb12u1?arch=amd64&distro=debian-12&upstream=postgresql-15", - "upstreams": [ - { - "name": "postgresql-15" - } - ] + "purl": "pkg:deb/debian/libgcrypt20@1.10.1-3?arch=amd64&distro=debian-12", + "upstreams": [] } }, { @@ -1800,8 +1800,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -1860,8 +1860,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -1945,8 +1945,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ 
@@ -2005,8 +2005,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -2081,8 +2081,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -2141,8 +2141,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -2222,8 +2222,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -2282,8 +2282,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -2371,8 +2371,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ @@ -2447,8 +2447,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ @@ -2553,8 +2553,8 @@ { "cve": "CVE-2019-1010024", "epss": 0.00364, - "percentile": 0.5785, - "date": "2025-12-14" + "percentile": 0.57833, + "date": "2025-12-15" } ], "cwes": [ @@ -2617,8 +2617,8 @@ { "cve": "CVE-2019-1010024", "epss": 0.00364, - "percentile": 0.5785, - "date": "2025-12-14" + "percentile": 0.57833, + "date": "2025-12-15" } ], "cwes": [ @@ -2727,8 +2727,8 @@ { "cve": "CVE-2025-29478", "epss": 0.00034, - "percentile": 0.09478, - "date": "2025-12-14" + "percentile": 0.09393, + "date": "2025-12-15" } ], "cwes": [ @@ -2807,8 +2807,8 @@ { "cve": "CVE-2019-1010025", "epss": 0.00356, - "percentile": 0.5727, - "date": "2025-12-14" + "percentile": 0.57254, + "date": "2025-12-15" } ], "cwes": [ 
@@ -2870,8 +2870,8 @@ { "cve": "CVE-2019-1010025", "epss": 0.00356, - "percentile": 0.5727, - "date": "2025-12-14" + "percentile": 0.57254, + "date": "2025-12-15" } ], "cwes": [ @@ -2965,8 +2965,8 @@ { "cve": "CVE-2019-1010023", "epss": 0.00346, - "percentile": 0.5661, - "date": "2025-12-14" + "percentile": 0.56596, + "date": "2025-12-15" } ], "fix": { @@ -3032,8 +3032,8 @@ { "cve": "CVE-2019-1010023", "epss": 0.00346, - "percentile": 0.5661, - "date": "2025-12-14" + "percentile": 0.56596, + "date": "2025-12-15" } ] } @@ -3132,8 +3132,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -3199,8 +3199,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -3311,9 +3311,9 @@ "epss": [ { "cve": "CVE-2025-12817", - "epss": 0.0004, - "percentile": 0.11878, - "date": "2025-12-14" + "epss": 0.00046, + "percentile": 0.14034, + "date": "2025-12-15" } ], "cwes": [ @@ -3329,7 +3329,7 @@ "state": "wont-fix" }, "advisories": [], - "risk": 0.012199999999999999 + "risk": 0.014029999999999999 }, "relatedVulnerabilities": [ { @@ -3358,9 +3358,9 @@ "epss": [ { "cve": "CVE-2025-12817", - "epss": 0.0004, - "percentile": 0.11878, - "date": "2025-12-14" + "epss": 0.00046, + "percentile": 0.14034, + "date": "2025-12-15" } ], "cwes": [ @@ -3435,8 +3435,8 @@ { "cve": "CVE-2024-2236", "epss": 0.00222, - "percentile": 0.44746, - "date": "2025-12-14" + "percentile": 0.44727, + "date": "2025-12-15" } ], "cwes": [ @@ -3487,8 +3487,8 @@ { "cve": "CVE-2024-2236", "epss": 0.00222, - "percentile": 0.44746, - "date": "2025-12-14" + "percentile": 0.44727, + "date": "2025-12-15" } ], "cwes": [ @@ -3559,8 +3559,8 @@ { "cve": "CVE-2020-15719", "epss": 0.00216, - "percentile": 0.44145, - "date": "2025-12-14" + "percentile": 0.44125, + "date": "2025-12-15" } ], "cwes": [ 
@@ -3624,8 +3624,8 @@ { "cve": "CVE-2020-15719", "epss": 0.00216, - "percentile": 0.44145, - "date": "2025-12-14" + "percentile": 0.44125, + "date": "2025-12-15" } ], "cwes": [ @@ -3709,8 +3709,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -3757,8 +3757,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -3842,8 +3842,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -3890,8 +3890,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -3966,8 +3966,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -4014,8 +4014,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -4095,8 +4095,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -4143,8 +4143,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -4219,8 +4219,8 @@ { "cve": "CVE-2024-2379", "epss": 0.00205, - "percentile": 0.42752, - "date": "2025-12-14" + "percentile": 0.42737, + "date": "2025-12-15" } ], "cwes": [ @@ -4276,8 +4276,8 @@ { "cve": "CVE-2024-2379", "epss": 0.00205, - "percentile": 0.42752, - "date": "2025-12-14" + "percentile": 0.42737, + "date": "2025-12-15" } ], "cwes": [ 
@@ -4367,8 +4367,8 @@ { "cve": "CVE-2025-29477", "epss": 0.00019, - "percentile": 0.04132, - "date": "2025-12-14" + "percentile": 0.04084, + "date": "2025-12-15" } ], "cwes": [ @@ -4447,8 +4447,8 @@ { "cve": "CVE-2019-1010022", "epss": 0.00145, - "percentile": 0.35451, - "date": "2025-12-14" + "percentile": 0.35413, + "date": "2025-12-15" } ], "cwes": [ @@ -4509,8 +4509,8 @@ { "cve": "CVE-2019-1010022", "epss": 0.00145, - "percentile": 0.35451, - "date": "2025-12-14" + "percentile": 0.35413, + "date": "2025-12-15" } ], "cwes": [ @@ -4604,8 +4604,8 @@ { "cve": "CVE-2023-31437", "epss": 0.00128, - "percentile": 0.32956, - "date": "2025-12-14" + "percentile": 0.32907, + "date": "2025-12-15" } ], "cwes": [ @@ -4671,8 +4671,8 @@ { "cve": "CVE-2023-31437", "epss": 0.00128, - "percentile": 0.32956, - "date": "2025-12-14" + "percentile": 0.32907, + "date": "2025-12-15" } ], "cwes": [ @@ -4753,8 +4753,8 @@ { "cve": "CVE-2023-31437", "epss": 0.00128, - "percentile": 0.32956, - "date": "2025-12-14" + "percentile": 0.32907, + "date": "2025-12-15" } ], "cwes": [ @@ -4820,8 +4820,8 @@ { "cve": "CVE-2023-31437", "epss": 0.00128, - "percentile": 0.32956, - "date": "2025-12-14" + "percentile": 0.32907, + "date": "2025-12-15" } ], "cwes": [ @@ -4898,8 +4898,8 @@ { "cve": "CVE-2017-14159", "epss": 0.00123, - "percentile": 0.32248, - "date": "2025-12-14" + "percentile": 0.32198, + "date": "2025-12-15" } ], "cwes": [ @@ -4958,8 +4958,8 @@ { "cve": "CVE-2017-14159", "epss": 0.00123, - "percentile": 0.32248, - "date": "2025-12-14" + "percentile": 0.32198, + "date": "2025-12-15" } ], "cwes": [ @@ -5043,8 +5043,8 @@ { "cve": "CVE-2023-31438", "epss": 0.001, - "percentile": 0.2847, - "date": "2025-12-14" + "percentile": 0.28437, + "date": "2025-12-15" } ], "cwes": [ @@ -5093,8 +5093,8 @@ { "cve": "CVE-2023-31438", "epss": 0.001, - "percentile": 0.2847, - "date": "2025-12-14" + "percentile": 0.28437, + "date": "2025-12-15" } ], "cwes": [ 
@@ -5169,8 +5169,8 @@ { "cve": "CVE-2023-31438", "epss": 0.001, - "percentile": 0.2847, - "date": "2025-12-14" + "percentile": 0.28437, + "date": "2025-12-15" } ], "cwes": [ @@ -5219,8 +5219,8 @@ { "cve": "CVE-2023-31438", "epss": 0.001, - "percentile": 0.2847, - "date": "2025-12-14" + "percentile": 0.28437, + "date": "2025-12-15" } ], "cwes": [ @@ -5291,8 +5291,8 @@ { "cve": "CVE-2023-31439", "epss": 0.00094, - "percentile": 0.26906, - "date": "2025-12-14" + "percentile": 0.26877, + "date": "2025-12-15" } ], "cwes": [ @@ -5341,8 +5341,8 @@ { "cve": "CVE-2023-31439", "epss": 0.00094, - "percentile": 0.26906, - "date": "2025-12-14" + "percentile": 0.26877, + "date": "2025-12-15" } ], "cwes": [ @@ -5417,8 +5417,8 @@ { "cve": "CVE-2023-31439", "epss": 0.00094, - "percentile": 0.26906, - "date": "2025-12-14" + "percentile": 0.26877, + "date": "2025-12-15" } ], "cwes": [ @@ -5467,8 +5467,8 @@ { "cve": "CVE-2023-31439", "epss": 0.00094, - "percentile": 0.26906, - "date": "2025-12-14" + "percentile": 0.26877, + "date": "2025-12-15" } ], "cwes": [ @@ -5539,8 +5539,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -5587,8 +5587,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -5672,8 +5672,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -5720,8 +5720,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -5796,8 +5796,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ 
@@ -5844,8 +5844,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -5925,8 +5925,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -5973,8 +5973,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -6049,8 +6049,8 @@ { "cve": "CVE-2013-4392", "epss": 0.00057, - "percentile": 0.17828, - "date": "2025-12-14" + "percentile": 0.17808, + "date": "2025-12-15" } ], "cwes": [ @@ -6116,8 +6116,8 @@ { "cve": "CVE-2013-4392", "epss": 0.00057, - "percentile": 0.17828, - "date": "2025-12-14" + "percentile": 0.17808, + "date": "2025-12-15" } ], "cwes": [ @@ -6198,8 +6198,8 @@ { "cve": "CVE-2013-4392", "epss": 0.00057, - "percentile": 0.17828, - "date": "2025-12-14" + "percentile": 0.17808, + "date": "2025-12-15" } ], "cwes": [ @@ -6265,8 +6265,8 @@ { "cve": "CVE-2013-4392", "epss": 0.00057, - "percentile": 0.17828, - "date": "2025-12-14" + "percentile": 0.17808, + "date": "2025-12-15" } ], "cwes": [ @@ -6343,8 +6343,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -6404,8 +6404,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -6512,8 +6512,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -6573,8 +6573,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ 
@@ -6649,8 +6649,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -6710,8 +6710,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -6814,8 +6814,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -6875,8 +6875,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -6974,8 +6974,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -7035,8 +7035,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -7134,8 +7134,8 @@ { "cve": "CVE-2025-27587", "epss": 0.00035, - "percentile": 0.101, - "date": "2025-12-14" + "percentile": 0.10027, + "date": "2025-12-15" } ], "cwes": [ @@ -7182,8 +7182,8 @@ { "cve": "CVE-2025-27587", "epss": 0.00035, - "percentile": 0.101, - "date": "2025-12-14" + "percentile": 0.10027, + "date": "2025-12-15" } ], "cwes": [ @@ -7279,8 +7279,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ], "fix": { @@ -7321,8 +7321,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ] } 
@@ -7762,87 +7762,87 @@ "db": { "status": { "schemaVersion": "v6.1.3", - "from": "https://grype.anchore.io/databases/v6/vulnerability-db_v6.1.3_2025-12-15T00:26:22Z_1765786837.tar.zst?checksum=sha256%3A819b50d22f073b9ab2ad3c00d212207037c07e1de037f81b528b58717b758db2", - "built": "2025-12-15T08:20:37Z", + "from": "https://grype.anchore.io/databases/v6/vulnerability-db_v6.1.3_2025-12-16T00:25:11Z_1765880790.tar.zst?checksum=sha256%3Aa8bb3ef2cc68f242e78cda1e451f290ff56a23b1063de65d22a0ac20e16ae5bd", + "built": "2025-12-16T10:26:30Z", "path": ".cache/grype/db/6/vulnerability.db", "valid": true }, "providers": { "alma": { - "captured": "2025-12-15T00:26:29Z", + "captured": "2025-12-16T00:25:17Z", "input": "xxh64:3bae44c7a22f7a7a" }, "alpine": { - "captured": "2025-12-15T00:26:22Z", - "input": "xxh64:a6910ebae352b990" + "captured": "2025-12-16T00:25:13Z", + "input": "xxh64:0d94cc3d895e96e4" }, "amazon": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:d9332811ab10da09" + "captured": "2025-12-16T00:25:14Z", + "input": "xxh64:96351b3c21f16cdd" }, "bitnami": { - "captured": "2025-12-15T00:26:31Z", - "input": "xxh64:1ecf12b668dea077" + "captured": "2025-12-16T00:25:26Z", + "input": "xxh64:01d096e52d6c584d" }, "chainguard": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:c788b1823558ccdc" + "captured": "2025-12-16T00:25:19Z", + "input": "xxh64:aeb142b1fabd05ef" }, "chainguard-libraries": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:61125e10198fff74" + "captured": "2025-12-16T00:25:25Z", + "input": "xxh64:131c1a3e98113468" }, "debian": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:3a0aef0ee5db3f38" + "captured": "2025-12-16T00:25:24Z", + "input": "xxh64:9c5942d58a5f0d0a" }, "echo": { - "captured": "2025-12-15T00:26:34Z", - "input": "xxh64:b407f1052619408a" + "captured": "2025-12-16T00:25:20Z", + "input": "xxh64:e65ed35a7a7899d0" }, "epss": { - "captured": "2025-12-15T00:26:28Z", - "input": "xxh64:05fd1e2ee709d2a5" + "captured": 
"2025-12-16T00:25:21Z", + "input": "xxh64:c443dbaf0209cf17" }, "github": { - "captured": "2025-12-15T00:26:44Z", - "input": "xxh64:3c7fd996a88f1c66" + "captured": "2025-12-16T00:25:21Z", + "input": "xxh64:640038905439d285" }, "kev": { - "captured": "2025-12-15T00:26:23Z", - "input": "xxh64:ed425533655d771d" + "captured": "2025-12-16T00:25:11Z", + "input": "xxh64:c28f5b32e2103243" }, "mariner": { - "captured": "2025-12-15T00:26:32Z", - "input": "xxh64:6fdbff1192df3158" + "captured": "2025-12-16T00:25:18Z", + "input": "xxh64:647810a8c07a63eb" }, "minimos": { - "captured": "2025-12-15T00:26:30Z", - "input": "xxh64:66fa9397e7abbbe3" + "captured": "2025-12-16T00:25:20Z", + "input": "xxh64:24ca3b7889974a27" }, "nvd": { - "captured": "2025-12-15T00:29:34Z", - "input": "xxh64:52a15157244d2eb4" + "captured": "2025-12-16T00:28:18Z", + "input": "xxh64:8ee1877e9a9e680b" }, "oracle": { - "captured": "2025-12-15T00:26:29Z", - "input": "xxh64:a3297070ed6c54c1" + "captured": "2025-12-16T00:25:23Z", + "input": "xxh64:a4416b6b3e4250df" }, "rhel": { - "captured": "2025-12-15T00:27:19Z", - "input": "xxh64:e625d0086bf187f1" + "captured": "2025-12-16T00:26:07Z", + "input": "xxh64:9911b1a567d8f57c" }, "sles": { - "captured": "2025-12-15T00:26:44Z", - "input": "xxh64:baf8228a110f8ba2" + "captured": "2025-12-16T00:25:43Z", + "input": "xxh64:1b717d5f2e45fdee" }, "ubuntu": { - "captured": "2025-12-15T00:27:45Z", - "input": "xxh64:dd0f79d777310979" + "captured": "2025-12-16T00:27:14Z", + "input": "xxh64:2d3097578288b46f" }, "wolfi": { - "captured": "2025-12-15T00:26:25Z", - "input": "xxh64:7f14313934ae61bb" + "captured": "2025-12-16T00:25:19Z", + "input": "xxh64:f85923693eb62700" } } } diff --git a/docs/security/oss/grype-4.0.11.json b/docs/security/oss/grype-4.0.11.json index 81111f0..4161ab0 100644 --- a/docs/security/oss/grype-4.0.11.json +++ b/docs/security/oss/grype-4.0.11.json 
@@ -26,8 +26,8 @@ { "cve": "CVE-2023-2953", "epss": 0.01466, - "percentile": 0.80391, - "date": "2025-12-14" + "percentile": 0.80389, + "date": "2025-12-15" } ], "cwes": [ @@ -105,8 +105,8 @@ { "cve": "CVE-2023-2953", "epss": 0.01466, - "percentile": 0.80391, - "date": "2025-12-14" + "percentile": 0.80389, + "date": "2025-12-15" } ], "cwes": [ @@ -202,8 +202,8 @@ { "cve": "CVE-2011-3389", "epss": 0.03795, - "percentile": 0.8769, - "date": "2025-12-14" + "percentile": 0.87688, + "date": "2025-12-15" } ], "cwes": [ @@ -337,8 +337,8 @@ { "cve": "CVE-2011-3389", "epss": 0.03795, - "percentile": 0.8769, - "date": "2025-12-14" + "percentile": 0.87688, + "date": "2025-12-15" } ], "cwes": [ @@ -413,8 +413,8 @@ { "cve": "CVE-2015-3276", "epss": 0.02852, - "percentile": 0.8578, - "date": "2025-12-14" + "percentile": 0.85775, + "date": "2025-12-15" } ], "fix": { @@ -467,8 +467,8 @@ { "cve": "CVE-2015-3276", "epss": 0.02852, - "percentile": 0.8578, - "date": "2025-12-14" + "percentile": 0.85775, + "date": "2025-12-15" } ] } @@ -544,8 +544,8 @@ { "cve": "CVE-2018-20796", "epss": 0.01669, - "percentile": 0.8162, - "date": "2025-12-14" + "percentile": 0.81616, + "date": "2025-12-15" } ], "cwes": [ @@ -607,8 +607,8 @@ { "cve": "CVE-2018-20796", "epss": 0.01669, - "percentile": 0.8162, - "date": "2025-12-14" + "percentile": 0.81616, + "date": "2025-12-15" } ], "cwes": [ @@ -702,8 +702,8 @@ { "cve": "CVE-2017-17740", "epss": 0.01643, - "percentile": 0.81471, - "date": "2025-12-14" + "percentile": 0.81467, + "date": "2025-12-15" } ], "cwes": [ @@ -765,8 +765,8 @@ { "cve": "CVE-2017-17740", "epss": 0.01643, - "percentile": 0.81471, - "date": "2025-12-14" + "percentile": 0.81467, + "date": "2025-12-15" } ], "cwes": [ @@ -863,8 +863,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ], "fix": { 
@@ -905,8 +905,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ] } @@ -973,8 +973,8 @@ { "cve": "CVE-2019-9192", "epss": 0.00942, - "percentile": 0.75629, - "date": "2025-12-14" + "percentile": 0.75628, + "date": "2025-12-15" } ], "cwes": [ @@ -1033,8 +1033,8 @@ { "cve": "CVE-2019-9192", "epss": 0.00942, - "percentile": 0.75629, - "date": "2025-12-14" + "percentile": 0.75628, + "date": "2025-12-15" } ], "cwes": [ @@ -1128,8 +1128,8 @@ { "cve": "CVE-2025-0725", "epss": 0.00904, - "percentile": 0.75077, - "date": "2025-12-14" + "percentile": 0.7508, + "date": "2025-12-15" } ], "cwes": [ @@ -1182,8 +1182,8 @@ { "cve": "CVE-2025-0725", "epss": 0.00904, - "percentile": 0.75077, - "date": "2025-12-14" + "percentile": 0.7508, + "date": "2025-12-15" } ], "cwes": [ @@ -1271,8 +1271,8 @@ { "cve": "CVE-2025-10148", "epss": 0.0007, - "percentile": 0.21525, - "date": "2025-12-14" + "percentile": 0.21504, + "date": "2025-12-15" } ], "fix": { @@ -1315,8 +1315,8 @@ { "cve": "CVE-2025-10148", "epss": 0.0007, - "percentile": 0.21525, - "date": "2025-12-14" + "percentile": 0.21504, + "date": "2025-12-15" } ] } @@ -1383,8 +1383,8 @@ { "cve": "CVE-2010-4756", "epss": 0.00691, - "percentile": 0.71132, - "date": "2025-12-14" + "percentile": 0.71128, + "date": "2025-12-15" } ], "cwes": [ @@ -1435,8 +1435,8 @@ { "cve": "CVE-2010-4756", "epss": 0.00691, - "percentile": 0.71132, - "date": "2025-12-14" + "percentile": 0.71128, + "date": "2025-12-15" } ], "cwes": [ 
@@ -1519,96 +1519,94 @@ }, { "vulnerability": { - "id": "CVE-2018-6829", - "dataSource": "https://security-tracker.debian.org/tracker/CVE-2018-6829", + "id": "CVE-2025-12818", + "dataSource": "https://security-tracker.debian.org/tracker/CVE-2025-12818", "namespace": "debian:distro:debian:12", - "severity": "Negligible", + "severity": "Medium", "urls": [], - "description": "cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.", - "cvss": [], + "description": "Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application using libpq. 
Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.", + "cvss": [ + { + "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.9, + "exploitabilityScore": 2.3, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ], "epss": [ { - "cve": "CVE-2018-6829", - "epss": 0.00577, - "percentile": 0.68044, - "date": "2025-12-14" + "cve": "CVE-2025-12818", + "epss": 0.00057, + "percentile": 0.1792, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2018-6829", - "cwe": "CWE-327", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2025-12818", + "cwe": "CWE-190", + "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", + "type": "Secondary" } ], "fix": { "versions": [], - "state": "not-fixed" + "state": "wont-fix" }, "advisories": [], - "risk": 0.02885 + "risk": 0.031065 }, "relatedVulnerabilities": [ { - "id": "CVE-2018-6829", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2018-6829", + "id": "CVE-2025-12818", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-12818", "namespace": "nvd:cpe", - "severity": "High", + "severity": "Medium", "urls": [ - "https://github.com/weikengchen/attack-on-libgcrypt-elgamal", - "https://github.com/weikengchen/attack-on-libgcrypt-elgamal/wiki", - "https://lists.gnupg.org/pipermail/gcrypt-devel/2018-February/004394.html", - "https://www.oracle.com/security-alerts/cpujan2020.html" + "https://www.postgresql.org/support/security/CVE-2025-12818/" ], - "description": "cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). 
The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.", + "description": "Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application using libpq. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.", "cvss": [ { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "3.0", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} - }, - { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "2.0", - "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", - "metrics": { - "baseScore": 5, - "exploitabilityScore": 10, - "impactScore": 2.9 - }, - "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2018-6829", - "epss": 0.00577, - "percentile": 0.68044, - "date": "2025-12-14" + "cve": "CVE-2025-12818", + "epss": 0.00057, + "percentile": 0.1792, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2018-6829", - "cwe": "CWE-327", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2025-12818", + "cwe": "CWE-190", + "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", + "type": "Secondary" } ] } ], "matchDetails": [ { - "type": "exact-direct-match", + "type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": { "distro": { 
@@ -1616,27 +1614,27 @@ "version": "12" }, "package": { - "name": "libgcrypt20", - "version": "1.10.1-3" + "name": "postgresql-15", + "version": "15.14-0+deb12u1" }, "namespace": "debian:distro:debian:12" }, "found": { - "vulnerabilityID": "CVE-2018-6829", + "vulnerabilityID": "CVE-2025-12818", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "aa143951e2980797", - "name": "libgcrypt20", - "version": "1.10.1-3", + "id": "da0ab4ee51b298d8", + "name": "libpq5", + "version": "15.14-0+deb12u1", "type": "deb", "locations": [ { - "path": "/var/lib/dpkg/status.d/libgcrypt20", + "path": "/var/lib/dpkg/status.d/libpq5", "layerID": "sha256:43789fe97f5566d641028c0fae496e6c7e5e76709b6cf6b2a7768453a3915cfb", - "accessPath": "/var/lib/dpkg/status.d/libgcrypt20", + "accessPath": "/var/lib/dpkg/status.d/libpq5", "annotations": { "evidence": "primary" } 
@@ -1645,102 +1643,108 @@ "language": "", "licenses": [], "cpes": [ - "cpe:2.3:a:libgcrypt20:libgcrypt20:1.10.1-3:*:*:*:*:*:*:*" + "cpe:2.3:a:libpq5:libpq5:15.14-0\\+deb12u1:*:*:*:*:*:*:*" ], - "purl": "pkg:deb/debian/libgcrypt20@1.10.1-3?arch=amd64&distro=debian-12", - "upstreams": [] + "purl": "pkg:deb/debian/libpq5@15.14-0%2Bdeb12u1?arch=amd64&distro=debian-12&upstream=postgresql-15", + "upstreams": [ + { + "name": "postgresql-15" + } + ] } }, { "vulnerability": { - "id": "CVE-2025-12818", - "dataSource": "https://security-tracker.debian.org/tracker/CVE-2025-12818", + "id": "CVE-2018-6829", + "dataSource": "https://security-tracker.debian.org/tracker/CVE-2018-6829", "namespace": "debian:distro:debian:12", - "severity": "Medium", + "severity": "Negligible", "urls": [], - "description": "Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application using libpq. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.", - "cvss": [ - { - "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", - "type": "Secondary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", - "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, - "impactScore": 3.6 - }, - "vendorMetadata": {} - } - ], + "description": "cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). 
The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.", + "cvss": [], "epss": [ { - "cve": "CVE-2025-12818", - "epss": 0.00052, - "percentile": 0.16429, - "date": "2025-12-14" + "cve": "CVE-2018-6829", + "epss": 0.00577, + "percentile": 0.6804, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-12818", - "cwe": "CWE-190", - "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", - "type": "Secondary" + "cve": "CVE-2018-6829", + "cwe": "CWE-327", + "source": "nvd@nist.gov", + "type": "Primary" } ], "fix": { "versions": [], - "state": "wont-fix" + "state": "not-fixed" }, "advisories": [], - "risk": 0.02834 + "risk": 0.02885 }, "relatedVulnerabilities": [ { - "id": "CVE-2025-12818", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-12818", + "id": "CVE-2018-6829", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2018-6829", "namespace": "nvd:cpe", - "severity": "Medium", + "severity": "High", "urls": [ - "https://www.postgresql.org/support/security/CVE-2025-12818/" + "https://github.com/weikengchen/attack-on-libgcrypt-elgamal", + "https://github.com/weikengchen/attack-on-libgcrypt-elgamal/wiki", + "https://lists.gnupg.org/pipermail/gcrypt-devel/2018-February/004394.html", + "https://www.oracle.com/security-alerts/cpujan2020.html" ], - "description": "Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application using libpq. 
Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.", + "description": "cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.", "cvss": [ { - "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", - "type": "Secondary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.0", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, + "baseScore": 7.5, + "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", + "metrics": { + "baseScore": 5, + "exploitabilityScore": 10, + "impactScore": 2.9 + }, + "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2025-12818", - "epss": 0.00052, - "percentile": 0.16429, - "date": "2025-12-14" + "cve": "CVE-2018-6829", + "epss": 0.00577, + "percentile": 0.6804, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-12818", - "cwe": "CWE-190", - "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", - "type": "Secondary" + "cve": "CVE-2018-6829", + "cwe": "CWE-327", + "source": "nvd@nist.gov", + "type": "Primary" } ] } ], "matchDetails": [ { - "type": "exact-indirect-match", + "type": "exact-direct-match", "matcher": "dpkg-matcher", "searchedBy": { "distro": { 
@@ -1748,27 +1752,27 @@ "version": "12" }, "package": { - "name": "postgresql-15", - "version": "15.14-0+deb12u1" + "name": "libgcrypt20", + "version": "1.10.1-3" }, "namespace": "debian:distro:debian:12" }, "found": { - "vulnerabilityID": "CVE-2025-12818", + "vulnerabilityID": "CVE-2018-6829", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "da0ab4ee51b298d8", - "name": "libpq5", - "version": "15.14-0+deb12u1", + "id": "aa143951e2980797", + "name": "libgcrypt20", + "version": "1.10.1-3", "type": "deb", "locations": [ { - "path": "/var/lib/dpkg/status.d/libpq5", + "path": "/var/lib/dpkg/status.d/libgcrypt20", "layerID": "sha256:43789fe97f5566d641028c0fae496e6c7e5e76709b6cf6b2a7768453a3915cfb", - "accessPath": "/var/lib/dpkg/status.d/libpq5", + "accessPath": "/var/lib/dpkg/status.d/libgcrypt20", "annotations": { "evidence": "primary" } @@ -1777,14 +1781,10 @@ "language": "", "licenses": [], "cpes": [ - "cpe:2.3:a:libpq5:libpq5:15.14-0\\+deb12u1:*:*:*:*:*:*:*" + "cpe:2.3:a:libgcrypt20:libgcrypt20:1.10.1-3:*:*:*:*:*:*:*" ], - "purl": "pkg:deb/debian/libpq5@15.14-0%2Bdeb12u1?arch=amd64&distro=debian-12&upstream=postgresql-15", - "upstreams": [ - { - "name": "postgresql-15" - } - ] + "purl": "pkg:deb/debian/libgcrypt20@1.10.1-3?arch=amd64&distro=debian-12", + "upstreams": [] } }, { @@ -1800,8 +1800,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -1860,8 +1860,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -1945,8 +1945,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ 
@@ -2005,8 +2005,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -2081,8 +2081,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -2141,8 +2141,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -2222,8 +2222,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -2282,8 +2282,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -2371,8 +2371,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ @@ -2447,8 +2447,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ @@ -2553,8 +2553,8 @@ { "cve": "CVE-2019-1010024", "epss": 0.00364, - "percentile": 0.5785, - "date": "2025-12-14" + "percentile": 0.57833, + "date": "2025-12-15" } ], "cwes": [ @@ -2617,8 +2617,8 @@ { "cve": "CVE-2019-1010024", "epss": 0.00364, - "percentile": 0.5785, - "date": "2025-12-14" + "percentile": 0.57833, + "date": "2025-12-15" } ], "cwes": [ @@ -2727,8 +2727,8 @@ { "cve": "CVE-2025-29478", "epss": 0.00034, - "percentile": 0.09478, - "date": "2025-12-14" + "percentile": 0.09393, + "date": "2025-12-15" } ], "cwes": [ @@ -2807,8 +2807,8 @@ { "cve": "CVE-2019-1010025", "epss": 0.00356, - "percentile": 0.5727, - "date": "2025-12-14" + "percentile": 0.57254, + "date": "2025-12-15" } ], "cwes": [ 
@@ -2870,8 +2870,8 @@ { "cve": "CVE-2019-1010025", "epss": 0.00356, - "percentile": 0.5727, - "date": "2025-12-14" + "percentile": 0.57254, + "date": "2025-12-15" } ], "cwes": [ @@ -2965,8 +2965,8 @@ { "cve": "CVE-2019-1010023", "epss": 0.00346, - "percentile": 0.5661, - "date": "2025-12-14" + "percentile": 0.56596, + "date": "2025-12-15" } ], "fix": { @@ -3032,8 +3032,8 @@ { "cve": "CVE-2019-1010023", "epss": 0.00346, - "percentile": 0.5661, - "date": "2025-12-14" + "percentile": 0.56596, + "date": "2025-12-15" } ] } @@ -3132,8 +3132,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -3199,8 +3199,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -3311,9 +3311,9 @@ "epss": [ { "cve": "CVE-2025-12817", - "epss": 0.0004, - "percentile": 0.11878, - "date": "2025-12-14" + "epss": 0.00046, + "percentile": 0.14034, + "date": "2025-12-15" } ], "cwes": [ @@ -3329,7 +3329,7 @@ "state": "wont-fix" }, "advisories": [], - "risk": 0.012199999999999999 + "risk": 0.014029999999999999 }, "relatedVulnerabilities": [ { @@ -3358,9 +3358,9 @@ "epss": [ { "cve": "CVE-2025-12817", - "epss": 0.0004, - "percentile": 0.11878, - "date": "2025-12-14" + "epss": 0.00046, + "percentile": 0.14034, + "date": "2025-12-15" } ], "cwes": [ @@ -3435,8 +3435,8 @@ { "cve": "CVE-2024-2236", "epss": 0.00222, - "percentile": 0.44746, - "date": "2025-12-14" + "percentile": 0.44727, + "date": "2025-12-15" } ], "cwes": [ @@ -3487,8 +3487,8 @@ { "cve": "CVE-2024-2236", "epss": 0.00222, - "percentile": 0.44746, - "date": "2025-12-14" + "percentile": 0.44727, + "date": "2025-12-15" } ], "cwes": [ @@ -3559,8 +3559,8 @@ { "cve": "CVE-2020-15719", "epss": 0.00216, - "percentile": 0.44145, - "date": "2025-12-14" + "percentile": 0.44125, + "date": "2025-12-15" } ], "cwes": [ 
@@ -3624,8 +3624,8 @@ { "cve": "CVE-2020-15719", "epss": 0.00216, - "percentile": 0.44145, - "date": "2025-12-14" + "percentile": 0.44125, + "date": "2025-12-15" } ], "cwes": [ @@ -3709,8 +3709,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -3757,8 +3757,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -3842,8 +3842,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -3890,8 +3890,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -3966,8 +3966,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -4014,8 +4014,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -4095,8 +4095,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -4143,8 +4143,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -4219,8 +4219,8 @@ { "cve": "CVE-2024-2379", "epss": 0.00205, - "percentile": 0.42752, - "date": "2025-12-14" + "percentile": 0.42737, + "date": "2025-12-15" } ], "cwes": [ @@ -4276,8 +4276,8 @@ { "cve": "CVE-2024-2379", "epss": 0.00205, - "percentile": 0.42752, - "date": "2025-12-14" + "percentile": 0.42737, + "date": "2025-12-15" } ], "cwes": [ 
@@ -4367,8 +4367,8 @@ { "cve": "CVE-2025-29477", "epss": 0.00019, - "percentile": 0.04132, - "date": "2025-12-14" + "percentile": 0.04084, + "date": "2025-12-15" } ], "cwes": [ @@ -4447,8 +4447,8 @@ { "cve": "CVE-2019-1010022", "epss": 0.00145, - "percentile": 0.35451, - "date": "2025-12-14" + "percentile": 0.35413, + "date": "2025-12-15" } ], "cwes": [ @@ -4509,8 +4509,8 @@ { "cve": "CVE-2019-1010022", "epss": 0.00145, - "percentile": 0.35451, - "date": "2025-12-14" + "percentile": 0.35413, + "date": "2025-12-15" } ], "cwes": [ @@ -4604,8 +4604,8 @@ { "cve": "CVE-2023-31437", "epss": 0.00128, - "percentile": 0.32956, - "date": "2025-12-14" + "percentile": 0.32907, + "date": "2025-12-15" } ], "cwes": [ @@ -4671,8 +4671,8 @@ { "cve": "CVE-2023-31437", "epss": 0.00128, - "percentile": 0.32956, - "date": "2025-12-14" + "percentile": 0.32907, + "date": "2025-12-15" } ], "cwes": [ @@ -4753,8 +4753,8 @@ { "cve": "CVE-2023-31437", "epss": 0.00128, - "percentile": 0.32956, - "date": "2025-12-14" + "percentile": 0.32907, + "date": "2025-12-15" } ], "cwes": [ @@ -4820,8 +4820,8 @@ { "cve": "CVE-2023-31437", "epss": 0.00128, - "percentile": 0.32956, - "date": "2025-12-14" + "percentile": 0.32907, + "date": "2025-12-15" } ], "cwes": [ @@ -4898,8 +4898,8 @@ { "cve": "CVE-2017-14159", "epss": 0.00123, - "percentile": 0.32248, - "date": "2025-12-14" + "percentile": 0.32198, + "date": "2025-12-15" } ], "cwes": [ @@ -4958,8 +4958,8 @@ { "cve": "CVE-2017-14159", "epss": 0.00123, - "percentile": 0.32248, - "date": "2025-12-14" + "percentile": 0.32198, + "date": "2025-12-15" } ], "cwes": [ @@ -5043,8 +5043,8 @@ { "cve": "CVE-2023-31438", "epss": 0.001, - "percentile": 0.2847, - "date": "2025-12-14" + "percentile": 0.28437, + "date": "2025-12-15" } ], "cwes": [ @@ -5093,8 +5093,8 @@ { "cve": "CVE-2023-31438", "epss": 0.001, - "percentile": 0.2847, - "date": "2025-12-14" + "percentile": 0.28437, + "date": "2025-12-15" } ], "cwes": [ 
@@ -5169,8 +5169,8 @@ { "cve": "CVE-2023-31438", "epss": 0.001, - "percentile": 0.2847, - "date": "2025-12-14" + "percentile": 0.28437, + "date": "2025-12-15" } ], "cwes": [ @@ -5219,8 +5219,8 @@ { "cve": "CVE-2023-31438", "epss": 0.001, - "percentile": 0.2847, - "date": "2025-12-14" + "percentile": 0.28437, + "date": "2025-12-15" } ], "cwes": [ @@ -5291,8 +5291,8 @@ { "cve": "CVE-2023-31439", "epss": 0.00094, - "percentile": 0.26906, - "date": "2025-12-14" + "percentile": 0.26877, + "date": "2025-12-15" } ], "cwes": [ @@ -5341,8 +5341,8 @@ { "cve": "CVE-2023-31439", "epss": 0.00094, - "percentile": 0.26906, - "date": "2025-12-14" + "percentile": 0.26877, + "date": "2025-12-15" } ], "cwes": [ @@ -5417,8 +5417,8 @@ { "cve": "CVE-2023-31439", "epss": 0.00094, - "percentile": 0.26906, - "date": "2025-12-14" + "percentile": 0.26877, + "date": "2025-12-15" } ], "cwes": [ @@ -5467,8 +5467,8 @@ { "cve": "CVE-2023-31439", "epss": 0.00094, - "percentile": 0.26906, - "date": "2025-12-14" + "percentile": 0.26877, + "date": "2025-12-15" } ], "cwes": [ @@ -5539,8 +5539,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -5587,8 +5587,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -5672,8 +5672,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -5720,8 +5720,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -5796,8 +5796,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ 
@@ -5844,8 +5844,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -5925,8 +5925,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -5973,8 +5973,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -6049,8 +6049,8 @@ { "cve": "CVE-2013-4392", "epss": 0.00057, - "percentile": 0.17828, - "date": "2025-12-14" + "percentile": 0.17808, + "date": "2025-12-15" } ], "cwes": [ @@ -6116,8 +6116,8 @@ { "cve": "CVE-2013-4392", "epss": 0.00057, - "percentile": 0.17828, - "date": "2025-12-14" + "percentile": 0.17808, + "date": "2025-12-15" } ], "cwes": [ @@ -6198,8 +6198,8 @@ { "cve": "CVE-2013-4392", "epss": 0.00057, - "percentile": 0.17828, - "date": "2025-12-14" + "percentile": 0.17808, + "date": "2025-12-15" } ], "cwes": [ @@ -6265,8 +6265,8 @@ { "cve": "CVE-2013-4392", "epss": 0.00057, - "percentile": 0.17828, - "date": "2025-12-14" + "percentile": 0.17808, + "date": "2025-12-15" } ], "cwes": [ @@ -6343,8 +6343,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -6404,8 +6404,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -6512,8 +6512,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -6573,8 +6573,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ 
@@ -6649,8 +6649,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -6710,8 +6710,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -6814,8 +6814,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -6875,8 +6875,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -6974,8 +6974,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -7035,8 +7035,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -7134,8 +7134,8 @@ { "cve": "CVE-2025-27587", "epss": 0.00035, - "percentile": 0.101, - "date": "2025-12-14" + "percentile": 0.10027, + "date": "2025-12-15" } ], "cwes": [ @@ -7182,8 +7182,8 @@ { "cve": "CVE-2025-27587", "epss": 0.00035, - "percentile": 0.101, - "date": "2025-12-14" + "percentile": 0.10027, + "date": "2025-12-15" } ], "cwes": [ @@ -7279,8 +7279,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ], "fix": { @@ -7321,8 +7321,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ] } 
@@ -7762,87 +7762,87 @@ "db": { "status": { "schemaVersion": "v6.1.3", - "from": "https://grype.anchore.io/databases/v6/vulnerability-db_v6.1.3_2025-12-15T00:26:22Z_1765786837.tar.zst?checksum=sha256%3A819b50d22f073b9ab2ad3c00d212207037c07e1de037f81b528b58717b758db2", - "built": "2025-12-15T08:20:37Z", + "from": "https://grype.anchore.io/databases/v6/vulnerability-db_v6.1.3_2025-12-16T00:25:11Z_1765880790.tar.zst?checksum=sha256%3Aa8bb3ef2cc68f242e78cda1e451f290ff56a23b1063de65d22a0ac20e16ae5bd", + "built": "2025-12-16T10:26:30Z", "path": ".cache/grype/db/6/vulnerability.db", "valid": true }, "providers": { "alma": { - "captured": "2025-12-15T00:26:29Z", + "captured": "2025-12-16T00:25:17Z", "input": "xxh64:3bae44c7a22f7a7a" }, "alpine": { - "captured": "2025-12-15T00:26:22Z", - "input": "xxh64:a6910ebae352b990" + "captured": "2025-12-16T00:25:13Z", + "input": "xxh64:0d94cc3d895e96e4" }, "amazon": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:d9332811ab10da09" + "captured": "2025-12-16T00:25:14Z", + "input": "xxh64:96351b3c21f16cdd" }, "bitnami": { - "captured": "2025-12-15T00:26:31Z", - "input": "xxh64:1ecf12b668dea077" + "captured": "2025-12-16T00:25:26Z", + "input": "xxh64:01d096e52d6c584d" }, "chainguard": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:c788b1823558ccdc" + "captured": "2025-12-16T00:25:19Z", + "input": "xxh64:aeb142b1fabd05ef" }, "chainguard-libraries": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:61125e10198fff74" + "captured": "2025-12-16T00:25:25Z", + "input": "xxh64:131c1a3e98113468" }, "debian": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:3a0aef0ee5db3f38" + "captured": "2025-12-16T00:25:24Z", + "input": "xxh64:9c5942d58a5f0d0a" }, "echo": { - "captured": "2025-12-15T00:26:34Z", - "input": "xxh64:b407f1052619408a" + "captured": "2025-12-16T00:25:20Z", + "input": "xxh64:e65ed35a7a7899d0" }, "epss": { - "captured": "2025-12-15T00:26:28Z", - "input": "xxh64:05fd1e2ee709d2a5" + "captured": 
"2025-12-16T00:25:21Z", + "input": "xxh64:c443dbaf0209cf17" }, "github": { - "captured": "2025-12-15T00:26:44Z", - "input": "xxh64:3c7fd996a88f1c66" + "captured": "2025-12-16T00:25:21Z", + "input": "xxh64:640038905439d285" }, "kev": { - "captured": "2025-12-15T00:26:23Z", - "input": "xxh64:ed425533655d771d" + "captured": "2025-12-16T00:25:11Z", + "input": "xxh64:c28f5b32e2103243" }, "mariner": { - "captured": "2025-12-15T00:26:32Z", - "input": "xxh64:6fdbff1192df3158" + "captured": "2025-12-16T00:25:18Z", + "input": "xxh64:647810a8c07a63eb" }, "minimos": { - "captured": "2025-12-15T00:26:30Z", - "input": "xxh64:66fa9397e7abbbe3" + "captured": "2025-12-16T00:25:20Z", + "input": "xxh64:24ca3b7889974a27" }, "nvd": { - "captured": "2025-12-15T00:29:34Z", - "input": "xxh64:52a15157244d2eb4" + "captured": "2025-12-16T00:28:18Z", + "input": "xxh64:8ee1877e9a9e680b" }, "oracle": { - "captured": "2025-12-15T00:26:29Z", - "input": "xxh64:a3297070ed6c54c1" + "captured": "2025-12-16T00:25:23Z", + "input": "xxh64:a4416b6b3e4250df" }, "rhel": { - "captured": "2025-12-15T00:27:19Z", - "input": "xxh64:e625d0086bf187f1" + "captured": "2025-12-16T00:26:07Z", + "input": "xxh64:9911b1a567d8f57c" }, "sles": { - "captured": "2025-12-15T00:26:44Z", - "input": "xxh64:baf8228a110f8ba2" + "captured": "2025-12-16T00:25:43Z", + "input": "xxh64:1b717d5f2e45fdee" }, "ubuntu": { - "captured": "2025-12-15T00:27:45Z", - "input": "xxh64:dd0f79d777310979" + "captured": "2025-12-16T00:27:14Z", + "input": "xxh64:2d3097578288b46f" }, "wolfi": { - "captured": "2025-12-15T00:26:25Z", - "input": "xxh64:7f14313934ae61bb" + "captured": "2025-12-16T00:25:19Z", + "input": "xxh64:f85923693eb62700" } } } diff --git a/docs/security/oss/grype-4.0.12.json b/docs/security/oss/grype-4.0.12.json index e9d8862..ae0903c 100644 --- a/docs/security/oss/grype-4.0.12.json +++ b/docs/security/oss/grype-4.0.12.json 
@@ -26,8 +26,8 @@ { "cve": "CVE-2023-2953", "epss": 0.01466, - "percentile": 0.80391, - "date": "2025-12-14" + "percentile": 0.80389, + "date": "2025-12-15" } ], "cwes": [ @@ -105,8 +105,8 @@ { "cve": "CVE-2023-2953", "epss": 0.01466, - "percentile": 0.80391, - "date": "2025-12-14" + "percentile": 0.80389, + "date": "2025-12-15" } ], "cwes": [ @@ -202,8 +202,8 @@ { "cve": "CVE-2011-3389", "epss": 0.03795, - "percentile": 0.8769, - "date": "2025-12-14" + "percentile": 0.87688, + "date": "2025-12-15" } ], "cwes": [ @@ -337,8 +337,8 @@ { "cve": "CVE-2011-3389", "epss": 0.03795, - "percentile": 0.8769, - "date": "2025-12-14" + "percentile": 0.87688, + "date": "2025-12-15" } ], "cwes": [ @@ -413,8 +413,8 @@ { "cve": "CVE-2015-3276", "epss": 0.02852, - "percentile": 0.8578, - "date": "2025-12-14" + "percentile": 0.85775, + "date": "2025-12-15" } ], "fix": { @@ -467,8 +467,8 @@ { "cve": "CVE-2015-3276", "epss": 0.02852, - "percentile": 0.8578, - "date": "2025-12-14" + "percentile": 0.85775, + "date": "2025-12-15" } ] } @@ -544,8 +544,8 @@ { "cve": "CVE-2018-20796", "epss": 0.01669, - "percentile": 0.8162, - "date": "2025-12-14" + "percentile": 0.81616, + "date": "2025-12-15" } ], "cwes": [ @@ -607,8 +607,8 @@ { "cve": "CVE-2018-20796", "epss": 0.01669, - "percentile": 0.8162, - "date": "2025-12-14" + "percentile": 0.81616, + "date": "2025-12-15" } ], "cwes": [ @@ -702,8 +702,8 @@ { "cve": "CVE-2017-17740", "epss": 0.01643, - "percentile": 0.81471, - "date": "2025-12-14" + "percentile": 0.81467, + "date": "2025-12-15" } ], "cwes": [ @@ -765,8 +765,8 @@ { "cve": "CVE-2017-17740", "epss": 0.01643, - "percentile": 0.81471, - "date": "2025-12-14" + "percentile": 0.81467, + "date": "2025-12-15" } ], "cwes": [ @@ -863,8 +863,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ], "fix": { 
@@ -905,8 +905,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ] } @@ -973,8 +973,8 @@ { "cve": "CVE-2019-9192", "epss": 0.00942, - "percentile": 0.75629, - "date": "2025-12-14" + "percentile": 0.75628, + "date": "2025-12-15" } ], "cwes": [ @@ -1033,8 +1033,8 @@ { "cve": "CVE-2019-9192", "epss": 0.00942, - "percentile": 0.75629, - "date": "2025-12-14" + "percentile": 0.75628, + "date": "2025-12-15" } ], "cwes": [ @@ -1128,8 +1128,8 @@ { "cve": "CVE-2025-0725", "epss": 0.00904, - "percentile": 0.75077, - "date": "2025-12-14" + "percentile": 0.7508, + "date": "2025-12-15" } ], "cwes": [ @@ -1182,8 +1182,8 @@ { "cve": "CVE-2025-0725", "epss": 0.00904, - "percentile": 0.75077, - "date": "2025-12-14" + "percentile": 0.7508, + "date": "2025-12-15" } ], "cwes": [ @@ -1271,8 +1271,8 @@ { "cve": "CVE-2025-10148", "epss": 0.0007, - "percentile": 0.21525, - "date": "2025-12-14" + "percentile": 0.21504, + "date": "2025-12-15" } ], "fix": { @@ -1315,8 +1315,8 @@ { "cve": "CVE-2025-10148", "epss": 0.0007, - "percentile": 0.21525, - "date": "2025-12-14" + "percentile": 0.21504, + "date": "2025-12-15" } ] } @@ -1383,8 +1383,8 @@ { "cve": "CVE-2010-4756", "epss": 0.00691, - "percentile": 0.71132, - "date": "2025-12-14" + "percentile": 0.71128, + "date": "2025-12-15" } ], "cwes": [ @@ -1435,8 +1435,8 @@ { "cve": "CVE-2010-4756", "epss": 0.00691, - "percentile": 0.71132, - "date": "2025-12-14" + "percentile": 0.71128, + "date": "2025-12-15" } ], "cwes": [ 
@@ -1519,96 +1519,94 @@ }, { "vulnerability": { - "id": "CVE-2018-6829", - "dataSource": "https://security-tracker.debian.org/tracker/CVE-2018-6829", + "id": "CVE-2025-12818", + "dataSource": "https://security-tracker.debian.org/tracker/CVE-2025-12818", "namespace": "debian:distro:debian:12", - "severity": "Negligible", + "severity": "Medium", "urls": [], - "description": "cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.", - "cvss": [], + "description": "Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application using libpq. 
Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.", + "cvss": [ + { + "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.9, + "exploitabilityScore": 2.3, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ], "epss": [ { - "cve": "CVE-2018-6829", - "epss": 0.00577, - "percentile": 0.68044, - "date": "2025-12-14" + "cve": "CVE-2025-12818", + "epss": 0.00057, + "percentile": 0.1792, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2018-6829", - "cwe": "CWE-327", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2025-12818", + "cwe": "CWE-190", + "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", + "type": "Secondary" } ], "fix": { "versions": [], - "state": "not-fixed" + "state": "wont-fix" }, "advisories": [], - "risk": 0.02885 + "risk": 0.031065 }, "relatedVulnerabilities": [ { - "id": "CVE-2018-6829", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2018-6829", + "id": "CVE-2025-12818", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-12818", "namespace": "nvd:cpe", - "severity": "High", + "severity": "Medium", "urls": [ - "https://github.com/weikengchen/attack-on-libgcrypt-elgamal", - "https://github.com/weikengchen/attack-on-libgcrypt-elgamal/wiki", - "https://lists.gnupg.org/pipermail/gcrypt-devel/2018-February/004394.html", - "https://www.oracle.com/security-alerts/cpujan2020.html" + "https://www.postgresql.org/support/security/CVE-2025-12818/" ], - "description": "cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). 
The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.", + "description": "Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application using libpq. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.", "cvss": [ { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "3.0", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} - }, - { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "2.0", - "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", - "metrics": { - "baseScore": 5, - "exploitabilityScore": 10, - "impactScore": 2.9 - }, - "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2018-6829", - "epss": 0.00577, - "percentile": 0.68044, - "date": "2025-12-14" + "cve": "CVE-2025-12818", + "epss": 0.00057, + "percentile": 0.1792, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2018-6829", - "cwe": "CWE-327", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2025-12818", + "cwe": "CWE-190", + "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", + "type": "Secondary" } ] } ], "matchDetails": [ { - "type": "exact-direct-match", + "type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": { "distro": { 
@@ -1616,27 +1614,27 @@ "version": "12" }, "package": { - "name": "libgcrypt20", - "version": "1.10.1-3" + "name": "postgresql-15", + "version": "15.14-0+deb12u1" }, "namespace": "debian:distro:debian:12" }, "found": { - "vulnerabilityID": "CVE-2018-6829", + "vulnerabilityID": "CVE-2025-12818", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "aa143951e2980797", - "name": "libgcrypt20", - "version": "1.10.1-3", + "id": "da0ab4ee51b298d8", + "name": "libpq5", + "version": "15.14-0+deb12u1", "type": "deb", "locations": [ { - "path": "/var/lib/dpkg/status.d/libgcrypt20", + "path": "/var/lib/dpkg/status.d/libpq5", "layerID": "sha256:417b18e12362eb08bbee953a1a4ffe7152162c98178006fd3274e3a6e11d36df", - "accessPath": "/var/lib/dpkg/status.d/libgcrypt20", + "accessPath": "/var/lib/dpkg/status.d/libpq5", "annotations": { "evidence": "primary" } 
@@ -1645,102 +1643,108 @@ "language": "", "licenses": [], "cpes": [ - "cpe:2.3:a:libgcrypt20:libgcrypt20:1.10.1-3:*:*:*:*:*:*:*" + "cpe:2.3:a:libpq5:libpq5:15.14-0\\+deb12u1:*:*:*:*:*:*:*" ], - "purl": "pkg:deb/debian/libgcrypt20@1.10.1-3?arch=amd64&distro=debian-12", - "upstreams": [] + "purl": "pkg:deb/debian/libpq5@15.14-0%2Bdeb12u1?arch=amd64&distro=debian-12&upstream=postgresql-15", + "upstreams": [ + { + "name": "postgresql-15" + } + ] } }, { "vulnerability": { - "id": "CVE-2025-12818", - "dataSource": "https://security-tracker.debian.org/tracker/CVE-2025-12818", + "id": "CVE-2018-6829", + "dataSource": "https://security-tracker.debian.org/tracker/CVE-2018-6829", "namespace": "debian:distro:debian:12", - "severity": "Medium", + "severity": "Negligible", "urls": [], - "description": "Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application using libpq. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.", - "cvss": [ - { - "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", - "type": "Secondary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", - "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, - "impactScore": 3.6 - }, - "vendorMetadata": {} - } - ], + "description": "cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). 
The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.", + "cvss": [], "epss": [ { - "cve": "CVE-2025-12818", - "epss": 0.00052, - "percentile": 0.16429, - "date": "2025-12-14" + "cve": "CVE-2018-6829", + "epss": 0.00577, + "percentile": 0.6804, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-12818", - "cwe": "CWE-190", - "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", - "type": "Secondary" + "cve": "CVE-2018-6829", + "cwe": "CWE-327", + "source": "nvd@nist.gov", + "type": "Primary" } ], "fix": { "versions": [], - "state": "wont-fix" + "state": "not-fixed" }, "advisories": [], - "risk": 0.02834 + "risk": 0.02885 }, "relatedVulnerabilities": [ { - "id": "CVE-2025-12818", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-12818", + "id": "CVE-2018-6829", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2018-6829", "namespace": "nvd:cpe", - "severity": "Medium", + "severity": "High", "urls": [ - "https://www.postgresql.org/support/security/CVE-2025-12818/" + "https://github.com/weikengchen/attack-on-libgcrypt-elgamal", + "https://github.com/weikengchen/attack-on-libgcrypt-elgamal/wiki", + "https://lists.gnupg.org/pipermail/gcrypt-devel/2018-February/004394.html", + "https://www.oracle.com/security-alerts/cpujan2020.html" ], - "description": "Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application using libpq. 
Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.", + "description": "cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.", "cvss": [ { - "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", - "type": "Secondary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.0", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, + "baseScore": 7.5, + "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", + "metrics": { + "baseScore": 5, + "exploitabilityScore": 10, + "impactScore": 2.9 + }, + "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2025-12818", - "epss": 0.00052, - "percentile": 0.16429, - "date": "2025-12-14" + "cve": "CVE-2018-6829", + "epss": 0.00577, + "percentile": 0.6804, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-12818", - "cwe": "CWE-190", - "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", - "type": "Secondary" + "cve": "CVE-2018-6829", + "cwe": "CWE-327", + "source": "nvd@nist.gov", + "type": "Primary" } ] } ], "matchDetails": [ { - "type": "exact-indirect-match", + "type": "exact-direct-match", "matcher": "dpkg-matcher", "searchedBy": { "distro": { 
@@ -1748,27 +1752,27 @@ "version": "12" }, "package": { - "name": "postgresql-15", - "version": "15.14-0+deb12u1" + "name": "libgcrypt20", + "version": "1.10.1-3" }, "namespace": "debian:distro:debian:12" }, "found": { - "vulnerabilityID": "CVE-2025-12818", + "vulnerabilityID": "CVE-2018-6829", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "da0ab4ee51b298d8", - "name": "libpq5", - "version": "15.14-0+deb12u1", + "id": "aa143951e2980797", + "name": "libgcrypt20", + "version": "1.10.1-3", "type": "deb", "locations": [ { - "path": "/var/lib/dpkg/status.d/libpq5", + "path": "/var/lib/dpkg/status.d/libgcrypt20", "layerID": "sha256:417b18e12362eb08bbee953a1a4ffe7152162c98178006fd3274e3a6e11d36df", - "accessPath": "/var/lib/dpkg/status.d/libpq5", + "accessPath": "/var/lib/dpkg/status.d/libgcrypt20", "annotations": { "evidence": "primary" } @@ -1777,14 +1781,10 @@ "language": "", "licenses": [], "cpes": [ - "cpe:2.3:a:libpq5:libpq5:15.14-0\\+deb12u1:*:*:*:*:*:*:*" + "cpe:2.3:a:libgcrypt20:libgcrypt20:1.10.1-3:*:*:*:*:*:*:*" ], - "purl": "pkg:deb/debian/libpq5@15.14-0%2Bdeb12u1?arch=amd64&distro=debian-12&upstream=postgresql-15", - "upstreams": [ - { - "name": "postgresql-15" - } - ] + "purl": "pkg:deb/debian/libgcrypt20@1.10.1-3?arch=amd64&distro=debian-12", + "upstreams": [] } }, { @@ -1800,8 +1800,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -1860,8 +1860,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -1945,8 +1945,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ 
@@ -2005,8 +2005,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -2081,8 +2081,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -2141,8 +2141,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -2222,8 +2222,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -2282,8 +2282,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -2358,8 +2358,8 @@ { "cve": "CVE-2019-1010024", "epss": 0.00364, - "percentile": 0.5785, - "date": "2025-12-14" + "percentile": 0.57833, + "date": "2025-12-15" } ], "cwes": [ @@ -2422,8 +2422,8 @@ { "cve": "CVE-2019-1010024", "epss": 0.00364, - "percentile": 0.5785, - "date": "2025-12-14" + "percentile": 0.57833, + "date": "2025-12-15" } ], "cwes": [ @@ -2532,8 +2532,8 @@ { "cve": "CVE-2025-29478", "epss": 0.00034, - "percentile": 0.09478, - "date": "2025-12-14" + "percentile": 0.09393, + "date": "2025-12-15" } ], "cwes": [ @@ -2612,8 +2612,8 @@ { "cve": "CVE-2019-1010025", "epss": 0.00356, - "percentile": 0.5727, - "date": "2025-12-14" + "percentile": 0.57254, + "date": "2025-12-15" } ], "cwes": [ @@ -2675,8 +2675,8 @@ { "cve": "CVE-2019-1010025", "epss": 0.00356, - "percentile": 0.5727, - "date": "2025-12-14" + "percentile": 0.57254, + "date": "2025-12-15" } ], "cwes": [ @@ -2770,8 +2770,8 @@ { "cve": "CVE-2019-1010023", "epss": 0.00346, - "percentile": 0.5661, - "date": "2025-12-14" + "percentile": 0.56596, + "date": "2025-12-15" } ], "fix": { 
@@ -2837,8 +2837,8 @@ { "cve": "CVE-2019-1010023", "epss": 0.00346, - "percentile": 0.5661, - "date": "2025-12-14" + "percentile": 0.56596, + "date": "2025-12-15" } ] } @@ -2936,9 +2936,9 @@ "epss": [ { "cve": "CVE-2025-12817", - "epss": 0.0004, - "percentile": 0.11878, - "date": "2025-12-14" + "epss": 0.00046, + "percentile": 0.14034, + "date": "2025-12-15" } ], "cwes": [ @@ -2954,7 +2954,7 @@ "state": "wont-fix" }, "advisories": [], - "risk": 0.012199999999999999 + "risk": 0.014029999999999999 }, "relatedVulnerabilities": [ { @@ -2983,9 +2983,9 @@ "epss": [ { "cve": "CVE-2025-12817", - "epss": 0.0004, - "percentile": 0.11878, - "date": "2025-12-14" + "epss": 0.00046, + "percentile": 0.14034, + "date": "2025-12-15" } ], "cwes": [ @@ -3060,8 +3060,8 @@ { "cve": "CVE-2024-2236", "epss": 0.00222, - "percentile": 0.44746, - "date": "2025-12-14" + "percentile": 0.44727, + "date": "2025-12-15" } ], "cwes": [ @@ -3112,8 +3112,8 @@ { "cve": "CVE-2024-2236", "epss": 0.00222, - "percentile": 0.44746, - "date": "2025-12-14" + "percentile": 0.44727, + "date": "2025-12-15" } ], "cwes": [ @@ -3184,8 +3184,8 @@ { "cve": "CVE-2020-15719", "epss": 0.00216, - "percentile": 0.44145, - "date": "2025-12-14" + "percentile": 0.44125, + "date": "2025-12-15" } ], "cwes": [ @@ -3249,8 +3249,8 @@ { "cve": "CVE-2020-15719", "epss": 0.00216, - "percentile": 0.44145, - "date": "2025-12-14" + "percentile": 0.44125, + "date": "2025-12-15" } ], "cwes": [ @@ -3334,8 +3334,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -3382,8 +3382,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -3467,8 +3467,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ 
@@ -3515,8 +3515,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -3591,8 +3591,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -3639,8 +3639,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -3720,8 +3720,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -3768,8 +3768,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -3844,8 +3844,8 @@ { "cve": "CVE-2024-2379", "epss": 0.00205, - "percentile": 0.42752, - "date": "2025-12-14" + "percentile": 0.42737, + "date": "2025-12-15" } ], "cwes": [ @@ -3901,8 +3901,8 @@ { "cve": "CVE-2024-2379", "epss": 0.00205, - "percentile": 0.42752, - "date": "2025-12-14" + "percentile": 0.42737, + "date": "2025-12-15" } ], "cwes": [ @@ -3992,8 +3992,8 @@ { "cve": "CVE-2025-29477", "epss": 0.00019, - "percentile": 0.04132, - "date": "2025-12-14" + "percentile": 0.04084, + "date": "2025-12-15" } ], "cwes": [ @@ -4072,8 +4072,8 @@ { "cve": "CVE-2019-1010022", "epss": 0.00145, - "percentile": 0.35451, - "date": "2025-12-14" + "percentile": 0.35413, + "date": "2025-12-15" } ], "cwes": [ @@ -4134,8 +4134,8 @@ { "cve": "CVE-2019-1010022", "epss": 0.00145, - "percentile": 0.35451, - "date": "2025-12-14" + "percentile": 0.35413, + "date": "2025-12-15" } ], "cwes": [ @@ -4229,8 +4229,8 @@ { "cve": "CVE-2023-31437", "epss": 0.00128, - "percentile": 0.32956, - "date": "2025-12-14" + "percentile": 0.32907, + "date": "2025-12-15" } ], "cwes": [ 
@@ -4296,8 +4296,8 @@ { "cve": "CVE-2023-31437", "epss": 0.00128, - "percentile": 0.32956, - "date": "2025-12-14" + "percentile": 0.32907, + "date": "2025-12-15" } ], "cwes": [ @@ -4378,8 +4378,8 @@ { "cve": "CVE-2023-31437", "epss": 0.00128, - "percentile": 0.32956, - "date": "2025-12-14" + "percentile": 0.32907, + "date": "2025-12-15" } ], "cwes": [ @@ -4445,8 +4445,8 @@ { "cve": "CVE-2023-31437", "epss": 0.00128, - "percentile": 0.32956, - "date": "2025-12-14" + "percentile": 0.32907, + "date": "2025-12-15" } ], "cwes": [ @@ -4523,8 +4523,8 @@ { "cve": "CVE-2017-14159", "epss": 0.00123, - "percentile": 0.32248, - "date": "2025-12-14" + "percentile": 0.32198, + "date": "2025-12-15" } ], "cwes": [ @@ -4583,8 +4583,8 @@ { "cve": "CVE-2017-14159", "epss": 0.00123, - "percentile": 0.32248, - "date": "2025-12-14" + "percentile": 0.32198, + "date": "2025-12-15" } ], "cwes": [ @@ -4668,8 +4668,8 @@ { "cve": "CVE-2023-31438", "epss": 0.001, - "percentile": 0.2847, - "date": "2025-12-14" + "percentile": 0.28437, + "date": "2025-12-15" } ], "cwes": [ @@ -4718,8 +4718,8 @@ { "cve": "CVE-2023-31438", "epss": 0.001, - "percentile": 0.2847, - "date": "2025-12-14" + "percentile": 0.28437, + "date": "2025-12-15" } ], "cwes": [ @@ -4794,8 +4794,8 @@ { "cve": "CVE-2023-31438", "epss": 0.001, - "percentile": 0.2847, - "date": "2025-12-14" + "percentile": 0.28437, + "date": "2025-12-15" } ], "cwes": [ @@ -4844,8 +4844,8 @@ { "cve": "CVE-2023-31438", "epss": 0.001, - "percentile": 0.2847, - "date": "2025-12-14" + "percentile": 0.28437, + "date": "2025-12-15" } ], "cwes": [ @@ -4916,8 +4916,8 @@ { "cve": "CVE-2023-31439", "epss": 0.00094, - "percentile": 0.26906, - "date": "2025-12-14" + "percentile": 0.26877, + "date": "2025-12-15" } ], "cwes": [ @@ -4966,8 +4966,8 @@ { "cve": "CVE-2023-31439", "epss": 0.00094, - "percentile": 0.26906, - "date": "2025-12-14" + "percentile": 0.26877, + "date": "2025-12-15" } ], "cwes": [ 
@@ -5042,8 +5042,8 @@ { "cve": "CVE-2023-31439", "epss": 0.00094, - "percentile": 0.26906, - "date": "2025-12-14" + "percentile": 0.26877, + "date": "2025-12-15" } ], "cwes": [ @@ -5092,8 +5092,8 @@ { "cve": "CVE-2023-31439", "epss": 0.00094, - "percentile": 0.26906, - "date": "2025-12-14" + "percentile": 0.26877, + "date": "2025-12-15" } ], "cwes": [ @@ -5164,8 +5164,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -5212,8 +5212,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -5297,8 +5297,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -5345,8 +5345,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -5421,8 +5421,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -5469,8 +5469,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -5550,8 +5550,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -5598,8 +5598,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -5674,8 +5674,8 @@ { "cve": "CVE-2013-4392", "epss": 0.00057, - "percentile": 0.17828, - "date": "2025-12-14" + "percentile": 0.17808, + "date": "2025-12-15" } ], "cwes": [ 
@@ -5741,8 +5741,8 @@ { "cve": "CVE-2013-4392", "epss": 0.00057, - "percentile": 0.17828, - "date": "2025-12-14" + "percentile": 0.17808, + "date": "2025-12-15" } ], "cwes": [ @@ -5823,8 +5823,8 @@ { "cve": "CVE-2013-4392", "epss": 0.00057, - "percentile": 0.17828, - "date": "2025-12-14" + "percentile": 0.17808, + "date": "2025-12-15" } ], "cwes": [ @@ -5890,8 +5890,8 @@ { "cve": "CVE-2013-4392", "epss": 0.00057, - "percentile": 0.17828, - "date": "2025-12-14" + "percentile": 0.17808, + "date": "2025-12-15" } ], "cwes": [ @@ -5968,8 +5968,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -6029,8 +6029,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -6137,8 +6137,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -6198,8 +6198,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -6274,8 +6274,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -6335,8 +6335,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -6439,8 +6439,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -6500,8 +6500,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ 
@@ -6599,8 +6599,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -6660,8 +6660,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -6759,8 +6759,8 @@ { "cve": "CVE-2025-27587", "epss": 0.00035, - "percentile": 0.101, - "date": "2025-12-14" + "percentile": 0.10027, + "date": "2025-12-15" } ], "cwes": [ @@ -6807,8 +6807,8 @@ { "cve": "CVE-2025-27587", "epss": 0.00035, - "percentile": 0.101, - "date": "2025-12-14" + "percentile": 0.10027, + "date": "2025-12-15" } ], "cwes": [ @@ -6904,8 +6904,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ], "fix": { @@ -6946,8 +6946,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ] } 
@@ -7387,87 +7387,87 @@ "db": { "status": { "schemaVersion": "v6.1.3", - "from": "https://grype.anchore.io/databases/v6/vulnerability-db_v6.1.3_2025-12-15T00:26:22Z_1765786837.tar.zst?checksum=sha256%3A819b50d22f073b9ab2ad3c00d212207037c07e1de037f81b528b58717b758db2", - "built": "2025-12-15T08:20:37Z", + "from": "https://grype.anchore.io/databases/v6/vulnerability-db_v6.1.3_2025-12-16T00:25:11Z_1765880790.tar.zst?checksum=sha256%3Aa8bb3ef2cc68f242e78cda1e451f290ff56a23b1063de65d22a0ac20e16ae5bd", + "built": "2025-12-16T10:26:30Z", "path": ".cache/grype/db/6/vulnerability.db", "valid": true }, "providers": { "alma": { - "captured": "2025-12-15T00:26:29Z", + "captured": "2025-12-16T00:25:17Z", "input": "xxh64:3bae44c7a22f7a7a" }, "alpine": { - "captured": "2025-12-15T00:26:22Z", - "input": "xxh64:a6910ebae352b990" + "captured": "2025-12-16T00:25:13Z", + "input": "xxh64:0d94cc3d895e96e4" }, "amazon": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:d9332811ab10da09" + "captured": "2025-12-16T00:25:14Z", + "input": "xxh64:96351b3c21f16cdd" }, "bitnami": { - "captured": "2025-12-15T00:26:31Z", - "input": "xxh64:1ecf12b668dea077" + "captured": "2025-12-16T00:25:26Z", + "input": "xxh64:01d096e52d6c584d" }, "chainguard": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:c788b1823558ccdc" + "captured": "2025-12-16T00:25:19Z", + "input": "xxh64:aeb142b1fabd05ef" }, "chainguard-libraries": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:61125e10198fff74" + "captured": "2025-12-16T00:25:25Z", + "input": "xxh64:131c1a3e98113468" }, "debian": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:3a0aef0ee5db3f38" + "captured": "2025-12-16T00:25:24Z", + "input": "xxh64:9c5942d58a5f0d0a" }, "echo": { - "captured": "2025-12-15T00:26:34Z", - "input": "xxh64:b407f1052619408a" + "captured": "2025-12-16T00:25:20Z", + "input": "xxh64:e65ed35a7a7899d0" }, "epss": { - "captured": "2025-12-15T00:26:28Z", - "input": "xxh64:05fd1e2ee709d2a5" + "captured": 
"2025-12-16T00:25:21Z", + "input": "xxh64:c443dbaf0209cf17" }, "github": { - "captured": "2025-12-15T00:26:44Z", - "input": "xxh64:3c7fd996a88f1c66" + "captured": "2025-12-16T00:25:21Z", + "input": "xxh64:640038905439d285" }, "kev": { - "captured": "2025-12-15T00:26:23Z", - "input": "xxh64:ed425533655d771d" + "captured": "2025-12-16T00:25:11Z", + "input": "xxh64:c28f5b32e2103243" }, "mariner": { - "captured": "2025-12-15T00:26:32Z", - "input": "xxh64:6fdbff1192df3158" + "captured": "2025-12-16T00:25:18Z", + "input": "xxh64:647810a8c07a63eb" }, "minimos": { - "captured": "2025-12-15T00:26:30Z", - "input": "xxh64:66fa9397e7abbbe3" + "captured": "2025-12-16T00:25:20Z", + "input": "xxh64:24ca3b7889974a27" }, "nvd": { - "captured": "2025-12-15T00:29:34Z", - "input": "xxh64:52a15157244d2eb4" + "captured": "2025-12-16T00:28:18Z", + "input": "xxh64:8ee1877e9a9e680b" }, "oracle": { - "captured": "2025-12-15T00:26:29Z", - "input": "xxh64:a3297070ed6c54c1" + "captured": "2025-12-16T00:25:23Z", + "input": "xxh64:a4416b6b3e4250df" }, "rhel": { - "captured": "2025-12-15T00:27:19Z", - "input": "xxh64:e625d0086bf187f1" + "captured": "2025-12-16T00:26:07Z", + "input": "xxh64:9911b1a567d8f57c" }, "sles": { - "captured": "2025-12-15T00:26:44Z", - "input": "xxh64:baf8228a110f8ba2" + "captured": "2025-12-16T00:25:43Z", + "input": "xxh64:1b717d5f2e45fdee" }, "ubuntu": { - "captured": "2025-12-15T00:27:45Z", - "input": "xxh64:dd0f79d777310979" + "captured": "2025-12-16T00:27:14Z", + "input": "xxh64:2d3097578288b46f" }, "wolfi": { - "captured": "2025-12-15T00:26:25Z", - "input": "xxh64:7f14313934ae61bb" + "captured": "2025-12-16T00:25:19Z", + "input": "xxh64:f85923693eb62700" } } } diff --git a/docs/security/oss/grype-4.0.13.json b/docs/security/oss/grype-4.0.13.json index 89fca74..c19fcbf 100644 --- a/docs/security/oss/grype-4.0.13.json +++ b/docs/security/oss/grype-4.0.13.json 
@@ -26,8 +26,8 @@ { "cve": "CVE-2023-2953", "epss": 0.01466, - "percentile": 0.80391, - "date": "2025-12-14" + "percentile": 0.80389, + "date": "2025-12-15" } ], "cwes": [ @@ -105,8 +105,8 @@ { "cve": "CVE-2023-2953", "epss": 0.01466, - "percentile": 0.80391, - "date": "2025-12-14" + "percentile": 0.80389, + "date": "2025-12-15" } ], "cwes": [ @@ -202,8 +202,8 @@ { "cve": "CVE-2011-3389", "epss": 0.03795, - "percentile": 0.8769, - "date": "2025-12-14" + "percentile": 0.87688, + "date": "2025-12-15" } ], "cwes": [ @@ -337,8 +337,8 @@ { "cve": "CVE-2011-3389", "epss": 0.03795, - "percentile": 0.8769, - "date": "2025-12-14" + "percentile": 0.87688, + "date": "2025-12-15" } ], "cwes": [ @@ -413,8 +413,8 @@ { "cve": "CVE-2015-3276", "epss": 0.02852, - "percentile": 0.8578, - "date": "2025-12-14" + "percentile": 0.85775, + "date": "2025-12-15" } ], "fix": { @@ -467,8 +467,8 @@ { "cve": "CVE-2015-3276", "epss": 0.02852, - "percentile": 0.8578, - "date": "2025-12-14" + "percentile": 0.85775, + "date": "2025-12-15" } ] } @@ -544,8 +544,8 @@ { "cve": "CVE-2018-20796", "epss": 0.01669, - "percentile": 0.8162, - "date": "2025-12-14" + "percentile": 0.81616, + "date": "2025-12-15" } ], "cwes": [ @@ -607,8 +607,8 @@ { "cve": "CVE-2018-20796", "epss": 0.01669, - "percentile": 0.8162, - "date": "2025-12-14" + "percentile": 0.81616, + "date": "2025-12-15" } ], "cwes": [ @@ -702,8 +702,8 @@ { "cve": "CVE-2017-17740", "epss": 0.01643, - "percentile": 0.81471, - "date": "2025-12-14" + "percentile": 0.81467, + "date": "2025-12-15" } ], "cwes": [ @@ -765,8 +765,8 @@ { "cve": "CVE-2017-17740", "epss": 0.01643, - "percentile": 0.81471, - "date": "2025-12-14" + "percentile": 0.81467, + "date": "2025-12-15" } ], "cwes": [ @@ -863,8 +863,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ], "fix": { 
@@ -905,8 +905,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ] } @@ -973,8 +973,8 @@ { "cve": "CVE-2019-9192", "epss": 0.00942, - "percentile": 0.75629, - "date": "2025-12-14" + "percentile": 0.75628, + "date": "2025-12-15" } ], "cwes": [ @@ -1033,8 +1033,8 @@ { "cve": "CVE-2019-9192", "epss": 0.00942, - "percentile": 0.75629, - "date": "2025-12-14" + "percentile": 0.75628, + "date": "2025-12-15" } ], "cwes": [ @@ -1128,8 +1128,8 @@ { "cve": "CVE-2025-0725", "epss": 0.00904, - "percentile": 0.75077, - "date": "2025-12-14" + "percentile": 0.7508, + "date": "2025-12-15" } ], "cwes": [ @@ -1182,8 +1182,8 @@ { "cve": "CVE-2025-0725", "epss": 0.00904, - "percentile": 0.75077, - "date": "2025-12-14" + "percentile": 0.7508, + "date": "2025-12-15" } ], "cwes": [ @@ -1271,8 +1271,8 @@ { "cve": "CVE-2025-10148", "epss": 0.0007, - "percentile": 0.21525, - "date": "2025-12-14" + "percentile": 0.21504, + "date": "2025-12-15" } ], "fix": { @@ -1315,8 +1315,8 @@ { "cve": "CVE-2025-10148", "epss": 0.0007, - "percentile": 0.21525, - "date": "2025-12-14" + "percentile": 0.21504, + "date": "2025-12-15" } ] } @@ -1383,8 +1383,8 @@ { "cve": "CVE-2010-4756", "epss": 0.00691, - "percentile": 0.71132, - "date": "2025-12-14" + "percentile": 0.71128, + "date": "2025-12-15" } ], "cwes": [ @@ -1435,8 +1435,8 @@ { "cve": "CVE-2010-4756", "epss": 0.00691, - "percentile": 0.71132, - "date": "2025-12-14" + "percentile": 0.71128, + "date": "2025-12-15" } ], "cwes": [ 
@@ -1519,96 +1519,94 @@ }, { "vulnerability": { - "id": "CVE-2018-6829", - "dataSource": "https://security-tracker.debian.org/tracker/CVE-2018-6829", + "id": "CVE-2025-12818", + "dataSource": "https://security-tracker.debian.org/tracker/CVE-2025-12818", "namespace": "debian:distro:debian:12", - "severity": "Negligible", + "severity": "Medium", "urls": [], - "description": "cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.", - "cvss": [], + "description": "Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application using libpq. 
Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.", + "cvss": [ + { + "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.9, + "exploitabilityScore": 2.3, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ], "epss": [ { - "cve": "CVE-2018-6829", - "epss": 0.00577, - "percentile": 0.68044, - "date": "2025-12-14" + "cve": "CVE-2025-12818", + "epss": 0.00057, + "percentile": 0.1792, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2018-6829", - "cwe": "CWE-327", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2025-12818", + "cwe": "CWE-190", + "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", + "type": "Secondary" } ], "fix": { "versions": [], - "state": "not-fixed" + "state": "wont-fix" }, "advisories": [], - "risk": 0.02885 + "risk": 0.031065 }, "relatedVulnerabilities": [ { - "id": "CVE-2018-6829", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2018-6829", + "id": "CVE-2025-12818", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-12818", "namespace": "nvd:cpe", - "severity": "High", + "severity": "Medium", "urls": [ - "https://github.com/weikengchen/attack-on-libgcrypt-elgamal", - "https://github.com/weikengchen/attack-on-libgcrypt-elgamal/wiki", - "https://lists.gnupg.org/pipermail/gcrypt-devel/2018-February/004394.html", - "https://www.oracle.com/security-alerts/cpujan2020.html" + "https://www.postgresql.org/support/security/CVE-2025-12818/" ], - "description": "cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). 
The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.", + "description": "Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application using libpq. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.", "cvss": [ { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "3.0", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} - }, - { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "2.0", - "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", - "metrics": { - "baseScore": 5, - "exploitabilityScore": 10, - "impactScore": 2.9 - }, - "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2018-6829", - "epss": 0.00577, - "percentile": 0.68044, - "date": "2025-12-14" + "cve": "CVE-2025-12818", + "epss": 0.00057, + "percentile": 0.1792, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2018-6829", - "cwe": "CWE-327", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2025-12818", + "cwe": "CWE-190", + "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", + "type": "Secondary" } ] } ], "matchDetails": [ { - "type": "exact-direct-match", + "type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": { "distro": { 
@@ -1616,27 +1614,27 @@ "version": "12" }, "package": { - "name": "libgcrypt20", - "version": "1.10.1-3" + "name": "postgresql-15", + "version": "15.14-0+deb12u1" }, "namespace": "debian:distro:debian:12" }, "found": { - "vulnerabilityID": "CVE-2018-6829", + "vulnerabilityID": "CVE-2025-12818", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "aa143951e2980797", - "name": "libgcrypt20", - "version": "1.10.1-3", + "id": "da0ab4ee51b298d8", + "name": "libpq5", + "version": "15.14-0+deb12u1", "type": "deb", "locations": [ { - "path": "/var/lib/dpkg/status.d/libgcrypt20", + "path": "/var/lib/dpkg/status.d/libpq5", "layerID": "sha256:c37bf7ef1af500ef329b6439c3d13f6008d5779df3433d8994325e53bb39b551", - "accessPath": "/var/lib/dpkg/status.d/libgcrypt20", + "accessPath": "/var/lib/dpkg/status.d/libpq5", "annotations": { "evidence": "primary" } 
@@ -1645,102 +1643,108 @@ "language": "", "licenses": [], "cpes": [ - "cpe:2.3:a:libgcrypt20:libgcrypt20:1.10.1-3:*:*:*:*:*:*:*" + "cpe:2.3:a:libpq5:libpq5:15.14-0\\+deb12u1:*:*:*:*:*:*:*" ], - "purl": "pkg:deb/debian/libgcrypt20@1.10.1-3?arch=amd64&distro=debian-12", - "upstreams": [] + "purl": "pkg:deb/debian/libpq5@15.14-0%2Bdeb12u1?arch=amd64&distro=debian-12&upstream=postgresql-15", + "upstreams": [ + { + "name": "postgresql-15" + } + ] } }, { "vulnerability": { - "id": "CVE-2025-12818", - "dataSource": "https://security-tracker.debian.org/tracker/CVE-2025-12818", + "id": "CVE-2018-6829", + "dataSource": "https://security-tracker.debian.org/tracker/CVE-2018-6829", "namespace": "debian:distro:debian:12", - "severity": "Medium", + "severity": "Negligible", "urls": [], - "description": "Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application using libpq. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.", - "cvss": [ - { - "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", - "type": "Secondary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", - "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, - "impactScore": 3.6 - }, - "vendorMetadata": {} - } - ], + "description": "cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). 
The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.", + "cvss": [], "epss": [ { - "cve": "CVE-2025-12818", - "epss": 0.00052, - "percentile": 0.16429, - "date": "2025-12-14" + "cve": "CVE-2018-6829", + "epss": 0.00577, + "percentile": 0.6804, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-12818", - "cwe": "CWE-190", - "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", - "type": "Secondary" + "cve": "CVE-2018-6829", + "cwe": "CWE-327", + "source": "nvd@nist.gov", + "type": "Primary" } ], "fix": { "versions": [], - "state": "wont-fix" + "state": "not-fixed" }, "advisories": [], - "risk": 0.02834 + "risk": 0.02885 }, "relatedVulnerabilities": [ { - "id": "CVE-2025-12818", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-12818", + "id": "CVE-2018-6829", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2018-6829", "namespace": "nvd:cpe", - "severity": "Medium", + "severity": "High", "urls": [ - "https://www.postgresql.org/support/security/CVE-2025-12818/" + "https://github.com/weikengchen/attack-on-libgcrypt-elgamal", + "https://github.com/weikengchen/attack-on-libgcrypt-elgamal/wiki", + "https://lists.gnupg.org/pipermail/gcrypt-devel/2018-February/004394.html", + "https://www.oracle.com/security-alerts/cpujan2020.html" ], - "description": "Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application using libpq. 
Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.", + "description": "cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.", "cvss": [ { - "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", - "type": "Secondary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.0", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, + "baseScore": 7.5, + "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", + "metrics": { + "baseScore": 5, + "exploitabilityScore": 10, + "impactScore": 2.9 + }, + "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2025-12818", - "epss": 0.00052, - "percentile": 0.16429, - "date": "2025-12-14" + "cve": "CVE-2018-6829", + "epss": 0.00577, + "percentile": 0.6804, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-12818", - "cwe": "CWE-190", - "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", - "type": "Secondary" + "cve": "CVE-2018-6829", + "cwe": "CWE-327", + "source": "nvd@nist.gov", + "type": "Primary" } ] } ], "matchDetails": [ { - "type": "exact-indirect-match", + "type": "exact-direct-match", "matcher": "dpkg-matcher", "searchedBy": { "distro": { 
@@ -1748,27 +1752,27 @@ "version": "12" }, "package": { - "name": "postgresql-15", - "version": "15.14-0+deb12u1" + "name": "libgcrypt20", + "version": "1.10.1-3" }, "namespace": "debian:distro:debian:12" }, "found": { - "vulnerabilityID": "CVE-2025-12818", + "vulnerabilityID": "CVE-2018-6829", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "da0ab4ee51b298d8", - "name": "libpq5", - "version": "15.14-0+deb12u1", + "id": "aa143951e2980797", + "name": "libgcrypt20", + "version": "1.10.1-3", "type": "deb", "locations": [ { - "path": "/var/lib/dpkg/status.d/libpq5", + "path": "/var/lib/dpkg/status.d/libgcrypt20", "layerID": "sha256:c37bf7ef1af500ef329b6439c3d13f6008d5779df3433d8994325e53bb39b551", - "accessPath": "/var/lib/dpkg/status.d/libpq5", + "accessPath": "/var/lib/dpkg/status.d/libgcrypt20", "annotations": { "evidence": "primary" } @@ -1777,14 +1781,10 @@ "language": "", "licenses": [], "cpes": [ - "cpe:2.3:a:libpq5:libpq5:15.14-0\\+deb12u1:*:*:*:*:*:*:*" + "cpe:2.3:a:libgcrypt20:libgcrypt20:1.10.1-3:*:*:*:*:*:*:*" ], - "purl": "pkg:deb/debian/libpq5@15.14-0%2Bdeb12u1?arch=amd64&distro=debian-12&upstream=postgresql-15", - "upstreams": [ - { - "name": "postgresql-15" - } - ] + "purl": "pkg:deb/debian/libgcrypt20@1.10.1-3?arch=amd64&distro=debian-12", + "upstreams": [] } }, { @@ -1800,8 +1800,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -1860,8 +1860,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -1945,8 +1945,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ 
@@ -2005,8 +2005,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -2081,8 +2081,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -2141,8 +2141,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -2222,8 +2222,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -2282,8 +2282,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -2358,8 +2358,8 @@ { "cve": "CVE-2019-1010024", "epss": 0.00364, - "percentile": 0.5785, - "date": "2025-12-14" + "percentile": 0.57833, + "date": "2025-12-15" } ], "cwes": [ @@ -2422,8 +2422,8 @@ { "cve": "CVE-2019-1010024", "epss": 0.00364, - "percentile": 0.5785, - "date": "2025-12-14" + "percentile": 0.57833, + "date": "2025-12-15" } ], "cwes": [ @@ -2532,8 +2532,8 @@ { "cve": "CVE-2025-29478", "epss": 0.00034, - "percentile": 0.09478, - "date": "2025-12-14" + "percentile": 0.09393, + "date": "2025-12-15" } ], "cwes": [ @@ -2612,8 +2612,8 @@ { "cve": "CVE-2019-1010025", "epss": 0.00356, - "percentile": 0.5727, - "date": "2025-12-14" + "percentile": 0.57254, + "date": "2025-12-15" } ], "cwes": [ @@ -2675,8 +2675,8 @@ { "cve": "CVE-2019-1010025", "epss": 0.00356, - "percentile": 0.5727, - "date": "2025-12-14" + "percentile": 0.57254, + "date": "2025-12-15" } ], "cwes": [ @@ -2770,8 +2770,8 @@ { "cve": "CVE-2019-1010023", "epss": 0.00346, - "percentile": 0.5661, - "date": "2025-12-14" + "percentile": 0.56596, + "date": "2025-12-15" } ], "fix": { 
@@ -2837,8 +2837,8 @@ { "cve": "CVE-2019-1010023", "epss": 0.00346, - "percentile": 0.5661, - "date": "2025-12-14" + "percentile": 0.56596, + "date": "2025-12-15" } ] } @@ -2936,9 +2936,9 @@ "epss": [ { "cve": "CVE-2025-12817", - "epss": 0.0004, - "percentile": 0.11878, - "date": "2025-12-14" + "epss": 0.00046, + "percentile": 0.14034, + "date": "2025-12-15" } ], "cwes": [ @@ -2954,7 +2954,7 @@ "state": "wont-fix" }, "advisories": [], - "risk": 0.012199999999999999 + "risk": 0.014029999999999999 }, "relatedVulnerabilities": [ { @@ -2983,9 +2983,9 @@ "epss": [ { "cve": "CVE-2025-12817", - "epss": 0.0004, - "percentile": 0.11878, - "date": "2025-12-14" + "epss": 0.00046, + "percentile": 0.14034, + "date": "2025-12-15" } ], "cwes": [ @@ -3060,8 +3060,8 @@ { "cve": "CVE-2024-2236", "epss": 0.00222, - "percentile": 0.44746, - "date": "2025-12-14" + "percentile": 0.44727, + "date": "2025-12-15" } ], "cwes": [ @@ -3112,8 +3112,8 @@ { "cve": "CVE-2024-2236", "epss": 0.00222, - "percentile": 0.44746, - "date": "2025-12-14" + "percentile": 0.44727, + "date": "2025-12-15" } ], "cwes": [ @@ -3184,8 +3184,8 @@ { "cve": "CVE-2020-15719", "epss": 0.00216, - "percentile": 0.44145, - "date": "2025-12-14" + "percentile": 0.44125, + "date": "2025-12-15" } ], "cwes": [ @@ -3249,8 +3249,8 @@ { "cve": "CVE-2020-15719", "epss": 0.00216, - "percentile": 0.44145, - "date": "2025-12-14" + "percentile": 0.44125, + "date": "2025-12-15" } ], "cwes": [ @@ -3334,8 +3334,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -3382,8 +3382,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -3467,8 +3467,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ 
@@ -3515,8 +3515,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -3591,8 +3591,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -3639,8 +3639,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -3720,8 +3720,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -3768,8 +3768,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -3844,8 +3844,8 @@ { "cve": "CVE-2024-2379", "epss": 0.00205, - "percentile": 0.42752, - "date": "2025-12-14" + "percentile": 0.42737, + "date": "2025-12-15" } ], "cwes": [ @@ -3901,8 +3901,8 @@ { "cve": "CVE-2024-2379", "epss": 0.00205, - "percentile": 0.42752, - "date": "2025-12-14" + "percentile": 0.42737, + "date": "2025-12-15" } ], "cwes": [ @@ -3992,8 +3992,8 @@ { "cve": "CVE-2025-29477", "epss": 0.00019, - "percentile": 0.04132, - "date": "2025-12-14" + "percentile": 0.04084, + "date": "2025-12-15" } ], "cwes": [ @@ -4072,8 +4072,8 @@ { "cve": "CVE-2019-1010022", "epss": 0.00145, - "percentile": 0.35451, - "date": "2025-12-14" + "percentile": 0.35413, + "date": "2025-12-15" } ], "cwes": [ @@ -4134,8 +4134,8 @@ { "cve": "CVE-2019-1010022", "epss": 0.00145, - "percentile": 0.35451, - "date": "2025-12-14" + "percentile": 0.35413, + "date": "2025-12-15" } ], "cwes": [ @@ -4229,8 +4229,8 @@ { "cve": "CVE-2023-31437", "epss": 0.00128, - "percentile": 0.32956, - "date": "2025-12-14" + "percentile": 0.32907, + "date": "2025-12-15" } ], "cwes": [ 
@@ -4296,8 +4296,8 @@ { "cve": "CVE-2023-31437", "epss": 0.00128, - "percentile": 0.32956, - "date": "2025-12-14" + "percentile": 0.32907, + "date": "2025-12-15" } ], "cwes": [ @@ -4378,8 +4378,8 @@ { "cve": "CVE-2023-31437", "epss": 0.00128, - "percentile": 0.32956, - "date": "2025-12-14" + "percentile": 0.32907, + "date": "2025-12-15" } ], "cwes": [ @@ -4445,8 +4445,8 @@ { "cve": "CVE-2023-31437", "epss": 0.00128, - "percentile": 0.32956, - "date": "2025-12-14" + "percentile": 0.32907, + "date": "2025-12-15" } ], "cwes": [ @@ -4523,8 +4523,8 @@ { "cve": "CVE-2017-14159", "epss": 0.00123, - "percentile": 0.32248, - "date": "2025-12-14" + "percentile": 0.32198, + "date": "2025-12-15" } ], "cwes": [ @@ -4583,8 +4583,8 @@ { "cve": "CVE-2017-14159", "epss": 0.00123, - "percentile": 0.32248, - "date": "2025-12-14" + "percentile": 0.32198, + "date": "2025-12-15" } ], "cwes": [ @@ -4668,8 +4668,8 @@ { "cve": "CVE-2023-31438", "epss": 0.001, - "percentile": 0.2847, - "date": "2025-12-14" + "percentile": 0.28437, + "date": "2025-12-15" } ], "cwes": [ @@ -4718,8 +4718,8 @@ { "cve": "CVE-2023-31438", "epss": 0.001, - "percentile": 0.2847, - "date": "2025-12-14" + "percentile": 0.28437, + "date": "2025-12-15" } ], "cwes": [ @@ -4794,8 +4794,8 @@ { "cve": "CVE-2023-31438", "epss": 0.001, - "percentile": 0.2847, - "date": "2025-12-14" + "percentile": 0.28437, + "date": "2025-12-15" } ], "cwes": [ @@ -4844,8 +4844,8 @@ { "cve": "CVE-2023-31438", "epss": 0.001, - "percentile": 0.2847, - "date": "2025-12-14" + "percentile": 0.28437, + "date": "2025-12-15" } ], "cwes": [ @@ -4916,8 +4916,8 @@ { "cve": "CVE-2023-31439", "epss": 0.00094, - "percentile": 0.26906, - "date": "2025-12-14" + "percentile": 0.26877, + "date": "2025-12-15" } ], "cwes": [ @@ -4966,8 +4966,8 @@ { "cve": "CVE-2023-31439", "epss": 0.00094, - "percentile": 0.26906, - "date": "2025-12-14" + "percentile": 0.26877, + "date": "2025-12-15" } ], "cwes": [ 
@@ -5042,8 +5042,8 @@ { "cve": "CVE-2023-31439", "epss": 0.00094, - "percentile": 0.26906, - "date": "2025-12-14" + "percentile": 0.26877, + "date": "2025-12-15" } ], "cwes": [ @@ -5092,8 +5092,8 @@ { "cve": "CVE-2023-31439", "epss": 0.00094, - "percentile": 0.26906, - "date": "2025-12-14" + "percentile": 0.26877, + "date": "2025-12-15" } ], "cwes": [ @@ -5164,8 +5164,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -5212,8 +5212,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -5297,8 +5297,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -5345,8 +5345,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -5421,8 +5421,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -5469,8 +5469,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -5550,8 +5550,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -5598,8 +5598,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -5674,8 +5674,8 @@ { "cve": "CVE-2013-4392", "epss": 0.00057, - "percentile": 0.17828, - "date": "2025-12-14" + "percentile": 0.17808, + "date": "2025-12-15" } ], "cwes": [ 
@@ -5741,8 +5741,8 @@ { "cve": "CVE-2013-4392", "epss": 0.00057, - "percentile": 0.17828, - "date": "2025-12-14" + "percentile": 0.17808, + "date": "2025-12-15" } ], "cwes": [ @@ -5823,8 +5823,8 @@ { "cve": "CVE-2013-4392", "epss": 0.00057, - "percentile": 0.17828, - "date": "2025-12-14" + "percentile": 0.17808, + "date": "2025-12-15" } ], "cwes": [ @@ -5890,8 +5890,8 @@ { "cve": "CVE-2013-4392", "epss": 0.00057, - "percentile": 0.17828, - "date": "2025-12-14" + "percentile": 0.17808, + "date": "2025-12-15" } ], "cwes": [ @@ -5968,8 +5968,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -6029,8 +6029,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -6137,8 +6137,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -6198,8 +6198,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -6274,8 +6274,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -6335,8 +6335,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -6439,8 +6439,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -6500,8 +6500,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ 
@@ -6599,8 +6599,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -6660,8 +6660,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -6759,8 +6759,8 @@ { "cve": "CVE-2025-27587", "epss": 0.00035, - "percentile": 0.101, - "date": "2025-12-14" + "percentile": 0.10027, + "date": "2025-12-15" } ], "cwes": [ @@ -6807,8 +6807,8 @@ { "cve": "CVE-2025-27587", "epss": 0.00035, - "percentile": 0.101, - "date": "2025-12-14" + "percentile": 0.10027, + "date": "2025-12-15" } ], "cwes": [ @@ -6904,8 +6904,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ], "fix": { @@ -6946,8 +6946,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ] } 
@@ -7387,87 +7387,87 @@ "db": { "status": { "schemaVersion": "v6.1.3", - "from": "https://grype.anchore.io/databases/v6/vulnerability-db_v6.1.3_2025-12-15T00:26:22Z_1765786837.tar.zst?checksum=sha256%3A819b50d22f073b9ab2ad3c00d212207037c07e1de037f81b528b58717b758db2", - "built": "2025-12-15T08:20:37Z", + "from": "https://grype.anchore.io/databases/v6/vulnerability-db_v6.1.3_2025-12-16T00:25:11Z_1765880790.tar.zst?checksum=sha256%3Aa8bb3ef2cc68f242e78cda1e451f290ff56a23b1063de65d22a0ac20e16ae5bd", + "built": "2025-12-16T10:26:30Z", "path": ".cache/grype/db/6/vulnerability.db", "valid": true }, "providers": { "alma": { - "captured": "2025-12-15T00:26:29Z", + "captured": "2025-12-16T00:25:17Z", "input": "xxh64:3bae44c7a22f7a7a" }, "alpine": { - "captured": "2025-12-15T00:26:22Z", - "input": "xxh64:a6910ebae352b990" + "captured": "2025-12-16T00:25:13Z", + "input": "xxh64:0d94cc3d895e96e4" }, "amazon": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:d9332811ab10da09" + "captured": "2025-12-16T00:25:14Z", + "input": "xxh64:96351b3c21f16cdd" }, "bitnami": { - "captured": "2025-12-15T00:26:31Z", - "input": "xxh64:1ecf12b668dea077" + "captured": "2025-12-16T00:25:26Z", + "input": "xxh64:01d096e52d6c584d" }, "chainguard": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:c788b1823558ccdc" + "captured": "2025-12-16T00:25:19Z", + "input": "xxh64:aeb142b1fabd05ef" }, "chainguard-libraries": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:61125e10198fff74" + "captured": "2025-12-16T00:25:25Z", + "input": "xxh64:131c1a3e98113468" }, "debian": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:3a0aef0ee5db3f38" + "captured": "2025-12-16T00:25:24Z", + "input": "xxh64:9c5942d58a5f0d0a" }, "echo": { - "captured": "2025-12-15T00:26:34Z", - "input": "xxh64:b407f1052619408a" + "captured": "2025-12-16T00:25:20Z", + "input": "xxh64:e65ed35a7a7899d0" }, "epss": { - "captured": "2025-12-15T00:26:28Z", - "input": "xxh64:05fd1e2ee709d2a5" + "captured": 
"2025-12-16T00:25:21Z", + "input": "xxh64:c443dbaf0209cf17" }, "github": { - "captured": "2025-12-15T00:26:44Z", - "input": "xxh64:3c7fd996a88f1c66" + "captured": "2025-12-16T00:25:21Z", + "input": "xxh64:640038905439d285" }, "kev": { - "captured": "2025-12-15T00:26:23Z", - "input": "xxh64:ed425533655d771d" + "captured": "2025-12-16T00:25:11Z", + "input": "xxh64:c28f5b32e2103243" }, "mariner": { - "captured": "2025-12-15T00:26:32Z", - "input": "xxh64:6fdbff1192df3158" + "captured": "2025-12-16T00:25:18Z", + "input": "xxh64:647810a8c07a63eb" }, "minimos": { - "captured": "2025-12-15T00:26:30Z", - "input": "xxh64:66fa9397e7abbbe3" + "captured": "2025-12-16T00:25:20Z", + "input": "xxh64:24ca3b7889974a27" }, "nvd": { - "captured": "2025-12-15T00:29:34Z", - "input": "xxh64:52a15157244d2eb4" + "captured": "2025-12-16T00:28:18Z", + "input": "xxh64:8ee1877e9a9e680b" }, "oracle": { - "captured": "2025-12-15T00:26:29Z", - "input": "xxh64:a3297070ed6c54c1" + "captured": "2025-12-16T00:25:23Z", + "input": "xxh64:a4416b6b3e4250df" }, "rhel": { - "captured": "2025-12-15T00:27:19Z", - "input": "xxh64:e625d0086bf187f1" + "captured": "2025-12-16T00:26:07Z", + "input": "xxh64:9911b1a567d8f57c" }, "sles": { - "captured": "2025-12-15T00:26:44Z", - "input": "xxh64:baf8228a110f8ba2" + "captured": "2025-12-16T00:25:43Z", + "input": "xxh64:1b717d5f2e45fdee" }, "ubuntu": { - "captured": "2025-12-15T00:27:45Z", - "input": "xxh64:dd0f79d777310979" + "captured": "2025-12-16T00:27:14Z", + "input": "xxh64:2d3097578288b46f" }, "wolfi": { - "captured": "2025-12-15T00:26:25Z", - "input": "xxh64:7f14313934ae61bb" + "captured": "2025-12-16T00:25:19Z", + "input": "xxh64:f85923693eb62700" } } } diff --git a/docs/security/oss/grype-4.0.3.json b/docs/security/oss/grype-4.0.3.json index 69bcb88..f271d03 100644 --- a/docs/security/oss/grype-4.0.3.json +++ b/docs/security/oss/grype-4.0.3.json 
@@ -26,8 +26,8 @@ { "cve": "CVE-2023-2953", "epss": 0.01466, - "percentile": 0.80391, - "date": "2025-12-14" + "percentile": 0.80389, + "date": "2025-12-15" } ], "cwes": [ @@ -105,8 +105,8 @@ { "cve": "CVE-2023-2953", "epss": 0.01466, - "percentile": 0.80391, - "date": "2025-12-14" + "percentile": 0.80389, + "date": "2025-12-15" } ], "cwes": [ @@ -202,8 +202,8 @@ { "cve": "CVE-2011-3389", "epss": 0.03795, - "percentile": 0.8769, - "date": "2025-12-14" + "percentile": 0.87688, + "date": "2025-12-15" } ], "cwes": [ @@ -337,8 +337,8 @@ { "cve": "CVE-2011-3389", "epss": 0.03795, - "percentile": 0.8769, - "date": "2025-12-14" + "percentile": 0.87688, + "date": "2025-12-15" } ], "cwes": [ @@ -413,8 +413,8 @@ { "cve": "CVE-2015-3276", "epss": 0.02852, - "percentile": 0.8578, - "date": "2025-12-14" + "percentile": 0.85775, + "date": "2025-12-15" } ], "fix": { @@ -467,8 +467,8 @@ { "cve": "CVE-2015-3276", "epss": 0.02852, - "percentile": 0.8578, - "date": "2025-12-14" + "percentile": 0.85775, + "date": "2025-12-15" } ] } @@ -557,8 +557,8 @@ { "cve": "CVE-2025-32990", "epss": 0.0011, - "percentile": 0.30071, - "date": "2025-12-14" + "percentile": 0.3004, + "date": "2025-12-15" } ], "cwes": [ @@ -641,8 +641,8 @@ { "cve": "CVE-2025-32990", "epss": 0.0011, - "percentile": 0.30071, - "date": "2025-12-14" + "percentile": 0.3004, + "date": "2025-12-15" } ], "cwes": [ @@ -720,8 +720,8 @@ { "cve": "CVE-2018-20796", "epss": 0.01669, - "percentile": 0.8162, - "date": "2025-12-14" + "percentile": 0.81616, + "date": "2025-12-15" } ], "cwes": [ @@ -783,8 +783,8 @@ { "cve": "CVE-2018-20796", "epss": 0.01669, - "percentile": 0.8162, - "date": "2025-12-14" + "percentile": 0.81616, + "date": "2025-12-15" } ], "cwes": [ @@ -878,8 +878,8 @@ { "cve": "CVE-2017-17740", "epss": 0.01643, - "percentile": 0.81471, - "date": "2025-12-14" + "percentile": 0.81467, + "date": "2025-12-15" } ], "cwes": [ 
@@ -941,8 +941,8 @@ { "cve": "CVE-2017-17740", "epss": 0.01643, - "percentile": 0.81471, - "date": "2025-12-14" + "percentile": 0.81467, + "date": "2025-12-15" } ], "cwes": [ @@ -1039,8 +1039,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ], "fix": { @@ -1081,8 +1081,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ] } @@ -1162,8 +1162,8 @@ { "cve": "CVE-2025-32988", "epss": 0.00083, - "percentile": 0.24589, - "date": "2025-12-14" + "percentile": 0.24562, + "date": "2025-12-15" } ], "cwes": [ @@ -1246,8 +1246,8 @@ { "cve": "CVE-2025-32988", "epss": 0.00083, - "percentile": 0.24589, - "date": "2025-12-14" + "percentile": 0.24562, + "date": "2025-12-15" } ], "cwes": [ @@ -1338,8 +1338,8 @@ { "cve": "CVE-2025-8715", "epss": 0.00072, - "percentile": 0.2224, - "date": "2025-12-14" + "percentile": 0.22219, + "date": "2025-12-15" } ], "cwes": [ @@ -1394,8 +1394,8 @@ { "cve": "CVE-2025-8715", "epss": 0.00072, - "percentile": 0.2224, - "date": "2025-12-14" + "percentile": 0.22219, + "date": "2025-12-15" } ], "cwes": [ @@ -1473,8 +1473,8 @@ { "cve": "CVE-2019-9192", "epss": 0.00942, - "percentile": 0.75629, - "date": "2025-12-14" + "percentile": 0.75628, + "date": "2025-12-15" } ], "cwes": [ @@ -1533,8 +1533,8 @@ { "cve": "CVE-2019-9192", "epss": 0.00942, - "percentile": 0.75629, - "date": "2025-12-14" + "percentile": 0.75628, + "date": "2025-12-15" } ], "cwes": [ @@ -1628,8 +1628,8 @@ { "cve": "CVE-2025-0725", "epss": 0.00904, - "percentile": 0.75077, - "date": "2025-12-14" + "percentile": 0.7508, + "date": "2025-12-15" } ], "cwes": [ @@ -1682,8 +1682,8 @@ { "cve": "CVE-2025-0725", "epss": 0.00904, - "percentile": 0.75077, - "date": "2025-12-14" + "percentile": 0.7508, + "date": "2025-12-15" } ], "cwes": [ 
@@ -1771,8 +1771,8 @@ { "cve": "CVE-2025-10148", "epss": 0.0007, - "percentile": 0.21525, - "date": "2025-12-14" + "percentile": 0.21504, + "date": "2025-12-15" } ], "fix": { @@ -1815,8 +1815,8 @@ { "cve": "CVE-2025-10148", "epss": 0.0007, - "percentile": 0.21525, - "date": "2025-12-14" + "percentile": 0.21504, + "date": "2025-12-15" } ] } @@ -1883,8 +1883,8 @@ { "cve": "CVE-2010-4756", "epss": 0.00691, - "percentile": 0.71132, - "date": "2025-12-14" + "percentile": 0.71128, + "date": "2025-12-15" } ], "cwes": [ @@ -1935,8 +1935,8 @@ { "cve": "CVE-2010-4756", "epss": 0.00691, - "percentile": 0.71132, - "date": "2025-12-14" + "percentile": 0.71128, + "date": "2025-12-15" } ], "cwes": [ @@ -2043,8 +2043,8 @@ { "cve": "CVE-2025-6395", "epss": 0.00059, - "percentile": 0.18686, - "date": "2025-12-14" + "percentile": 0.18672, + "date": "2025-12-15" } ], "cwes": [ @@ -2115,8 +2115,8 @@ { "cve": "CVE-2025-6395", "epss": 0.00059, - "percentile": 0.18686, - "date": "2025-12-14" + "percentile": 0.18672, + "date": "2025-12-15" } ], "cwes": [ 
@@ -2183,96 +2183,94 @@ }, { "vulnerability": { - "id": "CVE-2018-6829", - "dataSource": "https://security-tracker.debian.org/tracker/CVE-2018-6829", + "id": "CVE-2025-12818", + "dataSource": "https://security-tracker.debian.org/tracker/CVE-2025-12818", "namespace": "debian:distro:debian:12", - "severity": "Negligible", + "severity": "Medium", "urls": [], - "description": "cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.", - "cvss": [], + "description": "Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application using libpq. 
Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.", + "cvss": [ + { + "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.9, + "exploitabilityScore": 2.3, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ], "epss": [ { - "cve": "CVE-2018-6829", - "epss": 0.00577, - "percentile": 0.68044, - "date": "2025-12-14" + "cve": "CVE-2025-12818", + "epss": 0.00057, + "percentile": 0.1792, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2018-6829", - "cwe": "CWE-327", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2025-12818", + "cwe": "CWE-190", + "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", + "type": "Secondary" } ], "fix": { "versions": [], - "state": "not-fixed" + "state": "wont-fix" }, "advisories": [], - "risk": 0.02885 + "risk": 0.031065 }, "relatedVulnerabilities": [ { - "id": "CVE-2018-6829", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2018-6829", + "id": "CVE-2025-12818", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-12818", "namespace": "nvd:cpe", - "severity": "High", + "severity": "Medium", "urls": [ - "https://github.com/weikengchen/attack-on-libgcrypt-elgamal", - "https://github.com/weikengchen/attack-on-libgcrypt-elgamal/wiki", - "https://lists.gnupg.org/pipermail/gcrypt-devel/2018-February/004394.html", - "https://www.oracle.com/security-alerts/cpujan2020.html" + "https://www.postgresql.org/support/security/CVE-2025-12818/" ], - "description": "cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). 
The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.", + "description": "Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application using libpq. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.", "cvss": [ { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "3.0", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} - }, - { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "2.0", - "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", - "metrics": { - "baseScore": 5, - "exploitabilityScore": 10, - "impactScore": 2.9 - }, - "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2018-6829", - "epss": 0.00577, - "percentile": 0.68044, - "date": "2025-12-14" + "cve": "CVE-2025-12818", + "epss": 0.00057, + "percentile": 0.1792, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2018-6829", - "cwe": "CWE-327", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2025-12818", + "cwe": "CWE-190", + "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", + "type": "Secondary" } ] } ], "matchDetails": [ { - "type": "exact-direct-match", + "type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": { "distro": { 
@@ -2280,27 +2278,27 @@ "version": "12" }, "package": { - "name": "libgcrypt20", - "version": "1.10.1-3" + "name": "postgresql-15", + "version": "15.13-0+deb12u1" }, "namespace": "debian:distro:debian:12" }, "found": { - "vulnerabilityID": "CVE-2018-6829", + "vulnerabilityID": "CVE-2025-12818", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "aa143951e2980797", - "name": "libgcrypt20", - "version": "1.10.1-3", + "id": "11769cd41fdc5daa", + "name": "libpq5", + "version": "15.13-0+deb12u1", "type": "deb", "locations": [ { - "path": "/var/lib/dpkg/status.d/libgcrypt20", + "path": "/var/lib/dpkg/status.d/libpq5", "layerID": "sha256:52e55bb5fc324478ddc62ebaec39a618e9b33d61041b37b718f41563baaaee59", - "accessPath": "/var/lib/dpkg/status.d/libgcrypt20", + "accessPath": "/var/lib/dpkg/status.d/libpq5", "annotations": { "evidence": "primary" } 
@@ -2309,102 +2307,108 @@ "language": "", "licenses": [], "cpes": [ - "cpe:2.3:a:libgcrypt20:libgcrypt20:1.10.1-3:*:*:*:*:*:*:*" + "cpe:2.3:a:libpq5:libpq5:15.13-0\\+deb12u1:*:*:*:*:*:*:*" ], - "purl": "pkg:deb/debian/libgcrypt20@1.10.1-3?arch=amd64&distro=debian-12", - "upstreams": [] + "purl": "pkg:deb/debian/libpq5@15.13-0%2Bdeb12u1?arch=amd64&distro=debian-12&upstream=postgresql-15", + "upstreams": [ + { + "name": "postgresql-15" + } + ] } }, { "vulnerability": { - "id": "CVE-2025-12818", - "dataSource": "https://security-tracker.debian.org/tracker/CVE-2025-12818", + "id": "CVE-2018-6829", + "dataSource": "https://security-tracker.debian.org/tracker/CVE-2018-6829", "namespace": "debian:distro:debian:12", - "severity": "Medium", + "severity": "Negligible", "urls": [], - "description": "Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application using libpq. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.", - "cvss": [ - { - "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", - "type": "Secondary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", - "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, - "impactScore": 3.6 - }, - "vendorMetadata": {} - } - ], + "description": "cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). 
The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.", + "cvss": [], "epss": [ { - "cve": "CVE-2025-12818", - "epss": 0.00052, - "percentile": 0.16429, - "date": "2025-12-14" + "cve": "CVE-2018-6829", + "epss": 0.00577, + "percentile": 0.6804, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-12818", - "cwe": "CWE-190", - "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", - "type": "Secondary" + "cve": "CVE-2018-6829", + "cwe": "CWE-327", + "source": "nvd@nist.gov", + "type": "Primary" } ], "fix": { "versions": [], - "state": "wont-fix" + "state": "not-fixed" }, "advisories": [], - "risk": 0.02834 + "risk": 0.02885 }, "relatedVulnerabilities": [ { - "id": "CVE-2025-12818", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-12818", + "id": "CVE-2018-6829", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2018-6829", "namespace": "nvd:cpe", - "severity": "Medium", + "severity": "High", "urls": [ - "https://www.postgresql.org/support/security/CVE-2025-12818/" + "https://github.com/weikengchen/attack-on-libgcrypt-elgamal", + "https://github.com/weikengchen/attack-on-libgcrypt-elgamal/wiki", + "https://lists.gnupg.org/pipermail/gcrypt-devel/2018-February/004394.html", + "https://www.oracle.com/security-alerts/cpujan2020.html" ], - "description": "Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application using libpq. 
Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.", + "description": "cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.", "cvss": [ { - "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", - "type": "Secondary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.0", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, + "baseScore": 7.5, + "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", + "metrics": { + "baseScore": 5, + "exploitabilityScore": 10, + "impactScore": 2.9 + }, + "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2025-12818", - "epss": 0.00052, - "percentile": 0.16429, - "date": "2025-12-14" + "cve": "CVE-2018-6829", + "epss": 0.00577, + "percentile": 0.6804, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-12818", - "cwe": "CWE-190", - "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", - "type": "Secondary" + "cve": "CVE-2018-6829", + "cwe": "CWE-327", + "source": "nvd@nist.gov", + "type": "Primary" } ] } ], "matchDetails": [ { - "type": "exact-indirect-match", + "type": "exact-direct-match", "matcher": "dpkg-matcher", "searchedBy": { "distro": { 
@@ -2412,27 +2416,27 @@ "version": "12" }, "package": { - "name": "postgresql-15", - "version": "15.13-0+deb12u1" + "name": "libgcrypt20", + "version": "1.10.1-3" }, "namespace": "debian:distro:debian:12" }, "found": { - "vulnerabilityID": "CVE-2025-12818", + "vulnerabilityID": "CVE-2018-6829", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "11769cd41fdc5daa", - "name": "libpq5", - "version": "15.13-0+deb12u1", + "id": "aa143951e2980797", + "name": "libgcrypt20", + "version": "1.10.1-3", "type": "deb", "locations": [ { - "path": "/var/lib/dpkg/status.d/libpq5", + "path": "/var/lib/dpkg/status.d/libgcrypt20", "layerID": "sha256:52e55bb5fc324478ddc62ebaec39a618e9b33d61041b37b718f41563baaaee59", - "accessPath": "/var/lib/dpkg/status.d/libpq5", + "accessPath": "/var/lib/dpkg/status.d/libgcrypt20", "annotations": { "evidence": "primary" } @@ -2441,14 +2445,10 @@ "language": "", "licenses": [], "cpes": [ - "cpe:2.3:a:libpq5:libpq5:15.13-0\\+deb12u1:*:*:*:*:*:*:*" + "cpe:2.3:a:libgcrypt20:libgcrypt20:1.10.1-3:*:*:*:*:*:*:*" ], - "purl": "pkg:deb/debian/libpq5@15.13-0%2Bdeb12u1?arch=amd64&distro=debian-12&upstream=postgresql-15", - "upstreams": [ - { - "name": "postgresql-15" - } - ] + "purl": "pkg:deb/debian/libgcrypt20@1.10.1-3?arch=amd64&distro=debian-12", + "upstreams": [] } }, { @@ -2477,8 +2477,8 @@ { "cve": "CVE-2025-32989", "epss": 0.00055, - "percentile": 0.17349, - "date": "2025-12-14" + "percentile": 0.17321, + "date": "2025-12-15" } ], "cwes": [ @@ -2547,8 +2547,8 @@ { "cve": "CVE-2025-32989", "epss": 0.00055, - "percentile": 0.17349, - "date": "2025-12-14" + "percentile": 0.17321, + "date": "2025-12-15" } ], "cwes": [ @@ -2639,8 +2639,8 @@ { "cve": "CVE-2025-3576", "epss": 0.0005, - "percentile": 0.15798, - "date": "2025-12-14" + "percentile": 0.15765, + "date": "2025-12-15" } ], "cwes": [ 
@@ -2709,8 +2709,8 @@ { "cve": "CVE-2025-3576", "epss": 0.0005, - "percentile": 0.15798, - "date": "2025-12-14" + "percentile": 0.15765, + "date": "2025-12-15" } ], "cwes": [ @@ -2810,8 +2810,8 @@ { "cve": "CVE-2025-3576", "epss": 0.0005, - "percentile": 0.15798, - "date": "2025-12-14" + "percentile": 0.15765, + "date": "2025-12-15" } ], "cwes": [ @@ -2880,8 +2880,8 @@ { "cve": "CVE-2025-3576", "epss": 0.0005, - "percentile": 0.15798, - "date": "2025-12-14" + "percentile": 0.15765, + "date": "2025-12-15" } ], "cwes": [ @@ -2972,8 +2972,8 @@ { "cve": "CVE-2025-3576", "epss": 0.0005, - "percentile": 0.15798, - "date": "2025-12-14" + "percentile": 0.15765, + "date": "2025-12-15" } ], "cwes": [ @@ -3042,8 +3042,8 @@ { "cve": "CVE-2025-3576", "epss": 0.0005, - "percentile": 0.15798, - "date": "2025-12-14" + "percentile": 0.15765, + "date": "2025-12-15" } ], "cwes": [ @@ -3139,8 +3139,8 @@ { "cve": "CVE-2025-3576", "epss": 0.0005, - "percentile": 0.15798, - "date": "2025-12-14" + "percentile": 0.15765, + "date": "2025-12-15" } ], "cwes": [ @@ -3209,8 +3209,8 @@ { "cve": "CVE-2025-3576", "epss": 0.0005, - "percentile": 0.15798, - "date": "2025-12-14" + "percentile": 0.15765, + "date": "2025-12-15" } ], "cwes": [ @@ -3301,8 +3301,8 @@ { "cve": "CVE-2025-8714", "epss": 0.00032, - "percentile": 0.0894, - "date": "2025-12-14" + "percentile": 0.08868, + "date": "2025-12-15" } ], "cwes": [ @@ -3357,8 +3357,8 @@ { "cve": "CVE-2025-8714", "epss": 0.00032, - "percentile": 0.0894, - "date": "2025-12-14" + "percentile": 0.08868, + "date": "2025-12-15" } ], "cwes": [ @@ -3436,8 +3436,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -3496,8 +3496,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ 
@@ -3581,8 +3581,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -3641,8 +3641,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -3717,8 +3717,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -3777,8 +3777,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -3858,8 +3858,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -3918,8 +3918,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -4007,8 +4007,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ @@ -4083,8 +4083,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ @@ -4189,8 +4189,8 @@ { "cve": "CVE-2019-1010024", "epss": 0.00364, - "percentile": 0.5785, - "date": "2025-12-14" + "percentile": 0.57833, + "date": "2025-12-15" } ], "cwes": [ @@ -4253,8 +4253,8 @@ { "cve": "CVE-2019-1010024", "epss": 0.00364, - "percentile": 0.5785, - "date": "2025-12-14" + "percentile": 0.57833, + "date": "2025-12-15" } ], "cwes": [ @@ -4363,8 +4363,8 @@ { "cve": "CVE-2025-29478", "epss": 0.00034, - "percentile": 0.09478, - "date": "2025-12-14" + "percentile": 0.09393, + "date": "2025-12-15" } ], "cwes": [ 
@@ -4443,8 +4443,8 @@ { "cve": "CVE-2019-1010025", "epss": 0.00356, - "percentile": 0.5727, - "date": "2025-12-14" + "percentile": 0.57254, + "date": "2025-12-15" } ], "cwes": [ @@ -4506,8 +4506,8 @@ { "cve": "CVE-2019-1010025", "epss": 0.00356, - "percentile": 0.5727, - "date": "2025-12-14" + "percentile": 0.57254, + "date": "2025-12-15" } ], "cwes": [ @@ -4614,8 +4614,8 @@ { "cve": "CVE-2025-8713", "epss": 0.00057, - "percentile": 0.17875, - "date": "2025-12-14" + "percentile": 0.17855, + "date": "2025-12-15" } ], "cwes": [ @@ -4670,8 +4670,8 @@ { "cve": "CVE-2025-8713", "epss": 0.00057, - "percentile": 0.17875, - "date": "2025-12-14" + "percentile": 0.17855, + "date": "2025-12-15" } ], "cwes": [ @@ -4749,8 +4749,8 @@ { "cve": "CVE-2019-1010023", "epss": 0.00346, - "percentile": 0.5661, - "date": "2025-12-14" + "percentile": 0.56596, + "date": "2025-12-15" } ], "fix": { @@ -4816,8 +4816,8 @@ { "cve": "CVE-2019-1010023", "epss": 0.00346, - "percentile": 0.5661, - "date": "2025-12-14" + "percentile": 0.56596, + "date": "2025-12-15" } ] } @@ -4914,8 +4914,8 @@ { "cve": "CVE-2025-8058", "epss": 0.00031, - "percentile": 0.08295, - "date": "2025-12-14" + "percentile": 0.08225, + "date": "2025-12-15" } ], "cwes": [ @@ -4970,8 +4970,8 @@ { "cve": "CVE-2025-8058", "epss": 0.00031, - "percentile": 0.08295, - "date": "2025-12-14" + "percentile": 0.08225, + "date": "2025-12-15" } ], "cwes": [ @@ -5081,8 +5081,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -5148,8 +5148,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -5260,9 +5260,9 @@ "epss": [ { "cve": "CVE-2025-12817", - "epss": 0.0004, - "percentile": 0.11878, - "date": "2025-12-14" + "epss": 0.00046, + "percentile": 0.14034, + "date": "2025-12-15" } ], "cwes": [ 
@@ -5278,7 +5278,7 @@ "state": "wont-fix" }, "advisories": [], - "risk": 0.012199999999999999 + "risk": 0.014029999999999999 }, "relatedVulnerabilities": [ { @@ -5307,9 +5307,9 @@ "epss": [ { "cve": "CVE-2025-12817", - "epss": 0.0004, - "percentile": 0.11878, - "date": "2025-12-14" + "epss": 0.00046, + "percentile": 0.14034, + "date": "2025-12-15" } ], "cwes": [ @@ -5384,8 +5384,8 @@ { "cve": "CVE-2024-2236", "epss": 0.00222, - "percentile": 0.44746, - "date": "2025-12-14" + "percentile": 0.44727, + "date": "2025-12-15" } ], "cwes": [ @@ -5436,8 +5436,8 @@ { "cve": "CVE-2024-2236", "epss": 0.00222, - "percentile": 0.44746, - "date": "2025-12-14" + "percentile": 0.44727, + "date": "2025-12-15" } ], "cwes": [ @@ -5508,8 +5508,8 @@ { "cve": "CVE-2020-15719", "epss": 0.00216, - "percentile": 0.44145, - "date": "2025-12-14" + "percentile": 0.44125, + "date": "2025-12-15" } ], "cwes": [ @@ -5573,8 +5573,8 @@ { "cve": "CVE-2020-15719", "epss": 0.00216, - "percentile": 0.44145, - "date": "2025-12-14" + "percentile": 0.44125, + "date": "2025-12-15" } ], "cwes": [ @@ -5658,8 +5658,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -5706,8 +5706,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -5791,8 +5791,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -5839,8 +5839,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -5915,8 +5915,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ 
@@ -5963,8 +5963,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -6044,8 +6044,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -6092,8 +6092,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -6168,8 +6168,8 @@ { "cve": "CVE-2024-2379", "epss": 0.00205, - "percentile": 0.42752, - "date": "2025-12-14" + "percentile": 0.42737, + "date": "2025-12-15" } ], "cwes": [ @@ -6225,8 +6225,8 @@ { "cve": "CVE-2024-2379", "epss": 0.00205, - "percentile": 0.42752, - "date": "2025-12-14" + "percentile": 0.42737, + "date": "2025-12-15" } ], "cwes": [ @@ -6316,8 +6316,8 @@ { "cve": "CVE-2025-29477", "epss": 0.00019, - "percentile": 0.04132, - "date": "2025-12-14" + "percentile": 0.04084, + "date": "2025-12-15" } ], "cwes": [ @@ -6409,8 +6409,8 @@ { "cve": "CVE-2025-4802", "epss": 0.00012, - "percentile": 0.01157, - "date": "2025-12-14" + "percentile": 0.01154, + "date": "2025-12-15" } ], "cwes": [ @@ -6469,8 +6469,8 @@ { "cve": "CVE-2025-4802", "epss": 0.00012, - "percentile": 0.01157, - "date": "2025-12-14" + "percentile": 0.01154, + "date": "2025-12-15" } ], "cwes": [ @@ -6567,8 +6567,8 @@ { "cve": "CVE-2019-1010022", "epss": 0.00145, - "percentile": 0.35451, - "date": "2025-12-14" + "percentile": 0.35413, + "date": "2025-12-15" } ], "cwes": [ @@ -6629,8 +6629,8 @@ { "cve": "CVE-2019-1010022", "epss": 0.00145, - "percentile": 0.35451, - "date": "2025-12-14" + "percentile": 0.35413, + "date": "2025-12-15" } ], "cwes": [ @@ -6724,8 +6724,8 @@ { "cve": "CVE-2023-31437", "epss": 0.00128, - "percentile": 0.32956, - "date": "2025-12-14" + "percentile": 0.32907, + "date": "2025-12-15" } ], "cwes": [ 
@@ -6791,8 +6791,8 @@ { "cve": "CVE-2023-31437", "epss": 0.00128, - "percentile": 0.32956, - "date": "2025-12-14" + "percentile": 0.32907, + "date": "2025-12-15" } ], "cwes": [ @@ -6873,8 +6873,8 @@ { "cve": "CVE-2023-31437", "epss": 0.00128, - "percentile": 0.32956, - "date": "2025-12-14" + "percentile": 0.32907, + "date": "2025-12-15" } ], "cwes": [ @@ -6940,8 +6940,8 @@ { "cve": "CVE-2023-31437", "epss": 0.00128, - "percentile": 0.32956, - "date": "2025-12-14" + "percentile": 0.32907, + "date": "2025-12-15" } ], "cwes": [ @@ -7018,8 +7018,8 @@ { "cve": "CVE-2017-14159", "epss": 0.00123, - "percentile": 0.32248, - "date": "2025-12-14" + "percentile": 0.32198, + "date": "2025-12-15" } ], "cwes": [ @@ -7078,8 +7078,8 @@ { "cve": "CVE-2017-14159", "epss": 0.00123, - "percentile": 0.32248, - "date": "2025-12-14" + "percentile": 0.32198, + "date": "2025-12-15" } ], "cwes": [ @@ -7163,8 +7163,8 @@ { "cve": "CVE-2023-31438", "epss": 0.001, - "percentile": 0.2847, - "date": "2025-12-14" + "percentile": 0.28437, + "date": "2025-12-15" } ], "cwes": [ @@ -7213,8 +7213,8 @@ { "cve": "CVE-2023-31438", "epss": 0.001, - "percentile": 0.2847, - "date": "2025-12-14" + "percentile": 0.28437, + "date": "2025-12-15" } ], "cwes": [ @@ -7289,8 +7289,8 @@ { "cve": "CVE-2023-31438", "epss": 0.001, - "percentile": 0.2847, - "date": "2025-12-14" + "percentile": 0.28437, + "date": "2025-12-15" } ], "cwes": [ @@ -7339,8 +7339,8 @@ { "cve": "CVE-2023-31438", "epss": 0.001, - "percentile": 0.2847, - "date": "2025-12-14" + "percentile": 0.28437, + "date": "2025-12-15" } ], "cwes": [ @@ -7411,8 +7411,8 @@ { "cve": "CVE-2023-31439", "epss": 0.00094, - "percentile": 0.26906, - "date": "2025-12-14" + "percentile": 0.26877, + "date": "2025-12-15" } ], "cwes": [ @@ -7461,8 +7461,8 @@ { "cve": "CVE-2023-31439", "epss": 0.00094, - "percentile": 0.26906, - "date": "2025-12-14" + "percentile": 0.26877, + "date": "2025-12-15" } ], "cwes": [ 
@@ -7537,8 +7537,8 @@ { "cve": "CVE-2023-31439", "epss": 0.00094, - "percentile": 0.26906, - "date": "2025-12-14" + "percentile": 0.26877, + "date": "2025-12-15" } ], "cwes": [ @@ -7587,8 +7587,8 @@ { "cve": "CVE-2023-31439", "epss": 0.00094, - "percentile": 0.26906, - "date": "2025-12-14" + "percentile": 0.26877, + "date": "2025-12-15" } ], "cwes": [ @@ -7659,8 +7659,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -7707,8 +7707,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -7792,8 +7792,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -7840,8 +7840,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -7916,8 +7916,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -7964,8 +7964,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -8045,8 +8045,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -8093,8 +8093,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -8169,8 +8169,8 @@ { "cve": "CVE-2013-4392", "epss": 0.00057, - "percentile": 0.17828, - "date": "2025-12-14" + "percentile": 0.17808, + "date": "2025-12-15" } ], "cwes": [ 
@@ -8236,8 +8236,8 @@ { "cve": "CVE-2013-4392", "epss": 0.00057, - "percentile": 0.17828, - "date": "2025-12-14" + "percentile": 0.17808, + "date": "2025-12-15" } ], "cwes": [ @@ -8318,8 +8318,8 @@ { "cve": "CVE-2013-4392", "epss": 0.00057, - "percentile": 0.17828, - "date": "2025-12-14" + "percentile": 0.17808, + "date": "2025-12-15" } ], "cwes": [ @@ -8385,8 +8385,8 @@ { "cve": "CVE-2013-4392", "epss": 0.00057, - "percentile": 0.17828, - "date": "2025-12-14" + "percentile": 0.17808, + "date": "2025-12-15" } ], "cwes": [ @@ -8463,8 +8463,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -8524,8 +8524,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -8632,8 +8632,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -8693,8 +8693,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -8769,8 +8769,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -8830,8 +8830,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -8934,8 +8934,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -8995,8 +8995,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ 
@@ -9094,8 +9094,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -9155,8 +9155,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -9254,8 +9254,8 @@ { "cve": "CVE-2025-27587", "epss": 0.00035, - "percentile": 0.101, - "date": "2025-12-14" + "percentile": 0.10027, + "date": "2025-12-15" } ], "cwes": [ @@ -9302,8 +9302,8 @@ { "cve": "CVE-2025-27587", "epss": 0.00035, - "percentile": 0.101, - "date": "2025-12-14" + "percentile": 0.10027, + "date": "2025-12-15" } ], "cwes": [ @@ -9399,8 +9399,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ], "fix": { @@ -9441,8 +9441,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ] } 
@@ -9877,87 +9877,87 @@ "db": { "status": { "schemaVersion": "v6.1.3", - "from": "https://grype.anchore.io/databases/v6/vulnerability-db_v6.1.3_2025-12-15T00:26:22Z_1765786837.tar.zst?checksum=sha256%3A819b50d22f073b9ab2ad3c00d212207037c07e1de037f81b528b58717b758db2", - "built": "2025-12-15T08:20:37Z", + "from": "https://grype.anchore.io/databases/v6/vulnerability-db_v6.1.3_2025-12-16T00:25:11Z_1765880790.tar.zst?checksum=sha256%3Aa8bb3ef2cc68f242e78cda1e451f290ff56a23b1063de65d22a0ac20e16ae5bd", + "built": "2025-12-16T10:26:30Z", "path": ".cache/grype/db/6/vulnerability.db", "valid": true }, "providers": { "alma": { - "captured": "2025-12-15T00:26:29Z", + "captured": "2025-12-16T00:25:17Z", "input": "xxh64:3bae44c7a22f7a7a" }, "alpine": { - "captured": "2025-12-15T00:26:22Z", - "input": "xxh64:a6910ebae352b990" + "captured": "2025-12-16T00:25:13Z", + "input": "xxh64:0d94cc3d895e96e4" }, "amazon": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:d9332811ab10da09" + "captured": "2025-12-16T00:25:14Z", + "input": "xxh64:96351b3c21f16cdd" }, "bitnami": { - "captured": "2025-12-15T00:26:31Z", - "input": "xxh64:1ecf12b668dea077" + "captured": "2025-12-16T00:25:26Z", + "input": "xxh64:01d096e52d6c584d" }, "chainguard": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:c788b1823558ccdc" + "captured": "2025-12-16T00:25:19Z", + "input": "xxh64:aeb142b1fabd05ef" }, "chainguard-libraries": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:61125e10198fff74" + "captured": "2025-12-16T00:25:25Z", + "input": "xxh64:131c1a3e98113468" }, "debian": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:3a0aef0ee5db3f38" + "captured": "2025-12-16T00:25:24Z", + "input": "xxh64:9c5942d58a5f0d0a" }, "echo": { - "captured": "2025-12-15T00:26:34Z", - "input": "xxh64:b407f1052619408a" + "captured": "2025-12-16T00:25:20Z", + "input": "xxh64:e65ed35a7a7899d0" }, "epss": { - "captured": "2025-12-15T00:26:28Z", - "input": "xxh64:05fd1e2ee709d2a5" + "captured": 
"2025-12-16T00:25:21Z", + "input": "xxh64:c443dbaf0209cf17" }, "github": { - "captured": "2025-12-15T00:26:44Z", - "input": "xxh64:3c7fd996a88f1c66" + "captured": "2025-12-16T00:25:21Z", + "input": "xxh64:640038905439d285" }, "kev": { - "captured": "2025-12-15T00:26:23Z", - "input": "xxh64:ed425533655d771d" + "captured": "2025-12-16T00:25:11Z", + "input": "xxh64:c28f5b32e2103243" }, "mariner": { - "captured": "2025-12-15T00:26:32Z", - "input": "xxh64:6fdbff1192df3158" + "captured": "2025-12-16T00:25:18Z", + "input": "xxh64:647810a8c07a63eb" }, "minimos": { - "captured": "2025-12-15T00:26:30Z", - "input": "xxh64:66fa9397e7abbbe3" + "captured": "2025-12-16T00:25:20Z", + "input": "xxh64:24ca3b7889974a27" }, "nvd": { - "captured": "2025-12-15T00:29:34Z", - "input": "xxh64:52a15157244d2eb4" + "captured": "2025-12-16T00:28:18Z", + "input": "xxh64:8ee1877e9a9e680b" }, "oracle": { - "captured": "2025-12-15T00:26:29Z", - "input": "xxh64:a3297070ed6c54c1" + "captured": "2025-12-16T00:25:23Z", + "input": "xxh64:a4416b6b3e4250df" }, "rhel": { - "captured": "2025-12-15T00:27:19Z", - "input": "xxh64:e625d0086bf187f1" + "captured": "2025-12-16T00:26:07Z", + "input": "xxh64:9911b1a567d8f57c" }, "sles": { - "captured": "2025-12-15T00:26:44Z", - "input": "xxh64:baf8228a110f8ba2" + "captured": "2025-12-16T00:25:43Z", + "input": "xxh64:1b717d5f2e45fdee" }, "ubuntu": { - "captured": "2025-12-15T00:27:45Z", - "input": "xxh64:dd0f79d777310979" + "captured": "2025-12-16T00:27:14Z", + "input": "xxh64:2d3097578288b46f" }, "wolfi": { - "captured": "2025-12-15T00:26:25Z", - "input": "xxh64:7f14313934ae61bb" + "captured": "2025-12-16T00:25:19Z", + "input": "xxh64:f85923693eb62700" } } } diff --git a/docs/security/oss/grype-4.0.4.json b/docs/security/oss/grype-4.0.4.json index efb16b2..cdb8b51 100644 --- a/docs/security/oss/grype-4.0.4.json +++ b/docs/security/oss/grype-4.0.4.json 
@@ -26,8 +26,8 @@ { "cve": "CVE-2023-2953", "epss": 0.01466, - "percentile": 0.80391, - "date": "2025-12-14" + "percentile": 0.80389, + "date": "2025-12-15" } ], "cwes": [ @@ -105,8 +105,8 @@ { "cve": "CVE-2023-2953", "epss": 0.01466, - "percentile": 0.80391, - "date": "2025-12-14" + "percentile": 0.80389, + "date": "2025-12-15" } ], "cwes": [ @@ -202,8 +202,8 @@ { "cve": "CVE-2011-3389", "epss": 0.03795, - "percentile": 0.8769, - "date": "2025-12-14" + "percentile": 0.87688, + "date": "2025-12-15" } ], "cwes": [ @@ -337,8 +337,8 @@ { "cve": "CVE-2011-3389", "epss": 0.03795, - "percentile": 0.8769, - "date": "2025-12-14" + "percentile": 0.87688, + "date": "2025-12-15" } ], "cwes": [ @@ -413,8 +413,8 @@ { "cve": "CVE-2015-3276", "epss": 0.02852, - "percentile": 0.8578, - "date": "2025-12-14" + "percentile": 0.85775, + "date": "2025-12-15" } ], "fix": { @@ -467,8 +467,8 @@ { "cve": "CVE-2015-3276", "epss": 0.02852, - "percentile": 0.8578, - "date": "2025-12-14" + "percentile": 0.85775, + "date": "2025-12-15" } ] } @@ -557,8 +557,8 @@ { "cve": "CVE-2025-32990", "epss": 0.0011, - "percentile": 0.30071, - "date": "2025-12-14" + "percentile": 0.3004, + "date": "2025-12-15" } ], "cwes": [ @@ -641,8 +641,8 @@ { "cve": "CVE-2025-32990", "epss": 0.0011, - "percentile": 0.30071, - "date": "2025-12-14" + "percentile": 0.3004, + "date": "2025-12-15" } ], "cwes": [ @@ -720,8 +720,8 @@ { "cve": "CVE-2018-20796", "epss": 0.01669, - "percentile": 0.8162, - "date": "2025-12-14" + "percentile": 0.81616, + "date": "2025-12-15" } ], "cwes": [ @@ -783,8 +783,8 @@ { "cve": "CVE-2018-20796", "epss": 0.01669, - "percentile": 0.8162, - "date": "2025-12-14" + "percentile": 0.81616, + "date": "2025-12-15" } ], "cwes": [ @@ -878,8 +878,8 @@ { "cve": "CVE-2017-17740", "epss": 0.01643, - "percentile": 0.81471, - "date": "2025-12-14" + "percentile": 0.81467, + "date": "2025-12-15" } ], "cwes": [ 
@@ -941,8 +941,8 @@ { "cve": "CVE-2017-17740", "epss": 0.01643, - "percentile": 0.81471, - "date": "2025-12-14" + "percentile": 0.81467, + "date": "2025-12-15" } ], "cwes": [ @@ -1039,8 +1039,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ], "fix": { @@ -1081,8 +1081,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ] } @@ -1162,8 +1162,8 @@ { "cve": "CVE-2025-32988", "epss": 0.00083, - "percentile": 0.24589, - "date": "2025-12-14" + "percentile": 0.24562, + "date": "2025-12-15" } ], "cwes": [ @@ -1246,8 +1246,8 @@ { "cve": "CVE-2025-32988", "epss": 0.00083, - "percentile": 0.24589, - "date": "2025-12-14" + "percentile": 0.24562, + "date": "2025-12-15" } ], "cwes": [ @@ -1338,8 +1338,8 @@ { "cve": "CVE-2025-8715", "epss": 0.00072, - "percentile": 0.2224, - "date": "2025-12-14" + "percentile": 0.22219, + "date": "2025-12-15" } ], "cwes": [ @@ -1394,8 +1394,8 @@ { "cve": "CVE-2025-8715", "epss": 0.00072, - "percentile": 0.2224, - "date": "2025-12-14" + "percentile": 0.22219, + "date": "2025-12-15" } ], "cwes": [ @@ -1473,8 +1473,8 @@ { "cve": "CVE-2019-9192", "epss": 0.00942, - "percentile": 0.75629, - "date": "2025-12-14" + "percentile": 0.75628, + "date": "2025-12-15" } ], "cwes": [ @@ -1533,8 +1533,8 @@ { "cve": "CVE-2019-9192", "epss": 0.00942, - "percentile": 0.75629, - "date": "2025-12-14" + "percentile": 0.75628, + "date": "2025-12-15" } ], "cwes": [ @@ -1628,8 +1628,8 @@ { "cve": "CVE-2025-0725", "epss": 0.00904, - "percentile": 0.75077, - "date": "2025-12-14" + "percentile": 0.7508, + "date": "2025-12-15" } ], "cwes": [ @@ -1682,8 +1682,8 @@ { "cve": "CVE-2025-0725", "epss": 0.00904, - "percentile": 0.75077, - "date": "2025-12-14" + "percentile": 0.7508, + "date": "2025-12-15" } ], "cwes": [ 
@@ -1771,8 +1771,8 @@ { "cve": "CVE-2025-10148", "epss": 0.0007, - "percentile": 0.21525, - "date": "2025-12-14" + "percentile": 0.21504, + "date": "2025-12-15" } ], "fix": { @@ -1815,8 +1815,8 @@ { "cve": "CVE-2025-10148", "epss": 0.0007, - "percentile": 0.21525, - "date": "2025-12-14" + "percentile": 0.21504, + "date": "2025-12-15" } ] } @@ -1883,8 +1883,8 @@ { "cve": "CVE-2010-4756", "epss": 0.00691, - "percentile": 0.71132, - "date": "2025-12-14" + "percentile": 0.71128, + "date": "2025-12-15" } ], "cwes": [ @@ -1935,8 +1935,8 @@ { "cve": "CVE-2010-4756", "epss": 0.00691, - "percentile": 0.71132, - "date": "2025-12-14" + "percentile": 0.71128, + "date": "2025-12-15" } ], "cwes": [ @@ -2043,8 +2043,8 @@ { "cve": "CVE-2025-6395", "epss": 0.00059, - "percentile": 0.18686, - "date": "2025-12-14" + "percentile": 0.18672, + "date": "2025-12-15" } ], "cwes": [ @@ -2115,8 +2115,8 @@ { "cve": "CVE-2025-6395", "epss": 0.00059, - "percentile": 0.18686, - "date": "2025-12-14" + "percentile": 0.18672, + "date": "2025-12-15" } ], "cwes": [ 
@@ -2183,96 +2183,94 @@ }, { "vulnerability": { - "id": "CVE-2018-6829", - "dataSource": "https://security-tracker.debian.org/tracker/CVE-2018-6829", + "id": "CVE-2025-12818", + "dataSource": "https://security-tracker.debian.org/tracker/CVE-2025-12818", "namespace": "debian:distro:debian:12", - "severity": "Negligible", + "severity": "Medium", "urls": [], - "description": "cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.", - "cvss": [], + "description": "Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application using libpq. 
Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.", + "cvss": [ + { + "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.9, + "exploitabilityScore": 2.3, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ], "epss": [ { - "cve": "CVE-2018-6829", - "epss": 0.00577, - "percentile": 0.68044, - "date": "2025-12-14" + "cve": "CVE-2025-12818", + "epss": 0.00057, + "percentile": 0.1792, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2018-6829", - "cwe": "CWE-327", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2025-12818", + "cwe": "CWE-190", + "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", + "type": "Secondary" } ], "fix": { "versions": [], - "state": "not-fixed" + "state": "wont-fix" }, "advisories": [], - "risk": 0.02885 + "risk": 0.031065 }, "relatedVulnerabilities": [ { - "id": "CVE-2018-6829", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2018-6829", + "id": "CVE-2025-12818", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-12818", "namespace": "nvd:cpe", - "severity": "High", + "severity": "Medium", "urls": [ - "https://github.com/weikengchen/attack-on-libgcrypt-elgamal", - "https://github.com/weikengchen/attack-on-libgcrypt-elgamal/wiki", - "https://lists.gnupg.org/pipermail/gcrypt-devel/2018-February/004394.html", - "https://www.oracle.com/security-alerts/cpujan2020.html" + "https://www.postgresql.org/support/security/CVE-2025-12818/" ], - "description": "cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). 
The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.", + "description": "Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application using libpq. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.", "cvss": [ { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "3.0", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} - }, - { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "2.0", - "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", - "metrics": { - "baseScore": 5, - "exploitabilityScore": 10, - "impactScore": 2.9 - }, - "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2018-6829", - "epss": 0.00577, - "percentile": 0.68044, - "date": "2025-12-14" + "cve": "CVE-2025-12818", + "epss": 0.00057, + "percentile": 0.1792, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2018-6829", - "cwe": "CWE-327", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2025-12818", + "cwe": "CWE-190", + "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", + "type": "Secondary" } ] } ], "matchDetails": [ { - "type": "exact-direct-match", + "type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": { "distro": { 
@@ -2280,27 +2278,27 @@ "version": "12" }, "package": { - "name": "libgcrypt20", - "version": "1.10.1-3" + "name": "postgresql-15", + "version": "15.13-0+deb12u1" }, "namespace": "debian:distro:debian:12" }, "found": { - "vulnerabilityID": "CVE-2018-6829", + "vulnerabilityID": "CVE-2025-12818", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "aa143951e2980797", - "name": "libgcrypt20", - "version": "1.10.1-3", + "id": "11769cd41fdc5daa", + "name": "libpq5", + "version": "15.13-0+deb12u1", "type": "deb", "locations": [ { - "path": "/var/lib/dpkg/status.d/libgcrypt20", + "path": "/var/lib/dpkg/status.d/libpq5", "layerID": "sha256:1c3c5b9e02f8172ebd6cb9474721807064773a5f70d3d21a8b3ddf6dc45985d2", - "accessPath": "/var/lib/dpkg/status.d/libgcrypt20", + "accessPath": "/var/lib/dpkg/status.d/libpq5", "annotations": { "evidence": "primary" } 
@@ -2309,102 +2307,108 @@ "language": "", "licenses": [], "cpes": [ - "cpe:2.3:a:libgcrypt20:libgcrypt20:1.10.1-3:*:*:*:*:*:*:*" + "cpe:2.3:a:libpq5:libpq5:15.13-0\\+deb12u1:*:*:*:*:*:*:*" ], - "purl": "pkg:deb/debian/libgcrypt20@1.10.1-3?arch=amd64&distro=debian-12", - "upstreams": [] + "purl": "pkg:deb/debian/libpq5@15.13-0%2Bdeb12u1?arch=amd64&distro=debian-12&upstream=postgresql-15", + "upstreams": [ + { + "name": "postgresql-15" + } + ] } }, { "vulnerability": { - "id": "CVE-2025-12818", - "dataSource": "https://security-tracker.debian.org/tracker/CVE-2025-12818", + "id": "CVE-2018-6829", + "dataSource": "https://security-tracker.debian.org/tracker/CVE-2018-6829", "namespace": "debian:distro:debian:12", - "severity": "Medium", + "severity": "Negligible", "urls": [], - "description": "Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application using libpq. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.", - "cvss": [ - { - "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", - "type": "Secondary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", - "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, - "impactScore": 3.6 - }, - "vendorMetadata": {} - } - ], + "description": "cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). 
The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.", + "cvss": [], "epss": [ { - "cve": "CVE-2025-12818", - "epss": 0.00052, - "percentile": 0.16429, - "date": "2025-12-14" + "cve": "CVE-2018-6829", + "epss": 0.00577, + "percentile": 0.6804, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-12818", - "cwe": "CWE-190", - "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", - "type": "Secondary" + "cve": "CVE-2018-6829", + "cwe": "CWE-327", + "source": "nvd@nist.gov", + "type": "Primary" } ], "fix": { "versions": [], - "state": "wont-fix" + "state": "not-fixed" }, "advisories": [], - "risk": 0.02834 + "risk": 0.02885 }, "relatedVulnerabilities": [ { - "id": "CVE-2025-12818", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-12818", + "id": "CVE-2018-6829", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2018-6829", "namespace": "nvd:cpe", - "severity": "Medium", + "severity": "High", "urls": [ - "https://www.postgresql.org/support/security/CVE-2025-12818/" + "https://github.com/weikengchen/attack-on-libgcrypt-elgamal", + "https://github.com/weikengchen/attack-on-libgcrypt-elgamal/wiki", + "https://lists.gnupg.org/pipermail/gcrypt-devel/2018-February/004394.html", + "https://www.oracle.com/security-alerts/cpujan2020.html" ], - "description": "Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application using libpq. 
Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.", + "description": "cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.", "cvss": [ { - "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", - "type": "Secondary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.0", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, + "baseScore": 7.5, + "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", + "metrics": { + "baseScore": 5, + "exploitabilityScore": 10, + "impactScore": 2.9 + }, + "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2025-12818", - "epss": 0.00052, - "percentile": 0.16429, - "date": "2025-12-14" + "cve": "CVE-2018-6829", + "epss": 0.00577, + "percentile": 0.6804, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-12818", - "cwe": "CWE-190", - "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", - "type": "Secondary" + "cve": "CVE-2018-6829", + "cwe": "CWE-327", + "source": "nvd@nist.gov", + "type": "Primary" } ] } ], "matchDetails": [ { - "type": "exact-indirect-match", + "type": "exact-direct-match", "matcher": "dpkg-matcher", "searchedBy": { "distro": { 
@@ -2412,27 +2416,27 @@ "version": "12" }, "package": { - "name": "postgresql-15", - "version": "15.13-0+deb12u1" + "name": "libgcrypt20", + "version": "1.10.1-3" }, "namespace": "debian:distro:debian:12" }, "found": { - "vulnerabilityID": "CVE-2025-12818", + "vulnerabilityID": "CVE-2018-6829", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "11769cd41fdc5daa", - "name": "libpq5", - "version": "15.13-0+deb12u1", + "id": "aa143951e2980797", + "name": "libgcrypt20", + "version": "1.10.1-3", "type": "deb", "locations": [ { - "path": "/var/lib/dpkg/status.d/libpq5", + "path": "/var/lib/dpkg/status.d/libgcrypt20", "layerID": "sha256:1c3c5b9e02f8172ebd6cb9474721807064773a5f70d3d21a8b3ddf6dc45985d2", - "accessPath": "/var/lib/dpkg/status.d/libpq5", + "accessPath": "/var/lib/dpkg/status.d/libgcrypt20", "annotations": { "evidence": "primary" } @@ -2441,14 +2445,10 @@ "language": "", "licenses": [], "cpes": [ - "cpe:2.3:a:libpq5:libpq5:15.13-0\\+deb12u1:*:*:*:*:*:*:*" + "cpe:2.3:a:libgcrypt20:libgcrypt20:1.10.1-3:*:*:*:*:*:*:*" ], - "purl": "pkg:deb/debian/libpq5@15.13-0%2Bdeb12u1?arch=amd64&distro=debian-12&upstream=postgresql-15", - "upstreams": [ - { - "name": "postgresql-15" - } - ] + "purl": "pkg:deb/debian/libgcrypt20@1.10.1-3?arch=amd64&distro=debian-12", + "upstreams": [] } }, { @@ -2477,8 +2477,8 @@ { "cve": "CVE-2025-32989", "epss": 0.00055, - "percentile": 0.17349, - "date": "2025-12-14" + "percentile": 0.17321, + "date": "2025-12-15" } ], "cwes": [ @@ -2547,8 +2547,8 @@ { "cve": "CVE-2025-32989", "epss": 0.00055, - "percentile": 0.17349, - "date": "2025-12-14" + "percentile": 0.17321, + "date": "2025-12-15" } ], "cwes": [ @@ -2639,8 +2639,8 @@ { "cve": "CVE-2025-3576", "epss": 0.0005, - "percentile": 0.15798, - "date": "2025-12-14" + "percentile": 0.15765, + "date": "2025-12-15" } ], "cwes": [ 
@@ -2709,8 +2709,8 @@ { "cve": "CVE-2025-3576", "epss": 0.0005, - "percentile": 0.15798, - "date": "2025-12-14" + "percentile": 0.15765, + "date": "2025-12-15" } ], "cwes": [ @@ -2810,8 +2810,8 @@ { "cve": "CVE-2025-3576", "epss": 0.0005, - "percentile": 0.15798, - "date": "2025-12-14" + "percentile": 0.15765, + "date": "2025-12-15" } ], "cwes": [ @@ -2880,8 +2880,8 @@ { "cve": "CVE-2025-3576", "epss": 0.0005, - "percentile": 0.15798, - "date": "2025-12-14" + "percentile": 0.15765, + "date": "2025-12-15" } ], "cwes": [ @@ -2972,8 +2972,8 @@ { "cve": "CVE-2025-3576", "epss": 0.0005, - "percentile": 0.15798, - "date": "2025-12-14" + "percentile": 0.15765, + "date": "2025-12-15" } ], "cwes": [ @@ -3042,8 +3042,8 @@ { "cve": "CVE-2025-3576", "epss": 0.0005, - "percentile": 0.15798, - "date": "2025-12-14" + "percentile": 0.15765, + "date": "2025-12-15" } ], "cwes": [ @@ -3139,8 +3139,8 @@ { "cve": "CVE-2025-3576", "epss": 0.0005, - "percentile": 0.15798, - "date": "2025-12-14" + "percentile": 0.15765, + "date": "2025-12-15" } ], "cwes": [ @@ -3209,8 +3209,8 @@ { "cve": "CVE-2025-3576", "epss": 0.0005, - "percentile": 0.15798, - "date": "2025-12-14" + "percentile": 0.15765, + "date": "2025-12-15" } ], "cwes": [ @@ -3301,8 +3301,8 @@ { "cve": "CVE-2025-8714", "epss": 0.00032, - "percentile": 0.0894, - "date": "2025-12-14" + "percentile": 0.08868, + "date": "2025-12-15" } ], "cwes": [ @@ -3357,8 +3357,8 @@ { "cve": "CVE-2025-8714", "epss": 0.00032, - "percentile": 0.0894, - "date": "2025-12-14" + "percentile": 0.08868, + "date": "2025-12-15" } ], "cwes": [ @@ -3436,8 +3436,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -3496,8 +3496,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ 
@@ -3581,8 +3581,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -3641,8 +3641,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -3717,8 +3717,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -3777,8 +3777,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -3858,8 +3858,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -3918,8 +3918,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -4007,8 +4007,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ @@ -4083,8 +4083,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ @@ -4189,8 +4189,8 @@ { "cve": "CVE-2019-1010024", "epss": 0.00364, - "percentile": 0.5785, - "date": "2025-12-14" + "percentile": 0.57833, + "date": "2025-12-15" } ], "cwes": [ @@ -4253,8 +4253,8 @@ { "cve": "CVE-2019-1010024", "epss": 0.00364, - "percentile": 0.5785, - "date": "2025-12-14" + "percentile": 0.57833, + "date": "2025-12-15" } ], "cwes": [ @@ -4363,8 +4363,8 @@ { "cve": "CVE-2025-29478", "epss": 0.00034, - "percentile": 0.09478, - "date": "2025-12-14" + "percentile": 0.09393, + "date": "2025-12-15" } ], "cwes": [ 
@@ -4443,8 +4443,8 @@ { "cve": "CVE-2019-1010025", "epss": 0.00356, - "percentile": 0.5727, - "date": "2025-12-14" + "percentile": 0.57254, + "date": "2025-12-15" } ], "cwes": [ @@ -4506,8 +4506,8 @@ { "cve": "CVE-2019-1010025", "epss": 0.00356, - "percentile": 0.5727, - "date": "2025-12-14" + "percentile": 0.57254, + "date": "2025-12-15" } ], "cwes": [ @@ -4614,8 +4614,8 @@ { "cve": "CVE-2025-8713", "epss": 0.00057, - "percentile": 0.17875, - "date": "2025-12-14" + "percentile": 0.17855, + "date": "2025-12-15" } ], "cwes": [ @@ -4670,8 +4670,8 @@ { "cve": "CVE-2025-8713", "epss": 0.00057, - "percentile": 0.17875, - "date": "2025-12-14" + "percentile": 0.17855, + "date": "2025-12-15" } ], "cwes": [ @@ -4749,8 +4749,8 @@ { "cve": "CVE-2019-1010023", "epss": 0.00346, - "percentile": 0.5661, - "date": "2025-12-14" + "percentile": 0.56596, + "date": "2025-12-15" } ], "fix": { @@ -4816,8 +4816,8 @@ { "cve": "CVE-2019-1010023", "epss": 0.00346, - "percentile": 0.5661, - "date": "2025-12-14" + "percentile": 0.56596, + "date": "2025-12-15" } ] } @@ -4914,8 +4914,8 @@ { "cve": "CVE-2025-8058", "epss": 0.00031, - "percentile": 0.08295, - "date": "2025-12-14" + "percentile": 0.08225, + "date": "2025-12-15" } ], "cwes": [ @@ -4970,8 +4970,8 @@ { "cve": "CVE-2025-8058", "epss": 0.00031, - "percentile": 0.08295, - "date": "2025-12-14" + "percentile": 0.08225, + "date": "2025-12-15" } ], "cwes": [ @@ -5081,8 +5081,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -5148,8 +5148,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -5260,9 +5260,9 @@ "epss": [ { "cve": "CVE-2025-12817", - "epss": 0.0004, - "percentile": 0.11878, - "date": "2025-12-14" + "epss": 0.00046, + "percentile": 0.14034, + "date": "2025-12-15" } ], "cwes": [ 
@@ -5278,7 +5278,7 @@ "state": "wont-fix" }, "advisories": [], - "risk": 0.012199999999999999 + "risk": 0.014029999999999999 }, "relatedVulnerabilities": [ { @@ -5307,9 +5307,9 @@ "epss": [ { "cve": "CVE-2025-12817", - "epss": 0.0004, - "percentile": 0.11878, - "date": "2025-12-14" + "epss": 0.00046, + "percentile": 0.14034, + "date": "2025-12-15" } ], "cwes": [ @@ -5384,8 +5384,8 @@ { "cve": "CVE-2024-2236", "epss": 0.00222, - "percentile": 0.44746, - "date": "2025-12-14" + "percentile": 0.44727, + "date": "2025-12-15" } ], "cwes": [ @@ -5436,8 +5436,8 @@ { "cve": "CVE-2024-2236", "epss": 0.00222, - "percentile": 0.44746, - "date": "2025-12-14" + "percentile": 0.44727, + "date": "2025-12-15" } ], "cwes": [ @@ -5508,8 +5508,8 @@ { "cve": "CVE-2020-15719", "epss": 0.00216, - "percentile": 0.44145, - "date": "2025-12-14" + "percentile": 0.44125, + "date": "2025-12-15" } ], "cwes": [ @@ -5573,8 +5573,8 @@ { "cve": "CVE-2020-15719", "epss": 0.00216, - "percentile": 0.44145, - "date": "2025-12-14" + "percentile": 0.44125, + "date": "2025-12-15" } ], "cwes": [ @@ -5658,8 +5658,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -5706,8 +5706,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -5791,8 +5791,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -5839,8 +5839,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -5915,8 +5915,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ 
@@ -5963,8 +5963,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -6044,8 +6044,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -6092,8 +6092,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -6168,8 +6168,8 @@ { "cve": "CVE-2024-2379", "epss": 0.00205, - "percentile": 0.42752, - "date": "2025-12-14" + "percentile": 0.42737, + "date": "2025-12-15" } ], "cwes": [ @@ -6225,8 +6225,8 @@ { "cve": "CVE-2024-2379", "epss": 0.00205, - "percentile": 0.42752, - "date": "2025-12-14" + "percentile": 0.42737, + "date": "2025-12-15" } ], "cwes": [ @@ -6316,8 +6316,8 @@ { "cve": "CVE-2025-29477", "epss": 0.00019, - "percentile": 0.04132, - "date": "2025-12-14" + "percentile": 0.04084, + "date": "2025-12-15" } ], "cwes": [ @@ -6409,8 +6409,8 @@ { "cve": "CVE-2025-4802", "epss": 0.00012, - "percentile": 0.01157, - "date": "2025-12-14" + "percentile": 0.01154, + "date": "2025-12-15" } ], "cwes": [ @@ -6469,8 +6469,8 @@ { "cve": "CVE-2025-4802", "epss": 0.00012, - "percentile": 0.01157, - "date": "2025-12-14" + "percentile": 0.01154, + "date": "2025-12-15" } ], "cwes": [ @@ -6567,8 +6567,8 @@ { "cve": "CVE-2019-1010022", "epss": 0.00145, - "percentile": 0.35451, - "date": "2025-12-14" + "percentile": 0.35413, + "date": "2025-12-15" } ], "cwes": [ @@ -6629,8 +6629,8 @@ { "cve": "CVE-2019-1010022", "epss": 0.00145, - "percentile": 0.35451, - "date": "2025-12-14" + "percentile": 0.35413, + "date": "2025-12-15" } ], "cwes": [ @@ -6724,8 +6724,8 @@ { "cve": "CVE-2023-31437", "epss": 0.00128, - "percentile": 0.32956, - "date": "2025-12-14" + "percentile": 0.32907, + "date": "2025-12-15" } ], "cwes": [ 
@@ -6791,8 +6791,8 @@ { "cve": "CVE-2023-31437", "epss": 0.00128, - "percentile": 0.32956, - "date": "2025-12-14" + "percentile": 0.32907, + "date": "2025-12-15" } ], "cwes": [ @@ -6873,8 +6873,8 @@ { "cve": "CVE-2023-31437", "epss": 0.00128, - "percentile": 0.32956, - "date": "2025-12-14" + "percentile": 0.32907, + "date": "2025-12-15" } ], "cwes": [ @@ -6940,8 +6940,8 @@ { "cve": "CVE-2023-31437", "epss": 0.00128, - "percentile": 0.32956, - "date": "2025-12-14" + "percentile": 0.32907, + "date": "2025-12-15" } ], "cwes": [ @@ -7018,8 +7018,8 @@ { "cve": "CVE-2017-14159", "epss": 0.00123, - "percentile": 0.32248, - "date": "2025-12-14" + "percentile": 0.32198, + "date": "2025-12-15" } ], "cwes": [ @@ -7078,8 +7078,8 @@ { "cve": "CVE-2017-14159", "epss": 0.00123, - "percentile": 0.32248, - "date": "2025-12-14" + "percentile": 0.32198, + "date": "2025-12-15" } ], "cwes": [ @@ -7163,8 +7163,8 @@ { "cve": "CVE-2023-31438", "epss": 0.001, - "percentile": 0.2847, - "date": "2025-12-14" + "percentile": 0.28437, + "date": "2025-12-15" } ], "cwes": [ @@ -7213,8 +7213,8 @@ { "cve": "CVE-2023-31438", "epss": 0.001, - "percentile": 0.2847, - "date": "2025-12-14" + "percentile": 0.28437, + "date": "2025-12-15" } ], "cwes": [ @@ -7289,8 +7289,8 @@ { "cve": "CVE-2023-31438", "epss": 0.001, - "percentile": 0.2847, - "date": "2025-12-14" + "percentile": 0.28437, + "date": "2025-12-15" } ], "cwes": [ @@ -7339,8 +7339,8 @@ { "cve": "CVE-2023-31438", "epss": 0.001, - "percentile": 0.2847, - "date": "2025-12-14" + "percentile": 0.28437, + "date": "2025-12-15" } ], "cwes": [ @@ -7411,8 +7411,8 @@ { "cve": "CVE-2023-31439", "epss": 0.00094, - "percentile": 0.26906, - "date": "2025-12-14" + "percentile": 0.26877, + "date": "2025-12-15" } ], "cwes": [ @@ -7461,8 +7461,8 @@ { "cve": "CVE-2023-31439", "epss": 0.00094, - "percentile": 0.26906, - "date": "2025-12-14" + "percentile": 0.26877, + "date": "2025-12-15" } ], "cwes": [ 
@@ -7537,8 +7537,8 @@ { "cve": "CVE-2023-31439", "epss": 0.00094, - "percentile": 0.26906, - "date": "2025-12-14" + "percentile": 0.26877, + "date": "2025-12-15" } ], "cwes": [ @@ -7587,8 +7587,8 @@ { "cve": "CVE-2023-31439", "epss": 0.00094, - "percentile": 0.26906, - "date": "2025-12-14" + "percentile": 0.26877, + "date": "2025-12-15" } ], "cwes": [ @@ -7659,8 +7659,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -7707,8 +7707,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -7792,8 +7792,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -7840,8 +7840,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -7916,8 +7916,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -7964,8 +7964,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -8045,8 +8045,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -8093,8 +8093,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -8169,8 +8169,8 @@ { "cve": "CVE-2013-4392", "epss": 0.00057, - "percentile": 0.17828, - "date": "2025-12-14" + "percentile": 0.17808, + "date": "2025-12-15" } ], "cwes": [ 
@@ -8236,8 +8236,8 @@ { "cve": "CVE-2013-4392", "epss": 0.00057, - "percentile": 0.17828, - "date": "2025-12-14" + "percentile": 0.17808, + "date": "2025-12-15" } ], "cwes": [ @@ -8318,8 +8318,8 @@ { "cve": "CVE-2013-4392", "epss": 0.00057, - "percentile": 0.17828, - "date": "2025-12-14" + "percentile": 0.17808, + "date": "2025-12-15" } ], "cwes": [ @@ -8385,8 +8385,8 @@ { "cve": "CVE-2013-4392", "epss": 0.00057, - "percentile": 0.17828, - "date": "2025-12-14" + "percentile": 0.17808, + "date": "2025-12-15" } ], "cwes": [ @@ -8463,8 +8463,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -8524,8 +8524,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -8632,8 +8632,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -8693,8 +8693,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -8769,8 +8769,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -8830,8 +8830,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -8934,8 +8934,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -8995,8 +8995,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ 
@@ -9094,8 +9094,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -9155,8 +9155,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -9254,8 +9254,8 @@ { "cve": "CVE-2025-27587", "epss": 0.00035, - "percentile": 0.101, - "date": "2025-12-14" + "percentile": 0.10027, + "date": "2025-12-15" } ], "cwes": [ @@ -9302,8 +9302,8 @@ { "cve": "CVE-2025-27587", "epss": 0.00035, - "percentile": 0.101, - "date": "2025-12-14" + "percentile": 0.10027, + "date": "2025-12-15" } ], "cwes": [ @@ -9399,8 +9399,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ], "fix": { @@ -9441,8 +9441,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ] } 
@@ -9877,87 +9877,87 @@ "db": { "status": { "schemaVersion": "v6.1.3", - "from": "https://grype.anchore.io/databases/v6/vulnerability-db_v6.1.3_2025-12-15T00:26:22Z_1765786837.tar.zst?checksum=sha256%3A819b50d22f073b9ab2ad3c00d212207037c07e1de037f81b528b58717b758db2", - "built": "2025-12-15T08:20:37Z", + "from": "https://grype.anchore.io/databases/v6/vulnerability-db_v6.1.3_2025-12-16T00:25:11Z_1765880790.tar.zst?checksum=sha256%3Aa8bb3ef2cc68f242e78cda1e451f290ff56a23b1063de65d22a0ac20e16ae5bd", + "built": "2025-12-16T10:26:30Z", "path": ".cache/grype/db/6/vulnerability.db", "valid": true }, "providers": { "alma": { - "captured": "2025-12-15T00:26:29Z", + "captured": "2025-12-16T00:25:17Z", "input": "xxh64:3bae44c7a22f7a7a" }, "alpine": { - "captured": "2025-12-15T00:26:22Z", - "input": "xxh64:a6910ebae352b990" + "captured": "2025-12-16T00:25:13Z", + "input": "xxh64:0d94cc3d895e96e4" }, "amazon": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:d9332811ab10da09" + "captured": "2025-12-16T00:25:14Z", + "input": "xxh64:96351b3c21f16cdd" }, "bitnami": { - "captured": "2025-12-15T00:26:31Z", - "input": "xxh64:1ecf12b668dea077" + "captured": "2025-12-16T00:25:26Z", + "input": "xxh64:01d096e52d6c584d" }, "chainguard": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:c788b1823558ccdc" + "captured": "2025-12-16T00:25:19Z", + "input": "xxh64:aeb142b1fabd05ef" }, "chainguard-libraries": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:61125e10198fff74" + "captured": "2025-12-16T00:25:25Z", + "input": "xxh64:131c1a3e98113468" }, "debian": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:3a0aef0ee5db3f38" + "captured": "2025-12-16T00:25:24Z", + "input": "xxh64:9c5942d58a5f0d0a" }, "echo": { - "captured": "2025-12-15T00:26:34Z", - "input": "xxh64:b407f1052619408a" + "captured": "2025-12-16T00:25:20Z", + "input": "xxh64:e65ed35a7a7899d0" }, "epss": { - "captured": "2025-12-15T00:26:28Z", - "input": "xxh64:05fd1e2ee709d2a5" + "captured": 
"2025-12-16T00:25:21Z", + "input": "xxh64:c443dbaf0209cf17" }, "github": { - "captured": "2025-12-15T00:26:44Z", - "input": "xxh64:3c7fd996a88f1c66" + "captured": "2025-12-16T00:25:21Z", + "input": "xxh64:640038905439d285" }, "kev": { - "captured": "2025-12-15T00:26:23Z", - "input": "xxh64:ed425533655d771d" + "captured": "2025-12-16T00:25:11Z", + "input": "xxh64:c28f5b32e2103243" }, "mariner": { - "captured": "2025-12-15T00:26:32Z", - "input": "xxh64:6fdbff1192df3158" + "captured": "2025-12-16T00:25:18Z", + "input": "xxh64:647810a8c07a63eb" }, "minimos": { - "captured": "2025-12-15T00:26:30Z", - "input": "xxh64:66fa9397e7abbbe3" + "captured": "2025-12-16T00:25:20Z", + "input": "xxh64:24ca3b7889974a27" }, "nvd": { - "captured": "2025-12-15T00:29:34Z", - "input": "xxh64:52a15157244d2eb4" + "captured": "2025-12-16T00:28:18Z", + "input": "xxh64:8ee1877e9a9e680b" }, "oracle": { - "captured": "2025-12-15T00:26:29Z", - "input": "xxh64:a3297070ed6c54c1" + "captured": "2025-12-16T00:25:23Z", + "input": "xxh64:a4416b6b3e4250df" }, "rhel": { - "captured": "2025-12-15T00:27:19Z", - "input": "xxh64:e625d0086bf187f1" + "captured": "2025-12-16T00:26:07Z", + "input": "xxh64:9911b1a567d8f57c" }, "sles": { - "captured": "2025-12-15T00:26:44Z", - "input": "xxh64:baf8228a110f8ba2" + "captured": "2025-12-16T00:25:43Z", + "input": "xxh64:1b717d5f2e45fdee" }, "ubuntu": { - "captured": "2025-12-15T00:27:45Z", - "input": "xxh64:dd0f79d777310979" + "captured": "2025-12-16T00:27:14Z", + "input": "xxh64:2d3097578288b46f" }, "wolfi": { - "captured": "2025-12-15T00:26:25Z", - "input": "xxh64:7f14313934ae61bb" + "captured": "2025-12-16T00:25:19Z", + "input": "xxh64:f85923693eb62700" } } } diff --git a/docs/security/oss/grype-4.0.5.json b/docs/security/oss/grype-4.0.5.json index 4e6d805..07fa10d 100644 --- a/docs/security/oss/grype-4.0.5.json +++ b/docs/security/oss/grype-4.0.5.json 
@@ -26,8 +26,8 @@ { "cve": "CVE-2023-2953", "epss": 0.01466, - "percentile": 0.80391, - "date": "2025-12-14" + "percentile": 0.80389, + "date": "2025-12-15" } ], "cwes": [ @@ -105,8 +105,8 @@ { "cve": "CVE-2023-2953", "epss": 0.01466, - "percentile": 0.80391, - "date": "2025-12-14" + "percentile": 0.80389, + "date": "2025-12-15" } ], "cwes": [ @@ -202,8 +202,8 @@ { "cve": "CVE-2011-3389", "epss": 0.03795, - "percentile": 0.8769, - "date": "2025-12-14" + "percentile": 0.87688, + "date": "2025-12-15" } ], "cwes": [ @@ -337,8 +337,8 @@ { "cve": "CVE-2011-3389", "epss": 0.03795, - "percentile": 0.8769, - "date": "2025-12-14" + "percentile": 0.87688, + "date": "2025-12-15" } ], "cwes": [ @@ -413,8 +413,8 @@ { "cve": "CVE-2015-3276", "epss": 0.02852, - "percentile": 0.8578, - "date": "2025-12-14" + "percentile": 0.85775, + "date": "2025-12-15" } ], "fix": { @@ -467,8 +467,8 @@ { "cve": "CVE-2015-3276", "epss": 0.02852, - "percentile": 0.8578, - "date": "2025-12-14" + "percentile": 0.85775, + "date": "2025-12-15" } ] } @@ -544,8 +544,8 @@ { "cve": "CVE-2018-20796", "epss": 0.01669, - "percentile": 0.8162, - "date": "2025-12-14" + "percentile": 0.81616, + "date": "2025-12-15" } ], "cwes": [ @@ -607,8 +607,8 @@ { "cve": "CVE-2018-20796", "epss": 0.01669, - "percentile": 0.8162, - "date": "2025-12-14" + "percentile": 0.81616, + "date": "2025-12-15" } ], "cwes": [ @@ -702,8 +702,8 @@ { "cve": "CVE-2017-17740", "epss": 0.01643, - "percentile": 0.81471, - "date": "2025-12-14" + "percentile": 0.81467, + "date": "2025-12-15" } ], "cwes": [ @@ -765,8 +765,8 @@ { "cve": "CVE-2017-17740", "epss": 0.01643, - "percentile": 0.81471, - "date": "2025-12-14" + "percentile": 0.81467, + "date": "2025-12-15" } ], "cwes": [ @@ -863,8 +863,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ], "fix": { 
@@ -905,8 +905,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ] } @@ -986,8 +986,8 @@ { "cve": "CVE-2025-8715", "epss": 0.00072, - "percentile": 0.2224, - "date": "2025-12-14" + "percentile": 0.22219, + "date": "2025-12-15" } ], "cwes": [ @@ -1042,8 +1042,8 @@ { "cve": "CVE-2025-8715", "epss": 0.00072, - "percentile": 0.2224, - "date": "2025-12-14" + "percentile": 0.22219, + "date": "2025-12-15" } ], "cwes": [ @@ -1121,8 +1121,8 @@ { "cve": "CVE-2019-9192", "epss": 0.00942, - "percentile": 0.75629, - "date": "2025-12-14" + "percentile": 0.75628, + "date": "2025-12-15" } ], "cwes": [ @@ -1181,8 +1181,8 @@ { "cve": "CVE-2019-9192", "epss": 0.00942, - "percentile": 0.75629, - "date": "2025-12-14" + "percentile": 0.75628, + "date": "2025-12-15" } ], "cwes": [ @@ -1276,8 +1276,8 @@ { "cve": "CVE-2025-0725", "epss": 0.00904, - "percentile": 0.75077, - "date": "2025-12-14" + "percentile": 0.7508, + "date": "2025-12-15" } ], "cwes": [ @@ -1330,8 +1330,8 @@ { "cve": "CVE-2025-0725", "epss": 0.00904, - "percentile": 0.75077, - "date": "2025-12-14" + "percentile": 0.7508, + "date": "2025-12-15" } ], "cwes": [ @@ -1419,8 +1419,8 @@ { "cve": "CVE-2025-10148", "epss": 0.0007, - "percentile": 0.21525, - "date": "2025-12-14" + "percentile": 0.21504, + "date": "2025-12-15" } ], "fix": { @@ -1463,8 +1463,8 @@ { "cve": "CVE-2025-10148", "epss": 0.0007, - "percentile": 0.21525, - "date": "2025-12-14" + "percentile": 0.21504, + "date": "2025-12-15" } ] } @@ -1531,8 +1531,8 @@ { "cve": "CVE-2010-4756", "epss": 0.00691, - "percentile": 0.71132, - "date": "2025-12-14" + "percentile": 0.71128, + "date": "2025-12-15" } ], "cwes": [ @@ -1583,8 +1583,8 @@ { "cve": "CVE-2010-4756", "epss": 0.00691, - "percentile": 0.71132, - "date": "2025-12-14" + "percentile": 0.71128, + "date": "2025-12-15" } ], "cwes": [ 
@@ -1667,96 +1667,94 @@ }, { "vulnerability": { - "id": "CVE-2018-6829", - "dataSource": "https://security-tracker.debian.org/tracker/CVE-2018-6829", + "id": "CVE-2025-12818", + "dataSource": "https://security-tracker.debian.org/tracker/CVE-2025-12818", "namespace": "debian:distro:debian:12", - "severity": "Negligible", + "severity": "Medium", "urls": [], - "description": "cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.", - "cvss": [], + "description": "Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application using libpq. 
Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.", + "cvss": [ + { + "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.9, + "exploitabilityScore": 2.3, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ], "epss": [ { - "cve": "CVE-2018-6829", - "epss": 0.00577, - "percentile": 0.68044, - "date": "2025-12-14" + "cve": "CVE-2025-12818", + "epss": 0.00057, + "percentile": 0.1792, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2018-6829", - "cwe": "CWE-327", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2025-12818", + "cwe": "CWE-190", + "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", + "type": "Secondary" } ], "fix": { "versions": [], - "state": "not-fixed" + "state": "wont-fix" }, "advisories": [], - "risk": 0.02885 + "risk": 0.031065 }, "relatedVulnerabilities": [ { - "id": "CVE-2018-6829", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2018-6829", + "id": "CVE-2025-12818", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-12818", "namespace": "nvd:cpe", - "severity": "High", + "severity": "Medium", "urls": [ - "https://github.com/weikengchen/attack-on-libgcrypt-elgamal", - "https://github.com/weikengchen/attack-on-libgcrypt-elgamal/wiki", - "https://lists.gnupg.org/pipermail/gcrypt-devel/2018-February/004394.html", - "https://www.oracle.com/security-alerts/cpujan2020.html" + "https://www.postgresql.org/support/security/CVE-2025-12818/" ], - "description": "cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). 
The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.", + "description": "Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application using libpq. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.", "cvss": [ { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "3.0", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} - }, - { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "2.0", - "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", - "metrics": { - "baseScore": 5, - "exploitabilityScore": 10, - "impactScore": 2.9 - }, - "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2018-6829", - "epss": 0.00577, - "percentile": 0.68044, - "date": "2025-12-14" + "cve": "CVE-2025-12818", + "epss": 0.00057, + "percentile": 0.1792, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2018-6829", - "cwe": "CWE-327", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2025-12818", + "cwe": "CWE-190", + "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", + "type": "Secondary" } ] } ], "matchDetails": [ { - "type": "exact-direct-match", + "type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": { "distro": { 
@@ -1764,27 +1762,27 @@ "version": "12" }, "package": { - "name": "libgcrypt20", - "version": "1.10.1-3" + "name": "postgresql-15", + "version": "15.13-0+deb12u1" }, "namespace": "debian:distro:debian:12" }, "found": { - "vulnerabilityID": "CVE-2018-6829", + "vulnerabilityID": "CVE-2025-12818", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "aa143951e2980797", - "name": "libgcrypt20", - "version": "1.10.1-3", + "id": "11769cd41fdc5daa", + "name": "libpq5", + "version": "15.13-0+deb12u1", "type": "deb", "locations": [ { - "path": "/var/lib/dpkg/status.d/libgcrypt20", + "path": "/var/lib/dpkg/status.d/libpq5", "layerID": "sha256:2c48143b46c0c37e19b24b81b44f4c3620784ae714155891d332b1b1a59c8ca8", - "accessPath": "/var/lib/dpkg/status.d/libgcrypt20", + "accessPath": "/var/lib/dpkg/status.d/libpq5", "annotations": { "evidence": "primary" } 
@@ -1793,102 +1791,108 @@ "language": "", "licenses": [], "cpes": [ - "cpe:2.3:a:libgcrypt20:libgcrypt20:1.10.1-3:*:*:*:*:*:*:*" + "cpe:2.3:a:libpq5:libpq5:15.13-0\\+deb12u1:*:*:*:*:*:*:*" ], - "purl": "pkg:deb/debian/libgcrypt20@1.10.1-3?arch=amd64&distro=debian-12", - "upstreams": [] + "purl": "pkg:deb/debian/libpq5@15.13-0%2Bdeb12u1?arch=amd64&distro=debian-12&upstream=postgresql-15", + "upstreams": [ + { + "name": "postgresql-15" + } + ] } }, { "vulnerability": { - "id": "CVE-2025-12818", - "dataSource": "https://security-tracker.debian.org/tracker/CVE-2025-12818", + "id": "CVE-2018-6829", + "dataSource": "https://security-tracker.debian.org/tracker/CVE-2018-6829", "namespace": "debian:distro:debian:12", - "severity": "Medium", + "severity": "Negligible", "urls": [], - "description": "Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application using libpq. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.", - "cvss": [ - { - "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", - "type": "Secondary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", - "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, - "impactScore": 3.6 - }, - "vendorMetadata": {} - } - ], + "description": "cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). 
The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.", + "cvss": [], "epss": [ { - "cve": "CVE-2025-12818", - "epss": 0.00052, - "percentile": 0.16429, - "date": "2025-12-14" + "cve": "CVE-2018-6829", + "epss": 0.00577, + "percentile": 0.6804, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-12818", - "cwe": "CWE-190", - "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", - "type": "Secondary" + "cve": "CVE-2018-6829", + "cwe": "CWE-327", + "source": "nvd@nist.gov", + "type": "Primary" } ], "fix": { "versions": [], - "state": "wont-fix" + "state": "not-fixed" }, "advisories": [], - "risk": 0.02834 + "risk": 0.02885 }, "relatedVulnerabilities": [ { - "id": "CVE-2025-12818", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-12818", + "id": "CVE-2018-6829", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2018-6829", "namespace": "nvd:cpe", - "severity": "Medium", + "severity": "High", "urls": [ - "https://www.postgresql.org/support/security/CVE-2025-12818/" + "https://github.com/weikengchen/attack-on-libgcrypt-elgamal", + "https://github.com/weikengchen/attack-on-libgcrypt-elgamal/wiki", + "https://lists.gnupg.org/pipermail/gcrypt-devel/2018-February/004394.html", + "https://www.oracle.com/security-alerts/cpujan2020.html" ], - "description": "Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application using libpq. 
Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.", + "description": "cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.", "cvss": [ { - "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", - "type": "Secondary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.0", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, + "baseScore": 7.5, + "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", + "metrics": { + "baseScore": 5, + "exploitabilityScore": 10, + "impactScore": 2.9 + }, + "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2025-12818", - "epss": 0.00052, - "percentile": 0.16429, - "date": "2025-12-14" + "cve": "CVE-2018-6829", + "epss": 0.00577, + "percentile": 0.6804, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-12818", - "cwe": "CWE-190", - "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", - "type": "Secondary" + "cve": "CVE-2018-6829", + "cwe": "CWE-327", + "source": "nvd@nist.gov", + "type": "Primary" } ] } ], "matchDetails": [ { - "type": "exact-indirect-match", + "type": "exact-direct-match", "matcher": "dpkg-matcher", "searchedBy": { "distro": { 
@@ -1896,27 +1900,27 @@ "version": "12" }, "package": { - "name": "postgresql-15", - "version": "15.13-0+deb12u1" + "name": "libgcrypt20", + "version": "1.10.1-3" }, "namespace": "debian:distro:debian:12" }, "found": { - "vulnerabilityID": "CVE-2025-12818", + "vulnerabilityID": "CVE-2018-6829", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "11769cd41fdc5daa", - "name": "libpq5", - "version": "15.13-0+deb12u1", + "id": "aa143951e2980797", + "name": "libgcrypt20", + "version": "1.10.1-3", "type": "deb", "locations": [ { - "path": "/var/lib/dpkg/status.d/libpq5", + "path": "/var/lib/dpkg/status.d/libgcrypt20", "layerID": "sha256:2c48143b46c0c37e19b24b81b44f4c3620784ae714155891d332b1b1a59c8ca8", - "accessPath": "/var/lib/dpkg/status.d/libpq5", + "accessPath": "/var/lib/dpkg/status.d/libgcrypt20", "annotations": { "evidence": "primary" } @@ -1925,14 +1929,10 @@ "language": "", "licenses": [], "cpes": [ - "cpe:2.3:a:libpq5:libpq5:15.13-0\\+deb12u1:*:*:*:*:*:*:*" + "cpe:2.3:a:libgcrypt20:libgcrypt20:1.10.1-3:*:*:*:*:*:*:*" ], - "purl": "pkg:deb/debian/libpq5@15.13-0%2Bdeb12u1?arch=amd64&distro=debian-12&upstream=postgresql-15", - "upstreams": [ - { - "name": "postgresql-15" - } - ] + "purl": "pkg:deb/debian/libgcrypt20@1.10.1-3?arch=amd64&distro=debian-12", + "upstreams": [] } }, { @@ -1961,8 +1961,8 @@ { "cve": "CVE-2025-3576", "epss": 0.0005, - "percentile": 0.15798, - "date": "2025-12-14" + "percentile": 0.15765, + "date": "2025-12-15" } ], "cwes": [ @@ -2031,8 +2031,8 @@ { "cve": "CVE-2025-3576", "epss": 0.0005, - "percentile": 0.15798, - "date": "2025-12-14" + "percentile": 0.15765, + "date": "2025-12-15" } ], "cwes": [ @@ -2132,8 +2132,8 @@ { "cve": "CVE-2025-3576", "epss": 0.0005, - "percentile": 0.15798, - "date": "2025-12-14" + "percentile": 0.15765, + "date": "2025-12-15" } ], "cwes": [ 
@@ -2202,8 +2202,8 @@ { "cve": "CVE-2025-3576", "epss": 0.0005, - "percentile": 0.15798, - "date": "2025-12-14" + "percentile": 0.15765, + "date": "2025-12-15" } ], "cwes": [ @@ -2294,8 +2294,8 @@ { "cve": "CVE-2025-3576", "epss": 0.0005, - "percentile": 0.15798, - "date": "2025-12-14" + "percentile": 0.15765, + "date": "2025-12-15" } ], "cwes": [ @@ -2364,8 +2364,8 @@ { "cve": "CVE-2025-3576", "epss": 0.0005, - "percentile": 0.15798, - "date": "2025-12-14" + "percentile": 0.15765, + "date": "2025-12-15" } ], "cwes": [ @@ -2461,8 +2461,8 @@ { "cve": "CVE-2025-3576", "epss": 0.0005, - "percentile": 0.15798, - "date": "2025-12-14" + "percentile": 0.15765, + "date": "2025-12-15" } ], "cwes": [ @@ -2531,8 +2531,8 @@ { "cve": "CVE-2025-3576", "epss": 0.0005, - "percentile": 0.15798, - "date": "2025-12-14" + "percentile": 0.15765, + "date": "2025-12-15" } ], "cwes": [ @@ -2623,8 +2623,8 @@ { "cve": "CVE-2025-8714", "epss": 0.00032, - "percentile": 0.0894, - "date": "2025-12-14" + "percentile": 0.08868, + "date": "2025-12-15" } ], "cwes": [ @@ -2679,8 +2679,8 @@ { "cve": "CVE-2025-8714", "epss": 0.00032, - "percentile": 0.0894, - "date": "2025-12-14" + "percentile": 0.08868, + "date": "2025-12-15" } ], "cwes": [ @@ -2758,8 +2758,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -2818,8 +2818,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -2903,8 +2903,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -2963,8 +2963,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ 
@@ -3039,8 +3039,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -3099,8 +3099,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -3180,8 +3180,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -3240,8 +3240,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -3329,8 +3329,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ @@ -3405,8 +3405,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ @@ -3511,8 +3511,8 @@ { "cve": "CVE-2019-1010024", "epss": 0.00364, - "percentile": 0.5785, - "date": "2025-12-14" + "percentile": 0.57833, + "date": "2025-12-15" } ], "cwes": [ @@ -3575,8 +3575,8 @@ { "cve": "CVE-2019-1010024", "epss": 0.00364, - "percentile": 0.5785, - "date": "2025-12-14" + "percentile": 0.57833, + "date": "2025-12-15" } ], "cwes": [ @@ -3685,8 +3685,8 @@ { "cve": "CVE-2025-29478", "epss": 0.00034, - "percentile": 0.09478, - "date": "2025-12-14" + "percentile": 0.09393, + "date": "2025-12-15" } ], "cwes": [ @@ -3765,8 +3765,8 @@ { "cve": "CVE-2019-1010025", "epss": 0.00356, - "percentile": 0.5727, - "date": "2025-12-14" + "percentile": 0.57254, + "date": "2025-12-15" } ], "cwes": [ @@ -3828,8 +3828,8 @@ { "cve": "CVE-2019-1010025", "epss": 0.00356, - "percentile": 0.5727, - "date": "2025-12-14" + "percentile": 0.57254, + "date": "2025-12-15" } ], "cwes": [ 
@@ -3936,8 +3936,8 @@ { "cve": "CVE-2025-8713", "epss": 0.00057, - "percentile": 0.17875, - "date": "2025-12-14" + "percentile": 0.17855, + "date": "2025-12-15" } ], "cwes": [ @@ -3992,8 +3992,8 @@ { "cve": "CVE-2025-8713", "epss": 0.00057, - "percentile": 0.17875, - "date": "2025-12-14" + "percentile": 0.17855, + "date": "2025-12-15" } ], "cwes": [ @@ -4071,8 +4071,8 @@ { "cve": "CVE-2019-1010023", "epss": 0.00346, - "percentile": 0.5661, - "date": "2025-12-14" + "percentile": 0.56596, + "date": "2025-12-15" } ], "fix": { @@ -4138,8 +4138,8 @@ { "cve": "CVE-2019-1010023", "epss": 0.00346, - "percentile": 0.5661, - "date": "2025-12-14" + "percentile": 0.56596, + "date": "2025-12-15" } ] } @@ -4236,8 +4236,8 @@ { "cve": "CVE-2025-8058", "epss": 0.00031, - "percentile": 0.08295, - "date": "2025-12-14" + "percentile": 0.08225, + "date": "2025-12-15" } ], "cwes": [ @@ -4292,8 +4292,8 @@ { "cve": "CVE-2025-8058", "epss": 0.00031, - "percentile": 0.08295, - "date": "2025-12-14" + "percentile": 0.08225, + "date": "2025-12-15" } ], "cwes": [ @@ -4403,8 +4403,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -4470,8 +4470,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -4582,9 +4582,9 @@ "epss": [ { "cve": "CVE-2025-12817", - "epss": 0.0004, - "percentile": 0.11878, - "date": "2025-12-14" + "epss": 0.00046, + "percentile": 0.14034, + "date": "2025-12-15" } ], "cwes": [ @@ -4600,7 +4600,7 @@ "state": "wont-fix" }, "advisories": [], - "risk": 0.012199999999999999 + "risk": 0.014029999999999999 }, "relatedVulnerabilities": [ { @@ -4629,9 +4629,9 @@ "epss": [ { "cve": "CVE-2025-12817", - "epss": 0.0004, - "percentile": 0.11878, - "date": "2025-12-14" + "epss": 0.00046, + "percentile": 0.14034, + "date": "2025-12-15" } ], "cwes": [ 
@@ -4706,8 +4706,8 @@ { "cve": "CVE-2024-2236", "epss": 0.00222, - "percentile": 0.44746, - "date": "2025-12-14" + "percentile": 0.44727, + "date": "2025-12-15" } ], "cwes": [ @@ -4758,8 +4758,8 @@ { "cve": "CVE-2024-2236", "epss": 0.00222, - "percentile": 0.44746, - "date": "2025-12-14" + "percentile": 0.44727, + "date": "2025-12-15" } ], "cwes": [ @@ -4830,8 +4830,8 @@ { "cve": "CVE-2020-15719", "epss": 0.00216, - "percentile": 0.44145, - "date": "2025-12-14" + "percentile": 0.44125, + "date": "2025-12-15" } ], "cwes": [ @@ -4895,8 +4895,8 @@ { "cve": "CVE-2020-15719", "epss": 0.00216, - "percentile": 0.44145, - "date": "2025-12-14" + "percentile": 0.44125, + "date": "2025-12-15" } ], "cwes": [ @@ -4980,8 +4980,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -5028,8 +5028,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -5113,8 +5113,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -5161,8 +5161,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -5237,8 +5237,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -5285,8 +5285,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -5366,8 +5366,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ 
@@ -5414,8 +5414,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -5490,8 +5490,8 @@ { "cve": "CVE-2024-2379", "epss": 0.00205, - "percentile": 0.42752, - "date": "2025-12-14" + "percentile": 0.42737, + "date": "2025-12-15" } ], "cwes": [ @@ -5547,8 +5547,8 @@ { "cve": "CVE-2024-2379", "epss": 0.00205, - "percentile": 0.42752, - "date": "2025-12-14" + "percentile": 0.42737, + "date": "2025-12-15" } ], "cwes": [ @@ -5638,8 +5638,8 @@ { "cve": "CVE-2025-29477", "epss": 0.00019, - "percentile": 0.04132, - "date": "2025-12-14" + "percentile": 0.04084, + "date": "2025-12-15" } ], "cwes": [ @@ -5731,8 +5731,8 @@ { "cve": "CVE-2025-4802", "epss": 0.00012, - "percentile": 0.01157, - "date": "2025-12-14" + "percentile": 0.01154, + "date": "2025-12-15" } ], "cwes": [ @@ -5791,8 +5791,8 @@ { "cve": "CVE-2025-4802", "epss": 0.00012, - "percentile": 0.01157, - "date": "2025-12-14" + "percentile": 0.01154, + "date": "2025-12-15" } ], "cwes": [ @@ -5889,8 +5889,8 @@ { "cve": "CVE-2019-1010022", "epss": 0.00145, - "percentile": 0.35451, - "date": "2025-12-14" + "percentile": 0.35413, + "date": "2025-12-15" } ], "cwes": [ @@ -5951,8 +5951,8 @@ { "cve": "CVE-2019-1010022", "epss": 0.00145, - "percentile": 0.35451, - "date": "2025-12-14" + "percentile": 0.35413, + "date": "2025-12-15" } ], "cwes": [ @@ -6046,8 +6046,8 @@ { "cve": "CVE-2023-31437", "epss": 0.00128, - "percentile": 0.32956, - "date": "2025-12-14" + "percentile": 0.32907, + "date": "2025-12-15" } ], "cwes": [ @@ -6113,8 +6113,8 @@ { "cve": "CVE-2023-31437", "epss": 0.00128, - "percentile": 0.32956, - "date": "2025-12-14" + "percentile": 0.32907, + "date": "2025-12-15" } ], "cwes": [ @@ -6195,8 +6195,8 @@ { "cve": "CVE-2023-31437", "epss": 0.00128, - "percentile": 0.32956, - "date": "2025-12-14" + "percentile": 0.32907, + "date": "2025-12-15" } ], "cwes": [ 
@@ -6262,8 +6262,8 @@ { "cve": "CVE-2023-31437", "epss": 0.00128, - "percentile": 0.32956, - "date": "2025-12-14" + "percentile": 0.32907, + "date": "2025-12-15" } ], "cwes": [ @@ -6340,8 +6340,8 @@ { "cve": "CVE-2017-14159", "epss": 0.00123, - "percentile": 0.32248, - "date": "2025-12-14" + "percentile": 0.32198, + "date": "2025-12-15" } ], "cwes": [ @@ -6400,8 +6400,8 @@ { "cve": "CVE-2017-14159", "epss": 0.00123, - "percentile": 0.32248, - "date": "2025-12-14" + "percentile": 0.32198, + "date": "2025-12-15" } ], "cwes": [ @@ -6485,8 +6485,8 @@ { "cve": "CVE-2023-31438", "epss": 0.001, - "percentile": 0.2847, - "date": "2025-12-14" + "percentile": 0.28437, + "date": "2025-12-15" } ], "cwes": [ @@ -6535,8 +6535,8 @@ { "cve": "CVE-2023-31438", "epss": 0.001, - "percentile": 0.2847, - "date": "2025-12-14" + "percentile": 0.28437, + "date": "2025-12-15" } ], "cwes": [ @@ -6611,8 +6611,8 @@ { "cve": "CVE-2023-31438", "epss": 0.001, - "percentile": 0.2847, - "date": "2025-12-14" + "percentile": 0.28437, + "date": "2025-12-15" } ], "cwes": [ @@ -6661,8 +6661,8 @@ { "cve": "CVE-2023-31438", "epss": 0.001, - "percentile": 0.2847, - "date": "2025-12-14" + "percentile": 0.28437, + "date": "2025-12-15" } ], "cwes": [ @@ -6733,8 +6733,8 @@ { "cve": "CVE-2023-31439", "epss": 0.00094, - "percentile": 0.26906, - "date": "2025-12-14" + "percentile": 0.26877, + "date": "2025-12-15" } ], "cwes": [ @@ -6783,8 +6783,8 @@ { "cve": "CVE-2023-31439", "epss": 0.00094, - "percentile": 0.26906, - "date": "2025-12-14" + "percentile": 0.26877, + "date": "2025-12-15" } ], "cwes": [ @@ -6859,8 +6859,8 @@ { "cve": "CVE-2023-31439", "epss": 0.00094, - "percentile": 0.26906, - "date": "2025-12-14" + "percentile": 0.26877, + "date": "2025-12-15" } ], "cwes": [ @@ -6909,8 +6909,8 @@ { "cve": "CVE-2023-31439", "epss": 0.00094, - "percentile": 0.26906, - "date": "2025-12-14" + "percentile": 0.26877, + "date": "2025-12-15" } ], "cwes": [ 
@@ -6981,8 +6981,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -7029,8 +7029,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -7114,8 +7114,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -7162,8 +7162,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -7238,8 +7238,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -7286,8 +7286,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -7367,8 +7367,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -7415,8 +7415,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -7491,8 +7491,8 @@ { "cve": "CVE-2013-4392", "epss": 0.00057, - "percentile": 0.17828, - "date": "2025-12-14" + "percentile": 0.17808, + "date": "2025-12-15" } ], "cwes": [ @@ -7558,8 +7558,8 @@ { "cve": "CVE-2013-4392", "epss": 0.00057, - "percentile": 0.17828, - "date": "2025-12-14" + "percentile": 0.17808, + "date": "2025-12-15" } ], "cwes": [ @@ -7640,8 +7640,8 @@ { "cve": "CVE-2013-4392", "epss": 0.00057, - "percentile": 0.17828, - "date": "2025-12-14" + "percentile": 0.17808, + "date": "2025-12-15" } ], "cwes": [ 
@@ -7707,8 +7707,8 @@ { "cve": "CVE-2013-4392", "epss": 0.00057, - "percentile": 0.17828, - "date": "2025-12-14" + "percentile": 0.17808, + "date": "2025-12-15" } ], "cwes": [ @@ -7785,8 +7785,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -7846,8 +7846,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -7954,8 +7954,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -8015,8 +8015,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -8091,8 +8091,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -8152,8 +8152,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -8256,8 +8256,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -8317,8 +8317,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -8416,8 +8416,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -8477,8 +8477,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ 
@@ -8576,8 +8576,8 @@ { "cve": "CVE-2025-27587", "epss": 0.00035, - "percentile": 0.101, - "date": "2025-12-14" + "percentile": 0.10027, + "date": "2025-12-15" } ], "cwes": [ @@ -8624,8 +8624,8 @@ { "cve": "CVE-2025-27587", "epss": 0.00035, - "percentile": 0.101, - "date": "2025-12-14" + "percentile": 0.10027, + "date": "2025-12-15" } ], "cwes": [ @@ -8721,8 +8721,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ], "fix": { @@ -8763,8 +8763,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ] } 
@@ -9199,87 +9199,87 @@ "db": { "status": { "schemaVersion": "v6.1.3", - "from": "https://grype.anchore.io/databases/v6/vulnerability-db_v6.1.3_2025-12-15T00:26:22Z_1765786837.tar.zst?checksum=sha256%3A819b50d22f073b9ab2ad3c00d212207037c07e1de037f81b528b58717b758db2", - "built": "2025-12-15T08:20:37Z", + "from": "https://grype.anchore.io/databases/v6/vulnerability-db_v6.1.3_2025-12-16T00:25:11Z_1765880790.tar.zst?checksum=sha256%3Aa8bb3ef2cc68f242e78cda1e451f290ff56a23b1063de65d22a0ac20e16ae5bd", + "built": "2025-12-16T10:26:30Z", "path": ".cache/grype/db/6/vulnerability.db", "valid": true }, "providers": { "alma": { - "captured": "2025-12-15T00:26:29Z", + "captured": "2025-12-16T00:25:17Z", "input": "xxh64:3bae44c7a22f7a7a" }, "alpine": { - "captured": "2025-12-15T00:26:22Z", - "input": "xxh64:a6910ebae352b990" + "captured": "2025-12-16T00:25:13Z", + "input": "xxh64:0d94cc3d895e96e4" }, "amazon": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:d9332811ab10da09" + "captured": "2025-12-16T00:25:14Z", + "input": "xxh64:96351b3c21f16cdd" }, "bitnami": { - "captured": "2025-12-15T00:26:31Z", - "input": "xxh64:1ecf12b668dea077" + "captured": "2025-12-16T00:25:26Z", + "input": "xxh64:01d096e52d6c584d" }, "chainguard": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:c788b1823558ccdc" + "captured": "2025-12-16T00:25:19Z", + "input": "xxh64:aeb142b1fabd05ef" }, "chainguard-libraries": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:61125e10198fff74" + "captured": "2025-12-16T00:25:25Z", + "input": "xxh64:131c1a3e98113468" }, "debian": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:3a0aef0ee5db3f38" + "captured": "2025-12-16T00:25:24Z", + "input": "xxh64:9c5942d58a5f0d0a" }, "echo": { - "captured": "2025-12-15T00:26:34Z", - "input": "xxh64:b407f1052619408a" + "captured": "2025-12-16T00:25:20Z", + "input": "xxh64:e65ed35a7a7899d0" }, "epss": { - "captured": "2025-12-15T00:26:28Z", - "input": "xxh64:05fd1e2ee709d2a5" + "captured": 
"2025-12-16T00:25:21Z", + "input": "xxh64:c443dbaf0209cf17" }, "github": { - "captured": "2025-12-15T00:26:44Z", - "input": "xxh64:3c7fd996a88f1c66" + "captured": "2025-12-16T00:25:21Z", + "input": "xxh64:640038905439d285" }, "kev": { - "captured": "2025-12-15T00:26:23Z", - "input": "xxh64:ed425533655d771d" + "captured": "2025-12-16T00:25:11Z", + "input": "xxh64:c28f5b32e2103243" }, "mariner": { - "captured": "2025-12-15T00:26:32Z", - "input": "xxh64:6fdbff1192df3158" + "captured": "2025-12-16T00:25:18Z", + "input": "xxh64:647810a8c07a63eb" }, "minimos": { - "captured": "2025-12-15T00:26:30Z", - "input": "xxh64:66fa9397e7abbbe3" + "captured": "2025-12-16T00:25:20Z", + "input": "xxh64:24ca3b7889974a27" }, "nvd": { - "captured": "2025-12-15T00:29:34Z", - "input": "xxh64:52a15157244d2eb4" + "captured": "2025-12-16T00:28:18Z", + "input": "xxh64:8ee1877e9a9e680b" }, "oracle": { - "captured": "2025-12-15T00:26:29Z", - "input": "xxh64:a3297070ed6c54c1" + "captured": "2025-12-16T00:25:23Z", + "input": "xxh64:a4416b6b3e4250df" }, "rhel": { - "captured": "2025-12-15T00:27:19Z", - "input": "xxh64:e625d0086bf187f1" + "captured": "2025-12-16T00:26:07Z", + "input": "xxh64:9911b1a567d8f57c" }, "sles": { - "captured": "2025-12-15T00:26:44Z", - "input": "xxh64:baf8228a110f8ba2" + "captured": "2025-12-16T00:25:43Z", + "input": "xxh64:1b717d5f2e45fdee" }, "ubuntu": { - "captured": "2025-12-15T00:27:45Z", - "input": "xxh64:dd0f79d777310979" + "captured": "2025-12-16T00:27:14Z", + "input": "xxh64:2d3097578288b46f" }, "wolfi": { - "captured": "2025-12-15T00:26:25Z", - "input": "xxh64:7f14313934ae61bb" + "captured": "2025-12-16T00:25:19Z", + "input": "xxh64:f85923693eb62700" } } } diff --git a/docs/security/oss/grype-4.0.6.json b/docs/security/oss/grype-4.0.6.json index 9b4e7c8..af50501 100644 --- a/docs/security/oss/grype-4.0.6.json +++ b/docs/security/oss/grype-4.0.6.json 
@@ -26,8 +26,8 @@ { "cve": "CVE-2023-2953", "epss": 0.01466, - "percentile": 0.80391, - "date": "2025-12-14" + "percentile": 0.80389, + "date": "2025-12-15" } ], "cwes": [ @@ -105,8 +105,8 @@ { "cve": "CVE-2023-2953", "epss": 0.01466, - "percentile": 0.80391, - "date": "2025-12-14" + "percentile": 0.80389, + "date": "2025-12-15" } ], "cwes": [ @@ -202,8 +202,8 @@ { "cve": "CVE-2011-3389", "epss": 0.03795, - "percentile": 0.8769, - "date": "2025-12-14" + "percentile": 0.87688, + "date": "2025-12-15" } ], "cwes": [ @@ -337,8 +337,8 @@ { "cve": "CVE-2011-3389", "epss": 0.03795, - "percentile": 0.8769, - "date": "2025-12-14" + "percentile": 0.87688, + "date": "2025-12-15" } ], "cwes": [ @@ -413,8 +413,8 @@ { "cve": "CVE-2015-3276", "epss": 0.02852, - "percentile": 0.8578, - "date": "2025-12-14" + "percentile": 0.85775, + "date": "2025-12-15" } ], "fix": { @@ -467,8 +467,8 @@ { "cve": "CVE-2015-3276", "epss": 0.02852, - "percentile": 0.8578, - "date": "2025-12-14" + "percentile": 0.85775, + "date": "2025-12-15" } ] } @@ -544,8 +544,8 @@ { "cve": "CVE-2018-20796", "epss": 0.01669, - "percentile": 0.8162, - "date": "2025-12-14" + "percentile": 0.81616, + "date": "2025-12-15" } ], "cwes": [ @@ -607,8 +607,8 @@ { "cve": "CVE-2018-20796", "epss": 0.01669, - "percentile": 0.8162, - "date": "2025-12-14" + "percentile": 0.81616, + "date": "2025-12-15" } ], "cwes": [ @@ -702,8 +702,8 @@ { "cve": "CVE-2017-17740", "epss": 0.01643, - "percentile": 0.81471, - "date": "2025-12-14" + "percentile": 0.81467, + "date": "2025-12-15" } ], "cwes": [ @@ -765,8 +765,8 @@ { "cve": "CVE-2017-17740", "epss": 0.01643, - "percentile": 0.81471, - "date": "2025-12-14" + "percentile": 0.81467, + "date": "2025-12-15" } ], "cwes": [ @@ -863,8 +863,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ], "fix": { 
@@ -905,8 +905,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ] } @@ -986,8 +986,8 @@ { "cve": "CVE-2025-8715", "epss": 0.00072, - "percentile": 0.2224, - "date": "2025-12-14" + "percentile": 0.22219, + "date": "2025-12-15" } ], "cwes": [ @@ -1042,8 +1042,8 @@ { "cve": "CVE-2025-8715", "epss": 0.00072, - "percentile": 0.2224, - "date": "2025-12-14" + "percentile": 0.22219, + "date": "2025-12-15" } ], "cwes": [ @@ -1121,8 +1121,8 @@ { "cve": "CVE-2019-9192", "epss": 0.00942, - "percentile": 0.75629, - "date": "2025-12-14" + "percentile": 0.75628, + "date": "2025-12-15" } ], "cwes": [ @@ -1181,8 +1181,8 @@ { "cve": "CVE-2019-9192", "epss": 0.00942, - "percentile": 0.75629, - "date": "2025-12-14" + "percentile": 0.75628, + "date": "2025-12-15" } ], "cwes": [ @@ -1276,8 +1276,8 @@ { "cve": "CVE-2025-0725", "epss": 0.00904, - "percentile": 0.75077, - "date": "2025-12-14" + "percentile": 0.7508, + "date": "2025-12-15" } ], "cwes": [ @@ -1330,8 +1330,8 @@ { "cve": "CVE-2025-0725", "epss": 0.00904, - "percentile": 0.75077, - "date": "2025-12-14" + "percentile": 0.7508, + "date": "2025-12-15" } ], "cwes": [ @@ -1419,8 +1419,8 @@ { "cve": "CVE-2025-10148", "epss": 0.0007, - "percentile": 0.21525, - "date": "2025-12-14" + "percentile": 0.21504, + "date": "2025-12-15" } ], "fix": { @@ -1463,8 +1463,8 @@ { "cve": "CVE-2025-10148", "epss": 0.0007, - "percentile": 0.21525, - "date": "2025-12-14" + "percentile": 0.21504, + "date": "2025-12-15" } ] } @@ -1531,8 +1531,8 @@ { "cve": "CVE-2010-4756", "epss": 0.00691, - "percentile": 0.71132, - "date": "2025-12-14" + "percentile": 0.71128, + "date": "2025-12-15" } ], "cwes": [ @@ -1583,8 +1583,8 @@ { "cve": "CVE-2010-4756", "epss": 0.00691, - "percentile": 0.71132, - "date": "2025-12-14" + "percentile": 0.71128, + "date": "2025-12-15" } ], "cwes": [ 
@@ -1667,96 +1667,94 @@ }, { "vulnerability": { - "id": "CVE-2018-6829", - "dataSource": "https://security-tracker.debian.org/tracker/CVE-2018-6829", + "id": "CVE-2025-12818", + "dataSource": "https://security-tracker.debian.org/tracker/CVE-2025-12818", "namespace": "debian:distro:debian:12", - "severity": "Negligible", + "severity": "Medium", "urls": [], - "description": "cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.", - "cvss": [], + "description": "Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application using libpq. 
Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.", + "cvss": [ + { + "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.9, + "exploitabilityScore": 2.3, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ], "epss": [ { - "cve": "CVE-2018-6829", - "epss": 0.00577, - "percentile": 0.68044, - "date": "2025-12-14" + "cve": "CVE-2025-12818", + "epss": 0.00057, + "percentile": 0.1792, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2018-6829", - "cwe": "CWE-327", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2025-12818", + "cwe": "CWE-190", + "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", + "type": "Secondary" } ], "fix": { "versions": [], - "state": "not-fixed" + "state": "wont-fix" }, "advisories": [], - "risk": 0.02885 + "risk": 0.031065 }, "relatedVulnerabilities": [ { - "id": "CVE-2018-6829", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2018-6829", + "id": "CVE-2025-12818", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-12818", "namespace": "nvd:cpe", - "severity": "High", + "severity": "Medium", "urls": [ - "https://github.com/weikengchen/attack-on-libgcrypt-elgamal", - "https://github.com/weikengchen/attack-on-libgcrypt-elgamal/wiki", - "https://lists.gnupg.org/pipermail/gcrypt-devel/2018-February/004394.html", - "https://www.oracle.com/security-alerts/cpujan2020.html" + "https://www.postgresql.org/support/security/CVE-2025-12818/" ], - "description": "cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). 
The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.", + "description": "Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application using libpq. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.", "cvss": [ { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "3.0", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} - }, - { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "2.0", - "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", - "metrics": { - "baseScore": 5, - "exploitabilityScore": 10, - "impactScore": 2.9 - }, - "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2018-6829", - "epss": 0.00577, - "percentile": 0.68044, - "date": "2025-12-14" + "cve": "CVE-2025-12818", + "epss": 0.00057, + "percentile": 0.1792, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2018-6829", - "cwe": "CWE-327", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2025-12818", + "cwe": "CWE-190", + "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", + "type": "Secondary" } ] } ], "matchDetails": [ { - "type": "exact-direct-match", + "type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": { "distro": { 
@@ -1764,27 +1762,27 @@ "version": "12" }, "package": { - "name": "libgcrypt20", - "version": "1.10.1-3" + "name": "postgresql-15", + "version": "15.13-0+deb12u1" }, "namespace": "debian:distro:debian:12" }, "found": { - "vulnerabilityID": "CVE-2018-6829", + "vulnerabilityID": "CVE-2025-12818", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "aa143951e2980797", - "name": "libgcrypt20", - "version": "1.10.1-3", + "id": "11769cd41fdc5daa", + "name": "libpq5", + "version": "15.13-0+deb12u1", "type": "deb", "locations": [ { - "path": "/var/lib/dpkg/status.d/libgcrypt20", + "path": "/var/lib/dpkg/status.d/libpq5", "layerID": "sha256:c50e2491877490906be6ab542e8699363b77483314e53074ead89a6c34f9dc7d", - "accessPath": "/var/lib/dpkg/status.d/libgcrypt20", + "accessPath": "/var/lib/dpkg/status.d/libpq5", "annotations": { "evidence": "primary" } 
@@ -1793,102 +1791,108 @@ "language": "", "licenses": [], "cpes": [ - "cpe:2.3:a:libgcrypt20:libgcrypt20:1.10.1-3:*:*:*:*:*:*:*" + "cpe:2.3:a:libpq5:libpq5:15.13-0\\+deb12u1:*:*:*:*:*:*:*" ], - "purl": "pkg:deb/debian/libgcrypt20@1.10.1-3?arch=amd64&distro=debian-12", - "upstreams": [] + "purl": "pkg:deb/debian/libpq5@15.13-0%2Bdeb12u1?arch=amd64&distro=debian-12&upstream=postgresql-15", + "upstreams": [ + { + "name": "postgresql-15" + } + ] } }, { "vulnerability": { - "id": "CVE-2025-12818", - "dataSource": "https://security-tracker.debian.org/tracker/CVE-2025-12818", + "id": "CVE-2018-6829", + "dataSource": "https://security-tracker.debian.org/tracker/CVE-2018-6829", "namespace": "debian:distro:debian:12", - "severity": "Medium", + "severity": "Negligible", "urls": [], - "description": "Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application using libpq. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.", - "cvss": [ - { - "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", - "type": "Secondary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", - "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, - "impactScore": 3.6 - }, - "vendorMetadata": {} - } - ], + "description": "cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). 
The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.", + "cvss": [], "epss": [ { - "cve": "CVE-2025-12818", - "epss": 0.00052, - "percentile": 0.16429, - "date": "2025-12-14" + "cve": "CVE-2018-6829", + "epss": 0.00577, + "percentile": 0.6804, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-12818", - "cwe": "CWE-190", - "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", - "type": "Secondary" + "cve": "CVE-2018-6829", + "cwe": "CWE-327", + "source": "nvd@nist.gov", + "type": "Primary" } ], "fix": { "versions": [], - "state": "wont-fix" + "state": "not-fixed" }, "advisories": [], - "risk": 0.02834 + "risk": 0.02885 }, "relatedVulnerabilities": [ { - "id": "CVE-2025-12818", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-12818", + "id": "CVE-2018-6829", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2018-6829", "namespace": "nvd:cpe", - "severity": "Medium", + "severity": "High", "urls": [ - "https://www.postgresql.org/support/security/CVE-2025-12818/" + "https://github.com/weikengchen/attack-on-libgcrypt-elgamal", + "https://github.com/weikengchen/attack-on-libgcrypt-elgamal/wiki", + "https://lists.gnupg.org/pipermail/gcrypt-devel/2018-February/004394.html", + "https://www.oracle.com/security-alerts/cpujan2020.html" ], - "description": "Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application using libpq. 
Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.", + "description": "cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.", "cvss": [ { - "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", - "type": "Secondary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.0", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, + "baseScore": 7.5, + "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", + "metrics": { + "baseScore": 5, + "exploitabilityScore": 10, + "impactScore": 2.9 + }, + "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2025-12818", - "epss": 0.00052, - "percentile": 0.16429, - "date": "2025-12-14" + "cve": "CVE-2018-6829", + "epss": 0.00577, + "percentile": 0.6804, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-12818", - "cwe": "CWE-190", - "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", - "type": "Secondary" + "cve": "CVE-2018-6829", + "cwe": "CWE-327", + "source": "nvd@nist.gov", + "type": "Primary" } ] } ], "matchDetails": [ { - "type": "exact-indirect-match", + "type": "exact-direct-match", "matcher": "dpkg-matcher", "searchedBy": { "distro": { 
@@ -1896,27 +1900,27 @@ "version": "12" }, "package": { - "name": "postgresql-15", - "version": "15.13-0+deb12u1" + "name": "libgcrypt20", + "version": "1.10.1-3" }, "namespace": "debian:distro:debian:12" }, "found": { - "vulnerabilityID": "CVE-2025-12818", + "vulnerabilityID": "CVE-2018-6829", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "11769cd41fdc5daa", - "name": "libpq5", - "version": "15.13-0+deb12u1", + "id": "aa143951e2980797", + "name": "libgcrypt20", + "version": "1.10.1-3", "type": "deb", "locations": [ { - "path": "/var/lib/dpkg/status.d/libpq5", + "path": "/var/lib/dpkg/status.d/libgcrypt20", "layerID": "sha256:c50e2491877490906be6ab542e8699363b77483314e53074ead89a6c34f9dc7d", - "accessPath": "/var/lib/dpkg/status.d/libpq5", + "accessPath": "/var/lib/dpkg/status.d/libgcrypt20", "annotations": { "evidence": "primary" } @@ -1925,14 +1929,10 @@ "language": "", "licenses": [], "cpes": [ - "cpe:2.3:a:libpq5:libpq5:15.13-0\\+deb12u1:*:*:*:*:*:*:*" + "cpe:2.3:a:libgcrypt20:libgcrypt20:1.10.1-3:*:*:*:*:*:*:*" ], - "purl": "pkg:deb/debian/libpq5@15.13-0%2Bdeb12u1?arch=amd64&distro=debian-12&upstream=postgresql-15", - "upstreams": [ - { - "name": "postgresql-15" - } - ] + "purl": "pkg:deb/debian/libgcrypt20@1.10.1-3?arch=amd64&distro=debian-12", + "upstreams": [] } }, { @@ -1961,8 +1961,8 @@ { "cve": "CVE-2025-3576", "epss": 0.0005, - "percentile": 0.15798, - "date": "2025-12-14" + "percentile": 0.15765, + "date": "2025-12-15" } ], "cwes": [ @@ -2031,8 +2031,8 @@ { "cve": "CVE-2025-3576", "epss": 0.0005, - "percentile": 0.15798, - "date": "2025-12-14" + "percentile": 0.15765, + "date": "2025-12-15" } ], "cwes": [ @@ -2132,8 +2132,8 @@ { "cve": "CVE-2025-3576", "epss": 0.0005, - "percentile": 0.15798, - "date": "2025-12-14" + "percentile": 0.15765, + "date": "2025-12-15" } ], "cwes": [ 
@@ -2202,8 +2202,8 @@ { "cve": "CVE-2025-3576", "epss": 0.0005, - "percentile": 0.15798, - "date": "2025-12-14" + "percentile": 0.15765, + "date": "2025-12-15" } ], "cwes": [ @@ -2294,8 +2294,8 @@ { "cve": "CVE-2025-3576", "epss": 0.0005, - "percentile": 0.15798, - "date": "2025-12-14" + "percentile": 0.15765, + "date": "2025-12-15" } ], "cwes": [ @@ -2364,8 +2364,8 @@ { "cve": "CVE-2025-3576", "epss": 0.0005, - "percentile": 0.15798, - "date": "2025-12-14" + "percentile": 0.15765, + "date": "2025-12-15" } ], "cwes": [ @@ -2461,8 +2461,8 @@ { "cve": "CVE-2025-3576", "epss": 0.0005, - "percentile": 0.15798, - "date": "2025-12-14" + "percentile": 0.15765, + "date": "2025-12-15" } ], "cwes": [ @@ -2531,8 +2531,8 @@ { "cve": "CVE-2025-3576", "epss": 0.0005, - "percentile": 0.15798, - "date": "2025-12-14" + "percentile": 0.15765, + "date": "2025-12-15" } ], "cwes": [ @@ -2623,8 +2623,8 @@ { "cve": "CVE-2025-8714", "epss": 0.00032, - "percentile": 0.0894, - "date": "2025-12-14" + "percentile": 0.08868, + "date": "2025-12-15" } ], "cwes": [ @@ -2679,8 +2679,8 @@ { "cve": "CVE-2025-8714", "epss": 0.00032, - "percentile": 0.0894, - "date": "2025-12-14" + "percentile": 0.08868, + "date": "2025-12-15" } ], "cwes": [ @@ -2758,8 +2758,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -2818,8 +2818,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -2903,8 +2903,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -2963,8 +2963,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ 
@@ -3039,8 +3039,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -3099,8 +3099,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -3180,8 +3180,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -3240,8 +3240,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -3329,8 +3329,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ @@ -3405,8 +3405,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ @@ -3511,8 +3511,8 @@ { "cve": "CVE-2019-1010024", "epss": 0.00364, - "percentile": 0.5785, - "date": "2025-12-14" + "percentile": 0.57833, + "date": "2025-12-15" } ], "cwes": [ @@ -3575,8 +3575,8 @@ { "cve": "CVE-2019-1010024", "epss": 0.00364, - "percentile": 0.5785, - "date": "2025-12-14" + "percentile": 0.57833, + "date": "2025-12-15" } ], "cwes": [ @@ -3685,8 +3685,8 @@ { "cve": "CVE-2025-29478", "epss": 0.00034, - "percentile": 0.09478, - "date": "2025-12-14" + "percentile": 0.09393, + "date": "2025-12-15" } ], "cwes": [ @@ -3765,8 +3765,8 @@ { "cve": "CVE-2019-1010025", "epss": 0.00356, - "percentile": 0.5727, - "date": "2025-12-14" + "percentile": 0.57254, + "date": "2025-12-15" } ], "cwes": [ @@ -3828,8 +3828,8 @@ { "cve": "CVE-2019-1010025", "epss": 0.00356, - "percentile": 0.5727, - "date": "2025-12-14" + "percentile": 0.57254, + "date": "2025-12-15" } ], "cwes": [ 
@@ -3936,8 +3936,8 @@ { "cve": "CVE-2025-8713", "epss": 0.00057, - "percentile": 0.17875, - "date": "2025-12-14" + "percentile": 0.17855, + "date": "2025-12-15" } ], "cwes": [ @@ -3992,8 +3992,8 @@ { "cve": "CVE-2025-8713", "epss": 0.00057, - "percentile": 0.17875, - "date": "2025-12-14" + "percentile": 0.17855, + "date": "2025-12-15" } ], "cwes": [ @@ -4071,8 +4071,8 @@ { "cve": "CVE-2019-1010023", "epss": 0.00346, - "percentile": 0.5661, - "date": "2025-12-14" + "percentile": 0.56596, + "date": "2025-12-15" } ], "fix": { @@ -4138,8 +4138,8 @@ { "cve": "CVE-2019-1010023", "epss": 0.00346, - "percentile": 0.5661, - "date": "2025-12-14" + "percentile": 0.56596, + "date": "2025-12-15" } ] } @@ -4236,8 +4236,8 @@ { "cve": "CVE-2025-8058", "epss": 0.00031, - "percentile": 0.08295, - "date": "2025-12-14" + "percentile": 0.08225, + "date": "2025-12-15" } ], "cwes": [ @@ -4292,8 +4292,8 @@ { "cve": "CVE-2025-8058", "epss": 0.00031, - "percentile": 0.08295, - "date": "2025-12-14" + "percentile": 0.08225, + "date": "2025-12-15" } ], "cwes": [ @@ -4403,8 +4403,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -4470,8 +4470,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -4582,9 +4582,9 @@ "epss": [ { "cve": "CVE-2025-12817", - "epss": 0.0004, - "percentile": 0.11878, - "date": "2025-12-14" + "epss": 0.00046, + "percentile": 0.14034, + "date": "2025-12-15" } ], "cwes": [ @@ -4600,7 +4600,7 @@ "state": "wont-fix" }, "advisories": [], - "risk": 0.012199999999999999 + "risk": 0.014029999999999999 }, "relatedVulnerabilities": [ { @@ -4629,9 +4629,9 @@ "epss": [ { "cve": "CVE-2025-12817", - "epss": 0.0004, - "percentile": 0.11878, - "date": "2025-12-14" + "epss": 0.00046, + "percentile": 0.14034, + "date": "2025-12-15" } ], "cwes": [ 
@@ -4706,8 +4706,8 @@ { "cve": "CVE-2024-2236", "epss": 0.00222, - "percentile": 0.44746, - "date": "2025-12-14" + "percentile": 0.44727, + "date": "2025-12-15" } ], "cwes": [ @@ -4758,8 +4758,8 @@ { "cve": "CVE-2024-2236", "epss": 0.00222, - "percentile": 0.44746, - "date": "2025-12-14" + "percentile": 0.44727, + "date": "2025-12-15" } ], "cwes": [ @@ -4830,8 +4830,8 @@ { "cve": "CVE-2020-15719", "epss": 0.00216, - "percentile": 0.44145, - "date": "2025-12-14" + "percentile": 0.44125, + "date": "2025-12-15" } ], "cwes": [ @@ -4895,8 +4895,8 @@ { "cve": "CVE-2020-15719", "epss": 0.00216, - "percentile": 0.44145, - "date": "2025-12-14" + "percentile": 0.44125, + "date": "2025-12-15" } ], "cwes": [ @@ -4980,8 +4980,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -5028,8 +5028,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -5113,8 +5113,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -5161,8 +5161,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -5237,8 +5237,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -5285,8 +5285,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -5366,8 +5366,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ 
@@ -5414,8 +5414,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -5490,8 +5490,8 @@ { "cve": "CVE-2024-2379", "epss": 0.00205, - "percentile": 0.42752, - "date": "2025-12-14" + "percentile": 0.42737, + "date": "2025-12-15" } ], "cwes": [ @@ -5547,8 +5547,8 @@ { "cve": "CVE-2024-2379", "epss": 0.00205, - "percentile": 0.42752, - "date": "2025-12-14" + "percentile": 0.42737, + "date": "2025-12-15" } ], "cwes": [ @@ -5638,8 +5638,8 @@ { "cve": "CVE-2025-29477", "epss": 0.00019, - "percentile": 0.04132, - "date": "2025-12-14" + "percentile": 0.04084, + "date": "2025-12-15" } ], "cwes": [ @@ -5731,8 +5731,8 @@ { "cve": "CVE-2025-4802", "epss": 0.00012, - "percentile": 0.01157, - "date": "2025-12-14" + "percentile": 0.01154, + "date": "2025-12-15" } ], "cwes": [ @@ -5791,8 +5791,8 @@ { "cve": "CVE-2025-4802", "epss": 0.00012, - "percentile": 0.01157, - "date": "2025-12-14" + "percentile": 0.01154, + "date": "2025-12-15" } ], "cwes": [ @@ -5889,8 +5889,8 @@ { "cve": "CVE-2019-1010022", "epss": 0.00145, - "percentile": 0.35451, - "date": "2025-12-14" + "percentile": 0.35413, + "date": "2025-12-15" } ], "cwes": [ @@ -5951,8 +5951,8 @@ { "cve": "CVE-2019-1010022", "epss": 0.00145, - "percentile": 0.35451, - "date": "2025-12-14" + "percentile": 0.35413, + "date": "2025-12-15" } ], "cwes": [ @@ -6046,8 +6046,8 @@ { "cve": "CVE-2023-31437", "epss": 0.00128, - "percentile": 0.32956, - "date": "2025-12-14" + "percentile": 0.32907, + "date": "2025-12-15" } ], "cwes": [ @@ -6113,8 +6113,8 @@ { "cve": "CVE-2023-31437", "epss": 0.00128, - "percentile": 0.32956, - "date": "2025-12-14" + "percentile": 0.32907, + "date": "2025-12-15" } ], "cwes": [ @@ -6195,8 +6195,8 @@ { "cve": "CVE-2023-31437", "epss": 0.00128, - "percentile": 0.32956, - "date": "2025-12-14" + "percentile": 0.32907, + "date": "2025-12-15" } ], "cwes": [ 
@@ -6262,8 +6262,8 @@ { "cve": "CVE-2023-31437", "epss": 0.00128, - "percentile": 0.32956, - "date": "2025-12-14" + "percentile": 0.32907, + "date": "2025-12-15" } ], "cwes": [ @@ -6340,8 +6340,8 @@ { "cve": "CVE-2017-14159", "epss": 0.00123, - "percentile": 0.32248, - "date": "2025-12-14" + "percentile": 0.32198, + "date": "2025-12-15" } ], "cwes": [ @@ -6400,8 +6400,8 @@ { "cve": "CVE-2017-14159", "epss": 0.00123, - "percentile": 0.32248, - "date": "2025-12-14" + "percentile": 0.32198, + "date": "2025-12-15" } ], "cwes": [ @@ -6485,8 +6485,8 @@ { "cve": "CVE-2023-31438", "epss": 0.001, - "percentile": 0.2847, - "date": "2025-12-14" + "percentile": 0.28437, + "date": "2025-12-15" } ], "cwes": [ @@ -6535,8 +6535,8 @@ { "cve": "CVE-2023-31438", "epss": 0.001, - "percentile": 0.2847, - "date": "2025-12-14" + "percentile": 0.28437, + "date": "2025-12-15" } ], "cwes": [ @@ -6611,8 +6611,8 @@ { "cve": "CVE-2023-31438", "epss": 0.001, - "percentile": 0.2847, - "date": "2025-12-14" + "percentile": 0.28437, + "date": "2025-12-15" } ], "cwes": [ @@ -6661,8 +6661,8 @@ { "cve": "CVE-2023-31438", "epss": 0.001, - "percentile": 0.2847, - "date": "2025-12-14" + "percentile": 0.28437, + "date": "2025-12-15" } ], "cwes": [ @@ -6733,8 +6733,8 @@ { "cve": "CVE-2023-31439", "epss": 0.00094, - "percentile": 0.26906, - "date": "2025-12-14" + "percentile": 0.26877, + "date": "2025-12-15" } ], "cwes": [ @@ -6783,8 +6783,8 @@ { "cve": "CVE-2023-31439", "epss": 0.00094, - "percentile": 0.26906, - "date": "2025-12-14" + "percentile": 0.26877, + "date": "2025-12-15" } ], "cwes": [ @@ -6859,8 +6859,8 @@ { "cve": "CVE-2023-31439", "epss": 0.00094, - "percentile": 0.26906, - "date": "2025-12-14" + "percentile": 0.26877, + "date": "2025-12-15" } ], "cwes": [ @@ -6909,8 +6909,8 @@ { "cve": "CVE-2023-31439", "epss": 0.00094, - "percentile": 0.26906, - "date": "2025-12-14" + "percentile": 0.26877, + "date": "2025-12-15" } ], "cwes": [ 
@@ -6981,8 +6981,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -7029,8 +7029,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -7114,8 +7114,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -7162,8 +7162,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -7238,8 +7238,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -7286,8 +7286,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -7367,8 +7367,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -7415,8 +7415,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -7491,8 +7491,8 @@ { "cve": "CVE-2013-4392", "epss": 0.00057, - "percentile": 0.17828, - "date": "2025-12-14" + "percentile": 0.17808, + "date": "2025-12-15" } ], "cwes": [ @@ -7558,8 +7558,8 @@ { "cve": "CVE-2013-4392", "epss": 0.00057, - "percentile": 0.17828, - "date": "2025-12-14" + "percentile": 0.17808, + "date": "2025-12-15" } ], "cwes": [ @@ -7640,8 +7640,8 @@ { "cve": "CVE-2013-4392", "epss": 0.00057, - "percentile": 0.17828, - "date": "2025-12-14" + "percentile": 0.17808, + "date": "2025-12-15" } ], "cwes": [ 
@@ -7707,8 +7707,8 @@ { "cve": "CVE-2013-4392", "epss": 0.00057, - "percentile": 0.17828, - "date": "2025-12-14" + "percentile": 0.17808, + "date": "2025-12-15" } ], "cwes": [ @@ -7785,8 +7785,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -7846,8 +7846,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -7954,8 +7954,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -8015,8 +8015,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -8091,8 +8091,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -8152,8 +8152,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -8256,8 +8256,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -8317,8 +8317,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -8416,8 +8416,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -8477,8 +8477,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ 
@@ -8576,8 +8576,8 @@ { "cve": "CVE-2025-27587", "epss": 0.00035, - "percentile": 0.101, - "date": "2025-12-14" + "percentile": 0.10027, + "date": "2025-12-15" } ], "cwes": [ @@ -8624,8 +8624,8 @@ { "cve": "CVE-2025-27587", "epss": 0.00035, - "percentile": 0.101, - "date": "2025-12-14" + "percentile": 0.10027, + "date": "2025-12-15" } ], "cwes": [ @@ -8721,8 +8721,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ], "fix": { @@ -8763,8 +8763,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ] } 
@@ -9199,87 +9199,87 @@ "db": { "status": { "schemaVersion": "v6.1.3", - "from": "https://grype.anchore.io/databases/v6/vulnerability-db_v6.1.3_2025-12-15T00:26:22Z_1765786837.tar.zst?checksum=sha256%3A819b50d22f073b9ab2ad3c00d212207037c07e1de037f81b528b58717b758db2", - "built": "2025-12-15T08:20:37Z", + "from": "https://grype.anchore.io/databases/v6/vulnerability-db_v6.1.3_2025-12-16T00:25:11Z_1765880790.tar.zst?checksum=sha256%3Aa8bb3ef2cc68f242e78cda1e451f290ff56a23b1063de65d22a0ac20e16ae5bd", + "built": "2025-12-16T10:26:30Z", "path": ".cache/grype/db/6/vulnerability.db", "valid": true }, "providers": { "alma": { - "captured": "2025-12-15T00:26:29Z", + "captured": "2025-12-16T00:25:17Z", "input": "xxh64:3bae44c7a22f7a7a" }, "alpine": { - "captured": "2025-12-15T00:26:22Z", - "input": "xxh64:a6910ebae352b990" + "captured": "2025-12-16T00:25:13Z", + "input": "xxh64:0d94cc3d895e96e4" }, "amazon": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:d9332811ab10da09" + "captured": "2025-12-16T00:25:14Z", + "input": "xxh64:96351b3c21f16cdd" }, "bitnami": { - "captured": "2025-12-15T00:26:31Z", - "input": "xxh64:1ecf12b668dea077" + "captured": "2025-12-16T00:25:26Z", + "input": "xxh64:01d096e52d6c584d" }, "chainguard": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:c788b1823558ccdc" + "captured": "2025-12-16T00:25:19Z", + "input": "xxh64:aeb142b1fabd05ef" }, "chainguard-libraries": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:61125e10198fff74" + "captured": "2025-12-16T00:25:25Z", + "input": "xxh64:131c1a3e98113468" }, "debian": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:3a0aef0ee5db3f38" + "captured": "2025-12-16T00:25:24Z", + "input": "xxh64:9c5942d58a5f0d0a" }, "echo": { - "captured": "2025-12-15T00:26:34Z", - "input": "xxh64:b407f1052619408a" + "captured": "2025-12-16T00:25:20Z", + "input": "xxh64:e65ed35a7a7899d0" }, "epss": { - "captured": "2025-12-15T00:26:28Z", - "input": "xxh64:05fd1e2ee709d2a5" + "captured": 
"2025-12-16T00:25:21Z", + "input": "xxh64:c443dbaf0209cf17" }, "github": { - "captured": "2025-12-15T00:26:44Z", - "input": "xxh64:3c7fd996a88f1c66" + "captured": "2025-12-16T00:25:21Z", + "input": "xxh64:640038905439d285" }, "kev": { - "captured": "2025-12-15T00:26:23Z", - "input": "xxh64:ed425533655d771d" + "captured": "2025-12-16T00:25:11Z", + "input": "xxh64:c28f5b32e2103243" }, "mariner": { - "captured": "2025-12-15T00:26:32Z", - "input": "xxh64:6fdbff1192df3158" + "captured": "2025-12-16T00:25:18Z", + "input": "xxh64:647810a8c07a63eb" }, "minimos": { - "captured": "2025-12-15T00:26:30Z", - "input": "xxh64:66fa9397e7abbbe3" + "captured": "2025-12-16T00:25:20Z", + "input": "xxh64:24ca3b7889974a27" }, "nvd": { - "captured": "2025-12-15T00:29:34Z", - "input": "xxh64:52a15157244d2eb4" + "captured": "2025-12-16T00:28:18Z", + "input": "xxh64:8ee1877e9a9e680b" }, "oracle": { - "captured": "2025-12-15T00:26:29Z", - "input": "xxh64:a3297070ed6c54c1" + "captured": "2025-12-16T00:25:23Z", + "input": "xxh64:a4416b6b3e4250df" }, "rhel": { - "captured": "2025-12-15T00:27:19Z", - "input": "xxh64:e625d0086bf187f1" + "captured": "2025-12-16T00:26:07Z", + "input": "xxh64:9911b1a567d8f57c" }, "sles": { - "captured": "2025-12-15T00:26:44Z", - "input": "xxh64:baf8228a110f8ba2" + "captured": "2025-12-16T00:25:43Z", + "input": "xxh64:1b717d5f2e45fdee" }, "ubuntu": { - "captured": "2025-12-15T00:27:45Z", - "input": "xxh64:dd0f79d777310979" + "captured": "2025-12-16T00:27:14Z", + "input": "xxh64:2d3097578288b46f" }, "wolfi": { - "captured": "2025-12-15T00:26:25Z", - "input": "xxh64:7f14313934ae61bb" + "captured": "2025-12-16T00:25:19Z", + "input": "xxh64:f85923693eb62700" } } } diff --git a/docs/security/oss/grype-4.0.7.json b/docs/security/oss/grype-4.0.7.json index 75bd5e1..33b4283 100644 --- a/docs/security/oss/grype-4.0.7.json +++ b/docs/security/oss/grype-4.0.7.json 
@@ -26,8 +26,8 @@ { "cve": "CVE-2023-2953", "epss": 0.01466, - "percentile": 0.80391, - "date": "2025-12-14" + "percentile": 0.80389, + "date": "2025-12-15" } ], "cwes": [ @@ -105,8 +105,8 @@ { "cve": "CVE-2023-2953", "epss": 0.01466, - "percentile": 0.80391, - "date": "2025-12-14" + "percentile": 0.80389, + "date": "2025-12-15" } ], "cwes": [ @@ -202,8 +202,8 @@ { "cve": "CVE-2011-3389", "epss": 0.03795, - "percentile": 0.8769, - "date": "2025-12-14" + "percentile": 0.87688, + "date": "2025-12-15" } ], "cwes": [ @@ -337,8 +337,8 @@ { "cve": "CVE-2011-3389", "epss": 0.03795, - "percentile": 0.8769, - "date": "2025-12-14" + "percentile": 0.87688, + "date": "2025-12-15" } ], "cwes": [ @@ -413,8 +413,8 @@ { "cve": "CVE-2015-3276", "epss": 0.02852, - "percentile": 0.8578, - "date": "2025-12-14" + "percentile": 0.85775, + "date": "2025-12-15" } ], "fix": { @@ -467,8 +467,8 @@ { "cve": "CVE-2015-3276", "epss": 0.02852, - "percentile": 0.8578, - "date": "2025-12-14" + "percentile": 0.85775, + "date": "2025-12-15" } ] } @@ -544,8 +544,8 @@ { "cve": "CVE-2018-20796", "epss": 0.01669, - "percentile": 0.8162, - "date": "2025-12-14" + "percentile": 0.81616, + "date": "2025-12-15" } ], "cwes": [ @@ -607,8 +607,8 @@ { "cve": "CVE-2018-20796", "epss": 0.01669, - "percentile": 0.8162, - "date": "2025-12-14" + "percentile": 0.81616, + "date": "2025-12-15" } ], "cwes": [ @@ -702,8 +702,8 @@ { "cve": "CVE-2017-17740", "epss": 0.01643, - "percentile": 0.81471, - "date": "2025-12-14" + "percentile": 0.81467, + "date": "2025-12-15" } ], "cwes": [ @@ -765,8 +765,8 @@ { "cve": "CVE-2017-17740", "epss": 0.01643, - "percentile": 0.81471, - "date": "2025-12-14" + "percentile": 0.81467, + "date": "2025-12-15" } ], "cwes": [ @@ -863,8 +863,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ], "fix": { 
@@ -905,8 +905,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ] } @@ -986,8 +986,8 @@ { "cve": "CVE-2025-8715", "epss": 0.00072, - "percentile": 0.2224, - "date": "2025-12-14" + "percentile": 0.22219, + "date": "2025-12-15" } ], "cwes": [ @@ -1042,8 +1042,8 @@ { "cve": "CVE-2025-8715", "epss": 0.00072, - "percentile": 0.2224, - "date": "2025-12-14" + "percentile": 0.22219, + "date": "2025-12-15" } ], "cwes": [ @@ -1121,8 +1121,8 @@ { "cve": "CVE-2019-9192", "epss": 0.00942, - "percentile": 0.75629, - "date": "2025-12-14" + "percentile": 0.75628, + "date": "2025-12-15" } ], "cwes": [ @@ -1181,8 +1181,8 @@ { "cve": "CVE-2019-9192", "epss": 0.00942, - "percentile": 0.75629, - "date": "2025-12-14" + "percentile": 0.75628, + "date": "2025-12-15" } ], "cwes": [ @@ -1276,8 +1276,8 @@ { "cve": "CVE-2025-0725", "epss": 0.00904, - "percentile": 0.75077, - "date": "2025-12-14" + "percentile": 0.7508, + "date": "2025-12-15" } ], "cwes": [ @@ -1330,8 +1330,8 @@ { "cve": "CVE-2025-0725", "epss": 0.00904, - "percentile": 0.75077, - "date": "2025-12-14" + "percentile": 0.7508, + "date": "2025-12-15" } ], "cwes": [ @@ -1419,8 +1419,8 @@ { "cve": "CVE-2025-10148", "epss": 0.0007, - "percentile": 0.21525, - "date": "2025-12-14" + "percentile": 0.21504, + "date": "2025-12-15" } ], "fix": { @@ -1463,8 +1463,8 @@ { "cve": "CVE-2025-10148", "epss": 0.0007, - "percentile": 0.21525, - "date": "2025-12-14" + "percentile": 0.21504, + "date": "2025-12-15" } ] } @@ -1531,8 +1531,8 @@ { "cve": "CVE-2010-4756", "epss": 0.00691, - "percentile": 0.71132, - "date": "2025-12-14" + "percentile": 0.71128, + "date": "2025-12-15" } ], "cwes": [ @@ -1583,8 +1583,8 @@ { "cve": "CVE-2010-4756", "epss": 0.00691, - "percentile": 0.71132, - "date": "2025-12-14" + "percentile": 0.71128, + "date": "2025-12-15" } ], "cwes": [ 
@@ -1667,96 +1667,94 @@ }, { "vulnerability": { - "id": "CVE-2018-6829", - "dataSource": "https://security-tracker.debian.org/tracker/CVE-2018-6829", + "id": "CVE-2025-12818", + "dataSource": "https://security-tracker.debian.org/tracker/CVE-2025-12818", "namespace": "debian:distro:debian:12", - "severity": "Negligible", + "severity": "Medium", "urls": [], - "description": "cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.", - "cvss": [], + "description": "Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application using libpq. 
Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.", + "cvss": [ + { + "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.9, + "exploitabilityScore": 2.3, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ], "epss": [ { - "cve": "CVE-2018-6829", - "epss": 0.00577, - "percentile": 0.68044, - "date": "2025-12-14" + "cve": "CVE-2025-12818", + "epss": 0.00057, + "percentile": 0.1792, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2018-6829", - "cwe": "CWE-327", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2025-12818", + "cwe": "CWE-190", + "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", + "type": "Secondary" } ], "fix": { "versions": [], - "state": "not-fixed" + "state": "wont-fix" }, "advisories": [], - "risk": 0.02885 + "risk": 0.031065 }, "relatedVulnerabilities": [ { - "id": "CVE-2018-6829", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2018-6829", + "id": "CVE-2025-12818", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-12818", "namespace": "nvd:cpe", - "severity": "High", + "severity": "Medium", "urls": [ - "https://github.com/weikengchen/attack-on-libgcrypt-elgamal", - "https://github.com/weikengchen/attack-on-libgcrypt-elgamal/wiki", - "https://lists.gnupg.org/pipermail/gcrypt-devel/2018-February/004394.html", - "https://www.oracle.com/security-alerts/cpujan2020.html" + "https://www.postgresql.org/support/security/CVE-2025-12818/" ], - "description": "cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). 
The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.", + "description": "Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application using libpq. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.", "cvss": [ { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "3.0", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} - }, - { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "2.0", - "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", - "metrics": { - "baseScore": 5, - "exploitabilityScore": 10, - "impactScore": 2.9 - }, - "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2018-6829", - "epss": 0.00577, - "percentile": 0.68044, - "date": "2025-12-14" + "cve": "CVE-2025-12818", + "epss": 0.00057, + "percentile": 0.1792, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2018-6829", - "cwe": "CWE-327", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2025-12818", + "cwe": "CWE-190", + "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", + "type": "Secondary" } ] } ], "matchDetails": [ { - "type": "exact-direct-match", + "type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": { "distro": { 
@@ -1764,27 +1762,27 @@ "version": "12" }, "package": { - "name": "libgcrypt20", - "version": "1.10.1-3" + "name": "postgresql-15", + "version": "15.13-0+deb12u1" }, "namespace": "debian:distro:debian:12" }, "found": { - "vulnerabilityID": "CVE-2018-6829", + "vulnerabilityID": "CVE-2025-12818", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "aa143951e2980797", - "name": "libgcrypt20", - "version": "1.10.1-3", + "id": "11769cd41fdc5daa", + "name": "libpq5", + "version": "15.13-0+deb12u1", "type": "deb", "locations": [ { - "path": "/var/lib/dpkg/status.d/libgcrypt20", + "path": "/var/lib/dpkg/status.d/libpq5", "layerID": "sha256:e6f08f1f30bd6689a69c11717623bb6741c1e1ed323e4868b90b6a1d49eda610", - "accessPath": "/var/lib/dpkg/status.d/libgcrypt20", + "accessPath": "/var/lib/dpkg/status.d/libpq5", "annotations": { "evidence": "primary" } 
@@ -1793,102 +1791,108 @@ "language": "", "licenses": [], "cpes": [ - "cpe:2.3:a:libgcrypt20:libgcrypt20:1.10.1-3:*:*:*:*:*:*:*" + "cpe:2.3:a:libpq5:libpq5:15.13-0\\+deb12u1:*:*:*:*:*:*:*" ], - "purl": "pkg:deb/debian/libgcrypt20@1.10.1-3?arch=amd64&distro=debian-12", - "upstreams": [] + "purl": "pkg:deb/debian/libpq5@15.13-0%2Bdeb12u1?arch=amd64&distro=debian-12&upstream=postgresql-15", + "upstreams": [ + { + "name": "postgresql-15" + } + ] } }, { "vulnerability": { - "id": "CVE-2025-12818", - "dataSource": "https://security-tracker.debian.org/tracker/CVE-2025-12818", + "id": "CVE-2018-6829", + "dataSource": "https://security-tracker.debian.org/tracker/CVE-2018-6829", "namespace": "debian:distro:debian:12", - "severity": "Medium", + "severity": "Negligible", "urls": [], - "description": "Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application using libpq. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.", - "cvss": [ - { - "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", - "type": "Secondary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", - "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, - "impactScore": 3.6 - }, - "vendorMetadata": {} - } - ], + "description": "cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). 
The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.", + "cvss": [], "epss": [ { - "cve": "CVE-2025-12818", - "epss": 0.00052, - "percentile": 0.16429, - "date": "2025-12-14" + "cve": "CVE-2018-6829", + "epss": 0.00577, + "percentile": 0.6804, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-12818", - "cwe": "CWE-190", - "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", - "type": "Secondary" + "cve": "CVE-2018-6829", + "cwe": "CWE-327", + "source": "nvd@nist.gov", + "type": "Primary" } ], "fix": { "versions": [], - "state": "wont-fix" + "state": "not-fixed" }, "advisories": [], - "risk": 0.02834 + "risk": 0.02885 }, "relatedVulnerabilities": [ { - "id": "CVE-2025-12818", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-12818", + "id": "CVE-2018-6829", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2018-6829", "namespace": "nvd:cpe", - "severity": "Medium", + "severity": "High", "urls": [ - "https://www.postgresql.org/support/security/CVE-2025-12818/" + "https://github.com/weikengchen/attack-on-libgcrypt-elgamal", + "https://github.com/weikengchen/attack-on-libgcrypt-elgamal/wiki", + "https://lists.gnupg.org/pipermail/gcrypt-devel/2018-February/004394.html", + "https://www.oracle.com/security-alerts/cpujan2020.html" ], - "description": "Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application using libpq. 
Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.", + "description": "cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.", "cvss": [ { - "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", - "type": "Secondary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.0", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, + "baseScore": 7.5, + "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", + "metrics": { + "baseScore": 5, + "exploitabilityScore": 10, + "impactScore": 2.9 + }, + "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2025-12818", - "epss": 0.00052, - "percentile": 0.16429, - "date": "2025-12-14" + "cve": "CVE-2018-6829", + "epss": 0.00577, + "percentile": 0.6804, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-12818", - "cwe": "CWE-190", - "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", - "type": "Secondary" + "cve": "CVE-2018-6829", + "cwe": "CWE-327", + "source": "nvd@nist.gov", + "type": "Primary" } ] } ], "matchDetails": [ { - "type": "exact-indirect-match", + "type": "exact-direct-match", "matcher": "dpkg-matcher", "searchedBy": { "distro": { 
@@ -1896,27 +1900,27 @@ "version": "12" }, "package": { - "name": "postgresql-15", - "version": "15.13-0+deb12u1" + "name": "libgcrypt20", + "version": "1.10.1-3" }, "namespace": "debian:distro:debian:12" }, "found": { - "vulnerabilityID": "CVE-2025-12818", + "vulnerabilityID": "CVE-2018-6829", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "11769cd41fdc5daa", - "name": "libpq5", - "version": "15.13-0+deb12u1", + "id": "aa143951e2980797", + "name": "libgcrypt20", + "version": "1.10.1-3", "type": "deb", "locations": [ { - "path": "/var/lib/dpkg/status.d/libpq5", + "path": "/var/lib/dpkg/status.d/libgcrypt20", "layerID": "sha256:e6f08f1f30bd6689a69c11717623bb6741c1e1ed323e4868b90b6a1d49eda610", - "accessPath": "/var/lib/dpkg/status.d/libpq5", + "accessPath": "/var/lib/dpkg/status.d/libgcrypt20", "annotations": { "evidence": "primary" } @@ -1925,14 +1929,10 @@ "language": "", "licenses": [], "cpes": [ - "cpe:2.3:a:libpq5:libpq5:15.13-0\\+deb12u1:*:*:*:*:*:*:*" + "cpe:2.3:a:libgcrypt20:libgcrypt20:1.10.1-3:*:*:*:*:*:*:*" ], - "purl": "pkg:deb/debian/libpq5@15.13-0%2Bdeb12u1?arch=amd64&distro=debian-12&upstream=postgresql-15", - "upstreams": [ - { - "name": "postgresql-15" - } - ] + "purl": "pkg:deb/debian/libgcrypt20@1.10.1-3?arch=amd64&distro=debian-12", + "upstreams": [] } }, { @@ -1961,8 +1961,8 @@ { "cve": "CVE-2025-3576", "epss": 0.0005, - "percentile": 0.15798, - "date": "2025-12-14" + "percentile": 0.15765, + "date": "2025-12-15" } ], "cwes": [ @@ -2031,8 +2031,8 @@ { "cve": "CVE-2025-3576", "epss": 0.0005, - "percentile": 0.15798, - "date": "2025-12-14" + "percentile": 0.15765, + "date": "2025-12-15" } ], "cwes": [ @@ -2132,8 +2132,8 @@ { "cve": "CVE-2025-3576", "epss": 0.0005, - "percentile": 0.15798, - "date": "2025-12-14" + "percentile": 0.15765, + "date": "2025-12-15" } ], "cwes": [ 
@@ -2202,8 +2202,8 @@ { "cve": "CVE-2025-3576", "epss": 0.0005, - "percentile": 0.15798, - "date": "2025-12-14" + "percentile": 0.15765, + "date": "2025-12-15" } ], "cwes": [ @@ -2294,8 +2294,8 @@ { "cve": "CVE-2025-3576", "epss": 0.0005, - "percentile": 0.15798, - "date": "2025-12-14" + "percentile": 0.15765, + "date": "2025-12-15" } ], "cwes": [ @@ -2364,8 +2364,8 @@ { "cve": "CVE-2025-3576", "epss": 0.0005, - "percentile": 0.15798, - "date": "2025-12-14" + "percentile": 0.15765, + "date": "2025-12-15" } ], "cwes": [ @@ -2461,8 +2461,8 @@ { "cve": "CVE-2025-3576", "epss": 0.0005, - "percentile": 0.15798, - "date": "2025-12-14" + "percentile": 0.15765, + "date": "2025-12-15" } ], "cwes": [ @@ -2531,8 +2531,8 @@ { "cve": "CVE-2025-3576", "epss": 0.0005, - "percentile": 0.15798, - "date": "2025-12-14" + "percentile": 0.15765, + "date": "2025-12-15" } ], "cwes": [ @@ -2623,8 +2623,8 @@ { "cve": "CVE-2025-8714", "epss": 0.00032, - "percentile": 0.0894, - "date": "2025-12-14" + "percentile": 0.08868, + "date": "2025-12-15" } ], "cwes": [ @@ -2679,8 +2679,8 @@ { "cve": "CVE-2025-8714", "epss": 0.00032, - "percentile": 0.0894, - "date": "2025-12-14" + "percentile": 0.08868, + "date": "2025-12-15" } ], "cwes": [ @@ -2758,8 +2758,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -2818,8 +2818,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -2903,8 +2903,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -2963,8 +2963,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ 
@@ -3039,8 +3039,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -3099,8 +3099,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -3180,8 +3180,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -3240,8 +3240,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -3329,8 +3329,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ @@ -3405,8 +3405,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ @@ -3511,8 +3511,8 @@ { "cve": "CVE-2019-1010024", "epss": 0.00364, - "percentile": 0.5785, - "date": "2025-12-14" + "percentile": 0.57833, + "date": "2025-12-15" } ], "cwes": [ @@ -3575,8 +3575,8 @@ { "cve": "CVE-2019-1010024", "epss": 0.00364, - "percentile": 0.5785, - "date": "2025-12-14" + "percentile": 0.57833, + "date": "2025-12-15" } ], "cwes": [ @@ -3685,8 +3685,8 @@ { "cve": "CVE-2025-29478", "epss": 0.00034, - "percentile": 0.09478, - "date": "2025-12-14" + "percentile": 0.09393, + "date": "2025-12-15" } ], "cwes": [ @@ -3765,8 +3765,8 @@ { "cve": "CVE-2019-1010025", "epss": 0.00356, - "percentile": 0.5727, - "date": "2025-12-14" + "percentile": 0.57254, + "date": "2025-12-15" } ], "cwes": [ @@ -3828,8 +3828,8 @@ { "cve": "CVE-2019-1010025", "epss": 0.00356, - "percentile": 0.5727, - "date": "2025-12-14" + "percentile": 0.57254, + "date": "2025-12-15" } ], "cwes": [ 
@@ -3936,8 +3936,8 @@ { "cve": "CVE-2025-8713", "epss": 0.00057, - "percentile": 0.17875, - "date": "2025-12-14" + "percentile": 0.17855, + "date": "2025-12-15" } ], "cwes": [ @@ -3992,8 +3992,8 @@ { "cve": "CVE-2025-8713", "epss": 0.00057, - "percentile": 0.17875, - "date": "2025-12-14" + "percentile": 0.17855, + "date": "2025-12-15" } ], "cwes": [ @@ -4071,8 +4071,8 @@ { "cve": "CVE-2019-1010023", "epss": 0.00346, - "percentile": 0.5661, - "date": "2025-12-14" + "percentile": 0.56596, + "date": "2025-12-15" } ], "fix": { @@ -4138,8 +4138,8 @@ { "cve": "CVE-2019-1010023", "epss": 0.00346, - "percentile": 0.5661, - "date": "2025-12-14" + "percentile": 0.56596, + "date": "2025-12-15" } ] } @@ -4236,8 +4236,8 @@ { "cve": "CVE-2025-8058", "epss": 0.00031, - "percentile": 0.08295, - "date": "2025-12-14" + "percentile": 0.08225, + "date": "2025-12-15" } ], "cwes": [ @@ -4292,8 +4292,8 @@ { "cve": "CVE-2025-8058", "epss": 0.00031, - "percentile": 0.08295, - "date": "2025-12-14" + "percentile": 0.08225, + "date": "2025-12-15" } ], "cwes": [ @@ -4403,8 +4403,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -4470,8 +4470,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -4582,9 +4582,9 @@ "epss": [ { "cve": "CVE-2025-12817", - "epss": 0.0004, - "percentile": 0.11878, - "date": "2025-12-14" + "epss": 0.00046, + "percentile": 0.14034, + "date": "2025-12-15" } ], "cwes": [ @@ -4600,7 +4600,7 @@ "state": "wont-fix" }, "advisories": [], - "risk": 0.012199999999999999 + "risk": 0.014029999999999999 }, "relatedVulnerabilities": [ { @@ -4629,9 +4629,9 @@ "epss": [ { "cve": "CVE-2025-12817", - "epss": 0.0004, - "percentile": 0.11878, - "date": "2025-12-14" + "epss": 0.00046, + "percentile": 0.14034, + "date": "2025-12-15" } ], "cwes": [ 
@@ -4706,8 +4706,8 @@ { "cve": "CVE-2024-2236", "epss": 0.00222, - "percentile": 0.44746, - "date": "2025-12-14" + "percentile": 0.44727, + "date": "2025-12-15" } ], "cwes": [ @@ -4758,8 +4758,8 @@ { "cve": "CVE-2024-2236", "epss": 0.00222, - "percentile": 0.44746, - "date": "2025-12-14" + "percentile": 0.44727, + "date": "2025-12-15" } ], "cwes": [ @@ -4830,8 +4830,8 @@ { "cve": "CVE-2020-15719", "epss": 0.00216, - "percentile": 0.44145, - "date": "2025-12-14" + "percentile": 0.44125, + "date": "2025-12-15" } ], "cwes": [ @@ -4895,8 +4895,8 @@ { "cve": "CVE-2020-15719", "epss": 0.00216, - "percentile": 0.44145, - "date": "2025-12-14" + "percentile": 0.44125, + "date": "2025-12-15" } ], "cwes": [ @@ -4980,8 +4980,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -5028,8 +5028,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -5113,8 +5113,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -5161,8 +5161,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -5237,8 +5237,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -5285,8 +5285,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -5366,8 +5366,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ 
@@ -5414,8 +5414,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -5490,8 +5490,8 @@ { "cve": "CVE-2024-2379", "epss": 0.00205, - "percentile": 0.42752, - "date": "2025-12-14" + "percentile": 0.42737, + "date": "2025-12-15" } ], "cwes": [ @@ -5547,8 +5547,8 @@ { "cve": "CVE-2024-2379", "epss": 0.00205, - "percentile": 0.42752, - "date": "2025-12-14" + "percentile": 0.42737, + "date": "2025-12-15" } ], "cwes": [ @@ -5638,8 +5638,8 @@ { "cve": "CVE-2025-29477", "epss": 0.00019, - "percentile": 0.04132, - "date": "2025-12-14" + "percentile": 0.04084, + "date": "2025-12-15" } ], "cwes": [ @@ -5731,8 +5731,8 @@ { "cve": "CVE-2025-4802", "epss": 0.00012, - "percentile": 0.01157, - "date": "2025-12-14" + "percentile": 0.01154, + "date": "2025-12-15" } ], "cwes": [ @@ -5791,8 +5791,8 @@ { "cve": "CVE-2025-4802", "epss": 0.00012, - "percentile": 0.01157, - "date": "2025-12-14" + "percentile": 0.01154, + "date": "2025-12-15" } ], "cwes": [ @@ -5889,8 +5889,8 @@ { "cve": "CVE-2019-1010022", "epss": 0.00145, - "percentile": 0.35451, - "date": "2025-12-14" + "percentile": 0.35413, + "date": "2025-12-15" } ], "cwes": [ @@ -5951,8 +5951,8 @@ { "cve": "CVE-2019-1010022", "epss": 0.00145, - "percentile": 0.35451, - "date": "2025-12-14" + "percentile": 0.35413, + "date": "2025-12-15" } ], "cwes": [ @@ -6046,8 +6046,8 @@ { "cve": "CVE-2023-31437", "epss": 0.00128, - "percentile": 0.32956, - "date": "2025-12-14" + "percentile": 0.32907, + "date": "2025-12-15" } ], "cwes": [ @@ -6113,8 +6113,8 @@ { "cve": "CVE-2023-31437", "epss": 0.00128, - "percentile": 0.32956, - "date": "2025-12-14" + "percentile": 0.32907, + "date": "2025-12-15" } ], "cwes": [ @@ -6195,8 +6195,8 @@ { "cve": "CVE-2023-31437", "epss": 0.00128, - "percentile": 0.32956, - "date": "2025-12-14" + "percentile": 0.32907, + "date": "2025-12-15" } ], "cwes": [ 
@@ -6262,8 +6262,8 @@ { "cve": "CVE-2023-31437", "epss": 0.00128, - "percentile": 0.32956, - "date": "2025-12-14" + "percentile": 0.32907, + "date": "2025-12-15" } ], "cwes": [ @@ -6340,8 +6340,8 @@ { "cve": "CVE-2017-14159", "epss": 0.00123, - "percentile": 0.32248, - "date": "2025-12-14" + "percentile": 0.32198, + "date": "2025-12-15" } ], "cwes": [ @@ -6400,8 +6400,8 @@ { "cve": "CVE-2017-14159", "epss": 0.00123, - "percentile": 0.32248, - "date": "2025-12-14" + "percentile": 0.32198, + "date": "2025-12-15" } ], "cwes": [ @@ -6485,8 +6485,8 @@ { "cve": "CVE-2023-31438", "epss": 0.001, - "percentile": 0.2847, - "date": "2025-12-14" + "percentile": 0.28437, + "date": "2025-12-15" } ], "cwes": [ @@ -6535,8 +6535,8 @@ { "cve": "CVE-2023-31438", "epss": 0.001, - "percentile": 0.2847, - "date": "2025-12-14" + "percentile": 0.28437, + "date": "2025-12-15" } ], "cwes": [ @@ -6611,8 +6611,8 @@ { "cve": "CVE-2023-31438", "epss": 0.001, - "percentile": 0.2847, - "date": "2025-12-14" + "percentile": 0.28437, + "date": "2025-12-15" } ], "cwes": [ @@ -6661,8 +6661,8 @@ { "cve": "CVE-2023-31438", "epss": 0.001, - "percentile": 0.2847, - "date": "2025-12-14" + "percentile": 0.28437, + "date": "2025-12-15" } ], "cwes": [ @@ -6733,8 +6733,8 @@ { "cve": "CVE-2023-31439", "epss": 0.00094, - "percentile": 0.26906, - "date": "2025-12-14" + "percentile": 0.26877, + "date": "2025-12-15" } ], "cwes": [ @@ -6783,8 +6783,8 @@ { "cve": "CVE-2023-31439", "epss": 0.00094, - "percentile": 0.26906, - "date": "2025-12-14" + "percentile": 0.26877, + "date": "2025-12-15" } ], "cwes": [ @@ -6859,8 +6859,8 @@ { "cve": "CVE-2023-31439", "epss": 0.00094, - "percentile": 0.26906, - "date": "2025-12-14" + "percentile": 0.26877, + "date": "2025-12-15" } ], "cwes": [ @@ -6909,8 +6909,8 @@ { "cve": "CVE-2023-31439", "epss": 0.00094, - "percentile": 0.26906, - "date": "2025-12-14" + "percentile": 0.26877, + "date": "2025-12-15" } ], "cwes": [ 
@@ -6981,8 +6981,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -7029,8 +7029,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -7114,8 +7114,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -7162,8 +7162,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -7238,8 +7238,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -7286,8 +7286,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -7367,8 +7367,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -7415,8 +7415,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -7491,8 +7491,8 @@ { "cve": "CVE-2013-4392", "epss": 0.00057, - "percentile": 0.17828, - "date": "2025-12-14" + "percentile": 0.17808, + "date": "2025-12-15" } ], "cwes": [ @@ -7558,8 +7558,8 @@ { "cve": "CVE-2013-4392", "epss": 0.00057, - "percentile": 0.17828, - "date": "2025-12-14" + "percentile": 0.17808, + "date": "2025-12-15" } ], "cwes": [ @@ -7640,8 +7640,8 @@ { "cve": "CVE-2013-4392", "epss": 0.00057, - "percentile": 0.17828, - "date": "2025-12-14" + "percentile": 0.17808, + "date": "2025-12-15" } ], "cwes": [ 
@@ -7707,8 +7707,8 @@ { "cve": "CVE-2013-4392", "epss": 0.00057, - "percentile": 0.17828, - "date": "2025-12-14" + "percentile": 0.17808, + "date": "2025-12-15" } ], "cwes": [ @@ -7785,8 +7785,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -7846,8 +7846,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -7954,8 +7954,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -8015,8 +8015,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -8091,8 +8091,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -8152,8 +8152,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -8256,8 +8256,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -8317,8 +8317,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -8416,8 +8416,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -8477,8 +8477,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ 
@@ -8576,8 +8576,8 @@ { "cve": "CVE-2025-27587", "epss": 0.00035, - "percentile": 0.101, - "date": "2025-12-14" + "percentile": 0.10027, + "date": "2025-12-15" } ], "cwes": [ @@ -8624,8 +8624,8 @@ { "cve": "CVE-2025-27587", "epss": 0.00035, - "percentile": 0.101, - "date": "2025-12-14" + "percentile": 0.10027, + "date": "2025-12-15" } ], "cwes": [ @@ -8721,8 +8721,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ], "fix": { @@ -8763,8 +8763,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ] } 
@@ -9204,87 +9204,87 @@ "db": { "status": { "schemaVersion": "v6.1.3", - "from": "https://grype.anchore.io/databases/v6/vulnerability-db_v6.1.3_2025-12-15T00:26:22Z_1765786837.tar.zst?checksum=sha256%3A819b50d22f073b9ab2ad3c00d212207037c07e1de037f81b528b58717b758db2", - "built": "2025-12-15T08:20:37Z", + "from": "https://grype.anchore.io/databases/v6/vulnerability-db_v6.1.3_2025-12-16T00:25:11Z_1765880790.tar.zst?checksum=sha256%3Aa8bb3ef2cc68f242e78cda1e451f290ff56a23b1063de65d22a0ac20e16ae5bd", + "built": "2025-12-16T10:26:30Z", "path": ".cache/grype/db/6/vulnerability.db", "valid": true }, "providers": { "alma": { - "captured": "2025-12-15T00:26:29Z", + "captured": "2025-12-16T00:25:17Z", "input": "xxh64:3bae44c7a22f7a7a" }, "alpine": { - "captured": "2025-12-15T00:26:22Z", - "input": "xxh64:a6910ebae352b990" + "captured": "2025-12-16T00:25:13Z", + "input": "xxh64:0d94cc3d895e96e4" }, "amazon": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:d9332811ab10da09" + "captured": "2025-12-16T00:25:14Z", + "input": "xxh64:96351b3c21f16cdd" }, "bitnami": { - "captured": "2025-12-15T00:26:31Z", - "input": "xxh64:1ecf12b668dea077" + "captured": "2025-12-16T00:25:26Z", + "input": "xxh64:01d096e52d6c584d" }, "chainguard": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:c788b1823558ccdc" + "captured": "2025-12-16T00:25:19Z", + "input": "xxh64:aeb142b1fabd05ef" }, "chainguard-libraries": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:61125e10198fff74" + "captured": "2025-12-16T00:25:25Z", + "input": "xxh64:131c1a3e98113468" }, "debian": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:3a0aef0ee5db3f38" + "captured": "2025-12-16T00:25:24Z", + "input": "xxh64:9c5942d58a5f0d0a" }, "echo": { - "captured": "2025-12-15T00:26:34Z", - "input": "xxh64:b407f1052619408a" + "captured": "2025-12-16T00:25:20Z", + "input": "xxh64:e65ed35a7a7899d0" }, "epss": { - "captured": "2025-12-15T00:26:28Z", - "input": "xxh64:05fd1e2ee709d2a5" + "captured": 
"2025-12-16T00:25:21Z", + "input": "xxh64:c443dbaf0209cf17" }, "github": { - "captured": "2025-12-15T00:26:44Z", - "input": "xxh64:3c7fd996a88f1c66" + "captured": "2025-12-16T00:25:21Z", + "input": "xxh64:640038905439d285" }, "kev": { - "captured": "2025-12-15T00:26:23Z", - "input": "xxh64:ed425533655d771d" + "captured": "2025-12-16T00:25:11Z", + "input": "xxh64:c28f5b32e2103243" }, "mariner": { - "captured": "2025-12-15T00:26:32Z", - "input": "xxh64:6fdbff1192df3158" + "captured": "2025-12-16T00:25:18Z", + "input": "xxh64:647810a8c07a63eb" }, "minimos": { - "captured": "2025-12-15T00:26:30Z", - "input": "xxh64:66fa9397e7abbbe3" + "captured": "2025-12-16T00:25:20Z", + "input": "xxh64:24ca3b7889974a27" }, "nvd": { - "captured": "2025-12-15T00:29:34Z", - "input": "xxh64:52a15157244d2eb4" + "captured": "2025-12-16T00:28:18Z", + "input": "xxh64:8ee1877e9a9e680b" }, "oracle": { - "captured": "2025-12-15T00:26:29Z", - "input": "xxh64:a3297070ed6c54c1" + "captured": "2025-12-16T00:25:23Z", + "input": "xxh64:a4416b6b3e4250df" }, "rhel": { - "captured": "2025-12-15T00:27:19Z", - "input": "xxh64:e625d0086bf187f1" + "captured": "2025-12-16T00:26:07Z", + "input": "xxh64:9911b1a567d8f57c" }, "sles": { - "captured": "2025-12-15T00:26:44Z", - "input": "xxh64:baf8228a110f8ba2" + "captured": "2025-12-16T00:25:43Z", + "input": "xxh64:1b717d5f2e45fdee" }, "ubuntu": { - "captured": "2025-12-15T00:27:45Z", - "input": "xxh64:dd0f79d777310979" + "captured": "2025-12-16T00:27:14Z", + "input": "xxh64:2d3097578288b46f" }, "wolfi": { - "captured": "2025-12-15T00:26:25Z", - "input": "xxh64:7f14313934ae61bb" + "captured": "2025-12-16T00:25:19Z", + "input": "xxh64:f85923693eb62700" } } } diff --git a/docs/security/oss/grype-4.0.8.json b/docs/security/oss/grype-4.0.8.json index e4ed339..f2a8c01 100644 --- a/docs/security/oss/grype-4.0.8.json +++ b/docs/security/oss/grype-4.0.8.json 
@@ -26,8 +26,8 @@ { "cve": "CVE-2023-2953", "epss": 0.01466, - "percentile": 0.80391, - "date": "2025-12-14" + "percentile": 0.80389, + "date": "2025-12-15" } ], "cwes": [ @@ -105,8 +105,8 @@ { "cve": "CVE-2023-2953", "epss": 0.01466, - "percentile": 0.80391, - "date": "2025-12-14" + "percentile": 0.80389, + "date": "2025-12-15" } ], "cwes": [ @@ -202,8 +202,8 @@ { "cve": "CVE-2011-3389", "epss": 0.03795, - "percentile": 0.8769, - "date": "2025-12-14" + "percentile": 0.87688, + "date": "2025-12-15" } ], "cwes": [ @@ -337,8 +337,8 @@ { "cve": "CVE-2011-3389", "epss": 0.03795, - "percentile": 0.8769, - "date": "2025-12-14" + "percentile": 0.87688, + "date": "2025-12-15" } ], "cwes": [ @@ -413,8 +413,8 @@ { "cve": "CVE-2015-3276", "epss": 0.02852, - "percentile": 0.8578, - "date": "2025-12-14" + "percentile": 0.85775, + "date": "2025-12-15" } ], "fix": { @@ -467,8 +467,8 @@ { "cve": "CVE-2015-3276", "epss": 0.02852, - "percentile": 0.8578, - "date": "2025-12-14" + "percentile": 0.85775, + "date": "2025-12-15" } ] } @@ -544,8 +544,8 @@ { "cve": "CVE-2018-20796", "epss": 0.01669, - "percentile": 0.8162, - "date": "2025-12-14" + "percentile": 0.81616, + "date": "2025-12-15" } ], "cwes": [ @@ -607,8 +607,8 @@ { "cve": "CVE-2018-20796", "epss": 0.01669, - "percentile": 0.8162, - "date": "2025-12-14" + "percentile": 0.81616, + "date": "2025-12-15" } ], "cwes": [ @@ -702,8 +702,8 @@ { "cve": "CVE-2017-17740", "epss": 0.01643, - "percentile": 0.81471, - "date": "2025-12-14" + "percentile": 0.81467, + "date": "2025-12-15" } ], "cwes": [ @@ -765,8 +765,8 @@ { "cve": "CVE-2017-17740", "epss": 0.01643, - "percentile": 0.81471, - "date": "2025-12-14" + "percentile": 0.81467, + "date": "2025-12-15" } ], "cwes": [ @@ -863,8 +863,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ], "fix": { 
@@ -905,8 +905,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ] } @@ -986,8 +986,8 @@ { "cve": "CVE-2025-8715", "epss": 0.00072, - "percentile": 0.2224, - "date": "2025-12-14" + "percentile": 0.22219, + "date": "2025-12-15" } ], "cwes": [ @@ -1042,8 +1042,8 @@ { "cve": "CVE-2025-8715", "epss": 0.00072, - "percentile": 0.2224, - "date": "2025-12-14" + "percentile": 0.22219, + "date": "2025-12-15" } ], "cwes": [ @@ -1121,8 +1121,8 @@ { "cve": "CVE-2019-9192", "epss": 0.00942, - "percentile": 0.75629, - "date": "2025-12-14" + "percentile": 0.75628, + "date": "2025-12-15" } ], "cwes": [ @@ -1181,8 +1181,8 @@ { "cve": "CVE-2019-9192", "epss": 0.00942, - "percentile": 0.75629, - "date": "2025-12-14" + "percentile": 0.75628, + "date": "2025-12-15" } ], "cwes": [ @@ -1276,8 +1276,8 @@ { "cve": "CVE-2025-0725", "epss": 0.00904, - "percentile": 0.75077, - "date": "2025-12-14" + "percentile": 0.7508, + "date": "2025-12-15" } ], "cwes": [ @@ -1330,8 +1330,8 @@ { "cve": "CVE-2025-0725", "epss": 0.00904, - "percentile": 0.75077, - "date": "2025-12-14" + "percentile": 0.7508, + "date": "2025-12-15" } ], "cwes": [ @@ -1419,8 +1419,8 @@ { "cve": "CVE-2025-10148", "epss": 0.0007, - "percentile": 0.21525, - "date": "2025-12-14" + "percentile": 0.21504, + "date": "2025-12-15" } ], "fix": { @@ -1463,8 +1463,8 @@ { "cve": "CVE-2025-10148", "epss": 0.0007, - "percentile": 0.21525, - "date": "2025-12-14" + "percentile": 0.21504, + "date": "2025-12-15" } ] } @@ -1531,8 +1531,8 @@ { "cve": "CVE-2010-4756", "epss": 0.00691, - "percentile": 0.71132, - "date": "2025-12-14" + "percentile": 0.71128, + "date": "2025-12-15" } ], "cwes": [ @@ -1583,8 +1583,8 @@ { "cve": "CVE-2010-4756", "epss": 0.00691, - "percentile": 0.71132, - "date": "2025-12-14" + "percentile": 0.71128, + "date": "2025-12-15" } ], "cwes": [ 
@@ -1667,96 +1667,94 @@ }, { "vulnerability": { - "id": "CVE-2018-6829", - "dataSource": "https://security-tracker.debian.org/tracker/CVE-2018-6829", + "id": "CVE-2025-12818", + "dataSource": "https://security-tracker.debian.org/tracker/CVE-2025-12818", "namespace": "debian:distro:debian:12", - "severity": "Negligible", + "severity": "Medium", "urls": [], - "description": "cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.", - "cvss": [], + "description": "Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application using libpq. 
Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.", + "cvss": [ + { + "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.9, + "exploitabilityScore": 2.3, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ], "epss": [ { - "cve": "CVE-2018-6829", - "epss": 0.00577, - "percentile": 0.68044, - "date": "2025-12-14" + "cve": "CVE-2025-12818", + "epss": 0.00057, + "percentile": 0.1792, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2018-6829", - "cwe": "CWE-327", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2025-12818", + "cwe": "CWE-190", + "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", + "type": "Secondary" } ], "fix": { "versions": [], - "state": "not-fixed" + "state": "wont-fix" }, "advisories": [], - "risk": 0.02885 + "risk": 0.031065 }, "relatedVulnerabilities": [ { - "id": "CVE-2018-6829", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2018-6829", + "id": "CVE-2025-12818", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-12818", "namespace": "nvd:cpe", - "severity": "High", + "severity": "Medium", "urls": [ - "https://github.com/weikengchen/attack-on-libgcrypt-elgamal", - "https://github.com/weikengchen/attack-on-libgcrypt-elgamal/wiki", - "https://lists.gnupg.org/pipermail/gcrypt-devel/2018-February/004394.html", - "https://www.oracle.com/security-alerts/cpujan2020.html" + "https://www.postgresql.org/support/security/CVE-2025-12818/" ], - "description": "cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). 
The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.", + "description": "Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application using libpq. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.", "cvss": [ { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "3.0", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} - }, - { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "2.0", - "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", - "metrics": { - "baseScore": 5, - "exploitabilityScore": 10, - "impactScore": 2.9 - }, - "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2018-6829", - "epss": 0.00577, - "percentile": 0.68044, - "date": "2025-12-14" + "cve": "CVE-2025-12818", + "epss": 0.00057, + "percentile": 0.1792, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2018-6829", - "cwe": "CWE-327", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2025-12818", + "cwe": "CWE-190", + "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", + "type": "Secondary" } ] } ], "matchDetails": [ { - "type": "exact-direct-match", + "type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": { "distro": { 
@@ -1764,27 +1762,27 @@ "version": "12" }, "package": { - "name": "libgcrypt20", - "version": "1.10.1-3" + "name": "postgresql-15", + "version": "15.13-0+deb12u1" }, "namespace": "debian:distro:debian:12" }, "found": { - "vulnerabilityID": "CVE-2018-6829", + "vulnerabilityID": "CVE-2025-12818", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "aa143951e2980797", - "name": "libgcrypt20", - "version": "1.10.1-3", + "id": "11769cd41fdc5daa", + "name": "libpq5", + "version": "15.13-0+deb12u1", "type": "deb", "locations": [ { - "path": "/var/lib/dpkg/status.d/libgcrypt20", + "path": "/var/lib/dpkg/status.d/libpq5", "layerID": "sha256:d14e017542c6367905f426ac3c8499aaf190db45bba7a74ae4d62115bfe67064", - "accessPath": "/var/lib/dpkg/status.d/libgcrypt20", + "accessPath": "/var/lib/dpkg/status.d/libpq5", "annotations": { "evidence": "primary" } 
@@ -1793,102 +1791,108 @@ "language": "", "licenses": [], "cpes": [ - "cpe:2.3:a:libgcrypt20:libgcrypt20:1.10.1-3:*:*:*:*:*:*:*" + "cpe:2.3:a:libpq5:libpq5:15.13-0\\+deb12u1:*:*:*:*:*:*:*" ], - "purl": "pkg:deb/debian/libgcrypt20@1.10.1-3?arch=amd64&distro=debian-12", - "upstreams": [] + "purl": "pkg:deb/debian/libpq5@15.13-0%2Bdeb12u1?arch=amd64&distro=debian-12&upstream=postgresql-15", + "upstreams": [ + { + "name": "postgresql-15" + } + ] } }, { "vulnerability": { - "id": "CVE-2025-12818", - "dataSource": "https://security-tracker.debian.org/tracker/CVE-2025-12818", + "id": "CVE-2018-6829", + "dataSource": "https://security-tracker.debian.org/tracker/CVE-2018-6829", "namespace": "debian:distro:debian:12", - "severity": "Medium", + "severity": "Negligible", "urls": [], - "description": "Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application using libpq. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.", - "cvss": [ - { - "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", - "type": "Secondary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", - "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, - "impactScore": 3.6 - }, - "vendorMetadata": {} - } - ], + "description": "cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). 
The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.", + "cvss": [], "epss": [ { - "cve": "CVE-2025-12818", - "epss": 0.00052, - "percentile": 0.16429, - "date": "2025-12-14" + "cve": "CVE-2018-6829", + "epss": 0.00577, + "percentile": 0.6804, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-12818", - "cwe": "CWE-190", - "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", - "type": "Secondary" + "cve": "CVE-2018-6829", + "cwe": "CWE-327", + "source": "nvd@nist.gov", + "type": "Primary" } ], "fix": { "versions": [], - "state": "wont-fix" + "state": "not-fixed" }, "advisories": [], - "risk": 0.02834 + "risk": 0.02885 }, "relatedVulnerabilities": [ { - "id": "CVE-2025-12818", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-12818", + "id": "CVE-2018-6829", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2018-6829", "namespace": "nvd:cpe", - "severity": "Medium", + "severity": "High", "urls": [ - "https://www.postgresql.org/support/security/CVE-2025-12818/" + "https://github.com/weikengchen/attack-on-libgcrypt-elgamal", + "https://github.com/weikengchen/attack-on-libgcrypt-elgamal/wiki", + "https://lists.gnupg.org/pipermail/gcrypt-devel/2018-February/004394.html", + "https://www.oracle.com/security-alerts/cpujan2020.html" ], - "description": "Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application using libpq. 
Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.", + "description": "cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.", "cvss": [ { - "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", - "type": "Secondary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.0", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, + "baseScore": 7.5, + "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", + "metrics": { + "baseScore": 5, + "exploitabilityScore": 10, + "impactScore": 2.9 + }, + "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2025-12818", - "epss": 0.00052, - "percentile": 0.16429, - "date": "2025-12-14" + "cve": "CVE-2018-6829", + "epss": 0.00577, + "percentile": 0.6804, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-12818", - "cwe": "CWE-190", - "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", - "type": "Secondary" + "cve": "CVE-2018-6829", + "cwe": "CWE-327", + "source": "nvd@nist.gov", + "type": "Primary" } ] } ], "matchDetails": [ { - "type": "exact-indirect-match", + "type": "exact-direct-match", "matcher": "dpkg-matcher", "searchedBy": { "distro": { 
@@ -1896,27 +1900,27 @@ "version": "12" }, "package": { - "name": "postgresql-15", - "version": "15.13-0+deb12u1" + "name": "libgcrypt20", + "version": "1.10.1-3" }, "namespace": "debian:distro:debian:12" }, "found": { - "vulnerabilityID": "CVE-2025-12818", + "vulnerabilityID": "CVE-2018-6829", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "11769cd41fdc5daa", - "name": "libpq5", - "version": "15.13-0+deb12u1", + "id": "aa143951e2980797", + "name": "libgcrypt20", + "version": "1.10.1-3", "type": "deb", "locations": [ { - "path": "/var/lib/dpkg/status.d/libpq5", + "path": "/var/lib/dpkg/status.d/libgcrypt20", "layerID": "sha256:d14e017542c6367905f426ac3c8499aaf190db45bba7a74ae4d62115bfe67064", - "accessPath": "/var/lib/dpkg/status.d/libpq5", + "accessPath": "/var/lib/dpkg/status.d/libgcrypt20", "annotations": { "evidence": "primary" } @@ -1925,14 +1929,10 @@ "language": "", "licenses": [], "cpes": [ - "cpe:2.3:a:libpq5:libpq5:15.13-0\\+deb12u1:*:*:*:*:*:*:*" + "cpe:2.3:a:libgcrypt20:libgcrypt20:1.10.1-3:*:*:*:*:*:*:*" ], - "purl": "pkg:deb/debian/libpq5@15.13-0%2Bdeb12u1?arch=amd64&distro=debian-12&upstream=postgresql-15", - "upstreams": [ - { - "name": "postgresql-15" - } - ] + "purl": "pkg:deb/debian/libgcrypt20@1.10.1-3?arch=amd64&distro=debian-12", + "upstreams": [] } }, { @@ -1961,8 +1961,8 @@ { "cve": "CVE-2025-3576", "epss": 0.0005, - "percentile": 0.15798, - "date": "2025-12-14" + "percentile": 0.15765, + "date": "2025-12-15" } ], "cwes": [ @@ -2031,8 +2031,8 @@ { "cve": "CVE-2025-3576", "epss": 0.0005, - "percentile": 0.15798, - "date": "2025-12-14" + "percentile": 0.15765, + "date": "2025-12-15" } ], "cwes": [ @@ -2132,8 +2132,8 @@ { "cve": "CVE-2025-3576", "epss": 0.0005, - "percentile": 0.15798, - "date": "2025-12-14" + "percentile": 0.15765, + "date": "2025-12-15" } ], "cwes": [ 
@@ -2202,8 +2202,8 @@ { "cve": "CVE-2025-3576", "epss": 0.0005, - "percentile": 0.15798, - "date": "2025-12-14" + "percentile": 0.15765, + "date": "2025-12-15" } ], "cwes": [ @@ -2294,8 +2294,8 @@ { "cve": "CVE-2025-3576", "epss": 0.0005, - "percentile": 0.15798, - "date": "2025-12-14" + "percentile": 0.15765, + "date": "2025-12-15" } ], "cwes": [ @@ -2364,8 +2364,8 @@ { "cve": "CVE-2025-3576", "epss": 0.0005, - "percentile": 0.15798, - "date": "2025-12-14" + "percentile": 0.15765, + "date": "2025-12-15" } ], "cwes": [ @@ -2461,8 +2461,8 @@ { "cve": "CVE-2025-3576", "epss": 0.0005, - "percentile": 0.15798, - "date": "2025-12-14" + "percentile": 0.15765, + "date": "2025-12-15" } ], "cwes": [ @@ -2531,8 +2531,8 @@ { "cve": "CVE-2025-3576", "epss": 0.0005, - "percentile": 0.15798, - "date": "2025-12-14" + "percentile": 0.15765, + "date": "2025-12-15" } ], "cwes": [ @@ -2623,8 +2623,8 @@ { "cve": "CVE-2025-8714", "epss": 0.00032, - "percentile": 0.0894, - "date": "2025-12-14" + "percentile": 0.08868, + "date": "2025-12-15" } ], "cwes": [ @@ -2679,8 +2679,8 @@ { "cve": "CVE-2025-8714", "epss": 0.00032, - "percentile": 0.0894, - "date": "2025-12-14" + "percentile": 0.08868, + "date": "2025-12-15" } ], "cwes": [ @@ -2758,8 +2758,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -2818,8 +2818,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -2903,8 +2903,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -2963,8 +2963,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ 
@@ -3039,8 +3039,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -3099,8 +3099,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -3180,8 +3180,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -3240,8 +3240,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -3329,8 +3329,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ @@ -3405,8 +3405,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ @@ -3511,8 +3511,8 @@ { "cve": "CVE-2019-1010024", "epss": 0.00364, - "percentile": 0.5785, - "date": "2025-12-14" + "percentile": 0.57833, + "date": "2025-12-15" } ], "cwes": [ @@ -3575,8 +3575,8 @@ { "cve": "CVE-2019-1010024", "epss": 0.00364, - "percentile": 0.5785, - "date": "2025-12-14" + "percentile": 0.57833, + "date": "2025-12-15" } ], "cwes": [ @@ -3685,8 +3685,8 @@ { "cve": "CVE-2025-29478", "epss": 0.00034, - "percentile": 0.09478, - "date": "2025-12-14" + "percentile": 0.09393, + "date": "2025-12-15" } ], "cwes": [ @@ -3765,8 +3765,8 @@ { "cve": "CVE-2019-1010025", "epss": 0.00356, - "percentile": 0.5727, - "date": "2025-12-14" + "percentile": 0.57254, + "date": "2025-12-15" } ], "cwes": [ @@ -3828,8 +3828,8 @@ { "cve": "CVE-2019-1010025", "epss": 0.00356, - "percentile": 0.5727, - "date": "2025-12-14" + "percentile": 0.57254, + "date": "2025-12-15" } ], "cwes": [ 
@@ -3936,8 +3936,8 @@ { "cve": "CVE-2025-8713", "epss": 0.00057, - "percentile": 0.17875, - "date": "2025-12-14" + "percentile": 0.17855, + "date": "2025-12-15" } ], "cwes": [ @@ -3992,8 +3992,8 @@ { "cve": "CVE-2025-8713", "epss": 0.00057, - "percentile": 0.17875, - "date": "2025-12-14" + "percentile": 0.17855, + "date": "2025-12-15" } ], "cwes": [ @@ -4071,8 +4071,8 @@ { "cve": "CVE-2019-1010023", "epss": 0.00346, - "percentile": 0.5661, - "date": "2025-12-14" + "percentile": 0.56596, + "date": "2025-12-15" } ], "fix": { @@ -4138,8 +4138,8 @@ { "cve": "CVE-2019-1010023", "epss": 0.00346, - "percentile": 0.5661, - "date": "2025-12-14" + "percentile": 0.56596, + "date": "2025-12-15" } ] } @@ -4236,8 +4236,8 @@ { "cve": "CVE-2025-8058", "epss": 0.00031, - "percentile": 0.08295, - "date": "2025-12-14" + "percentile": 0.08225, + "date": "2025-12-15" } ], "cwes": [ @@ -4292,8 +4292,8 @@ { "cve": "CVE-2025-8058", "epss": 0.00031, - "percentile": 0.08295, - "date": "2025-12-14" + "percentile": 0.08225, + "date": "2025-12-15" } ], "cwes": [ @@ -4403,8 +4403,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -4470,8 +4470,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -4582,9 +4582,9 @@ "epss": [ { "cve": "CVE-2025-12817", - "epss": 0.0004, - "percentile": 0.11878, - "date": "2025-12-14" + "epss": 0.00046, + "percentile": 0.14034, + "date": "2025-12-15" } ], "cwes": [ @@ -4600,7 +4600,7 @@ "state": "wont-fix" }, "advisories": [], - "risk": 0.012199999999999999 + "risk": 0.014029999999999999 }, "relatedVulnerabilities": [ { @@ -4629,9 +4629,9 @@ "epss": [ { "cve": "CVE-2025-12817", - "epss": 0.0004, - "percentile": 0.11878, - "date": "2025-12-14" + "epss": 0.00046, + "percentile": 0.14034, + "date": "2025-12-15" } ], "cwes": [ 
@@ -4706,8 +4706,8 @@ { "cve": "CVE-2024-2236", "epss": 0.00222, - "percentile": 0.44746, - "date": "2025-12-14" + "percentile": 0.44727, + "date": "2025-12-15" } ], "cwes": [ @@ -4758,8 +4758,8 @@ { "cve": "CVE-2024-2236", "epss": 0.00222, - "percentile": 0.44746, - "date": "2025-12-14" + "percentile": 0.44727, + "date": "2025-12-15" } ], "cwes": [ @@ -4830,8 +4830,8 @@ { "cve": "CVE-2020-15719", "epss": 0.00216, - "percentile": 0.44145, - "date": "2025-12-14" + "percentile": 0.44125, + "date": "2025-12-15" } ], "cwes": [ @@ -4895,8 +4895,8 @@ { "cve": "CVE-2020-15719", "epss": 0.00216, - "percentile": 0.44145, - "date": "2025-12-14" + "percentile": 0.44125, + "date": "2025-12-15" } ], "cwes": [ @@ -4980,8 +4980,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -5028,8 +5028,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -5113,8 +5113,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -5161,8 +5161,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -5237,8 +5237,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -5285,8 +5285,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -5366,8 +5366,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ 
@@ -5414,8 +5414,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -5490,8 +5490,8 @@ { "cve": "CVE-2024-2379", "epss": 0.00205, - "percentile": 0.42752, - "date": "2025-12-14" + "percentile": 0.42737, + "date": "2025-12-15" } ], "cwes": [ @@ -5547,8 +5547,8 @@ { "cve": "CVE-2024-2379", "epss": 0.00205, - "percentile": 0.42752, - "date": "2025-12-14" + "percentile": 0.42737, + "date": "2025-12-15" } ], "cwes": [ @@ -5638,8 +5638,8 @@ { "cve": "CVE-2025-29477", "epss": 0.00019, - "percentile": 0.04132, - "date": "2025-12-14" + "percentile": 0.04084, + "date": "2025-12-15" } ], "cwes": [ @@ -5731,8 +5731,8 @@ { "cve": "CVE-2025-4802", "epss": 0.00012, - "percentile": 0.01157, - "date": "2025-12-14" + "percentile": 0.01154, + "date": "2025-12-15" } ], "cwes": [ @@ -5791,8 +5791,8 @@ { "cve": "CVE-2025-4802", "epss": 0.00012, - "percentile": 0.01157, - "date": "2025-12-14" + "percentile": 0.01154, + "date": "2025-12-15" } ], "cwes": [ @@ -5889,8 +5889,8 @@ { "cve": "CVE-2019-1010022", "epss": 0.00145, - "percentile": 0.35451, - "date": "2025-12-14" + "percentile": 0.35413, + "date": "2025-12-15" } ], "cwes": [ @@ -5951,8 +5951,8 @@ { "cve": "CVE-2019-1010022", "epss": 0.00145, - "percentile": 0.35451, - "date": "2025-12-14" + "percentile": 0.35413, + "date": "2025-12-15" } ], "cwes": [ @@ -6046,8 +6046,8 @@ { "cve": "CVE-2023-31437", "epss": 0.00128, - "percentile": 0.32956, - "date": "2025-12-14" + "percentile": 0.32907, + "date": "2025-12-15" } ], "cwes": [ @@ -6113,8 +6113,8 @@ { "cve": "CVE-2023-31437", "epss": 0.00128, - "percentile": 0.32956, - "date": "2025-12-14" + "percentile": 0.32907, + "date": "2025-12-15" } ], "cwes": [ @@ -6195,8 +6195,8 @@ { "cve": "CVE-2023-31437", "epss": 0.00128, - "percentile": 0.32956, - "date": "2025-12-14" + "percentile": 0.32907, + "date": "2025-12-15" } ], "cwes": [ 
@@ -6262,8 +6262,8 @@ { "cve": "CVE-2023-31437", "epss": 0.00128, - "percentile": 0.32956, - "date": "2025-12-14" + "percentile": 0.32907, + "date": "2025-12-15" } ], "cwes": [ @@ -6340,8 +6340,8 @@ { "cve": "CVE-2017-14159", "epss": 0.00123, - "percentile": 0.32248, - "date": "2025-12-14" + "percentile": 0.32198, + "date": "2025-12-15" } ], "cwes": [ @@ -6400,8 +6400,8 @@ { "cve": "CVE-2017-14159", "epss": 0.00123, - "percentile": 0.32248, - "date": "2025-12-14" + "percentile": 0.32198, + "date": "2025-12-15" } ], "cwes": [ @@ -6485,8 +6485,8 @@ { "cve": "CVE-2023-31438", "epss": 0.001, - "percentile": 0.2847, - "date": "2025-12-14" + "percentile": 0.28437, + "date": "2025-12-15" } ], "cwes": [ @@ -6535,8 +6535,8 @@ { "cve": "CVE-2023-31438", "epss": 0.001, - "percentile": 0.2847, - "date": "2025-12-14" + "percentile": 0.28437, + "date": "2025-12-15" } ], "cwes": [ @@ -6611,8 +6611,8 @@ { "cve": "CVE-2023-31438", "epss": 0.001, - "percentile": 0.2847, - "date": "2025-12-14" + "percentile": 0.28437, + "date": "2025-12-15" } ], "cwes": [ @@ -6661,8 +6661,8 @@ { "cve": "CVE-2023-31438", "epss": 0.001, - "percentile": 0.2847, - "date": "2025-12-14" + "percentile": 0.28437, + "date": "2025-12-15" } ], "cwes": [ @@ -6733,8 +6733,8 @@ { "cve": "CVE-2023-31439", "epss": 0.00094, - "percentile": 0.26906, - "date": "2025-12-14" + "percentile": 0.26877, + "date": "2025-12-15" } ], "cwes": [ @@ -6783,8 +6783,8 @@ { "cve": "CVE-2023-31439", "epss": 0.00094, - "percentile": 0.26906, - "date": "2025-12-14" + "percentile": 0.26877, + "date": "2025-12-15" } ], "cwes": [ @@ -6859,8 +6859,8 @@ { "cve": "CVE-2023-31439", "epss": 0.00094, - "percentile": 0.26906, - "date": "2025-12-14" + "percentile": 0.26877, + "date": "2025-12-15" } ], "cwes": [ @@ -6909,8 +6909,8 @@ { "cve": "CVE-2023-31439", "epss": 0.00094, - "percentile": 0.26906, - "date": "2025-12-14" + "percentile": 0.26877, + "date": "2025-12-15" } ], "cwes": [ 
@@ -6981,8 +6981,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -7029,8 +7029,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -7114,8 +7114,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -7162,8 +7162,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -7238,8 +7238,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -7286,8 +7286,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -7367,8 +7367,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -7415,8 +7415,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -7491,8 +7491,8 @@ { "cve": "CVE-2013-4392", "epss": 0.00057, - "percentile": 0.17828, - "date": "2025-12-14" + "percentile": 0.17808, + "date": "2025-12-15" } ], "cwes": [ @@ -7558,8 +7558,8 @@ { "cve": "CVE-2013-4392", "epss": 0.00057, - "percentile": 0.17828, - "date": "2025-12-14" + "percentile": 0.17808, + "date": "2025-12-15" } ], "cwes": [ @@ -7640,8 +7640,8 @@ { "cve": "CVE-2013-4392", "epss": 0.00057, - "percentile": 0.17828, - "date": "2025-12-14" + "percentile": 0.17808, + "date": "2025-12-15" } ], "cwes": [ 
@@ -7707,8 +7707,8 @@ { "cve": "CVE-2013-4392", "epss": 0.00057, - "percentile": 0.17828, - "date": "2025-12-14" + "percentile": 0.17808, + "date": "2025-12-15" } ], "cwes": [ @@ -7785,8 +7785,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -7846,8 +7846,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -7954,8 +7954,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -8015,8 +8015,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -8091,8 +8091,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -8152,8 +8152,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -8256,8 +8256,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -8317,8 +8317,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -8416,8 +8416,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -8477,8 +8477,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ 
@@ -8576,8 +8576,8 @@ { "cve": "CVE-2025-27587", "epss": 0.00035, - "percentile": 0.101, - "date": "2025-12-14" + "percentile": 0.10027, + "date": "2025-12-15" } ], "cwes": [ @@ -8624,8 +8624,8 @@ { "cve": "CVE-2025-27587", "epss": 0.00035, - "percentile": 0.101, - "date": "2025-12-14" + "percentile": 0.10027, + "date": "2025-12-15" } ], "cwes": [ @@ -8721,8 +8721,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ], "fix": { @@ -8763,8 +8763,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ] } 
@@ -9204,87 +9204,87 @@ "db": { "status": { "schemaVersion": "v6.1.3", - "from": "https://grype.anchore.io/databases/v6/vulnerability-db_v6.1.3_2025-12-15T00:26:22Z_1765786837.tar.zst?checksum=sha256%3A819b50d22f073b9ab2ad3c00d212207037c07e1de037f81b528b58717b758db2", - "built": "2025-12-15T08:20:37Z", + "from": "https://grype.anchore.io/databases/v6/vulnerability-db_v6.1.3_2025-12-16T00:25:11Z_1765880790.tar.zst?checksum=sha256%3Aa8bb3ef2cc68f242e78cda1e451f290ff56a23b1063de65d22a0ac20e16ae5bd", + "built": "2025-12-16T10:26:30Z", "path": ".cache/grype/db/6/vulnerability.db", "valid": true }, "providers": { "alma": { - "captured": "2025-12-15T00:26:29Z", + "captured": "2025-12-16T00:25:17Z", "input": "xxh64:3bae44c7a22f7a7a" }, "alpine": { - "captured": "2025-12-15T00:26:22Z", - "input": "xxh64:a6910ebae352b990" + "captured": "2025-12-16T00:25:13Z", + "input": "xxh64:0d94cc3d895e96e4" }, "amazon": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:d9332811ab10da09" + "captured": "2025-12-16T00:25:14Z", + "input": "xxh64:96351b3c21f16cdd" }, "bitnami": { - "captured": "2025-12-15T00:26:31Z", - "input": "xxh64:1ecf12b668dea077" + "captured": "2025-12-16T00:25:26Z", + "input": "xxh64:01d096e52d6c584d" }, "chainguard": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:c788b1823558ccdc" + "captured": "2025-12-16T00:25:19Z", + "input": "xxh64:aeb142b1fabd05ef" }, "chainguard-libraries": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:61125e10198fff74" + "captured": "2025-12-16T00:25:25Z", + "input": "xxh64:131c1a3e98113468" }, "debian": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:3a0aef0ee5db3f38" + "captured": "2025-12-16T00:25:24Z", + "input": "xxh64:9c5942d58a5f0d0a" }, "echo": { - "captured": "2025-12-15T00:26:34Z", - "input": "xxh64:b407f1052619408a" + "captured": "2025-12-16T00:25:20Z", + "input": "xxh64:e65ed35a7a7899d0" }, "epss": { - "captured": "2025-12-15T00:26:28Z", - "input": "xxh64:05fd1e2ee709d2a5" + "captured": 
"2025-12-16T00:25:21Z", + "input": "xxh64:c443dbaf0209cf17" }, "github": { - "captured": "2025-12-15T00:26:44Z", - "input": "xxh64:3c7fd996a88f1c66" + "captured": "2025-12-16T00:25:21Z", + "input": "xxh64:640038905439d285" }, "kev": { - "captured": "2025-12-15T00:26:23Z", - "input": "xxh64:ed425533655d771d" + "captured": "2025-12-16T00:25:11Z", + "input": "xxh64:c28f5b32e2103243" }, "mariner": { - "captured": "2025-12-15T00:26:32Z", - "input": "xxh64:6fdbff1192df3158" + "captured": "2025-12-16T00:25:18Z", + "input": "xxh64:647810a8c07a63eb" }, "minimos": { - "captured": "2025-12-15T00:26:30Z", - "input": "xxh64:66fa9397e7abbbe3" + "captured": "2025-12-16T00:25:20Z", + "input": "xxh64:24ca3b7889974a27" }, "nvd": { - "captured": "2025-12-15T00:29:34Z", - "input": "xxh64:52a15157244d2eb4" + "captured": "2025-12-16T00:28:18Z", + "input": "xxh64:8ee1877e9a9e680b" }, "oracle": { - "captured": "2025-12-15T00:26:29Z", - "input": "xxh64:a3297070ed6c54c1" + "captured": "2025-12-16T00:25:23Z", + "input": "xxh64:a4416b6b3e4250df" }, "rhel": { - "captured": "2025-12-15T00:27:19Z", - "input": "xxh64:e625d0086bf187f1" + "captured": "2025-12-16T00:26:07Z", + "input": "xxh64:9911b1a567d8f57c" }, "sles": { - "captured": "2025-12-15T00:26:44Z", - "input": "xxh64:baf8228a110f8ba2" + "captured": "2025-12-16T00:25:43Z", + "input": "xxh64:1b717d5f2e45fdee" }, "ubuntu": { - "captured": "2025-12-15T00:27:45Z", - "input": "xxh64:dd0f79d777310979" + "captured": "2025-12-16T00:27:14Z", + "input": "xxh64:2d3097578288b46f" }, "wolfi": { - "captured": "2025-12-15T00:26:25Z", - "input": "xxh64:7f14313934ae61bb" + "captured": "2025-12-16T00:25:19Z", + "input": "xxh64:f85923693eb62700" } } } diff --git a/docs/security/oss/grype-4.0.9.json b/docs/security/oss/grype-4.0.9.json index 061c829..7959c7e 100644 --- a/docs/security/oss/grype-4.0.9.json +++ b/docs/security/oss/grype-4.0.9.json 
@@ -26,8 +26,8 @@ { "cve": "CVE-2023-2953", "epss": 0.01466, - "percentile": 0.80391, - "date": "2025-12-14" + "percentile": 0.80389, + "date": "2025-12-15" } ], "cwes": [ @@ -105,8 +105,8 @@ { "cve": "CVE-2023-2953", "epss": 0.01466, - "percentile": 0.80391, - "date": "2025-12-14" + "percentile": 0.80389, + "date": "2025-12-15" } ], "cwes": [ @@ -202,8 +202,8 @@ { "cve": "CVE-2011-3389", "epss": 0.03795, - "percentile": 0.8769, - "date": "2025-12-14" + "percentile": 0.87688, + "date": "2025-12-15" } ], "cwes": [ @@ -337,8 +337,8 @@ { "cve": "CVE-2011-3389", "epss": 0.03795, - "percentile": 0.8769, - "date": "2025-12-14" + "percentile": 0.87688, + "date": "2025-12-15" } ], "cwes": [ @@ -413,8 +413,8 @@ { "cve": "CVE-2015-3276", "epss": 0.02852, - "percentile": 0.8578, - "date": "2025-12-14" + "percentile": 0.85775, + "date": "2025-12-15" } ], "fix": { @@ -467,8 +467,8 @@ { "cve": "CVE-2015-3276", "epss": 0.02852, - "percentile": 0.8578, - "date": "2025-12-14" + "percentile": 0.85775, + "date": "2025-12-15" } ] } @@ -544,8 +544,8 @@ { "cve": "CVE-2018-20796", "epss": 0.01669, - "percentile": 0.8162, - "date": "2025-12-14" + "percentile": 0.81616, + "date": "2025-12-15" } ], "cwes": [ @@ -607,8 +607,8 @@ { "cve": "CVE-2018-20796", "epss": 0.01669, - "percentile": 0.8162, - "date": "2025-12-14" + "percentile": 0.81616, + "date": "2025-12-15" } ], "cwes": [ @@ -702,8 +702,8 @@ { "cve": "CVE-2017-17740", "epss": 0.01643, - "percentile": 0.81471, - "date": "2025-12-14" + "percentile": 0.81467, + "date": "2025-12-15" } ], "cwes": [ @@ -765,8 +765,8 @@ { "cve": "CVE-2017-17740", "epss": 0.01643, - "percentile": 0.81471, - "date": "2025-12-14" + "percentile": 0.81467, + "date": "2025-12-15" } ], "cwes": [ @@ -863,8 +863,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ], "fix": { 
@@ -905,8 +905,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ] } @@ -986,8 +986,8 @@ { "cve": "CVE-2025-8715", "epss": 0.00072, - "percentile": 0.2224, - "date": "2025-12-14" + "percentile": 0.22219, + "date": "2025-12-15" } ], "cwes": [ @@ -1042,8 +1042,8 @@ { "cve": "CVE-2025-8715", "epss": 0.00072, - "percentile": 0.2224, - "date": "2025-12-14" + "percentile": 0.22219, + "date": "2025-12-15" } ], "cwes": [ @@ -1121,8 +1121,8 @@ { "cve": "CVE-2019-9192", "epss": 0.00942, - "percentile": 0.75629, - "date": "2025-12-14" + "percentile": 0.75628, + "date": "2025-12-15" } ], "cwes": [ @@ -1181,8 +1181,8 @@ { "cve": "CVE-2019-9192", "epss": 0.00942, - "percentile": 0.75629, - "date": "2025-12-14" + "percentile": 0.75628, + "date": "2025-12-15" } ], "cwes": [ @@ -1276,8 +1276,8 @@ { "cve": "CVE-2025-0725", "epss": 0.00904, - "percentile": 0.75077, - "date": "2025-12-14" + "percentile": 0.7508, + "date": "2025-12-15" } ], "cwes": [ @@ -1330,8 +1330,8 @@ { "cve": "CVE-2025-0725", "epss": 0.00904, - "percentile": 0.75077, - "date": "2025-12-14" + "percentile": 0.7508, + "date": "2025-12-15" } ], "cwes": [ @@ -1419,8 +1419,8 @@ { "cve": "CVE-2025-10148", "epss": 0.0007, - "percentile": 0.21525, - "date": "2025-12-14" + "percentile": 0.21504, + "date": "2025-12-15" } ], "fix": { @@ -1463,8 +1463,8 @@ { "cve": "CVE-2025-10148", "epss": 0.0007, - "percentile": 0.21525, - "date": "2025-12-14" + "percentile": 0.21504, + "date": "2025-12-15" } ] } @@ -1531,8 +1531,8 @@ { "cve": "CVE-2010-4756", "epss": 0.00691, - "percentile": 0.71132, - "date": "2025-12-14" + "percentile": 0.71128, + "date": "2025-12-15" } ], "cwes": [ @@ -1583,8 +1583,8 @@ { "cve": "CVE-2010-4756", "epss": 0.00691, - "percentile": 0.71132, - "date": "2025-12-14" + "percentile": 0.71128, + "date": "2025-12-15" } ], "cwes": [ 
@@ -1667,96 +1667,94 @@ }, { "vulnerability": { - "id": "CVE-2018-6829", - "dataSource": "https://security-tracker.debian.org/tracker/CVE-2018-6829", + "id": "CVE-2025-12818", + "dataSource": "https://security-tracker.debian.org/tracker/CVE-2025-12818", "namespace": "debian:distro:debian:12", - "severity": "Negligible", + "severity": "Medium", "urls": [], - "description": "cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.", - "cvss": [], + "description": "Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application using libpq. 
Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.", + "cvss": [ + { + "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.9, + "exploitabilityScore": 2.3, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ], "epss": [ { - "cve": "CVE-2018-6829", - "epss": 0.00577, - "percentile": 0.68044, - "date": "2025-12-14" + "cve": "CVE-2025-12818", + "epss": 0.00057, + "percentile": 0.1792, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2018-6829", - "cwe": "CWE-327", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2025-12818", + "cwe": "CWE-190", + "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", + "type": "Secondary" } ], "fix": { "versions": [], - "state": "not-fixed" + "state": "wont-fix" }, "advisories": [], - "risk": 0.02885 + "risk": 0.031065 }, "relatedVulnerabilities": [ { - "id": "CVE-2018-6829", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2018-6829", + "id": "CVE-2025-12818", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-12818", "namespace": "nvd:cpe", - "severity": "High", + "severity": "Medium", "urls": [ - "https://github.com/weikengchen/attack-on-libgcrypt-elgamal", - "https://github.com/weikengchen/attack-on-libgcrypt-elgamal/wiki", - "https://lists.gnupg.org/pipermail/gcrypt-devel/2018-February/004394.html", - "https://www.oracle.com/security-alerts/cpujan2020.html" + "https://www.postgresql.org/support/security/CVE-2025-12818/" ], - "description": "cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). 
The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.", + "description": "Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application using libpq. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.", "cvss": [ { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "3.0", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} - }, - { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "2.0", - "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", - "metrics": { - "baseScore": 5, - "exploitabilityScore": 10, - "impactScore": 2.9 - }, - "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2018-6829", - "epss": 0.00577, - "percentile": 0.68044, - "date": "2025-12-14" + "cve": "CVE-2025-12818", + "epss": 0.00057, + "percentile": 0.1792, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2018-6829", - "cwe": "CWE-327", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2025-12818", + "cwe": "CWE-190", + "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", + "type": "Secondary" } ] } ], "matchDetails": [ { - "type": "exact-direct-match", + "type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": { "distro": { 
@@ -1764,27 +1762,27 @@ "version": "12" }, "package": { - "name": "libgcrypt20", - "version": "1.10.1-3" + "name": "postgresql-15", + "version": "15.13-0+deb12u1" }, "namespace": "debian:distro:debian:12" }, "found": { - "vulnerabilityID": "CVE-2018-6829", + "vulnerabilityID": "CVE-2025-12818", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "aa143951e2980797", - "name": "libgcrypt20", - "version": "1.10.1-3", + "id": "11769cd41fdc5daa", + "name": "libpq5", + "version": "15.13-0+deb12u1", "type": "deb", "locations": [ { - "path": "/var/lib/dpkg/status.d/libgcrypt20", + "path": "/var/lib/dpkg/status.d/libpq5", "layerID": "sha256:891dbdd591f164fd4e1660f7b72e82c3d995057109207f08bad18b217a16df88", - "accessPath": "/var/lib/dpkg/status.d/libgcrypt20", + "accessPath": "/var/lib/dpkg/status.d/libpq5", "annotations": { "evidence": "primary" } 
@@ -1793,102 +1791,108 @@ "language": "", "licenses": [], "cpes": [ - "cpe:2.3:a:libgcrypt20:libgcrypt20:1.10.1-3:*:*:*:*:*:*:*" + "cpe:2.3:a:libpq5:libpq5:15.13-0\\+deb12u1:*:*:*:*:*:*:*" ], - "purl": "pkg:deb/debian/libgcrypt20@1.10.1-3?arch=amd64&distro=debian-12", - "upstreams": [] + "purl": "pkg:deb/debian/libpq5@15.13-0%2Bdeb12u1?arch=amd64&distro=debian-12&upstream=postgresql-15", + "upstreams": [ + { + "name": "postgresql-15" + } + ] } }, { "vulnerability": { - "id": "CVE-2025-12818", - "dataSource": "https://security-tracker.debian.org/tracker/CVE-2025-12818", + "id": "CVE-2018-6829", + "dataSource": "https://security-tracker.debian.org/tracker/CVE-2018-6829", "namespace": "debian:distro:debian:12", - "severity": "Medium", + "severity": "Negligible", "urls": [], - "description": "Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application using libpq. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.", - "cvss": [ - { - "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", - "type": "Secondary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", - "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, - "impactScore": 3.6 - }, - "vendorMetadata": {} - } - ], + "description": "cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). 
The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.", + "cvss": [], "epss": [ { - "cve": "CVE-2025-12818", - "epss": 0.00052, - "percentile": 0.16429, - "date": "2025-12-14" + "cve": "CVE-2018-6829", + "epss": 0.00577, + "percentile": 0.6804, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-12818", - "cwe": "CWE-190", - "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", - "type": "Secondary" + "cve": "CVE-2018-6829", + "cwe": "CWE-327", + "source": "nvd@nist.gov", + "type": "Primary" } ], "fix": { "versions": [], - "state": "wont-fix" + "state": "not-fixed" }, "advisories": [], - "risk": 0.02834 + "risk": 0.02885 }, "relatedVulnerabilities": [ { - "id": "CVE-2025-12818", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-12818", + "id": "CVE-2018-6829", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2018-6829", "namespace": "nvd:cpe", - "severity": "Medium", + "severity": "High", "urls": [ - "https://www.postgresql.org/support/security/CVE-2025-12818/" + "https://github.com/weikengchen/attack-on-libgcrypt-elgamal", + "https://github.com/weikengchen/attack-on-libgcrypt-elgamal/wiki", + "https://lists.gnupg.org/pipermail/gcrypt-devel/2018-February/004394.html", + "https://www.oracle.com/security-alerts/cpujan2020.html" ], - "description": "Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application using libpq. 
Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.", + "description": "cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.", "cvss": [ { - "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", - "type": "Secondary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.0", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, + "baseScore": 7.5, + "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", + "metrics": { + "baseScore": 5, + "exploitabilityScore": 10, + "impactScore": 2.9 + }, + "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2025-12818", - "epss": 0.00052, - "percentile": 0.16429, - "date": "2025-12-14" + "cve": "CVE-2018-6829", + "epss": 0.00577, + "percentile": 0.6804, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-12818", - "cwe": "CWE-190", - "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", - "type": "Secondary" + "cve": "CVE-2018-6829", + "cwe": "CWE-327", + "source": "nvd@nist.gov", + "type": "Primary" } ] } ], "matchDetails": [ { - "type": "exact-indirect-match", + "type": "exact-direct-match", "matcher": "dpkg-matcher", "searchedBy": { "distro": { 
@@ -1896,27 +1900,27 @@ "version": "12" }, "package": { - "name": "postgresql-15", - "version": "15.13-0+deb12u1" + "name": "libgcrypt20", + "version": "1.10.1-3" }, "namespace": "debian:distro:debian:12" }, "found": { - "vulnerabilityID": "CVE-2025-12818", + "vulnerabilityID": "CVE-2018-6829", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "11769cd41fdc5daa", - "name": "libpq5", - "version": "15.13-0+deb12u1", + "id": "aa143951e2980797", + "name": "libgcrypt20", + "version": "1.10.1-3", "type": "deb", "locations": [ { - "path": "/var/lib/dpkg/status.d/libpq5", + "path": "/var/lib/dpkg/status.d/libgcrypt20", "layerID": "sha256:891dbdd591f164fd4e1660f7b72e82c3d995057109207f08bad18b217a16df88", - "accessPath": "/var/lib/dpkg/status.d/libpq5", + "accessPath": "/var/lib/dpkg/status.d/libgcrypt20", "annotations": { "evidence": "primary" } @@ -1925,14 +1929,10 @@ "language": "", "licenses": [], "cpes": [ - "cpe:2.3:a:libpq5:libpq5:15.13-0\\+deb12u1:*:*:*:*:*:*:*" + "cpe:2.3:a:libgcrypt20:libgcrypt20:1.10.1-3:*:*:*:*:*:*:*" ], - "purl": "pkg:deb/debian/libpq5@15.13-0%2Bdeb12u1?arch=amd64&distro=debian-12&upstream=postgresql-15", - "upstreams": [ - { - "name": "postgresql-15" - } - ] + "purl": "pkg:deb/debian/libgcrypt20@1.10.1-3?arch=amd64&distro=debian-12", + "upstreams": [] } }, { @@ -1961,8 +1961,8 @@ { "cve": "CVE-2025-3576", "epss": 0.0005, - "percentile": 0.15798, - "date": "2025-12-14" + "percentile": 0.15765, + "date": "2025-12-15" } ], "cwes": [ @@ -2031,8 +2031,8 @@ { "cve": "CVE-2025-3576", "epss": 0.0005, - "percentile": 0.15798, - "date": "2025-12-14" + "percentile": 0.15765, + "date": "2025-12-15" } ], "cwes": [ @@ -2132,8 +2132,8 @@ { "cve": "CVE-2025-3576", "epss": 0.0005, - "percentile": 0.15798, - "date": "2025-12-14" + "percentile": 0.15765, + "date": "2025-12-15" } ], "cwes": [ 
@@ -2202,8 +2202,8 @@ { "cve": "CVE-2025-3576", "epss": 0.0005, - "percentile": 0.15798, - "date": "2025-12-14" + "percentile": 0.15765, + "date": "2025-12-15" } ], "cwes": [ @@ -2294,8 +2294,8 @@ { "cve": "CVE-2025-3576", "epss": 0.0005, - "percentile": 0.15798, - "date": "2025-12-14" + "percentile": 0.15765, + "date": "2025-12-15" } ], "cwes": [ @@ -2364,8 +2364,8 @@ { "cve": "CVE-2025-3576", "epss": 0.0005, - "percentile": 0.15798, - "date": "2025-12-14" + "percentile": 0.15765, + "date": "2025-12-15" } ], "cwes": [ @@ -2461,8 +2461,8 @@ { "cve": "CVE-2025-3576", "epss": 0.0005, - "percentile": 0.15798, - "date": "2025-12-14" + "percentile": 0.15765, + "date": "2025-12-15" } ], "cwes": [ @@ -2531,8 +2531,8 @@ { "cve": "CVE-2025-3576", "epss": 0.0005, - "percentile": 0.15798, - "date": "2025-12-14" + "percentile": 0.15765, + "date": "2025-12-15" } ], "cwes": [ @@ -2623,8 +2623,8 @@ { "cve": "CVE-2025-8714", "epss": 0.00032, - "percentile": 0.0894, - "date": "2025-12-14" + "percentile": 0.08868, + "date": "2025-12-15" } ], "cwes": [ @@ -2679,8 +2679,8 @@ { "cve": "CVE-2025-8714", "epss": 0.00032, - "percentile": 0.0894, - "date": "2025-12-14" + "percentile": 0.08868, + "date": "2025-12-15" } ], "cwes": [ @@ -2758,8 +2758,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -2818,8 +2818,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -2903,8 +2903,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -2963,8 +2963,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ 
@@ -3039,8 +3039,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -3099,8 +3099,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -3180,8 +3180,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -3240,8 +3240,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -3329,8 +3329,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ @@ -3405,8 +3405,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ @@ -3511,8 +3511,8 @@ { "cve": "CVE-2019-1010024", "epss": 0.00364, - "percentile": 0.5785, - "date": "2025-12-14" + "percentile": 0.57833, + "date": "2025-12-15" } ], "cwes": [ @@ -3575,8 +3575,8 @@ { "cve": "CVE-2019-1010024", "epss": 0.00364, - "percentile": 0.5785, - "date": "2025-12-14" + "percentile": 0.57833, + "date": "2025-12-15" } ], "cwes": [ @@ -3685,8 +3685,8 @@ { "cve": "CVE-2025-29478", "epss": 0.00034, - "percentile": 0.09478, - "date": "2025-12-14" + "percentile": 0.09393, + "date": "2025-12-15" } ], "cwes": [ @@ -3765,8 +3765,8 @@ { "cve": "CVE-2019-1010025", "epss": 0.00356, - "percentile": 0.5727, - "date": "2025-12-14" + "percentile": 0.57254, + "date": "2025-12-15" } ], "cwes": [ @@ -3828,8 +3828,8 @@ { "cve": "CVE-2019-1010025", "epss": 0.00356, - "percentile": 0.5727, - "date": "2025-12-14" + "percentile": 0.57254, + "date": "2025-12-15" } ], "cwes": [ 
@@ -3936,8 +3936,8 @@ { "cve": "CVE-2025-8713", "epss": 0.00057, - "percentile": 0.17875, - "date": "2025-12-14" + "percentile": 0.17855, + "date": "2025-12-15" } ], "cwes": [ @@ -3992,8 +3992,8 @@ { "cve": "CVE-2025-8713", "epss": 0.00057, - "percentile": 0.17875, - "date": "2025-12-14" + "percentile": 0.17855, + "date": "2025-12-15" } ], "cwes": [ @@ -4071,8 +4071,8 @@ { "cve": "CVE-2019-1010023", "epss": 0.00346, - "percentile": 0.5661, - "date": "2025-12-14" + "percentile": 0.56596, + "date": "2025-12-15" } ], "fix": { @@ -4138,8 +4138,8 @@ { "cve": "CVE-2019-1010023", "epss": 0.00346, - "percentile": 0.5661, - "date": "2025-12-14" + "percentile": 0.56596, + "date": "2025-12-15" } ] } @@ -4236,8 +4236,8 @@ { "cve": "CVE-2025-8058", "epss": 0.00031, - "percentile": 0.08295, - "date": "2025-12-14" + "percentile": 0.08225, + "date": "2025-12-15" } ], "cwes": [ @@ -4292,8 +4292,8 @@ { "cve": "CVE-2025-8058", "epss": 0.00031, - "percentile": 0.08295, - "date": "2025-12-14" + "percentile": 0.08225, + "date": "2025-12-15" } ], "cwes": [ @@ -4403,8 +4403,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -4470,8 +4470,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -4582,9 +4582,9 @@ "epss": [ { "cve": "CVE-2025-12817", - "epss": 0.0004, - "percentile": 0.11878, - "date": "2025-12-14" + "epss": 0.00046, + "percentile": 0.14034, + "date": "2025-12-15" } ], "cwes": [ @@ -4600,7 +4600,7 @@ "state": "wont-fix" }, "advisories": [], - "risk": 0.012199999999999999 + "risk": 0.014029999999999999 }, "relatedVulnerabilities": [ { @@ -4629,9 +4629,9 @@ "epss": [ { "cve": "CVE-2025-12817", - "epss": 0.0004, - "percentile": 0.11878, - "date": "2025-12-14" + "epss": 0.00046, + "percentile": 0.14034, + "date": "2025-12-15" } ], "cwes": [ 
@@ -4706,8 +4706,8 @@ { "cve": "CVE-2024-2236", "epss": 0.00222, - "percentile": 0.44746, - "date": "2025-12-14" + "percentile": 0.44727, + "date": "2025-12-15" } ], "cwes": [ @@ -4758,8 +4758,8 @@ { "cve": "CVE-2024-2236", "epss": 0.00222, - "percentile": 0.44746, - "date": "2025-12-14" + "percentile": 0.44727, + "date": "2025-12-15" } ], "cwes": [ @@ -4830,8 +4830,8 @@ { "cve": "CVE-2020-15719", "epss": 0.00216, - "percentile": 0.44145, - "date": "2025-12-14" + "percentile": 0.44125, + "date": "2025-12-15" } ], "cwes": [ @@ -4895,8 +4895,8 @@ { "cve": "CVE-2020-15719", "epss": 0.00216, - "percentile": 0.44145, - "date": "2025-12-14" + "percentile": 0.44125, + "date": "2025-12-15" } ], "cwes": [ @@ -4980,8 +4980,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -5028,8 +5028,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -5113,8 +5113,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -5161,8 +5161,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -5237,8 +5237,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -5285,8 +5285,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -5366,8 +5366,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ 
@@ -5414,8 +5414,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -5490,8 +5490,8 @@ { "cve": "CVE-2024-2379", "epss": 0.00205, - "percentile": 0.42752, - "date": "2025-12-14" + "percentile": 0.42737, + "date": "2025-12-15" } ], "cwes": [ @@ -5547,8 +5547,8 @@ { "cve": "CVE-2024-2379", "epss": 0.00205, - "percentile": 0.42752, - "date": "2025-12-14" + "percentile": 0.42737, + "date": "2025-12-15" } ], "cwes": [ @@ -5638,8 +5638,8 @@ { "cve": "CVE-2025-29477", "epss": 0.00019, - "percentile": 0.04132, - "date": "2025-12-14" + "percentile": 0.04084, + "date": "2025-12-15" } ], "cwes": [ @@ -5731,8 +5731,8 @@ { "cve": "CVE-2025-4802", "epss": 0.00012, - "percentile": 0.01157, - "date": "2025-12-14" + "percentile": 0.01154, + "date": "2025-12-15" } ], "cwes": [ @@ -5791,8 +5791,8 @@ { "cve": "CVE-2025-4802", "epss": 0.00012, - "percentile": 0.01157, - "date": "2025-12-14" + "percentile": 0.01154, + "date": "2025-12-15" } ], "cwes": [ @@ -5889,8 +5889,8 @@ { "cve": "CVE-2019-1010022", "epss": 0.00145, - "percentile": 0.35451, - "date": "2025-12-14" + "percentile": 0.35413, + "date": "2025-12-15" } ], "cwes": [ @@ -5951,8 +5951,8 @@ { "cve": "CVE-2019-1010022", "epss": 0.00145, - "percentile": 0.35451, - "date": "2025-12-14" + "percentile": 0.35413, + "date": "2025-12-15" } ], "cwes": [ @@ -6046,8 +6046,8 @@ { "cve": "CVE-2023-31437", "epss": 0.00128, - "percentile": 0.32956, - "date": "2025-12-14" + "percentile": 0.32907, + "date": "2025-12-15" } ], "cwes": [ @@ -6113,8 +6113,8 @@ { "cve": "CVE-2023-31437", "epss": 0.00128, - "percentile": 0.32956, - "date": "2025-12-14" + "percentile": 0.32907, + "date": "2025-12-15" } ], "cwes": [ @@ -6195,8 +6195,8 @@ { "cve": "CVE-2023-31437", "epss": 0.00128, - "percentile": 0.32956, - "date": "2025-12-14" + "percentile": 0.32907, + "date": "2025-12-15" } ], "cwes": [ 
@@ -6262,8 +6262,8 @@ { "cve": "CVE-2023-31437", "epss": 0.00128, - "percentile": 0.32956, - "date": "2025-12-14" + "percentile": 0.32907, + "date": "2025-12-15" } ], "cwes": [ @@ -6340,8 +6340,8 @@ { "cve": "CVE-2017-14159", "epss": 0.00123, - "percentile": 0.32248, - "date": "2025-12-14" + "percentile": 0.32198, + "date": "2025-12-15" } ], "cwes": [ @@ -6400,8 +6400,8 @@ { "cve": "CVE-2017-14159", "epss": 0.00123, - "percentile": 0.32248, - "date": "2025-12-14" + "percentile": 0.32198, + "date": "2025-12-15" } ], "cwes": [ @@ -6485,8 +6485,8 @@ { "cve": "CVE-2023-31438", "epss": 0.001, - "percentile": 0.2847, - "date": "2025-12-14" + "percentile": 0.28437, + "date": "2025-12-15" } ], "cwes": [ @@ -6535,8 +6535,8 @@ { "cve": "CVE-2023-31438", "epss": 0.001, - "percentile": 0.2847, - "date": "2025-12-14" + "percentile": 0.28437, + "date": "2025-12-15" } ], "cwes": [ @@ -6611,8 +6611,8 @@ { "cve": "CVE-2023-31438", "epss": 0.001, - "percentile": 0.2847, - "date": "2025-12-14" + "percentile": 0.28437, + "date": "2025-12-15" } ], "cwes": [ @@ -6661,8 +6661,8 @@ { "cve": "CVE-2023-31438", "epss": 0.001, - "percentile": 0.2847, - "date": "2025-12-14" + "percentile": 0.28437, + "date": "2025-12-15" } ], "cwes": [ @@ -6733,8 +6733,8 @@ { "cve": "CVE-2023-31439", "epss": 0.00094, - "percentile": 0.26906, - "date": "2025-12-14" + "percentile": 0.26877, + "date": "2025-12-15" } ], "cwes": [ @@ -6783,8 +6783,8 @@ { "cve": "CVE-2023-31439", "epss": 0.00094, - "percentile": 0.26906, - "date": "2025-12-14" + "percentile": 0.26877, + "date": "2025-12-15" } ], "cwes": [ @@ -6859,8 +6859,8 @@ { "cve": "CVE-2023-31439", "epss": 0.00094, - "percentile": 0.26906, - "date": "2025-12-14" + "percentile": 0.26877, + "date": "2025-12-15" } ], "cwes": [ @@ -6909,8 +6909,8 @@ { "cve": "CVE-2023-31439", "epss": 0.00094, - "percentile": 0.26906, - "date": "2025-12-14" + "percentile": 0.26877, + "date": "2025-12-15" } ], "cwes": [ 
@@ -6981,8 +6981,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -7029,8 +7029,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -7114,8 +7114,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -7162,8 +7162,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -7238,8 +7238,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -7286,8 +7286,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -7367,8 +7367,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -7415,8 +7415,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -7491,8 +7491,8 @@ { "cve": "CVE-2013-4392", "epss": 0.00057, - "percentile": 0.17828, - "date": "2025-12-14" + "percentile": 0.17808, + "date": "2025-12-15" } ], "cwes": [ @@ -7558,8 +7558,8 @@ { "cve": "CVE-2013-4392", "epss": 0.00057, - "percentile": 0.17828, - "date": "2025-12-14" + "percentile": 0.17808, + "date": "2025-12-15" } ], "cwes": [ @@ -7640,8 +7640,8 @@ { "cve": "CVE-2013-4392", "epss": 0.00057, - "percentile": 0.17828, - "date": "2025-12-14" + "percentile": 0.17808, + "date": "2025-12-15" } ], "cwes": [ 
@@ -7707,8 +7707,8 @@ { "cve": "CVE-2013-4392", "epss": 0.00057, - "percentile": 0.17828, - "date": "2025-12-14" + "percentile": 0.17808, + "date": "2025-12-15" } ], "cwes": [ @@ -7785,8 +7785,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -7846,8 +7846,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -7954,8 +7954,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -8015,8 +8015,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -8091,8 +8091,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -8152,8 +8152,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -8256,8 +8256,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -8317,8 +8317,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -8416,8 +8416,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -8477,8 +8477,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ 
@@ -8576,8 +8576,8 @@ { "cve": "CVE-2025-27587", "epss": 0.00035, - "percentile": 0.101, - "date": "2025-12-14" + "percentile": 0.10027, + "date": "2025-12-15" } ], "cwes": [ @@ -8624,8 +8624,8 @@ { "cve": "CVE-2025-27587", "epss": 0.00035, - "percentile": 0.101, - "date": "2025-12-14" + "percentile": 0.10027, + "date": "2025-12-15" } ], "cwes": [ @@ -8721,8 +8721,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ], "fix": { @@ -8763,8 +8763,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ] } 
@@ -9204,87 +9204,87 @@ "db": { "status": { "schemaVersion": "v6.1.3", - "from": "https://grype.anchore.io/databases/v6/vulnerability-db_v6.1.3_2025-12-15T00:26:22Z_1765786837.tar.zst?checksum=sha256%3A819b50d22f073b9ab2ad3c00d212207037c07e1de037f81b528b58717b758db2", - "built": "2025-12-15T08:20:37Z", + "from": "https://grype.anchore.io/databases/v6/vulnerability-db_v6.1.3_2025-12-16T00:25:11Z_1765880790.tar.zst?checksum=sha256%3Aa8bb3ef2cc68f242e78cda1e451f290ff56a23b1063de65d22a0ac20e16ae5bd", + "built": "2025-12-16T10:26:30Z", "path": ".cache/grype/db/6/vulnerability.db", "valid": true }, "providers": { "alma": { - "captured": "2025-12-15T00:26:29Z", + "captured": "2025-12-16T00:25:17Z", "input": "xxh64:3bae44c7a22f7a7a" }, "alpine": { - "captured": "2025-12-15T00:26:22Z", - "input": "xxh64:a6910ebae352b990" + "captured": "2025-12-16T00:25:13Z", + "input": "xxh64:0d94cc3d895e96e4" }, "amazon": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:d9332811ab10da09" + "captured": "2025-12-16T00:25:14Z", + "input": "xxh64:96351b3c21f16cdd" }, "bitnami": { - "captured": "2025-12-15T00:26:31Z", - "input": "xxh64:1ecf12b668dea077" + "captured": "2025-12-16T00:25:26Z", + "input": "xxh64:01d096e52d6c584d" }, "chainguard": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:c788b1823558ccdc" + "captured": "2025-12-16T00:25:19Z", + "input": "xxh64:aeb142b1fabd05ef" }, "chainguard-libraries": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:61125e10198fff74" + "captured": "2025-12-16T00:25:25Z", + "input": "xxh64:131c1a3e98113468" }, "debian": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:3a0aef0ee5db3f38" + "captured": "2025-12-16T00:25:24Z", + "input": "xxh64:9c5942d58a5f0d0a" }, "echo": { - "captured": "2025-12-15T00:26:34Z", - "input": "xxh64:b407f1052619408a" + "captured": "2025-12-16T00:25:20Z", + "input": "xxh64:e65ed35a7a7899d0" }, "epss": { - "captured": "2025-12-15T00:26:28Z", - "input": "xxh64:05fd1e2ee709d2a5" + "captured": 
"2025-12-16T00:25:21Z", + "input": "xxh64:c443dbaf0209cf17" }, "github": { - "captured": "2025-12-15T00:26:44Z", - "input": "xxh64:3c7fd996a88f1c66" + "captured": "2025-12-16T00:25:21Z", + "input": "xxh64:640038905439d285" }, "kev": { - "captured": "2025-12-15T00:26:23Z", - "input": "xxh64:ed425533655d771d" + "captured": "2025-12-16T00:25:11Z", + "input": "xxh64:c28f5b32e2103243" }, "mariner": { - "captured": "2025-12-15T00:26:32Z", - "input": "xxh64:6fdbff1192df3158" + "captured": "2025-12-16T00:25:18Z", + "input": "xxh64:647810a8c07a63eb" }, "minimos": { - "captured": "2025-12-15T00:26:30Z", - "input": "xxh64:66fa9397e7abbbe3" + "captured": "2025-12-16T00:25:20Z", + "input": "xxh64:24ca3b7889974a27" }, "nvd": { - "captured": "2025-12-15T00:29:34Z", - "input": "xxh64:52a15157244d2eb4" + "captured": "2025-12-16T00:28:18Z", + "input": "xxh64:8ee1877e9a9e680b" }, "oracle": { - "captured": "2025-12-15T00:26:29Z", - "input": "xxh64:a3297070ed6c54c1" + "captured": "2025-12-16T00:25:23Z", + "input": "xxh64:a4416b6b3e4250df" }, "rhel": { - "captured": "2025-12-15T00:27:19Z", - "input": "xxh64:e625d0086bf187f1" + "captured": "2025-12-16T00:26:07Z", + "input": "xxh64:9911b1a567d8f57c" }, "sles": { - "captured": "2025-12-15T00:26:44Z", - "input": "xxh64:baf8228a110f8ba2" + "captured": "2025-12-16T00:25:43Z", + "input": "xxh64:1b717d5f2e45fdee" }, "ubuntu": { - "captured": "2025-12-15T00:27:45Z", - "input": "xxh64:dd0f79d777310979" + "captured": "2025-12-16T00:27:14Z", + "input": "xxh64:2d3097578288b46f" }, "wolfi": { - "captured": "2025-12-15T00:26:25Z", - "input": "xxh64:7f14313934ae61bb" + "captured": "2025-12-16T00:25:19Z", + "input": "xxh64:f85923693eb62700" } } } diff --git a/docs/security/oss/grype-4.1.0.json b/docs/security/oss/grype-4.1.0.json index 2cfd984..fb33db0 100644 --- a/docs/security/oss/grype-4.1.0.json +++ b/docs/security/oss/grype-4.1.0.json 
@@ -26,8 +26,8 @@ { "cve": "CVE-2023-2953", "epss": 0.01466, - "percentile": 0.80391, - "date": "2025-12-14" + "percentile": 0.80389, + "date": "2025-12-15" } ], "cwes": [ @@ -105,8 +105,8 @@ { "cve": "CVE-2023-2953", "epss": 0.01466, - "percentile": 0.80391, - "date": "2025-12-14" + "percentile": 0.80389, + "date": "2025-12-15" } ], "cwes": [ @@ -202,8 +202,8 @@ { "cve": "CVE-2011-3389", "epss": 0.03795, - "percentile": 0.8769, - "date": "2025-12-14" + "percentile": 0.87688, + "date": "2025-12-15" } ], "cwes": [ @@ -337,8 +337,8 @@ { "cve": "CVE-2011-3389", "epss": 0.03795, - "percentile": 0.8769, - "date": "2025-12-14" + "percentile": 0.87688, + "date": "2025-12-15" } ], "cwes": [ @@ -413,8 +413,8 @@ { "cve": "CVE-2015-3276", "epss": 0.02852, - "percentile": 0.8578, - "date": "2025-12-14" + "percentile": 0.85775, + "date": "2025-12-15" } ], "fix": { @@ -467,8 +467,8 @@ { "cve": "CVE-2015-3276", "epss": 0.02852, - "percentile": 0.8578, - "date": "2025-12-14" + "percentile": 0.85775, + "date": "2025-12-15" } ] } @@ -560,8 +560,8 @@ { "cve": "CVE-2025-12970", "epss": 0.00117, - "percentile": 0.3122, - "date": "2025-12-14" + "percentile": 0.31179, + "date": "2025-12-15" } ], "cwes": [ @@ -640,8 +640,8 @@ { "cve": "CVE-2018-20796", "epss": 0.01669, - "percentile": 0.8162, - "date": "2025-12-14" + "percentile": 0.81616, + "date": "2025-12-15" } ], "cwes": [ @@ -703,8 +703,8 @@ { "cve": "CVE-2018-20796", "epss": 0.01669, - "percentile": 0.8162, - "date": "2025-12-14" + "percentile": 0.81616, + "date": "2025-12-15" } ], "cwes": [ @@ -798,8 +798,8 @@ { "cve": "CVE-2017-17740", "epss": 0.01643, - "percentile": 0.81471, - "date": "2025-12-14" + "percentile": 0.81467, + "date": "2025-12-15" } ], "cwes": [ @@ -861,8 +861,8 @@ { "cve": "CVE-2017-17740", "epss": 0.01643, - "percentile": 0.81471, - "date": "2025-12-14" + "percentile": 0.81467, + "date": "2025-12-15" } ], "cwes": [ 
@@ -959,8 +959,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ], "fix": { @@ -1001,8 +1001,8 @@ { "cve": "CVE-2025-9086", "epss": 0.00095, - "percentile": 0.27178, - "date": "2025-12-14" + "percentile": 0.27151, + "date": "2025-12-15" } ] } @@ -1085,8 +1085,8 @@ { "cve": "CVE-2025-12977", "epss": 0.00072, - "percentile": 0.22148, - "date": "2025-12-14" + "percentile": 0.22126, + "date": "2025-12-15" } ], "cwes": [ @@ -1180,8 +1180,8 @@ { "cve": "CVE-2025-12978", "epss": 0.00114, - "percentile": 0.30839, - "date": "2025-12-14" + "percentile": 0.30806, + "date": "2025-12-15" } ], "fix": { @@ -1252,8 +1252,8 @@ { "cve": "CVE-2019-9192", "epss": 0.00942, - "percentile": 0.75629, - "date": "2025-12-14" + "percentile": 0.75628, + "date": "2025-12-15" } ], "cwes": [ @@ -1312,8 +1312,8 @@ { "cve": "CVE-2019-9192", "epss": 0.00942, - "percentile": 0.75629, - "date": "2025-12-14" + "percentile": 0.75628, + "date": "2025-12-15" } ], "cwes": [ @@ -1407,8 +1407,8 @@ { "cve": "CVE-2025-0725", "epss": 0.00904, - "percentile": 0.75077, - "date": "2025-12-14" + "percentile": 0.7508, + "date": "2025-12-15" } ], "cwes": [ @@ -1461,8 +1461,8 @@ { "cve": "CVE-2025-0725", "epss": 0.00904, - "percentile": 0.75077, - "date": "2025-12-14" + "percentile": 0.7508, + "date": "2025-12-15" } ], "cwes": [ @@ -1553,8 +1553,8 @@ { "cve": "CVE-2025-12972", "epss": 0.00086, - "percentile": 0.25316, - "date": "2025-12-14" + "percentile": 0.25288, + "date": "2025-12-15" } ], "cwes": [ @@ -1649,8 +1649,8 @@ { "cve": "CVE-2025-12969", "epss": 0.00076, - "percentile": 0.2293, - "date": "2025-12-14" + "percentile": 0.22908, + "date": "2025-12-15" } ], "cwes": [ @@ -1742,8 +1742,8 @@ { "cve": "CVE-2025-10148", "epss": 0.0007, - "percentile": 0.21525, - "date": "2025-12-14" + "percentile": 0.21504, + "date": "2025-12-15" } ], "fix": { 
@@ -1786,8 +1786,8 @@ { "cve": "CVE-2025-10148", "epss": 0.0007, - "percentile": 0.21525, - "date": "2025-12-14" + "percentile": 0.21504, + "date": "2025-12-15" } ] } @@ -1854,8 +1854,8 @@ { "cve": "CVE-2010-4756", "epss": 0.00691, - "percentile": 0.71132, - "date": "2025-12-14" + "percentile": 0.71128, + "date": "2025-12-15" } ], "cwes": [ @@ -1906,8 +1906,8 @@ { "cve": "CVE-2010-4756", "epss": 0.00691, - "percentile": 0.71132, - "date": "2025-12-14" + "percentile": 0.71128, + "date": "2025-12-15" } ], "cwes": [ 
@@ -1990,96 +1990,94 @@ }, { "vulnerability": { - "id": "CVE-2018-6829", - "dataSource": "https://security-tracker.debian.org/tracker/CVE-2018-6829", + "id": "CVE-2025-12818", + "dataSource": "https://security-tracker.debian.org/tracker/CVE-2025-12818", "namespace": "debian:distro:debian:12", - "severity": "Negligible", + "severity": "Medium", "urls": [], - "description": "cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.", - "cvss": [], + "description": "Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application using libpq. 
Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.", + "cvss": [ + { + "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 5.9, + "exploitabilityScore": 2.3, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ], "epss": [ { - "cve": "CVE-2018-6829", - "epss": 0.00577, - "percentile": 0.68044, - "date": "2025-12-14" + "cve": "CVE-2025-12818", + "epss": 0.00057, + "percentile": 0.1792, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2018-6829", - "cwe": "CWE-327", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2025-12818", + "cwe": "CWE-190", + "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", + "type": "Secondary" } ], "fix": { "versions": [], - "state": "not-fixed" + "state": "wont-fix" }, "advisories": [], - "risk": 0.02885 + "risk": 0.031065 }, "relatedVulnerabilities": [ { - "id": "CVE-2018-6829", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2018-6829", + "id": "CVE-2025-12818", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-12818", "namespace": "nvd:cpe", - "severity": "High", + "severity": "Medium", "urls": [ - "https://github.com/weikengchen/attack-on-libgcrypt-elgamal", - "https://github.com/weikengchen/attack-on-libgcrypt-elgamal/wiki", - "https://lists.gnupg.org/pipermail/gcrypt-devel/2018-February/004394.html", - "https://www.oracle.com/security-alerts/cpujan2020.html" + "https://www.postgresql.org/support/security/CVE-2025-12818/" ], - "description": "cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). 
The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.", + "description": "Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application using libpq. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.", "cvss": [ { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "3.0", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", + "type": "Secondary", + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "metrics": { - "baseScore": 7.5, - "exploitabilityScore": 3.9, + "baseScore": 5.9, + "exploitabilityScore": 2.3, "impactScore": 3.6 }, "vendorMetadata": {} - }, - { - "source": "nvd@nist.gov", - "type": "Primary", - "version": "2.0", - "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", - "metrics": { - "baseScore": 5, - "exploitabilityScore": 10, - "impactScore": 2.9 - }, - "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2018-6829", - "epss": 0.00577, - "percentile": 0.68044, - "date": "2025-12-14" + "cve": "CVE-2025-12818", + "epss": 0.00057, + "percentile": 0.1792, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2018-6829", - "cwe": "CWE-327", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2025-12818", + "cwe": "CWE-190", + "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", + "type": "Secondary" } ] } ], "matchDetails": [ { - "type": "exact-direct-match", + "type": "exact-indirect-match", "matcher": "dpkg-matcher", "searchedBy": { "distro": { 
@@ -2087,27 +2085,27 @@ "version": "12" }, "package": { - "name": "libgcrypt20", - "version": "1.10.1-3" + "name": "postgresql-15", + "version": "15.14-0+deb12u1" }, "namespace": "debian:distro:debian:12" }, "found": { - "vulnerabilityID": "CVE-2018-6829", + "vulnerabilityID": "CVE-2025-12818", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "aa143951e2980797", - "name": "libgcrypt20", - "version": "1.10.1-3", + "id": "da0ab4ee51b298d8", + "name": "libpq5", + "version": "15.14-0+deb12u1", "type": "deb", "locations": [ { - "path": "/var/lib/dpkg/status.d/libgcrypt20", + "path": "/var/lib/dpkg/status.d/libpq5", "layerID": "sha256:86fa2649786cc0925c0034adaf3ae286626382a50b431c29a3896af91fd013e8", - "accessPath": "/var/lib/dpkg/status.d/libgcrypt20", + "accessPath": "/var/lib/dpkg/status.d/libpq5", "annotations": { "evidence": "primary" } 
@@ -2116,102 +2114,108 @@ "language": "", "licenses": [], "cpes": [ - "cpe:2.3:a:libgcrypt20:libgcrypt20:1.10.1-3:*:*:*:*:*:*:*" + "cpe:2.3:a:libpq5:libpq5:15.14-0\\+deb12u1:*:*:*:*:*:*:*" ], - "purl": "pkg:deb/debian/libgcrypt20@1.10.1-3?arch=amd64&distro=debian-12", - "upstreams": [] + "purl": "pkg:deb/debian/libpq5@15.14-0%2Bdeb12u1?arch=amd64&distro=debian-12&upstream=postgresql-15", + "upstreams": [ + { + "name": "postgresql-15" + } + ] } }, { "vulnerability": { - "id": "CVE-2025-12818", - "dataSource": "https://security-tracker.debian.org/tracker/CVE-2025-12818", + "id": "CVE-2018-6829", + "dataSource": "https://security-tracker.debian.org/tracker/CVE-2018-6829", "namespace": "debian:distro:debian:12", - "severity": "Medium", + "severity": "Negligible", "urls": [], - "description": "Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application using libpq. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.", - "cvss": [ - { - "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", - "type": "Secondary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", - "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, - "impactScore": 3.6 - }, - "vendorMetadata": {} - } - ], + "description": "cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). 
The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.", + "cvss": [], "epss": [ { - "cve": "CVE-2025-12818", - "epss": 0.00052, - "percentile": 0.16429, - "date": "2025-12-14" + "cve": "CVE-2018-6829", + "epss": 0.00577, + "percentile": 0.6804, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-12818", - "cwe": "CWE-190", - "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", - "type": "Secondary" + "cve": "CVE-2018-6829", + "cwe": "CWE-327", + "source": "nvd@nist.gov", + "type": "Primary" } ], "fix": { "versions": [], - "state": "wont-fix" + "state": "not-fixed" }, "advisories": [], - "risk": 0.02834 + "risk": 0.02885 }, "relatedVulnerabilities": [ { - "id": "CVE-2025-12818", - "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2025-12818", + "id": "CVE-2018-6829", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2018-6829", "namespace": "nvd:cpe", - "severity": "Medium", + "severity": "High", "urls": [ - "https://www.postgresql.org/support/security/CVE-2025-12818/" + "https://github.com/weikengchen/attack-on-libgcrypt-elgamal", + "https://github.com/weikengchen/attack-on-libgcrypt-elgamal/wiki", + "https://lists.gnupg.org/pipermail/gcrypt-devel/2018-February/004394.html", + "https://www.oracle.com/security-alerts/cpujan2020.html" ], - "description": "Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application using libpq. 
Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.", + "description": "cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.", "cvss": [ { - "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", - "type": "Secondary", - "version": "3.1", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": "nvd@nist.gov", + "type": "Primary", + "version": "3.0", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "metrics": { - "baseScore": 5.9, - "exploitabilityScore": 2.3, + "baseScore": 7.5, + "exploitabilityScore": 3.9, "impactScore": 3.6 }, "vendorMetadata": {} + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", + "metrics": { + "baseScore": 5, + "exploitabilityScore": 10, + "impactScore": 2.9 + }, + "vendorMetadata": {} } ], "epss": [ { - "cve": "CVE-2025-12818", - "epss": 0.00052, - "percentile": 0.16429, - "date": "2025-12-14" + "cve": "CVE-2018-6829", + "epss": 0.00577, + "percentile": 0.6804, + "date": "2025-12-15" } ], "cwes": [ { - "cve": "CVE-2025-12818", - "cwe": "CWE-190", - "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", - "type": "Secondary" + "cve": "CVE-2018-6829", + "cwe": "CWE-327", + "source": "nvd@nist.gov", + "type": "Primary" } ] } ], "matchDetails": [ { - "type": "exact-indirect-match", + "type": "exact-direct-match", "matcher": "dpkg-matcher", "searchedBy": { "distro": { 
@@ -2219,27 +2223,27 @@ "version": "12" }, "package": { - "name": "postgresql-15", - "version": "15.14-0+deb12u1" + "name": "libgcrypt20", + "version": "1.10.1-3" }, "namespace": "debian:distro:debian:12" }, "found": { - "vulnerabilityID": "CVE-2025-12818", + "vulnerabilityID": "CVE-2018-6829", "versionConstraint": "none (unknown)" } } ], "artifact": { - "id": "da0ab4ee51b298d8", - "name": "libpq5", - "version": "15.14-0+deb12u1", + "id": "aa143951e2980797", + "name": "libgcrypt20", + "version": "1.10.1-3", "type": "deb", "locations": [ { - "path": "/var/lib/dpkg/status.d/libpq5", + "path": "/var/lib/dpkg/status.d/libgcrypt20", "layerID": "sha256:86fa2649786cc0925c0034adaf3ae286626382a50b431c29a3896af91fd013e8", - "accessPath": "/var/lib/dpkg/status.d/libpq5", + "accessPath": "/var/lib/dpkg/status.d/libgcrypt20", "annotations": { "evidence": "primary" } @@ -2248,14 +2252,10 @@ "language": "", "licenses": [], "cpes": [ - "cpe:2.3:a:libpq5:libpq5:15.14-0\\+deb12u1:*:*:*:*:*:*:*" + "cpe:2.3:a:libgcrypt20:libgcrypt20:1.10.1-3:*:*:*:*:*:*:*" ], - "purl": "pkg:deb/debian/libpq5@15.14-0%2Bdeb12u1?arch=amd64&distro=debian-12&upstream=postgresql-15", - "upstreams": [ - { - "name": "postgresql-15" - } - ] + "purl": "pkg:deb/debian/libgcrypt20@1.10.1-3?arch=amd64&distro=debian-12", + "upstreams": [] } }, { @@ -2271,8 +2271,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -2331,8 +2331,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -2416,8 +2416,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ 
@@ -2476,8 +2476,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -2552,8 +2552,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -2612,8 +2612,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -2693,8 +2693,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -2753,8 +2753,8 @@ { "cve": "CVE-2018-5709", "epss": 0.00463, - "percentile": 0.635, - "date": "2025-12-14" + "percentile": 0.63493, + "date": "2025-12-15" } ], "cwes": [ @@ -2842,8 +2842,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ @@ -2918,8 +2918,8 @@ { "cve": "CVE-2025-9230", "epss": 0.00026, - "percentile": 0.06473, - "date": "2025-12-14" + "percentile": 0.06447, + "date": "2025-12-15" } ], "cwes": [ @@ -3024,8 +3024,8 @@ { "cve": "CVE-2019-1010024", "epss": 0.00364, - "percentile": 0.5785, - "date": "2025-12-14" + "percentile": 0.57833, + "date": "2025-12-15" } ], "cwes": [ @@ -3088,8 +3088,8 @@ { "cve": "CVE-2019-1010024", "epss": 0.00364, - "percentile": 0.5785, - "date": "2025-12-14" + "percentile": 0.57833, + "date": "2025-12-15" } ], "cwes": [ @@ -3198,8 +3198,8 @@ { "cve": "CVE-2025-29478", "epss": 0.00034, - "percentile": 0.09478, - "date": "2025-12-14" + "percentile": 0.09393, + "date": "2025-12-15" } ], "cwes": [ @@ -3278,8 +3278,8 @@ { "cve": "CVE-2019-1010025", "epss": 0.00356, - "percentile": 0.5727, - "date": "2025-12-14" + "percentile": 0.57254, + "date": "2025-12-15" } ], "cwes": [ 
@@ -3341,8 +3341,8 @@ { "cve": "CVE-2019-1010025", "epss": 0.00356, - "percentile": 0.5727, - "date": "2025-12-14" + "percentile": 0.57254, + "date": "2025-12-15" } ], "cwes": [ @@ -3436,8 +3436,8 @@ { "cve": "CVE-2019-1010023", "epss": 0.00346, - "percentile": 0.5661, - "date": "2025-12-14" + "percentile": 0.56596, + "date": "2025-12-15" } ], "fix": { @@ -3503,8 +3503,8 @@ { "cve": "CVE-2019-1010023", "epss": 0.00346, - "percentile": 0.5661, - "date": "2025-12-14" + "percentile": 0.56596, + "date": "2025-12-15" } ] } @@ -3603,8 +3603,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -3670,8 +3670,8 @@ { "cve": "CVE-2025-9232", "epss": 0.00027, - "percentile": 0.06662, - "date": "2025-12-14" + "percentile": 0.06628, + "date": "2025-12-15" } ], "cwes": [ @@ -3782,9 +3782,9 @@ "epss": [ { "cve": "CVE-2025-12817", - "epss": 0.0004, - "percentile": 0.11878, - "date": "2025-12-14" + "epss": 0.00046, + "percentile": 0.14034, + "date": "2025-12-15" } ], "cwes": [ @@ -3800,7 +3800,7 @@ "state": "wont-fix" }, "advisories": [], - "risk": 0.012199999999999999 + "risk": 0.014029999999999999 }, "relatedVulnerabilities": [ { @@ -3829,9 +3829,9 @@ "epss": [ { "cve": "CVE-2025-12817", - "epss": 0.0004, - "percentile": 0.11878, - "date": "2025-12-14" + "epss": 0.00046, + "percentile": 0.14034, + "date": "2025-12-15" } ], "cwes": [ @@ -3906,8 +3906,8 @@ { "cve": "CVE-2024-2236", "epss": 0.00222, - "percentile": 0.44746, - "date": "2025-12-14" + "percentile": 0.44727, + "date": "2025-12-15" } ], "cwes": [ @@ -3958,8 +3958,8 @@ { "cve": "CVE-2024-2236", "epss": 0.00222, - "percentile": 0.44746, - "date": "2025-12-14" + "percentile": 0.44727, + "date": "2025-12-15" } ], "cwes": [ @@ -4030,8 +4030,8 @@ { "cve": "CVE-2020-15719", "epss": 0.00216, - "percentile": 0.44145, - "date": "2025-12-14" + "percentile": 0.44125, + "date": "2025-12-15" } ], "cwes": [ 
@@ -4095,8 +4095,8 @@ { "cve": "CVE-2020-15719", "epss": 0.00216, - "percentile": 0.44145, - "date": "2025-12-14" + "percentile": 0.44125, + "date": "2025-12-15" } ], "cwes": [ @@ -4180,8 +4180,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -4228,8 +4228,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -4313,8 +4313,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -4361,8 +4361,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -4437,8 +4437,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -4485,8 +4485,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -4566,8 +4566,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -4614,8 +4614,8 @@ { "cve": "CVE-2024-26458", "epss": 0.00206, - "percentile": 0.43059, - "date": "2025-12-14" + "percentile": 0.43043, + "date": "2025-12-15" } ], "cwes": [ @@ -4690,8 +4690,8 @@ { "cve": "CVE-2024-2379", "epss": 0.00205, - "percentile": 0.42752, - "date": "2025-12-14" + "percentile": 0.42737, + "date": "2025-12-15" } ], "cwes": [ @@ -4747,8 +4747,8 @@ { "cve": "CVE-2024-2379", "epss": 0.00205, - "percentile": 0.42752, - "date": "2025-12-14" + "percentile": 0.42737, + "date": "2025-12-15" } ], "cwes": [ 
@@ -4838,8 +4838,8 @@ { "cve": "CVE-2025-29477", "epss": 0.00019, - "percentile": 0.04132, - "date": "2025-12-14" + "percentile": 0.04084, + "date": "2025-12-15" } ], "cwes": [ @@ -4918,8 +4918,8 @@ { "cve": "CVE-2019-1010022", "epss": 0.00145, - "percentile": 0.35451, - "date": "2025-12-14" + "percentile": 0.35413, + "date": "2025-12-15" } ], "cwes": [ @@ -4980,8 +4980,8 @@ { "cve": "CVE-2019-1010022", "epss": 0.00145, - "percentile": 0.35451, - "date": "2025-12-14" + "percentile": 0.35413, + "date": "2025-12-15" } ], "cwes": [ @@ -5075,8 +5075,8 @@ { "cve": "CVE-2023-31437", "epss": 0.00128, - "percentile": 0.32956, - "date": "2025-12-14" + "percentile": 0.32907, + "date": "2025-12-15" } ], "cwes": [ @@ -5142,8 +5142,8 @@ { "cve": "CVE-2023-31437", "epss": 0.00128, - "percentile": 0.32956, - "date": "2025-12-14" + "percentile": 0.32907, + "date": "2025-12-15" } ], "cwes": [ @@ -5224,8 +5224,8 @@ { "cve": "CVE-2023-31437", "epss": 0.00128, - "percentile": 0.32956, - "date": "2025-12-14" + "percentile": 0.32907, + "date": "2025-12-15" } ], "cwes": [ @@ -5291,8 +5291,8 @@ { "cve": "CVE-2023-31437", "epss": 0.00128, - "percentile": 0.32956, - "date": "2025-12-14" + "percentile": 0.32907, + "date": "2025-12-15" } ], "cwes": [ @@ -5369,8 +5369,8 @@ { "cve": "CVE-2017-14159", "epss": 0.00123, - "percentile": 0.32248, - "date": "2025-12-14" + "percentile": 0.32198, + "date": "2025-12-15" } ], "cwes": [ @@ -5429,8 +5429,8 @@ { "cve": "CVE-2017-14159", "epss": 0.00123, - "percentile": 0.32248, - "date": "2025-12-14" + "percentile": 0.32198, + "date": "2025-12-15" } ], "cwes": [ @@ -5514,8 +5514,8 @@ { "cve": "CVE-2023-31438", "epss": 0.001, - "percentile": 0.2847, - "date": "2025-12-14" + "percentile": 0.28437, + "date": "2025-12-15" } ], "cwes": [ @@ -5564,8 +5564,8 @@ { "cve": "CVE-2023-31438", "epss": 0.001, - "percentile": 0.2847, - "date": "2025-12-14" + "percentile": 0.28437, + "date": "2025-12-15" } ], "cwes": [ 
@@ -5640,8 +5640,8 @@ { "cve": "CVE-2023-31438", "epss": 0.001, - "percentile": 0.2847, - "date": "2025-12-14" + "percentile": 0.28437, + "date": "2025-12-15" } ], "cwes": [ @@ -5690,8 +5690,8 @@ { "cve": "CVE-2023-31438", "epss": 0.001, - "percentile": 0.2847, - "date": "2025-12-14" + "percentile": 0.28437, + "date": "2025-12-15" } ], "cwes": [ @@ -5762,8 +5762,8 @@ { "cve": "CVE-2023-31439", "epss": 0.00094, - "percentile": 0.26906, - "date": "2025-12-14" + "percentile": 0.26877, + "date": "2025-12-15" } ], "cwes": [ @@ -5812,8 +5812,8 @@ { "cve": "CVE-2023-31439", "epss": 0.00094, - "percentile": 0.26906, - "date": "2025-12-14" + "percentile": 0.26877, + "date": "2025-12-15" } ], "cwes": [ @@ -5888,8 +5888,8 @@ { "cve": "CVE-2023-31439", "epss": 0.00094, - "percentile": 0.26906, - "date": "2025-12-14" + "percentile": 0.26877, + "date": "2025-12-15" } ], "cwes": [ @@ -5938,8 +5938,8 @@ { "cve": "CVE-2023-31439", "epss": 0.00094, - "percentile": 0.26906, - "date": "2025-12-14" + "percentile": 0.26877, + "date": "2025-12-15" } ], "cwes": [ @@ -6010,8 +6010,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -6058,8 +6058,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -6143,8 +6143,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -6191,8 +6191,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -6267,8 +6267,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ 
@@ -6315,8 +6315,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -6396,8 +6396,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -6444,8 +6444,8 @@ { "cve": "CVE-2024-26461", "epss": 0.00062, - "percentile": 0.19387, - "date": "2025-12-14" + "percentile": 0.19368, + "date": "2025-12-15" } ], "cwes": [ @@ -6520,8 +6520,8 @@ { "cve": "CVE-2013-4392", "epss": 0.00057, - "percentile": 0.17828, - "date": "2025-12-14" + "percentile": 0.17808, + "date": "2025-12-15" } ], "cwes": [ @@ -6587,8 +6587,8 @@ { "cve": "CVE-2013-4392", "epss": 0.00057, - "percentile": 0.17828, - "date": "2025-12-14" + "percentile": 0.17808, + "date": "2025-12-15" } ], "cwes": [ @@ -6669,8 +6669,8 @@ { "cve": "CVE-2013-4392", "epss": 0.00057, - "percentile": 0.17828, - "date": "2025-12-14" + "percentile": 0.17808, + "date": "2025-12-15" } ], "cwes": [ @@ -6736,8 +6736,8 @@ { "cve": "CVE-2013-4392", "epss": 0.00057, - "percentile": 0.17828, - "date": "2025-12-14" + "percentile": 0.17808, + "date": "2025-12-15" } ], "cwes": [ @@ -6814,8 +6814,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -6875,8 +6875,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -6983,8 +6983,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -7044,8 +7044,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ 
@@ -7120,8 +7120,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -7181,8 +7181,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -7285,8 +7285,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -7346,8 +7346,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -7445,8 +7445,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -7506,8 +7506,8 @@ { "cve": "CVE-2022-27943", "epss": 0.0005, - "percentile": 0.15519, - "date": "2025-12-14" + "percentile": 0.15487, + "date": "2025-12-15" } ], "cwes": [ @@ -7605,8 +7605,8 @@ { "cve": "CVE-2025-27587", "epss": 0.00035, - "percentile": 0.101, - "date": "2025-12-14" + "percentile": 0.10027, + "date": "2025-12-15" } ], "cwes": [ @@ -7653,8 +7653,8 @@ { "cve": "CVE-2025-27587", "epss": 0.00035, - "percentile": 0.101, - "date": "2025-12-14" + "percentile": 0.10027, + "date": "2025-12-15" } ], "cwes": [ @@ -7750,8 +7750,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ], "fix": { @@ -7792,8 +7792,8 @@ { "cve": "CVE-2025-10966", "epss": 0.00017, - "percentile": 0.03228, - "date": "2025-12-14" + "percentile": 0.03214, + "date": "2025-12-15" } ] } 
@@ -8233,87 +8233,87 @@ "db": { "status": { "schemaVersion": "v6.1.3", - "from": "https://grype.anchore.io/databases/v6/vulnerability-db_v6.1.3_2025-12-15T00:26:22Z_1765786837.tar.zst?checksum=sha256%3A819b50d22f073b9ab2ad3c00d212207037c07e1de037f81b528b58717b758db2", - "built": "2025-12-15T08:20:37Z", + "from": "https://grype.anchore.io/databases/v6/vulnerability-db_v6.1.3_2025-12-16T00:25:11Z_1765880790.tar.zst?checksum=sha256%3Aa8bb3ef2cc68f242e78cda1e451f290ff56a23b1063de65d22a0ac20e16ae5bd", + "built": "2025-12-16T10:26:30Z", "path": ".cache/grype/db/6/vulnerability.db", "valid": true }, "providers": { "alma": { - "captured": "2025-12-15T00:26:29Z", + "captured": "2025-12-16T00:25:17Z", "input": "xxh64:3bae44c7a22f7a7a" }, "alpine": { - "captured": "2025-12-15T00:26:22Z", - "input": "xxh64:a6910ebae352b990" + "captured": "2025-12-16T00:25:13Z", + "input": "xxh64:0d94cc3d895e96e4" }, "amazon": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:d9332811ab10da09" + "captured": "2025-12-16T00:25:14Z", + "input": "xxh64:96351b3c21f16cdd" }, "bitnami": { - "captured": "2025-12-15T00:26:31Z", - "input": "xxh64:1ecf12b668dea077" + "captured": "2025-12-16T00:25:26Z", + "input": "xxh64:01d096e52d6c584d" }, "chainguard": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:c788b1823558ccdc" + "captured": "2025-12-16T00:25:19Z", + "input": "xxh64:aeb142b1fabd05ef" }, "chainguard-libraries": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:61125e10198fff74" + "captured": "2025-12-16T00:25:25Z", + "input": "xxh64:131c1a3e98113468" }, "debian": { - "captured": "2025-12-15T00:26:33Z", - "input": "xxh64:3a0aef0ee5db3f38" + "captured": "2025-12-16T00:25:24Z", + "input": "xxh64:9c5942d58a5f0d0a" }, "echo": { - "captured": "2025-12-15T00:26:34Z", - "input": "xxh64:b407f1052619408a" + "captured": "2025-12-16T00:25:20Z", + "input": "xxh64:e65ed35a7a7899d0" }, "epss": { - "captured": "2025-12-15T00:26:28Z", - "input": "xxh64:05fd1e2ee709d2a5" + "captured": 
"2025-12-16T00:25:21Z", + "input": "xxh64:c443dbaf0209cf17" }, "github": { - "captured": "2025-12-15T00:26:44Z", - "input": "xxh64:3c7fd996a88f1c66" + "captured": "2025-12-16T00:25:21Z", + "input": "xxh64:640038905439d285" }, "kev": { - "captured": "2025-12-15T00:26:23Z", - "input": "xxh64:ed425533655d771d" + "captured": "2025-12-16T00:25:11Z", + "input": "xxh64:c28f5b32e2103243" }, "mariner": { - "captured": "2025-12-15T00:26:32Z", - "input": "xxh64:6fdbff1192df3158" + "captured": "2025-12-16T00:25:18Z", + "input": "xxh64:647810a8c07a63eb" }, "minimos": { - "captured": "2025-12-15T00:26:30Z", - "input": "xxh64:66fa9397e7abbbe3" + "captured": "2025-12-16T00:25:20Z", + "input": "xxh64:24ca3b7889974a27" }, "nvd": { - "captured": "2025-12-15T00:29:34Z", - "input": "xxh64:52a15157244d2eb4" + "captured": "2025-12-16T00:28:18Z", + "input": "xxh64:8ee1877e9a9e680b" }, "oracle": { - "captured": "2025-12-15T00:26:29Z", - "input": "xxh64:a3297070ed6c54c1" + "captured": "2025-12-16T00:25:23Z", + "input": "xxh64:a4416b6b3e4250df" }, "rhel": { - "captured": "2025-12-15T00:27:19Z", - "input": "xxh64:e625d0086bf187f1" + "captured": "2025-12-16T00:26:07Z", + "input": "xxh64:9911b1a567d8f57c" }, "sles": { - "captured": "2025-12-15T00:26:44Z", - "input": "xxh64:baf8228a110f8ba2" + "captured": "2025-12-16T00:25:43Z", + "input": "xxh64:1b717d5f2e45fdee" }, "ubuntu": { - "captured": "2025-12-15T00:27:45Z", - "input": "xxh64:dd0f79d777310979" + "captured": "2025-12-16T00:27:14Z", + "input": "xxh64:2d3097578288b46f" }, "wolfi": { - "captured": "2025-12-15T00:26:25Z", - "input": "xxh64:7f14313934ae61bb" + "captured": "2025-12-16T00:25:19Z", + "input": "xxh64:f85923693eb62700" } } }