A sample vulnerability definition using the WIP CycloneDX Vulnerability extension changes in CycloneDX/specification#44
Last active
January 2, 2021 10:48
-
-
Save garethr/b069d9bf84ca80635cd506e74c8e2247 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "title":"Cryptographic Issues", | |
| "credit":[ | |
| "" | |
| ], | |
| "packageName":"openssl", | |
| "language":"linux", | |
| "packageManager":"debian:9", | |
| "description":"## Overview\nOpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a \"fault-based attack.\"\n\n## References\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2010-0928)\n- [X-force Vulnerability Report](https://exchange.xforce.ibmcloud.com/vulnerabilities/56750)\n- [http://rdist.root.org/2010/03/08/attacking-rsa-exponentiation-with-fault-injection/](http://rdist.root.org/2010/03/08/attacking-rsa-exponentiation-with-fault-injection/)\n- [http://www.eecs.umich.edu/%7Evaleria/research/publications/DATE10RSA.pdf](http://www.eecs.umich.edu/%7Evaleria/research/publications/DATE10RSA.pdf)\n- [http://www.networkworld.com/news/2010/030410-rsa-security-attack.html](http://www.networkworld.com/news/2010/030410-rsa-security-attack.html)\n- [http://www.osvdb.org/62808](http://www.osvdb.org/62808)\n- [http://www.theregister.co.uk/2010/03/04/severe_openssl_vulnerability/](http://www.theregister.co.uk/2010/03/04/severe_openssl_vulnerability/)\n- [http://xforce.iss.net/xforce/xfdb/56750](http://xforce.iss.net/xforce/xfdb/56750)\n", | |
| "identifiers":{ | |
| "ALTERNATIVE":[ | |
| ], | |
| "CVE":[ | |
| "CVE-2010-0928" | |
| ], | |
| "CWE":[ | |
| "CWE-310" | |
| ] | |
| }, | |
| "severity":"low", | |
| "severityWithCritical":"low", | |
| "cvssScore":5.1, | |
| "CVSSv3":"CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", | |
| "patches":[ | |
| ], | |
| "references":[ | |
| { | |
| "title":"Debian Security Tracker", | |
| "url":"https://security-tracker.debian.org/tracker/CVE-2010-0928" | |
| }, | |
| { | |
| "title":"http://rdist.root.org/2010/03/08/attacking-rsa-exponentiation-with-fault-injection/", | |
| "url":"http://rdist.root.org/2010/03/08/attacking-rsa-exponentiation-with-fault-injection/" | |
| }, | |
| { | |
| "title":"http://www.eecs.umich.edu/%7Evaleria/research/publications/DATE10RSA.pdf", | |
| "url":"http://www.eecs.umich.edu/%7Evaleria/research/publications/DATE10RSA.pdf" | |
| }, | |
| { | |
| "title":"http://www.networkworld.com/news/2010/030410-rsa-security-attack.html", | |
| "url":"http://www.networkworld.com/news/2010/030410-rsa-security-attack.html" | |
| }, | |
| { | |
| "title":"http://www.osvdb.org/62808", | |
| "url":"http://www.osvdb.org/62808" | |
| }, | |
| { | |
| "title":"http://www.theregister.co.uk/2010/03/04/severe_openssl_vulnerability/", | |
| "url":"http://www.theregister.co.uk/2010/03/04/severe_openssl_vulnerability/" | |
| }, | |
| { | |
| "title":"http://xforce.iss.net/xforce/xfdb/56750", | |
| "url":"http://xforce.iss.net/xforce/xfdb/56750" | |
| }, | |
| { | |
| "title":"X-force Vulnerability Report", | |
| "url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/56750" | |
| } | |
| ], | |
| "creationTime":"2020-08-19T09:30:53.396991Z", | |
| "modificationTime":"2020-08-19T13:28:20.872020Z", | |
| "publicationTime":"2010-03-05T19:30:00Z", | |
| "disclosureTime":"2010-03-05T19:30:00Z", | |
| "id":"SNYK-DEBIAN9-OPENSSL-374995", | |
| "nvdSeverity":"medium", | |
| "relativeImportance":"unimportant", | |
| "semver":{ | |
| "vulnerable":[ | |
| "*" | |
| ] | |
| }, | |
| "exploit":"Not Defined", | |
| "from":[ | |
| "docker-image|gcr.io/distroless/base@latest", | |
| "openssl@1.1.0l-1~deb9u1", | |
| "openssl/libssl1.1@1.1.0l-1~deb9u1" | |
| ], | |
| "upgradePath":[ | |
| ], | |
| "isUpgradable":false, | |
| "isPatchable":false, | |
| "name":"openssl/libssl1.1", | |
| "version":"1.1.0l-1~deb9u1" | |
| }, |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| "vulnerabilities": [ | |
| { | |
| "ref": "<bom-ref>", | |
| "id": "CVE-2010-0928", | |
| "sources": [ | |
| { | |
| "name": "Snyk Intel", | |
| "url": "https://snyk.io/vuln/SNYK-DEBIAN9-OPENSSL-374995" | |
| }, | |
| { | |
| "name": "Debian Security Tracker", | |
| "url": "https://security-tracker.debian.org/tracker/CVE-2010-0928" | |
| }, | |
| { | |
| "name": "NVD", | |
| "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-0928" | |
| } | |
| ], | |
| "ratings": [ | |
| { | |
| "score": { | |
| "base": 9.8, | |
| "impact": 5.9, | |
| "exploitability": 3.0 | |
| }, | |
| "severity": "Medium", | |
| "source": "NVD", | |
| "method": "CVSSv3", | |
| "vector": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" | |
| }, | |
| { | |
| "severity": "None", | |
| "source": "Debian Security Tracker", | |
| "method": "Other" | |
| }, | |
| { | |
| "score": 100, | |
| "severity": "Low", | |
| "source": "Snyk", | |
| "method": "Other" | |
| } | |
| ], | |
| "cwes": [ | |
| 310 | |
| ], | |
| "description":"## Overview\nOpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a \"fault-based attack.\"\n\n## References\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2010-0928)\n- [X-force Vulnerability Report](https://exchange.xforce.ibmcloud.com/vulnerabilities/56750)\n- [http://rdist.root.org/2010/03/08/attacking-rsa-exponentiation-with-fault-injection/](http://rdist.root.org/2010/03/08/attacking-rsa-exponentiation-with-fault-injection/)\n- [http://www.eecs.umich.edu/%7Evaleria/research/publications/DATE10RSA.pdf](http://www.eecs.umich.edu/%7Evaleria/research/publications/DATE10RSA.pdf)\n- [http://www.networkworld.com/news/2010/030410-rsa-security-attack.html](http://www.networkworld.com/news/2010/030410-rsa-security-attack.html)\n- [http://www.osvdb.org/62808](http://www.osvdb.org/62808)\n- [http://www.theregister.co.uk/2010/03/04/severe_openssl_vulnerability/](http://www.theregister.co.uk/2010/03/04/severe_openssl_vulnerability/)\n- [http://xforce.iss.net/xforce/xfdb/56750](http://xforce.iss.net/xforce/xfdb/56750)\n", | |
| "recommendatations": [ | |
| ], | |
| "advisories": [ | |
| {"url": "http://rdist.root.org/2010/03/08/attacking-rsa-exponentiation-with-fault-injection/"}, | |
| {"url": "http://www.eecs.umich.edu/%7Evaleria/research/publications/DATE10RSA.pdf"}, | |
| {"url": "http://www.networkworld.com/news/2010/030410-rsa-security-attack.html"}, | |
| {"url": "http://www.osvdb.org/62808"}, | |
| {"url": "http://www.theregister.co.uk/2010/03/04/severe_openssl_vulnerability/"}, | |
| {"url": "http://xforce.iss.net/xforce/xfdb/56750"}, | |
| {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/56750"} | |
| ] | |
| } | |
| ] |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment