Add 22 new statements that matched the dataset, excluding twin commits found by Prospector

Author: matteogreek

statements/CVE-2013-0158/statement.yaml

@@ -0,0 +1,17 @@
+vulnerability_id: CVE-2013-0158
+notes:
+- links: []
+  text: Unspecified vulnerability in Jenkins before 1.498, Jenkins LTS before 1.480.2, and Jenkins Enterprise 1.447.x before 1.447.6.1 and 1.466.x before 1.466.12.1, when a slave is attached and anonymous read access is enabled, allows remote attackers to obtain the master cryptographic key via unknown vectors.
+fixes:
+- id: DEFAULT_BRANCH
+  commits:
+  - id: a9aff088f327278a8873aef47fa8f80d3c5932fd
+    repository: https://github.com/jenkinsci/jenkins.git
+  - id: c3d8e05a1b3d58b6c4dcff97394cb3a79608b4b2
+    repository: https://github.com/jenkinsci/jenkins.git
+  - id: 3dc13b957b14cec649036e8dd517f0f9cb21fb04
+    repository: https://github.com/jenkinsci/jenkins.git
+  - id: 4895eaafca468b7f0f1a3166b2fca7414f0d5da5
+    repository: https://github.com/jenkinsci/jenkins.git
+  - id: 94a8789b699132dd706021a6be1b78bc47f19602
+    repository: https://github.com/jenkinsci/jenkins.git

statements/CVE-2014-3498/statement.yaml

@@ -0,0 +1,10 @@
+vulnerability_id: CVE-2014-3498
+notes:
+- links:
+  - https://bugzilla.redhat.com/show_bug.cgi?id=1335551
+  text: The user module in ansible before 1.6.6 allows remote authenticated users to execute arbitrary commands.
+fixes:
+- id: DEFAULT_BRANCH
+  commits:
+  - id: 8ed6350e65c82292a631f08845dfaacffe7f07f5
+    repository: https://github.com/ansible/ansible

statements/CVE-2017-0906/statement.yaml

@@ -0,0 +1,9 @@
+vulnerability_id: CVE-2017-0906
+notes:
+- links: []
+  text: The Recurly Client Python Library before 2.0.5, 2.1.16, 2.2.22, 2.3.1, 2.4.5, 2.5.1, 2.6.2 is vulnerable to a Server-Side Request Forgery vulnerability in the "Resource.get" method that could result in compromise of API keys or other critical resources.
+fixes:
+- id: DEFAULT_BRANCH
+  commits:
+  - id: 049c74699ce93cf126feff06d632ea63fba36742
+    repository: https://github.com/recurly/recurly-client-python

statements/CVE-2017-7481/statement.yaml

@@ -0,0 +1,21 @@
+vulnerability_id: CVE-2017-7481
+notes:
+- links:
+  - https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7481
+  - https://snyk.io/vuln/SNYK-PYTHON-ANSIBLE-42165
+  text: Ansible before versions 2.3.1.0 and 2.4.0.0 fails to properly mark lookup-plugin results as unsafe. If an attacker could control the results of lookup() calls, they could inject Unicode strings to be parsed by the jinja2 templating system, resulting in code execution. By default, the jinja2 templating language is now marked as 'unsafe' and is not evaluated.
+fixes:
+- id: DEFAULT_BRANCH
+  commits:
+  - id: ed56f51f185a1ffd7ea57130d260098686fcc7c2
+    repository: https://github.com/ansible/ansible
+artifacts:
+- id: pkg:maven/ansible/ansible@2.8.2
+  reason: Reviewed manually
+  affected: false
+- id: pkg:maven/ansible/ansible@2.7.12
+  reason: Reviewed manually
+  affected: false
+- id: pkg:maven/ansible/ansible@2.3.0.0
+  reason: Reviewed manually
+  affected: true

statements/CVE-2018-12537/statement.yaml

@@ -0,0 +1,79 @@
+vulnerability_id: CVE-2018-12537
+notes:
+- links: []
+  text: In Eclipse Vert.x version 3.0 to 3.5.1, the HttpServer response headers and HttpClient request headers do not filter carriage return and line feed characters from the header value. This allow unfiltered values to inject a new header in the client request or server response.
+fixes:
+- id: DEFAULT_BRANCH
+  commits:
+  - id: 1bb6445226c39a95e7d07ce3caaf56828e8aab72
+    repository: https://github.com/eclipse/vert.x
+artifacts:
+- id: pkg:maven/io.vertx/vertx-core@3.2.1
+  reason: Assessed with Eclipse Steady (AST_EQUALITY)
+  affected: true
+- id: pkg:maven/io.vertx/vertx-core@3.4.2
+  reason: Assessed with Eclipse Steady (AST_EQUALITY)
+  affected: true
+- id: pkg:maven/io.vertx/vertx-core@3.5.1
+  reason: Assessed with Eclipse Steady (AST_EQUALITY)
+  affected: true
+- id: pkg:maven/io.vertx/vertx-core@3.6.1
+  reason: Assessed with Eclipse Steady (AST_EQUALITY)
+  affected: false
+- id: pkg:maven/io.vertx/vertx-core@3.6.3
+  reason: Assessed with Eclipse Steady (AST_EQUALITY)
+  affected: false
+- id: pkg:maven/io.vertx/vertx-core@3.8.1
+  reason: Assessed with Eclipse Steady (AST_EQUALITY)
+  affected: false
+- id: pkg:maven/io.vertx/vertx-core@3.8.2
+  reason: Assessed with Eclipse Steady (AST_EQUALITY)
+  affected: false
+- id: pkg:maven/io.vertx/vertx-core@3.8.3
+  reason: Assessed with Eclipse Steady (AST_EQUALITY)
+  affected: false
+- id: pkg:maven/io.vertx/vertx-core@3.8.4
+  reason: Assessed with Eclipse Steady (AST_EQUALITY)
+  affected: false
+- id: pkg:maven/io.vertx/vertx-core@3.0.0
+  reason: Assessed with Eclipse Steady (AST_EQUALITY)
+  affected: true
+- id: pkg:maven/io.vertx/vertx-core@3.5.0
+  reason: Assessed with Eclipse Steady (AST_EQUALITY)
+  affected: true
+- id: pkg:maven/io.vertx/vertx-core@3.5.2
+  reason: Assessed with Eclipse Steady (AST_EQUALITY)
+  affected: false
+- id: pkg:maven/io.vertx/vertx-core@3.3.3
+  reason: Assessed with Eclipse Steady (AST_EQUALITY)
+  affected: true
+- id: pkg:maven/io.vertx/vertx-core@3.5.3
+  reason: Assessed with Eclipse Steady (AST_EQUALITY)
+  affected: false
+- id: pkg:maven/io.vertx/vertx-core@3.5.4
+  reason: Assessed with Eclipse Steady (AST_EQUALITY)
+  affected: false
+- id: pkg:maven/io.vertx/vertx-core@3.6.0
+  reason: Assessed with Eclipse Steady (AST_EQUALITY)
+  affected: false
+- id: pkg:maven/io.vertx/vertx-core@3.6.2
+  reason: Assessed with Eclipse Steady (AST_EQUALITY)
+  affected: false
+- id: pkg:maven/io.vertx/vertx-core@3.7.0
+  reason: Assessed with Eclipse Steady (AST_EQUALITY)
+  affected: false
+- id: pkg:maven/io.vertx/vertx-core@3.7.1
+  reason: Assessed with Eclipse Steady (AST_EQUALITY)
+  affected: false
+- id: pkg:maven/io.vertx/vertx-core@3.8.0
+  reason: Assessed with Eclipse Steady (AST_EQUALITY)
+  affected: false
+- id: pkg:maven/io.vertx/vertx-core@3.8.5
+  reason: Assessed with Eclipse Steady (AST_EQUALITY)
+  affected: false
+- id: pkg:maven/io.vertx/vertx-core@3.9.0
+  reason: Assessed with Eclipse Steady (AST_EQUALITY)
+  affected: false
+- id: pkg:maven/io.vertx/vertx-core@3.9.2
+  reason: Assessed with Eclipse Steady (AST_EQUALITY)
+  affected: false

statements/CVE-2018-16984/statement.yaml

@@ -0,0 +1,50 @@
+vulnerability_id: CVE-2018-16984
+notes:
+- links:
+  - https://docs.djangoproject.com/en/2.1/releases/2.1.2/
+  text: An issue was discovered in Django 2.1 before 2.1.2, in which unprivileged users can read the password hashes of arbitrary accounts. The read-only password widget used by the Django Admin to display an obfuscated password hash was bypassed if a user has only the "view" permission (new in Django 2.1), resulting in display of the entire password hash to those users. This may result in a vulnerability for sites with legacy user accounts using insecure hashes.
+fixes:
+- id: DEFAULT_BRANCH
+  commits:
+  - id: bf39978a53f117ca02e9a0c78b76664a41a54745
+    repository: https://github.com/django/django
+artifacts:
+- id: pkg:maven/Django/Django@2.0.4
+  reason: Reviewed manually
+  affected: true
+- id: pkg:maven/Django/Django@2.2.3
+  reason: Assessed with Eclipse Steady (AST_EQUALITY)
+  affected: false
+- id: pkg:maven/Django/Django@2.2.4
+  reason: Assessed with Eclipse Steady (AST_EQUALITY)
+  affected: false
+- id: pkg:maven/Django/Django@2.2.8
+  reason: Assessed with Eclipse Steady (AST_EQUALITY)
+  affected: false
+- id: pkg:maven/Django/Django@2.2.8
+  reason: Reviewed manually
+  affected: false
+- id: pkg:maven/Django/Django@2.2.9
+  reason: Assessed with Eclipse Steady (AST_EQUALITY)
+  affected: false
+- id: pkg:maven/Django/Django@2.0.1
+  reason: Reviewed manually
+  affected: true
+- id: pkg:maven/Django/Django@2.0.6
+  reason: Reviewed manually
+  affected: true
+- id: pkg:maven/Django/Django@2.2.2
+  reason: Assessed with Eclipse Steady (AST_EQUALITY)
+  affected: false
+- id: pkg:maven/Django/Django@2.2.11
+  reason: Assessed with Eclipse Steady (AST_EQUALITY)
+  affected: false
+- id: pkg:maven/Django/Django@2.2.12
+  reason: Assessed with Eclipse Steady (AST_EQUALITY)
+  affected: false
+- id: pkg:maven/Django/Django@2.2.13
+  reason: Assessed with Eclipse Steady (AST_EQUALITY)
+  affected: false
+- id: pkg:maven/Django/Django@2.2.14
+  reason: Assessed with Eclipse Steady (AST_EQUALITY)
+  affected: false

statements/CVE-2019-1003012/statement.yaml

@@ -0,0 +1,11 @@
+vulnerability_id: CVE-2019-1003012
+notes:
+- links:
+  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1003012
+  - https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1201
+  text: A data modification vulnerability exists in Jenkins Blue Ocean Plugins 1.10.1 and earlier in blueocean-core-js/src/js/bundleStartup.js, blueocean-core-js/src/js/fetch.ts, blueocean-core-js/src/js/i18n/i18n.js, blueocean-core-js/src/js/urlconfig.js, blueocean-rest/src/main/java/io/jenkins/blueocean/rest/APICrumbExclusion.java, blueocean-web/src/main/java/io/jenkins/blueocean/BlueOceanUI.java, blueocean-web/src/main/resources/io/jenkins/blueocean/BlueOceanUI/index.jelly that allows attackers to bypass all cross-site request forgery protection in Blue Ocean API.
+fixes:
+- id: DEFAULT_BRANCH
+  commits:
+  - id: 1a03020b5a50c1e3f47d4b0902ec7fc78d3c86ce
+    repository: https://github.com/jenkinsci/blueocean-plugin

statements/CVE-2019-1003013/statement.yaml

@@ -0,0 +1,11 @@
+vulnerability_id: CVE-2019-1003013
+notes:
+- links:
+  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1003013
+  - https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1204
+  text: An cross-site scripting vulnerability exists in Jenkins Blue Ocean Plugins 1.10.1 and earlier in blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/Export.java, blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/export/ExportConfig.java, blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/export/JSONDataWriter.java, blueocean-rest-impl/src/main/java/io/jenkins/blueocean/service/embedded/UserStatePreloader.java, blueocean-web/src/main/resources/io/jenkins/blueocean/PageStatePreloadDecorator/header.jelly that allows attackers with permission to edit a user's description in Jenkins to have Blue Ocean render arbitrary HTML when using it as that user.
+fixes:
+- id: DEFAULT_BRANCH
+  commits:
+  - id: 62775e78532b756826bb237775b64a5052624b57
+    repository: https://github.com/jenkinsci/blueocean-plugin

statements/CVE-2019-12387/statement.yaml

@@ -0,0 +1,11 @@
+vulnerability_id: CVE-2019-12387
+notes:
+- links:
+  - https://labs.twistedmatrix.com/2019/06/twisted-1921-released.html
+  - https://twistedmatrix.com/pipermail/twisted-python/2019-June/032352.html
+  text: In Twisted before 19.2.1, twisted.web did not validate or sanitize URIs or HTTP methods, allowing an attacker to inject invalid characters such as CRLF.
+fixes:
+- id: DEFAULT_BRANCH
+  commits:
+  - id: 6c61fc4503ae39ab8ecee52d10f10ee2c371d7e2
+    repository: https://github.com/twisted/twisted

statements/CVE-2019-18933/statement.yaml

@@ -0,0 +1,10 @@
+vulnerability_id: CVE-2019-18933
+notes:
+- links:
+  - https://blog.zulip.com/2019/11/21/zulip-2-0-7-security-release/
+  text: In Zulip Server versions from 1.7.0 to before 2.0.7, a bug in the new user signup process meant that users who registered their account using social authentication (e.g., GitHub or Google SSO) in an organization that also allows password authentication could have their personal API key stolen by an unprivileged attacker, allowing nearly full access to the user's account.
+fixes:
+- id: DEFAULT_BRANCH
+  commits:
+  - id: 0c2cc41d2e40807baa5ee2c72987ebfb64ea2eb6
+    repository: https://github.com/zulip/zulip

statements/CVE-2019-19687/statement.yaml

@@ -0,0 +1,10 @@
+vulnerability_id: CVE-2019-19687
+notes:
+- links:
+  - https://bugs.launchpad.net/keystone/+bug/968696
+  text: OpenStack Keystone 15.0.0 and 16.0.0 is affected by Data Leakage in the list credentials API. Any user with a role on a project is able to list any credentials with the /v3/credentials API when enforce_scope is false. Users with a role on a project are able to view any other users' credentials, which could (for example) leak sign-on information for Time-based One Time Passwords (TOTP). Deployments with enforce_scope set to false are affected. (There will be a slight performance impact for the list credentials API once this issue is fixed.)
+fixes:
+- id: DEFAULT_BRANCH
+  commits:
+  - id: 17c337dbdbfb9d548ad531c2ad0483c9bce5b98f
+    repository: https://github.com/openstack/keystone

statements/CVE-2019-3558/statement.yaml

@@ -0,0 +1,11 @@
+vulnerability_id: CVE-2019-3558
+notes:
+- links:
+  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3558
+  - https://www.facebook.com/security/advisories/cve-2019-3558
+  text: Python Facebook Thrift servers would not error upon receiving messages with containers of fields of unknown type. As a result, malicious clients could send short messages which would take a long time for the server to parse, potentially leading to denial of service. This issue affects Facebook Thrift prior to v2019.02.18.00.
+fixes:
+- id: DEFAULT_BRANCH
+  commits:
+  - id: c5d6e07588cd03061bc54d451a7fa6e84883d62b
+    repository: https://github.com/facebook/fbthrift

statements/CVE-2019-3559/statement.yaml

@@ -0,0 +1,11 @@
+vulnerability_id: CVE-2019-3559
+notes:
+- links:
+  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3559
+  - https://www.facebook.com/security/advisories/cve-2019-3559
+  text: Java Facebook Thrift servers would not error upon receiving messages with containers of fields of unknown type. As a result, malicious clients could send short messages which would take a long time for the server to parse, potentially leading to denial of service. This issue affects Facebook Thrift prior to v2019.02.18.00.
+fixes:
+- id: DEFAULT_BRANCH
+  commits:
+  - id: a56346ceacad28bf470017a6bda1d5518d0bd943
+    repository: https://github.com/facebook/fbthrift

statements/CVE-2020-10799/statement.yaml

@@ -0,0 +1,10 @@
+vulnerability_id: CVE-2020-10799
+notes:
+- links:
+  - https://github.com/deeplook/svglib/issues/229
+  text: The svglib package through 0.9.3 for Python allows XXE attacks via an svg2rlg call.
+fixes:
+- id: DEFAULT_BRANCH
+  commits:
+  - id: d6d08c4323a3656ee5ebe9a072a6e6237efde800
+    repository: https://github.com/deeplook/svglib

statements/CVE-2020-13654/statement.yaml

@@ -0,0 +1,10 @@
+vulnerability_id: CVE-2020-13654
+notes:
+- links:
+  - https://github.com/xwiki/xwiki-platform/pull/1315
+  text: XWiki Platform before 12.8 mishandles escaping in the property displayer.
+fixes:
+- id: DEFAULT_BRANCH
+  commits:
+  - id: 82c31ea56be4ac756140f082d216268e1dca6ac8
+    repository: https://github.com/xwiki/xwiki-platform

statements/CVE-2020-13757/statement.yaml

@@ -0,0 +1,18 @@
+vulnerability_id: CVE-2020-13757
+notes:
+- links:
+  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13757
+  - https://github.com/sybrenstuvel/python-rsa/issues/146
+  text: Python-RSA before 4.1 ignores leading '\0' bytes during decryption of ciphertext. This could conceivably have a security-relevant impact, e.g., by helping an attacker to infer that an application uses Python-RSA, or if the length of accepted ciphertext affects application behavior (such as by causing excessive memory allocation).
+fixes:
+- id: DEFAULT_BRANCH
+  commits:
+  - id: 93af6f2f89a9bf28361e67716c4240e691520f30
+    repository: https://github.com/sybrenstuvel/python-rsa
+artifacts:
+- id: pkg:maven/rsa/rsa@4.2
+  reason: Assessed with Eclipse Steady (AST_EQUALITY)
+  affected: false
+- id: pkg:maven/rsa/rsa@4.6
+  reason: Assessed with Eclipse Steady (AST_EQUALITY)
+  affected: false