Search

Find a vulnerability

Search criteria

    3 vulnerabilities found for GBrowse by Generic Model Organism Database Project

    CVE-2023-32637 (GCVE-0-2023-32637)

    Vulnerability from nvd – Published: 2023-07-25 05:01 – Updated: 2024-10-23 19:13 Unsupported When Assigned
    VLAI
    Summary
    GBrowse accepts files with any formats uploaded and places them in the area accessible through unauthenticated web requests. Therefore, anyone who can upload files through the product may execute arbitrary code on the server.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • Unrestricted Upload of File with Dangerous Type
    Assigner
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T15:25:36.265Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "http://gmod.org/wiki/GBrowse"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://jbrowse.org/jb2/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/jp/JVN35897618/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-32637",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-23T19:13:16.328467Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-23T19:13:27.167Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "GBrowse",
              "vendor": "Generic Model Organism Database Project",
              "versions": [
                {
                  "status": "affected",
                  "version": "unspecified"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "GBrowse accepts files with any formats uploaded and places them in the area accessible through unauthenticated web requests. Therefore, anyone who can upload files through the product may execute arbitrary code on the server."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Unrestricted Upload of File with Dangerous Type",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-07-25T05:01:48.955Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "http://gmod.org/wiki/GBrowse"
            },
            {
              "url": "https://jbrowse.org/jb2/"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN35897618/"
            }
          ],
          "tags": [
            "unsupported-when-assigned"
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2023-32637",
        "datePublished": "2023-07-25T05:01:48.955Z",
        "dateReserved": "2023-05-11T04:09:45.896Z",
        "dateUpdated": "2024-10-23T19:13:27.167Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-32637 (GCVE-0-2023-32637)

    Vulnerability from cvelistv5 – Published: 2023-07-25 05:01 – Updated: 2024-10-23 19:13 Unsupported When Assigned
    VLAI
    Summary
    GBrowse accepts files with any formats uploaded and places them in the area accessible through unauthenticated web requests. Therefore, anyone who can upload files through the product may execute arbitrary code on the server.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • Unrestricted Upload of File with Dangerous Type
    Assigner
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T15:25:36.265Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "http://gmod.org/wiki/GBrowse"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://jbrowse.org/jb2/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/jp/JVN35897618/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-32637",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-23T19:13:16.328467Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-23T19:13:27.167Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "GBrowse",
              "vendor": "Generic Model Organism Database Project",
              "versions": [
                {
                  "status": "affected",
                  "version": "unspecified"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "GBrowse accepts files with any formats uploaded and places them in the area accessible through unauthenticated web requests. Therefore, anyone who can upload files through the product may execute arbitrary code on the server."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Unrestricted Upload of File with Dangerous Type",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-07-25T05:01:48.955Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "url": "http://gmod.org/wiki/GBrowse"
            },
            {
              "url": "https://jbrowse.org/jb2/"
            },
            {
              "url": "https://jvn.jp/en/jp/JVN35897618/"
            }
          ],
          "tags": [
            "unsupported-when-assigned"
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2023-32637",
        "datePublished": "2023-07-25T05:01:48.955Z",
        "dateReserved": "2023-05-11T04:09:45.896Z",
        "dateUpdated": "2024-10-23T19:13:27.167Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    JVNDB-2023-000073

    Vulnerability from jvndb - Published: 2023-07-21 15:02 - Updated:2024-04-12 17:31
    Severity
    Summary
    GBrowse vulnerable to unrestricted upload of files with dangerous types
    Details
    GBrowse provided by Generic Model Organism Database Project is a web-based genome browser. GBrowse allows the users to upload their own data in several file formats (see "GBrowse User Uploads"). The affected versions of GBrowse accept files with any formats uploaded (CWE-434), and place them in the area accessible through unauthenticated web requests. The reporter states that attacks exploiting this vulnerability have been observed. Cyber Defense Institute, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
    Show details on JVN DB website

    {
      "@rdf:about": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-000073.html",
      "dc:date": "2024-04-12T17:31+09:00",
      "dcterms:issued": "2023-07-21T15:02+09:00",
      "dcterms:modified": "2024-04-12T17:31+09:00",
      "description": "GBrowse provided by Generic Model Organism Database Project is a web-based genome browser. GBrowse allows the users to upload their own data in several file formats (see \"GBrowse User Uploads\").\r\nThe affected versions of GBrowse accept files with any formats uploaded (CWE-434), and place them in the area accessible through unauthenticated web requests.\r\n\r\nThe reporter states that attacks exploiting this vulnerability have been observed.\r\n\r\nCyber Defense Institute, Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
      "link": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-000073.html",
      "sec:cpe": {
        "#text": "cpe:/a:gmod:gbrowse",
        "@product": "GBrowse",
        "@vendor": "Generic Model Organism Database Project",
        "@version": "2.2"
      },
      "sec:cvss": [
        {
          "@score": "5.0",
          "@severity": "Medium",
          "@type": "Base",
          "@vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
          "@version": "2.0"
        },
        {
          "@score": "5.3",
          "@severity": "Medium",
          "@type": "Base",
          "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
          "@version": "3.0"
        }
      ],
      "sec:identifier": "JVNDB-2023-000073",
      "sec:references": [
        {
          "#text": "https://jvn.jp/en/jp/JVN35897618/index.html",
          "@id": "JVN#35897618",
          "@source": "JVN"
        },
        {
          "#text": "https://www.cve.org/CVERecord?id=CVE-2023-32637",
          "@id": "CVE-2023-32637",
          "@source": "CVE"
        },
        {
          "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-32637",
          "@id": "CVE-2023-32637",
          "@source": "NVD"
        },
        {
          "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
          "@id": "CWE-Other",
          "@title": "No Mapping(CWE-Other)"
        }
      ],
      "title": "GBrowse vulnerable to unrestricted upload of files with dangerous types"
    }