SAGVulnDisclosureSAMPLE.xml
<?xml version='1.0' encoding='utf-8'?>
<!--
Copyright and all other rights reserved by Reliable Energy Analytics, LLC (REA) 2018-2021.
Licensed under Creative Commons 4.0 https://creativecommons.org/licenses/by/4.0/
DISCLAIMER OF WARRANTIES
TO THE EXTENT NOT PROHIBITED BY LAW, REA HEREBY DISCLAIMS ALL EXPRESS OR IMPLIED REPRESENTATIONS,
WARRANTIES, GUARANTEES, AND CONDITIONS OF ANY KIND, ARISING BY LAW OR OTHERWISE, WITH REGARD TO THIS ARTIFACT,
INCLUDING BUT NOT LIMITED TO REPRESENTATIONS, WARRANTIES, GUARANTEES, AND CONDITIONS OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE, TITLE, NONINFRINGEMENT, AND QUALITY OF SERVICE.
REA MAKES NO REPRESENTATIONS OR WARRANTIES REGARDING THE CONTENT, EFFECTIVENESS, USEFULNESS, RELIABILITY,
AVAILABILITY, TIMELINESS, QUALITY, SUITABILITY, ACCURACY OR COMPLETENESS OF THIS ARTIFACT OR THE
RESULTS YOU MAY OBTAIN BY USING THE ARTIFACT OR THAT THE ARTIFACT WILL BE ERROR-FREE.
-->
<SAG:SBOMVulnerabilityDisclosure
xmlns:SAG="http://softwareassuranceguardian.com/1_1_7"
CVERespository="NIST_NVD"
NISTNVDSearchStatus="Success"
UnresolvedVulnerabilities="N"
PackageSourceLocation="https://softwareassuranceguardian.com/sag-pm.zip"
ProductName="SAG-PM (TM)"
ProductVersion="1.1.4"
SBOMAuthor="Reliable Energy Analytics LLC"
SBOMFormat="cycloneDX"
SBOMFormatSyntax="XML"
SBOMLocation="https://softwareassuranceguardian.com/SAG-PM-1_1_4-cycloneDX.xml"
SBOMTimestamp="2021-10-05T22:04:00Z"
SBOMTotalComponentCount="86"
SupplierName="Reliable Energy Analytics LLC"
VulnDisclosureCreateDate="2021-10-26T17:50:36.914560+00:00"
xsi:schemaLocation="http://softwareassuranceguardian.com/1_1_7 SAGVulnDisclosure.xsd"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<SAG:Component
CVESearchString="https://services.nvd.nist.gov/rest/json/cves/1.0?keyword=SAG-PM+(TM)+1.1.4"
ComponentID="None" ComponentName="SAG-PM (TM)"
ComponentSupplierName="Reliable Energy Analytics LLC"
ComponentVersion="1.1.4" NumberVulnsReported="0" />
<SAG:Component
CVESearchString="https://services.nvd.nist.gov/rest/json/cves/1.0?keyword=SAG-PM.msi+1.1.4"
ComponentID="None" ComponentName="SAG-PM.msi"
ComponentSupplierName="Reliable Energy Analytics LLC"
ComponentVersion="1.1.4" NumberVulnsReported="0" />
<SAG:Component
CVESearchString="https://services.nvd.nist.gov/rest/json/cves/1.0?keyword=SAG-PM.exe+1.1.4"
ComponentID="None" ComponentName="SAG-PM.exe"
ComponentSupplierName="Reliable Energy Analytics LLC"
ComponentVersion="1.1.4" NumberVulnsReported="0" />
<SAG:Component
CVESearchString="https://services.nvd.nist.gov/rest/json/cves/1.0?keyword=sag-pm-viewer.exe+1.1.4"
ComponentID="None" ComponentName="sag-pm-viewer.exe"
ComponentSupplierName="Reliable Energy Analytics LLC"
ComponentVersion="1.1.4" NumberVulnsReported="0" />
<SAG:Component
CVESearchString="https://services.nvd.nist.gov/rest/json/cves/1.0?keyword=END+USER+LICENSE+AGREEMENT.rtf+1.1.4"
ComponentID="None" ComponentName="END USER LICENSE AGREEMENT.rtf"
ComponentSupplierName="Reliable Energy Analytics LLC"
ComponentVersion="1.1.4" NumberVulnsReported="0" />
<SAG:Component
CVESearchString="https://services.nvd.nist.gov/rest/json/cves/1.0?keyword=cryptography+3.3.1"
ComponentID="pkg:pypi/cryptography@3.3.1" ComponentName="cryptography"
ComponentSupplierName="The cryptography developers"
ComponentVersion="3.3.1" NumberVulnsReported="2">
<SAG:CVE>
<SAG:CVEID>CVE-2020-36242</SAG:CVEID>
<SAG:CVSS>9.1</SAG:CVSS>
<SAG:CVEDescription>In the cryptography package before 3.3.2 for Python, certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated by the Fernet class.</SAG:CVEDescription>
<SAG:Exploitable>N</SAG:Exploitable>
<SAG:FixStatus>N/A</SAG:FixStatus>
<SAG:AnalysisFindings>This vulnerability is exploited during file encryption. SAG-PM does not perform file encryption using this component and is most likely not vulnerable to this CVE</SAG:AnalysisFindings>
</SAG:CVE>
<SAG:CVE>
<SAG:CVEID>CVE-2014-8564</SAG:CVEID>
<SAG:CVSS>5.0</SAG:CVSS>
<SAG:CVEDescription>The _gnutls_ecc_ansi_x963_export function in gnutls_ecc.c in GnuTLS 3.x before 3.1.28, 3.2.x before 3.2.20, and 3.3.x before 3.3.10 allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted (1) Elliptic Curve Cryptography (ECC) certificate or (2) certificate signing requests (CSR), related to generating key IDs.</SAG:CVEDescription>
<SAG:Exploitable>N</SAG:Exploitable>
<SAG:FixStatus>N/A</SAG:FixStatus>
<SAG:AnalysisFindings>This vulnerability is exploited when Elliptic curve certificates are used. SAG-PM does not perform any elliptic curve certificate functions from this component and is most likely not vulnerable to this CVE</SAG:AnalysisFindings>
</SAG:CVE>
</SAG:Component>
</SAG:SBOMVulnerabilityDisclosure>