Merge pull request #892 from DIVD-NL/Divd-2024-00031

Replacement RP for Divd 2024 00031
DIVD-NL · Dec 15, 2024 · 01128ab · 01128ab
2 parents 6b0898c + a78a271
commit 01128ab
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 7 deletions.
diff --git a/_cases/2024/DIVD-2024-00031.md b/_cases/2024/DIVD-2024-00031.md
@@ -3,15 +3,15 @@ layout: case
 title: "Unauthenticated Local File Inclusion vulnerability in ComfortKey"
 author: Victor Pasman
 lead: Alwin Warringa
-excerpt: "A Local File Inclusion vulnerability has been found in ComfortKey, a product of Celsius Benelux. Using this vulnerability, an unauthenticated attacker may retrieve sensitive information about the underlying system."
+excerpt: "An Unautheticated Local File Inclusion vulnerability has been found in ComfortKey, a product of Celsius Benelux. Using this vulnerability, an unauthenticated attacker may retrieve sensitive information about the underlying system."
 researchers:
 - Alwin Warringa
 cves:
 - CVE-2024-27120
 product:
 - ComfortKey
 versions:
-- ComfortKey below version 24.1.2. 
+- < 24.1.2. 
 recommendation: "Check for the patched versions and get those installed"
 workaround: "N/A"
 patch_status: Released
@@ -32,17 +32,19 @@ timeline:
   end:
   event: "First version of this casefile."
 # ips: 0
-
+# The lines below redirect all the CVE references to our site
+# Uncommend these lines if we are the CNA of record. (ask @cna_admins on Slack if you don't know)
+jekyll-secinfo:
+  cve:
+    url: /cves/CVE-
 ---
 
 ## Summary
-A Local File Inclusion vulnerability has been found in ComfortKey, a product of Celsius Benelux. Using this vulnerability, an unauthenticated attacker may retrieve sensitive information about the underlying system.
+An Unauthenticated Local File Inclusion vulnerability has been found in ComfortKey, a product of Celsius Benelux. Using this vulnerability, an unauthenticated attacker may retrieve sensitive information about the underlying system.
 
 ## Recommendations
 Comfort Key released patched version 24.1.2. Please update to this version number or higher if possible.
 
-## Mitigation
-N/A
 
 ## What we are doing
 DIVD is currently working to identify parties that are running a vulnerable version of Geoserver and to notify these parties. We do this by verifying the presence of the vulnerability in a harmless manner and collect the software version number if possible.

diff --git a/_data/cves/2024/CVE-2024-27120.json b/_data/cves/2024/CVE-2024-27120.json
@@ -44,7 +44,8 @@
           "versions": [
             {
               "status": "affected",
-              "version": "before 24.1.2"
+              "version": "*",
+              "lessThan": "24.1.2"
             }
           ],
           "defaultStatus": "unaffected"