updates 2025-04-15

Signed-off-by: Weston Steimel <[email protected]>

Author: westonsteimel

data/anchore/2024/CVE-2024-25090.json

@@ -12,9 +12,13 @@
     "affected": [
       {
         "cpes": [
-          "cpe:2.3:a:apache:roller:*:*:*:*:*:*:*:*"
+          "cpe:2.3:a:apache:roller:*:*:*:*:*:maven:*:*",
+          "cpe:2.3:a:org.apache.roller:roller-webapp:*:*:*:*:*:maven:*:*"
         ],
+        "packageName": "org.apache.roller:roller-webapp",
+        "packageType": "maven",
         "product": "Apache Roller",
+        "repo": "http://git-wip-us.apache.org/repos/asf/roller.git",
         "vendor": "Apache Software Foundation",
         "versions": [
           {

data/anchore/2024/CVE-2024-45038.json

@@ -13,7 +13,7 @@
       {
         "collectionURL": "https://github.com",
         "cpes": [
-          "cpe:2.3:a:meshtastic:meshtastic_firmware:*:*:*:*:*:*:*:*"
+          "cpe:2.3:o:meshtastic:meshtastic_firmware:*:*:*:*:*:*:*:*"
         ],
         "packageName": "meshtastic/firmware",
         "product": "firmware",

data/anchore/2024/CVE-2024-46911.json

@@ -18,6 +18,7 @@
         "packageName": "org.apache.roller:roller-webapp",
         "packageType": "maven",
         "product": "Apache Roller",
+        "repo": "http://git-wip-us.apache.org/repos/asf/roller.git",
         "vendor": "Apache Software Foundation",
         "versions": [
           {

data/anchore/2024/CVE-2024-47079.json

@@ -13,7 +13,7 @@
       {
         "collectionURL": "https://github.com",
         "cpes": [
-          "cpe:2.3:a:meshtastic:meshtastic_firmware:*:*:*:*:*:*:*:*"
+          "cpe:2.3:o:meshtastic:meshtastic_firmware:*:*:*:*:*:*:*:*"
         ],
         "packageName": "meshtastic/firmware",
         "product": "firmware",

data/anchore/2024/CVE-2024-51500.json

@@ -13,7 +13,7 @@
       {
         "collectionURL": "https://github.com",
         "cpes": [
-          "cpe:2.3:a:meshtastic:meshtastic_firmware:*:*:*:*:*:*:*:*"
+          "cpe:2.3:o:meshtastic:meshtastic_firmware:*:*:*:*:*:*:*:*"
         ],
         "packageName": "meshtastic/firmware",
         "product": "firmware",

data/anchore/2024/CVE-2024-9230.json

@@ -0,0 +1,43 @@
+{
+  "additionalMetadata": {
+    "cna": "wpscan",
+    "cveId": "CVE-2024-9230",
+    "description": "The PowerPress Podcasting plugin by Blubrry WordPress plugin before 11.9.18 does not sanitise and escape some of its settings when adding a podcast, which could allow author and above users to perform Stored Cross-Site Scripting attacks",
+    "reason": "Added CPE configurations because not yet analyzed by NVD.",
+    "references": [
+      "https://wpscan.com/vulnerability/ab5eaf57-fb61-4a08-b439-42dea40b7914/"
+    ],
+    "upstream": {
+      "datePublished": "2025-04-14T06:00:04.686Z",
+      "dateReserved": "2024-09-26T18:10:12.484Z",
+      "dateUpdated": "2025-04-14T14:22:16.658Z",
+      "digest": "f881746652e93136acb061b33160c1ad45cc773e6ac1a27270cd90f12c529306"
+    }
+  },
+  "adp": {
+    "affected": [
+      {
+        "collectionURL": "https://wordpress.org/plugins",
+        "cpes": [
+          "cpe:2.3:a:blubrry:powerpress:*:*:*:*:*:wordpress:*:*"
+        ],
+        "packageName": "powerpress",
+        "packageType": "wordpress-plugin",
+        "product": "PowerPress Podcasting plugin by Blubrry",
+        "repo": "https://plugins.svn.wordpress.org/powerpress",
+        "versions": [
+          {
+            "lessThan": "11.9.18",
+            "status": "affected",
+            "version": "0",
+            "versionType": "semver"
+          }
+        ]
+      }
+    ],
+    "providerMetadata": {
+      "orgId": "00000000-0000-4000-8000-000000000000",
+      "shortName": "anchoreadp"
+    }
+  }
+}

data/anchore/2025/CVE-2025-21608.json

@@ -19,7 +19,7 @@
       {
         "collectionURL": "https://github.com",
         "cpes": [
-          "cpe:2.3:a:meshtastic:meshtastic_firmware:*:*:*:*:*:*:*:*"
+          "cpe:2.3:o:meshtastic:meshtastic_firmware:*:*:*:*:*:*:*:*"
         ],
         "packageName": "meshtastic/firmware",
         "product": "firmware",

data/anchore/2025/CVE-2025-24797.json

@@ -0,0 +1,43 @@
+{
+  "additionalMetadata": {
+    "cna": "github_m",
+    "cveId": "CVE-2025-24797",
+    "description": "Meshtastic is an open source mesh networking solution. A fault in the handling of mesh packets containing invalid protobuf data can result in an attacker-controlled buffer overflow, allowing an attacker to hijack execution flow, potentially resulting in remote code execution. This attack does not require authentication or user interaction, as long as the target device rebroadcasts packets on the default channel. This vulnerability fixed in 2.6.2.",
+    "reason": "Added CPE configurations because not yet analyzed by NVD.",
+    "references": [
+      "https://github.com/meshtastic/firmware/security/advisories/GHSA-33hw-xhfh-944r"
+    ],
+    "upstream": {
+      "datePublished": "2025-04-14T23:25:19.152Z",
+      "dateReserved": "2025-01-23T17:11:35.838Z",
+      "dateUpdated": "2025-04-15T02:55:53.769Z",
+      "digest": "83f75e6b421aa0c2d67b443ab5732b5f60f23d4095eaae099a87b920a62a6b07"
+    }
+  },
+  "adp": {
+    "affected": [
+      {
+        "collectionURL": "https://github.com",
+        "cpes": [
+          "cpe:2.3:o:meshtastic:meshtastic_firmware:*:*:*:*:*:*:*:*"
+        ],
+        "packageName": "meshtastic/firmware",
+        "product": "firmware",
+        "repo": "https://github.com/meshtastic/firmware",
+        "vendor": "meshtastic",
+        "versions": [
+          {
+            "lessThan": "2.6.2",
+            "status": "affected",
+            "version": "0",
+            "versionType": "custom"
+          }
+        ]
+      }
+    ],
+    "providerMetadata": {
+      "orgId": "00000000-0000-4000-8000-000000000000",
+      "shortName": "anchoreadp"
+    }
+  }
+}

data/anchore/2025/CVE-2025-24859.json

@@ -0,0 +1,45 @@
+{
+  "additionalMetadata": {
+    "cna": "apache",
+    "cveId": "CVE-2025-24859",
+    "description": "A session management vulnerability exists in Apache Roller before version 6.1.5 where active user sessions are not properly invalidated after password changes. When a user's password is changed, either by the user themselves or by an administrator, existing sessions remain active and usable. This allows continued access to the application through old sessions even after password changes, potentially enabling unauthorized access if credentials were compromised.\n\nThis issue affects Apache Roller versions up to and including 6.1.4.\n\nThe vulnerability is fixed in Apache Roller 6.1.5 by implementing centralized session management that properly invalidates all active sessions when passwords are changed or users are disabled.",
+    "reason": "Added CPE configurations because not yet analyzed by NVD.",
+    "references": [
+      "https://lists.apache.org/thread/4j906k16v21kdx8hk87gl7663sw7lg7f",
+      "https://lists.apache.org/thread/vxv52vdr8nhtjlj6v02w43fdvo0cxw23"
+    ],
+    "upstream": {
+      "datePublished": "2025-04-14T08:18:54.729Z",
+      "dateReserved": "2025-01-26T22:17:14.419Z",
+      "dateUpdated": "2025-04-14T13:07:32.570Z",
+      "digest": "1410aa70b69857f227b7eab158bdfd0fb188bba6761ceeaaed4d83f61ff40ef5"
+    }
+  },
+  "adp": {
+    "affected": [
+      {
+        "cpes": [
+          "cpe:2.3:a:apache:roller:*:*:*:*:*:maven:*:*",
+          "cpe:2.3:a:org.apache.roller:roller-webapp:*:*:*:*:*:maven:*:*"
+        ],
+        "packageName": "org.apache.roller:roller-webapp",
+        "packageType": "maven",
+        "product": "Apache Roller",
+        "repo": "http://git-wip-us.apache.org/repos/asf/roller.git",
+        "vendor": "Apache Software Foundation",
+        "versions": [
+          {
+            "lessThan": "6.1.5",
+            "status": "affected",
+            "version": "1.0.0",
+            "versionType": "semver"
+          }
+        ]
+      }
+    ],
+    "providerMetadata": {
+      "orgId": "00000000-0000-4000-8000-000000000000",
+      "shortName": "anchoreadp"
+    }
+  }
+}

data/anchore/2025/CVE-2025-32200.json

@@ -7,6 +7,10 @@
     "references": [
       "https://patchstack.com/database/wordpress/plugin/advanced-backgrounds/vulnerability/wordpress-advanced-wordpress-backgrounds-plugin-1-12-4-content-injection-vulnerability?_s_id=cve"
     ],
+    "rejection": {
+      "date": "2025-04-14T13:37:58.688Z",
+      "reason": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority."
+    },
     "upstream": {
       "datePublished": "2025-04-04T15:59:09.196Z",
       "dateReserved": "2025-04-04T10:01:28.633Z",