[Git][security-tracker-team/security-tracker][master] new jupyter-server issue
Moritz Muehlenhoff
jmm at debian.org
Fri Dec 25 19:05:22 GMT 2020
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
0c0198d3 by Moritz Muehlenhoff at 2020-12-25T20:05:02+01:00
new jupyter-server issue
NFUs
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -35,7 +35,7 @@ CVE-2020-35695
CVE-2020-35694
RESERVED
CVE-2020-35693 (On some Samsung phones and tablets running Android through 7.1.1, it i ...)
- TODO: check
+ NOT-FOR-US: Samsung
CVE-2020-35692
RESERVED
CVE-2020-35691
@@ -87,13 +87,13 @@ CVE-2020-35671
CVE-2020-35670
RESERVED
CVE-2020-35669 (An issue was discovered in the http package through 0.12.2 for Dart. I ...)
- TODO: check
+ NOT-FOR-US: Dart http
CVE-2020-35668 (RedisGraph 2.x through 2.2.11 has a NULL Pointer Dereference that lead ...)
- TODO: check
+ NOT-FOR-US: RedisGraph
CVE-2020-35667
RESERVED
CVE-2020-35666 (Steedos Platform through 1.21.24 allows NoSQL injection because the /a ...)
- TODO: check
+ NOT-FOR-US: Steedos Platform
CVE-2020-35665 (An unauthenticated command-execution vulnerability exists in TerraMast ...)
NOT-FOR-US: TerraMaster TOS
CVE-2020-35664
@@ -125,7 +125,7 @@ CVE-2020-35652
CVE-2020-35651
RESERVED
CVE-2020-35650 (Multiple cross-site scripting (XSS) vulnerabilities in Uncanny Groups ...)
- TODO: check
+ NOT-FOR-US: Uncanny Groups for LearnDash
CVE-2020-35649
RESERVED
CVE-2020-35648
@@ -3797,7 +3797,8 @@ CVE-2020-35271
CVE-2020-35270
RESERVED
CVE-2020-35269 (There is a Cross Site Request Forgery (CSRF) vulnerability in Nagios C ...)
- TODO: check
+ - nagios4 <undetermined>
+ NOTE: https://gist.github.com/MoSalah20/d1d40b43eafba0bd22ee4cddecad3cbc
CVE-2020-35268
RESERVED
CVE-2020-35267
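Review bot: the new `- nagios4 <undetermined>` line for CVE-2020-35269 has no follow-up marker, so the open question of whether the packaged nagios4 is affected is no longer visible once the `TODO: check` is dropped; keep a TODO alongside the package line (for example `TODO: check whether the CSRF described in the gist applies to the nagios4 version in Debian`) or record in the NOTE which Nagios component and versions the linked gist covers, so the <undetermined> state can be resolved later.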
@@ -9752,7 +9753,7 @@ CVE-2020-28462
CVE-2020-28461
RESERVED
CVE-2020-28460 (This affects the package multi-ini before 2.1.2. It is possible to pol ...)
- TODO: check
+ NOT-FOR-US: Node multi-ini
CVE-2020-28459
RESERVED
CVE-2020-28458 (All versions of package datatables.net are vulnerable to Prototype Pol ...)
@@ -9776,7 +9777,7 @@ CVE-2020-28450
CVE-2020-28449
RESERVED
CVE-2020-28448 (This affects the package multi-ini before 2.1.1. It is possible to pol ...)
- TODO: check
+ NOT-FOR-US: Node multi-ini
CVE-2020-28447
RESERVED
CVE-2020-28446
@@ -11902,7 +11903,7 @@ CVE-2020-28171
CVE-2020-28170
RESERVED
CVE-2020-28169 (The td-agent-builder plugin before 2020-12-18 for Fluentd allows attac ...)
- TODO: check
+ NOT-FOR-US: Fluentd plugin
CVE-2020-28168 (Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) ...)
- node-axios <unfixed> (bug #975305)
[buster] - node-axios <no-dsa> (Minor issue)
@@ -16918,7 +16919,7 @@ CVE-2020-26284 (Hugo is a fast and Flexible Static Site Generator built in Go. H
CVE-2020-26283
RESERVED
CVE-2020-26282 (BrowserUp Proxy allows you to manipulate HTTP requests and responses, ...)
- TODO: check
+ NOT-FOR-US: BrowserUp Proxy
CVE-2020-26281 (async-h1 is an asynchronous HTTP/1.1 parser for Rust (crates.io). Ther ...)
NOT-FOR-US: Rust async-h1
CVE-2020-26280 (OpenSlides is a free, Web-based presentation and assembly system for m ...)
@@ -16932,7 +16933,8 @@ CVE-2020-26277 (DBdeployer is a tool that deploys MySQL database servers easily.
CVE-2020-26276 (Fleet is an open source osquery manager. In Fleet before version 3.5.1 ...)
NOT-FOR-US: Fleet (osquery frontend)
CVE-2020-26275 (The Jupyter Server provides the backend (i.e. the core services, APIs, ...)
- TODO: check
+ - jupyter-server 1.1.1-1
+ NOTE: https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-9f66-54xg-pc2c
CVE-2020-26274 (In systeminformation (npm package) before version 4.31.1 there is a co ...)
NOT-FOR-US: Node systeminformation
CVE-2020-26273 (osquery is a SQL powered operating system instrumentation, monitoring, ...)
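Review bot: the jupyter-server entry for CVE-2020-26275 cites only the GHSA advisory and the Debian fixed version 1.1.1-1; other entries in this file also record the upstream fixing version or commit next to the reference (see the `(0.7.23)` and `(v1.3.6)` suffixes on the ua-parser-js and ini commit links further down), which makes it easier to confirm later that 1.1.1-1 really contains the upstream fix. Consider appending the upstream fixed version or fixing commit to the NOTE, or adding a second NOTE with it.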
@@ -16964,7 +16966,7 @@ CVE-2020-26263 (tlslite-ng is an open source python library that implements SSL
CVE-2020-26262
RESERVED
CVE-2020-26261 (jupyterhub-systemdspawner enables JupyterHub to spawn single-user note ...)
- TODO: check
+ NOT-FOR-US: JupyterHub
CVE-2020-26260 (BookStack is a platform for storing and organising information and doc ...)
NOT-FOR-US: BookStack
CVE-2020-26259 (XStream is a Java library to serialize objects to XML and back again. ...)
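Review bot: the NOT-FOR-US label for CVE-2020-26261 names "JupyterHub", but the description identifies the affected component as jupyterhub-systemdspawner, a separate spawner plugin; since JupyterHub itself is a distinct project, naming the actual component (`NOT-FOR-US: jupyterhub-systemdspawner`) keeps the entry unambiguous if JupyterHub-proper issues are triaged later.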
@@ -16985,7 +16987,7 @@ CVE-2020-26256 (Fast-csv is an npm package for parsing and formatting CSVs or an
CVE-2020-26255 (Kirby is a CMS. In Kirby CMS (getkirby/cms) before version 3.4.5, and ...)
NOT-FOR-US: Kirby CMS
CVE-2020-26254 (omniauth-apple is the OmniAuth strategy for "Sign In with Apple" (Ruby ...)
- TODO: check
+ NOT-FOR-US: omniauth-apple
CVE-2020-26253 (Kirby is a CMS. In Kirby CMS (getkirby/cms) before version 3.3.6, and ...)
NOT-FOR-US: Kirby CMS
CVE-2020-26252
@@ -17030,9 +17032,9 @@ CVE-2020-26237 (Highlight.js is a syntax highlighter written in JavaScript. High
CVE-2020-26236 (In ScratchVerifier before commit a603769, an attacker can hijack the v ...)
NOT-FOR-US: ScratchVerifier
CVE-2020-26234 (Opencast before versions 8.9 and 7.9 disables HTTPS hostname verificat ...)
- TODO: check
+ NOT-FOR-US: Opencast
CVE-2020-26233 (Git Credential Manager Core (GCM Core) is a secure Git credential help ...)
- TODO: check
+ NOT-FOR-US: Git Credential Manager
CVE-2020-26232 (Jupyter Server before version 1.0.6 has an Open redirect vulnerability ...)
- jupyter-server 1.0.7-1
NOTE: https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-grfj-wjv9-4f9v
@@ -20757,7 +20759,7 @@ CVE-2020-24659 (An issue was discovered in GnuTLS before 3.6.15. A server can tr
NOTE: https://gitlab.com/gnutls/gnutls/-/issues/1071
NOTE: https://gitlab.com/gnutls/gnutls/-/commit/29ee67c205855e848a0a26e6d0e4f65b6b943e0a
CVE-2020-24658 (Arm Compiler 5 through 5.06u6 has an error in a stack protection featu ...)
- TODO: check
+ NOT-FOR-US: Arm Compiler
CVE-2020-24657
RESERVED
CVE-2020-24656 (Maltego before 4.2.12 allows XXE attacks. ...)
@@ -25633,10 +25635,7 @@ CVE-2020-22280
CVE-2020-22279
RESERVED
CVE-2020-22278 (** DISPUTED ** phpMyAdmin through 5.0.2 allows CSV injection via Expor ...)
- - phpmyadmin <undetermined>
- NOTE: upstream considers this invalid until now, to be debated
- NOTE: https://github.com/phpmyadmin/phpmyadmin/issues/16101
- TODO: check, wait for validation of vulnerability status
+ NOTE: Disputed phpMyAdmin issue
CVE-2020-22277 (Import and export users and customers WordPress Plugin through 1.15.5. ...)
NOT-FOR-US: Import and export users and customers WordPress Plugin
CVE-2020-22276 (WeForms Wordpress Plugin 1.4.7 allows CSV injection via a form's entry ...)
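Review bot: the rewrite of CVE-2020-22278 drops the upstream issue link together with the package line, so the dispute is no longer traceable from the tracker; keep `NOTE: https://github.com/phpmyadmin/phpmyadmin/issues/16101` next to the "Disputed phpMyAdmin issue" note so a reader can see where the invalid-until-now position was argued, and consider stating in the NOTE that the entry is intentionally not tied to the phpmyadmin package while the dispute stands.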
@@ -29827,7 +29826,7 @@ CVE-2020-20191
CVE-2020-20190
RESERVED
CVE-2020-20189 (SQL Injection vulnerability in NewPK 1.1 via the title parameter to ad ...)
- TODO: check
+ NOT-FOR-US: NewPK
CVE-2020-20188
RESERVED
CVE-2020-20187
@@ -29921,7 +29920,7 @@ CVE-2020-20144
CVE-2020-20143
RESERVED
CVE-2020-20142 (Cross Site Scripting (XSS) vulnerability in the "To Remote CSV" compon ...)
- TODO: check
+ NOT-FOR-US: Flexmonster Pivot Table & Charts
CVE-2020-20141 (Cross Site Scripting (XSS) vulnerability in the To OLAP (XMLA) compone ...)
NOT-FOR-US: Flexmonster Pivot Table & Charts
CVE-2020-20140 (Cross Site Scripting (XSS) vulnerability in Remote Report component un ...)
@@ -37096,7 +37095,7 @@ CVE-2020-16610 (Hoosk Codeigniter CMS before 1.7.2 is affected by a Cross Site R
CVE-2020-16609
RESERVED
CVE-2020-16608 (Notable 1.8.4 allows XSS via crafted Markdown text, with resultant rem ...)
- TODO: check
+ NOT-FOR-US: Notable
CVE-2020-16607
RESERVED
CVE-2020-16606
@@ -49445,7 +49444,7 @@ CVE-2020-11976 (By crafting a special URL it is possible to make Wicket deliver
CVE-2020-11975 (Apache Unomi allows conditions to use OGNL scripting which offers the ...)
NOT-FOR-US: Apache Unomi
CVE-2020-11974 (In DolphinScheduler 1.2.0 and 1.2.1, with mysql connectorj a remote co ...)
- TODO: check
+ NOT-FOR-US: DolphinScheduler
CVE-2020-11973 (Apache Camel Netty enables Java deserialization by default. Apache Cam ...)
NOT-FOR-US: Apache Camel
CVE-2020-11972 (Apache Camel RabbitMQ enables Java deserialization by default. Apache ...)
@@ -52797,7 +52796,7 @@ CVE-2020-11095 (In FreeRDP before version 2.1.2, an out of bound reads occurs re
CVE-2020-11094 (The October CMS debugbar plugin before version 3.1.0 contains a featur ...)
NOT-FOR-US: October CMS
CVE-2020-11093 (Hyperledger Indy Node is the server portion of a distributed ledger pu ...)
- TODO: check
+ NOT-FOR-US: Hyperledger Indy Node
CVE-2020-11092
RESERVED
CVE-2020-11091 (In Weave Net before version 2.6.3, an attacker able to run a process a ...)
@@ -55728,7 +55727,7 @@ CVE-2020-10145
CVE-2020-10144
RESERVED
CVE-2020-10143 (Macrium Reflect includes an OpenSSL component that specifies an OPENSS ...)
- TODO: check
+ NOT-FOR-US: Macrium Reflect
CVE-2020-10142
RESERVED
CVE-2020-10141
@@ -61612,11 +61611,11 @@ CVE-2020-7793 (The package ua-parser-js before 0.7.23 are vulnerable to Regular
NOTE: https://snyk.io/vuln/SNYK-JS-UAPARSERJS-1023599
NOTE: https://github.com/faisalman/ua-parser-js/commit/6d1f26df051ba681463ef109d36c9cf0f7e32b18 (0.7.23)
CVE-2020-7792 (This affects all versions of package mout. The deepFillIn function can ...)
- TODO: check
+ NOT-FOR-US: Node mout
CVE-2020-7791 (This affects the package i18n before 2.1.15. Vulnerability arises out ...)
- TODO: check
+ NOT-FOR-US: i18n module for asp.net
CVE-2020-7790 (This affects the package spatie/browsershot from 0.0.0. By specifying ...)
- TODO: check
+ NOT-FOR-US: spatie/browsershot
CVE-2020-7789 (This affects the package node-notifier before 9.0.0. It allows an atta ...)
NOT-FOR-US: Node node-notifier
CVE-2020-7788 (This affects the package ini before 1.3.6. If an attacker submits a ma ...)
@@ -61626,7 +61625,7 @@ CVE-2020-7788 (This affects the package ini before 1.3.6. If an attacker submits
NOTE: https://snyk.io/vuln/SNYK-JS-INI-1048974
NOTE: https://github.com/npm/ini/commit/56d2805e07ccd94e2ba0984ac9240ff02d44b6f1 (v1.3.6)
CVE-2020-7787 (This affects all versions of package react-adal. It is possible for a ...)
- TODO: check
+ NOT-FOR-US: Node react-adal
CVE-2020-7786
RESERVED
CVE-2020-7785
@@ -61638,9 +61637,9 @@ CVE-2020-7783
CVE-2020-7782
RESERVED
CVE-2020-7781 (This affects the package connection-tester before 0.2.1. The injection ...)
- TODO: check
+ NOT-FOR-US: Node connection-tester
CVE-2020-7780 (This affects the package com.softwaremill.akka-http-session:core_2.13 ...)
- TODO: check
+ NOT-FOR-US: om.softwaremill.akka-http-session:core_2.13
CVE-2020-7779 (All versions of package djvalidator are vulnerable to Regular Expressi ...)
NOT-FOR-US: Node djvalidator
CVE-2020-7778 (This affects the package systeminformation before 4.30.2. The attacker ...)
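Review bot: typo in the CVE-2020-7780 label: `om.softwaremill.akka-http-session:core_2.13` is missing the leading "c"; the description line for the same CVE gives the artifact as `com.softwaremill.akka-http-session:core_2.13`, so the NOT-FOR-US line should read `NOT-FOR-US: com.softwaremill.akka-http-session:core_2.13`.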
@@ -61648,7 +61647,7 @@ CVE-2020-7778 (This affects the package systeminformation before 4.30.2. The att
CVE-2020-7777 (This affects all versions of package jsen. If an attacker can control ...)
NOT-FOR-US: Node jsen
CVE-2020-7776 (This affects the package phpoffice/phpspreadsheet from 0.0.0. The libr ...)
- TODO: check
+ NOT-FOR-US: phpoffice/phpspreadsheet
CVE-2020-7775
RESERVED
CVE-2020-7774 (This affects the package y18n before 4.0.1 and 5.0.5. PoC by po6ix: co ...)
@@ -65809,7 +65808,7 @@ CVE-2020-6161
CVE-2020-6160
RESERVED
CVE-2020-6159 (URLs using “javascript:” have the protocol removed when pa ...)
- TODO: check
+ NOT-FOR-US: Opera
CVE-2020-6158
RESERVED
CVE-2020-6157 (Opera Touch for iOS before version 2.4.5 is vulnerable to an address b ...)
@@ -66613,7 +66612,7 @@ CVE-2020-5810
CVE-2020-5809
RESERVED
CVE-2020-5808 (In certain scenarios in Tenable.sc prior to 5.17.0, a scanner could po ...)
- TODO: check
+ NOT-FOR-US: Tenable
CVE-2020-5807
RESERVED
CVE-2020-5806
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0c0198d3984a31d4291156362769843d482ec66c
More information about the debian-security-tracker-commits mailing list