[Git][security-tracker-team/security-tracker][master] 2 commits: Process some NFUs

Salvatore Bonaccorso carnil at debian.org
Wed Dec 30 08:31:41 GMT 2020


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
2083b028 by Salvatore Bonaccorso at 2020-12-30T09:31:21+01:00
Process some NFUs

- - - - -
f74a565b by Salvatore Bonaccorso at 2020-12-30T09:31:21+01:00
Add CVE-2020-35850/cockpit

Classification could range between unimportant and no-dsa, as Martin Pitt
stated:

        My initial classification of this is somewhere between
        "enhancement" and "mild unexpected security-related issue", so
        let's not rush this.

https://github.com/cockpit-project/cockpit/issues/15077#issuecomment-751797360

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -19,15 +19,16 @@ CVE-2021-21435
 CVE-2021-21434
 	RESERVED
 CVE-2020-35850 (** DISPUTED ** An SSRF issue was discovered in cockpit-project.org Coc ...)
-	TODO: check
+	- cockpit <unfixed>
+	NOTE: https://github.com/cockpit-project/cockpit/issues/15077
 CVE-2020-35849
 	RESERVED
 CVE-2020-35848 (Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controll ...)
-	TODO: check
+	NOT-FOR-US: Agentejo Cockpit
 CVE-2020-35847 (Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controll ...)
-	TODO: check
+	NOT-FOR-US: Agentejo Cockpit
 CVE-2020-35846 (Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controll ...)
-	TODO: check
+	NOT-FOR-US: Agentejo Cockpit
 CVE-2020-35845
 	RESERVED
 CVE-2020-35844
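Review bot: the new `- cockpit <unfixed>` line for CVE-2020-35850 carries no severity tag even though the commit message says the classification is still open between unimportant and no-dsa and the CVE text is marked ** DISPUTED **; once triaged, append the chosen tag, e.g. `- cockpit <unfixed> (unimportant)`, or extend the NOTE line to record the dispute so the next reader does not treat this as a plain unfixed issue. The three `NOT-FOR-US: Agentejo Cockpit` lines for CVE-2020-35846..35848 are consistent with their descriptions, and worth keeping distinct from the cockpit-project.org entry above since the two products share the name "Cockpit".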
@@ -6238,7 +6239,7 @@ CVE-2020-29596 (MiniWeb HTTP server 0.8.19 allows remote attackers to cause a de
 CVE-2020-29595 (PlugIns\IDE_ACDStd.apl in ACDSee Photo Studio Studio Professional 2021 ...)
 	NOT-FOR-US: ACDSee Photo Studio Studio Professional
 CVE-2020-29594 (Rocket.Chat before 0.74.4, 1.x before 1.3.4, 2.x before 2.4.13, 3.x be ...)
-	TODO: check
+	NOT-FOR-US: Rocket.Chat
 CVE-2020-29593
 	RESERVED
 CVE-2020-29592
@@ -6783,9 +6784,9 @@ CVE-2020-29473
 CVE-2020-29472 (EGavilan Media Under Construction page with cPanel 1.0 contains a SQL  ...)
 	NOT-FOR-US: cPanel
 CVE-2020-29471 (OpenCart 3.0.3.6 is affected by cross-site scripting (XSS) in the Prof ...)
-	TODO: check
+	NOT-FOR-US: OpenCart
 CVE-2020-29470 (OpenCart 3.0.3.6 is affected by cross-site scripting (XSS) in the Subj ...)
-	TODO: check
+	NOT-FOR-US: OpenCart
 CVE-2020-29469
 	RESERVED
 CVE-2020-29468
@@ -14232,11 +14233,11 @@ CVE-2020-27647
 CVE-2020-27646 (Biscom Secure File Transfer (SFT) before 5.1.1082 and 6.x before 6.0.1 ...)
 	NOT-FOR-US: Biscom Secure File Transfer (SFT)
 CVE-2020-27645 (The Inventory module of the 1E Client 5.0.0.745 doesn't handle an unqu ...)
-	TODO: check
+	NOT-FOR-US: 1E Client
 CVE-2020-27644 (The Inventory module of the 1E Client 5.0.0.745 doesn't handle an unqu ...)
-	TODO: check
+	NOT-FOR-US: 1E Client
 CVE-2020-27643 (The %PROGRAMDATA%\1E\Client directory in 1E Client 5.0.0.745 and 4.1.0 ...)
-	TODO: check
+	NOT-FOR-US: 1E Client
 CVE-2020-27642 (A cross-site scripting (XSS) vulnerability exists in the 'merge accoun ...)
 	NOT-FOR-US: BigBlueButton
 CVE-2020-27641
@@ -38248,7 +38249,7 @@ CVE-2020-16269 (radare2 4.5.0 misparses DWARF information in executable files, c
 	- radare2 <unfixed>
 	NOTE: https://github.com/radareorg/radare2/issues/17383
 CVE-2020-16268 (The MSI installer in 1E Client 4.1.0.267 and 5.0.0.745 allows remote a ...)
-	TODO: check
+	NOT-FOR-US: 1E Client
 CVE-2020-16267 (Zoho ManageEngine Applications Manager version 14740 and prior allows  ...)
 	NOT-FOR-US: Zoho ManageEngine Applications Manager
 CVE-2020-16266 (An XSS issue was discovered in MantisBT before 2.24.2. Improper escapi ...)
@@ -55916,15 +55917,15 @@ CVE-2020-10212 (upload.php in Responsive FileManager 9.13.4 and 9.14.0 allows SS
 CVE-2020-10211 (A remote code execution vulnerability in UCB component of Mitel MiVoic ...)
 	NOT-FOR-US: Mitel
 CVE-2020-10210 (Because of hard-coded SSH keys for the root user in Amino Communicatio ...)
-	TODO: check
+	NOT-FOR-US: Amino Communications
 CVE-2020-10209 (Command Injection in the CPE WAN Management Protocol (CWMP) registrati ...)
-	TODO: check
+	NOT-FOR-US: Amino Communications
 CVE-2020-10208 (Command Injection in EntoneWebEngine in Amino Communications AK45x ser ...)
-	TODO: check
+	NOT-FOR-US: Amino Communications
 CVE-2020-10207 (Use of Hard-coded Credentials in EntoneWebEngine in Amino Communicatio ...)
-	TODO: check
+	NOT-FOR-US: Amino Communications
 CVE-2020-10206 (Use of a Hard-coded Password in VNCserver in Amino Communications AK45 ...)
-	TODO: check
+	NOT-FOR-US: Amino Communications
 CVE-2020-10205
 	RESERVED
 CVE-2020-10204 (Sonatype Nexus Repository before 3.21.2 allows Remote Code Execution. ...)
@@ -56085,7 +56086,7 @@ CVE-2020-10150
 CVE-2020-10149
 	RESERVED
 CVE-2020-10148 (The SolarWinds Orion API is vulnerable to an authentication bypass tha ...)
-	TODO: check
+	NOT-FOR-US: SolarWinds
 CVE-2020-10147
 	RESERVED
 CVE-2020-10146 (The Microsoft Teams online service contains a stored cross-site script ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/8583d9b17f6b09921081de585a2b2edf3b5df018...f74a565bc1360e66df6b77d707b58155812d05ec
