[Git][security-tracker-team/security-tracker][master] new node-static-eval, rails issues

Moritz Muehlenhoff jmm at debian.org
Fri Feb 12 13:32:35 GMT 2021



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
285f2130 by Moritz Muehlenhoff at 2021-02-12T14:31:50+01:00
new node-static-eval, rails issues
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -19,7 +19,7 @@ CVE-2021-27193
 CVE-2021-27192
 	RESERVED
 CVE-2021-27191 (The get-ip-range package before 4.0.0 for Node.js is vulnerable to den ...)
-	TODO: check
+	NOT-FOR-US: Node get-ip-range
 CVE-2021-3408
 	RESERVED
 CVE-2021-27190 (PEEL Shopping cart 9.3.0 allows utilisateurs/change_params.php Address ...)
@@ -1054,7 +1054,7 @@ CVE-2021-26709
 	RESERVED
 CVE-2021-26707
 	RESERVED
-	TODO: possibly NFU, as looks different from src:node-deepmerge
+	NOT-FOR-US: Node deep-merge
 CVE-2020-36241 (autoar-extractor.c in GNOME gnome-autoar through 0.2.4, as used by GNO ...)
 	- gnome-autoar <unfixed>
 	NOTE: https://gitlab.gnome.org/GNOME/gnome-autoar/-/commit/adb067e645732fdbe7103516e506d09eb6a54429
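Review bot: The NOT-FOR-US decision for CVE-2021-26707 replaces a TODO that explicitly questioned whether the issue differs from src:node-deepmerge, yet nothing in the entry records what settled that question, and the CVE is still RESERVED, so there is no public description to verify against. Suggest keeping a NOTE with the reference that identifies the affected package as deep-merge rather than the deepmerge shipped as src:node-deepmerge, so the next triager can confirm the distinction once the CVE is populated.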
@@ -8760,9 +8760,10 @@ CVE-2021-23337
 CVE-2021-23336
 	RESERVED
 CVE-2021-23335 (All versions of package is-user-valid are vulnerable to LDAP Injection ...)
-	TODO: check
+	NOT-FOR-US: Node is-user-valid
 CVE-2021-23334 (All versions of package static-eval are vulnerable to Arbitrary Code E ...)
-	TODO: check
+	- node-static-eval <unfixed>
+	NOTE: https://snyk.io/vuln/SNYK-JS-STATICEVAL-1056765
 CVE-2021-23333
 	RESERVED
 CVE-2021-23332
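Review bot: The new `- node-static-eval <unfixed>` entry for CVE-2021-23334 references only the Snyk advisory; unlike the adminer entry further down in this diff, which records the upstream fix commit with its release tag (`NOTE: https://github.com/vrana/adminer/commit/ccd2374b0b12bd547417bf0dacdf153826c83351 (v4.7.9)`), nothing here identifies a fixing commit or version, so the `<unfixed>` state cannot be resolved from the entry alone. Suggest adding a NOTE with the upstream fix when it is known, and, since the description says all versions of static-eval are affected, checking the packaged version directly rather than relying on the advisory's range.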
@@ -9644,9 +9645,11 @@ CVE-2021-22883
 CVE-2021-22882
 	RESERVED
 CVE-2021-22881 (The Host Authorization middleware in Action Pack before 6.1.2.1, 6.0.3 ...)
-	TODO: check
+	- rails <unfixed>
+	NOTE: https://discuss.rubyonrails.org/t/cve-2021-22881-possible-open-redirect-in-host-authorization-middleware/77130
 CVE-2021-22880 (The PostgreSQL adapter in Active Record before 6.1.2.1, 6.0.3.5, 5.2.4 ...)
-	TODO: check
+	- rails <unfixed>
+	NOTE: https://discuss.rubyonrails.org/t/cve-2021-22880-possible-dos-vulnerability-in-active-record-postgresql-adapter/77129
 CVE-2021-22879
 	RESERVED
 CVE-2021-22878
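Review bot: Both rails entries record `<unfixed>` with only the upstream announcement URLs, although the CVE descriptions themselves name the fixed upstream releases (6.1.2.1, 6.0.3.5, and a third release that the truncated text cuts off after 5.2.4); recording those in a NOTE, as the diff does elsewhere with `(v4.7.9)`, would make clear which upstream release the Debian fix has to track. A second NOTE naming the affected component (Action Pack Host Authorization middleware for CVE-2021-22881, the Active Record PostgreSQL adapter for CVE-2021-22880) would also help when a backport is later assessed.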
@@ -11636,7 +11639,7 @@ CVE-2021-21978
 CVE-2021-21977
 	RESERVED
 CVE-2021-21976 (vSphere Replication 8.3.x prior to 8.3.1.2, 8.2.x prior to 8.2.1.1, 8. ...)
-	TODO: check
+	NOT-FOR-US: vSphere Replication
 CVE-2021-21975
 	RESERVED
 CVE-2021-21974
@@ -14236,13 +14239,13 @@ CVE-2021-21311 (Adminer is an open-source database management in a single PHP fi
 	NOTE: https://github.com/vrana/adminer/security/advisories/GHSA-x5r2-hj5c-8jx6
 	NOTE: https://github.com/vrana/adminer/commit/ccd2374b0b12bd547417bf0dacdf153826c83351 (v4.7.9)
 CVE-2021-21310 (NextAuth.js (next-auth) is am open source authentication solution for  ...)
-	TODO: check
+	NOT-FOR-US: NextAuth.js
 CVE-2021-21309
 	RESERVED
 CVE-2021-21308
 	RESERVED
 CVE-2021-21307 (Lucee Server is a dynamic, Java based (JSR-223), tag and scripting lan ...)
-	TODO: check
+	NOT-FOR-US: Lucee Server
 CVE-2021-21306 (Marked is an open-source markdown parser and compiler (npm package "ma ...)
 	- node-marked <unfixed>
 	NOTE: https://github.com/markedjs/marked/security/advisories/GHSA-4r62-v4vq-hr96
@@ -14259,7 +14262,7 @@ CVE-2021-21303 (Helm is open-source software which is essentially "The Kubernete
 CVE-2021-21302
 	RESERVED
 CVE-2021-21301 (Wire is an open-source collaboration platform. In Wire for iOS (iPhone ...)
-	TODO: check
+	NOT-FOR-US: Wire
 CVE-2021-21300
 	RESERVED
 CVE-2021-21298
@@ -14319,7 +14322,7 @@ CVE-2021-21279
 CVE-2021-21278 (RSSHub is an open source, easy to use, and extensible RSS feed generat ...)
 	NOT-FOR-US: RSSHub
 CVE-2021-21277 (angular-expressions is "angular's nicest part extracted as a standalon ...)
-	TODO: check
+	NOT-FOR-US: angular-expressions
 CVE-2021-21276 (Polr is an open source URL shortener. in Polr before version 2.3.0, a  ...)
 	NOT-FOR-US: Polr
 CVE-2021-21275 (The MediaWiki "Report" extension has a Cross-Site Request Forgery (CSR ...)
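Review bot: `NOT-FOR-US: angular-expressions` drops the `Node` prefix that the other JavaScript-package entries in this commit carry (`NOT-FOR-US: Node get-ip-range`, `NOT-FOR-US: Node deep-merge`, `NOT-FOR-US: Node is-user-valid`). If angular-expressions is the npm package (the truncated description does not say so explicitly), suggest `NOT-FOR-US: Node angular-expressions` so the ecosystem remains consistent and greppable.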
@@ -15838,45 +15841,45 @@ CVE-2021-20656
 CVE-2021-20655
 	RESERVED
 CVE-2021-20654 (Wekan, open source kanban board system, between version 3.12 and 4.11, ...)
-	TODO: check
+	NOT-FOR-US: Wekan
 CVE-2021-20653
 	RESERVED
 CVE-2021-20652 (Cross-site request forgery (CSRF) vulnerability in Name Directory 1.17 ...)
 	NOT-FOR-US: Name Directory
 CVE-2021-20651 (Directory traversal vulnerability in ELECOM File Manager all versions  ...)
-	TODO: check
+	NOT-FOR-US: ELECOM
 CVE-2021-20650 (Cross-site request forgery (CSRF) vulnerability in ELECOM NCC-EWF100RM ...)
-	TODO: check
+	NOT-FOR-US: ELECOM
 CVE-2021-20649 (ELECOM WRC-300FEBK-S contains an improper certificate validation vulne ...)
-	TODO: check
+	NOT-FOR-US: ELECOM
 CVE-2021-20648 (ELECOM WRC-300FEBK-S allows an attacker with administrator rights to e ...)
-	TODO: check
+	NOT-FOR-US: ELECOM
 CVE-2021-20647 (Cross-site request forgery (CSRF) vulnerability in ELECOM WRC-300FEBK- ...)
-	TODO: check
+	NOT-FOR-US: ELECOM
 CVE-2021-20646 (Cross-site request forgery (CSRF) vulnerability in ELECOM WRC-300FEBK- ...)
-	TODO: check
+	NOT-FOR-US: ELECOM
 CVE-2021-20645 (Cross-site scripting vulnerability in ELECOM WRC-300FEBK-A allows remo ...)
-	TODO: check
+	NOT-FOR-US: ELECOM
 CVE-2021-20644 (ELECOM WRC-1467GHBK-A allows arbitrary scripts to be executed on the u ...)
-	TODO: check
+	NOT-FOR-US: ELECOM
 CVE-2021-20643 (Improper access control vulnerability in ELECOM LD-PS/U1 allows remote ...)
-	TODO: check
+	NOT-FOR-US: ELECOM
 CVE-2021-20642 (Improper check or handling of exceptional conditions in LOGITEC LAN-W3 ...)
-	TODO: check
+	NOT-FOR-US: LOGITEC
 CVE-2021-20641 (Cross-site request forgery (CSRF) vulnerability in LOGITEC LAN-W300N/R ...)
-	TODO: check
+	NOT-FOR-US: LOGITEC
 CVE-2021-20640 (Buffer overflow vulnerability in LOGITEC LAN-W300N/PGRB allows an atta ...)
-	TODO: check
+	NOT-FOR-US: LOGITEC
 CVE-2021-20639 (LOGITEC LAN-W300N/PGRB allows an attacker with administrative privileg ...)
-	TODO: check
+	NOT-FOR-US: LOGITEC
 CVE-2021-20638 (LOGITEC LAN-W300N/PGRB allows an attacker with administrative privileg ...)
-	TODO: check
+	NOT-FOR-US: LOGITEC
 CVE-2021-20637 (Improper check or handling of exceptional conditions in LOGITEC LAN-W3 ...)
-	TODO: check
+	NOT-FOR-US: LOGITEC
 CVE-2021-20636 (Cross-site request forgery (CSRF) vulnerability in LOGITEC LAN-W300N/P ...)
-	TODO: check
+	NOT-FOR-US: LOGITEC
 CVE-2021-20635 (Improper restriction of excessive authentication attempts in LOGITEC L ...)
-	TODO: check
+	NOT-FOR-US: LOGITEC
 CVE-2021-20634
 	RESERVED
 CVE-2021-20633
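Review bot: The seventeen ELECOM and LOGITEC entries are all marked with the vendor name only, whereas other entries in this commit use the product (`NOT-FOR-US: vSphere Replication`, `NOT-FOR-US: MongoDB Ops Manager`) and the descriptions here name several distinct products (ELECOM File Manager, NCC-EWF100RM, WRC-300FEBK-S, WRC-300FEBK-A, WRC-1467GHBK-A, LD-PS/U1, LOGITEC LAN-W300N/R and LAN-W300N/PGRB). Suggest including the product in each NOT-FOR-US line, e.g. `NOT-FOR-US: ELECOM WRC-300FEBK-S`, so a later search by device model finds the triage decision.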
@@ -16476,7 +16479,7 @@ CVE-2021-20337
 CVE-2021-20336
 	RESERVED
 CVE-2021-20335 (For MongoDB Ops Manager 4.2.X with multiple OM application servers, th ...)
-	TODO: check
+	NOT-FOR-US: MongoDB Ops Manager
 CVE-2021-20334
 	RESERVED
 CVE-2021-20333



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/285f213020a9f2ca761e29cdf8095993964e35b9
