[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Mon Jun 7 21:10:31 BST 2021
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
38323357 by security tracker role at 2021-06-07T20:10:24+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,11 +1,32 @@
+CVE-2021-3582
+ RESERVED
+CVE-2021-33907
+ RESERVED
+CVE-2021-33906
+ RESERVED
+CVE-2021-33905
+ RESERVED
+CVE-2021-33904 (In Accela Civic Platform through 21.1, the security/hostSignon.do para ...)
+ TODO: check
+CVE-2021-33903
+ RESERVED
+CVE-2021-33902
+ RESERVED
+CVE-2021-33901
+ RESERVED
+CVE-2021-33900
+ RESERVED
+CVE-2020-36384 (PageLayer before 1.3.5 allows reflected XSS via color settings. ...)
+ TODO: check
+CVE-2020-36383 (PageLayer before 1.3.5 allows reflected XSS via the font-size paramete ...)
+ TODO: check
CVE-2021-33899
RESERVED
CVE-2021-33898 (In Invoice Ninja before 4.4.0, there is an unsafe call to unserialize( ...)
NOT-FOR-US: Invoice Ninja
CVE-2021-33897
RESERVED
-CVE-2021-33896 [Path traversal in Dino file transfers]
- RESERVED
+CVE-2021-33896 (Dino before 0.1.2 and 0.2.x before 0.2.1 allows Directory Traversal (o ...)
- dino-im 0.2.0-3
NOTE: https://www.openwall.com/lists/oss-security/2021/06/07/2
NOTE: https://github.com/dino/dino/commit/0c8d25b7a3e7a10a506f1e19b868fe9b0c761495 (master)
@@ -27,6 +48,7 @@ CVE-2021-33889
CVE-2021-33888
RESERVED
CVE-2017-20005 (NGINX before 1.13.6 has a buffer overflow for years that exceed four d ...)
+ {DLA-2680-1}
- nginx 1.13.6-1
NOTE: https://github.com/nginx/nginx/commit/0206ebe76f748bb39d9de4dd4b3fce777fdfdccf
NOTE: https://github.com/nginx/nginx/commit/b900cc28fcbb4cf5a32ab62f80b59292e1c85b4b
@@ -257,7 +279,7 @@ CVE-2021-3571
RESERVED
CVE-2021-3570
RESERVED
-CVE-2020-36385 [RDMA/ucma: Rework ucma_migrate_id() to avoid races with destroy]
+CVE-2020-36385 (An issue was discovered in the Linux kernel before 5.10. drivers/infin ...)
- linux 5.10.4-1
NOTE: https://git.kernel.org/linus/f5449e74802c1112dea984aec8af7a33c4516af1
CVE-2020-36382 (OpenVPN Access Server 2.7.3 to 2.8.7 allows remote attackers to trigge ...)
@@ -2854,7 +2876,7 @@ CVE-2021-32637 (Authelia is a a single sign-on multi-factor portal for web apps.
NOT-FOR-US: Authelia
CVE-2021-32636
RESERVED
-CVE-2021-32635 (### Impact Due to incorrect use of a default URL, `singularity` action ...)
+CVE-2021-32635 (Singularity is an open source container platform. In verions 3.7.2 and ...)
- singularity-container <not-affected> (Vulnerable code introduced in 3.7.2)
NOTE: https://github.com/hpcng/singularity/security/advisories/GHSA-jq42-hfch-42f3
NOTE: https://github.com/hpcng/singularity/commit/cd298aaeb7698fb692689e2e1b49972c94bfa440
@@ -2889,9 +2911,9 @@ CVE-2021-32623
RESERVED
CVE-2021-32622 (Matrix-React-SDK is a react-based SDK for inserting a Matrix chat/voip ...)
NOT-FOR-US: Matrix-React-SDK
-CVE-2021-32621 (### Impact A user without Script or Programming right is able to execu ...)
+CVE-2021-32621 (XWiki Platform is a generic wiki platform offering runtime services fo ...)
NOT-FOR-US: XWiki
-CVE-2021-32620 (### Impact A user disabled on a wiki using email verification for regi ...)
+CVE-2021-32620 (XWiki Platform is a generic wiki platform offering runtime services fo ...)
NOT-FOR-US: XWiki
CVE-2021-32619 (Deno is a runtime for JavaScript and TypeScript that uses V8 and is bu ...)
NOT-FOR-US: Deno
@@ -10221,8 +10243,8 @@ CVE-2021-29622 (Prometheus is an open-source monitoring system and time series d
NOTE: (due to lack of React support in Debian) in 01-Do_not_embed_blobs.patch.
NOTE: The vulnerability itself is introduced with 2.23.0 upstream.
NOTE: See https://bugs.debian.org/988804 for details.
-CVE-2021-29621
- RESERVED
+CVE-2021-29621 (Flask-AppBuilder is a development framework, built on top of Flask. Us ...)
+ TODO: check
CVE-2021-29620
RESERVED
CVE-2021-29619 (TensorFlow is an end-to-end open source platform for machine learning. ...)
@@ -10462,7 +10484,7 @@ CVE-2021-29507 (GENIVI Diagnostic Log and Trace (DLT) provides a log and trace i
NOTE: No security impact, config files need to be trusted
CVE-2021-29506 (GraphHopper is an open-source Java routing engine. In GrassHopper from ...)
NOT-FOR-US: GraphHopper
-CVE-2021-29505 (### Impact The vulnerability may allow a remote attacker has sufficien ...)
+CVE-2021-29505 (XStream is software for serializing Java objects to XML and back again ...)
- libxstream-java <unfixed> (bug #989491)
NOTE: https://github.com/x-stream/xstream/security/advisories/GHSA-7chv-rrw6-w6fc
CVE-2021-29504
@@ -10494,7 +10516,7 @@ CVE-2021-29494
RESERVED
CVE-2021-29493 (Kennnyshiwa-cogs contains cogs for Red Discordbot. An RCE exploit has ...)
NOT-FOR-US: Kennnyshiwa-cogs
-CVE-2021-29492 (### Description Envoy does not decode escaped slash sequences `%2F` an ...)
+CVE-2021-29492 (Envoy is a cloud-native edge/middle/service proxy. Envoy does not deco ...)
- envoyproxy <itp> (bug #987544)
CVE-2021-29491 (Mixme is a library for recursive merging of Javascript objects. In Nod ...)
NOT-FOR-US: mixme nodejs module
@@ -10619,7 +10641,7 @@ CVE-2021-29462 (The Portable SDK for UPnP Devices is an SDK for development of U
NOTE: https://github.com/pupnp/pupnp/security/advisories/GHSA-6hqq-w3jq-9fhg
NOTE: https://github.com/pupnp/pupnp/commit/21fd85815da7ed2578d0de7cac4c433008f0ecd4
NOTE: https://www.openwall.com/lists/oss-security/2021/04/20/4
-CVE-2021-29461 (### Impact - This issue could be exploited to read internal files from ...)
+CVE-2021-29461 (Discord Recon Server is a bot that allows one to do one's reconnaissan ...)
NOT-FOR-US: Discord-Recon
CVE-2021-29460 (Kirby is an open source CMS. An editor with write access to the Kirby ...)
NOT-FOR-US: Kirby CMS
@@ -10698,7 +10720,7 @@ CVE-2021-29435 (trestle-auth is an authentication plugin for the Trestle admin f
NOT-FOR-US: trestle-auth
CVE-2021-29434 (Wagtail is a Django content management system. In affected versions of ...)
NOT-FOR-US: wagtail
-CVE-2021-29433 (### Impact Missing input validation of some parameters on the endpoint ...)
+CVE-2021-29433 (Sydent is a reference Matrix identity server. In Sydent versions 2.2.0 ...)
NOT-FOR-US: Matrix Sydent
CVE-2021-29432 (Sydent is a reference matrix identity server. A malicious user could a ...)
NOT-FOR-US: Matrix Sydent
@@ -11495,8 +11517,8 @@ CVE-2021-29101 (ArcGIS GeoEvent Server versions 10.8.1 and below has a read-only
NOT-FOR-US: ArcGIS GeoEvent Server
CVE-2021-29100 (A path traversal vulnerability exists in Esri ArcGIS Earth versions 1. ...)
NOT-FOR-US: Esri
-CVE-2021-29099
- RESERVED
+CVE-2021-29099 (A SQL injection vulnerability exists in some configurations of ArcGIS ...)
+ TODO: check
CVE-2021-29098 (Multiple uninitialized pointer vulnerabilities when parsing a speciall ...)
NOT-FOR-US: Esri (various ArcGIS products)
CVE-2021-29097 (Multiple buffer overflow vulnerabilities when parsing a specially craf ...)
@@ -13162,8 +13184,8 @@ CVE-2021-28384
RESERVED
CVE-2021-28383
RESERVED
-CVE-2021-28382
- RESERVED
+CVE-2021-28382 (Zoho ManageEngine Key Manager Plus before 6001 allows Stored XSS on th ...)
+ TODO: check
CVE-2021-28381 (The vhs (aka VHS: Fluid ViewHelpers) extension before 5.1.1 for TYPO3 ...)
NOT-FOR-US: vhs (aka VHS: Fluid ViewHelpers) extension for TYPO3
CVE-2021-28380 (The aimeos (aka Aimeos shop and e-commerce framework) extension before ...)
@@ -22782,24 +22804,24 @@ CVE-2021-24346
RESERVED
CVE-2021-24345
RESERVED
-CVE-2021-24344
- RESERVED
-CVE-2021-24343
- RESERVED
-CVE-2021-24342
- RESERVED
+CVE-2021-24344 (The Easy Preloader WordPress plugin through 1.0.0 does not sanitise it ...)
+ TODO: check
+CVE-2021-24343 (The iFlyChat - WordPress Chat plugin through 4.6.4 does not sanitise i ...)
+ TODO: check
+CVE-2021-24342 (The JNews WordPress theme before 8.0.6 did not sanitise the cat_id par ...)
+ TODO: check
CVE-2021-24341
RESERVED
-CVE-2021-24340
- RESERVED
+CVE-2021-24340 (The WP Statistics WordPress plugin before 13.0.8 relied on using the W ...)
+ TODO: check
CVE-2021-24339
RESERVED
CVE-2021-24338
RESERVED
-CVE-2021-24337
- RESERVED
-CVE-2021-24336
- RESERVED
+CVE-2021-24337 (The id GET parameter of one of the Video Embed WordPress plugin throug ...)
+ TODO: check
+CVE-2021-24336 (The FlightLog WordPress plugin through 3.0.2 does not sanitise, valida ...)
+ TODO: check
CVE-2021-24335 (The Car Repair Services & Auto Mechanic WordPress theme before 4.0 ...)
NOT-FOR-US: WordPress theme
CVE-2021-24334 (The Instant Images – One Click Unsplash Uploads WordPress plugin ...)
@@ -27582,8 +27604,8 @@ CVE-2021-22224
RESERVED
CVE-2021-22223
RESERVED
-CVE-2021-22222
- RESERVED
+CVE-2021-22222 (Infinite loop in DVB-S2-BB dissector in Wireshark 3.4.0 to 3.4.5 allow ...)
+ TODO: check
CVE-2021-22221
RESERVED
CVE-2021-22220
@@ -32573,10 +32595,10 @@ CVE-2021-20701
RESERVED
CVE-2021-20700
RESERVED
-CVE-2021-20699
- RESERVED
-CVE-2021-20698
- RESERVED
+CVE-2021-20699 (Sharp NEC Displays (UN462A R1.300 and prior to it, UN462VA R1.300 and ...)
+ TODO: check
+CVE-2021-20698 (Sharp NEC Displays (UN462A R1.300 and prior to it, UN462VA R1.300 and ...)
+ TODO: check
CVE-2021-20697 (Missing authentication for critical function in DAP-1880AC firmware ve ...)
NOT-FOR-US: DAP-1880AC firmware
CVE-2021-20696 (DAP-1880AC firmware version 1.21 and earlier allows a remote authentic ...)
@@ -32937,8 +32959,8 @@ CVE-2021-20519 (IBM Jazz Team Server products are vulnerable to cross-site scrip
NOT-FOR-US: IBM
CVE-2021-20518 (IBM Jazz Foundation Products are vulnerable to cross-site scripting. T ...)
NOT-FOR-US: IBM
-CVE-2021-20517
- RESERVED
+CVE-2021-20517 (IBM WebSphere Application Server Network Deployment 8.5 and 9.0 could ...)
+ TODO: check
CVE-2021-20516
RESERVED
CVE-2021-20515 (IBM Informix Dynamic Server 14.10 is vulnerable to a stack based buffe ...)
@@ -65816,16 +65838,16 @@ CVE-2020-18270
RESERVED
CVE-2020-18269
RESERVED
-CVE-2020-18268
- RESERVED
+CVE-2020-18268 (Open Redirect in Z-BlogPHP v1.5.2 and earlier allows remote attackers ...)
+ TODO: check
CVE-2020-18267
RESERVED
CVE-2020-18266
RESERVED
-CVE-2020-18265
- RESERVED
-CVE-2020-18264
- RESERVED
+CVE-2020-18265 (Cross Site Request Forgery (CSRF) in Simple-Log v1.6 allows remote att ...)
+ TODO: check
+CVE-2020-18264 (Cross Site Request Forgery (CSRF) in Simple-Log v1.6 allows remote att ...)
+ TODO: check
CVE-2020-18263
RESERVED
CVE-2020-18262
@@ -101379,8 +101401,8 @@ CVE-2020-5010
RESERVED
CVE-2020-5009
RESERVED
-CVE-2020-5008
- RESERVED
+CVE-2020-5008 (IBM DataPower Gateway 10.0.0.0 through 10.0.1.0 and 2018.4.1.0 through ...)
+ TODO: check
CVE-2020-5007
RESERVED
CVE-2020-5006
@@ -110786,8 +110808,7 @@ CVE-2020-1720 (A flaw was found in PostgreSQL's "ALTER ... DEPENDS ON EXTENSION"
NOTE: https://www.postgresql.org/about/news/2011/
NOTE: Fixed in 12.2, 11.7, 10.12, 9.6.17, 9.5.21, and 9.4.26
NOTE: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=b048f558dd7c26a0c630a2cff29d3d8981eaf6b9
-CVE-2020-1719
- RESERVED
+CVE-2020-1719 (A flaw was found in wildfly. The EJBContext principle is not popped ba ...)
- wildfly <itp> (bug #752018)
CVE-2020-1718 (A flaw was found in the reset credential flow in all Keycloak versions ...)
NOT-FOR-US: Keycloak
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/383233577c1fa17b54973218d06feee0b78be9b0
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/383233577c1fa17b54973218d06feee0b78be9b0
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20210607/88de0869/attachment-0001.htm>
More information about the debian-security-tracker-commits
mailing list