[Git][security-tracker-team/security-tracker][master] 2 commits: Process some NFUs
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Fri Nov 19 20:46:11 GMT 2021
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
76168de9 by Salvatore Bonaccorso at 2021-11-19T21:45:49+01:00
Process some NFUs
- - - - -
aedb551d by Salvatore Bonaccorso at 2021-11-19T21:45:49+01:00
Add CVE-2021-39923/wireshark
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -10,9 +10,9 @@ CVE-2021-44038 (An issue was discovered in Quagga through 1.2.4. Unsafe chown/ch
NOTE: Debian installed systemd unit files install the problematic redhat/*.service
NOTE: files with the unsafe chmod/chown calls in the Debian packaging.
CVE-2021-44037 (Team Password Manager (aka TeamPasswordManager) before 10.135.236 allo ...)
- TODO: check
+ NOT-FOR-US: Team Password Manager (aka TeamPasswordManager)
CVE-2021-44036 (Team Password Manager (aka TeamPasswordManager) before 10.135.236 has ...)
- TODO: check
+ NOT-FOR-US: Team Password Manager (aka TeamPasswordManager)
CVE-2021-44035
RESERVED
CVE-2021-3982
@@ -96,7 +96,7 @@ CVE-2021-44000
CVE-2021-43999
RESERVED
CVE-2021-3976 (kimai2 is vulnerable to Cross-Site Request Forgery (CSRF) ...)
- TODO: check
+ NOT-FOR-US: kimai2
CVE-2021-3975 [segmentation fault during VM shutdown can lead to vdsm hung]
RESERVED
- libvirt 7.6.0-1
@@ -795,7 +795,7 @@ CVE-2021-43771
CVE-2021-3964
RESERVED
CVE-2021-3963 (kimai2 is vulnerable to Cross-Site Request Forgery (CSRF) ...)
- TODO: check
+ NOT-FOR-US: kimai2
CVE-2021-3962 (A flaw was found in ImageMagick 7.1.0-14 where it did not properly san ...)
- imagemagick <undetermined>
NOTE: https://github.com/ImageMagick/ImageMagick/issues/4446
@@ -1652,7 +1652,7 @@ CVE-2021-43747
CVE-2021-43746
RESERVED
CVE-2021-3961 (snipe-it is vulnerable to Improper Neutralization of Input During Web ...)
- TODO: check
+ NOT-FOR-US: snipe-it
CVE-2022-21216
RESERVED
CVE-2022-21204
@@ -1944,7 +1944,7 @@ CVE-2021-43617 (Laravel Framework through 8.70.2 does not sufficiently block the
- php-laravel-framework <unfixed>
NOTE: https://hosein-vita.medium.com/laravel-8-x-image-upload-bypass-zero-day-852bd806019b
CVE-2021-3957 (kimai2 is vulnerable to Cross-Site Request Forgery (CSRF) ...)
- TODO: check
+ NOT-FOR-US: kimai2
CVE-2021-43616 (The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an i ...)
- npm <unfixed>
NOTE: https://github.com/npm/cli/issues/2701
@@ -2047,7 +2047,7 @@ CVE-2021-43579 (A stack-based buffer overflow in image_load_bmp() in HTMLDOC bef
NOTE: https://github.com/michaelrsweet/htmldoc/issues/453
NOTE: Crash in CLI tool, no security impact
CVE-2021-3950 (django-helpdesk is vulnerable to Improper Neutralization of Input Duri ...)
- TODO: check
+ NOT-FOR-US: django-helpdesk
CVE-2022-21220
RESERVED
CVE-2022-21207
@@ -2075,11 +2075,11 @@ CVE-2021-43577 (Jenkins OWASP Dependency-Check Plugin 5.1.1 and earlier does not
CVE-2021-43576 (Jenkins pom2config Plugin 1.2 and earlier does not configure its XML p ...)
NOT-FOR-US: Jenkins plugin
CVE-2021-42744 (Philips MRI 1.5T and MRI 3T Version 5.x.x exposes sensitive informatio ...)
- TODO: check
+ NOT-FOR-US: Philips
CVE-2021-26262 (Philips MRI 1.5T and MRI 3T Version 5.x.x does not restrict or incorre ...)
- TODO: check
+ NOT-FOR-US: Philips
CVE-2021-26248 (Philips MRI 1.5T and MRI 3T Version 5.x.x assigns an owner who is outs ...)
- TODO: check
+ NOT-FOR-US: Philips
CVE-2021-3949
RESERVED
CVE-2021-3948
@@ -2160,7 +2160,7 @@ CVE-2021-3940
CVE-2021-43556
RESERVED
CVE-2021-43555 (mySCADA myDESIGNER Versions 8.20.0 and prior fails to properly validat ...)
- TODO: check
+ NOT-FOR-US: mySCADA myDESIGNER
CVE-2021-43554
RESERVED
CVE-2021-43553 (PI Vision could disclose information to a user with insufficient privi ...)
@@ -2497,9 +2497,9 @@ CVE-2021-43410
CVE-2021-3932 (twill is vulnerable to Cross-Site Request Forgery (CSRF) ...)
NOT-FOR-US: twill
CVE-2021-43409 (The "WPO365 | LOGIN" WordPress plugin (up to and including version 15. ...)
- TODO: check
+ NOT-FOR-US: WordPress plugin
CVE-2021-43408 (The Duplicate Post WordPress plugin up to and including version 1.1.9 ...)
- TODO: check
+ NOT-FOR-US: WordPress plugin
CVE-2021-43407
RESERVED
CVE-2021-43406 (An issue was discovered in FusionPBX before 4.5.30. The fax_post_size ...)
@@ -6940,7 +6940,7 @@ CVE-2021-42365
CVE-2021-42364
RESERVED
CVE-2021-42363 (The Preview E-Mails for WooCommerce WordPress plugin is vulnerable to ...)
- TODO: check
+ NOT-FOR-US: WordPress plugin
CVE-2021-42362 (The WordPress Popular Posts WordPress plugin is vulnerable to arbitrar ...)
NOT-FOR-US: WordPress plugin
CVE-2021-42361 (The Contact Form Email WordPress plugin is vulnerable to Stored Cross- ...)
@@ -7025,7 +7025,7 @@ CVE-2020-36479
CVE-2021-42339
RESERVED
CVE-2021-42338 (4MOSAn GCB Doctor’s login page has improper validation of Cookie ...)
- TODO: check
+ NOT-FOR-US: 4MOSAn GCB Doctor
CVE-2021-42337 (The permission control of AIFU cashier management salary query functio ...)
NOT-FOR-US: AIFU cashier management salary
CVE-2021-42336 (The learning history page of the Easytest is vulnerable by permission ...)
@@ -7415,7 +7415,7 @@ CVE-2021-3878 (corenlp is vulnerable to Improper Restriction of XML External Ent
CVE-2021-42255
RESERVED
CVE-2021-42254 (BeyondTrust Privilege Management prior to version 21.6 creates a Tempo ...)
- TODO: check
+ NOT-FOR-US: BeyondTrust Privilege Management
CVE-2021-42253
RESERVED
CVE-2021-42252 (An issue was discovered in aspeed_lpc_ctrl_mmap in drivers/soc/aspeed/ ...)
@@ -9049,7 +9049,7 @@ CVE-2021-41571
CVE-2021-41570
RESERVED
CVE-2021-41569 (SAS/Intrnet 9.4 build 1520 and earlier allows Local File Inclusion. Th ...)
- TODO: check
+ NOT-FOR-US: SAS/Intrnet
CVE-2021-3826
RESERVED
CVE-2021-41568 (Tad Web is vulnerable to authorization bypass, thus remote attackers c ...)
@@ -9355,9 +9355,9 @@ CVE-2021-41438
CVE-2021-41437
RESERVED
CVE-2021-41436 (An HTTP request smuggling in web application in ASUS ROG Rapture GT-AX ...)
- TODO: check
+ NOT-FOR-US: ASUS
CVE-2021-41435 (A brute-force protection bypass in CAPTCHA protection in ASUS ROG Rapt ...)
- TODO: check
+ NOT-FOR-US: ASUS
CVE-2021-41434
RESERVED
CVE-2021-41433
@@ -12944,7 +12944,9 @@ CVE-2021-39924 (Large loop in the Bluetooth DHT dissector in Wireshark 3.4.0 to
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17677
NOTE: https://www.wireshark.org/security/wnpa-sec-2021-10.html
CVE-2021-39923 (NULL pointer exception in the IPPUSB dissector in Wireshark 3.4.0 to 3 ...)
- TODO: check
+ - wireshark <unfixed>
+ NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17705
+ NOTE: https://www.wireshark.org/security/wnpa-sec-2021-15.html
CVE-2021-39922 (Buffer overflow in the C12.22 dissector in Wireshark 3.4.0 to 3.4.9 an ...)
- wireshark <unfixed>
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17636
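Review bot: the added `- wireshark <unfixed>` line for CVE-2021-39923 carries no severity marker or Debian bug reference; the description classifies it as a NULL pointer exception in the IPPUSB dissector, i.e. a dissector crash, so the entry would benefit from the same kind of severity annotation the tracker uses for crash-only issues, and from a bug reference once one is filed, so that `<unfixed>` does not sit untracked. The two NOTE links (issue 17705 and wnpa-sec-2021-15) are the right sources to confirm the upstream fixed version when the `<unfixed>` marker is replaced.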
@@ -14240,7 +14242,7 @@ CVE-2021-39355 (The Indeed Job Importer WordPress plugin is vulnerable to Stored
CVE-2021-39354 (The Easy Digital Downloads WordPress plugin is vulnerable to Reflected ...)
NOT-FOR-US: WordPress plugin
CVE-2021-39353 (The Easy Registration Forms WordPress plugin is vulnerable to Cross-Si ...)
- TODO: check
+ NOT-FOR-US: WordPress plugin
CVE-2021-39352 (The Catch Themes Demo Import WordPress plugin is vulnerable to arbitra ...)
NOT-FOR-US: WordPress plugin
CVE-2021-39351 (The WP Bannerize WordPress plugin is vulnerable to authenticated SQL i ...)
@@ -20290,7 +20292,7 @@ CVE-2021-36886
CVE-2021-36885
RESERVED
CVE-2021-36884 (Authenticated Persistent Cross-Site Scripting (XSS) vulnerability disc ...)
- TODO: check
+ NOT-FOR-US: WordPress plugin
CVE-2021-36883
RESERVED
CVE-2021-36882
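Review bot: the rationale `NOT-FOR-US: WordPress plugin` for CVE-2021-36884 is not supported by the visible description (`Authenticated Persistent Cross-Site Scripting (XSS) vulnerability disc ...`), which names no product; name the affected plugin in the NOT-FOR-US line, e.g. `NOT-FOR-US: <plugin name> WordPress plugin`, so a later reader can verify the decision without re-reading the CVE text.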
@@ -22478,7 +22480,7 @@ CVE-2021-36005 (Adobe Photoshop versions 21.2.9 (and earlier) and 22.4.2 (and ea
CVE-2021-36004 (Adobe InDesign version 16.0 (and earlier) is affected by an Out-of-bou ...)
NOT-FOR-US: Adobe
CVE-2021-36003 (Adobe Audition version 14.2 (and earlier) is affected by an out-of-bou ...)
- TODO: check
+ NOT-FOR-US: Adobe
CVE-2021-36002 (Adobe Captivate version 11.5.5 (and earlier) is affected by an Creatio ...)
NOT-FOR-US: Adobe
CVE-2021-36001 (Adobe Character Animator version 4.2 (and earlier) is affected by an o ...)
@@ -27388,7 +27390,7 @@ CVE-2021-33852
CVE-2021-33851
RESERVED
CVE-2021-33850 (There is a Cross-Site Scripting vulnerability in Microsoft Clarity ver ...)
- TODO: check
+ NOT-FOR-US: Microsoft
CVE-2021-33849 (A Cross-Site Scripting (XSS) attack can cause arbitrary code (JavaScri ...)
NOT-FOR-US: Zoho
CVE-2021-3581 (Buffer Access with Incorrect Length Value in zephyr. Zephyr versions & ...)
@@ -39222,19 +39224,19 @@ CVE-2021-29331
CVE-2021-29330
RESERVED
CVE-2021-29329 (OpenSource Moddable v10.5.0 was discovered to contain a stack overflow ...)
- TODO: check
+ NOT-FOR-US: OpenSource Moddable
CVE-2021-29328 (OpenSource Moddable v10.5.0 was discovered to contain buffer over-read ...)
- TODO: check
+ NOT-FOR-US: OpenSource Moddable
CVE-2021-29327 (OpenSource Moddable v10.5.0 was discovered to contain a heap buffer ov ...)
- TODO: check
+ NOT-FOR-US: OpenSource Moddable
CVE-2021-29326 (OpenSource Moddable v10.5.0 was discovered to contain a heap buffer ov ...)
- TODO: check
+ NOT-FOR-US: OpenSource Moddable
CVE-2021-29325 (OpenSource Moddable v10.5.0 was discovered to contain a heap buffer ov ...)
- TODO: check
+ NOT-FOR-US: OpenSource Moddable
CVE-2021-29324 (OpenSource Moddable v10.5.0 was discovered to contain a stack overflow ...)
- TODO: check
+ NOT-FOR-US: OpenSource Moddable
CVE-2021-29323 (OpenSource Moddable v10.5.0 was discovered to contain a heap buffer ov ...)
- TODO: check
+ NOT-FOR-US: OpenSource Moddable
CVE-2021-29322
RESERVED
CVE-2021-29321
@@ -54425,17 +54427,17 @@ CVE-2021-22972
CVE-2021-22971
RESERVED
CVE-2021-22970 (Concrete CMS (formerly concrete5) versions 8.5.6 and below and version ...)
- TODO: check
+ NOT-FOR-US: Concrete CMS
CVE-2021-22969 (Concrete CMS (formerly concrete5) versions below 8.5.7 has a SSRF miti ...)
- TODO: check
+ NOT-FOR-US: Concrete CMS
CVE-2021-22968 (A bypass of adding remote files in Concrete CMS (previously concrete5) ...)
- TODO: check
+ NOT-FOR-US: Concrete CMS
CVE-2021-22967 (In Concrete CMS (formerly concrete 5) below 8.5.7, IDOR Allows Unauthe ...)
- TODO: check
+ NOT-FOR-US: Concrete CMS
CVE-2021-22966 (Privilege escalation from Editor to Admin using Groups in Concrete CMS ...)
- TODO: check
+ NOT-FOR-US: Concrete CMS
CVE-2021-22965 (A vulnerability in Pulse Connect Secure before 9.1R12.1 could allow an ...)
- TODO: check
+ NOT-FOR-US: Pulse Connect Secure
CVE-2021-22964 (A redirect vulnerability in the `fastify-static` module version >= ...)
NOT-FOR-US: fastify-static
CVE-2021-22963 (A redirect vulnerability in the fastify-static module version < 4.2 ...)
@@ -54467,7 +54469,7 @@ CVE-2021-22953 (A CSRF in Concrete CMS version 8.5.5 and below allows an attacke
CVE-2021-22952 (A vulnerability found in UniFi Talk application V1.12.3 and earlier pe ...)
NOT-FOR-US: UniFI Talk
CVE-2021-22951 (Unauthorized individuals could view password protected files using vie ...)
- TODO: check
+ NOT-FOR-US: Concrete CMS
CVE-2021-22950 (Concrete CMS prior to 8.5.6 had a CSFR vulnerability allowing attachme ...)
NOT-FOR-US: Concrete CMS
CVE-2021-22949 (A CSRF in Concrete CMS version 8.5.5 and below allows an attacker to d ...)
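Review bot: the visible description for CVE-2021-22951 (`Unauthorized individuals could view password protected files using vie ...`) does not mention Concrete CMS, unlike the neighbouring CVE-2021-22950 and CVE-2021-22949 entries that do; confirm the affected product before settling on `NOT-FOR-US: Concrete CMS`, since a password-protected-file disclosure could equally belong to a packaged application. Separately, the unchanged context line `NOT-FOR-US: UniFI Talk` has a capitalisation slip (UniFi) worth fixing in a follow-up.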
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/6c4b663d0005495aeff0f2bdc1bbffbdffbf38fb...aedb551d683181667af6871b8219c46b2caf4a23