[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Sun Apr 10 21:27:33 BST 2022
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
ff490787 by Moritz Muehlenhoff at 2022-04-10T22:27:07+02:00
NFUs
new gitlab issues
gcc non issue
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,7 +1,7 @@
CVE-2022-1290 (Stored XSS in "Name", "Group Name" & "Title" in GitHub repository ...)
- TODO: check
+ NOT-FOR-US: Trudesk
CVE-2022-1289 (A denial of service vulnerability was found in tildearrow Furnace. It ...)
- TODO: check
+ - furnace <itp> (bug #1008592)
CVE-2022-28890
RESERVED
CVE-2021-4226
@@ -9,9 +9,9 @@ CVE-2021-4226
CVE-2022-28889
RESERVED
CVE-2022-1288 (A vulnerability, which was classified as problematic, has been found i ...)
- TODO: check
+ NOT-FOR-US: School Club Application System
CVE-2022-1287 (A vulnerability classified as critical was found in School Club Applic ...)
- TODO: check
+ NOT-FOR-US: School Club Application System
CVE-2022-1286 (heap-buffer-overflow in mrb_vm_exec in mruby/mruby in GitHub repositor ...)
TODO: check
CVE-2022-28888
@@ -551,7 +551,7 @@ CVE-2022-1244 (heap-buffer-overflow in GitHub repository radareorg/radare2 prior
NOTE: https://huntr.dev/bounties/8ae2c61a-2220-47a5-bfe8-fe6d41ab1f82
NOTE: https://github.com/radareorg/radare2/commit/2b77b277d67ce061ee6ef839e7139ebc2103c1e3
CVE-2022-1243 (CRHTLF can lead to invalid protocol extraction potentially leading to ...)
- TODO: check
+ NOT-FOR-US: URI.js
CVE-2022-1242
RESERVED
CVE-2022-1241
@@ -631,7 +631,7 @@ CVE-2022-1235 (Weak secrethash can be brute-forced in GitHub repository livehelp
CVE-2022-1234 (XSS in livehelperchat in GitHub repository livehelperchat/livehelperch ...)
NOT-FOR-US: livehelperchat
CVE-2022-1233 (URL Confusion When Scheme Not Supplied in GitHub repository medialize/ ...)
- TODO: check
+ NOT-FOR-US: URI.js
CVE-2022-1232
RESERVED
{DSA-5114-1}
@@ -639,7 +639,7 @@ CVE-2022-1232
[buster] - chromium <end-of-life> (see DSA 5046)
[stretch] - chromium <end-of-life> (see DSA 4562)
CVE-2022-28651 (In JetBrains IntelliJ IDEA before 2021.3.3 it was possible to get pass ...)
- TODO: check
+ - intellij-idea <itp> (bug #747616)
CVE-2022-28650 (In JetBrains YouTrack before 2022.1.43700 it was possible to inject Ja ...)
NOT-FOR-US: JetBrains YouTrack
CVE-2022-28649 (In JetBrains YouTrack before 2022.1.43563 it was possible to include a ...)
@@ -1232,7 +1232,7 @@ CVE-2022-1212 (Use-After-Free in str_escape in mruby/mruby in GitHub repository
CVE-2022-28381 (Mediaserver.exe in ALLMediaServer 1.6 has a stack-based buffer overflo ...)
NOT-FOR-US: ALLMediaServer
CVE-2022-28380 (The rc-httpd component through 2022-03-31 for 9front (Plan 9 fork) all ...)
- TODO: check
+ NOT-FOR-US: 9front
CVE-2022-28379 (jc21.com Nginx Proxy Manager before 2.9.17 allows XSS during item dele ...)
NOT-FOR-US: jc21.com Nginx Proxy Manager
CVE-2022-28378 (Craft CMS before 3.7.29 allows XSS. ...)
@@ -1937,7 +1937,7 @@ CVE-2022-28171
CVE-2022-1163 (Cross-site Scripting (XSS) - Stored in GitHub repository mineweb/minew ...)
NOT-FOR-US: minewebcms
CVE-2022-1162 (A hardcoded password was set for accounts registered using an OmniAuth ...)
- TODO: check
+ - gitlab <unfixed>
CVE-2022-1161
RESERVED
CVE-2022-1160 (heap buffer overflow in get_one_sourceline in GitHub repository vim/vi ...)
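Review bot: The new "- gitlab <unfixed>" line for CVE-2022-1162 carries no NOTE: pointing at the upstream advisory, unlike the existing CVE-2022-0741 entry further down, which records "NOTE: https://about.gitlab.com/releases/2022/02/25/critical-security-release-gitlab-14-8-2-released/"; consider adding the matching GitLab release post as a NOTE: so the fixing upstream version is traceable from the tracker. The same applies to the other gitlab <unfixed> entries added in this commit (CVE-2022-1100, CVE-2022-1099, CVE-2022-0740 and CVE-2022-0390).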
@@ -2624,7 +2624,9 @@ CVE-2022-27945 (NETGEAR R8500 1.0.2.158 devices allow remote authenticated users
CVE-2022-27944
RESERVED
CVE-2022-27943 (libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in ...)
- TODO: check
+ - gcc-12 <unfixed> (unimportant)
+ NOTE: Negligible security impact
+ NOTE: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039
CVE-2022-27942 (tcpprep in Tcpreplay 4.4.1 has a heap-based buffer over-read in parse_ ...)
- tcpreplay <unfixed> (unimportant)
NOTE: https://github.com/appneta/tcpreplay/issues/719
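Review bot: The CVE-2022-27943 description names "GNU GCC 11.2", but the only source package listed is gcc-12; if gcc-11 (or other gcc source packages carrying libiberty/rust-demangle.c) ships the same code, it should get its own "(unimportant)" line rather than being left implicitly untracked. The two NOTE: lines are fine; the severity rationale plus the upstream bugzilla link is exactly what a later reader needs to revisit the "unimportant" call.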
@@ -2764,9 +2766,9 @@ CVE-2022-1102
CVE-2022-1101
RESERVED
CVE-2022-1100 (A potential DOS vulnerability was discovered in GitLab CE/EE affecting ...)
- TODO: check
+ - gitlab <unfixed>
CVE-2022-1099 (Adding a very large number of tags to a runner in GitLab CE/EE affecti ...)
- TODO: check
+ - gitlab <unfixed>
CVE-2022-1098 (Delta Electronics DIAEnergie (all versions prior to 1.8.02.004) are vu ...)
NOT-FOR-US: Delta Electronics DIAEnergie
CVE-2021-46742
@@ -8251,7 +8253,7 @@ CVE-2022-0741 (Improper input validation in all versions of GitLab CE/EE using s
- gitlab <unfixed>
NOTE: https://about.gitlab.com/releases/2022/02/25/critical-security-release-gitlab-14-8-2-released/
CVE-2022-0740 (Incorrect authorization in the Asana integration's branch restriction ...)
- TODO: check
+ - gitlab <unfixed>
CVE-2022-0739 (The BookingPress WordPress plugin before 1.0.11 fails to properly sani ...)
NOT-FOR-US: WordPress plugin
CVE-2022-0738 (An issue has been discovered in GitLab affecting all versions starting ...)
@@ -8829,7 +8831,7 @@ CVE-2022-25596 (ASUS RT-AC56U’s configuration function has a heap-based bu
CVE-2022-25595 (ASUS RT-AC86U has improper user request handling, which allows an unau ...)
NOT-FOR-US: ASUS
CVE-2022-25594 (Microprogram’s parking lot management system is vulnerable to se ...)
- TODO: check
+ NOT-FOR-US: Microprogram parking lot management system
CVE-2022-25593
RESERVED
CVE-2022-25592
@@ -9396,9 +9398,9 @@ CVE-2022-25341
CVE-2022-25340
RESERVED
CVE-2022-25339 (ownCloud owncloud/android 2.20 has Incorrect Access Control for local ...)
- TODO: check
+ NOT-FOR-US: Owncloud client for Android
CVE-2022-25338 (ownCloud owncloud/android before 2.20 has Incorrect Access Control for ...)
- TODO: check
+ NOT-FOR-US: Owncloud client for Android
CVE-2022-24914
RESERVED
CVE-2022-24436
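Review bot: Minor style point on the two new "NOT-FOR-US: Owncloud client for Android" lines for CVE-2022-25339 and CVE-2022-25338: the descriptions spell the vendor "ownCloud", and keeping the same spelling in the NOT-FOR-US marker makes grepping the list for one product name reliable.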
@@ -9479,7 +9481,7 @@ CVE-2022-0679 (The Narnoo Distributor WordPress plugin through 2.5.1 fails to va
CVE-2022-0678 (Cross-site Scripting (XSS) - Reflected in Packagist microweber/microwe ...)
NOT-FOR-US: microweber
CVE-2022-0677 (Improper Handling of Length Parameter Inconsistency vulnerability in t ...)
- TODO: check
+ NOT-FOR-US: Bitdefender
CVE-2021-4221
RESERVED
CVE-2022-25323 (ZEROF Web Server 2.0 allows /admin.back XSS. ...)
@@ -9845,7 +9847,7 @@ CVE-2022-25271 (Drupal core's form API has a vulnerability where certain contrib
NOTE: https://www.drupal.org/sa-core-2022-003
NOTE: https://git.drupalcode.org/project/drupal/-/commit/43c757167380643b5f73287a63a8739731a5b712
CVE-2022-25245 (Zoho ManageEngine ServiceDesk Plus before 13001 allows anyone to know ...)
- TODO: check
+ NOT-FOR-US: Zoho
CVE-2022-25244 (Vault Enterprise clusters using the tokenization transform feature can ...)
NOT-FOR-US: HashiCorp Vault
CVE-2022-25243 ("Vault and Vault Enterprise 1.8.0 through 1.8.8, and 1.9.3 allowed the ...)
@@ -10598,7 +10600,7 @@ CVE-2022-24980 (An issue was discovered in the Kitodo.Presentation (aka dif) ext
CVE-2022-24979 (An issue was discovered in the Varnishcache extension before 2.0.1 for ...)
NOT-FOR-US: TYPO3 extension
CVE-2022-24978 (Zoho ManageEngine ADAudit Plus before 7055 allows authenticated Privil ...)
- TODO: check
+ NOT-FOR-US: Zoho
CVE-2022-24977 (ImpressCMS before 1.4.2 allows unauthenticated remote code execution v ...)
NOT-FOR-US: ImpressCMS
CVE-2022-0579 (Improper Privilege Management in Packagist snipe/snipe-it prior to 5.3 ...)
@@ -10983,13 +10985,13 @@ CVE-2022-24824
CVE-2022-24823
RESERVED
CVE-2022-24822 (Podium is a library for building micro frontends. @podium/layout is a ...)
- TODO: check
+ NOT-FOR-US: Podium#
CVE-2022-24821 (XWiki Platform is a generic wiki platform offering runtime services fo ...)
- TODO: check
+ NOT-FOR-US: XWiki
CVE-2022-24820 (XWiki Platform is a generic wiki platform offering runtime services fo ...)
- TODO: check
+ NOT-FOR-US: XWiki
CVE-2022-24819 (XWiki Platform is a generic wiki platform offering runtime services fo ...)
- TODO: check
+ NOT-FOR-US: XWiki
CVE-2022-24818
RESERVED
CVE-2022-24817
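Review bot: The new line "+ NOT-FOR-US: Podium#" for CVE-2022-24822 has a stray trailing "#" after the product name; it should read "NOT-FOR-US: Podium" so the marker matches the plain-name form used on the neighbouring XWiki entries.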
@@ -11005,7 +11007,7 @@ CVE-2022-24813 (CreateWiki is Miraheze's MediaWiki extension for requesting &
CVE-2022-24812
RESERVED
CVE-2022-24811 (Combodi iTop is a web based IT Service Management tool. Prior to versi ...)
- TODO: check
+ NOT-FOR-US: Combodi
CVE-2022-24810
RESERVED
CVE-2022-24809
@@ -11081,7 +11083,7 @@ CVE-2022-24782 (Discourse is an open source discussion platform. Versions 2.8.2
CVE-2022-24781 (Geon is a board game based on solving questions about the Pythagorean ...)
NOT-FOR-US: Geon
CVE-2022-24780 (Combodo iTop is a web based IT Service Management tool. In versions pr ...)
- TODO: check
+ NOT-FOR-US: Combodi
CVE-2022-24779
RESERVED
CVE-2022-24778 (The imgcrypt library provides API exensions for containerd to support ...)
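Review bot: The new "NOT-FOR-US: Combodi" line for CVE-2022-24780 does not match the vendor spelling in that CVE's own description, which reads "Combodo iTop"; the same marker was used for CVE-2022-24811 in the previous hunk, whose description happens to carry the "Combodi" typo. Using one consistent, correct spelling (for example "NOT-FOR-US: Combodo iTop") for both entries avoids splitting the same product across two names in the list.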
@@ -11435,7 +11437,7 @@ CVE-2022-24683 (HashiCorp Nomad and Nomad Enterprise 0.9.2 through 1.0.17, 1.1.1
CVE-2022-24682 (An issue was discovered in the Calendar feature in Zimbra Collaboratio ...)
NOT-FOR-US: Zimbra
CVE-2022-24681 (Zoho ManageEngine ADSelfService Plus before 6121 allows XSS via the we ...)
- TODO: check
+ NOT-FOR-US: Zoho
CVE-2022-24680 (A security link following local privilege escalation vulnerability in ...)
NOT-FOR-US: Trend Micro
CVE-2022-24679 (A security link following local privilege escalation vulnerability in ...)
@@ -11915,7 +11917,7 @@ CVE-2022-24525 (Windows Update Stack Elevation of Privilege Vulnerability. ...)
CVE-2022-24524
RESERVED
CVE-2022-24523 (Microsoft Edge (Chromium-based) Spoofing Vulnerability. ...)
- TODO: check
+ NOT-FOR-US: Microsoft
CVE-2022-24522 (Skype Extension for Chrome Information Disclosure Vulnerability. ...)
NOT-FOR-US: Skype Extension for Chrome
CVE-2022-24521
@@ -12011,7 +12013,7 @@ CVE-2022-24477
CVE-2022-24476
RESERVED
CVE-2022-24475 (Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability. ...)
- TODO: check
+ NOT-FOR-US: Microsoft
CVE-2022-24474
RESERVED
CVE-2022-24473
@@ -12081,7 +12083,7 @@ CVE-2022-24443
CVE-2022-24442 (JetBrains YouTrack before 2021.4.40426 was vulnerable to SSTI (Server- ...)
NOT-FOR-US: JetBrains YouTrack
CVE-2022-24428 (Dell PowerScale OneFS, versions 8.2.x, 9.0.0.x, 9.1.0.x, 9.2.0.x, 9.2. ...)
- TODO: check
+ NOT-FOR-US: Dell
CVE-2022-24427
RESERVED
CVE-2022-24426 (Dell Command | Update, Dell Update, and Alienware Update versions prio ...)
@@ -12927,11 +12929,11 @@ CVE-2022-24233
CVE-2022-24232 (A local file inclusion in Hospital Patient Record Management System v1 ...)
NOT-FOR-US: Hospital Patient Record Management System
CVE-2022-24231 (Simple Student Information System v1.0 was discovered to contain a SQL ...)
- TODO: check
+ NOT-FOR-US: Simple Student Information System
CVE-2022-24230
RESERVED
CVE-2022-24229 (A cross-site scripting (XSS) vulnerability in ONLYOFFICE Document Serv ...)
- TODO: check
+ NOT-FOR-US: ONLYOFFICE
CVE-2022-24228
RESERVED
CVE-2022-24227 (A cross-site scripting (XSS) vulnerability in BoltWire v7.10 allows at ...)
@@ -13527,7 +13529,7 @@ CVE-2022-0391 (A flaw was found in Python, specifically within the urllib.parse
NOTE: Fixed by: https://github.com/python/cpython/commit/f4dac7ec55477a6c5d965e594e74bd6bda786903 (v3.7.11)
NOTE: Fixed by: https://github.com/python/cpython/commit/6c472d3a1d334d4eeb4a25eba7bf3b01611bf667 (v3.6.14)
CVE-2022-0390 (Improper access control in Gitlab CE/EE versions 12.7 to 14.5.4, 14.6 ...)
- TODO: check
+ - gitlab <unfixed>
CVE-2022-0389 (The WP Time Slots Booking Form WordPress plugin before 1.1.63 does not ...)
NOT-FOR-US: WordPress plugin
CVE-2022-0388 (The Interactive Medical Drawing of Human Body WordPress plugin through ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ff490787be4d8ac591c56419702d275cea3917ea