[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Mon Aug 1 21:10:32 BST 2022
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
192d8a79 by security tracker role at 2022-08-01T20:10:23+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,3 +1,31 @@
+CVE-2022-37304
+ RESERVED
+CVE-2022-37303
+ RESERVED
+CVE-2022-37302
+ RESERVED
+CVE-2022-37301
+ RESERVED
+CVE-2022-37300
+ RESERVED
+CVE-2022-2601
+ RESERVED
+CVE-2022-2600
+ RESERVED
+CVE-2022-2599
+ RESERVED
+CVE-2022-2598 (Undefined Behavior for Input to API in GitHub repository vim/vim prior ...)
+ TODO: check
+CVE-2022-2597
+ RESERVED
+CVE-2022-2596 (Denial of Service in GitHub repository node-fetch/node-fetch prior to ...)
+ TODO: check
+CVE-2022-2595 (Improper Authorization in GitHub repository kromitgmbh/titra prior to ...)
+ TODO: check
+CVE-2022-2594
+ RESERVED
+CVE-2022-2593
+ RESERVED
CVE-2022-37299
RESERVED
CVE-2022-37298
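Review bot: three of the new entries (CVE-2022-2598, CVE-2022-2596, CVE-2022-2595) are left at TODO: check although their truncated descriptions already name the upstream project. vim reports from this stream are tracked elsewhere in this file as `- vim <unfixed>` with a `[bullseye] - vim <no-dsa> (Minor issue)` line (see CVE-2022-2304 further down), so CVE-2022-2598 should get that form once the fixing upstream patch level is known; CVE-2022-2595 (kromitgmbh/titra) reads like a NOT-FOR-US candidate in the same way as the microweber entries below, and CVE-2022-2596 needs a check of whether node-fetch is packaged before it is resolved.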
@@ -528,8 +556,8 @@ CVE-2022-37038
RESERVED
CVE-2022-2590
RESERVED
-CVE-2022-2589
- RESERVED
+CVE-2022-2589 (Cross-site Scripting (XSS) - Reflected in GitHub repository beancount/ ...)
+ TODO: check
CVE-2022-37037
RESERVED
CVE-2022-37036
@@ -610,10 +638,10 @@ CVE-2022-37022
RESERVED
CVE-2022-37021
RESERVED
-CVE-2022-2581
- RESERVED
-CVE-2022-2580
- RESERVED
+CVE-2022-2581 (Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.0104. ...)
+ TODO: check
+CVE-2022-2580 (Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0 ...)
+ TODO: check
CVE-2022-2579 (A vulnerability, which was classified as problematic, was found in Sou ...)
NOT-FOR-US: SourceCodester
CVE-2022-2578 (A vulnerability, which was classified as critical, has been found in S ...)
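Review bot: CVE-2022-2581 and CVE-2022-2580 are vim out-of-bounds read / heap overflow reports whose upstream fix level is partly visible (9.0.0104 for CVE-2022-2581, cut off for CVE-2022-2580); leaving them at TODO: check keeps them out of the package view, and the CVE-2022-2304 entry later in this diff shows the expected form: `- vim <unfixed> (bug #<placeholder>)` plus `[bullseye] - vim <no-dsa> (Minor issue)`, with a NOTE naming the upstream commit. The same applies to CVE-2022-2571 in the following hunk.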
@@ -664,8 +692,8 @@ CVE-2022-37014
RESERVED
CVE-2022-2572
RESERVED
-CVE-2022-2571
- RESERVED
+CVE-2022-2571 (Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0 ...)
+ TODO: check
CVE-2022-2570
RESERVED
CVE-2022-37013
@@ -2066,8 +2094,8 @@ CVE-2022-36346
RESERVED
CVE-2022-36344
RESERVED
-CVE-2022-36343
- RESERVED
+CVE-2022-36343 (Authenticated (author or higher user role) Stored Cross-Site Scripting ...)
+ TODO: check
CVE-2022-36341
RESERVED
CVE-2022-36296
@@ -2098,8 +2126,8 @@ CVE-2022-34648
RESERVED
CVE-2022-34344
RESERVED
-CVE-2022-34154
- RESERVED
+CVE-2022-34154 (Authenticated (author or higher user role) Arbitrary File Upload vulne ...)
+ TODO: check
CVE-2022-33970 (Authenticated WordPress Options Change vulnerability in Biplob018 Shor ...)
NOT-FOR-US: WordPress plugin
CVE-2022-33969 (Authenticated WordPress Options Change vulnerability in Biplob Adhikar ...)
@@ -2145,8 +2173,7 @@ CVE-2022-32570
RESERVED
CVE-2022-32232
RESERVED
-CVE-2022-2509
- RESERVED
+CVE-2022-2509 (A vulnerability found in gnutls. This security flaw happens because of ...)
- gnutls28 3.7.7-1
NOTE: https://gnutls.org/security-new.html (GNUTLS-SA-2022-07-07)
NOTE: https://gitlab.com/gnutls/gnutls/-/issues/1383 (restricted)
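Review bot: the description for CVE-2022-2509 lands after the `gnutls28 3.7.7-1` fixed version and the GNUTLS-SA-2022-07-07 NOTE were already recorded (both are unchanged context here), so the entry is consistent; what is still missing is a NOTE pointing at the public upstream fix, since the only issue link is marked restricted and anyone assessing a bullseye backport would otherwise have to find the commit themselves.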
@@ -2398,10 +2425,10 @@ CVE-2022-36304 (Vesta v1.0.0-5 was discovered to contain a cross-site scripting
NOT-FOR-US: Vesta
CVE-2022-36303 (Vesta v1.0.0-5 was discovered to contain a cross-site scripting (XSS) ...)
NOT-FOR-US: Vesta
-CVE-2022-36302
- RESERVED
-CVE-2022-36301
- RESERVED
+CVE-2022-36302 (File path manipulation vulnerability in BF-OS version 3.00 up to and i ...)
+ TODO: check
+CVE-2022-36301 (BF-OS version 3.x up to and including 3.83 do not enforce strong passw ...)
+ TODO: check
CVE-2022-36300
RESERVED
CVE-2022-30706 (Open redirect vulnerability in Booked versions prior to 3.3 allows a r ...)
@@ -4024,10 +4051,10 @@ CVE-2022-2372
RESERVED
CVE-2022-2371
RESERVED
-CVE-2022-2370
- RESERVED
-CVE-2022-2369
- RESERVED
+CVE-2022-2370 (The YaySMTP WordPress plugin before 2.2.1 does not have capability che ...)
+ TODO: check
+CVE-2022-2369 (The YaySMTP WordPress plugin before 2.2.1 does not have capability che ...)
+ TODO: check
CVE-2022-2368 (Business Logic Errors in GitHub repository microweber/microweber prior ...)
NOT-FOR-US: microweber
CVE-2022-2367
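Review bot: CVE-2022-2370 and CVE-2022-2369 (YaySMTP) are WordPress plugin advisories of the kind that neighbouring entries resolve as NOT-FOR-US: WordPress plugin (see CVE-2022-2240 and CVE-2022-2239 further down), and their truncated descriptions are identical up to the cut-off, so they are evidently a pair of related issues in one plugin; resolving both TODO: check lines together keeps them out of the triage queue.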
@@ -4904,8 +4931,8 @@ CVE-2022-2330
RESERVED
CVE-2022-2329
RESERVED
-CVE-2022-2328
- RESERVED
+CVE-2022-2328 (The Flexi Quote Rotator WordPress plugin through 0.9.4 does not saniti ...)
+ TODO: check
CVE-2022-2327 (io_uring use work_flags to determine which identity need to grab from ...)
- linux 5.14.6-1
[bullseye] - linux 5.10.127-1
@@ -4923,8 +4950,8 @@ CVE-2022-35231
RESERVED
CVE-2022-33896
RESERVED
-CVE-2022-2325
- RESERVED
+CVE-2022-2325 (The Invitation Based Registrations WordPress plugin through 2.2.84 doe ...)
+ TODO: check
CVE-2022-2324 (Improperly Implemented Security Check vulnerability in the SonicWall H ...)
NOT-FOR-US: SonicWall
CVE-2022-2323 (Improper neutralization of special elements used in a user input allow ...)
@@ -4980,8 +5007,8 @@ CVE-2022-2319 [ZDI-CAN-16062: X.Org Server ProcXkbSetGeometry Out-Of-Bounds Acce
NOTE: Fixed by: https://github.com/freedesktop/xorg-xserver/commit/6907b6ea2b4ce949cb07271f5b678d5966d9df42
NOTE: Required for fixes: https://github.com/freedesktop/xorg-xserver/commit/f1070c01d616c5f21f939d5ebc533738779451ac
NOTE: https://www.openwall.com/lists/oss-security/2022/07/12/1
-CVE-2022-2317
- RESERVED
+CVE-2022-2317 (The Simple Membership WordPress plugin before 4.1.3 allows user to cha ...)
+ TODO: check
CVE-2022-2316 (HTML injection vulnerability in secure messages of Devolutions Server ...)
NOT-FOR-US: Devolutions Server
CVE-2022-2315
@@ -5618,8 +5645,8 @@ CVE-2022-34916
RESERVED
CVE-2022-2306 (Old session tokens can be used to authenticate to the application and ...)
NOT-FOR-US: Nakama
-CVE-2022-2305
- RESERVED
+CVE-2022-2305 (The WordPress Popup WordPress plugin through 1.9.3.8 does not sanitise ...)
+ TODO: check
CVE-2022-2304 (Stack-based Buffer Overflow in GitHub repository vim/vim prior to 9.0. ...)
- vim <unfixed> (bug #1015984)
[bullseye] - vim <no-dsa> (Minor issue)
@@ -5781,8 +5808,8 @@ CVE-2022-2279 (NULL Pointer Dereference in GitHub repository bfabiszewski/libmob
- libmobi 0.11+dfsg-1
NOTE: https://huntr.dev/bounties/68c249e2-779d-4871-b7e3-851f03aca2de/
NOTE: https://github.com/bfabiszewski/libmobi/commit/c0699c8693c47f14a2e57dec7292e862ac7adf9c (v0.11)
-CVE-2022-2278
- RESERVED
+CVE-2022-2278 (The Featured Image from URL (FIFU) WordPress plugin before 4.0.1 does ...)
+ TODO: check
CVE-2022-2277
RESERVED
CVE-2021-4234 (OpenVPN Access Server 2.10 and prior versions are susceptible to resen ...)
@@ -5918,8 +5945,8 @@ CVE-2022-2274 (The OpenSSL 3.0.4 release introduced a serious bug in the RSA imp
NOTE: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=4d8a88c134df634ba610ff8db1eb8478ac5fd345
NOTE: https://github.com/openssl/openssl/issues/18625
NOTE: https://www.openssl.org/news/secadv/20220705.txt
-CVE-2022-2273
- RESERVED
+CVE-2022-2273 (The Simple Membership WordPress plugin before 4.1.3 does not properly ...)
+ TODO: check
CVE-2022-2272
RESERVED
CVE-2022-2271
@@ -5947,8 +5974,8 @@ CVE-2022-2262 (A vulnerability has been found in Online Hotel Booking System 1.0
NOT-FOR-US: Online Hotel Booking System
CVE-2022-2261
RESERVED
-CVE-2022-2260
- RESERVED
+CVE-2022-2260 (The GiveWP WordPress plugin before 2.21.3 does not have CSRF in place ...)
+ TODO: check
CVE-2022-34835 (In Das U-Boot through 2022.07-rc5, an integer signedness error and res ...)
- u-boot <unfixed> (bug #1014529)
[bullseye] - u-boot <no-dsa> (Minor issue)
@@ -6197,16 +6224,16 @@ CVE-2022-34736 (The frame scheduling module has a null pointer dereference vulne
NOT-FOR-US: Huawei
CVE-2022-34735 (The frame scheduling module has a null pointer dereference vulnerabili ...)
NOT-FOR-US: Huawei
-CVE-2022-2245
- RESERVED
+CVE-2022-2245 (The Counter Box WordPress plugin before 1.2.1 is lacking CSRF check wh ...)
+ TODO: check
CVE-2022-2244 (An improper authorization vulnerability in GitLab EE/CE affecting all ...)
- gitlab <unfixed>
CVE-2022-2243 (An access control vulnerability in GitLab EE/CE affecting all versions ...)
- gitlab <unfixed>
CVE-2022-2242
RESERVED
-CVE-2022-2241
- RESERVED
+CVE-2022-2241 (The Featured Image from URL (FIFU) WordPress plugin before 4.0.0 does ...)
+ TODO: check
CVE-2022-2240 (The Request a Quote WordPress plugin through 2.3.7 does not validate u ...)
NOT-FOR-US: WordPress plugin
CVE-2022-2239 (The Request a Quote WordPress plugin through 2.3.7 does not sanitise a ...)
@@ -6453,8 +6480,8 @@ CVE-2022-2217 (Cross-site Scripting (XSS) - Generic in GitHub repository ionicab
NOT-FOR-US: Node parse-url
CVE-2022-2216 (Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/pa ...)
NOT-FOR-US: Node parse-url
-CVE-2022-2215
- RESERVED
+CVE-2022-2215 (The GiveWP WordPress plugin before 2.21.3 does not properly sanitise a ...)
+ TODO: check
CVE-2020-36553 (Cross Site Scripting (XSS) vulnerability in sourcecodester Multi Resta ...)
NOT-FOR-US: Multi Restaurant Table Reservation System
CVE-2020-36552 (Cross Site Scripting (XSS) vulnerability in sourcecodester Multi Resta ...)
@@ -6683,8 +6710,8 @@ CVE-2022-34568 (SDL v1.2 was discovered to contain a use-after-free via the XFre
[buster] - libsdl1.2 <no-dsa> (Minor issue)
NOTE: https://github.com/libsdl-org/SDL-1.2/issues/863
NOTE: https://github.com/libsdl-org/SDL-1.2/commit/d7e00208738a0bc6af302723fe64908ac35b777b
-CVE-2022-34567
- RESERVED
+CVE-2022-34567 (An issue in \Roaming\Mango\Plugins of University of Texas Multi-image ...)
+ TODO: check
CVE-2022-34566
RESERVED
CVE-2022-34565
@@ -7365,8 +7392,8 @@ CVE-2022-32284 (Use of insufficiently random values vulnerability exists in Vnet
NOT-FOR-US: YOKOGAWA
CVE-2022-2185 (A critical issue has been discovered in GitLab affecting all versions ...)
- gitlab <unfixed>
-CVE-2022-2184
- RESERVED
+CVE-2022-2184 (The CAPTCHA 4WP WordPress plugin before 7.1.0 lets user input reach a ...)
+ TODO: check
CVE-2022-2183 (Out-of-bounds Read in GitHub repository vim/vim prior to 8.2. ...)
- vim <unfixed> (unimportant)
NOTE: https://huntr.dev/bounties/d74ca3f9-380d-4c0a-b61c-11113cc98975
@@ -7377,8 +7404,8 @@ CVE-2022-2182 (Heap-based Buffer Overflow in GitHub repository vim/vim prior to
NOTE: https://huntr.dev/bounties/238d8650-3beb-4831-a8f7-6f0b597a6fb8
NOTE: https://github.com/vim/vim/commit/f7c7c3fad6d2135d558f3b36d0d1a943118aeb5e (v8.2.5150)
NOTE: Crash in CLI tool, no security impact
-CVE-2022-2181
- RESERVED
+CVE-2022-2181 (The Advanced WordPress Reset WordPress plugin before 1.6 does not esca ...)
+ TODO: check
CVE-2021-46824 (Cross Site Scripting (XSS) vulnerability in sourcecodester School File ...)
NOT-FOR-US: sourcecodester School File Management System
CVE-2022-34327
@@ -7421,8 +7448,8 @@ CVE-2022-34309
RESERVED
CVE-2022-34308
RESERVED
-CVE-2022-34307
- RESERVED
+CVE-2022-34307 (IBM CICS TX 11.1 does not set the secure attribute on authorization to ...)
+ TODO: check
CVE-2022-34306 (IBM CICS TX Standard and Advanced 11.1 is vulnerable to HTTP header in ...)
NOT-FOR-US: IBM
CVE-2022-34305 (In Apache Tomcat 10.1.0-M1 to 10.1.0-M16, 10.0.0-M1 to 10.0.22, 9.0.30 ...)
@@ -7529,10 +7556,10 @@ CVE-2022-2173 (The Advanced Database Cleaner WordPress plugin before 3.1.1 does
NOT-FOR-US: WordPress plugin
CVE-2022-2172
RESERVED
-CVE-2022-2171
- RESERVED
-CVE-2022-2170
- RESERVED
+CVE-2022-2171 (The Progressive License WordPress plugin through 1.1.0 is lacking any ...)
+ TODO: check
+CVE-2022-2170 (The Microsoft Advertising Universal Event Tracking (UET) WordPress plu ...)
+ TODO: check
CVE-2022-2169 (The Loading Page with Loading Screen WordPress plugin before 1.0.83 do ...)
NOT-FOR-US: WordPress plugin
CVE-2022-2168 (The Download Manager WordPress plugin before 3.2.44 does not escape a ...)
@@ -7848,14 +7875,14 @@ CVE-2022-34166 (IBM CICS TX Standard and Advanced 11.1 is vulnerable to cross-si
NOT-FOR-US: IBM
CVE-2022-34165
RESERVED
-CVE-2022-34164
- RESERVED
-CVE-2022-34163
- RESERVED
-CVE-2022-34162
- RESERVED
-CVE-2022-34161
- RESERVED
+CVE-2022-34164 (IBM CICS TX 11.1 could allow a local user to impersonate another legit ...)
+ TODO: check
+CVE-2022-34163 (IBM CICS TX 11.1 is vulnerable to HTTP header injection, caused by imp ...)
+ TODO: check
+CVE-2022-34162 (IBM CICS TX 11.1 could allow a remote attacker to hijack the clicking ...)
+ TODO: check
+CVE-2022-34161 (IBM CICS TX 11.1 is vulnerable to cross-site request forgery which cou ...)
+ TODO: check
CVE-2022-34160 (IBM CICS TX Standard and Advanced 11.1 is vulnerable to HTML injection ...)
NOT-FOR-US: IBM
CVE-2022-34159
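Review bot: the four new IBM CICS TX 11.1 entries (CVE-2022-34164 down to CVE-2022-34161) describe the same product as CVE-2022-34166 and CVE-2022-34160 in the surrounding context, both already resolved as NOT-FOR-US: IBM; the TODO: check lines can be resolved the same way rather than left for manual triage.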
@@ -7957,7 +7984,7 @@ CVE-2022-34117
RESERVED
CVE-2022-34116
RESERVED
-CVE-2022-34115 (Dataease v1.11.1 was discovered to contain a SQL injection vulnerabili ...)
+CVE-2022-34115 (DataEase v1.11.1 was discovered to contain a arbitrary file write vuln ...)
NOT-FOR-US: Dataease
CVE-2022-34114 (Dataease v1.11.1 was discovered to contain a SQL injection vulnerabili ...)
NOT-FOR-US: Dataease
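Review bot: the CVE-2022-34115 description changes from a SQL injection to an arbitrary file write, i.e. the upstream record was rewritten; NOT-FOR-US: Dataease still holds, but the spelling now differs between the description (DataEase) and the status lines (Dataease) for CVE-2022-34115 and CVE-2022-34114, which could be aligned to one form.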
@@ -8379,8 +8406,8 @@ CVE-2022-33957
RESERVED
CVE-2022-33956
RESERVED
-CVE-2022-33955
- RESERVED
+CVE-2022-33955 (IBM CICS TX 11.1 could allow allow an attacker with physical access to ...)
+ TODO: check
CVE-2022-33954
RESERVED
CVE-2022-33953 (IBM Robotic Process Automation 21.0.1 and 21.0.2 could allow a user wi ...)
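Review bot: CVE-2022-33955 is another IBM CICS TX 11.1 advisory and should be resolved like the other IBM entries in this diff (NOT-FOR-US: IBM) instead of staying at TODO: check; the doubled word in "could allow allow an attacker" is imported upstream description text and should be left as is rather than hand-edited in this file.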
@@ -12724,11 +12751,13 @@ CVE-2022-32209 (# Possible XSS Vulnerability in Rails::Html::SanitizerThere is a
NOTE: https://discuss.rubyonrails.org/t/cve-2022-32209-possible-xss-vulnerability-in-rails-sanitizer/80800
NOTE: https://github.com/rails/rails-html-sanitizer/commit/45a5c10fed3d9aa141594c80afa06d748fa0967d (v1.4.3)
CVE-2022-32208 (When curl < 7.84.0 does FTP transfers secured by krb5, it handles m ...)
+ {DSA-5197-1}
- curl 7.84.0-1
NOTE: https://curl.se/docs/CVE-2022-32208.html
NOTE: Introduced by: https://github.com/curl/curl/commit/54967d2a3ab5559631407f7b7f67ef48c2dda6dd (curl-7_16_4)
NOTE: Fixed by: https://github.com/curl/curl/commit/6ecdf5136b52af747e7bda08db9a748256b1cd09 (curl-7_84_0)
CVE-2022-32207 (When curl < 7.84.0 saves cookies, alt-svc and hsts data to local fi ...)
+ {DSA-5197-1}
- curl 7.84.0-1
[buster] - curl <not-affected> (Vulnerable code introduced later)
[stretch] - curl <not-affected> (Vulnerable code introduced later)
@@ -12736,11 +12765,13 @@ CVE-2022-32207 (When curl < 7.84.0 saves cookies, alt-svc and hsts data to lo
NOTE: Introduced by: https://github.com/curl/curl/commit/b834890a3fa3f525cd8ef4e99554cdb4558d7e1b (curl-7_69_0)
NOTE: Fixed by: https://github.com/curl/curl/commit/20f9dd6bae50b7223171b17ba7798946e74f877f (curl-7_84_0)
CVE-2022-32206 (curl < 7.84.0 supports "chained" HTTP compression algorithms, meani ...)
+ {DSA-5197-1}
- curl 7.84.0-1
NOTE: https://curl.se/docs/CVE-2022-32206.html
NOTE: Introduced by: https://github.com/curl/curl/commit/dbcced8e32b50c068ac297106f0502ee200a1ebd (curl-7_57_0)
NOTE: Fixed by: https://github.com/curl/curl/commit/3a09fbb7f264c67c438d01a30669ce325aa508e2 (curl-7_84_0)
CVE-2022-32205 (A malicious server can serve excessive amounts of `Set-Cookie:` header ...)
+ {DSA-5197-1}
- curl 7.84.0-1
[buster] - curl <not-affected> (Vulnerable code introduced later)
[stretch] - curl <not-affected> (Vulnerable code introduced later)
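Review bot: `{DSA-5197-1}` is added to CVE-2022-32208, CVE-2022-32207, CVE-2022-32206 and CVE-2022-32205 while the only fixed version in these entries remains `curl 7.84.0-1` for unstable; the DSA reference is what lets the tracker report bullseye as fixed, so this commit, which touches only data/CVE/list, depends on the matching DSA-5197-1 entry with the bullseye version existing in data/DSA/list, and that should be checked before trusting the status display. The `[buster]`/`[stretch]` not-affected lines on CVE-2022-32207 and CVE-2022-32205 stay untouched, which is consistent with a DSA that covers bullseye only.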
@@ -13006,8 +13037,8 @@ CVE-2022-1952 (The Free Booking Plugin for Hotels, Restaurant and Car Rental Wor
NOT-FOR-US: WordPress plugin
CVE-2022-1951 (The core plugin for kitestudio WordPress plugin before 2.3.1 does not ...)
NOT-FOR-US: WordPress plugin
-CVE-2022-1950
- RESERVED
+CVE-2022-1950 (The Youzify WordPress plugin before 1.2.0 does not sanitise and escape ...)
+ TODO: check
CVE-2022-1949 (An access control bypass vulnerability found in 389-ds-base. That mish ...)
- 389-ds-base <unfixed> (bug #1016446)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2091781
@@ -13760,9 +13791,9 @@ CVE-2022-1940 (A Stored Cross-Site Scripting vulnerability in Jira integration i
NOTE: https://about.gitlab.com/releases/2022/06/01/critical-security-release-gitlab-15-0-1-released/
CVE-2022-1939 (The Allow svg files WordPress plugin before 1.1 does not properly vali ...)
NOT-FOR-US: WordPress plugin
-CVE-2022-1938 (The Awin Data Feed WordPress plugin through 1.6 does not sanitise and ...)
+CVE-2022-1938 (The Awin Data Feed WordPress plugin before 1.8 does not sanitise and e ...)
NOT-FOR-US: WordPress plugin
-CVE-2022-1937 (The Awin Data Feed WordPress plugin through 1.6 does not sanitise and ...)
+CVE-2022-1937 (The Awin Data Feed WordPress plugin before 1.8 does not sanitise and e ...)
NOT-FOR-US: WordPress plugin
CVE-2022-XXXX [Sanitizing and other XSS protections]
- spip 4.1.2+dfsg-1
@@ -13960,8 +13991,8 @@ CVE-2022-1907 (Buffer Over-read in GitHub repository bfabiszewski/libmobi prior
- libmobi 0.11+dfsg-1 (bug #1011971)
NOTE: https://huntr.dev/bounties/4eb0fa3e-4480-4fb5-8ec0-fbcd71de6012
NOTE: https://github.com/bfabiszewski/libmobi/commit/1e0378e6f9e4ae415cedc9eb10850888897c5dba (v0.11)
-CVE-2022-1906
- RESERVED
+CVE-2022-1906 (The Copyright Proof WordPress plugin through 4.16 does not sanitise an ...)
+ TODO: check
CVE-2022-1905 (The Events Made Easy WordPress plugin before 2.2.81 does not properly ...)
NOT-FOR-US: WordPress plugin
CVE-2022-1904 (The Pricing Tables WordPress Plugin WordPress plugin before 3.2.1 does ...)
@@ -15729,8 +15760,8 @@ CVE-2022-31150 (undici is an HTTP/1.1 client, written from scratch for Node.js.
NOTE: https://github.com/nodejs/undici/releases/tag/v5.8.0
CVE-2022-31149
RESERVED
-CVE-2022-31148
- RESERVED
+CVE-2022-31148 (Shopware is an open source e-commerce software. In versions from 5.7.0 ...)
+ TODO: check
CVE-2022-31147 (The jQuery Validation Plugin (jquery-validation) provides drop-in vali ...)
NOT-FOR-US: jquery-validation
CVE-2022-31146 (Wasmtime is a standalone runtime for WebAssembly. There is a bug in th ...)
@@ -15776,8 +15807,8 @@ CVE-2022-31129 (moment is a JavaScript date library for parsing, validating, man
NOTE: https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3 (2.29.4)
NOTE: https://github.com/moment/moment/pull/6015#issuecomment-1152961973
NOTE: https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g
-CVE-2022-31128
- RESERVED
+CVE-2022-31128 (Tuleap is a Free & Open Source Suite to improve management of soft ...)
+ TODO: check
CVE-2022-31127 (NextAuth.js is a complete open source authentication solution for Next ...)
NOT-FOR-US: NextAuth.js
CVE-2022-31126 (Roxy-wi is an open source web interface for managing Haproxy, Nginx, A ...)
@@ -15822,8 +15853,8 @@ CVE-2022-31111 (Frontier is Substrate's Ethereum compatibility layer. In affecte
NOT-FOR-US: Frontier
CVE-2022-31110 (RSSHub is an open source, extensible RSS feed generator. In commits pr ...)
NOT-FOR-US: RSSHub
-CVE-2022-31109
- RESERVED
+CVE-2022-31109 (laminas-diactoros is a PHP package containing implementations of the P ...)
+ TODO: check
CVE-2022-31108 (Mermaid is a JavaScript based diagramming and charting tool that uses ...)
- node-mermaid <unfixed> (bug #1014540)
[bullseye] - node-mermaid <no-dsa> (Minor issue)
@@ -17016,13 +17047,11 @@ CVE-2022-30701 (An uncontrolled search path element vulnerability in Trend Micro
NOT-FOR-US: Trend Micro
CVE-2022-30700 (An incorrect permission assignment vulnerability in Trend Micro Apex O ...)
NOT-FOR-US: Trend Micro
-CVE-2022-30699
- RESERVED
+CVE-2022-30699 (NLnet Labs Unbound, up to and including version 1.16.1, is vulnerable ...)
- unbound <unfixed> (bug #1016493)
NOTE: https://www.nlnetlabs.nl/downloads/unbound/CVE-2022-30698_CVE-2022-30699.txt
NOTE: https://github.com/NLnetLabs/unbound/commit/f6753a0f1018133df552347a199e0362fc1dac68 (release-1.16.2)
-CVE-2022-30698
- RESERVED
+CVE-2022-30698 (NLnet Labs Unbound, up to and including version 1.16.1 is vulnerable t ...)
- unbound <unfixed> (bug #1016493)
NOTE: https://www.nlnetlabs.nl/downloads/unbound/CVE-2022-30698_CVE-2022-30699.txt
NOTE: https://github.com/NLnetLabs/unbound/commit/f6753a0f1018133df552347a199e0362fc1dac68 (release-1.16.2)
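Review bot: CVE-2022-30699 and CVE-2022-30698 share the same bug (#1016493), the same upstream advisory text file and the same fixing commit (release-1.16.2), so they must be updated in lockstep when unbound is uploaded; the CVE-2022-30699 entry, which is visible in full here, has no `[bullseye]` or `[buster]` line, so the decision whether these Unbound issues warrant a DSA or a no-dsa marker for the stable suites is still open and should be recorded on both entries.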
@@ -18358,8 +18387,8 @@ CVE-2022-1602
RESERVED
CVE-2022-1601
RESERVED
-CVE-2022-1600
- RESERVED
+CVE-2022-1600 (The YOP Poll WordPress plugin before 6.4.3 prioritizes getting a visit ...)
+ TODO: check
CVE-2022-1599 (The Admin Management Xtended WordPress plugin before 2.4.5 does not ha ...)
NOT-FOR-US: WordPress plugin
CVE-2022-1598 (The WPQA Builder WordPress plugin before 5.4 which is a companion to t ...)
@@ -18473,8 +18502,8 @@ CVE-2022-1586 (An out-of-bounds read vulnerability was discovered in the PCRE2 l
[stretch] - pcre2 <no-dsa> (Minor issue)
NOTE: https://github.com/PCRE2Project/pcre2/commit/50a51cb7e67268e6ad417eb07c9de9bfea5cc55a (pcre2-10.40)
NOTE: https://github.com/PCRE2Project/pcre2/commit/d4fa336fbcc388f89095b184ba6d99422cfc676c (pcre2-10.40)
-CVE-2022-1585
- RESERVED
+CVE-2022-1585 (The Project Source Code Download WordPress plugin through 1.0.0 does n ...)
+ TODO: check
CVE-2022-30259
RESERVED
CVE-2022-30258
@@ -18827,8 +18856,8 @@ CVE-2022-1563
RESERVED
CVE-2022-1562 (The Enable SVG WordPress plugin before 1.4.0 does not sanitise uploade ...)
NOT-FOR-US: WordPress plugin
-CVE-2022-1561
- RESERVED
+CVE-2022-1561 (Lura and KrakenD-CE versions older than v2.0.2 and KrakenD-EE versions ...)
+ TODO: check
CVE-2022-1560 (The Amministrazione Aperta WordPress plugin before 3.8 does not valida ...)
NOT-FOR-US: WordPress plugin
CVE-2022-1559 (The Clipr WordPress plugin through 1.2.3 does not sanitise and escape ...)
@@ -20772,7 +20801,7 @@ CVE-2022-1393 (The WP Subtitle WordPress plugin before 3.4.1 adds a subtitle fie
NOT-FOR-US: WordPress plugin
CVE-2022-1392 (The Videos sync PDF WordPress plugin through 1.7.4 does not validate t ...)
NOT-FOR-US: WordPress plugin
-CVE-2022-1391 (The Cab fare calculator WordPress plugin through 1.0.3 does not valida ...)
+CVE-2022-1391 (The Cab fare calculator WordPress plugin before 1.0.4 does not validat ...)
NOT-FOR-US: WordPress plugin
CVE-2022-1390 (The Admin Word Count Column WordPress plugin through 2.2 does not vali ...)
NOT-FOR-US: WordPress plugin
@@ -21954,8 +21983,8 @@ CVE-2022-1326 (The Form - Contact Form WordPress plugin through 1.2.0 does not s
NOT-FOR-US: WordPress plugin
CVE-2022-1325
RESERVED
-CVE-2022-1324
- RESERVED
+CVE-2022-1324 (The Event Timeline WordPress plugin through 1.1.5 does not sanitize an ...)
+ TODO: check
CVE-2022-1323
RESERVED
CVE-2022-1322
@@ -25835,12 +25864,14 @@ CVE-2022-26346
CVE-2022-1060
RESERVED
CVE-2022-27782 (libcurl would reuse a previously created connection even when a TLS or ...)
+ {DSA-5197-1}
- curl 7.83.1-1
NOTE: https://www.openwall.com/lists/oss-security/2022/05/11/5
NOTE: https://curl.se/docs/CVE-2022-27782.html
NOTE: Fixed by: https://github.com/curl/curl/commit/f18af4f874cecab82a9797e8c7541e0990c7a64c (curl-7_83_1)
NOTE: Fixed by: https://github.com/curl/curl/commit/1645e9b44505abd5cbaf65da5282c3f33b5924a5 (curl-7_83_1)
CVE-2022-27781 (libcurl provides the `CURLOPT_CERTINFO` option to allow applications t ...)
+ {DSA-5197-1}
- curl 7.83.1-1
NOTE: https://www.openwall.com/lists/oss-security/2022/05/11/4
NOTE: https://curl.se/docs/CVE-2022-27781.html
@@ -25882,10 +25913,12 @@ CVE-2022-27777 (A XSS Vulnerability in Action View tag helpers >= 5.2.0 and &
NOTE: Fixed by: https://github.com/rails/rails/commit/1278c0f0b4a18ea199f92b666b8b94954a74c20b (v5.2.7.1)
NOTE: Regression fix: https://github.com/rails/rails/commit/a1b8a9b5e5a905d0aeabf532e3f6b74116d5cce6 (v5.2.8)
CVE-2022-27776 (A insufficiently protected credentials vulnerability in fixed in curl ...)
+ {DSA-5197-1}
- curl 7.83.0-1 (bug #1010252)
NOTE: https://curl.se/docs/CVE-2022-27776.html
NOTE: Fixed by: https://github.com/curl/curl/commit/6e659993952aa5f90f48864be84a1bbb047fc258 (curl-7_83_0)
CVE-2022-27775 (An information disclosure vulnerability exists in curl 7.65.0 to 7.82. ...)
+ {DSA-5197-1}
- curl 7.83.0-1 (bug #1010253)
[buster] - curl <not-affected> (Vulnerable code introduced later)
[stretch] - curl <not-affected> (Vulnerable code introduced later)
@@ -25893,6 +25926,7 @@ CVE-2022-27775 (An information disclosure vulnerability exists in curl 7.65.0 to
NOTE: Introduced by: https://github.com/curl/curl/commit/2d0e9b40d3237b1450cbbfbcb996da244d964898 (curl-7_65_0)
NOTE: Fixed by: https://github.com/curl/curl/commit/058f98dc3fe595f21dc26a5b9b1699e519ba5705 (curl-7_83_0)
CVE-2022-27774 (An insufficiently protected credentials vulnerability exists in curl 4 ...)
+ {DSA-5197-1}
- curl 7.83.0-1 (bug #1010254)
NOTE: https://curl.se/docs/CVE-2022-27774.html
NOTE: Fixed by: https://github.com/curl/curl/commit/620ea21410030a9977396b4661806bc187231b79 (curl-7_83_0)
@@ -27187,8 +27221,8 @@ CVE-2022-27257 (A PHP Local File Inclusion vulneraility in the default Redbasic
NOT-FOR-US: Redbasic theme for Hubzilla
CVE-2022-27256 (A PHP Local File inclusion vulnerability in the Redbasic theme for Hub ...)
NOT-FOR-US: Redbasic theme for Hubzilla
-CVE-2022-27255
- RESERVED
+CVE-2022-27255 (In Realtek eCos RSDK 1.5.7p1 and MSDK 4.9.4p1, the SIP ALG function th ...)
+ TODO: check
CVE-2022-27254 (The remote keyless system on Honda Civic 2018 vehicles sends the same ...)
NOT-FOR-US: Honda
CVE-2022-27253
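Review bot: CVE-2022-27255 concerns the SIP ALG in Realtek's eCos RSDK/MSDK, which is vendor firmware SDK code rather than a Debian package, so it looks like a NOT-FOR-US: Realtek candidate in the same way as the Honda entry directly below; if it is deliberately kept at TODO: check pending confirmation, a NOTE line with the advisory reference would make the pending decision visible.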
@@ -29504,46 +29538,46 @@ CVE-2022-26447
RESERVED
CVE-2022-26446
RESERVED
-CVE-2022-26445
- RESERVED
-CVE-2022-26444
- RESERVED
-CVE-2022-26443
- RESERVED
-CVE-2022-26442
- RESERVED
-CVE-2022-26441
- RESERVED
-CVE-2022-26440
- RESERVED
-CVE-2022-26439
- RESERVED
-CVE-2022-26438
- RESERVED
-CVE-2022-26437
- RESERVED
-CVE-2022-26436
- RESERVED
-CVE-2022-26435
- RESERVED
-CVE-2022-26434
- RESERVED
-CVE-2022-26433
- RESERVED
-CVE-2022-26432
- RESERVED
-CVE-2022-26431
- RESERVED
-CVE-2022-26430
- RESERVED
-CVE-2022-26429
- RESERVED
-CVE-2022-26428
- RESERVED
-CVE-2022-26427
- RESERVED
-CVE-2022-26426
- RESERVED
+CVE-2022-26445 (In wifi driver, there is a possible out of bounds write due to a missi ...)
+ TODO: check
+CVE-2022-26444 (In wifi driver, there is a possible out of bounds write due to a missi ...)
+ TODO: check
+CVE-2022-26443 (In wifi driver, there is a possible out of bounds write due to a missi ...)
+ TODO: check
+CVE-2022-26442 (In wifi driver, there is a possible out of bounds write due to a missi ...)
+ TODO: check
+CVE-2022-26441 (In wifi driver, there is a possible out of bounds write due to a missi ...)
+ TODO: check
+CVE-2022-26440 (In wifi driver, there is a possible out of bounds write due to a missi ...)
+ TODO: check
+CVE-2022-26439 (In wifi driver, there is a possible out of bounds write due to a missi ...)
+ TODO: check
+CVE-2022-26438 (In wifi driver, there is a possible out of bounds write due to a missi ...)
+ TODO: check
+CVE-2022-26437 (In httpclient, there is a possible out of bounds write due to uninitia ...)
+ TODO: check
+CVE-2022-26436 (In emi mpu, there is a possible out of bounds read due to a missing bo ...)
+ TODO: check
+CVE-2022-26435 (In mailbox, there is a possible out of bounds write due to type confus ...)
+ TODO: check
+CVE-2022-26434 (In mailbox, there is a possible out of bounds write due to a missing b ...)
+ TODO: check
+CVE-2022-26433 (In mailbox, there is a possible out of bounds write due to type confus ...)
+ TODO: check
+CVE-2022-26432 (In mailbox, there is a possible out of bounds write due to a missing b ...)
+ TODO: check
+CVE-2022-26431 (In mailbox, there is a possible out of bounds write due to a missing b ...)
+ TODO: check
+CVE-2022-26430 (In mailbox, there is a possible out of bounds write due to type confus ...)
+ TODO: check
+CVE-2022-26429 (In cta, there is a possible way to write permission usage records of a ...)
+ TODO: check
+CVE-2022-26428 (In video codec, there is a possible memory corruption due to a race co ...)
+ TODO: check
+CVE-2022-26427 (In camera isp, there is a possible out of bounds write due to a missin ...)
+ TODO: check
+CVE-2022-26426 (In camera isp, there is a possible out of bounds write due to a missin ...)
+ TODO: check
CVE-2022-26418
RESERVED
CVE-2022-26416
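Review bot: the twenty new entries CVE-2022-26445 down to CVE-2022-26426 are all MediaTek component advisories (wifi driver, httpclient, emi mpu, mailbox, cta, video codec, camera isp) and match the pattern of CVE-2022-21787 and CVE-2022-21786 later in this diff, which are resolved as NOT-FOR-US: MediaTek driver for Android; resolving them in bulk the same way is preferable to twenty separate TODO: check lines, and the same holds for CVE-2022-21792 to CVE-2022-21788 in the later hunk.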
@@ -30026,12 +30060,12 @@ CVE-2022-26312
RESERVED
CVE-2022-26311 (Couchbase Operator 2.2.x before 2.2.3 exposes Sensitive Information to ...)
NOT-FOR-US: Couchbase Operator
-CVE-2022-26310
- RESERVED
-CVE-2022-26309
- RESERVED
-CVE-2022-26308
- RESERVED
+CVE-2022-26310 (Pandora FMS v7.0NG.760 and below allows an improper authorization in U ...)
+ TODO: check
+CVE-2022-26309 (Pandora FMS v7.0NG.759 allows Cross-Site Request Forgery in Bulk opera ...)
+ TODO: check
+CVE-2022-26308 (Pandora FMS v7.0NG.760 and below allows an improper access control in ...)
+ TODO: check
CVE-2022-26307 (LibreOffice supports the storage of passwords for web connections in t ...)
- libreoffice 1:7.3.3~rc1-2
[bullseye] - libreoffice <no-dsa> (Minor issue)
@@ -33319,8 +33353,8 @@ CVE-2022-0600 (The Conference Scheduler WordPress plugin before 2.4.3 does not s
NOT-FOR-US: WordPress plugin
CVE-2022-0599 (The Mapping Multiple URLs Redirect Same Page WordPress plugin through ...)
NOT-FOR-US: WordPress plugin
-CVE-2022-0598
- RESERVED
+CVE-2022-0598 (The Login with phone number WordPress plugin through 1.3.7 do not sani ...)
+ TODO: check
CVE-2022-0597 (Open Redirect in Packagist microweber/microweber prior to 1.2.11. ...)
NOT-FOR-US: microweber
CVE-2022-0596 (Business Logic Errors in Packagist microweber/microweber prior to 1.2. ...)
@@ -42572,6 +42606,7 @@ CVE-2022-22577 (An XSS Vulnerability in Action Pack >= 5.2.0 and < 5.2.0 t
NOTE: https://github.com/rails/rails/commit/5299b57d596ea274f77f5ffee2b79c6ee0255508 (v6.0.4.8)
NOTE: https://github.com/rails/rails/commit/d2253115ac2b30f5f7210670af906cebf79cf809 (v5.2.7.1)
CVE-2022-22576 (An improper authentication vulnerability exists in curl 7.33.0 to and ...)
+ {DSA-5197-1}
- curl 7.83.0-1 (bug #1010295)
NOTE: https://curl.se/docs/CVE-2022-22576.html
NOTE: Fixed by: https://github.com/curl/curl/commit/852aa5ad351ea53e5f01d2f44b5b4370c2bf5425 (curl-7_83_0)
@@ -49979,16 +50014,16 @@ CVE-2021-44232 (SAF-T Framework Transaction SAFTN_G allows an attacker to exploi
NOT-FOR-US: SAP
CVE-2021-44231 (Internally used text extraction reports allow an attacker to inject co ...)
NOT-FOR-US: SAP
-CVE-2022-21792
- RESERVED
-CVE-2022-21791
- RESERVED
-CVE-2022-21790
- RESERVED
-CVE-2022-21789
- RESERVED
-CVE-2022-21788
- RESERVED
+CVE-2022-21792 (In camera isp, there is a possible out of bounds write due to a missin ...)
+ TODO: check
+CVE-2022-21791 (In camera isp, there is a possible out of bounds read due to a missing ...)
+ TODO: check
+CVE-2022-21790 (In camera isp, there is a possible out of bounds read due to a missing ...)
+ TODO: check
+CVE-2022-21789 (In audio ipi, there is a possible memory corruption due to a race cond ...)
+ TODO: check
+CVE-2022-21788 (In scp, there is a possible undefined behavior due to incorrect error ...)
+ TODO: check
CVE-2022-21787 (In audio DSP, there is a possible out of bounds write due to a missing ...)
NOT-FOR-US: MediaTek driver for Android
CVE-2022-21786 (In audio DSP, there is a possible memory corruption due to improper ca ...)
@@ -107433,18 +107468,19 @@ CVE-2021-22949 (A CSRF in Concrete CMS version 8.5.5 and below allows an attacke
CVE-2021-22948 (Vulnerability in the generation of session IDs in revive-adserver < ...)
NOT-FOR-US: revive-adserver
CVE-2021-22947 (When curl >= 7.20.0 and <= 7.78.0 connects to an IMAP or POP3 se ...)
- {DLA-2773-1}
+ {DSA-5197-1 DLA-2773-1}
- curl 7.79.1-1
[buster] - curl <no-dsa> (Minor issue)
NOTE: https://curl.se/docs/CVE-2021-22947.html
NOTE: Fixed by: https://github.com/curl/curl/commit/8ef147c43646e91fdaad5d0e7b60351f842e5c68 (curl-7_79_0)
CVE-2021-22946 (A user can tell curl >= 7.20.0 and <= 7.78.0 to require a succes ...)
- {DLA-2773-1}
+ {DSA-5197-1 DLA-2773-1}
- curl 7.79.1-1
[buster] - curl <no-dsa> (Minor issue)
NOTE: https://curl.se/docs/CVE-2021-22946.html
NOTE: Fixed by: https://github.com/curl/curl/commit/364f174724ef115c63d5e5dc1d3342c8a43b1cca (curl-7_79_0)
CVE-2021-22945 (When sending data to an MQTT server, libcurl <= 7.73.0 and 7.78.0 c ...)
+ {DSA-5197-1}
- curl 7.79.1-1
[buster] - curl <not-affected> (Vulnerable code introduced later)
[stretch] - curl <not-affected> (Vulnerable code introduced later)
@@ -107516,7 +107552,7 @@ CVE-2021-22925 (curl supports the `-t` command line option, known as `CURLOPT_TE
NOTE: CVE is assigned because previous attempt to address CVE-2021-22898 resulted to be
NOTE: insufficient and the security vulnerability remained.
CVE-2021-22924 (libcurl keeps previously used connections in a connection pool for sub ...)
- {DLA-2734-1}
+ {DSA-5197-1 DLA-2734-1}
- curl 7.79.1-1 (bug #991492)
[buster] - curl <no-dsa> (Minor issue)
NOTE: https://curl.se/docs/CVE-2021-22924.html
@@ -107601,7 +107637,7 @@ CVE-2021-22900 (A vulnerability allowed multiple unrestricted uploads in Pulse C
CVE-2021-22899 (A command injection vulnerability exists in Pulse Connect Secure befor ...)
NOT-FOR-US: Pulse Connect Secure
CVE-2021-22898 (curl 7.7 through 7.76.1 suffers from an information disclosure when th ...)
- {DLA-2734-1}
+ {DSA-5197-1 DLA-2734-1}
- curl 7.79.1-1 (bug #989228)
[buster] - curl <no-dsa> (Minor issue)
NOTE: https://curl.se/docs/CVE-2021-22898.html
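Review bot: after adding DSA-5197-1, CVE-2021-22898 (and likewise CVE-2021-22924, CVE-2021-22947 and CVE-2021-22946 in the hunks above) is fixed in unstable (7.79.1-1), in bullseye via the DSA and in the LTS suite via the existing DLA, leaving buster as the only suite still carrying `<no-dsa> (Minor issue)`; that can be a defensible outcome for a minor issue, but the no-dsa decision for buster deserves a second look now that the same issues were judged worth a DSA for bullseye.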
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/192d8a79b6324f7febfd1b1e07f567c860789e40