[Git][security-tracker-team/security-tracker][master] automatic update

Salvatore Bonaccorso (@carnil) carnil at debian.org
Wed Jan 12 20:10:26 GMT 2022



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
54b8ab80 by security tracker role at 2022-01-12T20:10:17+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,3 +1,79 @@
+CVE-2022-23205
+	RESERVED
+CVE-2022-23204
+	RESERVED
+CVE-2022-23203
+	RESERVED
+CVE-2022-23202
+	RESERVED
+CVE-2022-23201
+	RESERVED
+CVE-2022-23200
+	RESERVED
+CVE-2022-23199
+	RESERVED
+CVE-2022-23198
+	RESERVED
+CVE-2022-23197
+	RESERVED
+CVE-2022-23196
+	RESERVED
+CVE-2022-23195
+	RESERVED
+CVE-2022-23194
+	RESERVED
+CVE-2022-23193
+	RESERVED
+CVE-2022-23192
+	RESERVED
+CVE-2022-23191
+	RESERVED
+CVE-2022-23190
+	RESERVED
+CVE-2022-23189
+	RESERVED
+CVE-2022-23188
+	RESERVED
+CVE-2022-23187
+	RESERVED
+CVE-2022-23186
+	RESERVED
+CVE-2022-23185
+	RESERVED
+CVE-2022-23184
+	RESERVED
+CVE-2022-23181
+	RESERVED
+CVE-2022-23180
+	RESERVED
+CVE-2022-23179
+	RESERVED
+CVE-2022-21199
+	RESERVED
+CVE-2022-0210
+	RESERVED
+CVE-2022-0209
+	RESERVED
+CVE-2022-0208
+	RESERVED
+CVE-2022-0207
+	RESERVED
+CVE-2022-0206
+	RESERVED
+CVE-2022-0205
+	RESERVED
+CVE-2022-0204
+	RESERVED
+CVE-2022-0203
+	RESERVED
+CVE-2022-0202
+	RESERVED
+CVE-2022-0201
+	RESERVED
+CVE-2022-0200
+	RESERVED
+CVE-2022-0199
+	RESERVED
 CVE-2022-23178
 	RESERVED
 CVE-2022-23177
@@ -132,34 +208,34 @@ CVE-2022-23120
 	RESERVED
 CVE-2022-23119
 	RESERVED
-CVE-2022-23118
-	RESERVED
-CVE-2022-23117
-	RESERVED
-CVE-2022-23116
-	RESERVED
-CVE-2022-23115
-	RESERVED
-CVE-2022-23114
-	RESERVED
-CVE-2022-23113
-	RESERVED
-CVE-2022-23112
-	RESERVED
-CVE-2022-23111
-	RESERVED
-CVE-2022-23110
-	RESERVED
-CVE-2022-23109
-	RESERVED
-CVE-2022-23108
-	RESERVED
-CVE-2022-23107
-	RESERVED
-CVE-2022-23106
-	RESERVED
-CVE-2022-23105
-	RESERVED
+CVE-2022-23118 (Jenkins Debian Package Builder Plugin 1.6.11 and earlier implements fu ...)
+	TODO: check
+CVE-2022-23117 (Jenkins Conjur Secrets Plugin 1.0.9 and earlier implements functionali ...)
+	TODO: check
+CVE-2022-23116 (Jenkins Conjur Secrets Plugin 1.0.9 and earlier implements functionali ...)
+	TODO: check
+CVE-2022-23115 (Cross-site request forgery (CSRF) vulnerabilities in Jenkins batch tas ...)
+	TODO: check
+CVE-2022-23114 (Jenkins Publish Over SSH Plugin 1.22 and earlier stores password unenc ...)
+	TODO: check
+CVE-2022-23113 (Jenkins Publish Over SSH Plugin 1.22 and earlier performs a validation ...)
+	TODO: check
+CVE-2022-23112 (A missing permission check in Jenkins Publish Over SSH Plugin 1.22 and ...)
+	TODO: check
+CVE-2022-23111 (A cross-site request forgery (CSRF) vulnerability in Jenkins Publish O ...)
+	TODO: check
+CVE-2022-23110 (Jenkins Publish Over SSH Plugin 1.22 and earlier does not escape the S ...)
+	TODO: check
+CVE-2022-23109 (Jenkins HashiCorp Vault Plugin 3.7.0 and earlier does not mask Vault c ...)
+	TODO: check
+CVE-2022-23108 (Jenkins Badge Plugin 1.9 and earlier does not escape the description a ...)
+	TODO: check
+CVE-2022-23107 (Jenkins Warnings Next Generation Plugin 9.10.2 and earlier does not re ...)
+	TODO: check
+CVE-2022-23106 (Jenkins Configuration as Code Plugin 1.55 and earlier used a non-const ...)
+	TODO: check
+CVE-2022-23105 (Jenkins Active Directory Plugin 2.25 and earlier does not encrypt the  ...)
+	TODO: check
 CVE-2022-23102
 	RESERVED
 CVE-2022-21236
@@ -2879,7 +2955,7 @@ CVE-2021-4197 [cgroup: Use open-time creds and namespace for migration perm chec
 	NOTE: https://lore.kernel.org/lkml/20211209214707.805617-1-tj@kernel.org/T/
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2035652
 CVE-2021-46144 (Roundcube before 1.4.13 and 1.5.x before 1.5.2 allows XSS via an HTML  ...)
-	{DSA-5037-1}
+	{DSA-5037-1 DLA-2878-1}
 	- roundcube <unfixed> (bug #1003027)
 	NOTE: https://github.com/roundcube/roundcubemail/commit/8894fddd59b770399eed4ef8d4da5773913b5bf0 (1.5.2)
 	NOTE: https://github.com/roundcube/roundcubemail/commit/b2400a4b592e3094b6c84e6000d512f99ae0eed8 (1.4.13)
@@ -3030,6 +3106,7 @@ CVE-2021-45944 (Ghostscript GhostPDL 9.50 through 9.53.3 has a use-after-free in
 	NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/ghostscript/OSV-2021-237.yaml
 	NOTE: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=7861fcad13c497728189feafb41cd57b5b50ea25
 CVE-2021-45943 (GDAL 3.3.0 through 3.4.0 has a heap-based buffer overflow in PCIDSK::C ...)
+	{DLA-2877-1}
 	[experimental] - gdal 3.4.1~rc1+dfsg-1~exp1
 	- gdal <unfixed>
 	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41993
@@ -3347,14 +3424,14 @@ CVE-2022-0017
 	RESERVED
 CVE-2022-0016
 	RESERVED
-CVE-2022-0015
-	RESERVED
-CVE-2022-0014
-	RESERVED
-CVE-2022-0013
-	RESERVED
-CVE-2022-0012
-	RESERVED
+CVE-2022-0015 (A local privilege escalation (PE) vulnerability exists in the Palo Alt ...)
+	TODO: check
+CVE-2022-0014 (An untrusted search path vulnerability exists in the Palo Alto Network ...)
+	TODO: check
+CVE-2022-0013 (A file information exposure vulnerability exists in the Palo Alto Netw ...)
+	TODO: check
+CVE-2022-0012 (An improper link resolution before file access vulnerability exists in ...)
+	TODO: check
 CVE-2022-0011
 	RESERVED
 CVE-2021-45918
@@ -4102,7 +4179,7 @@ CVE-2021-45610 (Certain NETGEAR devices are affected by a buffer overflow by an
 	NOT-FOR-US: Netgear
 CVE-2021-45609 (Certain NETGEAR devices are affected by a buffer overflow by an unauth ...)
 	NOT-FOR-US: Netgear
-CVE-2021-45608 (Certain NETGEAR devices are affected by a buffer overflow by an unauth ...)
+CVE-2021-45608 (Certain D-Link, Edimax, NETGEAR, TP-Link, Tenda, and Western Digital d ...)
 	NOT-FOR-US: Netgear
 CVE-2021-45607 (Certain NETGEAR devices are affected by a stack-based buffer overflow  ...)
 	NOT-FOR-US: Netgear
@@ -4972,8 +5049,8 @@ CVE-2021-45447
 	RESERVED
 CVE-2021-45446
 	RESERVED
-CVE-2021-45445
-	RESERVED
+CVE-2021-45445 (Unisys ClearPath MCP TCP/IP Networking Services 59.1, 60.0, and 62.0 h ...)
+	TODO: check
 CVE-2021-45444
 	RESERVED
 CVE-2021-45443
@@ -5050,8 +5127,8 @@ CVE-2021-45413
 	RESERVED
 CVE-2021-45412
 	RESERVED
-CVE-2021-45411
-	RESERVED
+CVE-2021-45411 (In Sourcecodetester Printable Staff ID Card Creator System 1.0 after c ...)
+	TODO: check
 CVE-2021-45410
 	RESERVED
 CVE-2021-45409
@@ -5097,7 +5174,7 @@ CVE-2021-45390
 CVE-2021-45389 (StarWind SAN & NAS build 1578 and StarWind Command Center Build 68 ...)
 	NOT-FOR-US: StarWind
 CVE-2021-45388
-	RESERVED
+	REJECTED
 CVE-2021-45387
 	RESERVED
 CVE-2021-45386
@@ -6071,21 +6148,25 @@ CVE-2021-45090 (Stormshield Endpoint Security before 2.1.2 allows remote code ex
 CVE-2021-45089 (Stormshield Endpoint Security 2.x before 2.1.2 has Incorrect Access Co ...)
 	NOT-FOR-US: Stormshield Endpoint Security
 CVE-2021-45088 (XSS can occur in GNOME Web (aka Epiphany) before 40.4 and 41.x before  ...)
+	{DSA-5042-1}
 	- epiphany-browser 41.2-1
 	[stretch] - epiphany-browser <ignored> (WebKit browser, not covered by security support in stretch)
 	NOTE: https://gitlab.gnome.org/GNOME/epiphany/-/issues/1612
 	NOTE: https://gitlab.gnome.org/GNOME/epiphany/-/merge_requests/1045
 CVE-2021-45087 (XSS can occur in GNOME Web (aka Epiphany) before 40.4 and 41.x before  ...)
+	{DSA-5042-1}
 	- epiphany-browser 41.2-1
 	[stretch] - epiphany-browser <ignored> (WebKit browser, not covered by security support in stretch)
 	NOTE: https://gitlab.gnome.org/GNOME/epiphany/-/issues/1612
 	NOTE: https://gitlab.gnome.org/GNOME/epiphany/-/merge_requests/1045
 CVE-2021-45086 (XSS can occur in GNOME Web (aka Epiphany) before 40.4 and 41.x before  ...)
+	{DSA-5042-1}
 	- epiphany-browser 41.2-1
 	[stretch] - epiphany-browser <ignored> (WebKit browser, not covered by security support in stretch)
 	NOTE: https://gitlab.gnome.org/GNOME/epiphany/-/issues/1612
 	NOTE: https://gitlab.gnome.org/GNOME/epiphany/-/merge_requests/1045
 CVE-2021-45085 (XSS can occur in GNOME Web (aka Epiphany) before 40.4 and 41.x before  ...)
+	{DSA-5042-1}
 	- epiphany-browser 41.2-1
 	[stretch] - epiphany-browser <ignored> (WebKit browser, not covered by security support in stretch)
 	NOTE: https://gitlab.gnome.org/GNOME/epiphany/-/issues/1612
@@ -7306,8 +7387,8 @@ CVE-2021-44454
 	RESERVED
 CVE-2021-43351
 	RESERVED
-CVE-2021-4080
-	RESERVED
+CVE-2021-4080 (crater is vulnerable to Unrestricted Upload of File with Dangerous Typ ...)
+	TODO: check
 CVE-2021-26946
 	RESERVED
 CVE-2021-26254
@@ -7552,16 +7633,16 @@ CVE-2021-44654
 	RESERVED
 CVE-2021-44653 (Online Magazine Management System 1.0 contains a SQL injection authent ...)
 	NOT-FOR-US: Online Magazine Management System
-CVE-2021-44652
-	RESERVED
-CVE-2021-44651
-	RESERVED
-CVE-2021-44650
-	RESERVED
-CVE-2021-44649
-	RESERVED
-CVE-2021-44648
-	RESERVED
+CVE-2021-44652 (Zoho ManageEngine O365 Manager Plus before Build 4416 allows remote co ...)
+	TODO: check
+CVE-2021-44651 (Zoho ManageEngine CloudSecurityPlus before Build 4117 allows remote co ...)
+	TODO: check
+CVE-2021-44650 (Zoho ManageEngine M365 Manager Plus before Build 4419 allows remote co ...)
+	TODO: check
+CVE-2021-44649 (Django CMS 3.7.3 does not validate the plugin_type parameter while gen ...)
+	TODO: check
+CVE-2021-44648 (GNOME gdk-pixbuf 2.42.6 is vulnerable to a heap-buffer overflow vulner ...)
+	TODO: check
 CVE-2021-44647 (Lua 5.4.4 and 5.4.2 are affected by SEGV by type confusion in funcname ...)
 	TODO: check
 CVE-2021-44646
@@ -9508,8 +9589,8 @@ CVE-2021-43962
 	RESERVED
 CVE-2021-43961
 	RESERVED
-CVE-2021-43960
-	RESERVED
+CVE-2021-43960 (** DISPUTED ** Lorensbergs Connect2 3.13.7647.20190 is affected by an  ...)
+	TODO: check
 CVE-2021-3974 (vim is vulnerable to Use After Free ...)
 	- vim 2:8.2.3995-1 (bug #1001897)
 	[bullseye] - vim <no-dsa> (Minor issue)
@@ -9669,10 +9750,10 @@ CVE-2022-21678
 	RESERVED
 CVE-2022-21677
 	RESERVED
-CVE-2022-21676
-	RESERVED
-CVE-2022-21675
-	RESERVED
+CVE-2022-21676 (Engine.IO is the implementation of transport-based cross-browser/cross ...)
+	TODO: check
+CVE-2022-21675 (Bytecode Viewer (BCV) is a Java/Android reverse engineering suite. Ver ...)
+	TODO: check
 CVE-2022-21674
 	RESERVED
 CVE-2022-21673
@@ -11934,8 +12015,8 @@ CVE-2021-43438 (Stored XSS in Signup Form in iResturant 1.0 Allows Remote Attack
 	NOT-FOR-US: iResturant
 CVE-2021-43437 (In sourcecodetester Engineers Online Portal as of 10-21-21, an attacke ...)
 	NOT-FOR-US: sourcecodetester Engineers Online Portal
-CVE-2021-43436
-	RESERVED
+CVE-2021-43436 (MartDevelopers Inc iResturant v1.0 allows Stored XSS by placing a payl ...)
+	TODO: check
 CVE-2021-43435
 	RESERVED
 CVE-2021-43434
@@ -13822,26 +13903,26 @@ CVE-2021-43063 (A improper neutralization of input during web page generation ('
 	NOT-FOR-US: FortiGuard
 CVE-2021-43062
 	RESERVED
-CVE-2022-20621
-	RESERVED
-CVE-2022-20620
-	RESERVED
-CVE-2022-20619
-	RESERVED
-CVE-2022-20618
-	RESERVED
-CVE-2022-20617
-	RESERVED
-CVE-2022-20616
-	RESERVED
-CVE-2022-20615
-	RESERVED
-CVE-2022-20614
-	RESERVED
-CVE-2022-20613
-	RESERVED
-CVE-2022-20612
-	RESERVED
+CVE-2022-20621 (Jenkins Metrics Plugin 4.0.2.8 and earlier stores an access key unencr ...)
+	TODO: check
+CVE-2022-20620 (Missing permission checks in Jenkins SSH Agent Plugin 1.23 and earlier ...)
+	TODO: check
+CVE-2022-20619 (A cross-site request forgery (CSRF) vulnerability in Jenkins Bitbucket ...)
+	TODO: check
+CVE-2022-20618 (A missing permission check in Jenkins Bitbucket Branch Source Plugin 7 ...)
+	TODO: check
+CVE-2022-20617 (Jenkins Docker Commons Plugin 1.17 and earlier does not sanitize the n ...)
+	TODO: check
+CVE-2022-20616 (Jenkins Credentials Binding Plugin 1.27 and earlier does not perform a ...)
+	TODO: check
+CVE-2022-20615 (Jenkins Matrix Project Plugin 1.19 and earlier does not escape HTML me ...)
+	TODO: check
+CVE-2022-20614 (A missing permission check in Jenkins Mailer Plugin 391.ve4a_38c1b_cf4 ...)
+	TODO: check
+CVE-2022-20613 (A cross-site request forgery (CSRF) vulnerability in Jenkins Mailer Pl ...)
+	TODO: check
+CVE-2022-20612 (A cross-site request forgery (CSRF) vulnerability in Jenkins 2.329 and ...)
+	TODO: check
 CVE-2021-43061
 	RESERVED
 CVE-2021-43060
@@ -15012,16 +15093,16 @@ CVE-2021-42563 (There is an Unquoted Service Path in NI Service Locator (nisvclo
 	NOT-FOR-US: NI Service Locator
 CVE-2021-3893
 	RESERVED
-CVE-2021-42562
-	RESERVED
-CVE-2021-42561
-	RESERVED
-CVE-2021-42560
-	RESERVED
+CVE-2021-42562 (An issue was discovered in CALDERA 2.8.1. It does not properly segrega ...)
+	TODO: check
+CVE-2021-42561 (An issue was discovered in CALDERA 2.8.1. When activated, the Human pl ...)
+	TODO: check
+CVE-2021-42560 (An issue was discovered in CALDERA 2.9.0. The Debrief plugin receives  ...)
+	TODO: check
 CVE-2021-42559
 	RESERVED
-CVE-2021-42558
-	RESERVED
+CVE-2021-42558 (An issue was discovered in CALDERA 2.8.1. It contains multiple reflect ...)
+	TODO: check
 CVE-2021-42557 (In Jeedom through 4.1.19, a bug allows a remote attacker to bypass API ...)
 	NOT-FOR-US: Jeedom
 CVE-2021-42556 (Rasa X before 0.42.4 allows Directory Traversal during archive extract ...)
@@ -17906,8 +17987,8 @@ CVE-2021-41866 (MyBB before 1.8.28 allows stored XSS because the displayed Templ
 	NOT-FOR-US: MyBB
 CVE-2021-3853
 	RESERVED
-CVE-2021-3852
-	RESERVED
+CVE-2021-3852 (growi is vulnerable to Authorization Bypass Through User-Controlled Ke ...)
+	TODO: check
 CVE-2021-41865 (HashiCorp Nomad and Nomad Enterprise 1.1.1 through 1.1.5 allowed authe ...)
 	- nomad <not-affected> (Only affects 1.1.x)
 	NOTE: https://discuss.hashicorp.com/t/hcsec-2021-26-nomad-denial-of-service-via-submission-of-incomplete-job-specification-using-consul-mesh-gateway-host-network/30311
@@ -25184,8 +25265,8 @@ CVE-2021-38894 (IBM Security Verify 10.0.0, 10.0.1.0, and 10.0.2.0 could allow a
 	NOT-FOR-US: IBM
 CVE-2021-38893 (IBM Business Process Manager 8.5 and 8.6 and IBM Business Automation W ...)
 	NOT-FOR-US: IBM
-CVE-2021-38892
-	RESERVED
+CVE-2021-38892 (IBM Planning Analytics 2.0 and IBM Planning Analytics Workspace 2.0 DQ ...)
+	TODO: check
 CVE-2021-38891 (IBM Sterling Connect:Direct Web Services 1.0 and 6.0 uses weaker than  ...)
 	NOT-FOR-US: IBM
 CVE-2021-38890 (IBM Sterling Connect:Direct Web Services 1.0 and 6.0 uses an inadequat ...)
@@ -31198,8 +31279,8 @@ CVE-2021-36419
 	RESERVED
 CVE-2021-36418
 	RESERVED
-CVE-2021-36417
-	RESERVED
+CVE-2021-36417 (A heap-based buffer overflow vulnerability exists in GPAC v1.0.1 in th ...)
+	TODO: check
 CVE-2021-36416
 	RESERVED
 CVE-2021-36415
@@ -33448,8 +33529,8 @@ CVE-2021-3620
 	[buster] - ansible <postponed> (Minor issue, revisit when/if fixed upstream)
 	- ansible-base <removed>
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1975767
-CVE-2021-35500
-	RESERVED
+CVE-2021-35500 (The Data Virtualization Server component of TIBCO Software Inc.'s TIBC ...)
+	TODO: check
 CVE-2021-35499 (The Web Reporting component of TIBCO Software Inc.'s TIBCO Nimbus cont ...)
 	NOT-FOR-US: TIBCO
 CVE-2021-35498 (The TIBCO EBX Web Server component of TIBCO Software Inc.'s TIBCO EBX, ...)
@@ -51434,10 +51515,10 @@ CVE-2021-28379 (web/upload/UploadHandler.php in Vesta Control Panel (aka VestaCP
 	NOT-FOR-US: Vesta Control Panel
 CVE-2021-28378 (Gitea 1.12.x and 1.13.x before 1.13.4 allows XSS via certain issue dat ...)
 	- gitea <removed>
-CVE-2021-28377
-	RESERVED
-CVE-2021-28376
-	RESERVED
+CVE-2021-28377 (ChronoForums 2.0.11 allows av Directory Traversal to read arbitrary fi ...)
+	TODO: check
+CVE-2021-28376 (ChronoForms 7.0.7 allows fname Directory Traversal to read arbitrary f ...)
+	TODO: check
 CVE-2021-28373 (The auth_internal plugin in Tiny Tiny RSS (aka tt-rss) before 2021-03- ...)
 	- tt-rss <not-affected> (Vulnerable code introduced later)
 	NOTE: https://community.tt-rss.org/t/check-password-not-called-if-otp-is-enabled-update-asap-if-youre-using-2fa/4502
@@ -159175,7 +159256,7 @@ CVE-2019-17546 (tif_getimage.c in LibTIFF through 4.0.10, as used in GDAL throug
 	NOTE: https://gitlab.com/libtiff/libtiff/commit/4bb584a35f87af42d6cf09d15e9ce8909a839145
 	NOTE: gdal uses system libtiff libraries since 2.0.1+dfsg-1~exp1 (#684233)
 CVE-2019-17545 (GDAL through 3.0.1 has a poolDestroy double free in OGRExpatRealloc in ...)
-	{DLA-1984-1}
+	{DLA-2877-1 DLA-1984-1}
 	- gdal 2.4.2+dfsg-2 (low)
 	[buster] - gdal <no-dsa> (Minor issue)
 	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16178



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/54b8ab80c74c47ca0c7682a910675745474c9a27

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/54b8ab80c74c47ca0c7682a910675745474c9a27
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20220112/139372c6/attachment-0001.htm>


More information about the debian-security-tracker-commits mailing list