[Git][security-tracker-team/security-tracker][master] 2 commits: Process NFUs

Salvatore Bonaccorso (@carnil) carnil at debian.org
Thu Jan 20 21:38:25 GMT 2022



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
ad21bc85 by Salvatore Bonaccorso at 2022-01-20T22:37:12+01:00
Process NFUs

- - - - -
a6a192df by Salvatore Bonaccorso at 2022-01-20T22:37:57+01:00
Fix typo in NFU entry

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -855,23 +855,23 @@ CVE-2022-0287
 CVE-2022-0286
 	RESERVED
 CVE-2022-0285 (Cross-site Scripting (XSS) - Stored in Packagist pimcore/pimcore prior ...)
-	TODO: check
+	NOT-FOR-US: pimcore
 CVE-2022-0284
 	RESERVED
 CVE-2022-0283
 	RESERVED
 CVE-2022-0282 (Code Injection in Packagist microweber/microweber prior to 1.2.11. ...)
-	TODO: check
+	NOT-FOR-US: microweber
 CVE-2022-0281 (Exposure of Sensitive Information to an Unauthorized Actor in Packagis ...)
-	TODO: check
+	NOT-FOR-US: microweber
 CVE-2022-0280
 	RESERVED
 CVE-2022-0279
 	RESERVED
 CVE-2022-0278 (Cross-site Scripting (XSS) - Stored in Packagist microweber/microweber ...)
-	TODO: check
+	NOT-FOR-US: microweber
 CVE-2022-0277 (Improper Access Control in Packagist microweber/microweber prior to 1. ...)
-	TODO: check
+	NOT-FOR-US: microweber
 CVE-2021-46401
 	RESERVED
 CVE-2021-46400
@@ -1738,7 +1738,7 @@ CVE-2021-45729
 CVE-2021-44779
 	RESERVED
 CVE-2021-44777 (Cross-Site Request Forgery (CSRF) vulnerabilities leading to single or ...)
-	TODO: check
+	NOT-FOR-US: WordPress plugin
 CVE-2021-44760
 	RESERVED
 CVE-2021-4207
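Review bot: the new NFU line for CVE-2021-44777 names only "WordPress plugin" rather than the affected plugin itself, while the other entries in this change name the specific product (microweber, pimcore, webp_server_go). Naming the plugin in the `NOT-FOR-US:` text makes the entry greppable and lets a later reviewer confirm the plugin is indeed not packaged without re-reading the CVE description.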
@@ -4527,7 +4527,7 @@ CVE-2021-46106
 CVE-2021-46105
 	RESERVED
 CVE-2021-46104 (An issue was discovered in webp_server_go 0.4.0. There is a directory  ...)
-	TODO: check
+	NOT-FOR-US: webp_server_go
 CVE-2021-46103
 	RESERVED
 CVE-2021-46102
@@ -4721,13 +4721,13 @@ CVE-2021-46030 (There is a Cross Site Scripting attack (XSS) vulnerability in Ja
 CVE-2021-46029
 	RESERVED
 CVE-2021-46028 (In mblog <= 3.5.0 there is a CSRF vulnerability in the background a ...)
-	TODO: check
+	NOT-FOR-US: mblog
 CVE-2021-46027 (mysiteforme, as of 19-12-2022, has a CSRF vulnerability in the backgro ...)
-	TODO: check
+	NOT-FOR-US: mysiteforme
 CVE-2021-46026 (mysiteforme, as of 19-12-2022, is vulnerable to Cross Site Scripting ( ...)
-	TODO: check
+	NOT-FOR-US: mysiteforme
 CVE-2021-46025 (A Cross SIte Scripting (XSS) vulnerability exists in OneBlog <= 2.2 ...)
-	TODO: check
+	NOT-FOR-US: OneBlog
 CVE-2021-46024
 	RESERVED
 CVE-2021-46023
@@ -8983,7 +8983,7 @@ CVE-2021-44831
 CVE-2021-44830
 	RESERVED
 CVE-2021-44829 (Cross Site Scripting (XSS) vulnerability exists in index.html in AFI W ...)
-	TODO: check
+	NOT-FOR-US: AFI WebACMS
 CVE-2021-44828 (Arm Mali GPU Kernel Driver (Midgard r26p0 through r30p0, Bifrost r0p0  ...)
 	NOT-FOR-US: ARM
 CVE-2021-44827
@@ -9316,15 +9316,15 @@ CVE-2021-XXXX [Rainloop stores passwords in cleartext in logfile]
 	[buster] - rainloop <no-dsa> (Minor issue)
 	NOTE: https://github.com/RainLoop/rainloop-webmail/issues/1872
 CVE-2021-44738 (Buffer overflow vulnerability has been identified in Lexmark devices t ...)
-	TODO: check
+	NOT-FOR-US: Lexmark
 CVE-2021-44737 (PJL directory traversal vulnerability in Lexmark devices through 2021- ...)
-	TODO: check
+	NOT-FOR-US: Lexmark
 CVE-2021-44736 (The initial admin account setup wizard on Lexmark devices allow unauth ...)
-	TODO: check
+	NOT-FOR-US: Lexmark
 CVE-2021-44735 (Embedded web server command injection vulnerability in Lexmark devices ...)
-	TODO: check
+	NOT-FOR-US: Lexmark
 CVE-2021-44734 (Embedded web server input sanitization vulnerability in Lexmark device ...)
-	TODO: check
+	NOT-FOR-US: Lexmark
 CVE-2021-44733 (A use-after-free exists in drivers/tee/tee_shm.c in the TEE subsystem  ...)
 	- linux <unfixed>
 	[stretch] - linux <not-affected> (Vulnerable code not present)
@@ -10619,9 +10619,9 @@ CVE-2021-44247
 CVE-2021-44246
 	RESERVED
 CVE-2021-44245 (An SQL Injection vulnerability exists in Courcecodester COVID 19 Testi ...)
-	TODO: check
+	NOT-FOR-US: Sourcecodester COVID 19 Testing Management System (CTMS)
 CVE-2021-44244 (An SQL Injection vulnerabiity exists in Sourcecodester Logistic Hub Pa ...)
-	TODO: check
+	NOT-FOR-US: Sourcecodester Logistic Hub Parcel's Management System
 CVE-2021-44243
 	RESERVED
 CVE-2021-44242
@@ -11175,11 +11175,11 @@ CVE-2021-44094 (ZrLog 2.2.2 has a remote command execution vulnerability at plug
 CVE-2021-44093 (A Remote Command Execution vulnerability on the background in zrlog 2. ...)
 	NOT-FOR-US: zrlog
 CVE-2021-44092 (An SQL Injection vulnerability exists in code-projects Pharmacy Manage ...)
-	TODO: check
+	NOT-FOR-US: code-projects Pharmacy Management
 CVE-2021-44091 (A Cross-Site Scripting (XSS) vulnerability exists in Courcecodester Mu ...)
-	TODO: check
+	NOT-FOR-US: Sourcecodester Multi Restaurant Table Reservation System
 CVE-2021-44090 (An SQL Injection vulnerability exists in Sourcecodester Online Reviewe ...)
-	TODO: check
+	NOT-FOR-US: Sourcecodester Online Reviewer System
 CVE-2021-44089
 	RESERVED
 CVE-2021-44088
@@ -11673,7 +11673,7 @@ CVE-2022-21703
 CVE-2022-21702
 	RESERVED
 CVE-2022-21701 (Istio is an open platform to connect, manage, and secure microservices ...)
-	TODO: check
+	NOT-FOR-US: Istio
 CVE-2022-21700 (Micronaut is a JVM-based, full stack Java framework designed for build ...)
 	TODO: check
 CVE-2022-21699 (IPython (Interactive Python) is a command shell for interactive comput ...)
@@ -11732,7 +11732,7 @@ CVE-2022-21681 (Marked is a markdown parser and compiler. Prior to version 4.0.1
 CVE-2022-21680 (Marked is a markdown parser and compiler. Prior to version 4.0.10, the ...)
 	TODO: check
 CVE-2022-21679 (Istio is an open platform to connect, manage, and secure microservices ...)
-	TODO: check
+	NOT-FOR-US: Istio
 CVE-2022-21678 (Discourse is an open source discussion platform. Prior to version 2.8. ...)
 	NOT-FOR-US: Discourse
 CVE-2022-21677 (Discourse is an open source discussion platform. Discourse groups can  ...)
@@ -14463,7 +14463,7 @@ CVE-2021-43271
 CVE-2021-43270 (Datalust Seq.App.EmailPlus (aka seq-app-htmlemail) 3.1.0-dev-00148, 3. ...)
 	NOT-FOR-US: Datalust Seq.App.HtmlEmail (aka Seq.App.EmailPlus)
 CVE-2021-43269 (In Code42 app before 8.8.0, eval injection allows an attacker to chang ...)
-	TODO: check
+	NOT-FOR-US: Code42 app
 CVE-2021-43268 (An issue was discovered in VxWorks 6.9 through 7. In the IKE component ...)
 	NOT-FOR-US: Wind River VxWorks
 CVE-2021-43266 (In Mahara before 20.04.5, 20.10.3, 21.04.2, and 21.10.0, exporting col ...)
@@ -19702,7 +19702,7 @@ CVE-2021-42010
 CVE-2021-42009 (An authenticated Apache Traffic Control Traffic Ops user with Portal-l ...)
 	NOT-FOR-US: Apache Traffic Control
 CVE-2021-3862 (icecoder is vulnerable to Improper Neutralization of Input During Web  ...)
-	TODO: check
+	NOT-FOR-US: icecoder
 CVE-2021-3861
 	RESERVED
 CVE-2021-3860 (JFrog Artifactory before 7.25.4 (Enterprise+ deployments only), is vul ...)
@@ -19793,7 +19793,7 @@ CVE-2021-41974 (Tad Book3 editing book page does not perform identity verificati
 CVE-2021-3858 (snipe-it is vulnerable to Cross-Site Request Forgery (CSRF) ...)
 	NOT-FOR-US: snipe-it
 CVE-2021-3857 (chaskiq is vulnerable to Improper Neutralization of Input During Web P ...)
-	TODO: check
+	NOT-FOR-US: chaskiq
 CVE-2021-41973 (In Apache MINA, a specifically crafted, malformed HTTP request may cau ...)
 	NOT-FOR-US: Apache MINA
 CVE-2021-41972 (Apache Superset up to and including 1.3.1 allowed for database connect ...)
@@ -20026,7 +20026,7 @@ CVE-2021-41867 (An information disclosure vulnerability in OnionShare 2.3 before
 CVE-2021-41866 (MyBB before 1.8.28 allows stored XSS because the displayed Template Na ...)
 	NOT-FOR-US: MyBB
 CVE-2021-3853 (chaskiq is vulnerable to Improper Neutralization of Input During Web P ...)
-	TODO: check
+	NOT-FOR-US: chaskiq
 CVE-2021-3852 (growi is vulnerable to Authorization Bypass Through User-Controlled Ke ...)
 	TODO: check
 CVE-2021-41865 (HashiCorp Nomad and Nomad Enterprise 1.1.1 through 1.1.5 allowed authe ...)
@@ -35236,15 +35236,15 @@ CVE-2021-35689
 CVE-2021-35688
 	RESERVED
 CVE-2021-35687 (Vulnerability in the Oracle Financial Services Analytical Applications ...)
-	TODO: check
+	NOT-FOR-US: Oracle
 CVE-2021-35686 (Vulnerability in the Oracle Financial Services Analytical Applications ...)
-	TODO: check
+	NOT-FOR-US: Oracle
 CVE-2021-35685
 	RESERVED
 CVE-2021-35684
 	RESERVED
 CVE-2021-35683 (Vulnerability in the Oracle Essbase Administration Services product of ...)
-	TODO: check
+	NOT-FOR-US: Oracle
 CVE-2021-35682
 	RESERVED
 CVE-2021-35681
@@ -35447,7 +35447,7 @@ CVE-2021-35588 (Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition
 	{DLA-2814-1}
 	- openjdk-8 8u312-b07-1
 CVE-2021-35587 (Vulnerability in the Oracle Access Manager product of Oracle Fusion Mi ...)
-	TODO: check
+	NOT-FOR-US: Oracle
 CVE-2021-35586 (Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition produc ...)
 	{DSA-5000-2 DSA-5012-1 DSA-5000-1 DLA-2814-1}
 	- openjdk-17 17.0.1+12-1
@@ -37143,7 +37143,7 @@ CVE-2021-34860 (This vulnerability allows network-adjacent attackers to disclose
 CVE-2021-34859 (This vulnerability allows remote attackers to execute arbitrary code o ...)
 	NOT-FOR-US: TeamViewer
 CVE-2021-34858 (This vulnerability allows remote attackers to execute arbitrary code o ...)
-	TODO: check
+	NOT-FOR-US: TeamViewer
 CVE-2021-34857 (This vulnerability allows local attackers to escalate privileges on af ...)
 	NOT-FOR-US: Parallels Desktop
 CVE-2021-34856 (This vulnerability allows local attackers to escalate privileges on af ...)
@@ -37755,7 +37755,7 @@ CVE-2021-34602
 CVE-2021-34601
 	RESERVED
 CVE-2021-34600 (Telenot CompasX versions prior to 32.0 use a weak seed for random numb ...)
-	TODO: check
+	NOT-FOR-US: Telenot CompasX
 CVE-2021-34599 (Affected versions of CODESYS Git in Versions prior to V1.1.0.0 lack ce ...)
 	NOT-FOR-US: CODESYS
 CVE-2021-34598 (In Phoenix Contact FL MGUARD 1102 and 1105 in Versions 1.4.0, 1.4.1 an ...)
@@ -41530,7 +41530,7 @@ CVE-2021-33042
 CVE-2021-33041 (vmd through 1.34.0 allows 'div class="markdown-body"' XSS, as demonstr ...)
 	NOT-FOR-US: vmd
 CVE-2021-33040 (managers/views/iframe.js in FuturePress EPub.js before 0.3.89 allows X ...)
-	TODO: check
+	NOT-FOR-US: FuturePress EPub.js
 CVE-2021-33039
 	RESERVED
 CVE-2021-33038 (An issue was discovered in management/commands/hyperkitty_import.py in ...)
@@ -44684,7 +44684,7 @@ CVE-2021-31855 (KDE Messagelib through 5.17.0 reveals cleartext of encrypted mes
 	NOTE: https://kde.org/info/security/advisory-20210429-1.txt
 	NOTE: https://commits.kde.org/messagelib/3b5b171e91ce78b966c98b1292a1bcbc8d984799
 CVE-2021-31854 (A command Injection Vulnerability in McAfee Agent (MA) for Windows pri ...)
-	TODO: check
+	NOT-FOR-US: McAfee
 CVE-2021-31853 (DLL Search Order Hijacking Vulnerability in McAfee Drive Encryption (M ...)
 	NOT-FOR-US: McAfee
 CVE-2021-31852 (A Reflected Cross-Site Scripting vulnerability in McAfee Policy Audito ...)
@@ -51759,7 +51759,7 @@ CVE-2021-29217
 CVE-2021-29216
 	RESERVED
 CVE-2021-29215 (A potential security vulnerability in HPE Ezmeral Data Fabric that may ...)
-	TODO: check
+	NOT-FOR-US: HPE
 CVE-2021-29214 (A security vulnerability has been identified in HPE StoreServ Manageme ...)
 	NOT-FOR-US: HPE
 CVE-2021-29213 (A potential local bypass of security restrictions vulnerability has be ...)
@@ -64895,7 +64895,7 @@ CVE-2021-23845 (This vulnerability could allow an attacker to hijack a session w
 CVE-2021-23844
 	RESERVED
 CVE-2021-23843 (The Bosch software tools AccessIPConfig.exe and AmcIpConfig.exe are us ...)
-	TODO: check
+	NOT-FOR-US: Bosch
 CVE-2021-23842 (Communication to the AMC2 uses a state-of-the-art cryptographic algori ...)
 	TODO: check
 CVE-2021-23841 (The OpenSSL public API function X509_issuer_and_serial_hash() attempts ...)
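Review bot: CVE-2021-23843 is marked `NOT-FOR-US: Bosch` on the strength of the AccessIPConfig.exe and AmcIpConfig.exe tools, but the adjacent CVE-2021-23842, whose description concerns communication to the AMC2 that those tools configure, is left at `TODO: check`. If it is the same Bosch product family it should get the same NFU in this change; if not, a short NOTE saying why would stop the next triager from asking the same question.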
@@ -87696,7 +87696,7 @@ CVE-2020-27430
 CVE-2020-27429
 	RESERVED
 CVE-2020-27428 (A DOM-based cross-site scripting (XSS) vulnerability in Scratch-Svg-Re ...)
-	TODO: check
+	NOT-FOR-US: Scratch-Svg-Renderer
 CVE-2020-27427
 	RESERVED
 CVE-2020-27426
@@ -108498,7 +108498,7 @@ CVE-2020-18079
 CVE-2020-18078 (A vulnerability in /include/web_check.php of SEMCMS v3.8 allows attack ...)
 	NOT-FOR-US: SEMCMS
 CVE-2020-18077 (A buffer overflow vulnerability in the Virtual Path Mapping component  ...)
-	TODO: check
+	NOT-FOR-US: FTPShell Server
 CVE-2020-18076
 	RESERVED
 CVE-2020-18075
@@ -118393,7 +118393,7 @@ CVE-2020-14112
 CVE-2020-14111
 	RESERVED
 CVE-2020-14110 (AX3600 router sensitive information leaked.There is an unauthorized in ...)
-	TODO: check
+	NOT-FOR-US: AX3600 router
 CVE-2020-14109 (There is command injection in the meshd program in the routing system, ...)
 	NOT-FOR-US: Xiaomi
 CVE-2020-14108
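Review bot: the new line `NOT-FOR-US: AX3600 router` for CVE-2020-14110 differs in form from the adjacent CVE-2020-14109, which uses the vendor name `NOT-FOR-US: Xiaomi`. Since the two entries describe the same router platform, use one convention for both, e.g. `NOT-FOR-US: Xiaomi AX3600 router`, so the vendor can be found by a single search of data/CVE/list.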



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/df873965d9a7fc874cbd9029f79af5fb1121227f...a6a192dfc7137cb149c0d9c1a030146d8daf7221
