[Git][security-tracker-team/security-tracker][master] 3 commits: Update tracking for CVE-2018-16472/node-cached-path-relative

Salvatore Bonaccorso (@carnil) carnil at debian.org
Tue Jan 25 21:01:38 GMT 2022 


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
cb94ba29 by Salvatore Bonaccorso at 2022-01-25T21:57:31+01:00
Update tracking for CVE-2018-16472/node-cached-path-relative

This old CVE entry was tracked as NFU, but is actually in
node-cached-path-relative and fixed in 1.0.2 upstream. Update tracking.
Versions having fixed CVE-2018-16472 are then prone to CVE-2021-23518.

- - - - -
15ebee4e by Salvatore Bonaccorso at 2022-01-25T21:59:22+01:00
CVE-2021-23518: Remove reference for fix for CVE-2018-16472

- - - - -
4b869692 by Salvatore Bonaccorso at 2022-01-25T22:00:55+01:00
CVE-2021-23518: Add reference back as incomplete fix for CVE-2018-16472

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -66661,8 +66661,8 @@ CVE-2021-23519
 CVE-2021-23518 (The package cached-path-relative before 1.1.0 are vulnerable to Protot ...)
 	- node-cached-path-relative <unfixed> (bug #1004338)
 	NOTE: https://github.com/ashaffer/cached-path-relative/commit/40c73bf70c58add5aec7d11e4f36b93d144bb760
-	NOTE: https://github.com/ashaffer/cached-path-relative/commit/a43cffec84ed0e9eceecb43b534b6937a8028fc0
 	NOTE: results from incomplete fix for https://security.snyk.io/vuln/SNYK-JS-CACHEDPATHRELATIVE-72573
+	NOTE: which was CVE-2018-16472.
 CVE-2021-23517
 	RESERVED
 CVE-2021-23516
@@ -222915,7 +222915,10 @@ CVE-2018-16474 (A stored xss in tianma-static module versions <=1.0.4 allows
 CVE-2018-16473 (A path traversal in takeapeek module versions <=0.2.2 allows an att ...)
 	NOT-FOR-US: takeapeek
 CVE-2018-16472 (A prototype pollution attack in cached-path-relative versions <=1.0 ...)
-	NOT-FOR-US: cached-path-relative
+	- node-cached-path-relative 1.0.2-1
+	NOTE: https://hackerone.com/reports/390847
+	NOTE: https://github.com/ashaffer/cached-path-relative/issues/3
+	NOTE: Fixed by: https://github.com/ashaffer/cached-path-relative/commit/a43cffec84ed0e9eceecb43b534b6937a8028fc0
 CVE-2018-16471 (There is a possible XSS vulnerability in Rack before 2.0.6 and 1.6.11. ...)
 	{DLA-1585-1}
 	- ruby-rack 1.6.4-6 (bug #913005)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/b40de7dfd59f6cc14b52c7d4aa0fc6c884cc6223...4b869692313ed417ba575a395e5c9bbf30146f3e

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/b40de7dfd59f6cc14b52c7d4aa0fc6c884cc6223...4b869692313ed417ba575a395e5c9bbf30146f3e
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20220125/5ae5e796/attachment.htm>

More information about the debian-security-tracker-commits mailing list