[Git][security-tracker-team/security-tracker][master] 2 commits: Process NFUs

Salvatore Bonaccorso (@carnil) carnil at debian.org
Sat Mar 12 07:19:07 GMT 2022



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
80883492 by Salvatore Bonaccorso at 2022-03-12T08:18:07+01:00
Process NFUs

- - - - -
f96df1e9 by Salvatore Bonaccorso at 2022-03-12T08:18:37+01:00
Add two CVEs for nextcloud-server

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -4394,19 +4394,19 @@ CVE-2022-25221
 CVE-2022-25220 (PeteReport Version 0.5 allows an authenticated admin user to inject pe ...)
 	NOT-FOR-US: PeteReport
 CVE-2022-25219 (A null byte interaction error has been discovered in the code that the ...)
-	TODO: check
+	NOT-FOR-US: Phicomm
 CVE-2022-25218 (The use of the RSA algorithm without OAEP, or any other padding scheme ...)
-	TODO: check
+	NOT-FOR-US: Phicomm
 CVE-2022-25217 (Use of a hard-coded cryptographic key pair by the telnetd_startup serv ...)
-	TODO: check
+	NOT-FOR-US: Phicomm
 CVE-2022-25216 (An absolute path traversal vulnerability allows a remote attacker to d ...)
-	TODO: check
+	NOT-FOR-US: DVDFab Player
 CVE-2022-25215 (Improper access control on the LocalMACConfig.asp interface allows an  ...)
-	TODO: check
+	NOT-FOR-US: Phicomm
 CVE-2022-25214 (Improper access control on the LocalClientList.asp interface allows an ...)
-	TODO: check
+	NOT-FOR-US: Phicomm
 CVE-2022-25213 (Improper physical access control and use of hard-coded credentials in  ...)
-	TODO: check
+	NOT-FOR-US: Phicomm
 CVE-2022-24915 (The absence of filters when loading some sections in the web applicati ...)
 	NOT-FOR-US: IPCOMM
 CVE-2022-24432 (Persistent cross-site scripting (XSS) in the web interface of ipDIO al ...)
@@ -5603,7 +5603,7 @@ CVE-2022-24752
 CVE-2022-24751
 	RESERVED
 CVE-2022-24750 (UltraVNC is a free and open source remote pc access software. A vulner ...)
-	TODO: check
+	NOT-FOR-US: UltraVNC
 CVE-2022-24749
 	RESERVED
 CVE-2022-24748 (Shopware is an open commerce platform based on the Symfony php Framewo ...)
@@ -5627,7 +5627,7 @@ CVE-2022-24740
 CVE-2022-24739 (alltube is an html front end for youtube-dl. On releases prior to 3.0. ...)
 	NOT-FOR-US: alltube
 CVE-2022-24738 (Evmos is the Ethereum Virtual Machine (EVM) Hub on the Cosmos Network. ...)
-	TODO: check
+	NOT-FOR-US: Evmos
 CVE-2022-24737 (HTTPie is a command-line HTTP client. HTTPie has the practical concept ...)
 	TODO: check
 CVE-2022-24736
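Review bot: CVE-2022-24737 (HTTPie) keeps `TODO: check` while the rest of this hunk resolves its TODOs; HTTPie is a general-purpose command-line HTTP client and a plausible candidate for a Debian source package, so the entry should be checked against the archive rather than left behind, and if it is deliberately deferred a short NOTE line saying why would help the next triager.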
@@ -8413,27 +8413,27 @@ CVE-2022-23935 (lib/Image/ExifTool.pm in ExifTool before 12.38 mishandles a $fil
 	[stretch] - libimage-exiftool-perl <no-dsa> (Minor issue)
 	NOTE: https://github.com/exiftool/exiftool/commit/74dbab1d2766d6422bb05b033ac6634bf8d1f582 (12.38)
 CVE-2022-23934 (Potential vulnerabilities have been identified in the system BIOS of c ...)
-	TODO: check
+	NOT-FOR-US: HP
 CVE-2022-23933 (Potential vulnerabilities have been identified in the system BIOS of c ...)
-	TODO: check
+	NOT-FOR-US: HP
 CVE-2022-23932 (Potential vulnerabilities have been identified in the system BIOS of c ...)
-	TODO: check
+	NOT-FOR-US: HP
 CVE-2022-23931 (Potential vulnerabilities have been identified in the system BIOS of c ...)
-	TODO: check
+	NOT-FOR-US: HP
 CVE-2022-23930 (Potential vulnerabilities have been identified in the system BIOS of c ...)
-	TODO: check
+	NOT-FOR-US: HP
 CVE-2022-23929 (Potential vulnerabilities have been identified in the system BIOS of c ...)
-	TODO: check
+	NOT-FOR-US: HP
 CVE-2022-23928 (Potential vulnerabilities have been identified in the system BIOS of c ...)
-	TODO: check
+	NOT-FOR-US: HP
 CVE-2022-23927 (Potential vulnerabilities have been identified in the system BIOS of c ...)
-	TODO: check
+	NOT-FOR-US: HP
 CVE-2022-23926 (Potential vulnerabilities have been identified in the system BIOS of c ...)
-	TODO: check
+	NOT-FOR-US: HP
 CVE-2022-23925 (Potential vulnerabilities have been identified in the system BIOS of c ...)
-	TODO: check
+	NOT-FOR-US: HP
 CVE-2022-23924 (Potential vulnerabilities have been identified in the system BIOS of c ...)
-	TODO: check
+	NOT-FOR-US: HP
 CVE-2022-23919
 	RESERVED
 CVE-2022-23918
@@ -9356,9 +9356,9 @@ CVE-2022-23733
 CVE-2022-23732
 	RESERVED
 CVE-2022-23731 (V8 javascript engine (heap vulnerability) can cause privilege escalati ...)
-	TODO: check
+	NOT-FOR-US: LG
 CVE-2022-23730 (The public API error causes for the attacker to be able to bypass API  ...)
-	TODO: check
+	NOT-FOR-US: LG
 CVE-2022-23729 (When the device is in factory state, it can be access the shell withou ...)
 	NOT-FOR-US: LGE
 CVE-2022-23728 (Attacker can reset the device with AT Command in the process of reboot ...)
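Review bot: vendor naming is inconsistent within this hunk: the new lines for CVE-2022-23731 and CVE-2022-23730 use `NOT-FOR-US: LG`, while the existing entry for CVE-2022-23729 directly below uses `NOT-FOR-US: LGE`. Pick one spelling (the existing `LGE` is the one already in the file) so that a search for the vendor's NFU entries finds all of them.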
@@ -9594,7 +9594,7 @@ CVE-2022-23627 (ArchiSteamFarm (ASF) is a C# application with primary purpose of
 CVE-2022-23626 (m1k1o/blog is a lightweight self-hosted facebook-styled PHP blog. Erro ...)
 	NOT-FOR-US: m1k1o/blog
 CVE-2022-23625 (Wire-ios is a messaging application using the wire protocol on apple's ...)
-	TODO: check
+	NOT-FOR-US: Wire-ios
 CVE-2022-23624 (Frourio-express is a minimal full stack framework, for TypeScript. Fro ...)
 	NOT-FOR-US: Frourio-express
 CVE-2022-23623 (Frourio is a full stack framework, for TypeScript. Frourio users who u ...)
@@ -10147,7 +10147,7 @@ CVE-2022-0282 (Code Injection in Packagist microweber/microweber prior to 1.2.11
 CVE-2022-0281 (Exposure of Sensitive Information to an Unauthorized Actor in Packagis ...)
 	NOT-FOR-US: microweber
 CVE-2022-0280 (A race condition vulnerability exists in the QuickClean feature of McA ...)
-	TODO: check
+	NOT-FOR-US: McAfee
 CVE-2022-0279 (The AnyComment WordPress plugin before 0.2.18 is affected by a race co ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2022-0278 (Cross-site Scripting (XSS) - Stored in Packagist microweber/microweber ...)
@@ -11177,7 +11177,7 @@ CVE-2022-23189 (Adobe Illustrator versions 25.4.3 (and earlier) and 26.0.2 (and
 CVE-2022-23188 (Adobe Illustrator versions 25.4.3 (and earlier) and 26.0.2 (and earlie ...)
 	NOT-FOR-US: Adobe
 CVE-2022-23187 (Adobe Illustrator version 26.0.3 (and earlier) is affected by a buffer ...)
-	TODO: check
+	NOT-FOR-US: Adobe
 CVE-2022-23186 (Adobe Illustrator versions 25.4.3 (and earlier) and 26.0.2 (and earlie ...)
 	NOT-FOR-US: Adobe
 CVE-2022-23185
@@ -12508,7 +12508,7 @@ CVE-2022-22815 (path_getbbox in path.c in Pillow before 9.0.0 improperly initial
 	NOTE: https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling
 	NOTE: https://github.com/python-pillow/Pillow/commit/1e092419b6806495c683043ab3feb6ce264f3b9c (9.0.0)
 CVE-2022-22814 (The System Diagnosis service of MyASUS before 3.1.2.0 allows privilege ...)
-	TODO: check
+	NOT-FOR-US: ASUS
 CVE-2022-0155 (follow-redirects is vulnerable to Exposure of Private Personal Informa ...)
 	- node-follow-redirects 1.14.7+~1.13.1-1
 	[bullseye] - node-follow-redirects <no-dsa> (Minor issue)
@@ -18840,7 +18840,7 @@ CVE-2022-21821
 CVE-2022-21820
 	RESERVED
 CVE-2022-21819 (NVIDIA distributions of Jetson Linux contain a vulnerability where an  ...)
-	TODO: check
+	NOT-FOR-US: NVIDIA
 CVE-2022-21818 (NVIDIA License System contains a vulnerability in the installation scr ...)
 	NOT-FOR-US: NVIDIA License System
 CVE-2022-21817 (NVIDIA Omniverse Launcher contains a Cross-Origin Resource Sharing (CO ...)
@@ -19300,7 +19300,7 @@ CVE-2021-4071
 CVE-2021-44674 (An information exposure issue has been discovered in Opmantek Open-Aud ...)
 	NOT-FOR-US: Open-AudIT
 CVE-2021-44673 (A Remote Code Execution (RCE) vulnerability exists in Croogo 3.0.2via  ...)
-	TODO: check
+	NOT-FOR-US: Croogo
 CVE-2021-44672
 	RESERVED
 CVE-2021-44671
@@ -19312,7 +19312,7 @@ CVE-2021-44669
 CVE-2021-44668
 	RESERVED
 CVE-2021-44667 (A Cross Site Scripting (XSS) vulnerability exists in Nacos 2.0.3 in au ...)
-	TODO: check
+	NOT-FOR-US: Nacos
 CVE-2021-44666
 	RESERVED
 CVE-2021-44665 (A Directory Traversal vulnerability exists in the Xerte Project Xerte  ...)
@@ -19417,11 +19417,11 @@ CVE-2021-44622 (A Buffer Overflow vulnerability exists in TP-LINK WR-886N 201908
 CVE-2021-44621
 	RESERVED
 CVE-2021-44620 (A Command Injection vulnerability exits in TOTOLINK A3100R <=V4.1.2 ...)
-	TODO: check
+	NOT-FOR-US: TOTOLINK
 CVE-2021-44619
 	RESERVED
 CVE-2021-44618 (A Server-side Template Injection (SSTI) vulnerability exists in Nystud ...)
-	TODO: check
+	NOT-FOR-US: Nystudio107 Seomatic
 CVE-2021-44617
 	RESERVED
 CVE-2021-44616
@@ -19463,7 +19463,7 @@ CVE-2021-44599 (The id parameter from Online Enrollment Management System 1.0 sy
 CVE-2021-44598 (Attendance Management System 1.0 is affected by a Cross Site Scripting ...)
 	NOT-FOR-US: Attendance Management System
 CVE-2021-44597 (An Access Control vunerabiity exists in Gerapy v 0.9.7 via the spider  ...)
-	TODO: check
+	NOT-FOR-US: Gerapy
 CVE-2021-44596
 	RESERVED
 CVE-2021-44595
@@ -19489,7 +19489,7 @@ CVE-2021-44587
 CVE-2021-44586 (An issue was discovered in dst-admin v1.3.0. The product has an unauth ...)
 	NOT-FOR-US: dst-admin
 CVE-2021-44585 (A Cross Site Scripting (XSS) vulnerabilitiy exits in jeecg-boot 3.0 in ...)
-	TODO: check
+	NOT-FOR-US: jeecg-boot 
 CVE-2021-44584 (Cross-site scripting (XSS) vulnerability in index.php in emlog version ...)
 	NOT-FOR-US: emlog
 CVE-2021-44583
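Review bot: the added line `NOT-FOR-US: jeecg-boot ` for CVE-2021-44585 carries a trailing space after the product name; strip it so the entry matches the other NOT-FOR-US lines and does not trip whitespace checks or exact-match searches.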
@@ -26462,15 +26462,15 @@ CVE-2021-42859
 CVE-2021-42858
 	RESERVED
 CVE-2021-42857 (It was discovered that the SteelCentral AppInternals Dynamic Sampling  ...)
-	TODO: check
+	NOT-FOR-US: SteelCentral AppInternals Dynamic Sampling Agent's (DSA) AgentDaServlet
 CVE-2021-42856 (It was discovered that the /DsaDataTest endpoint is susceptible to Cro ...)
 	TODO: check
 CVE-2021-42855 (It was discovered that the SteelCentral AppInternals Dynamic Sampling  ...)
-	TODO: check
+	NOT-FOR-US: SteelCentral AppInternals Dynamic Sampling Agent (DSA)
 CVE-2021-42854 (It was discovered that the SteelCentral AppInternals Dynamic Sampling  ...)
-	TODO: check
+	NOT-FOR-US: SteelCentral AppInternals Dynamic Sampling Agent (DSA)
 CVE-2021-42853 (It was discovered that the SteelCentral AppInternals Dynamic Sampling  ...)
-	TODO: check
+	NOT-FOR-US: SteelCentral AppInternals Dynamic Sampling Agent (DSA)
 CVE-2021-3902
 	RESERVED
 CVE-2021-3901 (firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF) ...)
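Review bot: the label for CVE-2021-42857, `NOT-FOR-US: SteelCentral AppInternals Dynamic Sampling Agent's (DSA) AgentDaServlet`, is inconsistent with CVE-2021-42855, CVE-2021-42854 and CVE-2021-42853 in the same hunk, which use `NOT-FOR-US: SteelCentral AppInternals Dynamic Sampling Agent (DSA)`; the shorter form is enough, since the NFU label identifies the product, not the affected component. Also, CVE-2021-42856 (`/DsaDataTest endpoint`) is left at `TODO: check` between four entries of the same advisory series that are marked NFU; confirm whether it belongs to the same product and, if so, mark it the same way.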
@@ -26620,9 +26620,9 @@ CVE-2021-42789
 CVE-2021-42788
 	RESERVED
 CVE-2021-42787 (It was discovered that the SteelCentral AppInternals Dynamic Sampling  ...)
-	TODO: check
+	NOT-FOR-US: SteelCentral AppInternals Dynamic Sampling Agent (DSA)
 CVE-2021-42786 (It was discovered that the SteelCentral AppInternals Dynamic Sampling  ...)
-	TODO: check
+	NOT-FOR-US: SteelCentral AppInternals Dynamic Sampling Agent (DSA)
 CVE-2021-42785 (Buffer Overflow vulnerability in tvnviewer.exe of TightVNC Viewer allo ...)
 	NOT-FOR-US: TightVNC Viewer
 CVE-2021-42784 (OS Command Injection vulnerability in debug_fcgi of D-Link DWR-932C E1 ...)
@@ -28864,33 +28864,33 @@ CVE-2022-20062
 CVE-2022-20061
 	RESERVED
 CVE-2022-20060 (In preloader (usb), there is a possible permission bypass due to a mis ...)
-	TODO: check
+	NOT-FOR-US: Mediatek
 CVE-2022-20059 (In preloader (usb), there is a possible out of bounds write due to a m ...)
-	TODO: check
+	NOT-FOR-US: Mediatek
 CVE-2022-20058 (In preloader (usb), there is a possible out of bounds write due to a m ...)
-	TODO: check
+	NOT-FOR-US: Mediatek
 CVE-2022-20057 (In btif, there is a possible memory corruption due to incorrect error  ...)
-	TODO: check
+	NOT-FOR-US: Mediatek
 CVE-2022-20056 (In preloader (usb), there is a possible out of bounds write due to a m ...)
-	TODO: check
+	NOT-FOR-US: Mediatek
 CVE-2022-20055 (In preloader (usb), there is a possible out of bounds write due to a m ...)
-	TODO: check
+	NOT-FOR-US: Mediatek
 CVE-2022-20054 (In ims service, there is a possible AT command injection due to a miss ...)
-	TODO: check
+	NOT-FOR-US: Mediatek
 CVE-2022-20053 (In ims service, there is a possible escalation of privilege due to a m ...)
-	TODO: check
+	NOT-FOR-US: Mediatek
 CVE-2022-20052
 	RESERVED
 CVE-2022-20051 (In ims service, there is a possible unexpected application behavior du ...)
-	TODO: check
+	NOT-FOR-US: Mediatek
 CVE-2022-20050 (In connsyslogger, there is a possible symbolic link following due to i ...)
-	TODO: check
+	NOT-FOR-US: Mediatek
 CVE-2022-20049 (In vpu, there is a possible escalation of privilege due to a missing p ...)
-	TODO: check
+	NOT-FOR-US: Mediatek
 CVE-2022-20048 (In video decoder, there is a possible out of bounds write due to a mis ...)
-	TODO: check
+	NOT-FOR-US: Mediatek
 CVE-2022-20047 (In video decoder, there is a possible out of bounds write due to a mis ...)
-	TODO: check
+	NOT-FOR-US: Mediatek
 CVE-2022-20046 (In Bluetooth, there is a possible memory corruption due to a logic err ...)
 	NOT-FOR-US: MediaTek
 CVE-2022-20045 (In Bluetooth, there is a possible service crash due to a use after fre ...)
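Review bot: the thirteen new lines in this hunk spell the vendor `Mediatek`, while the existing entry for CVE-2022-20046 directly below uses `MediaTek`, which is also the vendor's own spelling; use `MediaTek` for the new lines so a search for the vendor's NFU entries finds all of them.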
@@ -31606,11 +31606,11 @@ CVE-2021-41243 (There is a Potential Zip Slip Vulnerability and OS Command Injec
 CVE-2021-41242 (OpenOlat is a web-basedlearning management system. A path traversal vu ...)
 	NOT-FOR-US: OpenOlat
 CVE-2021-41241 (Nextcloud server is a self hosted system designed to provide cloud sty ...)
-	TODO: check
+	- nextcloud-server <itp> (bug #941708)
 CVE-2021-41240
 	RESERVED
 CVE-2021-41239 (Nextcloud server is a self hosted system designed to provide cloud sty ...)
-	TODO: check
+	- nextcloud-server <itp> (bug #941708)
 CVE-2021-41238 (Hangfire is an open source system to perform background job processing ...)
 	NOT-FOR-US: Hangfire
 CVE-2021-41237
@@ -46436,7 +46436,7 @@ CVE-2021-35253
 CVE-2021-35252
 	RESERVED
 CVE-2021-35251 (Sensitive information could be displayed when a detailed technical err ...)
-	TODO: check
+	NOT-FOR-US: Solarwinds
 CVE-2021-35250
 	RESERVED
 CVE-2021-35249
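Review bot: `NOT-FOR-US: Solarwinds` for CVE-2021-35251 uses a lowercase w; the vendor writes its name `SolarWinds`, and keeping vendor names in their canonical form makes the NFU entries easier to search. Check how existing SolarWinds entries elsewhere in the file are spelled and match them.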
@@ -49014,7 +49014,7 @@ CVE-2021-34124
 CVE-2021-34123
 	RESERVED
 CVE-2021-34122 (The function bitstr_tell at bitstr.c in ffjpeg commit 4ab404e has a NU ...)
-	TODO: check
+	NOT-FOR-US: ffjpeg
 CVE-2021-34121
 	RESERVED
 CVE-2021-34120



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/4c013dc4882528a35f0bead9f3048b99ea337f10...f96df1e9b050349dd1d8cc1d017545734ee0bbcc
