[Git][security-tracker-team/security-tracker][master] Replace some older NFUs with itp'ed entry for snipe-it

Salvatore Bonaccorso (@carnil) carnil at debian.org
Tue May 3 11:38:52 BST 2022



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
96b33153 by Salvatore Bonaccorso at 2022-05-03T12:37:09+02:00
Replace some older NFUs with itp'ed entry for snipe-it

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -619,7 +619,7 @@ CVE-2022-1513
 CVE-2022-1512
 	RESERVED
 CVE-2022-1511 (Improper Access Control in GitHub repository snipe/snipe-it prior to 5 ...)
-	NOT-FOR-US: snipe-it
+	- snipe-it <itp> (bug #1005172)
 CVE-2022-1510
 	RESERVED
 CVE-2022-1509 (Sed Injection Vulnerability in GitHub repository hestiacp/hestiacp pri ...)
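Review bot: the `<itp>` state records no fixed-version information, so once the snipe-it package from bug #1005172 reaches the archive each of these CVE-2022-1511-style entries has to be revisited individually; the truncated description ("prior to 5 ...") gives no hint of the fixed upstream version on its own. Recording the upstream fix reference now, as a `NOTE:` line with the upstream advisory or fix commit in the way the radare2 and mruby entries further down in this file do, would make that later pass mechanical.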
@@ -1442,7 +1442,7 @@ CVE-2022-1447
 CVE-2022-1446
 	RESERVED
 CVE-2022-1445 (Stored Cross Site Scripting vulnerability in the checked_out_to parame ...)
-	NOT-FOR-US: snipe-it
+	- snipe-it <itp> (bug #1005172)
 CVE-2022-1444 (heap-use-after-free in GitHub repository radareorg/radare2 prior to 5. ...)
 	- radare2 <unfixed>
 	NOTE: https://huntr.dev/bounties/b438a940-f8a4-4872-b030-59bdd1ab72aa
@@ -2290,7 +2290,7 @@ CVE-2022-29268
 CVE-2022-29267
 	RESERVED
 CVE-2022-1380 (Stored Cross Site Scripting vulnerability in Item name parameter in Gi ...)
-	NOT-FOR-US: snipe-it
+	- snipe-it <itp> (bug #1005172)
 CVE-2022-1379
 	RESERVED
 CVE-2022-29266 (In APache APISIX before 3.13.1, the jwt-auth plugin has a security iss ...)
@@ -5408,7 +5408,7 @@ CVE-2022-1157 (Missing sanitization of logged exception messages in all versions
 CVE-2022-1156 (The Books & Papers WordPress plugin through 0.20210223 does not es ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2022-1155 (Old sessions are not blocked by the login enable function. in GitHub r ...)
-	NOT-FOR-US: snipe-it
+	- snipe-it <itp> (bug #1005172)
 CVE-2022-1154 (Use after free in utf_ptr2char in GitHub repository vim/vim prior to 8 ...)
 	- vim 2:8.2.4659-1
 	[bullseye] - vim <no-dsa> (Minor issue)
@@ -13584,7 +13584,7 @@ CVE-2022-0623 (Out-of-bounds Read in Homebrew mruby prior to 3.2. ...)
 	NOTE: https://github.com/mruby/mruby/commit/ff3a5ebed6ffbe3e70481531cfb969b497aa73ad
 	NOTE: https://huntr.dev/bounties/5b908ac7-d8f1-4fcd-9355-85df565f7580
 CVE-2022-0622 (Generation of Error Message Containing Sensitive Information in Packag ...)
-	NOT-FOR-US: snipe-it
+	- snipe-it <itp> (bug #1005172)
 CVE-2022-0621 (The dTabs WordPress plugin through 1.4 does not sanitize and escape th ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2022-0620 (The Delete Old Orders WordPress plugin through 0.2 does not sanitize a ...)
@@ -13751,7 +13751,7 @@ CVE-2022-25148 (The WP Statistics WordPress plugin is vulnerable to SQL Injectio
 CVE-2022-0612 (Cross-site Scripting (XSS) - Stored in Packagist remdex/livehelperchat ...)
 	NOT-FOR-US: livehelperchat
 CVE-2022-0611 (Improper Privilege Management in Packagist snipe/snipe-it prior to 5.3 ...)
-	NOT-FOR-US: snipe-it
+	- snipe-it <itp> (bug #1005172)
 CVE-2019-25057 (In Corda before 4.1, the meaning of serialized data can be modified vi ...)
 	NOT-FOR-US: Corda
 CVE-2022-25147
@@ -14257,7 +14257,7 @@ CVE-2022-24978 (Zoho ManageEngine ADAudit Plus before 7055 allows authenticated
 CVE-2022-24977 (ImpressCMS before 1.4.2 allows unauthenticated remote code execution v ...)
 	NOT-FOR-US: ImpressCMS
 CVE-2022-0579 (Improper Privilege Management in Packagist snipe/snipe-it prior to 5.3 ...)
-	NOT-FOR-US: snipe-it
+	- snipe-it <itp> (bug #1005172)
 CVE-2022-0578
 	RESERVED
 CVE-2022-24976 (Atheme IRC Services before 7.2.12, when used in conjunction with InspI ...)
@@ -14295,7 +14295,7 @@ CVE-2022-0570 (Heap-based Buffer Overflow in Homebrew mruby prior to 3.2. ...)
 	NOTE: https://huntr.dev/bounties/65a7632e-f95b-4836-b1a7-9cb95e5124f1
 	NOTE: https://github.com/mruby/mruby/commit/38b164ace7d6ae1c367883a3d67d7f559783faad
 CVE-2022-0569 (Exposure of Sensitive Information to an Unauthorized Actor in Packagis ...)
-	NOT-FOR-US: snipe-it
+	- snipe-it <itp> (bug #1005172)
 CVE-2022-24975 (The --mirror documentation for Git through 2.35.1 does not mention the ...)
 	- git <unfixed> (unimportant)
 	NOTE: https://wwws.nightwatchcybersecurity.com/2022/02/11/gitbleed/
@@ -21241,9 +21241,9 @@ CVE-2022-0181 (Reflected cross-site scripting vulnerability in Quiz And Survey M
 CVE-2022-0180 (Cross-site request forgery (CSRF) vulnerability in Quiz And Survey Mas ...)
 	NOT-FOR-US: Quiz And Survey Master
 CVE-2022-0179 (snipe-it is vulnerable to Improper Access Control ...)
-	NOT-FOR-US: snipe-it
+	- snipe-it <itp> (bug #1005172)
 CVE-2022-0178 (snipe-it is vulnerable to Improper Access Control ...)
-	NOT-FOR-US: snipe-it
+	- snipe-it <itp> (bug #1005172)
 CVE-2022-0177
 	REJECTED
 CVE-2021-4204 [eBPF Improper Input Validation Vulnerability]
@@ -27194,7 +27194,7 @@ CVE-2021-4132 (livehelperchat is vulnerable to Improper Neutralization of Input
 CVE-2021-4131 (livehelperchat is vulnerable to Cross-Site Request Forgery (CSRF) ...)
 	NOT-FOR-US: livehelperchat
 CVE-2021-4130 (snipe-it is vulnerable to Cross-Site Request Forgery (CSRF) ...)
-	NOT-FOR-US: snipe-it
+	- snipe-it <itp> (bug #1005172)
 CVE-2021-4129
 	RESERVED
 CVE-2021-4128
@@ -27739,7 +27739,7 @@ CVE-2021-4110 (mruby is vulnerable to NULL Pointer Dereference ...)
 CVE-2021-4109
 	RESERVED
 CVE-2021-4108 (snipe-it is vulnerable to Improper Neutralization of Input During Web  ...)
-	NOT-FOR-US: snipe-it
+	- snipe-it <itp> (bug #1005172)
 CVE-2022-0010
 	RESERVED
 CVE-2021-45040 (The Spatie media-library-pro library through 1.17.10 and 2.x through 2 ...)
@@ -28581,7 +28581,7 @@ CVE-2021-44780
 CVE-2021-44764
 	RESERVED
 CVE-2021-4089 (snipe-it is vulnerable to Improper Access Control ...)
-	NOT-FOR-US: snipe-it
+	- snipe-it <itp> (bug #1005172)
 CVE-2021-37408
 	RESERVED
 CVE-2021-31565
@@ -28885,7 +28885,7 @@ CVE-2021-44676 (Zoho ManageEngine Access Manager Plus before 4203 allows anyone
 CVE-2021-44675 (Zoho ManageEngine ServiceDesk Plus MSP before 10.5 Build 10534 is vuln ...)
 	NOT-FOR-US: Zoho ManageEngine
 CVE-2021-4075 (snipe-it is vulnerable to Server-Side Request Forgery (SSRF) ...)
-	NOT-FOR-US: snipe-it
+	- snipe-it <itp> (bug #1005172)
 CVE-2021-4074 (The WHMCS Bridge WordPress plugin is vulnerable to Stored Cross-Site S ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2021-4073 (The RegistrationMagic WordPress plugin made it possible for unauthenti ...)
@@ -30388,7 +30388,7 @@ CVE-2021-44208 (OX App Suite through 7.10.5 allows XSS via an unknown system mes
 CVE-2021-44207 (Acclaim USAHERDS through 7.4.0.1 uses hard-coded credentials. ...)
 	NOT-FOR-US: Acclaim USAHERDS
 CVE-2021-4018 (snipe-it is vulnerable to Improper Neutralization of Input During Web  ...)
-	NOT-FOR-US: snipe-it
+	- snipe-it <itp> (bug #1005172)
 CVE-2021-4017 (showdoc is vulnerable to Cross-Site Request Forgery (CSRF) ...)
 	NOT-FOR-US: ShowDoc
 CVE-2021-44206 (Local privilege escalation due to DLL hijacking vulnerability in Acron ...)
@@ -32867,7 +32867,7 @@ CVE-2021-43747 (Adobe Premiere Rush version 1.5.16 (and earlier) is affected by
 CVE-2021-43746 (Adobe Premiere Rush versions 1.5.16 (and earlier) allows access to an  ...)
 	NOT-FOR-US: Adobe
 CVE-2021-3961 (snipe-it is vulnerable to Improper Neutralization of Input During Web  ...)
-	NOT-FOR-US: snipe-it
+	- snipe-it <itp> (bug #1005172)
 CVE-2022-21216
 	RESERVED
 CVE-2022-21204 (Improper permissions for Intel(R) Quartus(R) Prime Pro Edition before  ...)
@@ -33553,7 +33553,7 @@ CVE-2021-3939 (Ubuntu-specific modifications to accountsservice (in patch file d
 	- accountsservice <not-affected> (Ubuntu specific patch)
 	NOTE: https://ubuntu.com/security/CVE-2021-3939
 CVE-2021-3938 (snipe-it is vulnerable to Improper Neutralization of Input During Web  ...)
-	NOT-FOR-US: snipe-it
+	- snipe-it <itp> (bug #1005172)
 CVE-2021-3937
 	REJECTED
 CVE-2021-3936
@@ -33856,7 +33856,7 @@ CVE-2021-43402
 CVE-2021-43401
 	RESERVED
 CVE-2021-3931 (snipe-it is vulnerable to Cross-Site Request Forgery (CSRF) ...)
-	NOT-FOR-US: snipe-it
+	- snipe-it <itp> (bug #1005172)
 CVE-2021-3930 (An off-by-one error was found in the SCSI device emulation in QEMU. It ...)
 	{DLA-2970-1}
 	- qemu 1:6.2+dfsg-1
@@ -38954,7 +38954,7 @@ CVE-2021-3881 (libmobi is vulnerable to Out-of-bounds Read ...)
 CVE-2021-3880
 	REJECTED
 CVE-2021-3879 (snipe-it is vulnerable to Improper Neutralization of Input During Web  ...)
-	NOT-FOR-US: snipe-it
+	- snipe-it <itp> (bug #1005172)
 CVE-2021-42262 (An issue was discovered in Softing OPC UA C++ SDK before 5.70. An inva ...)
 	NOT-FOR-US: Softing OPC UA C++ SDK
 CVE-2021-42261 (Revisor Video Management System (VMS) before 2.0.0 has a directory tra ...)
@@ -39579,7 +39579,7 @@ CVE-2021-42012 (A stack-based buffer overflow vulnerability in Trend Micro Apex
 CVE-2021-42011 (An incorrect permission assignment vulnerability in Trend Micro Apex O ...)
 	NOT-FOR-US: Trend Micro
 CVE-2021-3863 (snipe-it is vulnerable to Improper Neutralization of Input During Web  ...)
-	NOT-FOR-US: snipe-it
+	- snipe-it <itp> (bug #1005172)
 CVE-2021-42010
 	RESERVED
 CVE-2021-42009 (An authenticated Apache Traffic Control Traffic Ops user with Portal-l ...)
@@ -39677,7 +39677,7 @@ CVE-2021-41975 (TadTools special page is vulnerable to authorization bypass, thu
 CVE-2021-41974 (Tad Book3 editing book page does not perform identity verification. Re ...)
 	NOT-FOR-US: Tad Book3
 CVE-2021-3858 (snipe-it is vulnerable to Cross-Site Request Forgery (CSRF) ...)
-	NOT-FOR-US: snipe-it
+	- snipe-it <itp> (bug #1005172)
 CVE-2021-3857 (chaskiq is vulnerable to Improper Neutralization of Input During Web P ...)
 	NOT-FOR-US: chaskiq
 CVE-2021-41973 (In Apache MINA, a specifically crafted, malformed HTTP request may cau ...)
@@ -205342,7 +205342,7 @@ CVE-2019-10120 (On eQ-3 HomeMatic CCU2 devices before 2.41.8 and CCU3 devices be
 CVE-2019-10119 (eQ-3 HomeMatic CCU2 devices before 2.41.8 and CCU3 devices before 3.43 ...)
 	NOT-FOR-US: eQ-3 HomeMatic CCU2 and CCU3 devices
 CVE-2019-10118 (Snipe-IT before 4.6.14 has XSS, as demonstrated by log_meta values and ...)
-	NOT-FOR-US: Snipe-IT
+	- snipe-it <itp> (bug #1005172)
 CVE-2019-10117 (An Open Redirect issue was discovered in GitLab Community and Enterpri ...)
 	- gitlab <not-affected> (Only affects 11.9 and later)
 	NOTE: https://about.gitlab.com/2019/04/01/security-release-gitlab-11-dot-9-dot-4-released/
@@ -205402,7 +205402,7 @@ CVE-2016-10749 (parse_string in cJSON.c in cJSON before 2016-10-02 has a buffer
 	NOTE: https://www.openwall.com/lists/oss-security/2016/11/07/2
 	NOTE: https://github.com/DaveGamble/cJSON/commit/94df772485c92866ca417d92137747b2e3b0a917
 CVE-2016-10744 (In Select2 through 4.0.5, as used in Snipe-IT and other products, rich ...)
-	NOT-FOR-US: Snipe-IT
+	- snipe-it <itp> (bug #1005172)
 CVE-2019-10099 (Prior to Spark 2.3.3, in certain situations Spark would write user dat ...)
 	- apache-spark <itp> (bug #802194)
 CVE-2019-10098 (In Apache HTTP server 2.4.0 to 2.4.39, Redirects configured with mod_r ...)
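Review bot: CVE-2016-10744 is a flaw in the Select2 library rather than in snipe-it itself ("In Select2 through 4.0.5, as used in Snipe-IT and other products"), so tracking it only against `snipe-it <itp>` loses the information that any other package embedding Select2 is affected as well. A `NOTE:` line stating that the vulnerable component is the bundled Select2 copy would let the ITP review check whether the packaged snipe-it ships Select2 newer than 4.0.5 or uses a system copy, and would flag the same question for other packages that vendor Select2.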



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/96b331536c82de23c2c192a2c4a6e33c529f9549




