[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Fri May 20 21:10:33 BST 2022
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
9b3b80d9 by security tracker role at 2022-05-20T20:10:25+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,7 +1,33 @@
-CVE-2022-31246
+CVE-2022-31257
+ RESERVED
+CVE-2022-31256
+ RESERVED
+CVE-2022-31255
+ RESERVED
+CVE-2022-31254
+ RESERVED
+CVE-2022-31253
+ RESERVED
+CVE-2022-31252
+ RESERVED
+CVE-2022-31251
RESERVED
-CVE-2022-31245
+CVE-2022-31250
RESERVED
+CVE-2022-31249
+ RESERVED
+CVE-2022-31248
+ RESERVED
+CVE-2022-31247
+ RESERVED
+CVE-2022-1807
+ RESERVED
+CVE-2022-1806 (Cross-site Scripting (XSS) - Reflected in GitHub repository rtxteam/rt ...)
+ TODO: check
+CVE-2022-31246
+ RESERVED
+CVE-2022-31245 (mailcow before 2022-05d allows a remote authenticated user to inject O ...)
+ TODO: check
CVE-2022-31244
RESERVED
CVE-2022-31243
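Review bot: the two entries in this hunk that are not plain RESERVED, CVE-2022-1806 (rtxteam/rt ...) and CVE-2022-31245 (mailcow), are left at TODO: check with descriptions cut off mid-sentence; the first is truncated right after the repository owner, so the affected project cannot be identified from this hunk alone and should be confirmed from the full CVE text before a NOT-FOR-US tag is chosen. Also note that the CVE-2022-1807/CVE-2022-1806 pair lands between CVE-2022-31247 and CVE-2022-31246, so the file keeps its existing non-numeric ordering; that is the established convention, just something anyone scanning by ID should expect.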
@@ -78,8 +104,8 @@ CVE-2022-1799
RESERVED
CVE-2022-1798
RESERVED
-CVE-2022-31215
- RESERVED
+CVE-2022-31215 (In certain Goverlan products, the Windows Firewall is temporarily turn ...)
+ TODO: check
CVE-2022-31214
RESERVED
CVE-2022-31213
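Review bot: CVE-2022-31215 can be resolved now rather than left at TODO: check: the description names Goverlan products and the Windows Firewall, i.e. a Windows-only product with no Debian package, so the consistent tag is NOT-FOR-US: Goverlan, in line with the other vendor-only entries in this file.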
@@ -556,7 +582,7 @@ CVE-2022-30977
RESERVED
CVE-2022-29496
RESERVED
-CVE-2022-1796 (Use After Free in GitHub repository vim/vim prior to 8.2. ...)
+CVE-2022-1796 (Use After Free in GitHub repository vim/vim prior to 8.2.4979. ...)
- vim <unfixed>
NOTE: https://huntr.dev/bounties/f6739b58-49f9-4056-a843-bf76bbc1253e
NOTE: https://github.com/vim/vim/commit/28d032cc688ccfda18c5bbcab8b50aba6e18cde5 (v8.2.4979)
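Review bot: the CVE-2022-1796 description now carries the fixed upstream version 8.2.4979, which matches the commit NOTE, but the package line is still `vim <unfixed>` with no severity annotation, while the other vim entries in this update (CVE-2022-1771, CVE-2022-1769) carry (unimportant). A use-after-free is normally not rated unimportant, so leaving it untagged looks deliberate; the remaining work is to map 8.2.4979 to the Debian upload containing commit 28d032cc and to add the per-suite lines once that is known.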
@@ -582,12 +608,12 @@ CVE-2022-1787
RESERVED
CVE-2022-1786
RESERVED
-CVE-2022-1785 (Out-of-bounds Write in GitHub repository vim/vim prior to 8.2. ...)
+CVE-2022-1785 (Out-of-bounds Write in GitHub repository vim/vim prior to 8.2.4977. ...)
- vim <unfixed>
NOTE: https://huntr.dev/bounties/8c969cba-eef2-4943-b44a-4e3089599109
NOTE: https://github.com/vim/vim/commit/e2bd8600b873d2cd1f9d667c28cba8b1dba18839 (v8.2.4977)
-CVE-2022-1784
- RESERVED
+CVE-2022-1784 (Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio ...)
+ TODO: check
CVE-2022-1783
RESERVED
CVE-2022-1782 (Cross-site Scripting (XSS) - Generic in GitHub repository erudika/para ...)
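Review bot: CVE-2022-1785 gets the same treatment as CVE-2022-1796 above (fixed version 8.2.4977 now in the description, matching the commit NOTE, package still `vim <unfixed>` and untagged), so the same follow-up applies. CVE-2022-1784 (jgraph/drawio SSRF) stays at TODO: check; unless some Debian source package vendors draw.io, which this reviewer is not aware of, the resolution will be NOT-FOR-US: drawio and can be settled in the next pass.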
@@ -622,7 +648,7 @@ CVE-2022-1773
RESERVED
CVE-2022-1772
RESERVED
-CVE-2022-1771 (Stack-based Buffer Overflow in GitHub repository vim/vim prior to 8.2. ...)
+CVE-2022-1771 (Uncontrolled Recursion in GitHub repository vim/vim prior to 8.2.4975. ...)
- vim <unfixed> (unimportant)
NOTE: https://huntr.dev/bounties/faa74175-5317-4b71-a363-dfc39094ecbb
NOTE: https://github.com/vim/vim/commit/51f0bfb88a3554ca2dde777d78a59880d1ee37a8 (v8.2.4975)
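Review bot: the CVE-2022-1771 description changed class from Stack-based Buffer Overflow to Uncontrolled Recursion, while the `vim <unfixed> (unimportant)` line and both NOTEs were kept as they were. The fix commit (51f0bfb8, v8.2.4975) is unchanged, so the entry is still correct; the one thing to re-check is that the (unimportant) rating, assigned under the old wording, still fits the reclassified issue (unbounded recursion in vim on crafted input is a crash, which is consistent with unimportant, so most likely no change is needed).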
@@ -631,8 +657,8 @@ CVE-2019-25061 (The random_password_generator (aka RandomPasswordGenerator) gem
NOT-FOR-US: bvsatyaram/random_password_generator
CVE-2022-30973
RESERVED
-CVE-2022-1770
- RESERVED
+CVE-2022-1770 (Improper Privilege Management in GitHub repository polonel/trudesk pri ...)
+ TODO: check
CVE-2022-1769 (Buffer Over-read in GitHub repository vim/vim prior to 8.2.4974. ...)
- vim <unfixed> (unimportant)
NOTE: https://huntr.dev/bounties/522076b2-96cb-4df6-a504-e6e2f64c171c
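Review bot: CVE-2022-1770 (polonel/trudesk, Improper Privilege Management) is a GitHub-hosted Node.js helpdesk application with no Debian package, so it can likely be closed as NOT-FOR-US: trudesk instead of sitting at TODO: check; the CVE-2022-1769 vim entry in the context lines is untouched.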
@@ -1038,10 +1064,10 @@ CVE-2022-30889
RESERVED
CVE-2022-30888
RESERVED
-CVE-2022-30887
- RESERVED
-CVE-2022-30886
- RESERVED
+CVE-2022-30887 (Pharmacy Management System v1.0 was discovered to contain a remote cod ...)
+ TODO: check
+CVE-2022-30886 (School Dormitory Management System v1.0 was discovered to contain a SQ ...)
+ TODO: check
CVE-2022-30885
RESERVED
CVE-2022-30884
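Review bot: CVE-2022-30887 (Pharmacy Management System v1.0, remote code execution) and CVE-2022-30886 (School Dormitory Management System v1.0, SQL injection) are hobby PHP applications of the same class as Money Transfer Management System and Automatic Question Paper Generator elsewhere in this file, which are tagged NOT-FOR-US; they can take the same tag directly rather than a TODO: check each.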
@@ -1254,7 +1280,7 @@ CVE-2022-30779 (Laravel 9.1.8, when processing attacker-controlled data for dese
TODO: check, issue seems to be in src:guzzle, check details
CVE-2022-30778 (Laravel 9.1.8, when processing attacker-controlled data for deserializ ...)
TODO: check
-CVE-2022-30777 (Parallels H-Sphere 3.6.2 allows XSS via the index_en.php from paramete ...)
+CVE-2022-30777 (Parallels H-Sphere 3.6.1713 allows XSS via the index_en.php from param ...)
NOT-FOR-US: Parallels H-Sphere
CVE-2022-30776 (atmail 6.5.0 allows XSS via the index.php/admin/index/ error parameter ...)
- atmailopen <removed>
@@ -1731,8 +1757,8 @@ CVE-2022-30553
RESERVED
CVE-2022-30552
RESERVED
-CVE-2022-30551
- RESERVED
+CVE-2022-30551 (OPC UA Legacy Java Stack 2022-04-01 allows a remote attacker to cause ...)
+ TODO: check
CVE-2022-30550
RESERVED
CVE-2022-1677
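Review bot: CVE-2022-30551 (OPC UA Legacy Java Stack) deserves an actual check rather than a reflex NOT-FOR-US, since OPC UA stacks do get embedded in other Java projects; if no Debian source package ships or vendors the legacy Java stack, tag it NOT-FOR-US: OPC UA Legacy Java Stack, and expand the truncated description so the entry says what the remote attacker can cause.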
@@ -1973,8 +1999,8 @@ CVE-2022-30520
RESERVED
CVE-2022-30519
RESERVED
-CVE-2022-30518
- RESERVED
+CVE-2022-30518 (ChatBot Application with a Suggestion Feature 1.0 was discovered to co ...)
+ TODO: check
CVE-2022-30517
RESERVED
CVE-2022-30516
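Review bot: CVE-2022-30518 (ChatBot Application with a Suggestion Feature 1.0) is another single-download PHP demo application; it fits the NOT-FOR-US pattern used for similar entries in this file and does not need to stay at TODO: check.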
@@ -5317,8 +5343,8 @@ CVE-2022-29322 (D-Link DIR-816 A2_v1.10CNB04 was discovered to contain a stack o
NOT-FOR-US: D-Link
CVE-2022-29321 (D-Link DIR-816 A2_v1.10CNB04 was discovered to contain a stack overflo ...)
NOT-FOR-US: D-Link
-CVE-2022-29320
- RESERVED
+CVE-2022-29320 (MiniTool Partition Wizard v12.0 contains an unquoted service path whic ...)
+ TODO: check
CVE-2022-29319
RESERVED
CVE-2022-29318 (An arbitrary file upload vulnerability in the New Entry module of Car ...)
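Review bot: CVE-2022-29320 (MiniTool Partition Wizard v12.0, unquoted service path) is a Windows service-registration issue that cannot apply to any Debian package; resolve it as NOT-FOR-US: MiniTool Partition Wizard.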
@@ -5698,8 +5724,8 @@ CVE-2022-29179
RESERVED
CVE-2022-29178
RESERVED
-CVE-2022-29177
- RESERVED
+CVE-2022-29177 (Go Ethereum is the official Golang implementation of the Ethereum prot ...)
+ TODO: check
CVE-2022-29176 (Rubygems is a package registry used to supply software for the Ruby la ...)
NOT-FOR-US: rubygems/rubygems.org
CVE-2022-29175
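Review bot: CVE-2022-29177 (Go Ethereum) should not be closed as NOT-FOR-US on the project name alone: go-ethereum is a Go library as well as a daemon, and Go packages in Debian routinely vendor or depend on upstream modules, so check for a golang-github-ethereum-go-ethereum source package or vendored copies before tagging; the rubygems.org entry in the context lines shows the intended tag when nothing in the archive is affected.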
@@ -5716,8 +5742,8 @@ CVE-2022-29172 (Auth0 is an authentication broker that supports both social and
NOT-FOR-US: Auth0
CVE-2022-29171 (Sourcegraph is a fast and featureful code search and navigation engine ...)
NOT-FOR-US: Sourcegraph
-CVE-2022-29170
- RESERVED
+CVE-2022-29170 (Grafana is an open-source platform for monitoring and observability. I ...)
+ TODO: check
CVE-2022-29169
RESERVED
CVE-2022-29168
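Review bot: CVE-2022-29170 (Grafana) should follow whatever resolution the earlier Grafana entries in this file settled on rather than opening a fresh TODO: check, and the truncated description should be expanded to say which Grafana component is affected before the tag is chosen.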
@@ -5726,13 +5752,12 @@ CVE-2022-29167 (Hawk is an HTTP authentication scheme providing mechanisms for m
NOT-FOR-US: Hawk (mozilla/hawk, different from itp'ed hawk, #634344)
CVE-2022-29166 (matrix-appservice-irc is a Node.js IRC bridge for Matrix. The vulnerab ...)
NOT-FOR-US: Matrix-appservice-bridge
-CVE-2022-29165
- RESERVED
+CVE-2022-29165 (Argo CD is a declarative, GitOps continuous delivery tool for Kubernet ...)
NOT-FOR-US: Argo CD
CVE-2022-29164 (Argo Workflows is an open source container-native workflow engine for ...)
NOT-FOR-US: Argo Workflows
-CVE-2022-29163
- RESERVED
+CVE-2022-29163 (Nextcloud Server is the file server software for Nextcloud, a self-hos ...)
+ TODO: check
CVE-2022-29162 (runc is a CLI tool for spawning and running containers on Linux accord ...)
- runc <unfixed>
[stretch] - runc <not-affected> (Vulnerable code not present)
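Review bot: CVE-2022-29165 goes straight from RESERVED to NOT-FOR-US: Argo CD with no TODO step, consistent with CVE-2022-29164 right below it; that is the right shortcut for a project with no Debian package. CVE-2022-29163 (Nextcloud Server) is left at TODO: check; Nextcloud Server itself is not in Debian (only the desktop client is), so NOT-FOR-US is the expected outcome, but the description is cut off before the vulnerability is named, so confirm it does not concern a bundled component Debian does ship. The runc entry in the context lines is unchanged.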
@@ -5741,10 +5766,10 @@ CVE-2022-29162 (runc is a CLI tool for spawning and running containers on Linux
NOTE: https://github.com/opencontainers/runc/commit/98fe566c527479195ce3c8167136d2a555fe6b65 (main)
CVE-2022-29161 (XWiki Platform is a generic wiki platform offering runtime services fo ...)
NOT-FOR-US: XWiki
-CVE-2022-29160
- RESERVED
-CVE-2022-29159
- RESERVED
+CVE-2022-29160 (Nextcloud Android is the Android client for Nextcloud, a self-hosted p ...)
+ TODO: check
+CVE-2022-29159 (Nextcloud Deck is a Kanban-style project & personal management too ...)
+ TODO: check
CVE-2022-29158
RESERVED
CVE-2022-1344 (Stored XSS due to no sanitization in the filename in GitHub repository ...)
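Review bot: CVE-2022-29160 (Nextcloud Android) and CVE-2022-29159 (Nextcloud Deck) are client/app-side Nextcloud components with no Debian package, and Nextcloud Deck appears a second time in this update as CVE-2022-24906; triage the three together and apply one consistent tag (NOT-FOR-US: Nextcloud Android, NOT-FOR-US: Nextcloud Deck) instead of three separate TODO: check markers.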
@@ -5801,7 +5826,7 @@ CVE-2022-29156 (drivers/infiniband/ulp/rtrs/rtrs-clt.c in the Linux kernel befor
[stretch] - linux <not-affected> (Vulnerable code not present)
NOTE: Fixedy by: https://git.kernel.org/linus/8700af2cc18c919b2a83e74e0479038fd113c15d (5.17-rc6)
CVE-2022-29155 (In OpenLDAP 2.x before 2.5.12 and 2.6.x before 2.6.2, a SQL injection ...)
- {DSA-5140-1}
+ {DSA-5140-1 DLA-3017-1}
- openldap 2.5.12+dfsg-1
NOTE: https://bugs.openldap.org/show_bug.cgi?id=9815
NOTE: https://git.openldap.org/openldap/openldap/-/commit/87df6c19915042430540931d199a39105544a134 (master)
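Review bot: adding DLA-3017-1 beside DSA-5140-1 for CVE-2022-29155 is the expected cross-reference once the LTS update is published; make sure the DLA-3017-1 record in data/DLA/list carries CVE-2022-29155 as well so the two files agree. Separately, the unchanged context line for CVE-2022-29156 two lines above still reads "Fixedy by:"; not part of this change, but an easy typo to clean up in a follow-up.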
@@ -6223,12 +6248,12 @@ CVE-2022-29025
RESERVED
CVE-2022-29024
RESERVED
-CVE-2022-29023
- RESERVED
-CVE-2022-29022
- RESERVED
-CVE-2022-29021
- RESERVED
+CVE-2022-29023 (A buffer overflow in the razermouse driver of OpenRazer v3.3.0 and bel ...)
+ TODO: check
+CVE-2022-29022 (A buffer overflow in the razeraccessory driver of OpenRazer v3.3.0 and ...)
+ TODO: check
+CVE-2022-29021 (A buffer overflow in the razerkbd driver of OpenRazer v3.3.0 and below ...)
+ TODO: check
CVE-2022-29020 (ForestBlog through 2022-02-16 allows admin/profile/save userAvatar XSS ...)
NOT-FOR-US: ForestBlog
CVE-2022-29019
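Review bot: CVE-2022-29023, CVE-2022-29022 and CVE-2022-29021 must not be closed as NOT-FOR-US and should not sit at TODO: check for long: OpenRazer is packaged in Debian (src:openrazer, which builds the razermouse, razeraccessory and razerkbd kernel modules named in these descriptions), so each of the three needs an `openrazer <unfixed>` line (or the fixed upload once identified), a severity assessment appropriate to a buffer overflow in a kernel driver, and NOTE lines pointing at the upstream fix. The truncated descriptions say "v3.3.0 and below" but do not name the fixed release, so that still has to be looked up.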
@@ -6283,14 +6308,14 @@ CVE-2022-28995
RESERVED
CVE-2022-28994 (Small HTTP Server version 3.06 suffers from a remote buffer overflow v ...)
NOT-FOR-US: Small HTTP Server
-CVE-2022-28993
- RESERVED
-CVE-2022-28992
- RESERVED
-CVE-2022-28991
- RESERVED
-CVE-2022-28990
- RESERVED
+CVE-2022-28993 (Multi Store Inventory Management System v1.0 allows attackers to perfo ...)
+ TODO: check
+CVE-2022-28992 (A Cross-Site Request Forgery (CSRF) in Online Banquet Booking System v ...)
+ TODO: check
+CVE-2022-28991 (Multi Store Inventory Management System v1.0 was discovered to contain ...)
+ TODO: check
+CVE-2022-28990 (WASM3 v0.5.0 was discovered to contain a heap overflow via the compone ...)
+ TODO: check
CVE-2022-28989
RESERVED
CVE-2022-28988
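Review bot: three of the four new descriptions (CVE-2022-28993, CVE-2022-28992, CVE-2022-28991: Multi Store Inventory Management System and Online Banquet Booking System) are again hobby PHP applications and can take NOT-FOR-US directly; CVE-2022-28990 (WASM3 v0.5.0 heap overflow) is the one to actually check, since wasm3 is a native C interpreter that could plausibly be packaged or vendored, and a heap overflow in a WebAssembly runtime would need a real severity assessment if it is.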
@@ -6361,6 +6386,7 @@ CVE-2022-28960 (A PHP injection vulnerability in Spip before v3.2.8 allows attac
NOTE: https://github.com/spip/SPIP/commit/0394b44774555ae8331b6e65e35065dfa0bb41e4
NOTE: https://github.com/spip/SPIP/commit/6c1650713fc948318852ace759aab8f1a84791cf
CVE-2022-28959 (Multiple cross-site scripting (XSS) vulnerabilities in the component / ...)
+ {DSA-4798-1}
- spip 3.2.8-1
NOTE: https://blog.spip.net/Mise-a-jour-CRITIQUE-de-securite-SPIP-3-2-8-et-SPIP-3-1-13.html
NOTE: https://thinkloveshare.com/en/hacking/rce_on_spip_and_root_me/
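Review bot: attaching {DSA-4798-1} to CVE-2022-28959 is a retroactive mapping, since the advisory predates this 2022 CVE ID; that is fine for a late-assigned ID, but the ID also has to be added to the DSA-4798-1 record in data/DSA/list, otherwise the two files disagree and the tracker shows the DSA without this CVE. It is also worth confirming that the DSA covered the XSS fixes described here and not only the PHP injection tracked as CVE-2022-28960 directly above, which carries its own fix commits.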
@@ -7161,8 +7187,8 @@ CVE-2022-1237 (Improper Validation of Array Index in GitHub repository radareorg
NOTE: https://github.com/radareorg/radare2/commit/2d782cdaa2112c10b8dd5e7a93c134b2ada9c1a6
CVE-2022-1236 (Weak Password Requirements in GitHub repository weseek/growi prior to ...)
NOT-FOR-US: GROWI
-CVE-2022-28660
- RESERVED
+CVE-2022-28660 (The querier component in Grafana Enterprise Logs 1.1.x through 1.3.x b ...)
+ TODO: check
CVE-2022-28659
RESERVED
CVE-2022-28658
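Review bot: CVE-2022-28660 concerns the querier of Grafana Enterprise Logs, a commercial product, not the open-source Grafana; NOT-FOR-US: Grafana Enterprise Logs is the appropriate resolution, and it should not be lumped together with the CVE-2022-29170 Grafana entry earlier in this update.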
@@ -8979,12 +9005,12 @@ CVE-2022-28108 (Selenium Server (Grid) before 4 allows CSRF because it permits n
NOT-FOR-US: Selenium
CVE-2022-28107
RESERVED
-CVE-2022-28106
- RESERVED
-CVE-2022-28105
- RESERVED
-CVE-2022-28104
- RESERVED
+CVE-2022-28106 (Online Sports Complex Booking System v1.0 was discovered to allow atta ...)
+ TODO: check
+CVE-2022-28105 (Online Sports Complex Booking System v1.0 was discovered to contain a ...)
+ TODO: check
+CVE-2022-28104 (Foxit PDF Editor v11.3.1 was discovered to contain an arbitrary file u ...)
+ TODO: check
CVE-2022-28103
RESERVED
CVE-2022-28102 (A cross-site scripting (XSS) vulnerability in PHP MySQL Admin Panel Ge ...)
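Review bot: CVE-2022-28106 and CVE-2022-28105 (Online Sports Complex Booking System v1.0) fit the NOT-FOR-US pattern of the other hobby PHP applications in this file, and CVE-2022-28104 (Foxit PDF Editor, a proprietary product) can be tagged NOT-FOR-US: Foxit; none of the three needs to remain at TODO: check.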
@@ -11824,14 +11850,14 @@ CVE-2022-27097
RESERVED
CVE-2022-27096
RESERVED
-CVE-2022-27095
- RESERVED
-CVE-2022-27094
- RESERVED
+CVE-2022-27095 (BattlEye v0.9 contains an unquoted service path which allows attackers ...)
+ TODO: check
+CVE-2022-27094 (Sony PlayMemories Home v6.0 contains an unquoted service path which al ...)
+ TODO: check
CVE-2022-27093
RESERVED
-CVE-2022-27092
- RESERVED
+CVE-2022-27092 (Private Internet Access v3.3 contains an unquoted service path which a ...)
+ TODO: check
CVE-2022-27091
RESERVED
CVE-2022-27090 (Cscms Music Portal System v4.2 was discovered to contain a redirection ...)
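Review bot: all three new entries here (CVE-2022-27095 BattlEye, CVE-2022-27094 Sony PlayMemories Home, CVE-2022-27092 Private Internet Access) are Windows unquoted service path issues, which by construction affect only the vendors' Windows installers; tag them NOT-FOR-US with the product name rather than leaving a TODO: check on each.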
@@ -12987,12 +13013,12 @@ CVE-2022-26635 (PHP-Memcached v2.2.0 and below contains an improper NULL termina
- php-memcached <unfixed> (bug #1009328)
[stretch] - php-memcached <no-dsa> (Minor issue)
NOTE: https://xhzeem.me/posts/Php5-memcached-Injection-Bypass/read/
-CVE-2022-26634
- RESERVED
-CVE-2022-26633
- RESERVED
-CVE-2022-26632
- RESERVED
+CVE-2022-26634 (HMA VPN v5.3.5913.0 contains an unquoted service path which allows att ...)
+ TODO: check
+CVE-2022-26633 (Simple Student Quarterly Result/Grade System v1.0 was discovered to co ...)
+ TODO: check
+CVE-2022-26632 (Multi-Vendor Online Groceries Management System v1.0 was discovered to ...)
+ TODO: check
CVE-2022-26631 (Automatic Question Paper Generator v1.0 contains a Time-Based Blind SQ ...)
NOT-FOR-US: Automatic Question Paper Generator
CVE-2022-26630 (Jellycms v3.8.1 and below was discovered to contain an arbitrary file ...)
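Review bot: same pattern, different products: CVE-2022-26634 (HMA VPN, unquoted service path) is Windows-only, and CVE-2022-26633 and CVE-2022-26632 (Simple Student Quarterly Result/Grade System, Multi-Vendor Online Groceries Management System) are hobby PHP applications; the context lines immediately below (Automatic Question Paper Generator, NOT-FOR-US) show the tag these should get.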
@@ -16888,18 +16914,18 @@ CVE-2022-25235 (xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain
NOTE: https://github.com/libexpat/libexpat/commit/3f0a0cb644438d4d8e3294cd0b1245d0edb0c6c6
NOTE: https://github.com/libexpat/libexpat/commit/c85a3025e7a1be086dc34e7559fbc543914d047f
NOTE: https://github.com/libexpat/libexpat/commit/6a5510bc6b7efe743356296724e0b38300f05379
-CVE-2022-25229
- RESERVED
+CVE-2022-25229 (Popcorn Time 0.4.7 has a Stored XSS in the 'Movies API Server(s)'' fie ...)
+ TODO: check
CVE-2022-25228
RESERVED
-CVE-2022-25227
- RESERVED
+CVE-2022-25227 (Thinfinity VNC v4.0.0.1 contains a Cross-Origin Resource Sharing (CORS ...)
+ TODO: check
CVE-2022-25226 (ThinVNC version 1.0b1 allows an unauthenticated user to bypass the aut ...)
NOT-FOR-US: ThinVNC
CVE-2022-25225 (Network Olympus version 1.8.0 allows an authenticated admin user to in ...)
NOT-FOR-US: Network Olympus
-CVE-2022-25224
- RESERVED
+CVE-2022-25224 (Proton v0.2.0 allows an attacker to create a malicious link inside a m ...)
+ TODO: check
CVE-2022-25223 (Money Transfer Management System Version 1.0 allows an authenticated u ...)
NOT-FOR-US: Money Transfer Management System
CVE-2022-25222 (Money Transfer Management System Version 1.0 allows an unauthenticated ...)
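Review bot: CVE-2022-25227 (Thinfinity VNC, CORS) can follow the ThinVNC entry in the context lines directly below it (NOT-FOR-US: ThinVNC), and CVE-2022-25229 (Popcorn Time stored XSS) is not a Debian package either. The one to look at carefully is CVE-2022-25224: "Proton v0.2.0" is an ambiguous name (several unrelated projects are called Proton) and the description is cut off at "inside a m", so identify the upstream from the full CVE text before choosing a tag rather than assuming it is any well-known Proton.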
@@ -17824,14 +17850,14 @@ CVE-2022-24908
RESERVED
CVE-2022-24907
RESERVED
-CVE-2022-24906
- RESERVED
-CVE-2022-24905
- RESERVED
-CVE-2022-24904
- RESERVED
+CVE-2022-24906 (Nextcloud Deck is a Kanban-style project & personal management too ...)
+ TODO: check
+CVE-2022-24905 (Argo CD is a declarative, GitOps continuous delivery tool for Kubernet ...)
+ TODO: check
+CVE-2022-24904 (Argo CD is a declarative, GitOps continuous delivery tool for Kubernet ...)
NOT-FOR-US: Argo CD
CVE-2022-24903 (Rsyslog is a rocket-fast system for log processing. Modules for TCP sy ...)
+ {DLA-3016-1}
- rsyslog 8.2204.1-1 (bug #1010619)
NOTE: https://www.openwall.com/lists/oss-security/2022/05/05/3
NOTE: https://github.com/rsyslog/rsyslog/security/advisories/GHSA-ggw7-xr6h-mmr8#advisory-comment-72243
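Review bot: inconsistency within the hunk: CVE-2022-24905 (Argo CD) is left at TODO: check while CVE-2022-24904, also Argo CD and two lines below it, goes straight to NOT-FOR-US: Argo CD, as CVE-2022-29165 did earlier in this update; give 24905 the same tag. CVE-2022-24906 (Nextcloud Deck) should be handled together with CVE-2022-29159 above. The {DLA-3016-1} reference added to CVE-2022-24903 (rsyslog) is consistent with the same DLA being attached to CVE-2018-16881 at the end of this patch; confirm the DLA record lists both IDs.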
@@ -26857,8 +26883,8 @@ CVE-2022-22367
RESERVED
CVE-2022-22366
RESERVED
-CVE-2022-22365
- RESERVED
+CVE-2022-22365 (IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0, with the Ajax ...)
+ TODO: check
CVE-2022-22364
RESERVED
CVE-2022-22363
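Review bot: CVE-2022-22365 (IBM WebSphere Application Server 7.0, 8.0, 8.5 and 9.0) is a proprietary IBM product; the convention in this file is NOT-FOR-US: IBM (see the IBM Financial Transaction Manager entry further down), so this needs no TODO: check.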
@@ -36322,10 +36348,10 @@ CVE-2021-43731
RESERVED
CVE-2021-43730
RESERVED
-CVE-2021-43729
- RESERVED
-CVE-2021-43728
- RESERVED
+CVE-2021-43729 (Pix-Link MiNi Router 28K.MiniRouter.20190211 was discovered to contain ...)
+ TODO: check
+CVE-2021-43728 (Pix-Link MiNi Router 28K.MiniRouter.20190211 was discovered to contain ...)
+ TODO: check
CVE-2021-43727
RESERVED
CVE-2021-43726
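Review bot: CVE-2021-43729 and CVE-2021-43728 (Pix-Link MiNi Router firmware 28K.MiniRouter.20190211) are consumer router firmware issues, the same category as the D-Link DIR-816 entries elsewhere in this file, and can be tagged NOT-FOR-US: Pix-Link directly.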
@@ -50493,8 +50519,8 @@ CVE-2021-39045
RESERVED
CVE-2021-39044 (IBM Financial Transaction Manager 3.2.4 is vulnerable to cross-site re ...)
NOT-FOR-US: IBM
-CVE-2021-39043
- RESERVED
+CVE-2021-39043 (IBM Jazz Team Server 6.0.6, 6.0.6.1, 7.0, 7.0.1, and 7.0.2 is vulnerab ...)
+ TODO: check
CVE-2021-39042
RESERVED
CVE-2021-39041
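Review bot: CVE-2021-39043 (IBM Jazz Team Server) sits two lines below CVE-2021-39044, which already uses NOT-FOR-US: IBM; apply the same tag here instead of TODO: check.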
@@ -73349,8 +73375,8 @@ CVE-2021-30030 (Cross Site Scripting (XSS) in Remote Clinic v2.0 via the Full Na
NOT-FOR-US: Remote Clinic
CVE-2021-30029
RESERVED
-CVE-2021-30028
- RESERVED
+CVE-2021-30028 (SOOTEWAY Wi-Fi Range Extender v1.5 was discovered to use default crede ...)
+ TODO: check
CVE-2021-30027 (md_analyze_line in md4c.c in md4c 0.4.7 allows attackers to trigger us ...)
- md4c 0.4.7-2 (bug #987799)
NOTE: https://github.com/mity/md4c/issues/155
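Review bot: CVE-2021-30028 (SOOTEWAY Wi-Fi Range Extender v1.5, default credentials) is a hardware appliance issue with no software component Debian ships; NOT-FOR-US: SOOTEWAY. The md4c entry in the context lines is unchanged.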
@@ -118542,7 +118568,7 @@ CVE-2020-24656 (Maltego before 4.2.12 allows XXE attacks. ...)
CVE-2020-24655 (A race condition in the Twilio Authy 2-Factor Authentication applicati ...)
NOT-FOR-US: Twilio Authy 2-Factor Authentication app
CVE-2020-24654 (In KDE Ark before 20.08.1, a crafted TAR archive with symlinks can ins ...)
- {DSA-4759-1}
+ {DSA-4759-1 DLA-3015-1}
- ark 4:20.08.1-1 (bug #969437)
NOTE: https://github.com/KDE/ark/commit/8bf8c5ef07b0ac5e914d752681e470dea403a5bd
NOTE: https://kde.org/info/security/advisory-20200827-1.txt
@@ -136849,7 +136875,7 @@ CVE-2020-16117 (In GNOME evolution-data-server before 3.35.91, a malicious serve
NOTE: https://gitlab.gnome.org/GNOME/evolution-data-server/-/commit/627c3cdbfd077e59aa288c85ff8272950577f1d7
NOTE: https://gitlab.gnome.org/GNOME/evolution-data-server/-/issues/189
CVE-2020-16116 (In kerfuffle/jobs.cpp in KDE Ark before 20.08.0, a crafted archive can ...)
- {DSA-4738-1}
+ {DSA-4738-1 DLA-3015-1}
- ark 4:20.04.3-1
NOTE: https://kde.org/info/security/advisory-20200730-1.txt
NOTE: https://invent.kde.org/utilities/ark/-/commit/0df592524fed305d6fbe74ddf8a196bc9ffdb92f
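Review bot: DLA-3015-1 is added to CVE-2020-16116 here and to CVE-2020-24654 in the previous hunk, both ark with existing DSA references (DSA-4738-1 and DSA-4759-1); the two additions are consistent with a single LTS ark upload, and the DLA-3015-1 record in data/DLA/list should list both CVE IDs so the files stay in sync.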
@@ -244749,6 +244775,7 @@ CVE-2018-16882 (A use-after-free issue was found in the way the Linux kernel's K
NOTE: https://marc.info/?l=kvm&m=154514994222809&w=2
NOTE: Fixed by: https://git.kernel.org/linus/c2dd5146e9fe1f22c77c1b011adf84eea0245806
CVE-2018-16881 (A denial of service vulnerability was found in rsyslog in the imptcp m ...)
+ {DLA-3016-1}
- rsyslog 8.27.0-2
[jessie] - rsyslog <not-affected> (Vulnerable code introduced in 8.13.1)
NOTE: Fixed by: https://github.com/rsyslog/rsyslog/commit/0381a0de64a5a048c3d48b79055bd9848d0c7fc2
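Review bot: attaching DLA-3016-1 to CVE-2018-16881 as well as to CVE-2022-24903 means the LTS rsyslog update fixed a four-year-old imptcp denial of service alongside the new TCP-module issue, which is plausible; but double-check that the version the DLA shipped actually contains the 0381a0de fix, since the [jessie] line records the vulnerable code as introduced in 8.13.1 and the unstable fix as 8.27.0-2, so whether the LTS suite needed the backport depends on which side of 8.27.0 it sits.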
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9b3b80d9b6c7fe3b45e5a2fb61247754f37a1ef1