[Git][security-tracker-team/security-tracker][master] 2 commits: Add CVE-2022-401{49,50}/libjettison-java

Salvatore Bonaccorso (@carnil) carnil at debian.org
Sun Oct 23 20:12:30 BST 2022



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
afffd8f3 by Salvatore Bonaccorso at 2022-10-23T21:10:15+02:00
Add CVE-2022-401{49,50}/libjettison-java

- - - - -
18073d6c by Salvatore Bonaccorso at 2022-10-23T21:10:17+02:00
Process NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -3648,7 +3648,7 @@ CVE-2022-42229 (Wedding Planner v1.0 is vulnerable to Arbitrary code execution v
 CVE-2022-42228
 	RESERVED
 CVE-2022-42227 (jsonlint 1.0 is vulnerable to heap-buffer-overflow via /home/hjsz/json ...)
-	TODO: check
+	NOT-FOR-US: p-ranav/jsonlint (different from src:jsonlint)
 CVE-2022-42226
 	RESERVED
 CVE-2022-42225
@@ -3724,7 +3724,7 @@ CVE-2022-42191
 CVE-2022-42190
 	RESERVED
 CVE-2022-42189 (Emlog Pro 1.6.0 plugins upload suffers from a remote code execution (R ...)
-	TODO: check
+	NOT-FOR-US: Emlog Pro
 CVE-2022-42188 (In Lavalite 9.0.0, the XSRF-TOKEN cookie is vulnerable to path travers ...)
 	NOT-FOR-US: Lavalite CMS
 CVE-2022-42187
@@ -4818,7 +4818,7 @@ CVE-2022-41711
 CVE-2022-41710
 	RESERVED
 CVE-2022-41709 (Markdownify version 1.4.1 allows an external attacker to execute arbit ...)
-	TODO: check
+	NOT-FOR-US: Markdownify
 CVE-2022-41708 (Relatedcode's Messenger version 7bcd20b allows an authenticated extern ...)
 	NOT-FOR-US: Relatedcode's Messenger
 CVE-2022-41707 (Relatedcode's Messenger version 7bcd20b allows an authenticated extern ...)
@@ -5020,7 +5020,7 @@ CVE-2022-41577 (The kernel server has a vulnerability of not verifying the lengt
 CVE-2022-41576 (The rphone module has a script that can be maliciously modified.Succes ...)
 	NOT-FOR-US: Huawei
 CVE-2022-41575 (A credential-exposure vulnerability in the support-bundle mechanism in ...)
-	TODO: check
+	NOT-FOR-US: Gradle Enterprise
 CVE-2022-41574 (An access-control vulnerability in Gradle Enterprise 2022.4 through 20 ...)
 	NOT-FOR-US: Gradle Enterprise
 CVE-2022-41573
@@ -7051,7 +7051,7 @@ CVE-2022-40800
 CVE-2022-40799
 	RESERVED
 CVE-2022-40798 (OcoMon 4.0RC1 is vulnerable to Incorrect Access Control. Through a req ...)
-	TODO: check
+	NOT-FOR-US: OcoMon
 CVE-2022-40797
 	RESERVED
 CVE-2022-40796
@@ -7507,7 +7507,7 @@ CVE-2022-3204 (A vulnerability named 'Non-Responsive Delegation Attack' (NRDeleg
 	NOTE: https://www.nlnetlabs.nl/downloads/unbound/CVE-2022-3204.txt
 	NOTE: Fixed by: https://github.com/NLnetLabs/unbound/commit/137719522a8ea5b380fbb6206d2466f402f5b554 (release-1.16.3)
 CVE-2022-3203 (On ORing net IAP-420(+) with FW version 2.0m a telnet server is enable ...)
-	TODO: check
+	NOT-FOR-US: ORing net IAP-420(+)
 CVE-2022-3202 (A NULL pointer dereference flaw in diFree in fs/jfs/inode.c in Journal ...)
 	- linux 5.17.3-1
 	[bullseye] - linux 5.10.113-1
@@ -8642,9 +8642,14 @@ CVE-2022-40151 (Those using Xstream to seralize XML data may be vulnerable to De
 	- libxstream-java <undetermined>
 	NOTE: https://github.com/x-stream/xstream/issues/304
 CVE-2022-40150 (Those using Jettison to parse untrusted XML or JSON data may be vulner ...)
-	TODO: check
+	- libjettison-java <unfixed>
+	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=46549
+	NOTE: https://github.com/jettison-json/jettison/issues/45
 CVE-2022-40149 (Those using Jettison to parse untrusted XML or JSON data may be vulner ...)
-	TODO: check
+	- libjettison-java <unfixed>
+	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=46538
+	NOTE: https://github.com/jettison-json/jettison/issues/45
+	NOTE: https://github.com/jettison-json/jettison/commit/395f8625bcf688743872c8e7f59360d372e77811 (jettison-1.5.1)
 CVE-2022-40148
 	RESERVED
 CVE-2022-40147 (A vulnerability has been identified in Industrial Edge Management (All ...)
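
Review bot: The new CVE-2022-40150 entry has no fix reference, although it cites the same upstream issue (jettison-json/jettison#45) as CVE-2022-40149, which also gets the 395f8625 commit tagged jettison-1.5.1. Add a NOTE under CVE-2022-40150 stating whether that commit covers it as well or that no upstream fix is known yet, so whoever later resolves the two `<unfixed>` entries knows which upstream version to check. As a style point, the commit line under CVE-2022-40149 would match the unbound entry elsewhere in this file if it used the `NOTE: Fixed by: ...` form.
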
@@ -8834,7 +8839,7 @@ CVE-2022-40086
 CVE-2022-40085
 	RESERVED
 CVE-2022-40084 (OpenCRX before v5.2.2 was discovered to be vulnerable to password enum ...)
-	TODO: check
+	NOT-FOR-US: OpenCRX
 CVE-2022-40083 (Labstack Echo v4.8.0 was discovered to contain an open redirect vulner ...)
 	NOT-FOR-US: Labstack Echo
 CVE-2022-40082 (Hertz v0.3.0 ws discovered to contain a path traversal vulnerability v ...)
@@ -9418,7 +9423,7 @@ CVE-2022-39825
 CVE-2022-39824 (Server-side JavaScript injection in Appsmith through 1.7.14 allows rem ...)
 	NOT-FOR-US: Appsmith
 CVE-2022-39823 (An issue was discovered in Softing OPC UA C++ SDK 5.66 through 6.x bef ...)
-	TODO: check
+	NOT-FOR-US: Softing
 CVE-2022-39822
 	RESERVED
 CVE-2022-39821 (In NOKIA 1350 OMS R14.2, an Insertion of Sensitive Information into an ...)
@@ -15681,7 +15686,7 @@ CVE-2022-37454 (The Keccak XKCP SHA-3 reference implementation before fdc6fef ha
 	NOTE: https://mouha.be/sha-3-buffer-overflow/
 	TODO: check affected packages
 CVE-2022-37453 (An issue was discovered in Softing OPC UA C++ SDK before 6.10. A buffe ...)
-	TODO: check
+	NOT-FOR-US: Softing
 CVE-2022-2708 (A vulnerability, which was classified as critical, was found in Source ...)
 	NOT-FOR-US: SourceCodester Gym Management System
 CVE-2022-2707 (A vulnerability classified as critical was found in SourceCodester Onl ...)
@@ -48758,9 +48763,9 @@ CVE-2022-25751 (A vulnerability has been identified in SCALANCE X302-7 EEC (230V
 CVE-2022-25750 (Memory corruption in BTHOST due to double free while music playback an ...)
 	NOT-FOR-US: Qualcomm
 CVE-2022-25749 (Transient Denial-of-Service in WLAN due to buffer over-read while pars ...)
-	TODO: check
+	NOT-FOR-US: Qualcomm
 CVE-2022-25748 (Memory corruption in WLAN due to integer overflow to buffer overflow w ...)
-	TODO: check
+	NOT-FOR-US: Qualcomm
 CVE-2022-25747
 	RESERVED
 CVE-2022-25746
@@ -48784,7 +48789,7 @@ CVE-2022-25738
 CVE-2022-25737
 	RESERVED
 CVE-2022-25736 (Denial of service in WLAN due to out-of-bound read happens while proce ...)
-	TODO: check
+	NOT-FOR-US: Qualcomm
 CVE-2022-25735
 	RESERVED
 CVE-2022-25734
@@ -48816,11 +48821,11 @@ CVE-2022-25722
 CVE-2022-25721
 	RESERVED
 CVE-2022-25720 (Memory corruption in WLAN due to out of bound array access during conn ...)
-	TODO: check
+	NOT-FOR-US: Qualcomm
 CVE-2022-25719 (Information disclosure in WLAN due to improper length check while proc ...)
-	TODO: check
+	NOT-FOR-US: Qualcomm
 CVE-2022-25718 (Cryptographic issue in WLAN due to improper check on return value whil ...)
-	TODO: check
+	NOT-FOR-US: Qualcomm
 CVE-2022-25717
 	RESERVED
 CVE-2022-25716
@@ -48882,7 +48887,7 @@ CVE-2022-25689
 CVE-2022-25688 (Memory corruption in video due to buffer overflow while parsing ps vid ...)
 	NOT-FOR-US: Qualcomm
 CVE-2022-25687 (memory corruption in video due to buffer overflow while parsing asf cl ...)
-	TODO: check
+	NOT-FOR-US: Snapdragon
 CVE-2022-25686 (Memory corruption in video module due to buffer overflow while process ...)
 	NOT-FOR-US: Qualcomm
 CVE-2022-25685
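
Review bot: CVE-2022-25687 is tagged `NOT-FOR-US: Snapdragon`, while the adjacent CVE-2022-25688 and CVE-2022-25686 (same "memory corruption in video" wording) are `NOT-FOR-US: Qualcomm`, as are the other CVE-2022-257xx entries this change touches. Suggest `NOT-FOR-US: Qualcomm` here as well so that a search by vendor tag finds all of them.
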
@@ -56312,7 +56317,7 @@ CVE-2022-23464 (Nepxion Discovery is a solution for Spring Cloud. Discovery is v
 CVE-2022-23463 (Nepxion Discovery is a solution for Spring Cloud. Discover is vulnerab ...)
 	NOT-FOR-US: Nepxion
 CVE-2022-23462 (IOWOW is a C utility library and persistent key/value storage engine.  ...)
-	TODO: check
+	NOT-FOR-US: IOWOW
 CVE-2022-23461 (Jodit Editor is a WYSIWYG editor written in pure TypeScript without th ...)
 	NOT-FOR-US: Jodit Editor
 CVE-2022-23460 (Jsonxx or Json++ is a JSON parser, writer and reader written in C++. I ...)
@@ -74330,7 +74335,7 @@ CVE-2022-0001 (Non-transparent sharing of branch predictor selectors between con
 	NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00598.html
 	NOTE: https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/technical-documentation/branch-history-injection.html
 CVE-2021-42553 (A buffer overflow vulnerability in stm32_mw_usb_host of STMicroelectro ...)
-	TODO: check
+	NOT-FOR-US: STMicroelectronics
 CVE-2021-42552 (Cross-site Scripting (XSS) vulnerability in ArchivistaBox webclient al ...)
 	NOT-FOR-US: ArchivistaBox
 CVE-2021-42551 (Cross-site Scripting (XSS) vulnerability in the search functionality o ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/3c660b8add95c68dfc060298c966ae4b674524b4...18073d6c1fc8daeb6e67c07661e7614f6c2514cf
