[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Wed Aug 2 21:19:17 BST 2023
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
cbd6d0bb by security tracker role at 2023-08-02T20:19:03+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,3 +1,31 @@
+CVE-2023-4067 (The Bus Ticket Booking with Seat Reservation plugin for WordPress is v ...)
+ TODO: check
+CVE-2023-3978 (Text nodes not in the HTML namespace are incorrectly literally rendere ...)
+ TODO: check
+CVE-2023-3470 (Specific F5 BIG-IP platforms with Cavium Nitrox FIPS HSM cards generat ...)
+ TODO: check
+CVE-2023-3426 (The organization selector in Liferay Portal 7.4.3.81 through 7.4.3.85, ...)
+ TODO: check
+CVE-2023-38423 (A cross-site scripting (XSS) vulnerability exists in an undisclosed pa ...)
+ TODO: check
+CVE-2023-38419 (An authenticated attacker with guest privileges or higher can cause th ...)
+ TODO: check
+CVE-2023-38418 (The BIG-IP Edge Client Installer on macOS does not follow best practic ...)
+ TODO: check
+CVE-2023-38330 (OXID eShop Enterprise Edition 6.5.0 \u2013 6.5.2 before 6.5.3 allows u ...)
+ TODO: check
+CVE-2023-38138 (A reflected cross-site scripting (XSS) vulnerability exists in an undi ...)
+ TODO: check
+CVE-2023-36858 (An insufficient verification of data vulnerability exists in BIG-IP Ed ...)
+ TODO: check
+CVE-2023-36494 (Audit logs on F5OS-A may contain undisclosed sensitive information. No ...)
+ TODO: check
+CVE-2023-36081 (Cross Site Scripting vulnerability in GatesAIr Flexiva FM Transmitter/ ...)
+ TODO: check
+CVE-2023-33383 (Shelly 4PM Pro four-channel smart switch 0.11.0 allows an attacker to ...)
+ TODO: check
+CVE-2023-33257 (Verint Engagement Management 15.3 Update 2023R2 is vulnerable to HTML ...)
+ TODO: check
CVE-2023-4016 (Under some circumstances, this weakness allows a user who has access t ...)
- procps <unfixed> (bug #1042887)
NOTE: https://gitlab.com/procps-ng/procps/-/issues/297
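Review bot: the description imported for CVE-2023-38330 carries a literal "\u2013" escape ("6.5.0 \u2013 6.5.2") where an en dash belongs, and the context line of the later hunk for CVE-2022-3424 ("kernel\u2019s") shows the same pattern already in the file, so the importer appears to write JSON unicode escapes verbatim; decoding them before the 70-character truncation would keep the summaries readable. On the triage side, most of the fourteen new TODO: check entries name vendor products rather than Debian packages (F5 BIG-IP and F5OS, Liferay, OXID eShop, Shelly, Verint, two WordPress plugins), and this file already uses NOT-FOR-US: WordPress plugin for the latter, so they should resolve quickly.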
@@ -71,7 +99,7 @@ CVE-2023-3900 (An issue has been discovered in GitLab CE/EE affecting all versio
- gitlab <unfixed>
CVE-2023-3500 (An issue has been discovered in GitLab CE/EE affecting all versions st ...)
- gitlab <unfixed>
-CVE-2023-3401
+CVE-2023-3401 (An issue has been discovered in GitLab affecting all versions before 1 ...)
- gitlab <unfixed>
CVE-2023-3385 (An issue has been discovered in GitLab affecting all versions starting ...)
- gitlab <unfixed>
@@ -302,7 +330,7 @@ CVE-2023-34872 (A vulnerability in Outline.cc for Poppler prior to 23.06.0 allow
NOTE: https://gitlab.freedesktop.org/poppler/poppler/-/issues/1399
CVE-2023-34842 (Remote Code Execution vulnerability in DedeCMS through 5.7.109 allows ...)
NOT-FOR-US: DedeCMS
-CVE-2023-34644 (Remote code execution vulnerability in Ruijie Networks Product: RG-EW ...)
+CVE-2023-34644 (A command injection vulnerability exists in the EWEB management system ...)
NOT-FOR-US: Ruijie
CVE-2023-34635 (Wifi Soft Unibox Administration 3.0 and 3.1 is vulnerable to SQL Injec ...)
NOT-FOR-US: Wifi Soft Unibox Administration
@@ -1754,7 +1782,7 @@ CVE-2020-36695 (Incorrect Default Permissions vulnerability in Hitachi Device Ma
NOT-FOR-US: Hitachi
CVE-2015-10122 (A vulnerability was found in wp-donate Plugin up to 1.4 on WordPress. ...)
NOT-FOR-US: WordPress plugin
-CVE-2023-3700 (Improper Access Control in GitHub repository alextselegidis/easyappoin ...)
+CVE-2023-3700 (Authorization Bypass Through User-Controlled Key in GitHub repository ...)
NOT-FOR-US: easyappointments
CVE-2023-3696 (Prototype Pollution in GitHub repository automattic/mongoose prior to ...)
NOT-FOR-US: Mongoose
@@ -3177,7 +3205,7 @@ CVE-2023-XXXX [spip: Use a dedicated function to clean author data when preparin
[bullseye] - spip <no-dsa> (Minor issue)
[buster] - spip <no-dsa> (Minor issue)
NOTE: https://blog.spip.net/Mise-a-jour-de-maintenance-et-securite-sortie-de-SPIP-4-2-4-SPIP-4-1-11.html
-CVE-2023-3568 (Improper Input Validation in GitHub repository fossbilling/fossbilling ...)
+CVE-2023-3568 (Open Redirect in GitHub repository alextselegidis/easyappointments pri ...)
NOT-FOR-US: fossbilling
CVE-2023-37288 (SmartBPM.NET component has a vulnerability of path traversal within it ...)
NOT-FOR-US: SmartBPM.NET
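Review bot: the triage line no longer matches the entry it belongs to. The new description for CVE-2023-3568 reads "Open Redirect in GitHub repository alextselegidis/easyappointments", but the unchanged line below still says "NOT-FOR-US: fossbilling", carried over from the old "Improper Input Validation in GitHub repository fossbilling/fossbilling" text. Either the upstream record was reassigned to a different project or the feed returned the wrong description; verify against the CVE record and, if the new text is correct, change the tag to "NOT-FOR-US: easyappointments".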
@@ -8490,6 +8518,7 @@ CVE-2023-33203 (The Linux kernel before 6.2.9 has a race condition and resultant
[buster] - linux 4.19.282-1
NOTE: https://git.kernel.org/linus/6b6bc5b8bd2d4ca9e1efa9ae0f98a0b0687ace75 (6.3-rc4)
CVE-2023-33201 (Bouncy Castle For Java before 1.74 is affected by an LDAP injection vu ...)
+ {DLA-3514-1}
- bouncycastle <unfixed> (bug #1040050)
[bookworm] - bouncycastle <no-dsa> (Minor issue)
[bullseye] - bouncycastle <no-dsa> (Minor issue)
@@ -12199,8 +12228,7 @@ CVE-2023-2024 (Improper authentication in OpenBlue Enterprise Manager Data Colle
NOT-FOR-US: OpenBlue Enterprise Manager Data Collector
CVE-2023-2023 (The Custom 404 Pro WordPress plugin before 3.7.3 does not escape some ...)
NOT-FOR-US: WordPress plugin
-CVE-2023-2022
- RESERVED
+CVE-2023-2022 (An issue has been discovered in GitLab CE/EE affecting all versions st ...)
- gitlab <unfixed>
CVE-2023-2021 (Cross-site Scripting (XSS) - Stored in GitHub repository nilsteampassn ...)
- teampass <itp> (bug #730180)
@@ -15231,18 +15259,17 @@ CVE-2023-29411 (A CWE-306: Missing Authentication for Critical Function vulnerab
NOT-FOR-US: Schneider
CVE-2023-29410 (A CWE-20: Improper Input Validation vulnerability exists that could al ...)
NOT-FOR-US: Schneider
-CVE-2023-29409
- RESERVED
+CVE-2023-29409 (Extremely large RSA keys in certificate chains can cause a client/serv ...)
- golang-1.20 1.20.7-1
- golang-1.19 1.19.12-1
- golang-1.15 <removed>
- golang-1.11 <removed>
[buster] - golang-1.11 <postponed> (Limited support, follow bullseye DSAs/point-releases)
NOTE: https://groups.google.com/g/golang-announce/c/X0b6CsSAaYI
-CVE-2023-29408
- RESERVED
-CVE-2023-29407
- RESERVED
+CVE-2023-29408 (The TIFF decoder does not place a limit on the size of compressed tile ...)
+ TODO: check
+CVE-2023-29407 (A maliciously-crafted image can cause excessive CPU consumption in dec ...)
+ TODO: check
CVE-2023-29406 (The HTTP/1 client does not fully validate the contents of the Host hea ...)
- golang-1.20 1.20.6-1
- golang-1.19 1.19.11-1
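Review bot: CVE-2023-29408 and CVE-2023-29407 are left as TODO: check while the surrounding Go entries carry package versions; their descriptions refer to a TIFF decoder and to image decoding, not to the certificate-chain handling of CVE-2023-29409, so before copying the "golang-1.20 1.20.7-1" / "golang-1.19 1.19.12-1" lines, confirm which source package ships that decoder (the standard library versus an external module such as golang.org/x/image). The CVE-2023-29409 entry itself is consistent with the CVE-2023-29406 block below it (1.20.6-1 / 1.19.11-1 there, one point release later here), and the buster golang-1.11 postponed note matches the existing convention.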
@@ -24607,34 +24634,34 @@ CVE-2023-26453
RESERVED
CVE-2023-26452
RESERVED
-CVE-2023-26451
- RESERVED
-CVE-2023-26450
- RESERVED
-CVE-2023-26449
- RESERVED
-CVE-2023-26448
- RESERVED
-CVE-2023-26447
- RESERVED
-CVE-2023-26446
- RESERVED
-CVE-2023-26445
- RESERVED
+CVE-2023-26451 (Functions with insufficient randomness were used to generate authoriza ...)
+ TODO: check
+CVE-2023-26450 (The "OX Count" web service did not specify a media-type when processin ...)
+ TODO: check
+CVE-2023-26449 (The "OX Chat" web service did not specify a media-type when processing ...)
+ TODO: check
+CVE-2023-26448 (Custom log-in and log-out locations are used-defined as jslob but were ...)
+ TODO: check
+CVE-2023-26447 (The "upsell" widget for the portal allows to specify a product descrip ...)
+ TODO: check
+CVE-2023-26446 (The users clientID at "application passwords" was not sanitized or esc ...)
+ TODO: check
+CVE-2023-26445 (Frontend themes are defined by user-controllable jslob settings and co ...)
+ TODO: check
CVE-2023-26444
RESERVED
-CVE-2023-26443
- RESERVED
-CVE-2023-26442
- RESERVED
-CVE-2023-26441
- RESERVED
-CVE-2023-26440
- RESERVED
-CVE-2023-26439
- RESERVED
-CVE-2023-26438
- RESERVED
+CVE-2023-26443 (Full-text autocomplete search allows user-provided SQL syntax to be in ...)
+ TODO: check
+CVE-2023-26442 (In case Cacheservice was configured to use a sproxyd object-storage ba ...)
+ TODO: check
+CVE-2023-26441 (Cacheservice did not correctly check if relative cache object were poi ...)
+ TODO: check
+CVE-2023-26440 (The cacheservice API could be abused to indirectly inject parameters w ...)
+ TODO: check
+CVE-2023-26439 (The cacheservice API could be abused to inject parameters with SQL syn ...)
+ TODO: check
+CVE-2023-26438 (External service lookups for a number of protocols were vulnerable to ...)
+ TODO: check
CVE-2023-26437 (Denial of service vulnerability in PowerDNS Recursor allows authoritat ...)
- pdns-recursor 4.8.4-1 (bug #1033941)
[bullseye] - pdns-recursor <no-dsa> (Minor issue)
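Review bot: all thirteen entries un-reserved here (CVE-2023-26451 through CVE-2023-26445 and CVE-2023-26443 through CVE-2023-26438) describe OX App Suite components ("OX Count", "OX Chat", Cacheservice, jslob settings, the portal "upsell" widget), the product that the CVE-2023-26432, CVE-2023-26431 and CVE-2023-26429 entries in the next hunk tag as NOT-FOR-US: OX App Suite; the TODO: check placeholders can be resolved to that tag in one pass. The one to read more carefully is CVE-2023-26438 ("External service lookups for a number of protocols"), whose truncated description does not name the product.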
@@ -24655,8 +24682,8 @@ CVE-2023-26432 (When adding an external mail account, processing of SMTP "capabi
NOT-FOR-US: OX App Suite
CVE-2023-26431 (IPv4-mapped IPv6 addresses did not get recognized as "local" by the co ...)
NOT-FOR-US: OX App Suite
-CVE-2023-26430
- RESERVED
+CVE-2023-26430 (Attackers with access to user accounts can inject arbitrary control ch ...)
+ TODO: check
CVE-2023-26429 (Control characters were not removed when exporting user feedback conte ...)
NOT-FOR-US: OX App Suite
CVE-2023-26428 (Attackers can successfully request arbitrary snippet IDs, including E- ...)
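Review bot: CVE-2023-26430 sits directly between CVE-2023-26431 and CVE-2023-26429, both tagged NOT-FOR-US: OX App Suite, and its "inject arbitrary control characters" description belongs to the same family of control-character issues as the CVE-2023-26429 text just below it; TODO: check should become NOT-FOR-US: OX App Suite here as well.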
@@ -24881,10 +24908,10 @@ CVE-2023-26319
RESERVED
CVE-2023-26318
RESERVED
-CVE-2023-26317
- RESERVED
-CVE-2023-26316
- RESERVED
+CVE-2023-26317 (A vulnerability has been discovered in Xiaomi routers that could allow ...)
+ TODO: check
+CVE-2023-26316 (A XSS vulnerability exists in the Xiaomi cloud service Application pro ...)
+ TODO: check
CVE-2023-26315
RESERVED
CVE-2023-0979 (Improper Neutralization of Special Elements used in an SQL Command ('S ...)
@@ -33761,8 +33788,8 @@ CVE-2023-23478
RESERVED
CVE-2023-23477 (IBM WebSphere Application Server 8.5 and 9.0 traditional could allow a ...)
NOT-FOR-US: IBM
-CVE-2023-23476
- RESERVED
+CVE-2023-23476 (IBM Robotic Process Automation 21.0.0 through 21.0.7.latest is vulnera ...)
+ TODO: check
CVE-2023-23475 (IBM Infosphere Information Server 11.7 is vulnerable to cross-site scr ...)
NOT-FOR-US: IBM
CVE-2023-23474
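Review bot: CVE-2023-23476 (IBM Robotic Process Automation 21.0.0 through 21.0.7) is bracketed by CVE-2023-23477 and CVE-2023-23475, both NOT-FOR-US: IBM; the same tag applies and the TODO: check can be closed without further research.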
@@ -44213,10 +44240,10 @@ CVE-2022-46487
RESERVED
CVE-2022-46486
RESERVED
-CVE-2022-46485
- RESERVED
-CVE-2022-46484
- RESERVED
+CVE-2022-46485 (Data Illusion Survey Software Solutions ngSurvey version 2.4.28 and be ...)
+ TODO: check
+CVE-2022-46484 (Information disclosure in password protected surveys in Data Illusion ...)
+ TODO: check
CVE-2022-46483
RESERVED
CVE-2022-46482
@@ -58682,7 +58709,7 @@ CVE-2022-3424 (A use-after-free flaw was found in the Linux kernel\u2019s SGI GR
NOTE: https://lore.kernel.org/all/20221006152643.1694235-1-zyytlz.wz@163.com/
NOTE: https://git.kernel.org/linus/643a16a0eb1d6ac23744bb6e90a00fc21148a9dc
NOTE: SGI_GRU not enabled in any Debian kernel
-CVE-2022-3423 (Denial of Service in GitHub repository nocodb/nocodb prior to 0.92.0.)
+CVE-2022-3423 (Allocation of Resources Without Limits or Throttling in GitHub reposit ...)
NOT-FOR-US: nocodb
CVE-2022-3422 (Account Takeover :: when see the info i can see the hash pass i can cr ...)
NOT-FOR-US: ToolJet
@@ -63321,7 +63348,7 @@ CVE-2022-3227
RESERVED
CVE-2022-3226 (An OS command injection vulnerability allows admins to execute code vi ...)
NOT-FOR-US: Sophos
-CVE-2022-3225 (Improper Access Control in GitHub repository budibase/budibase prior t ...)
+CVE-2022-3225 (Improper Control of Dynamically-Managed Code Resources in GitHub repos ...)
NOT-FOR-US: budibase
CVE-2022-3224 (Misinterpretation of Input in GitHub repository ionicabizau/parse-url ...)
NOT-FOR-US: Node parse-url
@@ -63732,8 +63759,8 @@ CVE-2022-40611
RESERVED
CVE-2022-40610
RESERVED
-CVE-2022-40609
- RESERVED
+CVE-2022-40609 (IBM SDK, Java Technology Edition 7.1.5.18 and 8.0.8.0 could allow a re ...)
+ TODO: check
CVE-2022-40608 (IBM Spectrum Protect Plus 10.1.6 through 10.1.11 Microsoft File System ...)
NOT-FOR-US: IBM
CVE-2022-40607 (IBM Spectrum Scale 5.1 could allow users with permissions to create po ...)
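Review bot: CVE-2022-40609 concerns "IBM SDK, Java Technology Edition", IBM's own JDK distribution, and the neighbouring CVE-2022-40608 and CVE-2022-40607 entries use NOT-FOR-US: IBM, so that tag is the expected resolution. Before closing the TODO, though, it is worth a quick look at the full description to confirm the flaw is specific to IBM's build and not a fix that the openjdk source packages also need, since a Java runtime advisory is the one vendor case where the usual NOT-FOR-US shortcut can miss a Debian package.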
@@ -70071,7 +70098,7 @@ CVE-2022-2819 (Heap-based Buffer Overflow in GitHub repository vim/vim prior to
NOTE: https://huntr.dev/bounties/0a9bd71e-66b8-4eb1-9566-7dfd9b097e59
NOTE: https://github.com/vim/vim/commit/d1d8f6bacb489036d0fd479c9dd3c0102c988889 (v9.0.0211)
NOTE: Crash in CLI tool, no security impact
-CVE-2022-2818 (Authentication Bypass by Primary Weakness in GitHub repository cockpit ...)
+CVE-2022-2818 (Improper Removal of Sensitive Information Before Storage or Transfer i ...)
NOT-FOR-US: Cockpit-HQ/Cockpit
CVE-2022-38305 (AeroCMS v0.0.1 was discovered to contain an arbitrary file upload vuln ...)
NOT-FOR-US: AeroCMS
@@ -70809,7 +70836,7 @@ CVE-2022-2734 (Improper Restriction of Rendered UI Layers or Frames in GitHub re
NOT-FOR-US: OpenEMR
CVE-2022-2733 (Cross-site Scripting (XSS) - Reflected in GitHub repository openemr/op ...)
NOT-FOR-US: OpenEMR
-CVE-2022-2732 (Improper Privilege Management in GitHub repository openemr/openemr pri ...)
+CVE-2022-2732 (Missing Authorization in GitHub repository openemr/openemr prior to 7. ...)
NOT-FOR-US: OpenEMR
CVE-2022-2731 (Cross-site Scripting (XSS) - Reflected in GitHub repository openemr/op ...)
NOT-FOR-US: OpenEMR
@@ -84420,7 +84447,7 @@ CVE-2022-2056 (Divide By Zero error in tiffcrop in libtiff 4.4.0 allows attacker
NOTE: https://gitlab.com/libtiff/libtiff/-/commit/dd1bcc7abb26094e93636e85520f0d8f81ab0fab
CVE-2022-2055
RESERVED
-CVE-2022-2054 (Command Injection in GitHub repository nuitka/nuitka prior to 0.9.)
+CVE-2022-2054 (Code Injection in GitHub repository nuitka/nuitka prior to 0.9.)
- nuitka 0.9+ds-1 (bug #1012762)
[bullseye] - nuitka <no-dsa> (Minor issue)
[buster] - nuitka <no-dsa> (Minor issue)
@@ -88311,7 +88338,7 @@ CVE-2022-31620 (In libjpeg before 1.64, BitStream<false>::Get in bitstream.hpp h
NOTE: Crash in CLI tool, no security impact
CVE-2022-30533 (Cross-site scripting vulnerability in Modern Events Calendar Lite vers ...)
NOT-FOR-US: Modern Events Calendar Lite
-CVE-2022-1893 (Exposure of Sensitive Information to an Unauthorized Actor in GitHub r ...)
+CVE-2022-1893 (Improper Removal of Sensitive Information Before Storage or Transfer i ...)
NOT-FOR-US: Trudesk
CVE-2022-1892 (A buffer overflow in the SystemBootManagerDxe driver in some Lenovo No ...)
NOT-FOR-US: Lenovo
@@ -91663,7 +91690,7 @@ CVE-2022-1651 (A memory leak flaw was found in the Linux kernel in acrn_dev_ioct
[buster] - linux <not-affected> (Vulnerable code not present)
[stretch] - linux <not-affected> (Vulnerable code not present)
NOTE: https://git.kernel.org/linus/ecd1735f14d6ac868ae5d8b7a2bf193fa11f388b (5.18-rc1)
-CVE-2022-1650 (Exposure of Sensitive Information to an Unauthorized Actor in GitHub r ...)
+CVE-2022-1650 (Improper Removal of Sensitive Information Before Storage or Transfer i ...)
{DLA-3235-1}
- node-eventsource 2.0.2+~1.1.8-1
[bullseye] - node-eventsource 1.0.7-1+deb11u1
@@ -96033,7 +96060,7 @@ CVE-2022-1318 (Hills ComNav version 3002-19 suffers from a weak communication ch
NOT-FOR-US: Hills ComNav
CVE-2022-1317
RESERVED
-CVE-2022-1316 (ZeroTierOne for windows local privilege escalation because of incorrec ...)
+CVE-2022-1316 (Incorrect Permission Assignment for Critical Resource in GitHub reposi ...)
NOT-FOR-US: ZeroTierOne
CVE-2022-29063 (The Solr plugin of Apache OFBiz is configured by default to automatica ...)
NOT-FOR-US: Apache OFBiz
@@ -97110,7 +97137,7 @@ CVE-2022-1253 (Heap-based Buffer Overflow in GitHub repository strukturag/libde2
[stretch] - libde265 <not-affected> (Vulnerable code introduced later)
NOTE: https://huntr.dev/bounties/1-other-strukturag/libde265/
NOTE: https://github.com/strukturag/libde265/commit/8e89fe0e175d2870c39486fdd09250b230ec10b8
-CVE-2022-1252 (Exposure of Private Personal Information to an Unauthorized Actor in G ...)
+CVE-2022-1252 (Use of a Broken or Risky Cryptographic Algorithm in GitHub repository ...)
NOT-FOR-US: gnuboard5
CVE-2022-1251 (The Ask me WordPress theme before 6.8.4 does not perform nonce checks ...)
NOT-FOR-US: WordPress theme
@@ -97337,7 +97364,7 @@ CVE-2022-1225 (Incorrect Privilege Assignment in GitHub repository phpipam/phpip
- phpipam <itp> (bug #731713)
CVE-2022-1224 (Improper Authorization in GitHub repository phpipam/phpipam prior to 1 ...)
- phpipam <itp> (bug #731713)
-CVE-2022-1223 (Improper Access Control in GitHub repository phpipam/phpipam prior to ...)
+CVE-2022-1223 (Incorrect Authorization in GitHub repository phpipam/phpipam prior to ...)
- phpipam <itp> (bug #731713)
CVE-2022-1222 (Inf loop in GitHub repository gpac/gpac prior to 2.1.0-DEV.)
{DSA-5411-1}
@@ -104778,7 +104805,7 @@ CVE-2022-0764 (Arbitrary Command Injection in GitHub repository strapi/strapi pr
NOT-FOR-US: strapi
CVE-2022-0763 (Cross-site Scripting (XSS) - Stored in GitHub repository microweber/mi ...)
NOT-FOR-US: microweber
-CVE-2022-0762 (Business Logic Errors in GitHub repository microweber/microweber prior ...)
+CVE-2022-0762 (Incorrect Authorization in GitHub repository microweber/microweber pri ...)
NOT-FOR-US: microweber
CVE-2021-4224
RESERVED
@@ -107448,7 +107475,7 @@ CVE-2022-25148 (The WP Statistics WordPress plugin is vulnerable to SQL Injectio
NOT-FOR-US: WordPress plugin
CVE-2022-0612 (Cross-site Scripting (XSS) - Stored in Packagist remdex/livehelperchat ...)
NOT-FOR-US: livehelperchat
-CVE-2022-0611 (Improper Privilege Management in Packagist snipe/snipe-it prior to 5.3 ...)
+CVE-2022-0611 (Missing Authorization in Packagist snipe/snipe-it prior to 5.3.11.)
- snipe-it <itp> (bug #1005172)
CVE-2019-25057 (In Corda before 4.1, the meaning of serialized data can be modified vi ...)
NOT-FOR-US: Corda
@@ -107533,7 +107560,7 @@ CVE-2022-0590 (The BulletProof Security WordPress plugin before 5.8 does not san
NOT-FOR-US: WordPress plugin
CVE-2022-0589 (Cross-site Scripting (XSS) - Stored in Packagist librenms/librenms pri ...)
NOT-FOR-US: LibreNMS
-CVE-2022-0588 (Exposure of Sensitive Information to an Unauthorized Actor in Packagis ...)
+CVE-2022-0588 (Missing Authorization in Packagist librenms/librenms prior to 22.2.0.)
NOT-FOR-US: LibreNMS
CVE-2022-0587 (Improper Authorization in Packagist librenms/librenms prior to 22.2.0.)
NOT-FOR-US: LibreNMS
@@ -107955,7 +107982,7 @@ CVE-2022-0581 (Crash in the CMS protocol dissector in Wireshark 3.6.0 to 3.6.1 a
[buster] - wireshark 2.6.20-0+deb10u4
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17935
NOTE: https://www.wireshark.org/security/wnpa-sec-2022-05.html
-CVE-2022-0580 (Improper Access Control in Packagist librenms/librenms prior to 22.2.0 ...)
+CVE-2022-0580 (Incorrect Authorization in Packagist librenms/librenms prior to 22.2.0 ...)
NOT-FOR-US: LibreNMS
CVE-2022-24980 (An issue was discovered in the Kitodo.Presentation (aka dif) extension ...)
NOT-FOR-US: TYPO3 extension
@@ -107965,7 +107992,7 @@ CVE-2022-24978 (Zoho ManageEngine ADAudit Plus before 7055 allows authenticated
NOT-FOR-US: Zoho
CVE-2022-24977 (ImpressCMS before 1.4.2 allows unauthenticated remote code execution v ...)
NOT-FOR-US: ImpressCMS
-CVE-2022-0579 (Improper Privilege Management in Packagist snipe/snipe-it prior to 5.3 ...)
+CVE-2022-0579 (Missing Authorization in Packagist snipe/snipe-it prior to 5.3.9.)
- snipe-it <itp> (bug #1005172)
CVE-2022-0578 (Code Injection in GitHub repository publify/publify prior to 9.2.8.)
NOT-FOR-US: Publify
@@ -108004,7 +108031,7 @@ CVE-2022-0570 (Heap-based Buffer Overflow in Homebrew mruby prior to 3.2.)
- mruby <not-affected> (Vulnerable code introduced later)
NOTE: https://huntr.dev/bounties/65a7632e-f95b-4836-b1a7-9cb95e5124f1
NOTE: https://github.com/mruby/mruby/commit/38b164ace7d6ae1c367883a3d67d7f559783faad
-CVE-2022-0569 (Exposure of Sensitive Information to an Unauthorized Actor in Packagis ...)
+CVE-2022-0569 (Observable Discrepancy in Packagist snipe/snipe-it prior to v5.3.9.)
- snipe-it <itp> (bug #1005172)
CVE-2022-24975 (The --mirror documentation for Git through 2.35.1 does not mention the ...)
- git <unfixed> (unimportant)
@@ -108049,7 +108076,7 @@ CVE-2022-0566 (It may be possible for an attacker to craft an email message that
{DSA-5086-1 DLA-2930-1}
- thunderbird 1:91.6.1-1
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-07/#CVE-2022-0566
-CVE-2022-0565 (Exposure of Sensitive Information to an Unauthorized Actor in Packagis ...)
+CVE-2022-0565 (Cross-site Scripting in Packagist pimcore/pimcore prior to 10.3.1.)
NOT-FOR-US: pimcore
CVE-2021-22590
RESERVED
@@ -109132,7 +109159,7 @@ CVE-2022-0538 (Jenkins 2.333 and earlier, LTS 2.319.2 and earlier defines custom
- jenkins <removed>
CVE-2022-0537 (The MapPress Maps for WordPress plugin before 2.73.13 allows a high pr ...)
NOT-FOR-US: WordPress plugin
-CVE-2022-0536 (Exposure of Sensitive Information to an Unauthorized Actor in NPM foll ...)
+CVE-2022-0536 (Improper Removal of Sensitive Information Before Storage or Transfer i ...)
- node-follow-redirects 1.14.8+~1.14.0-1
[bullseye] - node-follow-redirects 1.13.1-1+deb11u1
[buster] - node-follow-redirects <ignored> (Minor issue, too intrusive to backport)
@@ -111788,7 +111815,7 @@ CVE-2022-21201 (A stack-based buffer overflow vulnerability exists in the confer
NOT-FOR-US: TCL LinkHub Mesh Wi-Fi
CVE-2022-21178 (An os command injection vulnerability exists in the confsrv ucloud_add ...)
NOT-FOR-US: TCL LinkHub Mesh Wi-Fi
-CVE-2022-0355 (Exposure of Sensitive Information to an Unauthorized Actor in NPM simp ...)
+CVE-2022-0355 (Improper Removal of Sensitive Information Before Storage or Transfer i ...)
NOT-FOR-US: simple-get nodejs module
CVE-2022-0354 (A vulnerability was reported in Lenovo System Update that could allow ...)
NOT-FOR-US: Lenovo
@@ -112322,7 +112349,7 @@ CVE-2022-23849 (The biometric lock in Devolutions Password Hub for iOS before 20
NOT-FOR-US: Devolutions Password Hub for iOS
CVE-2022-0339 (Server-Side Request Forgery (SSRF) in Pypi calibreweb prior to 0.6.16.)
- calibre-web <itp> (bug #982690)
-CVE-2022-0338 (Improper Privilege Management in Conda loguru prior to 0.5.3.)
+CVE-2022-0338 (Insertion of Sensitive Information into Log File in Conda loguru prior ...)
- loguru <unfixed> (unimportant)
NOTE: https://huntr.dev/bounties/359bea50-2bc6-426a-b2f9-175d401b1ed0/
NOTE: Document best practices for security: https://github.com/delgan/loguru/commit/ea39375e62f9b8f18e2ca798a5c0fb8c972b7eaa
@@ -113620,7 +113647,7 @@ CVE-2022-0284 (A heap-based-buffer-over-read flaw was found in ImageMagick's Get
CVE-2022-0283 (An issue has been discovered affecting GitLab versions prior to 13.5. ...)
- gitlab 15.10.8+ds1-2
NOTE: https://gitlab.com/gitlab-org/gitlab/-/issues/349422
-CVE-2022-0282 (Code Injection in Packagist microweber/microweber prior to 1.2.11.)
+CVE-2022-0282 (Cross-site Scripting in Packagist microweber/microweber prior to 1.2.1 ...)
NOT-FOR-US: microweber
CVE-2022-0281 (Exposure of Sensitive Information to an Unauthorized Actor in Packagis ...)
NOT-FOR-US: microweber
@@ -115307,7 +115334,7 @@ CVE-2022-0180 (Cross-site request forgery (CSRF) vulnerability in Quiz And Surve
NOT-FOR-US: Quiz And Survey Master
CVE-2022-0179 (snipe-it is vulnerable to Missing Authorization)
- snipe-it <itp> (bug #1005172)
-CVE-2022-0178 (snipe-it is vulnerable to Improper Access Control)
+CVE-2022-0178 (Missing Authorization vulnerability in snipe snipe/snipe-it.This issue ...)
- snipe-it <itp> (bug #1005172)
CVE-2022-0177
REJECTED
@@ -115655,7 +115682,7 @@ CVE-2022-0175 (A flaw was found in the VirGL virtual OpenGL renderer (virglrende
NOTE: https://gitlab.freedesktop.org/virgl/virglrenderer/-/merge_requests/654
NOTE: Code refactored in https://gitlab.freedesktop.org/virgl/virglrenderer/-/commit/7899e057327848300b18d8f03aa3789e00ed0221 (0.9.0)
NOTE: Fixed by: https://gitlab.freedesktop.org/virgl/virglrenderer/-/commit/b05bb61f454eeb8a85164c8a31510aeb9d79129c
-CVE-2022-0174 (dolibarr is vulnerable to Business Logic Errors)
+CVE-2022-0174 (Improper Validation of Specified Quantity in Input vulnerability in do ...)
- dolibarr <removed>
CVE-2022-0173 (radare2 is vulnerable to Out-of-bounds Read)
- radare2 <unfixed> (bug #1014478)
@@ -116950,7 +116977,7 @@ CVE-2022-22568
RESERVED
CVE-2022-0122 (forge is vulnerable to URL Redirection to Untrusted Site)
NOT-FOR-US: forge
-CVE-2022-0121 (hoppscotch is vulnerable to Exposure of Sensitive Information to an Un ...)
+CVE-2022-0121 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
NOT-FOR-US: hoppscotch
CVE-2022-22567 (Select Dell Client Commercial and Consumer platforms are vulnerable to ...)
NOT-FOR-US: Dell
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cbd6d0bb0836a914562a60a22c3f052c8f4d56bb