[Git][security-tracker-team/security-tracker][master] automatic update

Salvatore Bonaccorso (@carnil) carnil at debian.org
Wed Aug 2 21:19:17 BST 2023



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
cbd6d0bb by security tracker role at 2023-08-02T20:19:03+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,3 +1,31 @@
+CVE-2023-4067 (The Bus Ticket Booking with Seat Reservation plugin for WordPress is v ...)
+	TODO: check
+CVE-2023-3978 (Text nodes not in the HTML namespace are incorrectly literally rendere ...)
+	TODO: check
+CVE-2023-3470 (Specific F5 BIG-IP platforms with Cavium Nitrox FIPS HSM cards generat ...)
+	TODO: check
+CVE-2023-3426 (The organization selector in Liferay Portal 7.4.3.81 through 7.4.3.85, ...)
+	TODO: check
+CVE-2023-38423 (A cross-site scripting (XSS) vulnerability exists in an undisclosed pa ...)
+	TODO: check
+CVE-2023-38419 (An authenticated attacker with guest privileges or higher can cause th ...)
+	TODO: check
+CVE-2023-38418 (The BIG-IP Edge Client Installer on macOS does not follow best practic ...)
+	TODO: check
+CVE-2023-38330 (OXID eShop Enterprise Edition 6.5.0 \u2013 6.5.2 before 6.5.3 allows u ...)
+	TODO: check
+CVE-2023-38138 (A reflected cross-site scripting (XSS) vulnerability exists in an undi ...)
+	TODO: check
+CVE-2023-36858 (An insufficient verification of data vulnerability exists in BIG-IP Ed ...)
+	TODO: check
+CVE-2023-36494 (Audit logs on F5OS-A may contain undisclosed sensitive information. No ...)
+	TODO: check
+CVE-2023-36081 (Cross Site Scripting vulnerability in GatesAIr Flexiva FM Transmitter/ ...)
+	TODO: check
+CVE-2023-33383 (Shelly 4PM Pro four-channel smart switch 0.11.0 allows an attacker to  ...)
+	TODO: check
+CVE-2023-33257 (Verint Engagement Management 15.3 Update 2023R2 is vulnerable to HTML  ...)
+	TODO: check
 CVE-2023-4016 (Under some circumstances, this weakness allows a user who has access t ...)
 	- procps <unfixed> (bug #1042887)
 	NOTE: https://gitlab.com/procps-ng/procps/-/issues/297
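Review bot: all fourteen new entries in this hunk are imported as `TODO: check`, and most of their descriptions already name a third-party product of the kind this file tags `NOT-FOR-US` elsewhere in the same diff (WordPress plugins, F5 BIG-IP/F5OS components, Liferay Portal, OXID eShop, Shelly, Verint), so a single triage pass could resolve the bulk of them. The one that needs an actual source lookup is CVE-2023-3978 ("Text nodes not in the HTML namespace are incorrectly literally rendere ..."), whose description names no product and could plausibly map to a packaged library rather than an external service.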
@@ -71,7 +99,7 @@ CVE-2023-3900 (An issue has been discovered in GitLab CE/EE affecting all versio
 	- gitlab <unfixed>
 CVE-2023-3500 (An issue has been discovered in GitLab CE/EE affecting all versions st ...)
 	- gitlab <unfixed>
-CVE-2023-3401
+CVE-2023-3401 (An issue has been discovered in GitLab affecting all versions before 1 ...)
 	- gitlab <unfixed>
 CVE-2023-3385 (An issue has been discovered in GitLab affecting all versions starting ...)
 	- gitlab <unfixed>
@@ -302,7 +330,7 @@ CVE-2023-34872 (A vulnerability in Outline.cc for Poppler prior to 23.06.0 allow
 	NOTE: https://gitlab.freedesktop.org/poppler/poppler/-/issues/1399
 CVE-2023-34842 (Remote Code Execution vulnerability in DedeCMS through 5.7.109 allows  ...)
 	NOT-FOR-US: DedeCMS
-CVE-2023-34644 (Remote code execution vulnerability in Ruijie Networks Product: RG-EW  ...)
+CVE-2023-34644 (A command injection vulnerability exists in the EWEB management system ...)
 	NOT-FOR-US: Ruijie
 CVE-2023-34635 (Wifi Soft Unibox Administration 3.0 and 3.1 is vulnerable to SQL Injec ...)
 	NOT-FOR-US: Wifi Soft Unibox Administration
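Review bot: the rewritten description for CVE-2023-34644 ("A command injection vulnerability exists in the EWEB management system ...") no longer mentions Ruijie, while the unchanged line below it still says `NOT-FOR-US: Ruijie`; confirm the updated MITRE text still refers to Ruijie's EWEB product, otherwise the tag has quietly drifted away from the description it is supposed to justify.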
@@ -1754,7 +1782,7 @@ CVE-2020-36695 (Incorrect Default Permissions vulnerability in Hitachi Device Ma
 	NOT-FOR-US: Hitachi
 CVE-2015-10122 (A vulnerability was found in wp-donate Plugin up to 1.4 on WordPress.  ...)
 	NOT-FOR-US: WordPress plugin
-CVE-2023-3700 (Improper Access Control in GitHub repository alextselegidis/easyappoin ...)
+CVE-2023-3700 (Authorization Bypass Through User-Controlled Key in GitHub repository  ...)
 	NOT-FOR-US: easyappointments
 CVE-2023-3696 (Prototype Pollution in GitHub repository automattic/mongoose prior to  ...)
 	NOT-FOR-US: Mongoose
@@ -3177,7 +3205,7 @@ CVE-2023-XXXX [spip: Use a dedicated function to clean author data when preparin
 	[bullseye] - spip <no-dsa> (Minor issue)
 	[buster] - spip <no-dsa> (Minor issue)
 	NOTE: https://blog.spip.net/Mise-a-jour-de-maintenance-et-securite-sortie-de-SPIP-4-2-4-SPIP-4-1-11.html
-CVE-2023-3568 (Improper Input Validation in GitHub repository fossbilling/fossbilling ...)
+CVE-2023-3568 (Open Redirect in GitHub repository alextselegidis/easyappointments pri ...)
 	NOT-FOR-US: fossbilling
 CVE-2023-37288 (SmartBPM.NET component has a vulnerability of path traversal within it ...)
 	NOT-FOR-US: SmartBPM.NET
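Review bot: the new description for CVE-2023-3568 ("Open Redirect in GitHub repository alextselegidis/easyappointments pri ...") names a different project from the unchanged `NOT-FOR-US: fossbilling` line directly under it, so the tag and the description now disagree and one of them is stale. If the CVE was reassigned upstream, the tag should become `NOT-FOR-US: easyappointments`, matching the CVE-2023-3700 entry earlier in this diff; if not, the imported description is wrong and should be checked against the CNA record.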
@@ -8490,6 +8518,7 @@ CVE-2023-33203 (The Linux kernel before 6.2.9 has a race condition and resultant
 	[buster] - linux 4.19.282-1
 	NOTE: https://git.kernel.org/linus/6b6bc5b8bd2d4ca9e1efa9ae0f98a0b0687ace75 (6.3-rc4)
 CVE-2023-33201 (Bouncy Castle For Java before 1.74 is affected by an LDAP injection vu ...)
+	{DLA-3514-1}
 	- bouncycastle <unfixed> (bug #1040050)
 	[bookworm] - bouncycastle <no-dsa> (Minor issue)
 	[bullseye] - bouncycastle <no-dsa> (Minor issue)
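Review bot: the added `{DLA-3514-1}` for CVE-2023-33201 sits above an unchanged `- bouncycastle <unfixed> (bug #1040050)` and `<no-dsa> (Minor issue)` markers for bookworm and bullseye. That combination is legal, but an LTS advisory having been issued is a reason to re-check whether unstable is really still unfixed and whether "Minor issue" for the stable suites still holds now that a backported fix exists.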
@@ -12199,8 +12228,7 @@ CVE-2023-2024 (Improper authentication in OpenBlue Enterprise Manager Data Colle
 	NOT-FOR-US: OpenBlue Enterprise Manager Data Collector
 CVE-2023-2023 (The Custom 404 Pro WordPress plugin before 3.7.3 does not escape some  ...)
 	NOT-FOR-US: WordPress plugin
-CVE-2023-2022
-	RESERVED
+CVE-2023-2022 (An issue has been discovered in GitLab CE/EE affecting all versions st ...)
 	- gitlab <unfixed>
 CVE-2023-2021 (Cross-site Scripting (XSS) - Stored in GitHub repository nilsteampassn ...)
 	- teampass <itp> (bug #730180)
@@ -15231,18 +15259,17 @@ CVE-2023-29411 (A CWE-306: Missing Authentication for Critical Function vulnerab
 	NOT-FOR-US: Schneider
 CVE-2023-29410 (A CWE-20: Improper Input Validation vulnerability exists that could al ...)
 	NOT-FOR-US: Schneider
-CVE-2023-29409
-	RESERVED
+CVE-2023-29409 (Extremely large RSA keys in certificate chains can cause a client/serv ...)
 	- golang-1.20 1.20.7-1
 	- golang-1.19 1.19.12-1
 	- golang-1.15 <removed>
 	- golang-1.11 <removed>
 	[buster] - golang-1.11 <postponed> (Limited support, follow bullseye DSAs/point-releases)
 	NOTE: https://groups.google.com/g/golang-announce/c/X0b6CsSAaYI
-CVE-2023-29408
-	RESERVED
-CVE-2023-29407
-	RESERVED
+CVE-2023-29408 (The TIFF decoder does not place a limit on the size of compressed tile ...)
+	TODO: check
+CVE-2023-29407 (A maliciously-crafted image can cause excessive CPU consumption in dec ...)
+	TODO: check
 CVE-2023-29406 (The HTTP/1 client does not fully validate the contents of the Host hea ...)
 	- golang-1.20 1.20.6-1
 	- golang-1.19 1.19.11-1
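Review bot: CVE-2023-29408 and CVE-2023-29407 are left as `TODO: check` while their sibling CVE-2023-29409 in the same hunk was resolved straight to golang-1.20/golang-1.19 (with the 1.15/1.11 `<removed>` and buster `<postponed>` lines). Their descriptions ("The TIFF decoder does not place a limit on the size of compressed tile ...", "A maliciously-crafted image can cause excessive CPU consumption in dec ...") describe image-decoding code rather than the toolchain itself, so triage should confirm which Go package they belong to before the golang-1.x lines are copied over.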
@@ -24607,34 +24634,34 @@ CVE-2023-26453
 	RESERVED
 CVE-2023-26452
 	RESERVED
-CVE-2023-26451
-	RESERVED
-CVE-2023-26450
-	RESERVED
-CVE-2023-26449
-	RESERVED
-CVE-2023-26448
-	RESERVED
-CVE-2023-26447
-	RESERVED
-CVE-2023-26446
-	RESERVED
-CVE-2023-26445
-	RESERVED
+CVE-2023-26451 (Functions with insufficient randomness were used to generate authoriza ...)
+	TODO: check
+CVE-2023-26450 (The "OX Count" web service did not specify a media-type when processin ...)
+	TODO: check
+CVE-2023-26449 (The "OX Chat" web service did not specify a media-type when processing ...)
+	TODO: check
+CVE-2023-26448 (Custom log-in and log-out locations are used-defined as jslob but were ...)
+	TODO: check
+CVE-2023-26447 (The "upsell" widget for the portal allows to specify a product descrip ...)
+	TODO: check
+CVE-2023-26446 (The users clientID at "application passwords" was not sanitized or esc ...)
+	TODO: check
+CVE-2023-26445 (Frontend themes are defined by user-controllable jslob settings and co ...)
+	TODO: check
 CVE-2023-26444
 	RESERVED
-CVE-2023-26443
-	RESERVED
-CVE-2023-26442
-	RESERVED
-CVE-2023-26441
-	RESERVED
-CVE-2023-26440
-	RESERVED
-CVE-2023-26439
-	RESERVED
-CVE-2023-26438
-	RESERVED
+CVE-2023-26443 (Full-text autocomplete search allows user-provided SQL syntax to be in ...)
+	TODO: check
+CVE-2023-26442 (In case Cacheservice was configured to use a sproxyd object-storage ba ...)
+	TODO: check
+CVE-2023-26441 (Cacheservice did not correctly check if relative cache object were poi ...)
+	TODO: check
+CVE-2023-26440 (The cacheservice API could be abused to indirectly inject parameters w ...)
+	TODO: check
+CVE-2023-26439 (The cacheservice API could be abused to inject parameters with SQL syn ...)
+	TODO: check
+CVE-2023-26438 (External service lookups for a number of protocols were vulnerable to  ...)
+	TODO: check
 CVE-2023-26437 (Denial of service vulnerability in PowerDNS Recursor allows authoritat ...)
 	- pdns-recursor 4.8.4-1 (bug #1033941)
 	[bullseye] - pdns-recursor <no-dsa> (Minor issue)
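Review bot: CVE-2023-26451 through CVE-2023-26438 are imported as `TODO: check`, yet their descriptions name OX-specific components throughout ("OX Count", "OX Chat", jslob settings, Cacheservice, application passwords), and the CVE-2023-2643x entries in the following hunk carry `NOT-FOR-US: OX App Suite`; once the descriptions are confirmed, the whole block can most likely be resolved with that same tag in one pass. The "used-defined" in CVE-2023-26448 is a typo in the upstream CNA text, not something to correct in this file.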
@@ -24655,8 +24682,8 @@ CVE-2023-26432 (When adding an external mail account, processing of SMTP "capabi
 	NOT-FOR-US: OX App Suite
 CVE-2023-26431 (IPv4-mapped IPv6 addresses did not get recognized as "local" by the co ...)
 	NOT-FOR-US: OX App Suite
-CVE-2023-26430
-	RESERVED
+CVE-2023-26430 (Attackers with access to user accounts can inject arbitrary control ch ...)
+	TODO: check
 CVE-2023-26429 (Control characters were not removed when exporting user feedback conte ...)
 	NOT-FOR-US: OX App Suite
 CVE-2023-26428 (Attackers can successfully request arbitrary snippet IDs, including E- ...)
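Review bot: CVE-2023-26430 ("Attackers with access to user accounts can inject arbitrary control ch ...") is left `TODO: check` although it sits between CVE-2023-26431 and CVE-2023-26429, both `NOT-FOR-US: OX App Suite`, and shares the control-character theme of CVE-2023-26429; the same tag almost certainly applies and the TODO can be closed in the next triage round.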
@@ -24881,10 +24908,10 @@ CVE-2023-26319
 	RESERVED
 CVE-2023-26318
 	RESERVED
-CVE-2023-26317
-	RESERVED
-CVE-2023-26316
-	RESERVED
+CVE-2023-26317 (A vulnerability has been discovered in Xiaomi routers that could allow ...)
+	TODO: check
+CVE-2023-26316 (A XSS vulnerability exists in the Xiaomi cloud service Application pro ...)
+	TODO: check
 CVE-2023-26315
 	RESERVED
 CVE-2023-0979 (Improper Neutralization of Special Elements used in an SQL Command ('S ...)
@@ -33761,8 +33788,8 @@ CVE-2023-23478
 	RESERVED
 CVE-2023-23477 (IBM WebSphere Application Server 8.5 and 9.0 traditional could allow a ...)
 	NOT-FOR-US: IBM
-CVE-2023-23476
-	RESERVED
+CVE-2023-23476 (IBM Robotic Process Automation 21.0.0 through 21.0.7.latest is vulnera ...)
+	TODO: check
 CVE-2023-23475 (IBM Infosphere Information Server 11.7 is vulnerable to cross-site scr ...)
 	NOT-FOR-US: IBM
 CVE-2023-23474
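Review bot: CVE-2023-23476 (IBM Robotic Process Automation) is imported as `TODO: check` while its neighbours CVE-2023-23477 and CVE-2023-23475 are already `NOT-FOR-US: IBM`; unless Debian packages that product, the same tag applies and the TODO can be resolved without further research.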
@@ -44213,10 +44240,10 @@ CVE-2022-46487
 	RESERVED
 CVE-2022-46486
 	RESERVED
-CVE-2022-46485
-	RESERVED
-CVE-2022-46484
-	RESERVED
+CVE-2022-46485 (Data Illusion Survey Software Solutions ngSurvey version 2.4.28 and be ...)
+	TODO: check
+CVE-2022-46484 (Information disclosure in password protected surveys in Data Illusion  ...)
+	TODO: check
 CVE-2022-46483
 	RESERVED
 CVE-2022-46482
@@ -58682,7 +58709,7 @@ CVE-2022-3424 (A use-after-free flaw was found in the Linux kernel\u2019s SGI GR
 	NOTE: https://lore.kernel.org/all/20221006152643.1694235-1-zyytlz.wz@163.com/
 	NOTE: https://git.kernel.org/linus/643a16a0eb1d6ac23744bb6e90a00fc21148a9dc
 	NOTE: SGI_GRU not enabled in any Debian kernel
-CVE-2022-3423 (Denial of Service in GitHub repository nocodb/nocodb prior to 0.92.0.)
+CVE-2022-3423 (Allocation of Resources Without Limits or Throttling in GitHub reposit ...)
 	NOT-FOR-US: nocodb
 CVE-2022-3422 (Account Takeover :: when see the info i can see the hash pass i can cr ...)
 	NOT-FOR-US: ToolJet
@@ -63321,7 +63348,7 @@ CVE-2022-3227
 	RESERVED
 CVE-2022-3226 (An OS command injection vulnerability allows admins to execute code vi ...)
 	NOT-FOR-US: Sophos
-CVE-2022-3225 (Improper Access Control in GitHub repository budibase/budibase prior t ...)
+CVE-2022-3225 (Improper Control of Dynamically-Managed Code Resources in GitHub repos ...)
 	NOT-FOR-US: budibase
 CVE-2022-3224 (Misinterpretation of Input in GitHub repository ionicabizau/parse-url  ...)
 	NOT-FOR-US: Node parse-url
@@ -63732,8 +63759,8 @@ CVE-2022-40611
 	RESERVED
 CVE-2022-40610
 	RESERVED
-CVE-2022-40609
-	RESERVED
+CVE-2022-40609 (IBM SDK, Java Technology Edition 7.1.5.18 and 8.0.8.0 could allow a re ...)
+	TODO: check
 CVE-2022-40608 (IBM Spectrum Protect Plus 10.1.6 through 10.1.11 Microsoft File System ...)
 	NOT-FOR-US: IBM
 CVE-2022-40607 (IBM Spectrum Scale 5.1 could allow users with permissions to create po ...)
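Review bot: CVE-2022-40609 (IBM SDK, Java Technology Edition) is left `TODO: check` next to CVE-2022-40608 and CVE-2022-40607, which are both `NOT-FOR-US: IBM`; the IBM SDK is a proprietary JDK build, so the same tag is the expected resolution here too.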
@@ -70071,7 +70098,7 @@ CVE-2022-2819 (Heap-based Buffer Overflow in GitHub repository vim/vim prior to
 	NOTE: https://huntr.dev/bounties/0a9bd71e-66b8-4eb1-9566-7dfd9b097e59
 	NOTE: https://github.com/vim/vim/commit/d1d8f6bacb489036d0fd479c9dd3c0102c988889 (v9.0.0211)
 	NOTE: Crash in CLI tool, no security impact
-CVE-2022-2818 (Authentication Bypass by Primary Weakness in GitHub repository cockpit ...)
+CVE-2022-2818 (Improper Removal of Sensitive Information Before Storage or Transfer i ...)
 	NOT-FOR-US: Cockpit-HQ/Cockpit
 CVE-2022-38305 (AeroCMS v0.0.1 was discovered to contain an arbitrary file upload vuln ...)
 	NOT-FOR-US: AeroCMS
@@ -70809,7 +70836,7 @@ CVE-2022-2734 (Improper Restriction of Rendered UI Layers or Frames in GitHub re
 	NOT-FOR-US: OpenEMR
 CVE-2022-2733 (Cross-site Scripting (XSS) - Reflected in GitHub repository openemr/op ...)
 	NOT-FOR-US: OpenEMR
-CVE-2022-2732 (Improper Privilege Management in GitHub repository openemr/openemr pri ...)
+CVE-2022-2732 (Missing Authorization in GitHub repository openemr/openemr prior to 7. ...)
 	NOT-FOR-US: OpenEMR
 CVE-2022-2731 (Cross-site Scripting (XSS) - Reflected in GitHub repository openemr/op ...)
 	NOT-FOR-US: OpenEMR
@@ -84420,7 +84447,7 @@ CVE-2022-2056 (Divide By Zero error in tiffcrop in libtiff 4.4.0 allows attacker
 	NOTE: https://gitlab.com/libtiff/libtiff/-/commit/dd1bcc7abb26094e93636e85520f0d8f81ab0fab
 CVE-2022-2055
 	RESERVED
-CVE-2022-2054 (Command Injection in GitHub repository nuitka/nuitka prior to 0.9.)
+CVE-2022-2054 (Code Injection in GitHub repository nuitka/nuitka prior to 0.9.)
 	- nuitka 0.9+ds-1 (bug #1012762)
 	[bullseye] - nuitka <no-dsa> (Minor issue)
 	[buster] - nuitka <no-dsa> (Minor issue)
@@ -88311,7 +88338,7 @@ CVE-2022-31620 (In libjpeg before 1.64, BitStream<false>::Get in bitstream.hpp h
 	NOTE: Crash in CLI tool, no security impact
 CVE-2022-30533 (Cross-site scripting vulnerability in Modern Events Calendar Lite vers ...)
 	NOT-FOR-US: Modern Events Calendar Lite
-CVE-2022-1893 (Exposure of Sensitive Information to an Unauthorized Actor in GitHub r ...)
+CVE-2022-1893 (Improper Removal of Sensitive Information Before Storage or Transfer i ...)
 	NOT-FOR-US: Trudesk
 CVE-2022-1892 (A buffer overflow in the SystemBootManagerDxe driver in some Lenovo No ...)
 	NOT-FOR-US: Lenovo
@@ -91663,7 +91690,7 @@ CVE-2022-1651 (A memory leak flaw was found in the Linux kernel in acrn_dev_ioct
 	[buster] - linux <not-affected> (Vulnerable code not present)
 	[stretch] - linux <not-affected> (Vulnerable code not present)
 	NOTE: https://git.kernel.org/linus/ecd1735f14d6ac868ae5d8b7a2bf193fa11f388b (5.18-rc1)
-CVE-2022-1650 (Exposure of Sensitive Information to an Unauthorized Actor in GitHub r ...)
+CVE-2022-1650 (Improper Removal of Sensitive Information Before Storage or Transfer i ...)
 	{DLA-3235-1}
 	- node-eventsource 2.0.2+~1.1.8-1
 	[bullseye] - node-eventsource 1.0.7-1+deb11u1
@@ -96033,7 +96060,7 @@ CVE-2022-1318 (Hills ComNav version 3002-19 suffers from a weak communication ch
 	NOT-FOR-US: Hills ComNav
 CVE-2022-1317
 	RESERVED
-CVE-2022-1316 (ZeroTierOne for windows local privilege escalation because of incorrec ...)
+CVE-2022-1316 (Incorrect Permission Assignment for Critical Resource in GitHub reposi ...)
 	NOT-FOR-US: ZeroTierOne
 CVE-2022-29063 (The Solr plugin of Apache OFBiz is configured by default to automatica ...)
 	NOT-FOR-US: Apache OFBiz
@@ -97110,7 +97137,7 @@ CVE-2022-1253 (Heap-based Buffer Overflow in GitHub repository strukturag/libde2
 	[stretch] - libde265 <not-affected> (Vulnerable code introduced later)
 	NOTE: https://huntr.dev/bounties/1-other-strukturag/libde265/
 	NOTE: https://github.com/strukturag/libde265/commit/8e89fe0e175d2870c39486fdd09250b230ec10b8
-CVE-2022-1252 (Exposure of Private Personal Information to an Unauthorized Actor in G ...)
+CVE-2022-1252 (Use of a Broken or Risky Cryptographic Algorithm in GitHub repository  ...)
 	NOT-FOR-US: gnuboard5
 CVE-2022-1251 (The Ask me WordPress theme before 6.8.4 does not perform nonce checks  ...)
 	NOT-FOR-US: WordPress theme
@@ -97337,7 +97364,7 @@ CVE-2022-1225 (Incorrect Privilege Assignment in GitHub repository phpipam/phpip
 	- phpipam <itp> (bug #731713)
 CVE-2022-1224 (Improper Authorization in GitHub repository phpipam/phpipam prior to 1 ...)
 	- phpipam <itp> (bug #731713)
-CVE-2022-1223 (Improper Access Control in GitHub repository phpipam/phpipam prior to  ...)
+CVE-2022-1223 (Incorrect Authorization in GitHub repository phpipam/phpipam prior to  ...)
 	- phpipam <itp> (bug #731713)
 CVE-2022-1222 (Inf loop in GitHub repository gpac/gpac prior to 2.1.0-DEV.)
 	{DSA-5411-1}
@@ -104778,7 +104805,7 @@ CVE-2022-0764 (Arbitrary Command Injection in GitHub repository strapi/strapi pr
 	NOT-FOR-US: strapi
 CVE-2022-0763 (Cross-site Scripting (XSS) - Stored in GitHub repository microweber/mi ...)
 	NOT-FOR-US: microweber
-CVE-2022-0762 (Business Logic Errors in GitHub repository microweber/microweber prior ...)
+CVE-2022-0762 (Incorrect Authorization in GitHub repository microweber/microweber pri ...)
 	NOT-FOR-US: microweber
 CVE-2021-4224
 	RESERVED
@@ -107448,7 +107475,7 @@ CVE-2022-25148 (The WP Statistics WordPress plugin is vulnerable to SQL Injectio
 	NOT-FOR-US: WordPress plugin
 CVE-2022-0612 (Cross-site Scripting (XSS) - Stored in Packagist remdex/livehelperchat ...)
 	NOT-FOR-US: livehelperchat
-CVE-2022-0611 (Improper Privilege Management in Packagist snipe/snipe-it prior to 5.3 ...)
+CVE-2022-0611 (Missing Authorization in Packagist snipe/snipe-it prior to 5.3.11.)
 	- snipe-it <itp> (bug #1005172)
 CVE-2019-25057 (In Corda before 4.1, the meaning of serialized data can be modified vi ...)
 	NOT-FOR-US: Corda
@@ -107533,7 +107560,7 @@ CVE-2022-0590 (The BulletProof Security WordPress plugin before 5.8 does not san
 	NOT-FOR-US: WordPress plugin
 CVE-2022-0589 (Cross-site Scripting (XSS) - Stored in Packagist librenms/librenms pri ...)
 	NOT-FOR-US: LibreNMS
-CVE-2022-0588 (Exposure of Sensitive Information to an Unauthorized Actor in Packagis ...)
+CVE-2022-0588 (Missing Authorization in Packagist librenms/librenms prior to 22.2.0.)
 	NOT-FOR-US: LibreNMS
 CVE-2022-0587 (Improper Authorization in Packagist librenms/librenms prior to 22.2.0.)
 	NOT-FOR-US: LibreNMS
@@ -107955,7 +107982,7 @@ CVE-2022-0581 (Crash in the CMS protocol dissector in Wireshark 3.6.0 to 3.6.1 a
 	[buster] - wireshark 2.6.20-0+deb10u4
 	NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17935
 	NOTE: https://www.wireshark.org/security/wnpa-sec-2022-05.html
-CVE-2022-0580 (Improper Access Control in Packagist librenms/librenms prior to 22.2.0 ...)
+CVE-2022-0580 (Incorrect Authorization in Packagist librenms/librenms prior to 22.2.0 ...)
 	NOT-FOR-US: LibreNMS
 CVE-2022-24980 (An issue was discovered in the Kitodo.Presentation (aka dif) extension ...)
 	NOT-FOR-US: TYPO3 extension
@@ -107965,7 +107992,7 @@ CVE-2022-24978 (Zoho ManageEngine ADAudit Plus before 7055 allows authenticated
 	NOT-FOR-US: Zoho
 CVE-2022-24977 (ImpressCMS before 1.4.2 allows unauthenticated remote code execution v ...)
 	NOT-FOR-US: ImpressCMS
-CVE-2022-0579 (Improper Privilege Management in Packagist snipe/snipe-it prior to 5.3 ...)
+CVE-2022-0579 (Missing Authorization in Packagist snipe/snipe-it prior to 5.3.9.)
 	- snipe-it <itp> (bug #1005172)
 CVE-2022-0578 (Code Injection in GitHub repository publify/publify prior to 9.2.8.)
 	NOT-FOR-US: Publify
@@ -108004,7 +108031,7 @@ CVE-2022-0570 (Heap-based Buffer Overflow in Homebrew mruby prior to 3.2.)
 	- mruby <not-affected> (Vulnerable code introduced later)
 	NOTE: https://huntr.dev/bounties/65a7632e-f95b-4836-b1a7-9cb95e5124f1
 	NOTE: https://github.com/mruby/mruby/commit/38b164ace7d6ae1c367883a3d67d7f559783faad
-CVE-2022-0569 (Exposure of Sensitive Information to an Unauthorized Actor in Packagis ...)
+CVE-2022-0569 (Observable Discrepancy in Packagist snipe/snipe-it prior to v5.3.9.)
 	- snipe-it <itp> (bug #1005172)
 CVE-2022-24975 (The --mirror documentation for Git through 2.35.1 does not mention the ...)
 	- git <unfixed> (unimportant)
@@ -108049,7 +108076,7 @@ CVE-2022-0566 (It may be possible for an attacker to craft an email message that
 	{DSA-5086-1 DLA-2930-1}
 	- thunderbird 1:91.6.1-1
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-07/#CVE-2022-0566
-CVE-2022-0565 (Exposure of Sensitive Information to an Unauthorized Actor in Packagis ...)
+CVE-2022-0565 (Cross-site Scripting in Packagist pimcore/pimcore prior to 10.3.1.)
 	NOT-FOR-US: pimcore
 CVE-2021-22590
 	RESERVED
@@ -109132,7 +109159,7 @@ CVE-2022-0538 (Jenkins 2.333 and earlier, LTS 2.319.2 and earlier defines custom
 	- jenkins <removed>
 CVE-2022-0537 (The MapPress Maps for WordPress plugin before 2.73.13 allows a high pr ...)
 	NOT-FOR-US: WordPress plugin
-CVE-2022-0536 (Exposure of Sensitive Information to an Unauthorized Actor in NPM foll ...)
+CVE-2022-0536 (Improper Removal of Sensitive Information Before Storage or Transfer i ...)
 	- node-follow-redirects 1.14.8+~1.14.0-1
 	[bullseye] - node-follow-redirects 1.13.1-1+deb11u1
 	[buster] - node-follow-redirects <ignored> (Minor issue, too intrusive to backport)
@@ -111788,7 +111815,7 @@ CVE-2022-21201 (A stack-based buffer overflow vulnerability exists in the confer
 	NOT-FOR-US: TCL LinkHub Mesh Wi-Fi
 CVE-2022-21178 (An os command injection vulnerability exists in the confsrv ucloud_add ...)
 	NOT-FOR-US: TCL LinkHub Mesh Wi-Fi
-CVE-2022-0355 (Exposure of Sensitive Information to an Unauthorized Actor in NPM simp ...)
+CVE-2022-0355 (Improper Removal of Sensitive Information Before Storage or Transfer i ...)
 	NOT-FOR-US: simple-get nodejs module
 CVE-2022-0354 (A vulnerability was reported in Lenovo System Update that could allow  ...)
 	NOT-FOR-US: Lenovo
@@ -112322,7 +112349,7 @@ CVE-2022-23849 (The biometric lock in Devolutions Password Hub for iOS before 20
 	NOT-FOR-US: Devolutions Password Hub for iOS
 CVE-2022-0339 (Server-Side Request Forgery (SSRF) in Pypi calibreweb prior to 0.6.16.)
 	- calibre-web <itp> (bug #982690)
-CVE-2022-0338 (Improper Privilege Management in Conda loguru prior to 0.5.3.)
+CVE-2022-0338 (Insertion of Sensitive Information into Log File in Conda loguru prior ...)
 	- loguru <unfixed> (unimportant)
 	NOTE: https://huntr.dev/bounties/359bea50-2bc6-426a-b2f9-175d401b1ed0/
 	NOTE: Document best practices for security: https://github.com/delgan/loguru/commit/ea39375e62f9b8f18e2ca798a5c0fb8c972b7eaa
@@ -113620,7 +113647,7 @@ CVE-2022-0284 (A heap-based-buffer-over-read flaw was found in ImageMagick's Get
 CVE-2022-0283 (An issue has been discovered affecting GitLab versions prior to 13.5.  ...)
 	- gitlab 15.10.8+ds1-2
 	NOTE: https://gitlab.com/gitlab-org/gitlab/-/issues/349422
-CVE-2022-0282 (Code Injection in Packagist microweber/microweber prior to 1.2.11.)
+CVE-2022-0282 (Cross-site Scripting in Packagist microweber/microweber prior to 1.2.1 ...)
 	NOT-FOR-US: microweber
 CVE-2022-0281 (Exposure of Sensitive Information to an Unauthorized Actor in Packagis ...)
 	NOT-FOR-US: microweber
@@ -115307,7 +115334,7 @@ CVE-2022-0180 (Cross-site request forgery (CSRF) vulnerability in Quiz And Surve
 	NOT-FOR-US: Quiz And Survey Master
 CVE-2022-0179 (snipe-it is vulnerable to Missing Authorization)
 	- snipe-it <itp> (bug #1005172)
-CVE-2022-0178 (snipe-it is vulnerable to Improper Access Control)
+CVE-2022-0178 (Missing Authorization vulnerability in snipe snipe/snipe-it.This issue ...)
 	- snipe-it <itp> (bug #1005172)
 CVE-2022-0177
 	REJECTED
@@ -115655,7 +115682,7 @@ CVE-2022-0175 (A flaw was found in the VirGL virtual OpenGL renderer (virglrende
 	NOTE: https://gitlab.freedesktop.org/virgl/virglrenderer/-/merge_requests/654
 	NOTE: Code refactored in https://gitlab.freedesktop.org/virgl/virglrenderer/-/commit/7899e057327848300b18d8f03aa3789e00ed0221 (0.9.0)
 	NOTE: Fixed by: https://gitlab.freedesktop.org/virgl/virglrenderer/-/commit/b05bb61f454eeb8a85164c8a31510aeb9d79129c
-CVE-2022-0174 (dolibarr is vulnerable to Business Logic Errors)
+CVE-2022-0174 (Improper Validation of Specified Quantity in Input vulnerability in do ...)
 	- dolibarr <removed>
 CVE-2022-0173 (radare2 is vulnerable to Out-of-bounds Read)
 	- radare2 <unfixed> (bug #1014478)
@@ -116950,7 +116977,7 @@ CVE-2022-22568
 	RESERVED
 CVE-2022-0122 (forge is vulnerable to URL Redirection to Untrusted Site)
 	NOT-FOR-US: forge
-CVE-2022-0121 (hoppscotch is vulnerable to Exposure of Sensitive Information to an Un ...)
+CVE-2022-0121 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
 	NOT-FOR-US: hoppscotch
 CVE-2022-22567 (Select Dell Client Commercial and Consumer platforms are vulnerable to ...)
 	NOT-FOR-US: Dell



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cbd6d0bb0836a914562a60a22c3f052c8f4d56bb
