[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Tue Jan 31 08:10:28 GMT 2023
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
14a1bfef by security tracker role at 2023-01-31T08:10:17+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,3 +1,15 @@
+CVE-2023-24833
+ RESERVED
+CVE-2023-24832
+ RESERVED
+CVE-2023-0587
+ RESERVED
+CVE-2023-0586
+ RESERVED
+CVE-2023-0585
+ RESERVED
+CVE-2016-15023
+ RESERVED
CVE-2023-24831
RESERVED
CVE-2023-24828
@@ -475,8 +487,8 @@ CVE-2023-0573
RESERVED
CVE-2023-0572 (Unchecked Error Condition in GitHub repository froxlor/froxlor prior t ...)
- froxlor <itp> (bug #581792)
-CVE-2022-4898
- RESERVED
+CVE-2022-4898 (In affected versions of Octopus Server the help sidebar can be customi ...)
+ TODO: check
CVE-2022-48304
RESERVED
CVE-2022-48303 (GNU Tar through 1.34 has a one-byte out-of-bounds read that results in ...)
@@ -1083,16 +1095,16 @@ CVE-2023-24467
RESERVED
CVE-2023-24466
RESERVED
-CVE-2023-24020
- RESERVED
-CVE-2023-23582
- RESERVED
-CVE-2023-22389
- RESERVED
+CVE-2023-24020 (Snap One Wattbox WB-300-IP-3 versions WB10.9a17 and prior could bypass ...)
+ TODO: check
+CVE-2023-23582 (Snap One Wattbox WB-300-IP-3 versions WB10.9a17 and prior are vulnerab ...)
+ TODO: check
+CVE-2023-22389 (Snap One Wattbox WB-300-IP-3 versions WB10.9a17 and prior store passwo ...)
+ TODO: check
CVE-2023-22371
RESERVED
-CVE-2023-22315
- RESERVED
+CVE-2023-22315 (Snap One Wattbox WB-300-IP-3 versions WB10.9a17 and prior use a propri ...)
+ TODO: check
CVE-2023-0456
RESERVED
CVE-2023-0455 (Unrestricted Upload of File with Dangerous Type in GitHub repository u ...)
@@ -1952,7 +1964,7 @@ CVE-2023-0435 (Excessive Attack Surface in GitHub repository pyload/pyload prior
CVE-2022-4895
RESERVED
CVE-2022-48281 (processCropSelections in tools/tiffcrop.c in LibTIFF through 4.5.0 has ...)
- {DSA-5333-1}
+ {DSA-5333-1 DLA-3297-1}
- tiff 4.5.0-4 (bug #1029653)
NOTE: https://gitlab.com/libtiff/libtiff/-/commit/d1b6b9c1b3cae2d9e37754506c1ad8f4f7b646b5
NOTE: https://gitlab.com/libtiff/libtiff/-/issues/488
@@ -2048,6 +2060,7 @@ CVE-2023-24040 (** UNSUPPORTED WHEN ASSIGNED ** dtprintinfo in Common Desktop En
CVE-2023-24039 (** UNSUPPORTED WHEN ASSIGNED ** A stack-based buffer overflow in Parse ...)
NOT-FOR-US: Oracle
CVE-2023-24038 (The HTML-StripScripts module through 1.06 for Perl allows _hss_attval_ ...)
+ {DLA-3296-1}
- libhtml-stripscripts-perl 1.06-4 (bug #1029400)
NOTE: https://github.com/clintongormley/perl-html-stripscripts/issues/3
NOTE: https://github.com/clintongormley/perl-html-stripscripts/pull/4
@@ -6140,8 +6153,8 @@ CVE-2023-0099
RESERVED
CVE-2023-0098
RESERVED
-CVE-2023-0097
- RESERVED
+CVE-2023-0097 (The Post Grid, Post Carousel, & List Category Posts WordPress plug ...)
+ TODO: check
CVE-2023-0096
RESERVED
CVE-2023-0095
@@ -6382,14 +6395,14 @@ CVE-2023-0076
RESERVED
CVE-2023-0075
RESERVED
-CVE-2023-0074
- RESERVED
+CVE-2023-0074 (The WP Social Widget WordPress plugin before 2.2.4 does not validate a ...)
+ TODO: check
CVE-2023-0073
RESERVED
CVE-2023-0072
RESERVED
-CVE-2023-0071
- RESERVED
+CVE-2023-0071 (The WP Tabs WordPress plugin before 2.1.17 does not validate and escap ...)
+ TODO: check
CVE-2023-0070
RESERVED
CVE-2023-0069
@@ -6506,8 +6519,8 @@ CVE-2022-4874 (Authentication bypass in Netcomm router models NF20MESH, NF20, an
NOT-FOR-US: Netcomm
CVE-2022-4873 (On Netcomm router models NF20MESH, NF20, and NL1902 a stack based buff ...)
NOT-FOR-US: Netcomm
-CVE-2022-4872
- RESERVED
+CVE-2022-4872 (The Chained Products WordPress plugin before 2.12.0 does not have auth ...)
+ TODO: check
CVE-2022-48217 (** DISPUTED ** The tf_remapper_node component 1.1.1 for Robot Operatin ...)
NOT-FOR-US: ROS tf_remapper_node
CVE-2022-48216 (Uniswap Universal Router before 1.1.0 mishandles reentrancy. This woul ...)
@@ -6617,8 +6630,8 @@ CVE-2012-10002 (A vulnerability was found in ahmyi RivetTracker. It has been dec
NOT-FOR-US: ahmyi RivetTracker
CVE-2023-0034
RESERVED
-CVE-2023-0033
- RESERVED
+CVE-2023-0033 (The PDF Viewer WordPress plugin before 1.0.0 does not validate and esc ...)
+ TODO: check
CVE-2022-4870
RESERVED
CVE-2015-10011 (A vulnerability classified as problematic has been found in OpenDNS Op ...)
@@ -6986,20 +6999,20 @@ CVE-2023-22488 (Flarum is a forum software for building communities. Using the n
CVE-2023-22487 (Flarum is a forum software for building communities. Using the mention ...)
NOT-FOR-US: Flarum
CVE-2023-22486 (cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and renderin ...)
- - cmark-gfm <unfixed>
+ - cmark-gfm <unfixed>
NOTE: https://github.com/github/cmark-gfm/security/advisories/GHSA-r572-jvj2-3m8p
NOTE: https://github.com/github/cmark-gfm/commit/ece074cc3378f7a8dec0395f00123e9fa6981f7b (0.29.0.gfm.7)
TODO: check other codebase, python-cmarkgfm, ghostwriter, ruby-commonmarker and r-cran-commonmark
CVE-2023-22485 (cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and renderin ...)
- - cmark-gfm <unfixed>
+ - cmark-gfm <unfixed>
NOTE: https://github.com/github/cmark-gfm/security/advisories/GHSA-c944-cv5f-hpvr
TODO: check other codebase, python-cmarkgfm, ghostwriter, ruby-commonmarker and r-cran-commonmark
CVE-2023-22484 (cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and renderin ...)
- - cmark-gfm <unfixed>
+ - cmark-gfm <unfixed>
NOTE: https://github.com/github/cmark-gfm/security/advisories/GHSA-24f7-9frr-5h2r
TODO: check other codebase, python-cmarkgfm, ghostwriter, ruby-commonmarker and r-cran-commonmark
CVE-2023-22483 (cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and renderin ...)
- - cmark-gfm <unfixed>
+ - cmark-gfm <unfixed>
NOTE: https://github.com/github/cmark-gfm/security/advisories/GHSA-29g3-96g3-jg6c
TODO: check other codebase, python-cmarkgfm, ghostwriter, ruby-commonmarker and r-cran-commonmark
CVE-2023-22482 (Argo CD is a declarative, GitOps continuous delivery tool for Kubernet ...)
@@ -7058,26 +7071,26 @@ CVE-2022-4839 (Cross-site Scripting (XSS) - Stored in GitHub repository usememos
NOT-FOR-US: usememos
CVE-2022-4838
RESERVED
-CVE-2022-4837
- RESERVED
+CVE-2022-4837 (The CPO Companion WordPress plugin before 1.1.0 does not validate and ...)
+ TODO: check
CVE-2022-4836
RESERVED
-CVE-2022-4835
- RESERVED
-CVE-2022-4834
- RESERVED
+CVE-2022-4835 (The Social Sharing Toolkit WordPress plugin through 2.6 does not valid ...)
+ TODO: check
+CVE-2022-4834 (The CPT Bootstrap Carousel WordPress plugin through 1.12 does not vali ...)
+ TODO: check
CVE-2022-4833
RESERVED
CVE-2022-4832 (The Store Locator WordPress plugin before 1.4.9 does not validate and ...)
NOT-FOR-US: WordPress plugin
-CVE-2022-4831
- RESERVED
+CVE-2022-4831 (The Custom User Profile Fields for User Registration WordPress plugin ...)
+ TODO: check
CVE-2022-4830
RESERVED
CVE-2022-4829
RESERVED
-CVE-2022-4828
- RESERVED
+CVE-2022-4828 (The Bold Timeline Lite WordPress plugin before 1.1.5 does not validate ...)
+ TODO: check
CVE-2022-4827
RESERVED
CVE-2022-4826
@@ -7196,10 +7209,10 @@ CVE-2022-48178
RESERVED
CVE-2022-48177
RESERVED
-CVE-2022-48176
- RESERVED
-CVE-2022-48175
- RESERVED
+CVE-2022-48176 (Netgear routers R7000P before v1.3.3.154, R6900P before v1.3.3.154, R7 ...)
+ TODO: check
+CVE-2022-48175 (Rukovoditel v3.2.1 was discovered to contain a remote code execution ( ...)
+ TODO: check
CVE-2022-48174
RESERVED
CVE-2022-48173
@@ -7536,8 +7549,8 @@ CVE-2022-48008 (An arbitrary file upload vulnerability in the plugin manager of
- limesurvey <itp> (bug #472802)
CVE-2022-48007 (A stored cross-site scripting (XSS) vulnerability in identification.ph ...)
- piwigo <removed>
-CVE-2022-48006
- RESERVED
+CVE-2022-48006 (An arbitrary file upload vulnerability in taocms v3.0.2 allows attacke ...)
+ TODO: check
CVE-2022-48005
RESERVED
CVE-2022-48004
@@ -7650,12 +7663,12 @@ CVE-2022-4796 (Incorrect Use of Privileged APIs in GitHub repository usememos/me
NOT-FOR-US: usememos
CVE-2022-4795
RESERVED
-CVE-2022-4794
- RESERVED
-CVE-2022-4793
- RESERVED
-CVE-2022-4792
- RESERVED
+CVE-2022-4794 (The AAWP WordPress plugin before 3.12.3 can be used to abuse trusted d ...)
+ TODO: check
+CVE-2022-4793 (The Blog Designer WordPress plugin before 2.4.1 does not validate and ...)
+ TODO: check
+CVE-2022-4792 (The News & Blog Designer Pack WordPress plugin before 3.3 does not ...)
+ TODO: check
CVE-2022-4791
RESERVED
CVE-2022-4790 (The WP Google My Business Auto Publish WordPress plugin before 3.4 doe ...)
@@ -7664,8 +7677,8 @@ CVE-2022-4789 (The WPZOOM Portfolio WordPress plugin before 1.2.2 does not valid
NOT-FOR-US: WordPress plugin
CVE-2022-4788
RESERVED
-CVE-2022-4787
- RESERVED
+CVE-2022-4787 (Themify Shortcodes WordPress plugin before 2.0.8 does not validate and ...)
+ TODO: check
CVE-2022-4786
RESERVED
CVE-2022-4785
@@ -7676,8 +7689,8 @@ CVE-2022-4783
RESERVED
CVE-2022-4782
RESERVED
-CVE-2022-4781
- RESERVED
+CVE-2022-4781 (The Accordion Shortcodes WordPress plugin through 2.4.2 does not valid ...)
+ TODO: check
CVE-2022-4780 (ISOS firmwares from versions 1.81 to 2.00 contain hardcoded credential ...)
NOT-FOR-US: ISOS firmwares
CVE-2022-4779 (StreamX applications from versions 6.02.01 to 6.04.34 are affected by ...)
@@ -7800,8 +7813,8 @@ CVE-2022-47969
RESERVED
CVE-2022-4777
RESERVED
-CVE-2022-4776
- RESERVED
+CVE-2022-4776 (The CC Child Pages WordPress plugin before 1.43 does not validate and ...)
+ TODO: check
CVE-2022-4775 (The GeoDirectory WordPress plugin before 2.2.22 does not validate and ...)
NOT-FOR-US: WordPress plugin
CVE-2022-4774
@@ -7819,11 +7832,13 @@ CVE-2022-4769
CVE-2022-4768 (A vulnerability was found in Dropbox merou. It has been classified as ...)
NOT-FOR-US: Dropbox merou
CVE-2022-47318 (ruby-git versions prior to v1.13.0 allows a remote authenticated attac ...)
+ {DLA-3303-1}
- ruby-git 1.13.1-1
[bullseye] - ruby-git <no-dsa> (Minor issue)
NOTE: https://github.com/ruby-git/ruby-git/pull/602
NOTE: https://github.com/ruby-git/ruby-git/commit/4fe8738e8348567255ab4be25867684b5d0d282d (v1.13.0)
CVE-2022-46648 (ruby-git versions prior to v1.13.0 allows a remote authenticated attac ...)
+ {DLA-3303-1}
- ruby-git 1.13.1-1
[bullseye] - ruby-git <no-dsa> (Minor issue)
NOTE: https://github.com/ruby-git/ruby-git/pull/602
@@ -7914,12 +7929,12 @@ CVE-2022-4767 (Denial of Service in GitHub repository usememos/memos prior to 0.
NOT-FOR-US: usememos
CVE-2022-4766 (A vulnerability was found in dolibarr_project_timesheet up to 4.5.5. I ...)
NOT-FOR-US: dolibarr_project_timesheet
-CVE-2022-4765
- RESERVED
+CVE-2022-4765 (The Portfolio for Elementor WordPress plugin before 2.3.1 does not val ...)
+ TODO: check
CVE-2022-4764
RESERVED
-CVE-2022-4763
- RESERVED
+CVE-2022-4763 (The Icon Widget WordPress plugin before 1.3.0 does not validate and es ...)
+ TODO: check
CVE-2022-4762
RESERVED
CVE-2022-4761
@@ -7946,8 +7961,8 @@ CVE-2022-4751 (The Word Balloon WordPress plugin before 4.19.3 does not validate
NOT-FOR-US: WordPress plugin
CVE-2022-4750
RESERVED
-CVE-2022-4749
- RESERVED
+CVE-2022-4749 (The Posts List Designer by Category WordPress plugin before 3.2 does n ...)
+ TODO: check
CVE-2022-4748 (A vulnerability was found in FlatPress. It has been classified as crit ...)
NOT-FOR-US: FlatPress
CVE-2022-4747
@@ -8064,6 +8079,7 @@ CVE-2022-47952 (lxc-user-nic in lxc through 5.0.1 is installed setuid root, and
NOTE: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1783591/comments/45
NOTE: Different issue than CVE-2018-6556
CVE-2022-47951 (An issue was discovered in OpenStack Cinder before 19.1.2, 20.x before ...)
+ {DLA-3302-1 DLA-3301-1 DLA-3300-1}
- nova 2:26.0.0-6 (bug #1029561)
- cinder 2:21.0.0-3 (bug #1029562)
- glance 2:25.0.0-2 (bug #1029563)
@@ -8186,8 +8202,8 @@ CVE-2022-4701 (The Royal Elementor Addons plugin for WordPress is vulnerable to
NOT-FOR-US: Royal Elementor Addons plugin for WordPress
CVE-2022-4700 (The Royal Elementor Addons plugin for WordPress is vulnerable to insuf ...)
NOT-FOR-US: Royal Elementor Addons plugin for WordPress
-CVE-2022-4699
- RESERVED
+CVE-2022-4699 (The MediaElement.js WordPress plugin through 4.2.8 does not validate a ...)
+ TODO: check
CVE-2022-4698 (The ProfilePress plugin for WordPress is vulnerable to Stored Cross-Si ...)
NOT-FOR-US: ProfilePress plugin for WordPress
CVE-2022-4697 (The ProfilePress plugin for WordPress is vulnerable to Stored Cross-Si ...)
@@ -8285,8 +8301,8 @@ CVE-2022-47927 (An issue was discovered in MediaWiki before 1.35.9, 1.36.x throu
NOTE: https://phabricator.wikimedia.org/T322637
CVE-2022-47914
RESERVED
-CVE-2022-4680
- RESERVED
+CVE-2022-4680 (The Revive Old Posts WordPress plugin before 9.0.11 unserializes user ...)
+ TODO: check
CVE-2022-4679
RESERVED
CVE-2022-4678
@@ -8309,16 +8325,16 @@ CVE-2022-4673 (The Rate my Post WordPress plugin before 3.3.9 does not validate
NOT-FOR-US: WordPress plugin
CVE-2022-4672 (The WordPress Simple Shopping Cart WordPress plugin before 4.6.2 does ...)
NOT-FOR-US: WordPress plugin
-CVE-2022-4671
- RESERVED
+CVE-2022-4671 (The PixCodes WordPress plugin before 2.3.7 does not validate and escap ...)
+ TODO: check
CVE-2022-4670
RESERVED
CVE-2022-4669
RESERVED
CVE-2022-4668 (The Easy Appointments WordPress plugin before 3.11.2 does not validate ...)
NOT-FOR-US: WordPress plugin
-CVE-2022-4667
- RESERVED
+CVE-2022-4667 (The RSS Aggregator by Feedzy WordPress plugin before 4.1.1 does not va ...)
+ TODO: check
CVE-2022-4666
RESERVED
CVE-2022-4665 (Unrestricted Upload of File with Dangerous Type in GitHub repository a ...)
@@ -8370,18 +8386,18 @@ CVE-2022-4656
RESERVED
CVE-2022-4655 (The Welcart e-Commerce WordPress plugin before 2.8.9 does not validate ...)
NOT-FOR-US: WordPress plugin
-CVE-2022-4654
- RESERVED
+CVE-2022-4654 (The Pricing Tables WordPress Plugin WordPress plugin before 3.2.3 does ...)
+ TODO: check
CVE-2022-4653 (The Greenshift WordPress plugin before 4.8.9 does not validate and esc ...)
NOT-FOR-US: WordPress plugin
CVE-2022-4652
RESERVED
-CVE-2022-4651
- RESERVED
+CVE-2022-4651 (The Justified Gallery WordPress plugin before 1.7.1 does not validate ...)
+ TODO: check
CVE-2022-4650 (The HashBar WordPress plugin before 1.3.6 does not validate and escape ...)
NOT-FOR-US: WordPress plugin
-CVE-2022-4649
- RESERVED
+CVE-2022-4649 (The WP Extended Search WordPress plugin before 2.1.2 does not validate ...)
+ TODO: check
CVE-2020-36625 (** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in destiny.g ...)
NOT-FOR-US: destiny.gg chat
CVE-2020-36624 (A vulnerability was found in ahorner text-helpers up to 1.0.x. It has ...)
@@ -10631,10 +10647,10 @@ CVE-2022-4555 (The WP Shamsi plugin for WordPress is vulnerable to authorization
NOT-FOR-US: WP Shamsi plugin for WordPress
CVE-2022-4554 (B2B Customer Ordering System developed by ID Software Project and Cons ...)
NOT-FOR-US: B2B Customer Ordering System
-CVE-2022-4553
- RESERVED
-CVE-2022-4552
- RESERVED
+CVE-2022-4553 (The FL3R FeelBox WordPress plugin through 8.1 does not have CSRF check ...)
+ TODO: check
+CVE-2022-4552 (The FL3R FeelBox WordPress plugin through 8.1 does not have CSRF check ...)
+ TODO: check
CVE-2022-4551
RESERVED
CVE-2022-4550
@@ -11008,8 +11024,8 @@ CVE-2022-4498 (In TP-Link routers, Archer C5 and WR710N-V1, running the latest a
NOT-FOR-US: TP-Link
CVE-2022-4497 (The Jetpack CRM WordPress plugin before 5.5 does not validate and esca ...)
NOT-FOR-US: WordPress plugin
-CVE-2022-4496
- RESERVED
+CVE-2022-4496 (The SAML SSO Standard WordPress plugin version 16.0.0 before 16.0.8, S ...)
+ TODO: check
CVE-2022-4495 (A vulnerability, which was classified as problematic, has been found i ...)
NOT-FOR-US: collective.dms.basecontent
CVE-2022-4494 (A vulnerability, which was classified as critical, has been found in b ...)
@@ -11194,12 +11210,12 @@ CVE-2022-4474 (The Easy Social Feed WordPress plugin before 6.4.0 does not valid
NOT-FOR-US: WordPress plugin
CVE-2022-4473
RESERVED
-CVE-2022-4472
- RESERVED
+CVE-2022-4472 (The Simple Sitemap WordPress plugin before 3.5.8 does not validate and ...)
+ TODO: check
CVE-2022-4471
RESERVED
-CVE-2022-4470
- RESERVED
+CVE-2022-4470 (The Widgets for Google Reviews WordPress plugin before 9.8 does not va ...)
+ TODO: check
CVE-2022-4469 (The Simple Membership WordPress plugin before 4.2.2 does not validate ...)
NOT-FOR-US: WordPress plugin
CVE-2022-4468 (The WP Recipe Maker WordPress plugin before 8.6.1 does not validate an ...)
@@ -11720,8 +11736,8 @@ CVE-2022-44454
RESERVED
CVE-2022-44450
RESERVED
-CVE-2022-4441
- RESERVED
+CVE-2022-4441 (Incorrect Privilege Assignment vulnerability in Hitachi Storage Plug-i ...)
+ TODO: check
CVE-2022-4440 (Use after free in Profiles in Google Chrome prior to 108.0.5359.124 al ...)
{DSA-5302-1}
- chromium 108.0.5359.124-1
@@ -12521,8 +12537,8 @@ CVE-2022-46894
RESERVED
CVE-2022-46893
RESERVED
-CVE-2022-4395
- RESERVED
+CVE-2022-4395 (The Membership For WooCommerce WordPress plugin before 2.1.7 does not ...)
+ TODO: check
CVE-2022-4394 (The iPages Flipbook For WordPress plugin through 1.4.6 does not saniti ...)
NOT-FOR-US: WordPress plugin
CVE-2022-4393 (The ImageLinks Interactive Image Builder for WordPress plugin through ...)
@@ -13353,8 +13369,8 @@ CVE-2022-4308
RESERVED
CVE-2022-4307 (The پلاگین پرد&# ...)
NOT-FOR-US: WordPress plugin
-CVE-2022-4306
- RESERVED
+CVE-2022-4306 (The Panda Pods Repeater Field WordPress plugin before 1.5.4 does not s ...)
+ TODO: check
CVE-2022-4305 (The Login as User or Customer WordPress plugin before 3.3 lacks author ...)
NOT-FOR-US: WordPress plugin
CVE-2022-4304
@@ -15610,8 +15626,8 @@ CVE-2022-4139 (An incorrect TLB flush issue was found in the Linux kernel’
[buster] - linux <not-affected> (Vulnerable code not present, only affects gen12 video and compute engines)
NOTE: https://www.openwall.com/lists/oss-security/2022/11/30/1
NOTE: https://git.kernel.org/linus/04aa64375f48a5d430b5550d9271f8428883e550
-CVE-2022-45897
- RESERVED
+CVE-2022-45897 (On Xerox WorkCentre 3550 25.003.03.000 devices, an authenticated attac ...)
+ TODO: check
CVE-2022-45896 (Planet eStream before 6.72.10.07 allows unauthenticated upload of arbi ...)
NOT-FOR-US: Planet eStream
CVE-2022-45895 (Planet eStream before 6.72.10.07 discloses sensitive information, rela ...)
@@ -15903,8 +15919,8 @@ CVE-2022-45791
RESERVED
CVE-2022-45790
RESERVED
-CVE-2022-45789
- RESERVED
+CVE-2022-45789 (A CWE-294: Authentication Bypass by Capture-replay vulnerability exist ...)
+ TODO: check
CVE-2022-45788 (A CWE-754: Improper Check for Unusual or Exceptional Conditions vulner ...)
TODO: check
CVE-2022-45787 (Unproper laxist permissions on the temporary files used by MIME4J Temp ...)
@@ -16761,8 +16777,8 @@ CVE-2022-4043 (The WP Custom Admin Interface WordPress plugin before 7.29 unseri
NOT-FOR-US: WordPress plugin
CVE-2022-4042 (The Paytium: Mollie payment forms & donations WordPress plugin thr ...)
NOT-FOR-US: WordPress plugin
-CVE-2022-4041
- RESERVED
+CVE-2022-4041 (Incorrect Privilege Assignment vulnerability in Hitachi Storage Plug-i ...)
+ TODO: check
CVE-2022-4040
RESERVED
CVE-2022-4039
@@ -18632,8 +18648,8 @@ CVE-2022-44899
RESERVED
CVE-2022-44898 (The MsIo64.sys component in Asus Aura Sync through v1.07.79 does not p ...)
NOT-FOR-US: Asus Aura Sync
-CVE-2022-44897
- RESERVED
+CVE-2022-44897 (A cross-site scripting (XSS) vulnerability in ApolloTheme AP PageBuild ...)
+ TODO: check
CVE-2022-44896
RESERVED
CVE-2022-44895
@@ -20608,18 +20624,21 @@ CVE-2022-44573
RESERVED
CVE-2022-44572 [rack: Forbid control characters in attributes]
RESERVED
+ {DLA-3298-1}
- ruby-rack <unfixed> (bug #1029832)
NOTE: https://github.com/rack/rack/commit/dc50f8e495f67eb933b1fc33ebee550908d945e6 (v2.0.9.2)
NOTE: https://github.com/rack/rack/commit/8291f502b0e1dcf514cc25c34e4bf0beec7a92ae (v2.1.4.2)
NOTE: https://github.com/rack/rack/commit/19e49f0f185d7e42ed5b402baec6c897a8c48029 (v2.2.6.1)
CVE-2022-44571 [rack: Fix ReDoS vulnerability in multipart parser]
RESERVED
+ {DLA-3298-1}
- ruby-rack <unfixed> (bug #1029832)
NOTE: https://github.com/rack/rack/commit/4e33ad10bf5f16d25c156f905bcc548e7f787bc3 (v2.0.9.2)
NOTE: https://github.com/rack/rack/commit/9b5fb5c7ef0e39b959a6c5c0005d9af44a29d6f8 (v2.1.4.2)
NOTE: https://github.com/rack/rack/commit/ee25ab9a7ee981d7578f559701085b0cf39bde77 (v2.2.6.1)
CVE-2022-44570 [rack: Fix ReDoS in Rack::Utils.get_byte_ranges]
RESERVED
+ {DLA-3298-1}
- ruby-rack <unfixed> (bug #1029832)
NOTE: https://github.com/rack/rack/commit/52721ae0b730e3920ad5375dfd5a3ea9b4f9e359 (v2.0.9.2)
NOTE: https://github.com/rack/rack/commit/f66ef5c8255dcea82c1b2665fc9ab948b76bb437 (v2.1.4.2)
@@ -33681,8 +33700,8 @@ CVE-2022-40260
RESERVED
CVE-2022-40259 (AMI MegaRAC Redfish Arbitrary Code Execution ...)
NOT-FOR-US: AMI MegaRAC Redfish
-CVE-2022-40258
- RESERVED
+CVE-2022-40258 (AMI Megarac Weak password hashes for Redfish & API ...)
+ TODO: check
CVE-2022-40257 (An HTML injection vulnerability exists in CERT/CC VINCE software prior ...)
NOT-FOR-US: CERT/CC VINCE
CVE-2022-40256
@@ -34048,14 +34067,14 @@ CVE-2022-3144 (The Wordfence Security – Firewall & Malware Scan plugin
NOT-FOR-US: WordPress plugin
CVE-2022-3143 (wildfly-elytron: possible timing attacks via use of unsafe comparator. ...)
NOT-FOR-US: WildFly Elytron
-CVE-2022-40137
- RESERVED
-CVE-2022-40136
- RESERVED
-CVE-2022-40135
- RESERVED
-CVE-2022-40134
- RESERVED
+CVE-2022-40137 (A buffer overflow in the WMI SMI Handler in some Lenovo models may all ...)
+ TODO: check
+CVE-2022-40136 (An information leak vulnerability in SMI Handler used to configure pla ...)
+ TODO: check
+CVE-2022-40135 (An information leak vulnerability in the Smart USB Protection SMI Hand ...)
+ TODO: check
+CVE-2022-40134 (An information leak vulnerability in the SMI Set BIOS Password SMI Han ...)
+ TODO: check
CVE-2022-40127 (A vulnerability in Example Dags of Apache Airflow allows an attacker w ...)
- airflow <itp> (bug #819700)
CVE-2022-38972 (Cross-site scripting vulnerability in Movable Type plugin A-Form versi ...)
@@ -48319,16 +48338,16 @@ CVE-2022-34890 (This vulnerability allows local attackers to disclose sensitive
NOT-FOR-US: Parallels
CVE-2022-34889 (This vulnerability allows local attackers to escalate privileges on af ...)
NOT-FOR-US: Parallels
-CVE-2022-34888
- RESERVED
+CVE-2022-34888 (The Remote Mount feature can potentially be abused by valid, authentic ...)
+ TODO: check
CVE-2022-34887
RESERVED
CVE-2022-34886
RESERVED
-CVE-2022-34885
- RESERVED
-CVE-2022-34884
- RESERVED
+CVE-2022-34885 (An improper input sanitization vulnerability in the Motorola MR2600 ro ...)
+ TODO: check
+CVE-2022-34884 (A buffer overflow exists in the Remote Presence subsystem which can po ...)
+ TODO: check
CVE-2022-34883 (OS Command Injection vulnerability in Hitachi RAID Manager Storage Rep ...)
NOT-FOR-US: Hitachi
CVE-2022-34882 (Information Exposure Through an Error Message vulnerability in Hitachi ...)
@@ -53987,10 +54006,10 @@ CVE-2022-32749 (Improper Check for Unusual or Exceptional Conditions vulnerabili
NOTE: https://github.com/apache/trafficserver/pull/9243
NOTE: https://github.com/apache/trafficserver/commit/71a80d1abb3fbcb2e30ff850c8bca0a371589b5a (master)
NOTE: https://github.com/apache/trafficserver/commit/590f87304b233791169af3d5899c5ba135bb61fa (9.1.x)
-CVE-2022-32748
- RESERVED
-CVE-2022-32747
- RESERVED
+CVE-2022-32748 (A CWE-295: Improper Certificate Validation vulnerability exists that c ...)
+ TODO: check
+CVE-2022-32747 (A CWE-290: Authentication Bypass by Spoofing vulnerability exists that ...)
+ TODO: check
CVE-2022-32746 (A flaw was found in the Samba AD LDAP server. The AD DC database audit ...)
{DSA-5205-1}
- samba 2:4.16.4+dfsg-1 (bug #1016449)
@@ -54551,42 +54570,42 @@ CVE-2022-2014 (Code Injection in GitHub repository jgraph/drawio prior to 19.0.2
NOT-FOR-US: jgraph/drawio
CVE-2022-32530 (A CWE-668 Exposure of Resource to Wrong Sphere vulnerability exists th ...)
NOT-FOR-US: Geo SCADA Mobile
-CVE-2022-32529
- RESERVED
-CVE-2022-32528
- RESERVED
-CVE-2022-32527
- RESERVED
-CVE-2022-32526
- RESERVED
-CVE-2022-32525
- RESERVED
-CVE-2022-32524
- RESERVED
-CVE-2022-32523
- RESERVED
-CVE-2022-32522
- RESERVED
-CVE-2022-32521
- RESERVED
-CVE-2022-32520
- RESERVED
-CVE-2022-32519
- RESERVED
-CVE-2022-32518
- RESERVED
-CVE-2022-32517
- RESERVED
-CVE-2022-32516
- RESERVED
-CVE-2022-32515
- RESERVED
-CVE-2022-32514
- RESERVED
-CVE-2022-32513
- RESERVED
-CVE-2022-32512
- RESERVED
+CVE-2022-32529 (A CWE-120: Buffer Copy without Checking Size of Input vulnerability ex ...)
+ TODO: check
+CVE-2022-32528 (A CWE-306: Missing Authentication for Critical Function vulnerability ...)
+ TODO: check
+CVE-2022-32527 (A CWE-120: Buffer Copy without Checking Size of Input vulnerability ex ...)
+ TODO: check
+CVE-2022-32526 (A CWE-120: Buffer Copy without Checking Size of Input vulnerability ex ...)
+ TODO: check
+CVE-2022-32525 (A CWE-120: Buffer Copy without Checking Size of Input vulnerability ex ...)
+ TODO: check
+CVE-2022-32524 (A CWE-120: Buffer Copy without Checking Size of Input vulnerability ex ...)
+ TODO: check
+CVE-2022-32523 (A CWE-120: Buffer Copy without Checking Size of Input vulnerability ex ...)
+ TODO: check
+CVE-2022-32522 (A CWE-120: Buffer Copy without Checking Size of Input vulnerability ex ...)
+ TODO: check
+CVE-2022-32521 (A CWE 502: Deserialization of Untrusted Data vulnerability exists that ...)
+ TODO: check
+CVE-2022-32520 (A CWE-522: Insufficiently Protected Credentials vulnerability exists t ...)
+ TODO: check
+CVE-2022-32519 (A CWE-257: Storing Passwords in a Recoverable Format vulnerability exi ...)
+ TODO: check
+CVE-2022-32518 (A CWE-522: Insufficiently Protected Credentials vulnerability exists t ...)
+ TODO: check
+CVE-2022-32517 (A CWE-1021: Improper Restriction of Rendered UI Layers or Frames vulne ...)
+ TODO: check
+CVE-2022-32516 (A CWE-352: Cross-Site Request Forgery (CSRF) vulnerability exists that ...)
+ TODO: check
+CVE-2022-32515 (A CWE-307: Improper Restriction of Excessive Authentication Attempts v ...)
+ TODO: check
+CVE-2022-32514 (A CWE-287: Improper Authentication vulnerability exists that could all ...)
+ TODO: check
+CVE-2022-32513 (A CWE-521: Weak Password Requirements vulnerability exists that could ...)
+ TODO: check
+CVE-2022-32512 (A CWE-119: Improper Restriction of Operations within the Bounds of a M ...)
+ TODO: check
CVE-2022-32511 (jmespath.rb (aka JMESPath for Ruby) before 1.6.1 uses JSON.load in a s ...)
- ruby-jmespath 1.6.1-1 (bug #1014807)
[bullseye] - ruby-jmespath <no-dsa> (Minor issue)
@@ -58704,6 +58723,7 @@ CVE-2022-31131 (Nextcloud mail is a Mail app for the Nextcloud home server produ
CVE-2022-31130 (Grafana is an open source observability and data visualization platfor ...)
- grafana <removed>
CVE-2022-31129 (moment is a JavaScript date library for parsing, validating, manipulat ...)
+ {DLA-3295-1}
- node-moment 2.29.4+ds-1 (bug #1014845)
[bullseye] - node-moment 2.29.1+ds-2+deb11u2
NOTE: https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3 (2.29.4)
@@ -60958,8 +60978,8 @@ CVE-2022-30423 (Merchandise Online Store v1.0 by oretnom23 has an arbitrary code
NOT-FOR-US: Merchandise Online Store
CVE-2022-30422 (Proietti Tech srl Planet Time Enterprise 4.2.0.1,4.2.0.0,4.1.0.0,4.0.0 ...)
NOT-FOR-US: Proietti Tech srl Planet Time Enterprise
-CVE-2022-30421
- RESERVED
+CVE-2022-30421 (Improper Authentication vulnerability in Toshiba Storage Security Soft ...)
+ TODO: check
CVE-2022-30420
RESERVED
CVE-2022-30419
@@ -69436,10 +69456,10 @@ CVE-2022-27540
RESERVED
CVE-2022-27539
RESERVED
-CVE-2022-27538
- RESERVED
-CVE-2022-27537
- RESERVED
+CVE-2022-27538 (A potential Time-of-Check to Time-of-Use (TOCTOU) vulnerability has be ...)
+ TODO: check
+CVE-2022-27537 (Potential vulnerabilities have been identified in the system BIOS of c ...)
+ TODO: check
CVE-2022-27536 (Certificate.Verify in crypto/x509 in Go 1.18.x before 1.18.1 can be ca ...)
- golang-1.18 <not-affected> (MacOS-specific)
- golang-1.17 <not-affected> (MacOS-specific)
@@ -73842,8 +73862,8 @@ CVE-2022-25982
RESERVED
CVE-2022-25981
RESERVED
-CVE-2022-25979
- RESERVED
+CVE-2022-25979 (Versions of the package jsuites before 5.0.1 are vulnerable to Cross-s ...)
+ TODO: check
CVE-2022-25978
RESERVED
CVE-2022-25977
@@ -74000,8 +74020,8 @@ CVE-2022-25883
RESERVED
CVE-2022-25882 (Versions of the package onnx before 1.13.0 are vulnerable to Directory ...)
TODO: check
-CVE-2022-25881
- RESERVED
+CVE-2022-25881 (This affects versions of the package http-cache-semantics before 4.1.1 ...)
+ TODO: check
CVE-2022-25879
RESERVED
CVE-2022-25878 (The package protobufjs before 6.11.3 are vulnerable to Prototype Pollu ...)
@@ -74109,6 +74129,7 @@ CVE-2022-25759 (The package convert-svg-core before 0.6.2 are vulnerable to Remo
CVE-2022-25758 (All versions of package scss-tokenizer are vulnerable to Regular Expre ...)
- node-scss-tokenizer <itp> (bug #885456)
CVE-2022-25648 (The package git before 1.11.0 are vulnerable to Command Injection via ...)
+ {DLA-3303-1}
- ruby-git 1.13.1-1 (bug #1009926)
[bullseye] - ruby-git <no-dsa> (Minor issue)
NOTE: https://github.com/ruby-git/ruby-git/pull/569
@@ -74322,8 +74343,8 @@ CVE-2022-21149 (The package s-cart/s-cart before 6.9; the package s-cart/core be
NOT-FOR-US: s-cart/core
CVE-2022-21144 (This affects all versions of package libxmljs. When invoking the libxm ...)
NOT-FOR-US: Node libxmljs
-CVE-2022-21129
- RESERVED
+CVE-2022-21129 (Versions of the package nemo-appium before 0.0.9 are vulnerable to Com ...)
+ TODO: check
CVE-2022-21126 (The package com.github.samtools:htsjdk before 3.0.1 are vulnerable to ...)
TODO: check
CVE-2022-21122 (The package metacalc before 0.0.2 are vulnerable to Arbitrary Code Exe ...)
@@ -76730,6 +76751,7 @@ CVE-2022-25001
CVE-2022-25000
RESERVED
CVE-2022-24999 (qs before 6.10.3, as used in Express before 4.17.3 and other products, ...)
+ {DLA-3299-1}
- node-qs 6.10.3+ds+~6.9.7-1
[bullseye] - node-qs 6.9.4+ds-1+deb11u1
NOTE: https://github.com/ljharb/qs/pull/428
@@ -77433,6 +77455,7 @@ CVE-2022-24786 (PJSIP is a free and open source multimedia communication library
NOTE: https://github.com/pjsip/pjproject/security/advisories/GHSA-vhxv-phmx-g52q
NOTE: https://github.com/pjsip/pjproject/commit/11559e49e65bdf00922ad5ae28913ec6a198d508
CVE-2022-24785 (Moment.js is a JavaScript date library for parsing, validating, manipu ...)
+ {DLA-3295-1}
- node-moment 2.29.2+ds-1 (bug #1009327)
[bullseye] - node-moment 2.29.1+ds-2+deb11u1
[stretch] - node-moment <end-of-life> (Nodejs in stretch not covered by security support)
@@ -82231,12 +82254,12 @@ CVE-2022-0299
RESERVED
CVE-2022-23456 (Potential arbitrary file deletion vulnerability has been identified in ...)
NOT-FOR-US: HP
-CVE-2022-23455
- RESERVED
-CVE-2022-23454
- RESERVED
-CVE-2022-23453
- RESERVED
+CVE-2022-23455 (Potential security vulnerabilities have been identified in HP Support ...)
+ TODO: check
+CVE-2022-23454 (Potential security vulnerabilities have been identified in HP Support ...)
+ TODO: check
+CVE-2022-23453 (Potential security vulnerabilities have been identified in HP Support ...)
+ TODO: check
CVE-2022-23452 (An authorization flaw was found in openstack-barbican, where anyone wi ...)
- barbican 1:14.0.0~rc1-2
[bullseye] - barbican <no-dsa> (Minor issue)
@@ -83361,8 +83384,8 @@ CVE-2022-0225 (A flaw was found in Keycloak. This flaw allows a privileged attac
NOT-FOR-US: Keycloak
CVE-2022-0224 (dolibarr is vulnerable to Improper Neutralization of Special Elements ...)
- dolibarr <removed>
-CVE-2022-0223
- RESERVED
+CVE-2022-0223 (A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ...)
+ TODO: check
CVE-2022-0222 (A CWE-269: Improper Privilege Management vulnerability exists that cou ...)
NOT-FOR-US: Modicon
CVE-2022-0221 (A CWE-611: Improper Restriction of XML External Entity Reference vulne ...)
@@ -85240,10 +85263,10 @@ CVE-2021-46152 (A vulnerability has been identified in Simcenter Femap V2020.2 (
NOT-FOR-US: Siemens
CVE-2021-46151 (A vulnerability has been identified in Simcenter Femap V2020.2 (All ve ...)
NOT-FOR-US: Siemens
-CVE-2022-22732
- RESERVED
-CVE-2022-22731
- RESERVED
+CVE-2022-22732 (A CWE-668: Exposure of Resource to Wrong Sphere vulnerability exists t ...)
+ TODO: check
+CVE-2022-22731 (A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ...)
+ TODO: check
CVE-2022-0144 (shelljs is vulnerable to Improper Privilege Management ...)
- node-shelljs 0.8.5+~cs0.8.10-1
[bullseye] - node-shelljs <no-dsa> (Minor issue)
@@ -104692,10 +104715,10 @@ CVE-2021-3811 (adminlte is vulnerable to Improper Neutralization of Input During
NOT-FOR-US: adminlte
CVE-2021-3810 (code-server is vulnerable to Inefficient Regular Expression Complexity ...)
NOT-FOR-US: code-server
-CVE-2021-3809
- RESERVED
-CVE-2021-3808
- RESERVED
+CVE-2021-3809 (Potential security vulnerabilities have been identified in the BIOS (U ...)
+ TODO: check
+CVE-2021-3808 (Potential security vulnerabilities have been identified in the BIOS (U ...)
+ TODO: check
CVE-2021-3807 (ansi-regex is vulnerable to Inefficient Regular Expression Complexity ...)
- node-ansi-regex 5.0.1-1 (bug #994568)
[bullseye] - node-ansi-regex 5.0.1-1~deb11u1
@@ -138106,8 +138129,8 @@ CVE-2021-3441 (A potential security vulnerability has been identified for the HP
NOT-FOR-US: HP
CVE-2021-3440 (HP Print and Scan Doctor, an application within the HP Smart App for W ...)
NOT-FOR-US: HP
-CVE-2021-3439
- RESERVED
+CVE-2021-3439 (HP has identified a potential vulnerability in BIOS firmware of some W ...)
+ TODO: check
CVE-2021-3438 (A potential buffer overflow in the software drivers for certain HP Las ...)
NOT-FOR-US: HP LaserJet products and Samsung product printers
CVE-2021-3437 (Potential security vulnerabilities have been identified in an OMEN Gam ...)
@@ -219714,7 +219737,7 @@ CVE-2020-8185 (A denial of service vulnerability exists in Rails <6.0.3.2 tha
- rails <not-affected> (Introduced in rails 6.x)
NOTE: https://groups.google.com/g/rubyonrails-security/c/pAe9EV8gbM0
CVE-2020-8184 (A reliance on cookies without validation/integrity check security vuln ...)
- {DLA-2275-1}
+ {DLA-3298-1 DLA-2275-1}
- ruby-rack 2.1.1-6 (bug #963477)
NOTE: https://hackerone.com/reports/895727
NOTE: Fixed by: https://github.com/rack/rack/commit/1f5763de6a9fe515ff84992b343d63c88104654c
@@ -219813,7 +219836,7 @@ CVE-2020-8162 (A client side enforcement of server side security vulnerability e
NOTE: https://weblog.rubyonrails.org/2020/5/18/Rails-5-2-4-3-and-6-0-3-1-have-been-released
NOTE: https://github.com/rails/rails/commit/e8df5648515a0e8324d3b3c4bdb7bde6802cd8be (5.2)
CVE-2020-8161 (A directory traversal vulnerability exists in rack < 2.2.0 that all ...)
- {DLA-2275-1 DLA-2216-1}
+ {DLA-3298-1 DLA-2275-1 DLA-2216-1}
- ruby-rack 2.1.1-5
NOTE: https://groups.google.com/forum/#!msg/rubyonrails-security/IOO1vNZTzPA/Ylzi1UYLAAAJ
NOTE: Fixed by: https://github.com/rack/rack/commit/dddb7ad18ed79ca6ab06ccc417a169fde451246e
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/14a1bfefebed3975fdfac231624773aa001d028c
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/14a1bfefebed3975fdfac231624773aa001d028c
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20230131/3fba4617/attachment-0001.htm>
More information about the debian-security-tracker-commits
mailing list