[Git][security-tracker-team/security-tracker][master] NFUs

Moritz Muehlenhoff (@jmm) jmm at debian.org
Wed Mar 1 10:02:48 GMT 2023



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
20f7932a by Moritz Muehlenhoff at 2023-03-01T11:02:24+01:00
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -247,9 +247,9 @@ CVE-2023-27296
 CVE-2023-27295 (Cross-site request forgery is facilitated by OpenCATS failure to requi ...)
 	NOT-FOR-US: OpenCATS
 CVE-2023-27294 (Improper neutralization of input during web page generation allows an  ...)
-	TODO: check
+	NOT-FOR-US: OpenCATS
 CVE-2023-27293 (Improper neutralization of input during web page generation allows an  ...)
-	TODO: check
+	NOT-FOR-US: OpenCATS
 CVE-2023-27292 (An open redirect vulnerability exposes OpenCATS to template injection  ...)
 	NOT-FOR-US: OpenCATS
 CVE-2023-26594
@@ -3856,7 +3856,7 @@ CVE-2023-0849 (A vulnerability has been found in Netgear WNDR3700v2 1.0.1.14 and
 CVE-2023-0848 (A vulnerability was found in Netgear WNDR3700v2 1.0.1.14. It has been  ...)
 	NOT-FOR-US: Netgear
 CVE-2023-0847 (The Sub-IoT implementation of the DASH 7 Alliance protocol has a vulne ...)
-	TODO: check
+	NOT-FOR-US: DASH 7 Alliance protocol
 CVE-2023-25858
 	RESERVED
 CVE-2023-25857
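Review bot: the new label on the CVE-2023-0847 line names the protocol rather than the affected code: the description says the flaw is in the Sub-IoT implementation of the DASH 7 Alliance protocol, so `NOT-FOR-US: Sub-IoT (DASH 7 implementation)` would point a later triager at the right project instead of at a specification that several implementations may share.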
@@ -3967,7 +3967,7 @@ CVE-2023-25809
 CVE-2023-25808
 	RESERVED
 CVE-2023-25807 (DataEase is an open source data visualization and analysis tool. When  ...)
-	TODO: check
+	NOT-FOR-US: DataEase
 CVE-2023-25806
 	RESERVED
 CVE-2023-25805 (versionn, software for changing version information across multiple fi ...)
@@ -4928,7 +4928,7 @@ CVE-2023-25577 (Werkzeug is a comprehensive WSGI web application library. Prior
 CVE-2023-25576 (@fastify/multipart is a Fastify plugin to parse the multipart content- ...)
 	NOT-FOR-US: Fastify plugin
 CVE-2023-25575 (API Platform Core is the server component of API Platform: hypermedia  ...)
-	TODO: check
+	NOT-FOR-US: API Platform Core
 CVE-2023-25574
 	RESERVED
 CVE-2023-25573
@@ -8966,7 +8966,7 @@ CVE-2023-24047
 CVE-2023-24046
 	RESERVED
 CVE-2023-24045 (In Dataiku DSS 11.2.1, an attacker can download other Dataiku files th ...)
-	TODO: check
+	NOT-FOR-US: Dataiku
 CVE-2023-24044 (** DISPUTED ** A Host Header Injection issue on the Login page of Ples ...)
 	NOT-FOR-US: Plesk Obsidian
 CVE-2023-24043
@@ -19120,9 +19120,9 @@ CVE-2022-47078
 CVE-2022-47077
 	RESERVED
 CVE-2022-47076 (An issue was discovered in Smart Office Web 20.28 and earlier allows a ...)
-	TODO: check
+	NOT-FOR-US: Smart Office Web
 CVE-2022-47075 (An issue was discovered in Smart Office Web 20.28 and earlier allows a ...)
-	TODO: check
+	NOT-FOR-US: Smart Office Web
 CVE-2022-47074
 	RESERVED
 CVE-2022-47073 (A cross-site scripting (XSS) vulnerability in the Create Ticket page o ...)
@@ -27164,7 +27164,7 @@ CVE-2023-20935
 CVE-2023-20934 (In resolveAttributionSource of ServiceUtilities.cpp, there is a possib ...)
 	NOT-FOR-US: Android
 CVE-2023-20933 (In several functions of MediaCodec.cpp, there is a possible way to cor ...)
-	NOT-FOR-US: Android
+	NOT-FOR-US: Android media framework
 CVE-2023-20932 (In onCreatePreferences of EditInfoFragment.java, there is a possible w ...)
 	NOT-FOR-US: Android
 CVE-2023-20931
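Review bot: style point on the CVE-2023-20933 line: the neighbouring CVE-2023-20934 and CVE-2023-20932 entries keep the plain `NOT-FOR-US: Android` that this line had before, so narrowing only this one to `Android media framework` leaves three entries from the same batch inconsistent; either keep `Android` here or record the component on the siblings too (their descriptions already name ServiceUtilities.cpp and EditInfoFragment.java).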
@@ -49895,7 +49895,7 @@ CVE-2017-20146 (Usage of the CORS handler may apply improper CORS headers, allow
 	NOTE: https://github.com/gorilla/handlers/pull/116
 	NOTE: https://github.com/gorilla/handlers/commit/90663712d74cb411cbef281bc1e08c19d1a76145 (v1.3.0)
 CVE-2015-10004 (Token validation methods are susceptible to a timing side-channel duri ...)
-	TODO: check
+	NOT-FOR-US: Go robbert229/jwt
 CVE-2014-125026 (LZ4 bindings use a deprecated C API that is vulnerable to memory corru ...)
 	NOT-FOR-US: golz4 (Golang interface to LZ4)
 CVE-2013-10005 (The RemoteAddr and LocalAddr methods on the returned net.Conn may call ...)
@@ -51481,7 +51481,7 @@ CVE-2022-2505 (Mozilla developers and the Mozilla Fuzzing Team reported memory s
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-30/#CVE-2022-2505
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-32/#CVE-2022-2505
 CVE-2022-2504 (Improper Neutralization of Special Elements used in an SQL Command ('S ...)
-	TODO: check
+	NOT-FOR-US: SDD-Baro
 CVE-2022-2503 (Dm-verity is used for extending root-of-trust to root filesystems. Loa ...)
 	- linux 5.18.2-1
 	[bullseye] - linux 5.10.120-1
@@ -81298,7 +81298,7 @@ CVE-2022-25884
 CVE-2022-25883
 	RESERVED
 CVE-2022-25882 (Versions of the package onnx before 1.13.0 are vulnerable to Directory ...)
-	TODO: check
+	NOT-FOR-US: onnx
 CVE-2022-25881 (This affects versions of the package http-cache-semantics before 4.1.1 ...)
 	TODO: check
 CVE-2022-25879
@@ -89268,9 +89268,9 @@ CVE-2022-23556 (CodeIgniter is a PHP full-stack web framework. This vulnerabilit
 CVE-2022-23555 (authentik is an open-source Identity Provider focused on flexibility a ...)
 	NOT-FOR-US: authentik
 CVE-2022-23554 (Alpine is a scaffolding library in Java. Alpine prior to version 1.10. ...)
-	TODO: check
+	NOT-FOR-US: Alpine Java scaffolding library (different from src:alpine)
 CVE-2022-23553 (Alpine is a scaffolding library in Java. Alpine prior to version 1.10. ...)
-	TODO: check
+	NOT-FOR-US: Alpine Java scaffolding library (different from src:alpine)
 CVE-2022-23552 (Grafana is an open-source platform for monitoring and observability. S ...)
 	- grafana <removed>
 CVE-2022-23551 (aad-pod-identity assigns Azure Active Directory identities to Kubernet ...)
@@ -89506,7 +89506,7 @@ CVE-2022-23471 (containerd is an open source container runtime. A bug was found
 	NOTE: https://github.com/containerd/containerd/security/advisories/GHSA-2qjp-425j-52j9
 	NOTE: https://github.com/containerd/containerd/commit/a05d175400b1145e5e6a735a6710579d181e7fb0
 CVE-2022-23470 (Galaxy is an open-source platform for data analysis. An arbitrary file ...)
-	TODO: check
+	NOT-FOR-US: Galaxy
 CVE-2022-23469 (Traefik is an open source HTTP reverse proxy and load balancer. Versio ...)
 	- traefik <itp> (bug #983289)
 CVE-2022-23468 (xrdp is an open source project which provides a graphical login to rem ...)
@@ -89519,7 +89519,7 @@ CVE-2022-23467 (OpenRazer is an open source driver and user-space daemon to cont
 	NOTE: https://github.com/openrazer/openrazer/security/advisories/GHSA-39hg-jvc9-fg7h
 	NOTE: https://github.com/openrazer/openrazer/commit/33aa7f07d54ae066f201c6d298cb4a2181cb90e6 (v3.5.1)
 CVE-2022-23466 (teler is an real-time intrusion detection and threat alert dashboard.  ...)
-	TODO: check
+	NOT-FOR-US: teler
 CVE-2022-23465 (SwiftTerm is a Xterm/VT100 Terminal emulator. Prior to commit a94e6b24 ...)
 	TODO: check
 CVE-2022-23464 (Nepxion Discovery is a solution for Spring Cloud. Discovery is vulnera ...)
@@ -90525,9 +90525,9 @@ CVE-2022-23242 (TeamViewer Linux versions before 15.28 do not properly execute a
 CVE-2022-23241 (Clustered Data ONTAP versions 9.11.1 through 9.11.1P2 with SnapLock co ...)
 	NOT-FOR-US: Clustered Data ONTAP
 CVE-2022-23240 (Active IQ Unified Manager for VMware vSphere, Linux, and Microsoft Win ...)
-	TODO: check
+	NOT-FOR-US: Active IQ Unified Manager
 CVE-2022-23239 (Active IQ Unified Manager for VMware vSphere, Linux, and Microsoft Win ...)
-	TODO: check
+	NOT-FOR-US: Active IQ Unified Manager
 CVE-2022-23238 (Linux deployments of StorageGRID (formerly StorageGRID Webscale) versi ...)
 	NOT-FOR-US: StorageGRID (formerly StorageGRID Webscale)
 CVE-2022-23237 (E-Series SANtricity OS Controller Software 11.x versions through 11.70 ...)
@@ -92822,7 +92822,7 @@ CVE-2022-22670 (An access issue was addressed with improved access restrictions.
 CVE-2022-22669 (A use after free issue was addressed with improved memory management.  ...)
 	NOT-FOR-US: Apple
 CVE-2022-22668 (A logic issue was addressed with improved restrictions. This issue is  ...)
-	TODO: check
+	NOT-FOR-US: Apple
 CVE-2022-22667 (A use after free issue was addressed with improved memory management.  ...)
 	NOT-FOR-US: Apple
 CVE-2022-22666 (A memory corruption issue was addressed with improved validation. This ...)
@@ -93022,7 +93022,7 @@ CVE-2022-22584 (A memory corruption issue was addressed with improved validation
 CVE-2022-22583 (A permissions issue was addressed with improved validation. This issue ...)
 	NOT-FOR-US: Apple
 CVE-2022-22582 (A validation issue existed in the handling of symlinks. This issue was ...)
-	TODO: check
+	NOT-FOR-US: Apple
 CVE-2022-22581
 	RESERVED
 CVE-2022-22580
@@ -98031,7 +98031,7 @@ CVE-2021-45034 (A vulnerability has been identified in CP-8000 MASTER MODULE WIT
 CVE-2021-45033 (A vulnerability has been identified in CP-8000 MASTER MODULE WITH I/O  ...)
 	NOT-FOR-US: Siemens
 CVE-2021-45032 (This CVE ID has been rejected or withdrawn by its CVE Numbering Author ...)
-	TODO: check
+	NOT-FOR-US: Rejected CVE
 CVE-2021-45031 (A vulnerability in MEPSAN's USC+ before version 3.0 has a weakness in  ...)
 	NOT-FOR-US: MEPSAN
 CVE-2021-45030
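Review bot: `NOT-FOR-US: Rejected CVE` on the CVE-2021-45032 line records the wrong kind of state: the description says the ID was rejected or withdrawn by its CNA, so there is no product to be out of scope, while NOT-FOR-US is what the rest of this hunk uses for software Debian does not ship (Siemens, MEPSAN). Mark it with the tracker's dedicated `REJECTED` status, the way the nearby `RESERVED` lines mark unpublished IDs, so tooling can tell a dead ID from an external product.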
@@ -98568,7 +98568,7 @@ CVE-2021-4107 (yetiforcecrm is vulnerable to Improper Neutralization of Input Du
 CVE-2021-4106 (A vulnerability in Snow Inventory Java Scanner allows an attacker to r ...)
 	NOT-FOR-US: Snow Inventory Java Scanner
 CVE-2021-4105 (Improper Handling of Parameters vulnerability in BG-TEK COSLAT Firewal ...)
-	TODO: check
+	NOT-FOR-US: BG-TEK
 CVE-2018-25022 (The Onion module in toxcore before 0.2.2 doesn't restrict which packet ...)
 	- libtoxcore 0.2.2-1
 	NOTE: https://blog.tox.chat/2018/04/security-vulnerability-and-new-toxcore-release
@@ -108441,7 +108441,7 @@ CVE-2022-20237 (In BuildDevIDResponse of miscdatabuilder.cpp, there is a possibl
 CVE-2022-20236 (A drm driver have oob problem, could cause the system crash or EOPProd ...)
 	NOT-FOR-US: Unisoc
 CVE-2022-20235 (The PowerVR GPU kernel driver maintains an "Information Page" used by  ...)
-	TODO: check
+	NOT-FOR-US: Android
 CVE-2022-20234 (In Car Settings app, the NotificationAccessConfirmationActivity is exp ...)
 	NOT-FOR-US: Android
 CVE-2022-20233 (In param_find_digests_internal and related functions of the Titan-M so ...)
@@ -110314,9 +110314,9 @@ CVE-2021-41990 (The gmp plugin in strongSwan before 5.9.4 has a remote integer o
 	[stretch] - strongswan <not-affected> (The vulnerable code was introduced later in version 5.6.1)
 	NOTE: https://www.strongswan.org/blog/2021/10/18/strongswan-vulnerability-(cve-2021-41990).html
 CVE-2021-41989 (Qlik QlikView through 12.60.20100.0 creates a Temporary File in a Dire ...)
-	TODO: check
+	NOT-FOR-US: Qlik
 CVE-2021-41988 (Qlik NPrinting Designer through 21.14.3.0 creates a Temporary File in  ...)
-	TODO: check
+	NOT-FOR-US: Qlik
 CVE-2021-41987 (In the SCEP Server of RouterOS in certain Mikrotik products, an attack ...)
 	NOT-FOR-US: Mikrotik
 CVE-2021-41986
@@ -110358,7 +110358,7 @@ CVE-2021-41971 (Apache Superset up to and including 1.3.0 when configured with E
 CVE-2021-3856 (ClassLoaderTheme and ClasspathThemeResourceProviderFactory allows read ...)
 	NOT-FOR-US: Keycloak
 CVE-2021-3855 (Improper Neutralization of Special Elements used in a Command ('Comman ...)
-	TODO: check
+	NOT-FOR-US: Liman MYS
 CVE-2021-3854
 	RESERVED
 CVE-2021-XXXX [RUSTSEC-2021-0119: Out-of-bounds write in nix::unistd::getgrouplist]
@@ -110719,7 +110719,7 @@ CVE-2021-41825 (Verint Workforce Optimization (WFO) 15.2.5.1033 allows HTML inje
 CVE-2021-41824 (Craft CMS before 3.7.14 allows CSV injection. ...)
 	NOT-FOR-US: Craft CMS
 CVE-2021-41823 (The Web Application Firewall (WAF) in Kemp LoadMaster 7.2.54.1 allows  ...)
-	TODO: check
+	NOT-FOR-US: Kemp LoadMaster
 CVE-2021-41822
 	RESERVED
 CVE-2021-41821 (Wazuh Manager in Wazuh through 4.1.5 is affected by a remote Integer U ...)
@@ -114597,9 +114597,9 @@ CVE-2021-40344 (An issue was discovered in Nagios XI 5.8.5. In the Custom Includ
 CVE-2021-40343 (An issue was discovered in Nagios XI 5.8.5. Insecure file permissions  ...)
 	NOT-FOR-US: Nagios XI
 CVE-2021-40342 (In the DES implementation, the affected product versions use a default ...)
-	TODO: check
+	NOT-FOR-US: Hitachi
 CVE-2021-40341 (DES cipher, which has inadequate encryption strength, is used Hitachi  ...)
-	TODO: check
+	NOT-FOR-US: Hitachi
 CVE-2021-40340 (Information Exposure vulnerability in Hitachi Energy LinkOne applicati ...)
 	NOT-FOR-US: Hitachi
 CVE-2021-40339 (Configuration vulnerability in Hitachi Energy LinkOne application due  ...)
@@ -116906,7 +116906,7 @@ CVE-2021-39371 (An XML external entity (XXE) injection in PyWPS before 4.4.5 all
 CVE-2021-39370
 	RESERVED
 CVE-2021-39369 (In Philips (formerly Carestream) Vue MyVue PACS through 12.2.x.x, the  ...)
-	TODO: check
+	NOT-FOR-US: Philips (formerly Carestream) Vue MyVue PACS
 CVE-2021-39368 (Canon Oce Print Exec Workgroup 1.3.2 allows XSS via the lang parameter ...)
 	NOT-FOR-US: Canon Oce Print Exec Workgroup
 CVE-2021-39367 (Canon Oce Print Exec Workgroup 1.3.2 allows Host header injection. ...)
@@ -119786,11 +119786,11 @@ CVE-2021-38243
 CVE-2021-38242
 	RESERVED
 CVE-2021-38241 (Deserialization issue discovered in Ruoyi before 4.6.1 allows remote a ...)
-	TODO: check
+	NOT-FOR-US: Ruoyi
 CVE-2021-38240
 	RESERVED
 CVE-2021-38239 (SQL Injection vulnerability in dataease before 1.2.0, allows attackers ...)
-	TODO: check
+	NOT-FOR-US: DataEase
 CVE-2021-38238
 	RESERVED
 CVE-2021-38237
@@ -121188,7 +121188,7 @@ CVE-2021-37776
 CVE-2021-37775
 	RESERVED
 CVE-2021-37774 (An issue was discovered in function httpProcDataSrv in TL-WDR7660 2.0. ...)
-	TODO: check
+	NOT-FOR-US: TL-WDR7660
 CVE-2021-37773
 	RESERVED
 CVE-2021-37772
@@ -121872,7 +121872,7 @@ CVE-2021-37520
 CVE-2021-37519 (Buffer Overflow vulnerability in authfile.c memcached 1.6.9 allows att ...)
 	TODO: check
 CVE-2021-37518 (Universal Cross Site Scripting (UXSS) vulnerability in Vimium Extensio ...)
-	TODO: check
+	NOT-FOR-US: Vivium
 CVE-2021-37517 (An Access Control vulnerability exists in Dolibarr ERP/CRM 13.0.2, fix ...)
 	- dolibarr <removed>
 CVE-2021-37516
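Review bot: typo on the CVE-2021-37518 line: the description names the Vimium extension, but the new label reads `NOT-FOR-US: Vivium`; it should be `NOT-FOR-US: Vimium` so that a search for the extension's name matches this entry.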
@@ -121908,13 +121908,13 @@ CVE-2021-37502 (Cross Site Scripting (XSS) vulnerability in automad 1.7.5 allows
 CVE-2021-37501 (Buffer Overflow vulnerability in HDFGroup hdf5-h5dump 1.12.0 through 1 ...)
 	TODO: check
 CVE-2021-37500 (Directory traversal vulnerability in Reprise License Manager (RLM) web ...)
-	TODO: check
+	NOT-FOR-US: Reprise License Manager
 CVE-2021-37499 (CRLF vulnerability in Reprise License Manager (RLM) web interface thro ...)
-	TODO: check
+	NOT-FOR-US: Reprise License Manager
 CVE-2021-37498 (An SSRF issue was discovered in Reprise License Manager (RLM) web inte ...)
-	TODO: check
+	NOT-FOR-US: Reprise License Manager
 CVE-2021-37497 (SQL injection vulnerability in route of PbootCMS 3.0.5 allows remote a ...)
-	TODO: check
+	NOT-FOR-US: PbootCMS
 CVE-2021-37496
 	RESERVED
 CVE-2021-37495
@@ -121924,7 +121924,7 @@ CVE-2021-37494
 CVE-2021-37493
 	RESERVED
 CVE-2021-37492 (An issue discovered in src/wallet/wallet.cpp in Ravencoin Core 4.3.2.1 ...)
-	TODO: check
+	NOT-FOR-US: Ravencoin
 CVE-2021-37491 (An issue discovered in src/wallet/wallet.cpp in Dogecoin Project Dogec ...)
 	TODO: check
 CVE-2021-37490
@@ -122168,19 +122168,19 @@ CVE-2021-37381 (Southsoft GMIS 5.0 is vulnerable to CSRF attacks. Attackers can
 CVE-2021-37380
 	RESERVED
 CVE-2021-37379 (** UNSUPPORTED WHEN ASSIGNED ** Cross Site Scripting (XSS) vulnerabili ...)
-	TODO: check
+	NOT-FOR-US: Teradek
 CVE-2021-37378 (** UNSUPPORTED WHEN ASSIGNED ** Cross Site Scripting (XSS) vulnerabili ...)
-	TODO: check
+	NOT-FOR-US: Teradek
 CVE-2021-37377 (** UNSUPPORTED WHEN ASSIGNED ** Cross Site Scripting (XSS) vulnerabili ...)
-	TODO: check
+	NOT-FOR-US: Teradek
 CVE-2021-37376 (** UNSUPPORTED WHEN ASSIGNED ** Cross Site Scripting (XSS) vulnerabili ...)
-	TODO: check
+	NOT-FOR-US: Teradek
 CVE-2021-37375 (** UNSUPPORTED WHEN ASSIGNED ** Cross Site Scripting (XSS) vulnerabili ...)
-	TODO: check
+	NOT-FOR-US: Teradek
 CVE-2021-37374 (** UNSUPPORTED WHEN ASSIGNED ** Cross Site Scripting (XSS) vulnerabili ...)
-	TODO: check
+	NOT-FOR-US: Teradek
 CVE-2021-37373 (** UNSUPPORTED WHEN ASSIGNED ** Cross Site Scripting (XSS) vulnerabili ...)
-	TODO: check
+	NOT-FOR-US: Teradek
 CVE-2021-37372 (Online Student Admission System 1.0 is affected by an insecure file up ...)
 	NOT-FOR-US: Online Student Admission System
 CVE-2021-37371 (Online Student Admission System 1.0 is affected by an unauthenticated  ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/20f7932af283b0e05a58b90005d336198571ed97
