[Git][security-tracker-team/security-tracker][master] NFUs

Moritz Muehlenhoff (@jmm) jmm at debian.org
Fri Mar 10 10:51:44 GMT 2023



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
604def06 by Moritz Muehlenhoff at 2023-03-10T11:51:03+01:00
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -41,7 +41,7 @@ CVE-2023-28006
 CVE-2023-28005
 	RESERVED
 CVE-2023-1307 (Authentication Bypass by Primary Weakness in GitHub repository froxlor ...)
-	TODO: check
+	- froxlor <itp> (bug #581792)
 CVE-2023-1306
 	RESERVED
 CVE-2023-1305
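Review bot: The froxlor entry is now tracked against an ITP (bug #581792) rather than marked NOT-FOR-US, which is the right choice for software expected to enter the archive and matches how homeassistant is handled later in this patch; it is worth checking that the ITP bug is still open, since an abandoned ITP would leave this CVE attached to a package that never arrives.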
@@ -49,13 +49,13 @@ CVE-2023-1305
 CVE-2023-1304
 	RESERVED
 CVE-2023-1303 (A vulnerability was found in UCMS 1.6 and classified as critical. This ...)
-	TODO: check
+	NOT-FOR-US: UCMS
 CVE-2023-1302 (A vulnerability, which was classified as problematic, was found in Sou ...)
-	TODO: check
+	NOT-FOR-US: SourceCodester
 CVE-2023-1301 (A vulnerability, which was classified as critical, has been found in S ...)
-	TODO: check
+	NOT-FOR-US: SourceCodester
 CVE-2023-1300 (A vulnerability classified as critical was found in SourceCodester COV ...)
-	TODO: check
+	NOT-FOR-US: SourceCodester
 CVE-2023-1299
 	RESERVED
 CVE-2023-1298
@@ -169,11 +169,11 @@ CVE-2023-1277 (A vulnerability, which was classified as critical, was found in k
 CVE-2018-25081 (** DISPUTED ** Bitwarden through 2023.2.1 offers password auto-fill wi ...)
 	NOT-FOR-US: Bitwarden
 CVE-2017-20182 (A vulnerability was found in Mobile Vikings Django AJAX Utilities up t ...)
-	TODO: check
+	NOT-FOR-US: Mobile Vikings Django AJAX Utilities
 CVE-2014-125093 (A vulnerability has been found in Ad Blocking Detector Plugin up to 1. ...)
-	TODO: check
+	NOT-FOR-US: Ad Blocking Detector Plugin
 CVE-2013-10020 (A vulnerability, which was classified as problematic, was found in MMD ...)
-	TODO: check
+	NOT-FOR-US: MMDeveloper
 CVE-2023-27970
 	RESERVED
 CVE-2023-27969
@@ -1601,7 +1601,7 @@ CVE-2023-27492
 CVE-2023-27491
 	RESERVED
 CVE-2023-27490 (NextAuth.js is an open source authentication solution for Next.js appl ...)
-	TODO: check
+	NOT-FOR-US: NextAuth.js
 CVE-2023-27489
 	RESERVED
 CVE-2023-27488
@@ -1613,9 +1613,9 @@ CVE-2023-27486 (xCAT is a toolkit for deployment and administration of computer
 CVE-2023-27485 (thmmniii/fbs-core is an open source feedback system for students. In v ...)
 	NOT-FOR-US: thmmniii/fbs-core
 CVE-2023-27484 (crossplane-runtime is a set of go libraries used to build Kubernetes c ...)
-	TODO: check
+	NOT-FOR-US: crossplane-runtime
 CVE-2023-27483 (crossplane-runtime is a set of go libraries used to build Kubernetes c ...)
-	TODO: check
+	NOT-FOR-US: crossplane-runtime
 CVE-2023-27482 (homeassistant is an open source home automation tool. A remotely explo ...)
 	- homeassistant <itp> (bug #839786)
 CVE-2023-27481 (Directus is a real-time API and App dashboard for managing SQL databas ...)
@@ -2390,31 +2390,31 @@ CVE-2023-27216
 CVE-2023-27215
 	RESERVED
 CVE-2023-27214 (Online Student Management System v1.0 was discovered to contain multip ...)
-	TODO: check
+	NOT-FOR-US: Online Student Management System
 CVE-2023-27213 (Online Student Management System v1.0 was discovered to contain a SQL  ...)
-	TODO: check
+	NOT-FOR-US: Online Student Management System
 CVE-2023-27212 (A cross-site scripting (XSS) vulnerability in /php-opos/signup.php of  ...)
-	TODO: check
+	NOT-FOR-US: Online Pizza Ordering System
 CVE-2023-27211 (A cross-site scripting (XSS) vulnerability in /admin/navbar.php of Onl ...)
-	TODO: check
+	NOT-FOR-US: Online Pizza Ordering System
 CVE-2023-27210 (Online Pizza Ordering System 1.0 was discovered to contain a SQL injec ...)
-	TODO: check
+	NOT-FOR-US: Online Pizza Ordering System
 CVE-2023-27209
 	RESERVED
 CVE-2023-27208 (A cross-site scripting (XSS) vulnerability in /php-opos/login.php of O ...)
-	TODO: check
+	NOT-FOR-US: Online Pizza Ordering System
 CVE-2023-27207 (Online Pizza Ordering System 1.0 was discovered to contain a SQL injec ...)
-	TODO: check
+	NOT-FOR-US: Online Pizza Ordering System
 CVE-2023-27206 (A cross-site scripting (XSS) vulnerability in /kruxton/navbar.php of B ...)
-	TODO: check
+	NOT-FOR-US: Best POS Management System
 CVE-2023-27205 (Best POS Management System 1.0 was discovered to contain a SQL injecti ...)
-	TODO: check
+	NOT-FOR-US: Best POS Management System
 CVE-2023-27204 (Best POS Management System 1.0 was discovered to contain a SQL injecti ...)
-	TODO: check
+	NOT-FOR-US: Best POS Management System
 CVE-2023-27203 (Best POS Management System 1.0 was discovered to contain a SQL injecti ...)
-	TODO: check
+	NOT-FOR-US: Best POS Management System
 CVE-2023-27202 (Best POS Management System 1.0 was discovered to contain a SQL injecti ...)
-	TODO: check
+	NOT-FOR-US: Best POS Management System
 CVE-2023-27201
 	RESERVED
 CVE-2023-27200
@@ -2904,7 +2904,7 @@ CVE-2023-26959
 CVE-2023-26958
 	RESERVED
 CVE-2023-26957 (onekeyadmin v1.3.9 was discovered to contain an arbitrary file delete  ...)
-	TODO: check
+	NOT-FOR-US: onekeyadmin
 CVE-2023-26956 (onekeyadmin v1.3.9 was discovered to contain an arbitrary file read vu ...)
 	NOT-FOR-US: onekeyadmin
 CVE-2023-26955 (onekeyadmin v1.3.9 was discovered to contain a stored cross-site scrip ...)
@@ -5004,9 +5004,9 @@ CVE-2023-26112
 CVE-2023-26111 (All versions of the package @nubosoftware/node-static; all versions of ...)
 	NOT-FOR-US: @nubosoftware/node-static
 CVE-2023-26110 (All versions of the package node-bluetooth are vulnerable to Buffer Ov ...)
-	TODO: check
+	NOT-FOR-US: node-bluetooth
 CVE-2023-26109 (All versions of the package node-bluetooth-serial-port are vulnerable  ...)
-	TODO: check
+	NOT-FOR-US: node-bluetooth-serial-port
 CVE-2023-26108 (Versions of the package @nestjs/core before 9.0.5 are vulnerable to In ...)
 	NOT-FOR-US: @nestjs/core
 CVE-2023-26107 (All versions of the package sketchsvg are vulnerable to Arbitrary Code ...)
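Review bot: Labels for npm packages are inconsistent within this patch: the two node-bluetooth entries here use the bare package name, while later hunks write `NOT-FOR-US: Node safe-eval`, `NOT-FOR-US: Node semver-tags` and `NOT-FOR-US: Node p4`. Settling on one form (the `Node ` prefix is the more common one in the surrounding context) makes the list easier to grep when one of these packages is later uploaded to Debian.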
@@ -5854,7 +5854,7 @@ CVE-2023-25816 (Nextcloud is an Open Source private cloud software. Versions 25.
 CVE-2023-25815
 	RESERVED
 CVE-2023-25814 (metersphere is an open source continuous testing platform. In versions ...)
-	TODO: check
+	NOT-FOR-US: metersphere
 CVE-2023-25813 (Sequelize is a Node.js ORM tool. In versions prior to 6.19.1 a SQL inj ...)
 	NOT-FOR-US: Sequelize
 CVE-2023-25812 (Minio is a Multi-Cloud Object Storage framework. Affected versions do  ...)
@@ -6839,7 +6839,7 @@ CVE-2023-25575 (API Platform Core is the server component of API Platform: hyper
 CVE-2023-25574
 	RESERVED
 CVE-2023-25573 (metersphere is an open source continuous testing platform. In affected ...)
-	TODO: check
+	NOT-FOR-US: metersphere
 CVE-2023-25572 (react-admin is a frontend framework for building browser applications  ...)
 	NOT-FOR-US: react-admin
 CVE-2023-25571 (Backstage is an open platform for building developer portals. `@backst ...)
@@ -8333,11 +8333,11 @@ CVE-2023-0625
 CVE-2023-0624 (OrangeScrum version 2.0.11 allows an external attacker to obtain arbit ...)
 	NOT-FOR-US: OrangeScrum
 CVE-2023-0623 (Cscape Envision RV version 4.60 is vulnerable to an out-of-bounds writ ...)
-	TODO: check
+	NOT-FOR-US: Cscape Envision RV
 CVE-2023-0622 (Cscape Envision RV version 4.60 is vulnerable to an out-of-bounds writ ...)
-	TODO: check
+	NOT-FOR-US: Cscape Envision RV
 CVE-2023-0621 (Cscape Envision RV version 4.60 is vulnerable to an out-of-bounds read ...)
-	TODO: check
+	NOT-FOR-US: Cscape Envision RV
 CVE-2023-0620
 	RESERVED
 CVE-2023-25000
@@ -32770,7 +32770,7 @@ CVE-2023-20066
 CVE-2023-20065
 	RESERVED
 CVE-2023-20064 (A vulnerability in the GRand Unified Bootloader (GRUB) for Cisco IOS X ...)
-	TODO: check
+	NOT-FOR-US: Cisco's use of GRUB
 CVE-2023-20063
 	RESERVED
 CVE-2023-20062 (Multiple vulnerabilities in Cisco Unified Intelligence Center could al ...)
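Review bot: The label `NOT-FOR-US: Cisco's use of GRUB` is a useful call-out, since GRUB itself is packaged in Debian as src:grub2; a NOTE line stating whether the flaw lies in Cisco's integration or in upstream GRUB code would make it clear to a later triager why src:grub2 is not listed.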
@@ -32803,7 +32803,7 @@ CVE-2023-20051
 CVE-2023-20050 (A vulnerability in the CLI of Cisco NX-OS Software could allow an auth ...)
 	NOT-FOR-US: Cisco
 CVE-2023-20049 (A vulnerability in the bidirectional forwarding detection (BFD) hardwa ...)
-	TODO: check
+	NOT-FOR-US: Cisco
 CVE-2023-20048
 	RESERVED
 CVE-2023-20047 (A vulnerability in the Link Layer Discovery Protocol (LLDP) feature of ...)
@@ -74298,7 +74298,7 @@ CVE-2022-29058 (An improper neutralization of special elements [CWE-89] used in
 CVE-2022-29057 (A improper neutralization of input during web page generation ('cross- ...)
 	NOT-FOR-US: Fortinet
 CVE-2022-29056 (A improper restriction of excessive authentication attempts vulnerabil ...)
-	TODO: check
+	NOT-FOR-US: Fortinet
 CVE-2022-29055 (A access of uninitialized pointer in Fortinet FortiOS version 7.2.0, 7 ...)
 	NOT-FOR-US: FortiGuard
 CVE-2022-29054 (A missing cryptographic steps vulnerability [CWE-325] in the functions ...)
@@ -83266,7 +83266,7 @@ CVE-2022-25907 (The package ts-deepmerge before 2.0.2 are vulnerable to Prototyp
 CVE-2022-25906 (All versions of the package is-http2 are vulnerable to Command Injecti ...)
 	NOT-FOR-US: Node is-http2
 CVE-2022-25904 (All versions of package safe-eval are vulnerable to Prototype Pollutio ...)
-	TODO: check
+	NOT-FOR-US: Node safe-eval
 CVE-2022-25903 (The package opcua from 0.0.0 are vulnerable to Denial of Service (DoS) ...)
 	NOT-FOR-US: Rust crate opcua
 CVE-2022-25902
@@ -83381,7 +83381,7 @@ CVE-2022-25855 (All versions of the package create-choo-app3 are vulnerable to C
 CVE-2022-25854 (This affects the package @yaireo/tagify before 4.9.8. The package is u ...)
 	NOT-FOR-US: Tagify
 CVE-2022-25853 (All versions of the package semver-tags are vulnerable to Command Inje ...)
-	TODO: check
+	NOT-FOR-US: Node semver-tags
 CVE-2022-25852 (All versions of package pg-native; all versions of package libpq are v ...)
 	NOT-FOR-US: Node pgnative
 CVE-2022-25851 (The package jpeg-js before 0.4.4 are vulnerable to Denial of Service ( ...)
@@ -83391,9 +83391,9 @@ CVE-2022-25850 (The package github.com/hoppscotch/proxyscotch before 1.0.0 are v
 CVE-2022-25849 (The package joyqi/hyper-down from 0.0.0 are vulnerable to Cross-site S ...)
 	NOT-FOR-US: joyqi/hyper-down
 CVE-2022-25848 (This affects all versions of package static-dev-server. This is becaus ...)
-	TODO: check
+	NOT-FOR-US: static-dev-server
 CVE-2022-25847 (All versions of the package serve-lite are vulnerable to Cross-site Sc ...)
-	TODO: check
+	NOT-FOR-US: serve-lite
 CVE-2022-25846
 	RESERVED
 CVE-2022-25845 (The package com.alibaba:fastjson before 1.2.83 are vulnerable to Deser ...)
@@ -83456,7 +83456,7 @@ CVE-2022-25352 (The package libnested before 1.5.2 are vulnerable to Prototype P
 CVE-2022-25351
 	RESERVED
 CVE-2022-25350 (All versions of the package puppet-facter are vulnerable to Command In ...)
-	TODO: check
+	NOT-FOR-US: Node puppet-facter (different from src:facter)
 CVE-2022-25349 (All versions of package materialize-css are vulnerable to Cross-site S ...)
 	- materialize <unfixed> (bug #1014727)
 	NOTE: https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2766498
@@ -83490,7 +83490,7 @@ CVE-2022-25232
 CVE-2022-25231 (The package node-opcua before 2.74.0 are vulnerable to Denial of Servi ...)
 	NOT-FOR-US: node-opcua/node-opcua
 CVE-2022-25171 (The package p4 before 0.0.7 are vulnerable to Command Injection via th ...)
-	TODO: check
+	NOT-FOR-US: Node p4
 CVE-2022-24913 (Versions of the package com.fasterxml.util:java-merge-sort before 1.1. ...)
 	NOT-FOR-US: com.fasterxml.util:java-merge-sort
 CVE-2022-24912 (The package github.com/runatlantis/atlantis/server/controllers/events  ...)
@@ -83521,7 +83521,7 @@ CVE-2022-24434 (This affects all versions of package dicer. A malicious attacker
 CVE-2022-24433 (The package simple-git before 3.3.0 are vulnerable to Command Injectio ...)
 	NOT-FOR-US: simple-git
 CVE-2022-24431 (All versions of package abacus-ext-cmdline are vulnerable to Command I ...)
-	TODO: check
+	NOT-FOR-US: abacus-ext-cmdline
 CVE-2022-24430
 	RESERVED
 CVE-2022-24429 (The package convert-svg-core before 0.6.3 are vulnerable to Arbitrary  ...)
@@ -83529,7 +83529,7 @@ CVE-2022-24429 (The package convert-svg-core before 0.6.3 are vulnerable to Arbi
 CVE-2022-24381 (All versions of package asneg/opcuastack are vulnerable to Denial of S ...)
 	NOT-FOR-US: ASNeG/OpcUaStack
 CVE-2022-24377 (The package cycle-import-check before 1.3.2 are vulnerable to Command  ...)
-	TODO: check
+	NOT-FOR-US: cycle-import-check
 CVE-2022-24376 (All versions of package git-promise are vulnerable to Command Injectio ...)
 	NOT-FOR-US: Node git-promise
 CVE-2022-24375 (The package node-opcua before 2.74.0 are vulnerable to Denial of Servi ...)
@@ -83572,7 +83572,7 @@ CVE-2022-22138 (All versions of package fast-string-search are vulnerable to Den
 CVE-2022-21811
 	RESERVED
 CVE-2022-21810 (All versions of the package smartctl are vulnerable to Command Injecti ...)
-	TODO: check
+	NOT-FOR-US: Node smartctl
 CVE-2022-21803 (This affects the package nconf before 0.11.4. When using the memory en ...)
 	NOT-FOR-US: node nconf
 CVE-2022-21802 (The package grapesjs before 0.19.5 are vulnerable to Cross-site Script ...)
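Review bot: `NOT-FOR-US: Node smartctl` names a package whose name collides with the smartctl tool shipped in Debian (smartmontools); adding a parenthetical like the one used earlier in this patch for puppet-facter (`different from src:facter`) would stop a later triager from wrongly matching this CVE to the Debian package.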
@@ -83624,7 +83624,7 @@ CVE-2022-21208 (The package node-opcua before 2.74.0 are vulnerable to Denial of
 CVE-2022-21195 (All versions of package url-regex are vulnerable to Regular Expression ...)
 	NOT-FOR-US: AlexFlipnote/url_regex
 CVE-2022-21192 (All versions of the package serve-lite are vulnerable to Directory Tra ...)
-	TODO: check
+	NOT-FOR-US: serve-lite
 CVE-2022-21191 (Versions of the package global-modules-path before 3.0.0 are vulnerabl ...)
 	NOT-FOR-US: Node global-modules-path
 CVE-2022-21190 (This affects the package convict before 6.2.3. This is a bypass of [CV ...)
@@ -83688,9 +83688,9 @@ CVE-2022-0744
 CVE-2022-25838 (Laravel Fortify before 1.11.1 allows reuse within a short time window, ...)
 	NOT-FOR-US: Laravel Fortify
 CVE-2022-25837 (Bluetooth® Pairing in Bluetooth Core Specification v1.0B through  ...)
-	TODO: check
+	NOT-FOR-US: Bluetooth protocol issue
 CVE-2022-25836 (Bluetooth® Low Energy Pairing in Bluetooth Core Specification v4. ...)
-	TODO: check
+	NOT-FOR-US: Bluetooth protocol issue
 CVE-2022-25835
 	RESERVED
 CVE-2022-25834
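Review bot: Both Bluetooth entries are closed as `NOT-FOR-US: Bluetooth protocol issue`, but Debian ships bluez, which implements the pairing procedures named in the CVE descriptions. If the conclusion is that these are specification-level weaknesses with no implementation-side fix, a NOTE line saying so, with a reference, would prevent the entries being reopened the next time someone searches the list for bluez CVEs.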
@@ -91372,7 +91372,7 @@ CVE-2022-23525 (Helm is a tool for managing Charts, pre-configured Kubernetes re
 CVE-2022-23524 (Helm is a tool for managing Charts, pre-configured Kubernetes resource ...)
 	- helm-kubernetes <itp> (bug #910799)
 CVE-2022-23523 (In versions prior to 0.8.1, the linux-loader crate uses the offsets an ...)
-	TODO: check
+	NOT-FOR-US: Rust crate linux-loader
 CVE-2022-23522
 	RESERVED
 CVE-2022-23521 (Git is distributed revision control system. gitattributes are a mechan ...)
@@ -91450,7 +91450,7 @@ CVE-2022-23501 (TYPO3 is an open source PHP based web content management system.
 CVE-2022-23500 (TYPO3 is an open source PHP based web content management system. In ve ...)
 	NOT-FOR-US: Typo3
 CVE-2022-23499 (HTML sanitizer is written in PHP, aiming to provide XSS-safe markup ba ...)
-	TODO: check
+	NOT-FOR-US: Typo3 extension
 CVE-2022-23498 (Grafana is an open-source platform for monitoring and observability. W ...)
 	- grafana <not-affected> (Specific to Grafana Enterprise)
 CVE-2022-23497 (FreshRSS is a free, self-hostable RSS aggregator. User configuration f ...)
@@ -91544,7 +91544,7 @@ CVE-2022-23467 (OpenRazer is an open source driver and user-space daemon to cont
 CVE-2022-23466 (teler is an real-time intrusion detection and threat alert dashboard.  ...)
 	NOT-FOR-US: teler
 CVE-2022-23465 (SwiftTerm is a Xterm/VT100 Terminal emulator. Prior to commit a94e6b24 ...)
-	TODO: check
+	NOT-FOR-US: SwiftTerm
 CVE-2022-23464 (Nepxion Discovery is a solution for Spring Cloud. Discovery is vulnera ...)
 	NOT-FOR-US: Nepxion
 CVE-2022-23463 (Nepxion Discovery is a solution for Spring Cloud. Discover is vulnerab ...)
@@ -123940,7 +123940,7 @@ CVE-2021-37504 (A cross-site scripting (XSS) vulnerability in the fileNameStr pa
 CVE-2021-37503
 	RESERVED
 CVE-2021-37502 (Cross Site Scripting (XSS) vulnerability in automad 1.7.5 allows remot ...)
-	TODO: check
+	NOT-FOR-US: automad
 CVE-2021-37501 (Buffer Overflow vulnerability in HDFGroup hdf5-h5dump 1.12.0 through 1 ...)
 	TODO: check
 CVE-2021-37500 (Directory traversal vulnerability in Reprise License Manager (RLM) web ...)
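Review bot: CVE-2021-37502 is correctly closed as NOT-FOR-US, and it is right that the adjacent CVE-2021-37501 (hdf5-h5dump) is left at `TODO: check` rather than swept up in the same NFU pass, since HDF5 is packaged in Debian and that entry needs a real affected/not-affected decision.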
@@ -124496,7 +124496,7 @@ CVE-2021-37236
 CVE-2021-37235
 	RESERVED
 CVE-2021-37234 (Incorrect Access Control vulnerability in Modern Honey Network commit  ...)
-	TODO: check
+	NOT-FOR-US: Modern Honey Network
 CVE-2021-37233
 	RESERVED
 CVE-2021-37232 (A stack overflow vulnerability occurs in Atomicparsley 20210124.204813 ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/604def06ae770af73df3bd208cf7ea323d77e9e8
