[Git][security-tracker-team/security-tracker][master] automatic update

Salvatore Bonaccorso (@carnil) carnil at debian.org
Mon Mar 13 08:10:23 GMT 2023



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
41a11235 by security tracker role at 2023-03-13T08:10:13+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,3 +1,69 @@
+CVE-2023-28158
+	RESERVED
+CVE-2023-28157
+	RESERVED
+CVE-2023-28156
+	RESERVED
+CVE-2023-28155
+	RESERVED
+CVE-2023-28154 (Webpack 5 before 5.76.0 does not avoid cross-realm object access. Impo ...)
+	TODO: check
+CVE-2023-1363 (A vulnerability, which was classified as problematic, was found in Sou ...)
+	TODO: check
+CVE-2023-1362 (Improper Restriction of Rendered UI Layers or Frames in GitHub reposit ...)
+	TODO: check
+CVE-2023-1361 (SQL Injection in GitHub repository unilogies/bumsys prior to v2.0.2. ...)
+	TODO: check
+CVE-2022-48392
+	RESERVED
+CVE-2022-48391
+	RESERVED
+CVE-2022-48390
+	RESERVED
+CVE-2022-48389
+	RESERVED
+CVE-2022-48388
+	RESERVED
+CVE-2022-48387
+	RESERVED
+CVE-2022-48386
+	RESERVED
+CVE-2022-48385
+	RESERVED
+CVE-2022-48384
+	RESERVED
+CVE-2022-48383
+	RESERVED
+CVE-2022-48382
+	RESERVED
+CVE-2022-48381
+	RESERVED
+CVE-2022-48380
+	RESERVED
+CVE-2022-48379
+	RESERVED
+CVE-2022-48378
+	RESERVED
+CVE-2022-48377
+	RESERVED
+CVE-2022-48376
+	RESERVED
+CVE-2022-48375
+	RESERVED
+CVE-2022-48374
+	RESERVED
+CVE-2022-48373
+	RESERVED
+CVE-2022-48372
+	RESERVED
+CVE-2022-48371
+	RESERVED
+CVE-2022-48370
+	RESERVED
+CVE-2022-48369
+	RESERVED
+CVE-2022-48368
+	RESERVED
 CVE-2023-1360 (A vulnerability was found in SourceCodester Employee Payslip Generator ...)
 	NOT-FOR-US: SourceCodester Employee Payslip Generator with Sending Mail
 CVE-2023-1359 (A vulnerability has been found in SourceCodester Gadget Works Online O ...)
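Review bot: the four `TODO: check` entries (CVE-2023-28154, CVE-2023-1363, CVE-2023-1362, CVE-2023-1361) are triage placeholders left by the automatic import and still need a maintainer pass. CVE-2023-28154 carries a concrete fixed version (Webpack 5 before 5.76.0), so it can be resolved against Debian's webpack package, if any; CVE-2023-1363 ("found in Sou ...") and CVE-2023-1361 (unilogies/bumsys) read like the SourceCodester and GitHub-repository entries immediately below, which are marked `NOT-FOR-US`, but the truncated descriptions do not confirm that, so each should be checked individually rather than mass-marked.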
@@ -15285,14 +15351,17 @@ CVE-2023-22797 (An open redirect vulnerability is fixed in Rails 7.0.4.1 with th
 	- rails <not-affected> (Only affects 7.x)
 	NOTE: https://discuss.rubyonrails.org/t/cve-2023-22797-possible-open-redirect-vulnerability-in-action-pack/82120
 CVE-2023-22796 (A regular expression based DoS vulnerability in Active Support <6.1 ...)
+	{DSA-5372-1}
 	- rails <unfixed> (bug #1030050)
 	NOTE: https://discuss.rubyonrails.org/t/cve-2023-22796-possible-redos-based-dos-vulnerability-in-active-supports-underscore/82116
 	NOTE: https://github.com/rails/rails/commit/4b383e6936d7a72b5dc839f526c9a9aeb280acae (6-1-stable)
 CVE-2023-22795 (A regular expression based DoS vulnerability in Action Dispatch <6. ...)
+	{DSA-5372-1}
 	- rails <unfixed> (bug #1030050)
 	NOTE: https://discuss.rubyonrails.org/t/cve-2023-22795-possible-redos-based-dos-vulnerability-in-action-dispatch/82118
 	NOTE: https://github.com/rails/rails/commit/484fc9185db6c6a6a49ab458b11f9366da02bab2 (6-1-stable)
 CVE-2023-22794 (A vulnerability in ActiveRecord <6.0.6.1, v6.1.7.1 and v7.0.4.1 rel ...)
+	{DSA-5372-1}
 	- rails <unfixed> (bug #1030050)
 	[buster] - rails <not-affected> (Only affects 6.x and later)
 	NOTE: https://discuss.rubyonrails.org/t/cve-2023-22794-sql-injection-vulnerability-via-activerecord-comments/82117
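Review bot: all three Rails entries (CVE-2023-22796, CVE-2023-22795, CVE-2023-22794) gain `{DSA-5372-1}` while keeping `- rails <unfixed> (bug #1030050)`, so the DSA fixes stable and unstable is still recorded as open against the same bug; that is consistent, but only CVE-2023-22794 carries a `[buster] - rails <not-affected> (Only affects 6.x and later)` line, and the two ReDoS entries show no buster status in the visible context, which is worth confirming given that their descriptions name `<6.1` / `<6.` version ranges.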
@@ -15300,6 +15369,7 @@ CVE-2023-22794 (A vulnerability in ActiveRecord <6.0.6.1, v6.1.7.1 and v7.0.4
 CVE-2023-22793
 	RESERVED
 CVE-2023-22792 (A regular expression based DoS vulnerability in Action Dispatch <6. ...)
+	{DSA-5372-1}
 	- rails <unfixed> (bug #1030050)
 	NOTE: https://discuss.rubyonrails.org/t/cve-2023-22792-possible-redos-based-dos-vulnerability-in-action-dispatch/82115
 	NOTE: https://github.com/rails/rails/commit/7a7f37f146aa977350cf914eba20a95ce371485f (6-1-stable)
@@ -58203,10 +58273,10 @@ CVE-2022-34823 (Buffer overflow vulnerability in CLUSTERPRO X 5.0 for Windows an
 	NOT-FOR-US: CLUSTERPRO and EXPRESSCLUSTER
 CVE-2022-34822 (Path traversal vulnerability in CLUSTERPRO X 5.0 for Windows and earli ...)
 	NOT-FOR-US: CLUSTERPRO and EXPRESSCLUSTER
-CVE-2022-2259
-	RESERVED
-CVE-2022-2258
-	RESERVED
+CVE-2022-2259 (In affected versions of Octopus Deploy it is possible for a user to vi ...)
+	TODO: check
+CVE-2022-2258 (In affected versions of Octopus Deploy it is possible for a user to vi ...)
+	TODO: check
 CVE-2022-2257 (Out-of-bounds Read in GitHub repository vim/vim prior to 9.0. ...)
 	- vim 2:9.0.0135-1 (unimportant)
 	NOTE: https://huntr.dev/bounties/ca581f80-03ba-472a-b820-78f7fd05fe89
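Review bot: CVE-2022-2259 and CVE-2022-2258 move from `RESERVED` to `TODO: check` with identically truncated Octopus Deploy descriptions; they should be given a disposition (a package line or `NOT-FOR-US`, as done for the CLUSTERPRO entries just above) rather than left as TODO, and because both descriptions begin the same way, the full advisory text should be read to record what distinguishes the two issues.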
@@ -78591,7 +78661,7 @@ CVE-2022-27778 (A use of incorrectly resolved name vulnerability fixed in 7.83.1
 	NOTE: https://curl.se/docs/CVE-2022-27778.html
 	NOTE: Fixed by: https://github.com/curl/curl/commit/8c7ee9083d0d719d0a77ab20d9cc2ae84eeea7f3 (curl-7_83_1)
 CVE-2022-27777 (A XSS Vulnerability in Action View tag helpers >= 5.2.0 and < 5. ...)
-	{DLA-3093-1}
+	{DSA-5372-1 DLA-3093-1}
 	- rails 2:6.1.6.1+dfsg-1 (bug #1016982)
 	NOTE: https://discuss.rubyonrails.org/t/cve-2022-27777-possible-xss-vulnerability-in-action-view-tag-helpers/80534
 	NOTE: Fixed by: https://github.com/rails/rails/commit/123f42a573f7fcbf391885c135ca809f21615180 (v6.1.5.1)
@@ -90943,7 +91013,7 @@ CVE-2022-23839
 CVE-2022-23838
 	RESERVED
 CVE-2022-23837 (In api.rb in Sidekiq before 5.2.10 and 6.4.0, there is no limit on the ...)
-	{DLA-2943-1}
+	{DLA-3360-1 DLA-2943-1}
 	- ruby-sidekiq 6.4.1+dfsg-1 (bug #1004193)
 	[bullseye] - ruby-sidekiq <no-dsa> (Minor issue)
 	NOTE: https://github.com/mperham/sidekiq/commit/7785ac1399f1b28992adb56055f6acd88fd1d956 (v6.4.0)
@@ -91528,7 +91598,7 @@ CVE-2022-23634 (Puma is a Ruby/Rack web server built for parallelism. Prior to `
 	NOTE: https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb (v5.6.3)
 	NOTE: Related issue to CVE-2022-23633 for src:rails
 CVE-2022-23633 (Action Pack is a framework for handling and responding to web requests ...)
-	{DLA-3093-1}
+	{DSA-5372-1 DLA-3093-1}
 	- rails 2:6.1.4.6+dfsg-1 (bug #1005389)
 	NOTE: https://www.openwall.com/lists/oss-security/2022/02/11/5
 	NOTE: Fixed by: https://github.com/rails/rails/commit/07d9600172a18b45791c89e95a642e13fc367545 (v6.1.4.5)
@@ -95484,7 +95554,7 @@ CVE-2022-22579 (An information disclosure issue was addressed with improved stat
 CVE-2022-22578 (A logic issue was addressed with improved validation. This issue is fi ...)
 	NOT-FOR-US: Apple
 CVE-2022-22577 (An XSS Vulnerability in Action Pack >= 5.2.0 and < 5.2.0 that co ...)
-	{DLA-3093-1}
+	{DSA-5372-1 DLA-3093-1}
 	- rails 2:6.1.6.1+dfsg-1 (bug #1011941)
 	NOTE: https://discuss.rubyonrails.org/t/cve-2022-22577-possible-xss-vulnerability-in-action-pack/80533
 	NOTE: https://github.com/rails/rails/commit/2b820a2a69fa50cffa74b4aedc57bf92ed6910ec (v6.1.5.1)
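Review bot: the description context line quotes a self-contradictory affected range (`Action Pack >= 5.2.0 and < 5.2.0`); that is imported CVE text rather than something this hunk changes, so the `rails 2:6.1.6.1+dfsg-1` fixed-version line and the advisory markers should be treated as the authoritative data here, and the added `{DSA-5372-1 DLA-3093-1}` marker follows the same space-separated form used for the other Rails entries in this patch.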
@@ -101057,7 +101127,7 @@ CVE-2021-44832 (Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding secur
 CVE-2022-21832
 	RESERVED
 CVE-2022-21831 (A code injection vulnerability exists in the Active Storage >= v5.2 ...)
-	{DLA-3093-1}
+	{DSA-5372-1 DLA-3093-1}
 	- rails 2:6.1.4.7+dfsg-1 (bug #1011940)
 	NOTE: https://github.com/advisories/GHSA-w749-p3v6-hccq
 	NOTE: https://github.com/rails/rails/commit/b0b5eaf477c907819ead1808d09bfaae3eb4cc54 (v6.1.4.7)
@@ -102138,6 +102208,7 @@ CVE-2021-44530 (An injection vulnerability exists in a third-party library used
 CVE-2021-44529 (A code injection vulnerability in the Ivanti EPM Cloud Services Applia ...)
 	NOT-FOR-US: Ivanti
 CVE-2021-44528 (A open redirect vulnerability exists in Action Pack >= 6.0.0 that c ...)
+	{DSA-5372-1}
 	- rails 2:6.1.4.6+dfsg-1 (bug #1001817)
 	[buster] - rails <not-affected> (Vulnerable code introduced later)
 	[stretch] - rails <not-affected> (Vulnerable code introduced later)
@@ -127082,6 +127153,7 @@ CVE-2021-3640 (A flaw use-after-free in function sco_sock_sendmsg() of the Linux
 	[bullseye] - linux 5.10.84-1
 	NOTE: https://www.openwall.com/lists/oss-security/2021/07/22/1
 CVE-2021-3639 (A flaw was found in mod_auth_mellon where it does not sanitize logout  ...)
+	{DLA-3359-1}
 	- libapache2-mod-auth-mellon 0.18.0-1 (bug #991730)
 	[bullseye] - libapache2-mod-auth-mellon 0.17.0-1+deb11u1
 	[stretch] - libapache2-mod-auth-mellon <no-dsa> (Minor issue)
@@ -143139,7 +143211,7 @@ CVE-2021-30152 (An issue was discovered in MediaWiki before 1.31.13 and 1.32.x t
 	NOTE: https://phabricator.wikimedia.org/T270713
 	NOTE: https://lists.wikimedia.org/pipermail/wikitech-l/2021-April/094418.html
 CVE-2021-30151 (Sidekiq through 5.1.3 and 6.x through 6.2.0 allows XSS via the queue n ...)
-	{DLA-2943-1}
+	{DLA-3360-1 DLA-2943-1}
 	- ruby-sidekiq 6.3.1+dfsg-1 (bug #987354)
 	[bullseye] - ruby-sidekiq <no-dsa> (Minor issue)
 	NOTE: https://github.com/mperham/sidekiq/issues/4852
@@ -160805,6 +160877,7 @@ CVE-2021-22944 (A vulnerability found in UniFi Protect application V1.18.1 and e
 CVE-2021-22943 (A vulnerability found in UniFi Protect application V1.18.1 and earlier ...)
 	NOT-FOR-US: UniFi Protect application
 CVE-2021-22942 (A possible open redirect vulnerability in the Host Authorization middl ...)
+	{DSA-5372-1}
 	[experimental] - rails 2:6.1.4.1+dfsg-1
 	- rails 2:6.1.4.1+dfsg-3 (bug #992586)
 	[buster] - rails <not-affected> (Vulnerable code not present)
@@ -270805,6 +270878,7 @@ CVE-2019-13040
 CVE-2019-13039
 	RESERVED
 CVE-2019-13038 (mod_auth_mellon through 0.14.2 has an Open Redirect via the login?Retu ...)
+	{DLA-3359-1}
 	- libapache2-mod-auth-mellon 0.15.0-1 (low; bug #931265)
 	[stretch] - libapache2-mod-auth-mellon <no-dsa> (Minor issue)
 	[jessie] - libapache2-mod-auth-mellon <ignored> (Open Redirect protection not implemented yet)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/41a1123565dd0e74f49817e29b3207949fdafc45
