[Git][security-tracker-team/security-tracker][master] bugnums

Moritz Muehlenhoff (@jmm) jmm at debian.org
Wed Nov 1 19:25:32 GMT 2023



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
08a79f4a by Moritz Muehlenhoff at 2023-11-01T20:25:02+01:00
bugnums

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -354,7 +354,7 @@ CVE-2019-25155 (DOMPurify before 1.0.11 allows reverse tabnabbing in demos/hooks
 CVE-2015-20110 (JHipster generator-jhipster before 2.23.0 allows a timing attack again ...)
 	NOT-FOR-US: JHipster generator-jhipster
 CVE-2023-34049 [allows an attacker to force Salt-SSH to run their script]
-	- salt <unfixed>
+	- salt <unfixed> (bug #1055179)
 	NOTE: https://saltproject.io/security-announcements/2023-10-27-advisory/index.html
 CVE-2023-5844 (Unverified Password Change in GitHub repository pimcore/admin-ui-class ...)
 	NOT-FOR-US: Pimcore admin-ui-classic-bundle
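Review bot: the salt entry gains a bug reference but still has no [bookworm]/[bullseye]/[buster] lines, so with only `- salt <unfixed>` every suite will be listed as open; if the triage for the stable suites has already been decided, record it here in the same commit (a `<no-dsa>` or `<not-affected>` line with its reason), since the ticket number alone does not capture that decision. The bracketed title is still the placeholder form, which is fine until the CVE description is published.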
@@ -4565,7 +4565,7 @@ CVE-2023-43810 (OpenTelemetry, also known as OTel for short, is a vendor-neutral
 CVE-2023-43058 (IBM Robotic Process Automation 23.0.9 is vulnerable to privilege escal ...)
 	NOT-FOR-US: IBM
 CVE-2023-42445 (Gradle is a build tool with a focus on build automation and support fo ...)
-	- gradle <unfixed>
+	- gradle <unfixed> (bug #1055176)
 	[bookworm] - gradle <no-dsa> (Minor issue)
 	[bullseye] - gradle <no-dsa> (Minor issue)
 	[buster] - gradle <no-dsa> (Minor issue)
@@ -4695,7 +4695,7 @@ CVE-2023-44828 (D-Link DIR-823G A1V1.0.2B05 was discovered to contain a buffer o
 CVE-2023-44390 (HtmlSanitizer is a .NET library for cleaning HTML fragments and docume ...)
 	NOT-FOR-US: HtmlSanitizer .NET library
 CVE-2023-44387 (Gradle is a build tool with a focus on build automation and support fo ...)
-	- gradle <unfixed>
+	- gradle <unfixed> (bug #1055177)
 	[bookworm] - gradle <no-dsa> (Minor issue)
 	[bullseye] - gradle <no-dsa> (Minor issue)
 	[buster] - gradle <postponed> (Minor issue, requires local access to build machine)
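Review bot: buster is `<postponed>` here with the rationale "requires local access to build machine", while the sibling Gradle entry CVE-2023-44387's neighbour CVE-2023-42445 (two hunks up, bug #1055176) marks buster `<no-dsa> (Minor issue)`. The two CVEs are filed as separate bugs (#1055176 / #1055177), so either the different buster handling is deliberate, in which case the same one-line rationale would help on the other entry, or the two should be aligned.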
@@ -29366,7 +29366,7 @@ CVE-2023-29460 (An arbitrary code execution vulnerability contained in Rockwell
 CVE-2023-29459 (The laola.redbull application through 5.1.9-R for Android exposes the  ...)
 	NOT-FOR-US: laola.redbull
 CVE-2023-29458 (Duktape is an 3rd-party embeddable JavaScript engine, with a focus on  ...)
-	- zabbix <unfixed>
+	- zabbix <unfixed> (bug #1055175)
 	[bookworm] - zabbix <no-dsa> (Minor issue)
 	[bullseye] - zabbix <no-dsa> (Minor issue)
 	[buster] - zabbix <not-affected> (vulnerable code introduced later)
@@ -29375,34 +29375,34 @@ CVE-2023-29458 (Duktape is an 3rd-party embeddable JavaScript engine, with a foc
 	NOTE: duktape library introduced with https://github.com/zabbix/zabbix/commit/d43b04665c1ade5b4a9f49db750b8ca6c82e9de2 (5.0.0alpha1)
 CVE-2023-29457 (Reflected XSS attacks, occur when a malicious script is reflected off  ...)
 	{DLA-3538-1}
-	- zabbix <unfixed>
+	- zabbix <unfixed> (bug #1055175)
 	[bookworm] - zabbix <no-dsa> (Minor issue)
 	[bullseye] - zabbix <no-dsa> (Minor issue)
 	NOTE: https://support.zabbix.com/browse/ZBX-22988
 CVE-2023-29456 (URL validation scheme receives input from a user and then parses it to ...)
 	{DLA-3538-1}
-	- zabbix <unfixed>
+	- zabbix <unfixed> (bug #1055175)
 	[bookworm] - zabbix <no-dsa> (Minor issue)
 	[bullseye] - zabbix <no-dsa> (Minor issue)
 	NOTE: https://support.zabbix.com/browse/ZBX-22987
 CVE-2023-29455 (Reflected XSS attacks, also known as non-persistent attacks, occur whe ...)
 	{DLA-3538-1}
-	- zabbix <unfixed>
+	- zabbix <unfixed> (bug #1055175)
 	[bookworm] - zabbix <no-dsa> (Minor issue)
 	[bullseye] - zabbix <no-dsa> (Minor issue)
 	NOTE: https://support.zabbix.com/browse/ZBX-22986
 CVE-2023-29454 (Stored or persistent cross-site scripting (XSS) is a type of XSS where ...)
 	{DLA-3538-1}
-	- zabbix <unfixed>
+	- zabbix <unfixed> (bug #1055175)
 	[bookworm] - zabbix <no-dsa> (Minor issue)
 	[bullseye] - zabbix <no-dsa> (Minor issue)
 	NOTE: https://support.zabbix.com/browse/ZBX-22985
 CVE-2023-29453 (Templates do not properly consider backticks (`) as Javascript string  ...)
-	- zabbix <unfixed>
+	- zabbix <unfixed> (bug #1055175)
 	[buster] - zabbix <not-affected> (buster does not have the Go agent)
 	NOTE: https://support.zabbix.com/browse/ZBX-23388
 CVE-2023-29452 (Currently, geomap configuration (Administration -> General -> Geograph ...)
-	- zabbix <unfixed>
+	- zabbix <unfixed> (bug #1055175)
 	[bookworm] - zabbix <no-dsa> (Minor issue)
 	[bullseye] - zabbix <not-affected> (vulnerable code introduced later)
 	[buster] - zabbix <not-affected> (vulnerable code introduced later)
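Review bot: CVE-2023-29453 is the only entry in this block with no [bookworm]/[bullseye] lines; every other zabbix CVE tied to bug #1055175 here carries `<no-dsa> (Minor issue)` for both suites. Since it is `<unfixed>` in sid and only buster is excluded ("buster does not have the Go agent"), bookworm and bullseye will show as vulnerable with no recorded triage; either add the suite lines or a NOTE explaining why they are intentionally left open.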
@@ -29411,20 +29411,20 @@ CVE-2023-29452 (Currently, geomap configuration (Administration -> General -> Ge
 	NOTE: vulnerable geopmap widget introduced in version with https://github.com/zabbix/zabbix/commit/7e6a91149533b17b12c0317968b485e0c98d4ac2 (6.0.0alpha6)
 CVE-2023-29451 (Specially crafted string can cause a buffer overrun in the JSON parser ...)
 	{DLA-3538-1}
-	- zabbix <unfixed>
+	- zabbix <unfixed> (bug #1055175)
 	[bookworm] - zabbix <no-dsa> (Minor issue)
 	[bullseye] - zabbix <not-affected> (5.x not affected)
 	NOTE: https://support.zabbix.com/browse/ZBX-22587
 CVE-2023-29450 (JavaScript pre-processing can be used by the attacker to gain access t ...)
 	{DLA-3538-1}
-	- zabbix <unfixed>
+	- zabbix <unfixed> (bug #1055175)
 	[bookworm] - zabbix <no-dsa> (Minor issue)
 	[bullseye] - zabbix <no-dsa> (Minor issue)
 	NOTE: https://support.zabbix.com/browse/ZBX-22588
 	NOTE: Patch for 5.0.32rc1: https://github.com/zabbix/zabbix/commit/c3f1543e4
 	NOTE: Patch for 6.0.14rc2: https://github.com/zabbix/zabbix/commit/76f6a80cb
 CVE-2023-29449 (JavaScript preprocessing, webhooks and global scripts can cause uncont ...)
-	- zabbix <unfixed>
+	- zabbix <unfixed> (bug #1055175)
 	[bookworm] - zabbix <no-dsa> (Minor issue)
 	[bullseye] - zabbix <no-dsa> (Minor issue)
 	[buster] - zabbix <not-affected> (vulnerable code introduced later)
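Review bot: CVE-2023-29451 carries {DLA-3538-1} (a buster fix) yet marks bullseye `<not-affected> (5.x not affected)`; a bug present in 4.x and 6.x but absent from 5.x is plausible but unusual enough that a NOTE with the commit or version range that introduced or removed the vulnerable JSON parser code would document it, in the same way the neighbouring entries cite their ZBX tickets and fixing commits.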
@@ -31027,7 +31027,7 @@ CVE-2023-29007 (Git is a revision control system. Prior to versions 2.30.9, 2.31
 CVE-2023-29006 (The Order GLPI plugin allows users to manage order management within G ...)
 	NOT-FOR-US: GLPI plugin
 CVE-2023-29005 (Flask-AppBuilder versions before 4.3.0 lack rate limiting which can al ...)
-	- flask-appbuilder <unfixed>
+	- flask-appbuilder <unfixed> (bug #1055181)
 	NOTE: https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-9hcr-9hcv-x6pv
 CVE-2023-29004 (hap-wi/roxy-wi is a web interface for managing Haproxy, Nginx, Apache  ...)
 	NOT-FOR-US: hap-wi/roxy-wi
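Review bot: the advisory text gives a concrete fixed version ("before 4.3.0"), so the status of each suite is decidable from the packaged flask-appbuilder versions, but no [bookworm]/[bullseye]/[buster] line is recorded alongside the new bug reference, leaving all suites shown as open; add the per-suite lines once the versions have been checked.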
@@ -33590,7 +33590,7 @@ CVE-2023-1388 (A heap-based overflow vulnerability in TA prior to version 5.7.9
 CVE-2023-1387 (Grafana is an open-source platform for monitoring and observability.   ...)
 	- grafana <removed>
 CVE-2023-1386 (A flaw was found in the 9p passthrough filesystem (9pfs) implementatio ...)
-	- qemu <unfixed>
+	- qemu <unfixed> (bug #1055174)
 	[bookworm] - qemu <postponed> (Minor issue, revisit when fixed upstream)
 	[bullseye] - qemu <postponed> (Minor issue, revisit when fixed upstream)
 	[buster] - qemu <no-dsa> (Minor issue)
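Review bot: bookworm and bullseye are `<postponed> (Minor issue, revisit when fixed upstream)` but the entry has no NOTE: line pointing at the upstream qemu bug or patch, unlike the other entries touched in this commit; add the upstream reference so the "revisit" has something concrete to track, and put the same link in bug #1055174.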



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/08a79f4a30d920b4ed168133b88a3e985db5c3f4


