[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Wed Oct 11 09:12:27 BST 2023
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
8cedc7c1 by security tracker role at 2023-10-11T08:12:13+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,3 +1,21 @@
+CVE-2023-5511 (Cross-Site Request Forgery (CSRF) in GitHub repository snipe/snipe-it ...)
+ TODO: check
+CVE-2023-4990 (Directory traversal vulnerability in MCL-Net versions prior to 4.6 Upd ...)
+ TODO: check
+CVE-2023-45312 (In the mtproto_proxy (aka MTProto proxy) component through 0.7.2 for E ...)
+ TODO: check
+CVE-2023-45194 (Use of default credentials vulnerability in MR-GM2 firmware Ver. 3.00. ...)
+ TODO: check
+CVE-2023-44997 (Cross-Site Request Forgery (CSRF) vulnerability in Nitin Rathod WP For ...)
+ TODO: check
+CVE-2023-44689 (e-Gov Client Application (Windows version) versions prior to 2.1.1.0 a ...)
+ TODO: check
+CVE-2023-37536 (An integer overflow in xerces-c++ 3.2.3 in BigFix Platform allows remo ...)
+ TODO: check
+CVE-2023-36127 (User enumeration is found in in PHPJabbers Appointment Scheduler 3.0. ...)
+ TODO: check
+CVE-2023-36126 (There is a Cross Site Scripting (XSS) vulnerability in the "theme" par ...)
+ TODO: check
CVE-2023-39325
- golang-1.21 1.21.3-1
- golang-1.20 1.20.10-1
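Review bot: nine new entries land as `TODO: check` placeholders with no triage decision attached; CVE-2023-37536 (integer overflow in xerces-c++ 3.2.3, reported against BigFix Platform) is the one to look at first, because xerces-c is a Debian source package and the entry needs to record whether the flaw is in upstream xerces-c or only in the copy bundled with BigFix. The remaining eight describe third-party web applications, firmware and appliances and will most likely end up as NOT-FOR-US, as the neighbouring entries in this file do.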
@@ -52,11 +70,13 @@ CVE-2023-4421
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2238677
NOTE: https://hg.mozilla.org/projects/nss/rev/fc05574c739947d615ab0b2b2b564f01c922eccd
CVE-2023-38546
+ {DSA-5523-1}
- curl 8.3.0-3
NOTE: https://curl.se/docs/CVE-2023-38546.html
NOTE: Fixed in https://github.com/curl/curl/commit/61275672b46d9abb32857404 (curl-8_4_0)
NOTE: Introduced in https://github.com/curl/curl/commit/74d5a6fb3b9a96d9f
CVE-2023-38545
+ {DSA-5523-1}
- curl 8.3.0-3
[buster] - curl <not-affected> (Vulnerable code not present)
NOTE: https://curl.se/docs/CVE-2023-38545.html
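Review bot: the `[buster] - curl <not-affected> (Vulnerable code not present)` marking on CVE-2023-38545 has no supporting `NOTE: Introduced in ...` line, whereas the CVE-2023-38546 entry directly above records the introducing commit. Adding the same kind of note for CVE-2023-38545 would make the not-affected decision verifiable from the entry itself rather than from the curl advisory alone.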
@@ -96,6 +116,7 @@ CVE-2023-4837 (SmodBIP is vulnerable to Cross-Site Request Forgery, that could b
CVE-2023-4309 (Election Services Co. (ESC) Internet Election Service is vulnerable to ...)
NOT-FOR-US: Election Services Co. (ESC) Internet Election Service
CVE-2023-45648 (Improper Input Validation vulnerability in Apache Tomcat.Tomcatfrom 11 ...)
+ {DSA-5522-1 DSA-5521-1}
- tomcat10 10.1.14-1
- tomcat9 <unfixed>
- tomcat8 <removed>
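Review bot: `tomcat9 <unfixed>` stays as is while the `{DSA-5522-1 DSA-5521-1}` tag is added, so after this change the entry shows the stable suites fixed by advisory but tomcat9 still open in unstable; that is a legitimate tracker state, but it is worth confirming that a fixed tomcat9 version is recorded as soon as the unstable upload lands, otherwise CVE-2023-45648 keeps showing as open in testing and unstable.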
@@ -173,6 +194,7 @@ CVE-2023-43485 (When TACACS+ audit forwarding is configured on BIG-IP or BIG-IQ
CVE-2023-42796 (A vulnerability has been identified in CP-8031 MASTER MODULE (All vers ...)
NOT-FOR-US: Siemens
CVE-2023-42795 (Incomplete Cleanup vulnerability in Apache Tomcat.When recycling vario ...)
+ {DSA-5522-1 DSA-5521-1}
- tomcat10 10.1.14-1
- tomcat9 <unfixed>
- tomcat8 <removed>
@@ -505,6 +527,7 @@ CVE-2023-3961 [smbd allows client access to unix domain sockets on the file syst
NOTE: https://www.samba.org/samba/security/CVE-2023-3961.html
NOTE: In scope for continued Samba support
CVE-2023-44487 (The HTTP/2 protocol allows a denial of service (server resource consum ...)
+ {DSA-5522-1 DSA-5521-1}
- tomcat9 <unfixed>
- tomcat10 <unfixed>
- trafficserver <unfixed>
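Review bot: the `{DSA-5522-1 DSA-5521-1}` tag covers the Tomcat packages (the same advisory pair is attached to the other Tomcat entries in this update), but `trafficserver <unfixed>` in the same entry receives no per-suite annotation, so the HTTP/2 denial-of-service issue remains without a stated plan for trafficserver in the stable suites; a per-suite line of the kind used elsewhere in this file (see the `[bullseye]` and `[buster]` annotations) or a NOTE stating the intended handling would make that explicit.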
@@ -6894,6 +6917,7 @@ CVE-2023-4524
CVE-2023-41121 (Array AG OS before 9.4.0.499 allows denial of service: remote attacker ...)
NOT-FOR-US: Array AG OS
CVE-2023-41080 (URL Redirection to Untrusted Site ('Open Redirect') vulnerability in F ...)
+ {DSA-5522-1 DSA-5521-1}
- tomcat10 10.1.13-1
- tomcat9 9.0.70-2
[buster] - tomcat9 <postponed> (Minor issue; can be fixed later)
@@ -8015,7 +8039,7 @@ CVE-2023-39975 (kdc/do_tgs_req.c in MIT Kerberos 5 (aka krb5) 1.21 before 1.21.2
NOTE: Fixed by: https://github.com/krb5/krb5/commit/88a1701b423c13991a8064feeb26952d3641d840
CVE-2023-39507 (Improper authorization in the custom URL scheme handler in "Rikunabi N ...)
NOT-FOR-US: "Rikunabi NEXT" App for Android
-CVE-2023-39250 (Dell Storage Integration Tools for VMware (DSITV) 06.01.00.016 contain ...)
+CVE-2023-39250 (Dell Storage Integration Tools for VMware (DSITV) and Dell Storage vSp ...)
NOT-FOR-US: Dell
CVE-2023-39115 (install/aiz-uploader/upload in Campcodes Online Matrimonial Website Sy ...)
NOT-FOR-US: Campcodes Online Matrimonial Website System
@@ -8972,15 +8996,15 @@ CVE-2023-39531 (Sentry is an error tracking and performance monitoring platform.
NOT-FOR-US: Sentry
CVE-2023-39008 (A command injection vulnerability in the component /api/cron/settings/ ...)
NOT-FOR-US: OPNsense
-CVE-2023-39007 (/ui/cron/item/open in the Cron component of OPNsense before 23.7 allow ...)
+CVE-2023-39007 (/ui/cron/item/open in the Cron component of OPNsense Community Edition ...)
NOT-FOR-US: OPNsense
-CVE-2023-39006 (The Crash Reporter (crash_reporter.php) component of OPNsense before 2 ...)
+CVE-2023-39006 (The Crash Reporter (crash_reporter.php) component of OPNsense Communit ...)
NOT-FOR-US: OPNsense
-CVE-2023-39005 (Insecure permissions exist for configd.socket in OPNsense before 23.7.)
+CVE-2023-39005 (Insecure permissions exist for configd.socket in OPNsense Community Ed ...)
NOT-FOR-US: OPNsense
CVE-2023-39004 (Insecure permissions in the configuration directory (/conf/) of OPNsen ...)
NOT-FOR-US: OPNsense
-CVE-2023-39003 (OPNsense before 23.7 was discovered to contain insecure permissions in ...)
+CVE-2023-39003 (OPNsense Community Edition before 23.7 and Business Edition before 23. ...)
NOT-FOR-US: OPNsense
CVE-2023-39002 (A cross-site scripting (XSS) vulnerability in the act parameter of sys ...)
NOT-FOR-US: OPNsense
@@ -8990,7 +9014,7 @@ CVE-2023-39000 (A reflected cross-site scripting (XSS) vulnerability in the comp
NOT-FOR-US: OPNsense
CVE-2023-38999 (A Cross-Site Request Forgery (CSRF) in the System Halt API (/system/ha ...)
NOT-FOR-US: OPNsense
-CVE-2023-38998 (An open redirect in the Login page of OPNsense before 23.7 allows atta ...)
+CVE-2023-38998 (An open redirect in the Login page of OPNsense Community Edition befor ...)
NOT-FOR-US: OPNsense
CVE-2023-38997 (A directory traversal vulnerability in the Captive Portal templates of ...)
NOT-FOR-US: OPNsense
@@ -28368,6 +28392,7 @@ CVE-2023-1553
CVE-2023-1552 (ToolboxST prior to version 7.10 is affected by a deserialization vulne ...)
NOT-FOR-US: ToolboxST
CVE-2023-28709 (The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 ...)
+ {DSA-5521-1}
[experimental] - tomcat10 10.1.8-1
- tomcat10 10.1.10-1
- tomcat9 <not-affected> (Incomplete fix for CVE-2023-24998 not applied)
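Review bot: this entry gets only `{DSA-5521-1}` while the other Tomcat entries in this update carry both DSA-5521-1 and DSA-5522-1; that is consistent with `tomcat9 <not-affected>` only if DSA-5521-1 is the tomcat10 advisory, so the pairing should be checked against the DSA list before this is taken as final.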
@@ -35523,12 +35548,12 @@ CVE-2023-26322
RESERVED
CVE-2023-26321
RESERVED
-CVE-2023-26320
- RESERVED
-CVE-2023-26319
- RESERVED
-CVE-2023-26318
- RESERVED
+CVE-2023-26320 (Improper Neutralization of Special Elements used in a Command ('Comman ...)
+ TODO: check
+CVE-2023-26319 (Improper Neutralization of Special Elements used in a Command ('Comman ...)
+ TODO: check
+CVE-2023-26318 (Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') ...)
+ TODO: check
CVE-2023-26317 (A vulnerability has been discovered in Xiaomi routers that could allow ...)
NOT-FOR-US: Xiaomi
CVE-2023-26316 (A XSS vulnerability exists in the Xiaomi cloud service Application pro ...)
@@ -35842,8 +35867,8 @@ CVE-2023-26222
RESERVED
CVE-2023-26221
RESERVED
-CVE-2023-26220
- RESERVED
+CVE-2023-26220 (The Spotfire Library component of TIBCO Software Inc.'s Spotfire Analy ...)
+ TODO: check
CVE-2023-26219
RESERVED
CVE-2023-26218 (The Web Client component of TIBCO Software Inc.'s TIBCO Nimbus contain ...)
@@ -39792,6 +39817,7 @@ CVE-2023-25000 (HashiCorp Vault's implementation of Shamir's secret sharing used
CVE-2023-24999 (HashiCorp Vault and Vault Enterprise\u2019s approle auth method allowe ...)
NOT-FOR-US: Vault
CVE-2023-24998 (Apache Commons FileUpload before 1.5 does not limit the number of requ ...)
+ {DSA-5522-1}
- tomcat10 10.1.5-1
- tomcat9 9.0.70-2
[bullseye] - tomcat9 <postponed> (Minor issue, fix along with future update)
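Review bot: `[bullseye] - tomcat9 <postponed> (Minor issue, fix along with future update)` remains next to the newly added `{DSA-5522-1}` tag; if that advisory is the one that updated tomcat9 in bullseye the postponed marker is now stale and should be dropped, and if it is not, the entry still shows CVE-2023-24998 open in bullseye despite the tag, so either way the line deserves a second look.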
@@ -60321,10 +60347,10 @@ CVE-2022-44760
RESERVED
CVE-2022-44759
RESERVED
-CVE-2022-44758
- RESERVED
-CVE-2022-44757
- RESERVED
+CVE-2022-44758 (BigFix Insights/IVR fixlet uses improper credential handling within ce ...)
+ TODO: check
+CVE-2022-44757 (BigFix Insights for Vulnerability Remediation (IVR) uses weak cryptogr ...)
+ TODO: check
CVE-2022-44756 (Insights for Vulnerability Remediation (IVR) is vulnerable toimproper ...)
NOT-FOR-US: HCL
CVE-2022-44755 (HCL Notes is susceptible to a stack based buffer overflow vulnerabilit ...)
@@ -69656,8 +69682,8 @@ CVE-2022-42453 (There are insufficient warnings when a Fixlet is imported by a u
NOT-FOR-US: HCL
CVE-2022-42452 (HCL Launch is vulnerable to HTML injection. HTML code is stored and in ...)
NOT-FOR-US: HCL
-CVE-2022-42451
- RESERVED
+CVE-2022-42451 (Certain credentials within the BigFix Patch Management Download Plug-i ...)
+ TODO: check
CVE-2022-42450
RESERVED
CVE-2022-42449
@@ -112572,7 +112598,7 @@ CVE-2022-27213 (Jenkins Environment Dashboard Plugin 1.1.10 and earlier does not
NOT-FOR-US: Jenkins plugin
CVE-2022-27212 (Jenkins List Git Branches Parameter Plugin 0.0.9 and earlier does not ...)
NOT-FOR-US: Jenkins plugin
-CVE-2022-27211 (A missing/An incorrect permission check in Jenkins Kubernetes Continuo ...)
+CVE-2022-27211 (A missing permission check in Jenkins Kubernetes Continuous Deploy Plu ...)
NOT-FOR-US: Jenkins plugin
CVE-2022-27210 (A cross-site request forgery (CSRF) vulnerability in Jenkins Kubernete ...)
NOT-FOR-US: Jenkins plugin
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8cedc7c179f9a2365c4e41118fd21209b4663219