[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Mon Oct 23 21:12:34 BST 2023
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
0daf541c by security tracker role at 2023-10-23T20:12:19+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,4 +1,42 @@
-CVE-2023-46288
+CVE-2023-5718 (The Vue.js Devtools extension was found to leak screenshot data back t ...)
+ TODO: check
+CVE-2023-5246 (Authentication Bypass by Capture-replay in SICK Flexi Soft Gateways wi ...)
+ TODO: check
+CVE-2023-46603 (In International Color Consortium DemoIccMAX 79ecb74, there is an out- ...)
+ TODO: check
+CVE-2023-46602 (In International Color Consortium DemoIccMAX 79ecb74, there is a stack ...)
+ TODO: check
+CVE-2023-46332 (WebAssembly wabt 1.0.33 contains an Out-of-Bound Memory Write in DataS ...)
+ TODO: check
+CVE-2023-46331 (WebAssembly wabt 1.0.33 has an Out-of-Bound Memory Read in in DataSegm ...)
+ TODO: check
+CVE-2023-46127 (Frappe is a full-stack web application framework that uses Python and ...)
+ TODO: check
+CVE-2023-46122 (sbt is a build tool for Scala, Java, and others. Given a specially cra ...)
+ TODO: check
+CVE-2023-43074 (Dell Unity 5.3 contain(s) an Arbitrary File Creation vulnerability. A ...)
+ TODO: check
+CVE-2023-43067 (Dell Unity prior to 5.3 contains an XML External Entity injection vuln ...)
+ TODO: check
+CVE-2023-43066 (Dell Unity prior to 5.3 contains a Restricted Shell Bypass vulnerabili ...)
+ TODO: check
+CVE-2023-43065 (Dell Unity prior to 5.3 contains a Cross-site scripting vulnerability. ...)
+ TODO: check
+CVE-2023-43045 (IBM Sterling Partner Engagement Manager 6.1.2, 6.2.0, and 6.2.2 could ...)
+ TODO: check
+CVE-2023-42295 (An issue in OpenImageIO oiio v.2.4.12.0 allows a remote attacker to ex ...)
+ TODO: check
+CVE-2023-38722 (IBM Sterling Partner Engagement Manager 6.1.2, 6.2.0, and 6.2.2 is vul ...)
+ TODO: check
+CVE-2023-37532 (HCL Commerce Remote Store server could allow a remote attacker, using ...)
+ TODO: check
+CVE-2023-33840 (IBM Security Verify Governance 10.0 is vulnerable to cross-site script ...)
+ TODO: check
+CVE-2023-33839 (IBM Security Verify Governance 10.0 could allow a remote authenticated ...)
+ TODO: check
+CVE-2023-33837 (IBM Security Verify Governance 10.0 does not encrypt sensitive or crit ...)
+ TODO: check
+CVE-2023-46288 (Exposure of Sensitive Information to an Unauthorized Actor vulnerabili ...)
- airflow <itp> (bug #819700)
CVE-2023-46316 [Fix command line parsing in wrappers]
- traceroute 1:2.1.3-1
@@ -356,13 +394,17 @@ CVE-2023-5090 [x86: KVM: SVM: always update the x2avic msr interception]
NOTE: https://git.kernel.org/linus/b65235f6e102354ccafda601eaa1c5bef5284d21
CVE-2023-5668 (The WhatsApp Share Button plugin for WordPress is vulnerable to Stored ...)
NOT-FOR-US: WordPress plugin
-CVE-2023-5656 (The AI ChatBot plugin for WordPress is vulnerable to unauthorized use ...)
+CVE-2023-5656
+ REJECTED
NOT-FOR-US: WordPress plugin
-CVE-2023-5655 (The AI ChatBot plugin for WordPress is vulnerable to Cross-Site Reques ...)
+CVE-2023-5655
+ REJECTED
NOT-FOR-US: WordPress plugin
-CVE-2023-5647 (The AI ChatBot plugin for WordPress is vulnerable to Arbitrary File De ...)
+CVE-2023-5647
+ REJECTED
NOT-FOR-US: WordPress plugin
-CVE-2023-5646 (The AI ChatBot for WordPress is vulnerable to Directory Traversal in v ...)
+CVE-2023-5646
+ REJECTED
NOT-FOR-US: WordPress plugin
CVE-2023-5615 (The Skype Legacy Buttons plugin for WordPress is vulnerable to Stored ...)
NOT-FOR-US: WordPress plugin
@@ -710,6 +752,7 @@ CVE-2023-45812 (The Apollo Router is a configurable, high-performance graph rout
CVE-2023-45146 (XXL-RPC is a high performance, distributed RPC framework. With it, a T ...)
NOT-FOR-US: XXL-RPC
CVE-2023-45145 (Redis is an in-memory database that persists on disk. On startup, Redi ...)
+ {DLA-3627-1}
- redis 5:7.0.14-1 (bug #1054225)
[bookworm] - redis <no-dsa> (Minor issue)
[bullseye] - redis <no-dsa> (Minor issue)
@@ -4743,6 +4786,7 @@ CVE-2023-2358 (Hitachi Vantara Pentaho Business Analytics Server prior to versio
CVE-2023-29497 (A privacy issue was addressed with improved handling of temporary file ...)
NOT-FOR-US: Apple
CVE-2023-43040 [Improperly verified POST keys]
+ {DLA-3629-1}
- ceph 16.2.11+ds-5 (bug #1053690)
[bookworm] - ceph <no-dsa> (Minor issue)
[bullseye] - ceph <no-dsa> (Minor issue)
@@ -5608,7 +5652,7 @@ CVE-2023-32182 (A Improper Link Resolution Before File Access ('Link Following')
NOT-FOR-US: config_postfix (SUSE specific script)
CVE-2023-31808 (Technicolor TG670 10.5.N.9 devices contain multiple accounts with hard ...)
NOT-FOR-US: Technicolor
-CVE-2023-2995 (The Leyka WordPress plugin through 3.30.3 does not sanitise and escape ...)
+CVE-2023-2995 (The Leyka WordPress plugin before 3.30.4 does not sanitise and escape ...)
NOT-FOR-US: WordPress plugin
CVE-2023-2567 (A SQL Injection vulnerability in Nozomi Networks Guardian and CMC, due ...)
NOT-FOR-US: Nozomi Networks Guardian and CMC
@@ -11799,7 +11843,7 @@ CVE-2023-4159 (Unrestricted Upload of File with Dangerous Type in GitHub reposit
NOT-FOR-US: omeka-s
CVE-2023-4158 (Cross-site Scripting (XSS) - Stored in GitHub repository omeka/omeka-s ...)
NOT-FOR-US: omeka-s
-CVE-2023-4157 (Improper Input Validation in GitHub repository omeka/omeka-s prior to ...)
+CVE-2023-4157 (CWE-74 Improper Neutralization of Special Elements in Output Used by a ...)
NOT-FOR-US: omeka-s
CVE-2023-4156 (A heap out-of-bounds read flaw was found in builtin.c in the gawk pack ...)
- gawk 1:5.2.1-1
@@ -18860,6 +18904,7 @@ CVE-2023-32750 (Pydio Cells through 4.1.2 allows SSRF. For longer running proces
CVE-2023-32749 (Pydio Cells allows users by default to create so-called external users ...)
NOT-FOR-US: Pydio Cells
CVE-2023-34969 (D-Bus before 1.15.6 sometimes allows unprivileged users to crash dbus- ...)
+ {DLA-3628-1}
[experimental] - dbus 1.15.6-1
- dbus 1.14.8-1 (bug #1037151)
[bookworm] - dbus 1.14.8-1~deb12u1
@@ -30031,12 +30076,12 @@ CVE-2023-28807
RESERVED
CVE-2023-28806
RESERVED
-CVE-2023-28805
- RESERVED
-CVE-2023-28804
- RESERVED
-CVE-2023-28803
- RESERVED
+CVE-2023-28805 (An Improper Input Validation vulnerability in Zscaler Client Connector ...)
+ TODO: check
+CVE-2023-28804 (An Improper Verification of Cryptographic Signature vulnerability in Z ...)
+ TODO: check
+CVE-2023-28803 (An authentication bypass by spoofing of a device with a synthetic IP a ...)
+ TODO: check
CVE-2023-28802
RESERVED
CVE-2023-28801 (An Improper Verification of Cryptographic Signature in the SAML authen ...)
@@ -30047,16 +30092,16 @@ CVE-2023-28799 (A URL parameter during login flow was vulnerable to injection. A
NOT-FOR-US: Zscaler
CVE-2023-28798
RESERVED
-CVE-2023-28797
- RESERVED
-CVE-2023-28796
- RESERVED
-CVE-2023-28795
- RESERVED
+CVE-2023-28797 (Zscaler Client Connector for Windows before 4.1 writes/deletes a confi ...)
+ TODO: check
+CVE-2023-28796 (Improper Verification of Cryptographic Signature vulnerability in Zsca ...)
+ TODO: check
+CVE-2023-28795 (Origin Validation Error vulnerability in Zscaler Client Connector on L ...)
+ TODO: check
CVE-2023-28794
RESERVED
-CVE-2023-28793
- RESERVED
+CVE-2023-28793 (Buffer overflow vulnerability in the signelf library used by Zscaler C ...)
+ TODO: check
CVE-2023-28792 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in I Thirte ...)
NOT-FOR-US: WordPress plugin
CVE-2023-28791 (Cross-Site Request Forgery (CSRF) vulnerability in Gangesh Matta Simpl ...)
@@ -35528,16 +35573,16 @@ CVE-2023-27154
RESERVED
CVE-2023-27153
RESERVED
-CVE-2023-27152
- RESERVED
+CVE-2023-27152 (DECISO OPNsense 23.1 does not impose rate limits for authentication, a ...)
+ TODO: check
CVE-2023-27151
RESERVED
CVE-2023-27150
RESERVED
-CVE-2023-27149
- RESERVED
-CVE-2023-27148
- RESERVED
+CVE-2023-27149 (A stored cross-site scripting (XSS) vulnerability in Enhancesoft osTic ...)
+ TODO: check
+CVE-2023-27148 (A stored cross-site scripting (XSS) vulnerability in the Admin panel i ...)
+ TODO: check
CVE-2023-27147
RESERVED
CVE-2023-27146
@@ -130425,8 +130470,8 @@ CVE-2022-22468
RESERVED
CVE-2022-22467
RESERVED
-CVE-2022-22466
- RESERVED
+CVE-2022-22466 (IBM Security Verify Governance 10.0 contains hard-coded credentials, s ...)
+ TODO: check
CVE-2022-22465 (IBM Security Access Manager Appliance 10.0.0.0, 10.0.1.0, 10.0.2.0, an ...)
NOT-FOR-US: IBM
CVE-2022-22464 (IBM Security Access Manager Appliance 10.0.0.0, 10.0.1.0, 10.0.2.0, an ...)
@@ -138343,6 +138388,7 @@ CVE-2021-3981 (A flaw in grub2 was found where its configuration file, known as
CVE-2021-3980 (elgg is vulnerable to Exposure of Private Personal Information to an U ...)
- elgg <itp> (bug #526197)
CVE-2021-3979 (A key length flaw was found in Red Hat Ceph Storage. An attacker can e ...)
+ {DLA-3629-1}
- ceph 16.2.9+ds-1
[bullseye] - ceph <no-dsa> (Minor issue)
[stretch] - ceph <no-dsa> (Minor issue)
@@ -172814,6 +172860,7 @@ CVE-2021-3532 (A flaw was found in Ansible where the secret information present
- ansible-base <removed>
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1956464
CVE-2021-3531 (A flaw was found in the Red Hat Ceph Storage RGW in versions before 14 ...)
+ {DLA-3629-1}
- ceph 14.2.21-1 (bug #988890)
[stretch] - ceph <not-affected> (Vulnerable code introduced later)
NOTE: https://www.openwall.com/lists/oss-security/2021/05/14/5
@@ -173029,7 +173076,7 @@ CVE-2021-3526
CVE-2021-3525
REJECTED
CVE-2021-3524 (A flaw was found in the Red Hat Ceph Storage RadosGW (Ceph Object Gate ...)
- {DLA-2735-1}
+ {DLA-3629-1 DLA-2735-1}
- ceph 14.2.21-1 (bug #988889)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1951674
NOTE: Fixed by: https://github.com/ceph/ceph/commit/763aebb94678018f89427137ffbc0c5205b1edc1
@@ -186495,16 +186542,16 @@ CVE-2021-26740 (Arbitrary file upload vulnerability sysupload.php in millken doy
NOT-FOR-US: doyocms
CVE-2021-26739 (SQL Injection vulnerability in pay.php in millken doyocms 2.3, allows ...)
NOT-FOR-US: doyocms
-CVE-2021-26738
- RESERVED
-CVE-2021-26737
- RESERVED
-CVE-2021-26736
- RESERVED
-CVE-2021-26735
- RESERVED
-CVE-2021-26734
- RESERVED
+CVE-2021-26738 (Zscaler Client Connector for macOS prior to 3.7 had an unquoted search ...)
+ TODO: check
+CVE-2021-26737 (The Zscaler Client Connector for macOS prior to 3.6 did not sufficient ...)
+ TODO: check
+CVE-2021-26736 (Multiple vulnerabilities in the Zscaler Client Connector Installer and ...)
+ TODO: check
+CVE-2021-26735 (The Zscaler Client Connector Installer and Unsintallers for Windows pr ...)
+ TODO: check
+CVE-2021-26734 (Zscaler Client Connector Installer on Windows before version 3.4.0.124 ...)
+ TODO: check
CVE-2021-26733 (A broken access control vulnerability in the FirstReset_handler_func f ...)
NOT-FOR-US: Lanner Inc IAC-AST2500A standard firmware
CVE-2021-26732 (A broken access control vulnerability in the First_network_func functi ...)
@@ -203780,6 +203827,7 @@ CVE-2021-20290 (An improper authorization handling flaw was found in Foreman. Th
CVE-2021-20289 (A flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.F ...)
NOT-FOR-US: Keycloak
CVE-2021-20288 (An authentication flaw was found in ceph in versions before 14.2.20. W ...)
+ {DLA-3629-1}
- ceph 14.2.20-1 (bug #986974)
[stretch] - ceph <no-dsa> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2021/04/14/2
@@ -215418,6 +215466,7 @@ CVE-2020-27782 (A flaw was found in the Undertow AJP connector. Malicious reques
NOTE: https://issues.redhat.com/browse/UNDERTOW-1824
NOTE: https://github.com/undertow-io/undertow/commit/fdac349cbcd1da41fe8b9d4e7ebbab6879990c2a (2.2.4.Final)
CVE-2020-27781 (User credentials can be manipulated and stolen by Native CephFS consum ...)
+ {DLA-3629-1}
- ceph 14.2.16-1 (bug #985670)
[stretch] - ceph <postponed> (Minor issue)
NOTE: https://bugs.launchpad.net/manila/+bug/1904015
@@ -221082,6 +221131,7 @@ CVE-2020-25680 (A flaw was found in JBCS httpd in version 2.4.37 SP3, where it u
CVE-2020-25679
REJECTED
CVE-2020-25678 (A flaw was found in ceph in versions prior to 16.y.z where ceph stores ...)
+ {DLA-3629-1}
- ceph 14.2.18-1
[stretch] - ceph <no-dsa> (Minor issue)
NOTE: https://tracker.ceph.com/issues/37503
@@ -253367,6 +253417,7 @@ CVE-2020-12061 (An issue was discovered in Nitrokey FIDO U2F firmware through 1.
CVE-2020-12060
RESERVED
CVE-2020-12059 (An issue was discovered in Ceph through 13.2.9. A POST request with an ...)
+ {DLA-3629-1}
- ceph 14.2.4-1
[stretch] - ceph <not-affected> (Vulnerable code introduced later)
[jessie] - ceph <not-affected> (Vulnerable code introduced later)
@@ -258294,7 +258345,7 @@ CVE-2020-10754 (It was found that nmcli, a command line interface to NetworkMana
NOTE: affected but not the Debian binary builds (and is RedHat/Fedora specific
NOTE: plugin).
CVE-2020-10753 (A flaw was found in the Red Hat Ceph Storage RadosGW (Ceph Object Gate ...)
- {DLA-2735-1}
+ {DLA-3629-1 DLA-2735-1}
- ceph 14.2.15-1 (bug #975300)
[jessie] - ceph <no-dsa> (Minor issue)
NOTE: https://github.com/ceph/ceph/pull/35773
@@ -282545,7 +282596,7 @@ CVE-2020-1762 (An insufficient JWT validation vulnerability was found in Kiali v
CVE-2020-1761 (A flaw was found in the OpenShift web console, where the access token ...)
NOT-FOR-US: OpenShift
CVE-2020-1760 (A flaw was found in the Ceph Object Gateway, where it supports request ...)
- {DLA-2735-1 DLA-2171-1}
+ {DLA-3629-1 DLA-2735-1 DLA-2171-1}
- ceph 14.2.9-1 (bug #956142)
NOTE: Introduced with: https://github.com/ceph/ceph-ci/commit/f4a0b2d9260a4523745875e3977a8a1ef9dc5e2e
NOTE: Fixed by: https://github.com/ceph/ceph-ci/commit/8aa1f77363ec32bdc57744a143035033291ab5e1
@@ -282809,6 +282860,7 @@ CVE-2020-1702 (A malicious container image can consume an unbounded amount of me
CVE-2020-1701 (A flaw was found in the KubeVirt main virt-handler versions before 0.2 ...)
NOT-FOR-US: KubeVirt
CVE-2020-1700 (A flaw was found in the way the Ceph RGW Beast front-end handles unexp ...)
+ {DLA-3629-1}
- ceph 14.2.7-1
[stretch] - ceph <not-affected> (Vulnerable code introduced later)
[jessie] - ceph <not-affected> (Vulnerable code introduced later)
@@ -313755,6 +313807,7 @@ CVE-2019-10224 (A flaw has been found in 389-ds-base versions 1.4.x.x before 1.4
CVE-2019-10223 (A security issue was discovered in the kube-state-metrics versions v1. ...)
NOT-FOR-US: kube-state-metrics
CVE-2019-10222 (A flaw was found in the Ceph RGW configuration with Beast as the front ...)
+ {DLA-3629-1}
- ceph 14.2.4-1 (bug #936015)
[stretch] - ceph <not-affected> (Vulnerable code not present)
[jessie] - ceph <not-affected> (Vulnerable code not present)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0daf541c573211f20d055dc095767583501dfb5b
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0daf541c573211f20d055dc095767583501dfb5b
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20231023/646da5d3/attachment-0001.htm>
More information about the debian-security-tracker-commits
mailing list