[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Thu Apr 25 22:23:15 BST 2024
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
29679e3f by security tracker role at 2024-04-25T20:11:52+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,3 +1,111 @@
+CVE-2024-4175 (Unicode transformation vulnerability in Hyperion affecting version 2.0 ...)
+ TODO: check
+CVE-2024-4174 (Cross-Site Scripting (XSS) vulnerability in Hyperion Web Server affect ...)
+ TODO: check
+CVE-2024-4172 (A vulnerability classified as problematic was found in idcCMS 1.35. Af ...)
+ TODO: check
+CVE-2024-4171 (A vulnerability classified as critical has been found in Tenda W30E 1. ...)
+ TODO: check
+CVE-2024-4170 (A vulnerability was found in Tenda 4G300 1.01.42. It has been rated as ...)
+ TODO: check
+CVE-2024-4169 (A vulnerability was found in Tenda 4G300 1.01.42. It has been declared ...)
+ TODO: check
+CVE-2024-4168 (A vulnerability was found in Tenda 4G300 1.01.42. It has been classifi ...)
+ TODO: check
+CVE-2024-4167 (A vulnerability was found in Tenda 4G300 1.01.42 and classified as cri ...)
+ TODO: check
+CVE-2024-4166 (A vulnerability has been found in Tenda 4G300 1.01.42 and classified a ...)
+ TODO: check
+CVE-2024-4165 (A vulnerability, which was classified as critical, was found in Tenda ...)
+ TODO: check
+CVE-2024-4164 (A vulnerability, which was classified as critical, has been found in T ...)
+ TODO: check
+CVE-2024-4077 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2024-4035 (The Photo Gallery \u2013 GT3 Image Gallery & Gutenberg Block Gallery p ...)
+ TODO: check
+CVE-2024-4024 (An issue has been discovered in GitLab CE/EE affecting all versions st ...)
+ TODO: check
+CVE-2024-4006 (An issue has been discovered in GitLab CE/EE affecting all versions st ...)
+ TODO: check
+CVE-2024-3994 (The Tutor LMS \u2013 eLearning and online course solution plugin for W ...)
+ TODO: check
+CVE-2024-3733 (The Essential Addons for Elementor \u2013 Best Elementor Templates, Wi ...)
+ TODO: check
+CVE-2024-3730 (The Simple Membership plugin for WordPress is vulnerable to Stored Cro ...)
+ TODO: check
+CVE-2024-33592 (Server-Side Request Forgery (SSRF) vulnerability in SoftLab Radio Play ...)
+ TODO: check
+CVE-2024-33247 (Sourcecodester Employee Task Management System v1.0 is vulnerable to S ...)
+ TODO: check
+CVE-2024-32961 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+ TODO: check
+CVE-2024-32676 (Improper Restriction of Excessive Authentication Attempts vulnerabilit ...)
+ TODO: check
+CVE-2024-32649 (Vyper is a pythonic Smart Contract Language for the Ethereum virtual m ...)
+ TODO: check
+CVE-2024-32648 (Vyper is a pythonic Smart Contract Language for the Ethereum virtual m ...)
+ TODO: check
+CVE-2024-32647 (Vyper is a pythonic Smart Contract Language for the Ethereum virtual m ...)
+ TODO: check
+CVE-2024-32646 (Vyper is a pythonic Smart Contract Language for the Ethereum virtual m ...)
+ TODO: check
+CVE-2024-32645 (Vyper is a pythonic Smart Contract Language for the Ethereum virtual m ...)
+ TODO: check
+CVE-2024-32481 (Vyper is a pythonic Smart Contract Language for the Ethereum virtual m ...)
+ TODO: check
+CVE-2024-32467 (MeterSphere is an open source continuous testing platform. Prior to ve ...)
+ TODO: check
+CVE-2024-32358 (An issue in Jpress v.5.1.0 allows a remote attacker to execute arbitra ...)
+ TODO: check
+CVE-2024-32324 (Buffer Overflow vulnerability in Shenzhen Libituo Technology Co., Ltd ...)
+ TODO: check
+CVE-2024-32236 (An issue in CmsEasy v.7.7 and before allows a remote attacker to obtai ...)
+ TODO: check
+CVE-2024-31615 (ThinkCMF 6.0.9 is vulnerable to File upload via UeditorController.php.)
+ TODO: check
+CVE-2024-31574 (Cross Site Scripting vulnerability in TWCMS v.2.6 allows a local attac ...)
+ TODO: check
+CVE-2024-31266 (Improper Control of Generation of Code ('Code Injection') vulnerabilit ...)
+ TODO: check
+CVE-2024-30939 (An issue discovered in Yealink VP59 Teams Editions with firmware versi ...)
+ TODO: check
+CVE-2024-30890 (Cross Site Scripting vulnerability in ED01-CMS v.1.0 allows an attacke ...)
+ TODO: check
+CVE-2024-30560 (Cross-Site Request Forgery (CSRF) vulnerability in \u5927\u4fa0WP DX-W ...)
+ TODO: check
+CVE-2024-2829 (An issue has been discovered in GitLab CE/EE affecting all versions st ...)
+ TODO: check
+CVE-2024-2434 (An issue has been discovered in GitLab affecting all versions of GitLa ...)
+ TODO: check
+CVE-2024-29660 (Cross Site Scripting vulnerability in DedeCMS v.5.7 allows a local att ...)
+ TODO: check
+CVE-2024-28241 (The GLPI Agent is a generic management agent. Prior to version 1.7.2, ...)
+ TODO: check
+CVE-2024-28240 (The GLPI Agent is a generic management agent. A vulnerability that onl ...)
+ TODO: check
+CVE-2024-25917 (Exposure of Sensitive Information to an Unauthorized Actor vulnerabili ...)
+ TODO: check
+CVE-2024-25624 (Iris is a web collaborative platform aiming to help incident responder ...)
+ TODO: check
+CVE-2024-25569 (An out-of-bounds read vulnerability exists in the RAWCodec::DecodeByte ...)
+ TODO: check
+CVE-2024-25026 (IBM WebSphere Application Server 8.5, 9.0 and IBM WebSphere Applicatio ...)
+ TODO: check
+CVE-2024-22391 (A heap-based buffer overflow vulnerability exists in the LookupTable:: ...)
+ TODO: check
+CVE-2024-22373 (An out-of-bounds write vulnerability exists in the JPEG2000Codec::Deco ...)
+ TODO: check
+CVE-2024-22144 (Improper Control of Generation of Code ('Code Injection') vulnerabilit ...)
+ TODO: check
+CVE-2024-1347 (An issue has been discovered in GitLab CE/EE affecting all versions be ...)
+ TODO: check
+CVE-2023-52220 (Missing Authorization vulnerability in MonsterInsights Google Analytic ...)
+ TODO: check
+CVE-2023-51484 (Improper Authentication vulnerability in wp-buy Login as User or Custo ...)
+ TODO: check
+CVE-2023-51482 (Improper Authentication vulnerability in EazyPlugins Eazy Plugin Manag ...)
+ TODO: check
CVE-2024-4173 (A vulnerability in Brocade SANnav ova versions before Brocade SANnav v ...)
NOT-FOR-US: Brocade
CVE-2024-4161 (In Brocade SANnav, before Brocade SANnav v2.3.0, syslog traffic receiv ...)
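Review bot: the five GitLab CE/EE entries added as `TODO: check` (CVE-2024-4024, CVE-2024-4006, CVE-2024-2829, CVE-2024-2434, CVE-2024-1347) should be mapped to the gitlab source package on triage rather than left pending, since gitlab is already tracked in this file (see `- gitlab 16.6.6-1` under CVE-2024-0456 further down). The three codec entries describing memory-safety bugs (CVE-2024-25569, out-of-bounds read in `RAWCodec::DecodeByte`; CVE-2024-22391, heap overflow in `LookupTable::`; CVE-2024-22373, out-of-bounds write in `JPEG2000Codec::Deco`) read like issues in a packaged library and deserve triage ahead of the WordPress-plugin and CMS entries, which by this file's convention usually resolve to NOT-FOR-US.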
@@ -326,7 +434,8 @@ CVE-2023-47357
REJECTED
CVE-2023-32127 (Missing Authorization vulnerability in Daniel Powney Multi Rating allo ...)
NOT-FOR-US: WordPress plugin
-CVE-2024-25583
+CVE-2024-25583 (A crafted response from an upstream server the recursor has been confi ...)
+ {DSA-5674-1}
- pdns-recursor 4.9.5-1 (bug #1069762)
NOTE: https://www.openwall.com/lists/oss-security/2024/04/24/1
CVE-2024-3154
@@ -733,7 +842,8 @@ CVE-2024-31841 (An issue was discovered in Italtel Embrace 1.6.4. The web server
NOT-FOR-US: Italtel Embrace
CVE-2024-31750 (SQL injection vulnerability in f-logic datacube3 v.1.0 allows a remote ...)
NOT-FOR-US: f-logic datacube3
-CVE-2024-31745 (Libdwarf v0.9.1 was discovered to contain a heap use-after-free via th ...)
+CVE-2024-31745
+ REJECTED
- dwarfutils <unfixed>
[bookworm] - dwarfutils <no-dsa> (Minor issue)
[bullseye] - dwarfutils <no-dsa> (Minor issue)
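Review bot: marking CVE-2024-31745 REJECTED while leaving `- dwarfutils <unfixed>` and the two `<no-dsa> (Minor issue)` lines in place means the tracker keeps listing an open dwarfutils issue under a withdrawn ID. Either drop those three lines, or, if the ID was rejected as a duplicate, move them under the surviving CVE; other REJECTED entries in this file (e.g. CVE-2024-3514) carry no package lines.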
@@ -2817,7 +2927,7 @@ CVE-2024-0404 (A mass assignment vulnerability exists in the `/api/invite/:code`
NOT-FOR-US: mintplex-labs/anything-llm
CVE-2023-33806 (Insecure default configurations in Hikvision Interactive Tablet DS-D5B ...)
NOT-FOR-US: Hikvision
-CVE-2023-3597
+CVE-2023-3597 (A flaw was found in Keycloak, where it does not correctly validate its ...)
NOT-FOR-US: Keycloak
CVE-2024-31497 (In PuTTY 0.68 through 0.80 before 0.81, biased ECDSA nonce generation ...)
- putty 0.81-1
@@ -3281,7 +3391,7 @@ CVE-2023-6067 (The WP User Profile Avatar WordPress plugin through 1.0.1 does no
NOT-FOR-US: WordPress plugin
CVE-2023-52144 (Improper Limitation of a Pathname to a Restricted Directory ('Path Tra ...)
NOT-FOR-US: WordPress plugin
-CVE-2024-3508
+CVE-2024-3508 (A flaw was found in Bombastic, which allows authenticated users to upl ...)
NOT-FOR-US: Bombastic's use of bzip2
CVE-2024-3651 [potential DoS via resource consumption via specially crafted inputs to idna.encode()]
- python-idna <unfixed> (bug #1069127)
@@ -3539,13 +3649,13 @@ CVE-2023-47714 (IBM Sterling File Gateway 6.0.0.0 through 6.0.3.9, 6.1.0.0 throu
NOT-FOR-US: IBM
CVE-2024-31391 (Insertion of Sensitive Information into Log File vulnerability in the ...)
NOT-FOR-US: Apache Solr Operator
-CVE-2024-3625
+CVE-2024-3625 (A flaw was found in Quay, where Quay's database is stored in plain tex ...)
NOT-FOR-US: mirror-registry for Quay
-CVE-2024-3624
+CVE-2024-3624 (A flaw was found in how Quay's database is stored in plain-text in mir ...)
NOT-FOR-US: mirror-registry for Quay
-CVE-2024-3623
+CVE-2024-3623 (A flaw was found when using mirror-registry to install Quay. It uses a ...)
NOT-FOR-US: mirror-registry for Quay
-CVE-2024-3622
+CVE-2024-3622 (A flaw was found when using mirror-registry to install Quay. It uses a ...)
NOT-FOR-US: mirror-registry for Quay
CVE-2024-3400 (A command injection as a result of arbitrary file creation vulnerabili ...)
NOT-FOR-US: Palo Alto Networks
@@ -4297,7 +4407,7 @@ CVE-2024-3447
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=58813
NOTE: https://gitlab.com/qemu-project/qemu/-/commit/9e4b27ca6bf4974f169bbca7f3dca117b1208b6f (v9.0.0-rc3)
NOTE: https://gitlab.com/qemu-project/qemu/-/commit/35a67d2aa8caf8eb0bee7d38515924c95417047e (v8.2.3)
-CVE-2024-2905
+CVE-2024-2905 (A security vulnerability has been discovered within rpm-ostree, pertai ...)
NOT-FOR-US: rpm-ostree
CVE-2024-2243 (A vulnerability was found in csmock where a regular user of the OSH se ...)
NOT-FOR-US: csmock
@@ -4455,7 +4565,8 @@ CVE-2024-3545 (Improper permission handling in the vault offline cache feature i
NOT-FOR-US: Devolutions
CVE-2024-3514
REJECTED
-CVE-2024-3512 (The WP Shortcodes Plugin \u2014 Shortcodes Ultimate plugin for WordPre ...)
+CVE-2024-3512
+ REJECTED
NOT-FOR-US: WordPress plugin
CVE-2024-3446 (A double free vulnerability was found in QEMU virtio devices (virtio-g ...)
- qemu 1:8.2.3+ds-1 (bug #1068820)
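Review bot: CVE-2024-3512 keeps `NOT-FOR-US: WordPress plugin` after being marked REJECTED, whereas the adjacent CVE-2024-3514 entry carries REJECTED alone; pick one convention for rejected entries so the trailing rationale line is either consistently retained for history or consistently dropped.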
@@ -6119,19 +6230,25 @@ CVE-2024-27575 (INOTEC Sicherheitstechnik WebServer CPS220/64 3.3.19 allows a re
NOT-FOR-US: INOTEC
CVE-2024-27268 (IBM WebSphere Application Server Liberty 18.0.0.2 through 24.0.0.3 is ...)
NOT-FOR-US: IBM
-CVE-2024-25709 (There is a stored Cross-site Scripting vulnerability in Esri Portal fo ...)
+CVE-2024-25709
+ REJECTED
NOT-FOR-US: Esri Portal
CVE-2024-25708 (There is a stored Cross-site Scripting vulnerability in Esri Portal fo ...)
NOT-FOR-US: Esri Portal
-CVE-2024-25706 (There is an HTML injection vulnerability in Esri Portal for ArcGIS <=1 ...)
+CVE-2024-25706
+ REJECTED
NOT-FOR-US: Esri Portal
-CVE-2024-25705 (There is a cross site scripting vulnerability in the Esri Portal for A ...)
+CVE-2024-25705
+ REJECTED
NOT-FOR-US: Esri Portal
-CVE-2024-25704 (There is a stored Cross-site Scripting vulnerability in Esri Portal fo ...)
+CVE-2024-25704
+ REJECTED
NOT-FOR-US: Esri Portal
-CVE-2024-25703 (There is a reflected cross site scripting vulnerability in the home ap ...)
+CVE-2024-25703
+ REJECTED
NOT-FOR-US: Esri Portal
-CVE-2024-25700 (There is a stored Cross-site Scripting vulnerability in Esri Portal fo ...)
+CVE-2024-25700
+ REJECTED
NOT-FOR-US: Esri Portal
CVE-2024-25699 (There is a difficult to exploit improper authentication issue in the H ...)
NOT-FOR-US: Esri Portal
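Review bot: six Esri Portal entries (CVE-2024-25709, -25706, -25705, -25704, -25703, -25700) flip to REJECTED while CVE-2024-25708 and CVE-2024-25699 in the same block stay active; worth confirming these are genuine withdrawals rather than re-issues under new IDs, since a re-issued ID would need a fresh entry. The retained `NOT-FOR-US: Esri Portal` line under each rejected entry is now redundant with the REJECTED marker.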
@@ -6397,7 +6514,7 @@ CVE-2024-27919 (Envoy is a cloud-native, open-source edge and service proxy. In
- envoyproxy <itp> (bug #987544)
CVE-2024-2700 (A vulnerability was found in the quarkus-core component. Quarkus captu ...)
NOT-FOR-US: Quarkus
-CVE-2024-1139
+CVE-2024-1139 (A credentials leak vulnerability was found in the cluster monitoring o ...)
NOT-FOR-US: Red Hat OpenShift Container Platform
CVE-2024-3274 (** UNSUPPORTED WHEN ASSIGNED ** A vulnerability has been found in D-Li ...)
NOT-FOR-US: D-Link
@@ -12138,7 +12255,7 @@ CVE-2024-2515 (A vulnerability, which was classified as problematic, has been fo
NOT-FOR-US: MAGESH-K21 Online-College-Event-Hall-Reservation-System
CVE-2024-1857 (The Ultimate Gift Cards for WooCommerce \u2013 Create, Redeem & Manage ...)
NOT-FOR-US: WooCommerce plugin
-CVE-2024-2467 [Crypt-OpenSSL-RSA vulnerable to the Marvin Attack]
+CVE-2024-2467 (A timing-based side-channel flaw exists in the perl-Crypt-OpenSSL-RSA ...)
- libcrypt-openssl-rsa-perl <unfixed> (bug #1066969)
[bookworm] - libcrypt-openssl-rsa-perl <no-dsa> (Minor issue)
[bullseye] - libcrypt-openssl-rsa-perl <no-dsa> (Minor issue)
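Review bot: replacing the working title `[Crypt-OpenSSL-RSA vulnerable to the Marvin Attack]` with the official description drops the only mention of the Marvin attack, which is the context a reader needs to judge the `<no-dsa> (Minor issue)` tags on `libcrypt-openssl-rsa-perl <unfixed>` (bug #1066969). Add a NOTE line pointing at the Marvin attack reference or the upstream report so that context survives the description swap.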
@@ -15007,7 +15124,7 @@ CVE-2024-27351 (In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5
NOTE: CVE is a followup to CVE-2019-14232 and CVE-2023-43665.
CVE-2024-2167
REJECTED
-CVE-2024-1657
+CVE-2024-1657 (A flaw was found in the ansible automation platform. An insecure WebSo ...)
NOT-FOR-US: Red Hat Ansible Automation Platform
CVE-2024-2048 (Vault and Vault Enterprise (\u201cVault\u201d) TLS certificate auth me ...)
NOT-FOR-US: HashiCorp Vault
@@ -18485,11 +18602,11 @@ CVE-2023-37177 (SQL Injection vulnerability in PMB Services PMB v.7.4.7 and befo
NOT-FOR-US: PMB
CVE-2024-26147 (Helm is a package manager for Charts for Kubernetes. Versions prior to ...)
- helm-kubernetes <itp> (bug #910799)
-CVE-2024-1726
+CVE-2024-1726 (A flaw was discovered in the RESTEasy Reactive implementation in Quark ...)
NOT-FOR-US: Quarkus
CVE-2024-1722 (A flaw was found in Keycloak. In certain conditions, this issue may al ...)
NOT-FOR-US: Keycloak
-CVE-2023-6787
+CVE-2023-6787 (A flaw was found in Keycloak that occurs from an error in the re-authe ...)
NOT-FOR-US: Keycloak
CVE-2024-27215
REJECTED
@@ -23175,7 +23292,7 @@ CVE-2024-1111 (A vulnerability, which was classified as problematic, has been fo
NOT-FOR-US: SourceCodester QR Code Login System
CVE-2024-1103 (A vulnerability was found in CodeAstro Real Estate Management System 1 ...)
NOT-FOR-US: CodeAstro Real Estate Management System
-CVE-2024-1102
+CVE-2024-1102 (A vulnerability was found in jberet-core logging. An exception in 'dbP ...)
NOT-FOR-US: JBeret
CVE-2024-1099 (A vulnerability was found in Rebuild up to 3.5.5. It has been classifi ...)
NOT-FOR-US: Rebuild
@@ -24097,7 +24214,7 @@ CVE-2024-0911 (A flaw was found in indent, a program for formatting C code. This
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2260399
NOTE: https://lists.gnu.org/archive/html/bug-indent/2024-01/msg00001.html
NOTE: Crash in CLI tool, no security impact
-CVE-2024-0874
+CVE-2024-0874 (A flaw was found in coredns. This issue could lead to invalid cache en ...)
- coredns <itp> (bug #880676)
CVE-2024-0456 (An authorization vulnerability exists in GitLab versions 14.0 prior to ...)
- gitlab 16.6.6-1
@@ -24200,7 +24317,7 @@ CVE-2024-0727 (Issue summary: Processing a maliciously formatted PKCS12 file may
NOTE: https://github.com/openssl/openssl/commit/febb086d0fc1ea12181f4d833aa9b8fdf2133b3b (openssl-3.1.5)
CVE-2023-6267 (A flaw was found in the json payload. If annotation based security is ...)
NOT-FOR-US: Quarkus
-CVE-2023-5675
+CVE-2023-5675 (A flaw was found in Quarkus. When a Quarkus RestEasy Classic or Reacti ...)
NOT-FOR-US: Quarkus
CVE-2023-52356 (A segment fault (SEGV) flaw was found in libtiff that could be trigger ...)
{DLA-3758-1}
@@ -25564,7 +25681,7 @@ CVE-2024-22365 (linux-pam (aka Linux PAM) before 1.6.0 allows attackers to cause
[buster] - pam <no-dsa> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2024/01/18/3
NOTE: https://github.com/linux-pam/linux-pam/commit/031bb5a5d0d950253b68138b498dc93be69a64cb (v1.6.0)
-CVE-2023-6596
+CVE-2023-6596 (An incomplete fix was shipped for the Rapid Reset (CVE-2023-44487/CVE- ...)
NOT-FOR-US: Red Hat OpenShift (specific for incomplete fixes in Red Hat for two OpenShift Containers)
CVE-2024-22715 (Stupid Simple CMS <=1.2.4 was discovered to contain a Cross-Site Reque ...)
NOT-FOR-US: Stupid Simple CMS
@@ -34566,7 +34683,7 @@ CVE-2023-33017 (Memory corruption in Boot while running a ListVars test in UEFI
NOT-FOR-US: Qualcomm
CVE-2023-4503 (An improper initialization vulnerability was found in Galleon. When us ...)
NOT-FOR-US: Red Hat EAP-Galleon
-CVE-2023-6484
+CVE-2023-6484 (A log injection flaw was found in Keycloak. A text string may be injec ...)
NOT-FOR-US: Keycloak
CVE-2023-6481 (A serialization vulnerability in logback receiver component part of l ...)
- logback <not-affected> (Incomplte fix not applied)
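Review bot: the unchanged context line `- logback <not-affected> (Incomplte fix not applied)` under CVE-2023-6481 has a typo ("Incomplte"); not part of this change, but a follow-up should correct it to "Incomplete", since that remark is what justifies the not-affected state.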
@@ -83819,9 +83936,9 @@ CVE-2023-25020 (Unauth. Stored Cross-Site Scripting (XSS) vulnerability in Kibok
NOT-FOR-US: WordPress plugin
CVE-2023-25019 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Premio C ...)
NOT-FOR-US: WordPress plugin
-CVE-2023-6717
+CVE-2023-6717 (A flaw was found in the SAML client registration in Keycloak that coul ...)
NOT-FOR-US: Keycloak
-CVE-2023-6544
+CVE-2023-6544 (A flaw was found in the Keycloak package. This issue occurs due to a p ...)
NOT-FOR-US: Keycloak
CVE-2023-0657
RESERVED
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/29679e3f57bd2b942192a483ef0e7a20c309fd49