[Git][security-tracker-team/security-tracker][master] automatic update

Salvatore Bonaccorso (@carnil) carnil at debian.org
Thu Feb 8 20:12:23 GMT 2024



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
43e2366f by security tracker role at 2024-02-08T20:12:10+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,4 +1,82 @@
-CVE-2024-0985
+CVE-2024-25191 (php-jwt 1.0.0 uses strcmp (which is not constant time) to verify authe ...)
+	TODO: check
+CVE-2024-25190 (l8w8jwt 2.2.1 uses memcmp (which is not constant time) to verify authe ...)
+	TODO: check
+CVE-2024-25189 (libjwt 1.15.3 uses strcmp (which is not constant time) to verify authe ...)
+	TODO: check
+CVE-2024-24886 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+	TODO: check
+CVE-2024-24885 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+	TODO: check
+CVE-2024-24881 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+	TODO: check
+CVE-2024-24880 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+	TODO: check
+CVE-2024-24879 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+	TODO: check
+CVE-2024-24878 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+	TODO: check
+CVE-2024-24877 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+	TODO: check
+CVE-2024-24871 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+	TODO: check
+CVE-2024-24836 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+	TODO: check
+CVE-2024-24834 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+	TODO: check
+CVE-2024-24321 (An issue in Dlink DIR-816A2 v.1.10CNB05 allows a remote attacker to ex ...)
+	TODO: check
+CVE-2024-24215 (An issue in the component /cgi-bin/GetJsonValue.cgi of Cellinx NVT Web ...)
+	TODO: check
+CVE-2024-24213 (Supabase PostgreSQL v15.1 was discovered to contain a SQL injection vu ...)
+	TODO: check
+CVE-2024-24115 (A stored cross-site scripting (XSS) vulnerability in the Edit Page fun ...)
+	TODO: check
+CVE-2024-24113 (xxl-job =< 2.4.1 has a Server-Side Request Forgery (SSRF) vulnerabilit ...)
+	TODO: check
+CVE-2024-24034 (Setor Informatica S.I.L version 3.0 is vulnerable to Open Redirect via ...)
+	TODO: check
+CVE-2024-23764 (Certain WithSecure products allow Local Privilege Escalation. This aff ...)
+	TODO: check
+CVE-2024-23660 (The Binance Trust Wallet app for iOS in commit 3cd6e8f647fbba8b5d8844f ...)
+	TODO: check
+CVE-2024-23452 (Request smuggling vulnerability in HTTP server in Apache bRPC 0.9.5~1. ...)
+	TODO: check
+CVE-2024-22836 (An OS command injection vulnerability exists in Akaunting v3.1.3 and e ...)
+	TODO: check
+CVE-2024-22795 (Insecure Permissions vulnerability in Forescout SecureConnector v.11.3 ...)
+	TODO: check
+CVE-2024-22464 (Dell EMC AppSync, versions from 4.2.0.0 to 4.6.0.0 including all Servi ...)
+	TODO: check
+CVE-2024-1329 (HashiCorp Nomad and Nomad Enterprise 1.5.13 up to 1.6.6, and 1.7.3 tem ...)
+	TODO: check
+CVE-2024-1207 (The WP Booking Calendar plugin for WordPress is vulnerable to SQL Inje ...)
+	TODO: check
+CVE-2024-1150 (Improper Verification of Cryptographic Signature vulnerability in Snow ...)
+	TODO: check
+CVE-2024-1149 (Improper Verification of Cryptographic Signature vulnerability in Snow ...)
+	TODO: check
+CVE-2024-0965 (The Simple Page Access Restriction plugin for WordPress is vulnerable  ...)
+	TODO: check
+CVE-2024-0242 (Under certain circumstances IQ Panel4 and IQ4 Hub panel software prior ...)
+	TODO: check
+CVE-2023-7169 (Authentication Bypass by Spoofing vulnerability in Snow Software Snow  ...)
+	TODO: check
+CVE-2023-6519 (Exposure of Data Element to Wrong Session vulnerability in Mia Technol ...)
+	TODO: check
+CVE-2023-6518 (Plaintext Storage of a Password vulnerability in Mia Technology Inc. M ...)
+	TODO: check
+CVE-2023-6517 (Exposure of Sensitive Information Due to Incompatible Policies vulnera ...)
+	TODO: check
+CVE-2023-6515 (Authorization Bypass Through User-Controlled Key vulnerability in Mia  ...)
+	TODO: check
+CVE-2023-50061 (PrestaShop Op'art Easy Redirect >= 1.3.8 and <= 1.3.12 is vulnerable t ...)
+	TODO: check
+CVE-2023-47020 (Multiple Cross-Site Request Forgery (CSRF) chaining in NCR Terminal Ha ...)
+	TODO: check
+CVE-2023-42282 (An issue in NPM IP Package v.1.1.8 and before allows an attacker to ex ...)
+	TODO: check
+CVE-2024-0985 (Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in Postg ...)
 	- postgresql-16 16.2-1
 	- postgresql-15 <removed>
 	- postgresql-13 <removed>
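Review bot: the three new entries at the top of this hunk, CVE-2024-25189 (libjwt), CVE-2024-25190 (l8w8jwt) and CVE-2024-25191 (php-jwt), describe the same defect class, a non-constant-time comparison (strcmp or memcmp) used to verify an authentication tag, so they are best triaged together rather than as three unrelated TODO: check items; once it is established which of these libraries are actually packaged, the unpackaged ones should get a NOT-FOR-US line in the same style used for gradio and kubeflow further down in this diff. The CVE-2024-0985 change is consistent: the bare identifier from the old first line is re-added with its description while the existing postgresql-16 16.2-1 fix and the postgresql-15/13 <removed> status lines are kept.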
@@ -64,7 +142,7 @@ CVE-2023-48974 (Cross Site Scripting vulnerability in Axigen WebMail v.10.5.7 an
 	TODO: check
 CVE-2023-47798 (Account lockout in Liferay Portal 7.2.0 through 7.3.0, and older unsup ...)
 	TODO: check
-CVE-2024-1312 [mm: lock_vma_under_rcu() must check vma->anon_vma under vma lock]
+CVE-2024-1312 (A use-after-free flaw was found in the Linux kernel's Memory Managemen ...)
 	- linux 6.4.11-1
 	[bookworm] - linux <not-affected> (Vulnerable code not present)
 	[bullseye] - linux <not-affected> (Vulnerable code not present)
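Review bot: replacing the bracketed kernel commit subject "mm: lock_vma_under_rcu() must check vma->anon_vma under vma lock" with the published description drops the only pointer in this entry to the upstream fix; consider preserving that subject in a NOTE: line, following the "NOTE: Fixed by:" convention used in the libgit2 entry below, so the mapping from CVE-2024-1312 to the fixing commit is not lost. The status lines need no change: the linux 6.4.11-1 fix version and the bookworm/bullseye <not-affected> (Vulnerable code not present) annotations remain consistent with the new use-after-free description.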
@@ -386,10 +464,12 @@ CVE-2024-24575 (libgit2 is a portable C implementation of the Git core methods p
 	NOTE: Fixed by: https://github.com/libgit2/libgit2/commit/c9d31b711e8906cf248566f43142f20b03e20cbf (v1.6.5)
 	NOTE: Fixed by: https://github.com/libgit2/libgit2/commit/7f6f3dff9c41f3be7598693aa3c716c8354fba7f (v1.7.2)
 CVE-2024-1284 (Use after free in Mojo in Google Chrome prior to 121.0.6167.160 allowe ...)
+	{DSA-5617-1}
 	- chromium 121.0.6167.160-1
 	[bullseye] - chromium <end-of-life> (see #1061268)
 	[buster] - chromium <end-of-life> (see DSA 5046)
 CVE-2024-1283 (Heap buffer overflow in Skia in Google Chrome prior to 121.0.6167.160  ...)
+	{DSA-5617-1}
 	- chromium 121.0.6167.160-1
 	[bullseye] - chromium <end-of-life> (see #1061268)
 	[buster] - chromium <end-of-life> (see DSA 5046)
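Review bot: the {DSA-5617-1} marker is added here to CVE-2024-1284 and CVE-2024-1283 only, both fixed in chromium 121.0.6167.160-1; check that every other CVE addressed by that same chromium upload carries the same marker, otherwise the DSA-to-CVE cross-reference for the advisory is incomplete.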
@@ -10390,7 +10470,7 @@ CVE-2023-36878 (Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerab
 	NOT-FOR-US: Microsoft
 CVE-2023-6595 (In WhatsUp Gold versions released before 2023.1, an API endpoint was f ...)
 	NOT-FOR-US: WhatsUp Gold
-CVE-2023-6572 (Exposure of Sensitive Information to an Unauthorized Actor in GitHub r ...)
+CVE-2023-6572 (Command Injection in GitHub repository gradio-app/gradio prior to main ...)
 	NOT-FOR-US: gradio
 CVE-2023-6571 (Cross-site Scripting (XSS) - Reflected in kubeflow/kubeflow)
 	NOT-FOR-US: kubeflow
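Review bot: the description for CVE-2023-6572 changes from "Exposure of Sensitive Information to an Unauthorized Actor" to "Command Injection in GitHub repository gradio-app/gradio", a different vulnerability class rather than a wording tweak; since the entry stays NOT-FOR-US: gradio this does not affect any Debian status, but it is worth confirming against the upstream record that the CVE itself was rewritten and that two gradio CVEs were not conflated during the automatic import.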
@@ -10656,7 +10736,7 @@ CVE-2023-6051 (An issue has been discovered in GitLab CE/EE affecting all versio
 	- gitlab 16.4.4+ds2-2
 CVE-2023-6680 (An improper certificate validation issue in Smartcard authentication i ...)
 	- gitlab <not-affected> (Specific to EE)
-CVE-2023-6564
+CVE-2023-6564 (An issue has been discovered in GitLab EE Premium and Ultimate affecti ...)
 	- gitlab <not-affected> (Specific to EE)
 CVE-2023-49347 (Temporary data passed between application components by Budgie Extras  ...)
 	- budgie-extras 1.7.1-1 (unimportant)
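Review bot: the <not-affected> (Specific to EE) status for CVE-2023-6564 was recorded while the entry still had no description; the description now imported ("GitLab EE Premium and Ultimate") confirms that assessment and matches the neighbouring CVE-2023-6680 entry, so no status change is needed.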



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/43e2366f91fd425c1629e5245b1bc34e5c8c1665




