[Git][security-tracker-team/security-tracker][master] 4 commits: Process several NFUs
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Thu Jan 11 22:15:23 GMT 2024
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
0e0ae67d by Salvatore Bonaccorso at 2024-01-11T23:14:47+01:00
Process several NFUs
Note, for the Apple related CVEs they are now marked as NFU, but it
might be later uncovered that e.g. some might affect webkit2gtk. So
some extra care on this set of CVEs is in order.
- - - - -
c764c16b by Salvatore Bonaccorso at 2024-01-11T23:14:47+01:00
Add CVE-2023-50671/exiftags
- - - - -
e5a00b88 by Salvatore Bonaccorso at 2024-01-11T23:14:47+01:00
Add CVE-2023-37644/swftools
- - - - -
2825c35b by Salvatore Bonaccorso at 2024-01-11T23:14:48+01:00
Add CVE-2023-45139/fonttools
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -11,7 +11,7 @@ CVE-2024-23057 (TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contai
CVE-2024-22942 (TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a co ...)
NOT-FOR-US: TOTOLINK
CVE-2024-22199 (This package provides universal methods to use multiple template engin ...)
- TODO: check
+ NOT-FOR-US: Fiber web framework
CVE-2024-22198 (Nginx-UI is a web interface to manage Nginx configurations. It is vuln ...)
NOT-FOR-US: Nginx-UI
CVE-2024-22197 (Nginx-ui is online statistics for Server Indicators Monitor CPU usage, ...)
@@ -29,7 +29,7 @@ CVE-2024-0423 (A vulnerability was found in CodeAstro Online Food Ordering Syste
CVE-2024-0422 (A vulnerability was found in CodeAstro POS and Inventory Management Sy ...)
NOT-FOR-US: CodeAstro POS and Inventory Management System
CVE-2024-0419 (A vulnerability was found in Jasper httpdx up to 1.5.4 and classified ...)
- TODO: check
+ NOT-FOR-US: Jasper httpdx
CVE-2024-0418 (A vulnerability has been found in iSharer and upRedSun File Sharing Wi ...)
NOT-FOR-US: iSharer and upRedSun File Sharing Wizard
CVE-2024-0417 (A vulnerability, which was classified as critical, was found in DeShan ...)
@@ -47,7 +47,7 @@ CVE-2024-0412 (A vulnerability was found in DeShang DSShop up to 3.1.0. It has b
CVE-2024-0411 (A vulnerability was found in DeShang DSMall up to 6.1.0. It has been c ...)
NOT-FOR-US: DeShang DSMall
CVE-2024-0227 (Devise-Two-Factor does not throttle or otherwise restrict login attemp ...)
- TODO: check
+ NOT-FOR-US: Devise-Two-Factor
CVE-2023-7071 (The Essential Blocks \u2013 Page Builder Gutenberg Blocks, Patterns & ...)
NOT-FOR-US: WordPress plugin
CVE-2023-7070 (The Email Encoder \u2013 Protect Email Addresses and Phone Numbers plu ...)
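Review bot: `NOT-FOR-US: Devise-Two-Factor` on CVE-2024-0227 names a project rather than a vendor product, and NOT-FOR-US is only correct if no source package in the archive ships that project. Confirm with a package search before closing the TODO; if it is packaged, the entry needs a package line instead.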
@@ -123,7 +123,7 @@ CVE-2023-6558 (The Export and Import Users and Customers plugin for WordPress is
CVE-2023-6556 (The FOX \u2013 Currency Switcher Professional for WooCommerce plugin f ...)
NOT-FOR-US: WordPress plugin
CVE-2023-6554 (When access to the "admin" folder is not protected by some external au ...)
- TODO: check
+ NOT-FOR-US: TCExam
CVE-2023-6504 (The User Profile Builder \u2013 Beautiful User Registration Forms, Use ...)
NOT-FOR-US: WordPress plugin
CVE-2023-6496 (The Manage Notification E-mails plugin for WordPress is vulnerable to ...)
@@ -145,7 +145,7 @@ CVE-2023-5691 (The Chatbot for WordPress plugin for WordPress is vulnerable to S
CVE-2023-5504 (The BackWPup plugin for WordPress is vulnerable to Directory Traversal ...)
NOT-FOR-US: WordPress plugin
CVE-2023-5118 (The application is vulnerable to Stored Cross-Site Scripting (XSS) in ...)
- TODO: check
+ NOT-FOR-US: Kofax
CVE-2023-52032 (TOTOlink EX1200T V4.1.2cu.5232_B20210713 was discovered to contain a r ...)
NOT-FOR-US: TOTOlink
CVE-2023-52031 (TOTOlink A3700R v9.1.2u.5822_B20200513 was discovered to contain a rem ...)
@@ -173,7 +173,9 @@ CVE-2023-51749 (ScaleFusion 10.5.2 does not properly limit users to the Edge app
CVE-2023-51748 (ScaleFusion 10.5.2 does not properly limit users to the Edge applicati ...)
NOT-FOR-US: ScaleFusion
CVE-2023-50671 (In exiftags 1.01, nikon_prop1 in nikon.c has a heap-based buffer overf ...)
- TODO: check
+ - exiftags <unfixed>
+ NOTE: https://blog.yulun.ac.cn/posts/2023/fuzzing-exiftags/
+ TODO: check details
CVE-2023-50159 (In ScaleFusion (Windows Desktop App) agent v10.5.2, Kiosk mode applica ...)
NOT-FOR-US: ScaleFusion
CVE-2023-4962 (The Video PopUp plugin for WordPress is vulnerable to Stored Cross-Sit ...)
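Review bot: The new CVE-2023-50671 entry still carries `TODO: check details` next to `- exiftags <unfixed>`, and its only reference is a blog post. The follow-up check should confirm that the nikon_prop1 overflow in nikon.c is present in the packaged source, add an upstream or bug reference as a further NOTE line if one exists, and then drop the TODO.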
@@ -189,13 +191,13 @@ CVE-2023-4247 (The GiveWP plugin for WordPress is vulnerable to Cross-Site Reque
CVE-2023-4246 (The GiveWP plugin for WordPress is vulnerable to Cross-Site Request Fo ...)
NOT-FOR-US: WordPress plugin
CVE-2022-4958 (A vulnerability classified as problematic has been found in qkmc-rk re ...)
- TODO: check
+ NOT-FOR-US: qkmc-rk redbbs
CVE-2024-22195 (Jinja is an extensible templating engine. Special placeholders in the ...)
- jinja2 <unfixed>
NOTE: https://github.com/pallets/jinja/security/advisories/GHSA-h5c8-rqwp-cp95
NOTE: Fixed by: https://github.com/pallets/jinja/commit/7dd3680e6eea0d77fde024763657aa4d884ddb23 (3.1.3)
CVE-2024-22194 (cdo-local-uuid project provides a specialized UUID-generating function ...)
- TODO: check
+ NOT-FOR-US: cdo-local-uuid project
CVE-2024-22190 (GitPython is a python library used to interact with Git repositories. ...)
- python-git <not-affected> (Only affects Windows)
NOTE: https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx
@@ -208,7 +210,7 @@ CVE-2024-21821 (Multiple TP-LINK products allow a network-adjacent authenticated
CVE-2024-21773 (Multiple TP-LINK products allow a network-adjacent unauthenticated att ...)
NOT-FOR-US: TP-LINK
CVE-2024-21669 (Hyperledger Aries Cloud Agent Python (ACA-Py) is a foundation for buil ...)
- TODO: check
+ NOT-FOR-US: Hyperledger Aries Cloud Agent Python (ACA-Py)
CVE-2024-21667 (pimcore/customer-data-framework is the Customer Management Framework f ...)
NOT-FOR-US: Pimcore framework
CVE-2024-21666 (The Customer Management Framework (CMF) for Pimcore adds functionality ...)
@@ -216,7 +218,7 @@ CVE-2024-21666 (The Customer Management Framework (CMF) for Pimcore adds functio
CVE-2024-21665 (ecommerce-framework-bundle is the Pimcore Ecommerce Framework Bundle. ...)
NOT-FOR-US: Pimcore
CVE-2024-21638 (Azure IPAM (IP Address Management) is a lightweight solution developed ...)
- TODO: check
+ NOT-FOR-US: Azure IPAM (IP Address Management)
CVE-2024-21637 (Authentik is an open-source Identity Provider. Authentik is a vulnerab ...)
NOT-FOR-US: authentik
CVE-2024-0252 (ManageEngine ADSelfService Plus versions6401and below are vulnerable t ...)
@@ -260,109 +262,110 @@ CVE-2023-45171 (IBM AIX 7.2, 7.3, and VIOS 3.1 could allow a non-privileged loca
CVE-2023-45169 (IBM AIX 7.2, 7.3, and VIOS 3.1 could allow a non-privileged local user ...)
NOT-FOR-US: IBM
CVE-2023-42941 (The issue was addressed with improved checks. This issue is fixed in i ...)
- TODO: check
+ NOT-FOR-US: Apple
CVE-2023-42934 (An information disclosure issue was addressed by removing the vulnerab ...)
- TODO: check
+ NOT-FOR-US: Apple
CVE-2023-42933 (This issue was addressed with improved checks. This issue is fixed in ...)
- TODO: check
+ NOT-FOR-US: Apple
CVE-2023-42929 (The issue was addressed with improved checks. This issue is fixed in m ...)
- TODO: check
+ NOT-FOR-US: Apple
CVE-2023-42876 (The issue was addressed with improved bounds checks. This issue is fix ...)
- TODO: check
+ NOT-FOR-US: Apple
CVE-2023-42872 (The issue was addressed with additional permissions checks. This issue ...)
- TODO: check
+ NOT-FOR-US: Apple
CVE-2023-42871 (The issue was addressed with improved memory handling. This issue is f ...)
- TODO: check
+ NOT-FOR-US: Apple
CVE-2023-42870 (A use-after-free issue was addressed with improved memory management. ...)
- TODO: check
+ NOT-FOR-US: Apple
CVE-2023-42869 (Multiple memory corruption issues were addressed with improved input v ...)
- TODO: check
+ NOT-FOR-US: Apple
CVE-2023-42866 (The issue was addressed with improved memory handling. This issue is f ...)
- TODO: check
+ NOT-FOR-US: Apple
CVE-2023-42865 (An out-of-bounds read was addressed with improved input validation. Th ...)
- TODO: check
+ NOT-FOR-US: Apple
CVE-2023-42862 (An out-of-bounds read was addressed with improved input validation. Th ...)
- TODO: check
+ NOT-FOR-US: Apple
CVE-2023-42833 (A correctness issue was addressed with improved checks. This issue is ...)
- TODO: check
+ NOT-FOR-US: Apple
CVE-2023-42832 (A race condition was addressed with improved state handling. This issu ...)
- TODO: check
+ NOT-FOR-US: Apple
CVE-2023-42831 (This issue was addressed by removing the vulnerable code. This issue i ...)
- TODO: check
+ NOT-FOR-US: Apple
CVE-2023-42830 (A privacy issue was addressed with improved private data redaction for ...)
- TODO: check
+ NOT-FOR-US: Apple
CVE-2023-42829 (The issue was addressed with additional restrictions on the observabil ...)
- TODO: check
+ NOT-FOR-US: Apple
CVE-2023-42828 (This issue was addressed by removing the vulnerable code. This issue i ...)
- TODO: check
+ NOT-FOR-US: Apple
CVE-2023-42826 (The issue was addressed with improved checks. This issue is fixed in m ...)
- TODO: check
+ NOT-FOR-US: Apple
CVE-2023-41994 (A logic issue was addressed with improved checks This issue is fixed i ...)
- TODO: check
+ NOT-FOR-US: Apple
CVE-2023-41987 (This issue was addressed with improved checks. This issue is fixed in ...)
- TODO: check
+ NOT-FOR-US: Apple
CVE-2023-41974 (A use-after-free issue was addressed with improved memory management. ...)
- TODO: check
+ NOT-FOR-US: Apple
CVE-2023-41075 (A type confusion issue was addressed with improved checks. This issue ...)
- TODO: check
+ NOT-FOR-US: Apple
CVE-2023-41069 (This issue was addressed by improving Face ID anti-spoofing models. Th ...)
- TODO: check
+ NOT-FOR-US: Apple
CVE-2023-41060 (A type confusion issue was addressed with improved checks. This issue ...)
- TODO: check
+ NOT-FOR-US: Apple
CVE-2023-40529 (This issue was addressed with improved redaction of sensitive informat ...)
- TODO: check
+ NOT-FOR-US: Apple
CVE-2023-40439 (A privacy issue was addressed with improved private data redaction for ...)
- TODO: check
+ NOT-FOR-US: Apple
CVE-2023-40438 (An issue was addressed with improved handling of temporary files. This ...)
- TODO: check
+ NOT-FOR-US: Apple
CVE-2023-40437 (A privacy issue was addressed with improved private data redaction for ...)
- TODO: check
+ NOT-FOR-US: Apple
CVE-2023-40433 (A logic issue was addressed with improved checks. This issue is fixed ...)
- TODO: check
+ NOT-FOR-US: Apple
CVE-2023-40430 (A logic issue was addressed with improved checks. This issue is fixed ...)
- TODO: check
+ NOT-FOR-US: Apple
CVE-2023-40414 (A use-after-free issue was addressed with improved memory management. ...)
- TODO: check
+ NOT-FOR-US: Apple
CVE-2023-40411 (This issue was addressed with improved data protection. This issue is ...)
- TODO: check
+ NOT-FOR-US: Apple
CVE-2023-40394 (The issue was addressed with improved validation of environment variab ...)
- TODO: check
+ NOT-FOR-US: Apple
CVE-2023-40393 (An authentication issue was addressed with improved state management. ...)
- TODO: check
+ NOT-FOR-US: Apple
CVE-2023-40385 (This issue was addressed by removing the vulnerable code. This issue i ...)
- TODO: check
+ NOT-FOR-US: Apple
CVE-2023-40383 (A path handling issue was addressed with improved validation. This iss ...)
- TODO: check
+ NOT-FOR-US: Apple
CVE-2023-38612 (The issue was addressed with improved checks. This issue is fixed in m ...)
- TODO: check
+ NOT-FOR-US: Apple
CVE-2023-38610 (A memory corruption issue was addressed by removing the vulnerable cod ...)
- TODO: check
+ NOT-FOR-US: Apple
CVE-2023-38607 (The issue was addressed with improved handling of caches. This issue i ...)
- TODO: check
+ NOT-FOR-US: Apple
CVE-2023-38267 (IBM Security Access Manager Appliance (IBM Security Verify Access Appl ...)
NOT-FOR-US: IBM
CVE-2023-37644 (SWFTools 0.9.2 772e55a allows attackers to trigger a large memory-allo ...)
- TODO: check
+ - swftools <removed>
+ NOTE: https://github.com/matthiaskramm/swftools/issues/202
CVE-2023-32436 (The issue was addressed with improved bounds checks. This issue is fix ...)
- TODO: check
+ NOT-FOR-US: Apple
CVE-2023-32424 (The issue was addressed with improved memory handling. This issue is f ...)
- TODO: check
+ NOT-FOR-US: Apple
CVE-2023-32401 (A buffer overflow was addressed with improved bounds checking. This is ...)
- TODO: check
+ NOT-FOR-US: Apple
CVE-2023-32383 (This issue was addressed by forcing hardened runtime on the affected b ...)
- TODO: check
+ NOT-FOR-US: Apple
CVE-2023-32378 (A use-after-free issue was addressed with improved memory management. ...)
- TODO: check
+ NOT-FOR-US: Apple
CVE-2023-32366 (An out-of-bounds write issue was addressed with improved input validat ...)
- TODO: check
+ NOT-FOR-US: Apple
CVE-2022-48577 (An access issue was addressed with improved access restrictions. This ...)
- TODO: check
+ NOT-FOR-US: Apple
CVE-2022-48504 (The issue was addressed with improved handling of caches. This issue i ...)
- TODO: check
+ NOT-FOR-US: Apple
CVE-2022-47965 (The issue was addressed with improved memory handling. This issue is f ...)
- TODO: check
+ NOT-FOR-US: Apple
CVE-2022-47915 (The issue was addressed with improved memory handling. This issue is f ...)
- TODO: check
+ NOT-FOR-US: Apple
CVE-2023-4001 [bypass the GRUB password protection feature]
- grub2 <undetermined>
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2224951
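Review bot: The Apple entries in this hunk are all reduced to a bare `NOT-FOR-US: Apple`, so the caveat in the commit message (some of them might later turn out to affect webkit2gtk) is not recorded anywhere in data/CVE/list. The truncated descriptions that mention use-after-free, type confusion or memory corruption (for example CVE-2023-42870, CVE-2023-41974, CVE-2023-41075, CVE-2023-41060 and CVE-2023-42869) are the ones to re-check against the full advisories. Consider holding those back from the bulk NFU until the affected component is known, or recording the open question where the next editor of the file will see it.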
@@ -537,7 +540,11 @@ CVE-2023-47171 (An information disclosure vulnerability exists in the aVideoEnco
CVE-2023-46712 (A improper access control in Fortinet FortiPortal version 7.0.0 throug ...)
NOT-FOR-US: FortiGuard
CVE-2023-45139 (fontTools is a library for manipulating fonts, written in Python. The ...)
- TODO: check
+ - fonttools 4.46.0-1
+ [bullseye] - fonttools <not-affected> (Vulnerable code not present)
+ [buster] - fonttools <not-affected> (Vulnerable code not present)
+ NOTE: https://github.com/fonttools/fonttools/security/advisories/GHSA-6673-4983-2vx5
+ NOTE: Fixed by: https://github.com/fonttools/fonttools/commit/9f61271dc1ca82ed91f529b130fe5dc5c9bf1f4c (4.43.0)
CVE-2023-44250 (An improper privilege management vulnerability [CWE-269] in a Fortinet ...)
NOT-FOR-US: FortiGuard
CVE-2023-41603 (D-Link R15 before v1.08.02 was discovered to contain no firewall restr ...)
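Review bot: Both `<not-affected> (Vulnerable code not present)` lines for bullseye and buster on CVE-2023-45139 are given without a reference to where the vulnerable code was introduced. The entry already records the fixing commit (4.43.0) and the fixed version 4.46.0-1, so a matching `NOTE: Introduced by:` line with the commit or upstream version would let someone verify the suite annotations without re-reading the advisory.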
@@ -42532,11 +42539,11 @@ CVE-2023-29448
CVE-2023-29447 (An insufficiently protected credentials vulnerability in KEPServerEX c ...)
NOT-FOR-US: KEPServerEX
CVE-2023-29446 (An improper input validation vulnerability has been discovered that co ...)
- TODO: check
+ NOT-FOR-US: PTC
CVE-2023-29445 (An uncontrolled search path element vulnerability (DLL hijacking) has ...)
- TODO: check
+ NOT-FOR-US: PTC
CVE-2023-29444 (An uncontrolled search path element vulnerability (DLL hijacking) has ...)
- TODO: check
+ NOT-FOR-US: PTC
CVE-2023-29443 (Zoho ManageEngine ServiceDesk Plus before 14105, ServiceDesk Plus MSP ...)
NOT-FOR-US: Zoho ManageEngine
CVE-2023-29442 (Zoho ManageEngine Applications Manager before 16400 allows proxy.html ...)
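Review bot: CVE-2023-29446, CVE-2023-29445 and CVE-2023-29444 are labelled `NOT-FOR-US: PTC` while the neighbouring CVE-2023-29447 uses `NOT-FOR-US: KEPServerEX`. If these concern the same product, use one label for all four so that a search for the product finds every entry.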
@@ -47089,7 +47096,7 @@ CVE-2023-28198 (A use-after-free issue was addressed with improved memory manage
[bullseye] - wpewebkit <ignored> (wpewebkit >= 2.40 can no longer be sensibly backported)
NOTE: https://webkitgtk.org/security/WSA-2023-0008.html
CVE-2023-28197 (An access issue was addressed with additional sandbox restrictions. Th ...)
- TODO: check
+ NOT-FOR-US: Apple
CVE-2023-28196
RESERVED
CVE-2023-28195 (A privacy issue was addressed with improved private data redaction for ...)
@@ -47113,7 +47120,7 @@ CVE-2023-28187 (This issue was addressed with improved state management. This is
CVE-2023-28186
RESERVED
CVE-2023-28185 (An integer overflow was addressed through improved input validation. T ...)
- TODO: check
+ NOT-FOR-US: Apple
CVE-2023-28184
RESERVED
CVE-2023-28183
@@ -71311,7 +71318,7 @@ CVE-2022-46723 (This issue was addressed with improved checks. This issue is fix
CVE-2022-46722 (A logic issue was addressed with improved checks. This issue is fixed ...)
NOT-FOR-US: Apple
CVE-2022-46721 (The issue was addressed with improved memory handling. This issue is f ...)
- TODO: check
+ NOT-FOR-US: Apple
CVE-2022-46720 (An integer overflow was addressed with improved input validation. This ...)
NOT-FOR-US: Apple
CVE-2022-46719
@@ -71333,7 +71340,7 @@ CVE-2022-46712 (A use after free issue was addressed with improved memory manage
CVE-2022-46711
RESERVED
CVE-2022-46710 (A logic issue was addressed with improved checks. This issue is fixed ...)
- TODO: check
+ NOT-FOR-US: Apple
CVE-2022-46709 (A memory corruption issue was addressed with improved state management ...)
NOT-FOR-US: Apple
CVE-2022-46708
@@ -74185,9 +74192,9 @@ CVE-2022-45796 (Command injection vulnerability in nw_interface.html in SHARP mu
CVE-2022-45795
RESERVED
CVE-2022-45794 (An attacker with network access to the affected PLC (CJ-series and CS- ...)
- TODO: check
+ NOT-FOR-US: CS/CJ-series Programmable Controllers
CVE-2022-45793 ([PROBLEMTYPE] in [VENDOR] [PRODUCT] [VERSION] on [PLATFORMS] allows [A ...)
- TODO: check
+ NOT-FOR-US: Omron
CVE-2022-45792
RESERVED
CVE-2022-45791
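Review bot: The description of CVE-2022-45793 is an unfilled template (`[PROBLEMTYPE] in [VENDOR] [PRODUCT] ...`), so the `NOT-FOR-US: Omron` attribution cannot be checked from this file. State in the commit message where the vendor was taken from, and align the label with CVE-2022-45794 directly above, which uses the product name `CS/CJ-series Programmable Controllers` rather than a vendor.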
@@ -81045,7 +81052,7 @@ CVE-2023-20575 (A potential power side-channel vulnerability in some AMD process
CVE-2023-20574
RESERVED
CVE-2023-20573 (A privileged attacker can prevent delivery of debug exceptions to SEV- ...)
- TODO: check
+ NOT-FOR-US: AMD
CVE-2023-20572
RESERVED
CVE-2023-20571 (A race condition in System Management Mode (SMM) code may allow an att ...)
@@ -85649,7 +85656,7 @@ CVE-2022-42841 (A type confusion issue was addressed with improved checks. This
CVE-2022-42840 (The issue was addressed with improved memory handling. This issue is f ...)
NOT-FOR-US: Apple
CVE-2022-42839 (This issue was addressed with improved redaction of sensitive informat ...)
- TODO: check
+ NOT-FOR-US: Apple
CVE-2022-42838 (An issue with app access to camera data was addressed with improved lo ...)
NOT-FOR-US: Apple
CVE-2022-42837 (An issue existed in the parsing of URLs. This issue was addressed with ...)
@@ -85704,7 +85711,7 @@ CVE-2022-42818 (This issue was addressed with improved data protection. This iss
CVE-2022-42817 (A logic issue was addressed with improved state management. This issue ...)
NOT-FOR-US: Apple
CVE-2022-42816 (A logic issue was addressed with improved state management. This issue ...)
- TODO: check
+ NOT-FOR-US: Apple
CVE-2022-42815 (This issue was addressed with improved data protection. This issue is ...)
NOT-FOR-US: Apple
CVE-2022-42814 (A logic issue was addressed with improved checks. This issue is fixed ...)
@@ -92200,7 +92207,7 @@ CVE-2022-40363 (A buffer overflow in the component nfc_device_load_mifare_ul_dat
CVE-2022-40362
RESERVED
CVE-2022-40361 (Cross Site Scripting Vulnerability in Elite CRM v1.2.11 allows attacke ...)
- TODO: check
+ NOT-FOR-US: Elite CRM
CVE-2022-40360
RESERVED
CVE-2022-40359 (Cross site scripting (XSS) vulnerability in kfm through 1.4.7 via craf ...)
@@ -112564,7 +112571,7 @@ CVE-2022-32933 [A website may be able to track the websites a user visited in Sa
CVE-2022-32932 (The issue was addressed with improved memory handling. This issue is f ...)
NOT-FOR-US: Apple
CVE-2022-32931 (This issue was addressed with improved data protection. This issue is ...)
- TODO: check
+ NOT-FOR-US: Apple
CVE-2022-32930
REJECTED
CVE-2022-32929 (A permissions issue was addressed with additional restrictions. This i ...)
@@ -233662,7 +233669,7 @@ CVE-2020-26631
CVE-2020-26630 (A Time-Based SQL Injection vulnerability was discovered in Hospital Ma ...)
NOT-FOR-US: Hospital Management System
CVE-2020-26629 (A JQuery Unrestricted Arbitrary File Upload vulnerability was discover ...)
- TODO: check
+ NOT-FOR-US: Hospital Management System
CVE-2020-26628 (A Cross-Site Scripting (XSS) vulnerability was discovered in Hospital ...)
NOT-FOR-US: Hospital Management System
CVE-2020-26627 (A Time-Based SQL Injection vulnerability was discovered in Hospital Ma ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/1dd2cf35f18943171d8aa4c6b8cd537bdd8025c4...2825c35b04e16e70f3b85e5af6970fdb97c061cb