[Git][security-tracker-team/security-tracker][master] 4 commits: Process some NFUs
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Thu Jun 27 22:03:51 BST 2024
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
772b8540 by Salvatore Bonaccorso at 2024-06-27T23:01:57+02:00
Process some NFUs
- - - - -
5149d46e by Salvatore Bonaccorso at 2024-06-27T23:01:57+02:00
Add CVE-2024-39133/zziplib
- - - - -
bdb63fe8 by Salvatore Bonaccorso at 2024-06-27T23:01:58+02:00
Add CVE-2024-21520/djangorestframework
- - - - -
a9b61a3c by Salvatore Bonaccorso at 2024-06-27T23:01:58+02:00
Add two new wordpress issues
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -55,67 +55,68 @@ CVE-2024-5820 (Missing Authorization in stitionai/devika)
CVE-2024-5755 (In lunary-ai/lunary versions <=v1.2.11, an attacker can bypass email v ...)
NOT-FOR-US: lunary-ai/lunary
CVE-2024-5751 (BerriAI/litellm version v1.35.8 contains a vulnerability where an atta ...)
- TODO: check
+ NOT-FOR-US: BerriAI/litellm
CVE-2024-5714 (In lunary-ai/lunary version 1.2.4, an improper access control vulnerab ...)
- TODO: check
+ NOT-FOR-US: lunary-ai/lunary
CVE-2024-5710 (berriai/litellm version 1.34.34 is vulnerable to improper access contr ...)
- TODO: check
+ NOT-FOR-US: BerriAI/litellm
CVE-2024-5548 (Path Traversal in GitHub repository stitionai/devika prior to -.)
- TODO: check
+ NOT-FOR-US: stitionai/devika
CVE-2024-5547 (Relative Path Traversal in GitHub repository stitionai/devika prior to ...)
- TODO: check
+ NOT-FOR-US: stitionai/devika
CVE-2024-5334 (External Control of File Name or Path in GitHub repository stitionai/d ...)
- TODO: check
+ NOT-FOR-US: stitionai/devika
CVE-2024-4983 (The The Plus Addons for Elementor \u2013 Elementor Addons, Page Templa ...)
- TODO: check
+ NOT-FOR-US: WordPress plugin
CVE-2024-4578 (This Advisory describes an issue that impacts Arista Wireless Access P ...)
- TODO: check
+ NOT-FOR-US: Arista
CVE-2024-3331 (Vulnerability in Spotfire Spotfire Enterprise Runtime for R - Server E ...)
- TODO: check
+ NOT-FOR-US: Spotfire
CVE-2024-3330 (Vulnerability in Spotfire Spotfire Analyst, Spotfire Spotfire Server, ...)
- TODO: check
+ NOT-FOR-US: Spotfire
CVE-2024-3043 (An unauthenticated IEEE 802.15.4 'co-ordinator realignment' packet can ...)
TODO: check
CVE-2024-3017 (In a Silicon Labsmulti-protocol gateway, a corrupt pointer to buffer ...)
TODO: check
CVE-2024-39669 (In the Console in Soffid IAM before 3.5.39, necessary checks were not ...)
- TODO: check
+ NOT-FOR-US: Soffid IAM
CVE-2024-39376 (TELSAT marKoni FM Transmitters are vulnerable to users gaining unautho ...)
- TODO: check
+ NOT-FOR-US: TELSAT marKoni FM Transmitters
CVE-2024-39375 (TELSAT marKoni FM Transmitters are vulnerable to an attacker bypassing ...)
- TODO: check
+ NOT-FOR-US: TELSAT marKoni FM Transmitters
CVE-2024-39374 (TELSAT marKoni FM Transmitters are vulnerable to an attacker exploitin ...)
- TODO: check
+ NOT-FOR-US: TELSAT marKoni FM Transmitters
CVE-2024-39373 (TELSAT marKoni FM Transmitters are vulnerable to a command injection v ...)
- TODO: check
+ NOT-FOR-US: TELSAT marKoni FM Transmitters
CVE-2024-39208 (luci-app-lucky v2.8.3 was discovered to contain hardcoded credentials.)
- TODO: check
+ NOT-FOR-US: luci-app-lucky
CVE-2024-39207 (lua-shmem v1.0-1 was discovered to contain a buffer overflow via the s ...)
TODO: check
CVE-2024-39158 (idccms v1.35 was discovered to contain a Cross-Site Request Forgery (C ...)
- TODO: check
+ NOT-FOR-US: idccms
CVE-2024-39157 (idccms v1.35 was discovered to contain a Cross-Site Request Forgery (C ...)
- TODO: check
+ NOT-FOR-US: idccms
CVE-2024-39156 (idccms v1.35 was discovered to contain a Cross-Site Request Forgery (C ...)
- TODO: check
+ NOT-FOR-US: idccms
CVE-2024-39155 (idccms v1.35 was discovered to contain a Cross-Site Request Forgery (C ...)
- TODO: check
+ NOT-FOR-US: idccms
CVE-2024-39154 (idccms v1.35 was discovered to contain a Cross-Site Request Forgery (C ...)
- TODO: check
+ NOT-FOR-US: idccms
CVE-2024-39153 (idccms v1.35 was discovered to contain a Cross-Site Request Forgery (C ...)
- TODO: check
+ NOT-FOR-US: idccms
CVE-2024-39133 (Heap Buffer Overflow vulnerability in zziplib v0.13.77 allows attacker ...)
- TODO: check
+ - zziplib <unfixed>
+ NOTE: https://github.com/gdraheim/zziplib/issues/164
CVE-2024-39130 (A NULL Pointer Dereference discovered in DumpTS v0.1.0-nightly allows ...)
- TODO: check
+ NOT-FOR-US: DumpTS
CVE-2024-39129 (Heap Buffer Overflow vulnerability in DumpTS v0.1.0-nightly allows att ...)
- TODO: check
+ NOT-FOR-US: DumpTS
CVE-2024-38523 (Hush Line is a free and open-source, anonymous-tip-line-as-a-service f ...)
- TODO: check
+ NOT-FOR-US: Hush Line
CVE-2024-38515
REJECTED
CVE-2024-35260 (Microsoft Dataverse Remote Code Execution Vulnerability)
- TODO: check
+ NOT-FOR-US: Microsoft
CVE-2024-35153 (IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to cross-si ...)
NOT-FOR-US: IBM
CVE-2024-31916 (IBM OpenBMC FW1050.00 through FW1050.10 BMCWeb HTTPS server component ...)
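Review bot: the CVE-2024-39133 entry moves from `TODO: check` to `- zziplib <unfixed>` with only the upstream report https://github.com/gdraheim/zziplib/issues/164 as a NOTE, so the unfixed state carries no Debian bug reference or severity annotation; consider filing a bug and referencing it here, and checking whether upstream has a fix commit to cite next to the issue link so the heap overflow in the packaged version can be tracked to an upload. A smaller style point in the same hunk: the litellm entries are tagged `NOT-FOR-US: BerriAI/litellm` while the CVE descriptions for CVE-2024-5751 and CVE-2024-5710 use `berriai/litellm`; one spelling keeps the entries greppable.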
@@ -123,23 +124,23 @@ CVE-2024-31916 (IBM OpenBMC FW1050.00 through FW1050.10 BMCWeb HTTPS server comp
CVE-2024-31883 (IBM Security Verify Access 10.0.0.0 through 10.0.7.1, under certain co ...)
NOT-FOR-US: IBM
CVE-2024-31802 (DESIGNA ABACUS v.18 and before allows an attacker to bypass the paymen ...)
- TODO: check
+ NOT-FOR-US: DESIGNA ABACUS
CVE-2024-2882 (SDG Technologies PnPSCADA allows a remote attacker to attach various e ...)
- TODO: check
+ NOT-FOR-US: SDG Technologies PnPSCADA
CVE-2024-28820 (Buffer overflow in the extract_openvpn_cr function in openvpn-cr.c in ...)
TODO: check
CVE-2024-24792 (Parsing a corrupt or malicious image with invalid color indices can ca ...)
TODO: check
CVE-2024-1153 (Improper Access Control vulnerability in Talya Informatics Travel APPS ...)
- TODO: check
+ NOT-FOR-US: Talya Informatics Travel APPS
CVE-2024-1107 (Authorization Bypass Through User-Controlled Key vulnerability in Taly ...)
- TODO: check
+ NOT-FOR-US: Talya Informatics Travel APPS
CVE-2024-0949 (Improper Access Control, Missing Authorization, Incorrect Authorizatio ...)
- TODO: check
+ NOT-FOR-US: Elektraweb
CVE-2024-0947 (Reliance on Cookies without Validation and Integrity Checking vulnerab ...)
- TODO: check
+ NOT-FOR-US: Talya Informatics Elektraweb
CVE-2023-7270 (An issue was discovered in SoftMaker Office 2024 / NX before revision ...)
- TODO: check
+ NOT-FOR-US: SoftMaker
CVE-2023-42014 (IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.2.0.2 i ...)
NOT-FOR-US: IBM
CVE-2023-42011 (IBM Sterling B2B Integrator Standard Edition 6.1 and 6.2 does not rest ...)
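Review bot: the Talya Informatics entries in this hunk are tagged three different ways: CVE-2024-1153 and CVE-2024-1107 as `NOT-FOR-US: Talya Informatics Travel APPS`, CVE-2024-0949 as `NOT-FOR-US: Elektraweb`, and CVE-2024-0947 as `NOT-FOR-US: Talya Informatics Elektraweb`. Settling on one vendor/product form for the Elektraweb pair keeps the related CVEs together in searches. Also visible in the unchanged context: CVE-2024-28820 (buffer overflow in `extract_openvpn_cr` in openvpn-cr.c) and CVE-2024-24792 (corrupt image with invalid color indices) stay `TODO: check` and are not resolved by this commit, so they need a follow-up decision on whether they affect packaged software.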
@@ -429,7 +430,9 @@ CVE-2024-21740 (Artery AT32F415CBT7 and AT32F421C8T7 devices have Incorrect Acce
CVE-2024-21739 (Geehy APM32F103CCT6, APM32F103RCT6, APM32F103RCT7, and APM32F103VCT6 d ...)
NOT-FOR-US: Geehy
CVE-2024-21520 (Versions of the package djangorestframework before 3.15.2 are vulnerab ...)
- TODO: check
+ - djangorestframework <unfixed>
+ NOTE: https://github.com/encode/django-rest-framework/pull/9435
+ NOTE: https://github.com/encode/django-rest-framework/commit/3b41f0124194430da957b119712978fa2266b642 (3.15.2)
CVE-2024-6308 (A vulnerability was found in itsourcecode Simple Online Hotel Reservat ...)
NOT-FOR-US: itsourcecode Simple Online Hotel Reservation System
CVE-2024-6307 (WordPress Core is vulnerable to Stored Cross-Site Scripting via the HT ...)
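Review bot: the CVE-2024-21520 entry records the upstream fix as PR https://github.com/encode/django-rest-framework/pull/9435 and commit 3b41f0124194430da957b119712978fa2266b642 annotated `(3.15.2)`, yet `- djangorestframework <unfixed>` carries no Debian bug reference or severity. Since the fixed upstream version is already known, file a bug and add the `(bug #NNNN)` annotation so the fix can be tracked to an upload rather than sitting as a bare unfixed line.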
@@ -537,9 +540,11 @@ CVE-2024-34142 (Adobe Experience Manager versions 6.5.20 and earlier are affecte
CVE-2024-34141 (Adobe Experience Manager versions 6.5.20 and earlier are affected by a ...)
NOT-FOR-US: Adobe
CVE-2024-32111 (Improper Limitation of a Pathname to a Restricted Directory ('Path Tra ...)
- TODO: check
+ - wordpress <unfixed>
+ NOTE: https://wordpress.org/news/2024/06/wordpress-6-5-5/
CVE-2024-31111 (Improper Neutralization of Input During Web Page Generation (XSS or 'C ...)
- TODO: check
+ - wordpress <unfixed>
+ NOTE: https://wordpress.org/news/2024/06/wordpress-6-5-5/
CVE-2024-28832 (Stored XSS in the Crash Report page in Checkmk before versions 2.3.0p7 ...)
- check-mk <removed>
CVE-2024-28831 (Stored XSS in some confirmation pop-ups in Checkmk before versions 2.3 ...)
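Review bot: both WordPress entries (CVE-2024-32111 and CVE-2024-31111) cite the same release announcement https://wordpress.org/news/2024/06/wordpress-6-5-5/ but, unlike the djangorestframework entry in this same commit, do not annotate the fixed upstream version next to the NOTE. Adding `(6.5.5)` to the NOTE, or pointing at the specific changesets behind the release, makes the `- wordpress <unfixed>` lines actionable for whoever prepares the update.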
@@ -785,7 +790,7 @@ CVE-2024-22385 (Incorrect Default Permissions vulnerability in Hitachi Storage P
CVE-2024-22168 (A Cross-Site Scripting (XSS) vulnerability on the My Cloud, My Cloud H ...)
TODO: check
CVE-2023-6198 (Use of Hard-coded Credentials vulnerability in Baicells Snap Router Ba ...)
- TODO: check
+ NOT-FOR-US: Baicells Snap Router BaiCE_BMI on EP3011
CVE-2023-5038 (badmonkey, a Security Researcher has found a flaw that allows for a un ...)
TODO: check
CVE-2023-50029 (PHP Injection vulnerability in the module "M4 PDF Extensions" (m4pdf) ...)
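Review bot: `NOT-FOR-US: Baicells Snap Router BaiCE_BMI on EP3011` copies the full product and firmware designation out of the CVE description, whereas the rest of this commit tags vendors tersely (`NOT-FOR-US: Arista`, `NOT-FOR-US: Spotfire`, `NOT-FOR-US: Microsoft`); `NOT-FOR-US: Baicells` would match that style. The surrounding context also shows CVE-2024-22168 and CVE-2023-5038 still at `TODO: check`.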
@@ -835,7 +840,7 @@ CVE-2024-4754 (Improper Neutralization of Input During Web Page Generation ('Cro
CVE-2024-4748 (The CRUDDIY project is vulnerable to shell command injection via sendi ...)
NOT-FOR-US: CRUDDIY project
CVE-2024-3264 (Use of a Broken or Risky Cryptographic Algorithm vulnerability in Mia ...)
- TODO: check
+ NOT-FOR-US: Mia Technology Inc. Mia-Med Health Aplication
CVE-2024-38373 (FreeRTOS-Plus-TCP is a lightweight TCP/IP stack for FreeRTOS. FreeRTOS ...)
NOT-FOR-US: FreeRTOS-Plus-TCP
CVE-2024-38369 (XWiki Platform is a generic wiki platform offering runtime services fo ...)
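Review bot: `NOT-FOR-US: Mia Technology Inc. Mia-Med Health Aplication` carries the misspelling `Aplication` from the CVE text into the tracker, which will defeat a later search for the product name; either shorten the tag to the vendor (`NOT-FOR-US: Mia Technology`) as done for the other vendor entries in this commit, or correct the spelling.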
@@ -101182,7 +101187,7 @@ CVE-2023-26879
CVE-2023-26878
RESERVED
CVE-2023-26877 (File upload vulnerability found in Softexpert Excellence Suite v.2.1 a ...)
- TODO: check
+ NOT-FOR-US: Softexpert Excellence Suite
CVE-2023-26876 (SQL injection vulnerability found in Piwigo v.13.5.0 and before allows ...)
- piwigo <removed>
CVE-2023-26875
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/7c515ba984bccdaa90196d5b5100214454f77d25...a9b61a3c037202aa9bcb5b7b5302929f1aba29ff