[Git][security-tracker-team/security-tracker][master] automatic update

Salvatore Bonaccorso (@carnil) carnil at debian.org
Thu Mar 14 20:12:50 GMT 2024



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
0dcb2655 by security tracker role at 2024-03-14T20:12:38+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,3 +1,65 @@
+CVE-2024-2438
+	REJECTED
+CVE-2024-2437
+	REJECTED
+CVE-2024-28849 (follow-redirects is an open source, drop-in replacement for Node's `ht ...)
+	TODO: check
+CVE-2024-28425 (greykite v1.0.0 was discovered to contain an arbitrary file upload vul ...)
+	TODO: check
+CVE-2024-28424 (zenml v0.55.4 was discovered to contain an arbitrary file upload vulne ...)
+	TODO: check
+CVE-2024-28423 (Airflow-Diagrams v2.1.0 was discovered to contain an arbitrary file up ...)
+	TODO: check
+CVE-2024-28418 (Webedition CMS 9.2.2.0 has a File upload vulnerability via /webEdition ...)
+	TODO: check
+CVE-2024-28417 (Webedition CMS 9.2.2.0 has a Stored XSS vulnerability via /webEdition/ ...)
+	TODO: check
+CVE-2024-28383 (Tenda AX12 v1.0 v22.03.01.16 was discovered to contain a stack overflo ...)
+	TODO: check
+CVE-2024-28323 (The bwdates-report-result.php file in Phpgurukul User Registration & L ...)
+	TODO: check
+CVE-2024-28181 (turbo_boost-commands is a set of commands to help you build robust rea ...)
+	TODO: check
+CVE-2024-27986 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
+	TODO: check
+CVE-2024-27301 (Support App is an opensource application specialized in managing Apple ...)
+	TODO: check
+CVE-2024-27266 (IBM Maximo Application Suite 7.6.1.3 is vulnerable to an XML External  ...)
+	TODO: check
+CVE-2024-27265 (IBM Integration Bus for z/OS 10.1 through 10.1.0.3 is vulnerable to cr ...)
+	TODO: check
+CVE-2024-25156 (A path traversal vulnerability exists in GoAnywhere MFT prior to 7.4.2 ...)
+	TODO: check
+CVE-2024-25139 (In TP-Link Omada er605 1.0.1 through (v2.6) 2.2.3, a cloud-brd binary  ...)
+	TODO: check
+CVE-2024-24770 (vantage6 is an open source framework built to enable, manage and deplo ...)
+	TODO: check
+CVE-2024-24562 (vantage6-UI is the official user interface for the vantage6 server. In ...)
+	TODO: check
+CVE-2024-23823 (vantage6 is an open source framework built to enable, manage and deplo ...)
+	TODO: check
+CVE-2024-22346 (Db2 for IBM i 7.2, 7.3, 7.4, and 7.5 infrastructure could allow a loca ...)
+	TODO: check
+CVE-2024-1998
+	REJECTED
+CVE-2024-1623 (Insufficient session timeout vulnerability in the FAST3686 V2 Vodafone ...)
+	TODO: check
+CVE-2024-0313 (A malicious insider exploiting this vulnerability can circumvent exist ...)
+	TODO: check
+CVE-2024-0312 (A malicious insider can uninstall Skyhigh Client Proxy without a valid ...)
+	TODO: check
+CVE-2024-0311 (A malicious insider can bypass the existing policy of Skyhigh Client P ...)
+	TODO: check
+CVE-2023-50168 (Pega Platform from 6.x to 8.8.4 is affected by an XXE issue with PDF G ...)
+	TODO: check
+CVE-2023-42938 (A logic issue was addressed with improved checks. This issue is fixed  ...)
+	TODO: check
+CVE-2023-35191 (Uncontrolled resource consumption for some Intel(R) SPS firmware versi ...)
+	TODO: check
+CVE-2023-32633 (Improper input validation in the Intel(R) CSME installer software befo ...)
+	TODO: check
+CVE-2023-28389 (Incorrect default permissions in some Intel(R) CSME installer software ...)
+	TODO: check
 CVE-2024-25395
 	NOT-FOR-US: RT-Thread
 CVE-2024-25394
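Review bot: three of the new `TODO: check` entries in this hunk (CVE-2023-35191 for Intel(R) SPS firmware, CVE-2023-32633 and CVE-2023-28389 for the Intel(R) CSME installer) match the pattern of the other Intel firmware and installer entries touched later in this same patch, which are all tagged `NOT-FOR-US: Intel`; they could be triaged the same way in this pass instead of being left in the TODO queue. The remaining entries are bulk imports with truncated descriptions and need the usual manual check, with the three bare `REJECTED` IDs (CVE-2024-2438, CVE-2024-2437, CVE-2024-1998) needing none.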
@@ -18,7 +80,7 @@ CVE-2024-24335
 	NOT-FOR-US: RT-Thread
 CVE-2024-24334
 	NOT-FOR-US: RT-Thread
-CVE-2024-28746
+CVE-2024-28746 (Apache Airflow, versions 2.8.0 through 2.8.2, has a vulnerability that ...)
 	- airflow <itp> (bug #819700)
 CVE-2024-2242 (The Contact Form 7 plugin for WordPress is vulnerable to Reflected Cro ...)
 	NOT-FOR-US: WordPress plugin
@@ -120,7 +182,7 @@ CVE-2024-2286 (The Sky Addons for Elementor (Free Templates Library, Live Copy,
 	NOT-FOR-US: WordPress plugin
 CVE-2024-2252 (The Droit Elementor Addons \u2013 Widgets, Blocks, Templates Library F ...)
 	NOT-FOR-US: WordPress plugin
-CVE-2024-2247 (JFrog Artifactory versions below 7.77.7, are vulnerable to DOM-based c ...)
+CVE-2024-2247 (JFrog Artifactory versions below 7.77.7, 7.82.1, are vulnerable to DOM ...)
 	NOT-FOR-US: JFrog Artifactory
 CVE-2024-2239 (The Premium Addons PRO plugin for WordPress is vulnerable to Stored Cr ...)
 	NOT-FOR-US: WordPress plugin
@@ -862,31 +924,31 @@ CVE-2024-2182 (A flaw was found in the Open Virtual Network (OVN). In OVN cluste
 	[bookworm] - ovn <no-dsa> (Minor issue)
 	NOTE: https://bugs.launchpad.net/bugs/2053113
 	NOTE: https://mail.openvswitch.org/pipermail/ovs-announce/2024-March/000346.html
-CVE-2023-43490
+CVE-2023-43490 (Incorrect calculation in microcode keying mechanism for some Intel(R)  ...)
 	- intel-microcode 3.20240312.1 (bug #1066108)
 	[bookworm] - intel-microcode <postponed> (Decide after exposure on unstable for update)
 	[bullseye] - intel-microcode <postponed> (Decide after exposure on unstable for update)
 	NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01045.html
 	NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240312
-CVE-2023-39368
+CVE-2023-39368 (Protection mechanism failure of bus lock regulator for some Intel(R) P ...)
 	- intel-microcode 3.20240312.1 (bug #1066108)
 	[bookworm] - intel-microcode <postponed> (Decide after exposure on unstable for update)
 	[bullseye] - intel-microcode <postponed> (Decide after exposure on unstable for update)
 	NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00972.html
 	NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240312
-CVE-2023-38575
+CVE-2023-38575 (Non-transparent sharing of return predictor targets between contexts i ...)
 	- intel-microcode 3.20240312.1 (bug #1066108)
 	[bookworm] - intel-microcode <postponed> (Decide after exposure on unstable for update)
 	[bullseye] - intel-microcode <postponed> (Decide after exposure on unstable for update)
 	NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00982.html
 	NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240312
-CVE-2023-22655
+CVE-2023-22655 (Protection mechanism failure in some 3rd and 4th Generation Intel(R) X ...)
 	- intel-microcode 3.20240312.1 (bug #1066108)
 	[bookworm] - intel-microcode <postponed> (Decide after exposure on unstable for update)
 	[bullseye] - intel-microcode <postponed> (Decide after exposure on unstable for update)
 	NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00960.html
 	NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240312
-CVE-2023-28746 [RFDS: Register File Data Sampling]
+CVE-2023-28746 (Information exposure through microarchitectural state after transient  ...)
 	- intel-microcode 3.20240312.1 (bug #1066108)
 	[bookworm] - intel-microcode <postponed> (Decide after exposure on unstable for update)
 	[bullseye] - intel-microcode <postponed> (Decide after exposure on unstable for update)
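Review bot: the rewrite of the CVE-2023-28746 line drops the bracketed short name `RFDS: Register File Data Sampling` in favour of the truncated MITRE description, which does not mention RFDS at all, so the entry is no longer findable by the name the advisory and the microcode release use. Consider keeping the name in a `NOTE:` line alongside the existing intel-sa and GitHub release references, e.g. `NOTE: RFDS / Register File Data Sampling`, so the five intel-microcode entries in this hunk stay distinguishable once the descriptions are all cut to the same width.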
@@ -7550,7 +7612,7 @@ CVE-2023-32642 (Insufficient adherence to expected conventions for some Intel(R)
 	NOTE: Fixed upstream in linux-firmware/20231211
 CVE-2023-32618 (Uncontrolled search path in some Intel(R) oneAPI Toolkit and component ...)
 	NOT-FOR-US: Intel
-CVE-2023-32282
+CVE-2023-32282 (Race condition in BIOS firmware for some Intel(R) Processors may allow ...)
 	NOT-FOR-US: Intel
 CVE-2023-32280 (Insufficiently protected credentials in some Intel(R) Server Product O ...)
 	NOT-FOR-US: Intel
@@ -8662,6 +8724,7 @@ CVE-2023-4639 [Cookie Smuggling/Spoofing]
 	- undertow <unfixed> (bug #1063539)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2166022
 CVE-2023-3966 (A flaw was found in Open vSwitch where multiple versions are vulnerabl ...)
+	{DSA-5640-1}
 	- openvswitch 3.3.0-1 (bug #1063492)
 	[buster] - openvswitch <not-affected> (Vulnerable feature introduced later)
 	NOTE: https://www.openwall.com/lists/oss-security/2024/02/08/3
@@ -24971,7 +25034,7 @@ CVE-2023-33304 (A use of hard-coded credentials vulnerability in Fortinet FortiC
 	NOT-FOR-US: FortiGuard
 CVE-2023-32701 (Improper Input Validation in the Networking Stack of QNX SDP version(s ...)
 	NOT-FOR-US: QNX SDP
-CVE-2023-32666
+CVE-2023-32666 (On-chip debug and test interface with improper access control in some  ...)
 	NOT-FOR-US: Intel
 CVE-2023-32662 (Improper authorization in some Intel Battery Life Diagnostic Tool inst ...)
 	NOT-FOR-US: Intel
@@ -32077,7 +32140,7 @@ CVE-2023-33269 (An issue was discovered in DTS Monitoring 3.57.0. The parameter
 CVE-2023-33268 (An issue was discovered in DTS Monitoring 3.57.0. The parameter port w ...)
 	NOT-FOR-US: DTS Monitoring
 CVE-2023-5366 (A flaw was found in Open vSwitch that allows ICMPv6 Neighbor Advertise ...)
-	{DLA-3734-1}
+	{DSA-5640-1 DLA-3734-1}
 	- openvswitch 3.1.2-1
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2006347
 	NOTE: https://github.com/openvswitch/ovs/commit/694c7b4e097c4d89e23ea9b3c7b677b4fcbe0459 (v3.1.2)
@@ -62333,8 +62396,8 @@ CVE-2023-27879 (Improper access control in firmware for some Intel(R) Optane(TM)
 	NOT-FOR-US: Intel
 CVE-2023-27519 (Improper input validation in firmware for some Intel(R) Optane(TM) SSD ...)
 	NOT-FOR-US: Intel
-CVE-2023-27502
-	RESERVED
+CVE-2023-27502 (Insertion of sensitive information into log file for some Intel(R) Loc ...)
+	TODO: check
 CVE-2023-27306 (Improper Initialization in firmware for some Intel(R) Optane(TM) SSD p ...)
 	NOT-FOR-US: Intel
 CVE-2023-27305 (Incorrect default permissions in some Intel(R) Arc(TM) & Iris(R) Xe Gr ...)
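Review bot: CVE-2023-27502 moves from `RESERVED` to `TODO: check`, but it sits between CVE-2023-27519 and CVE-2023-27306, which are already triaged as `NOT-FOR-US: Intel`, and its new description names Intel software as well. If it belongs to the same Intel product class as its neighbours, tagging it `NOT-FOR-US: Intel` here avoids a TODO that will otherwise be resolved the same way later.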
@@ -68308,6 +68371,7 @@ CVE-2023-0844 (The Namaste! LMS WordPress plugin before 2.6 does not sanitize an
 CVE-2023-0843
 	RESERVED
 CVE-2023-0842 (xml2js version 0.4.23 allows an external attacker to edit or add new p ...)
+	{DLA-3760-1}
 	- node-xml2js 0.4.23+~cs15.4.0+dfsg-7 (bug #1034148)
 	[bullseye] - node-xml2js 0.2.8-1.1+deb11u1
 	NOTE: https://fluidattacks.com/advisories/myers/
@@ -94332,7 +94396,7 @@ CVE-2022-44119
 	RESERVED
 CVE-2022-44118 (dedecmdv6 v6.1.9 is vulnerable to Remote Code Execution (RCE) via file ...)
 	NOT-FOR-US: dedecmdv6
-CVE-2022-44117 (Boa 0.94.14rc21 is vulnerable to SQL Injection via username.)
+CVE-2022-44117 (Boa 0.94.14rc21 is vulnerable to SQL Injection via username. NOTE: the ...)
 	- boa <removed>
 CVE-2022-44116
 	RESERVED
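Review bot: the updated description for CVE-2022-44117 ends at `NOTE: the ...`, so whatever MITRE appended after the original SQL injection text is cut off by the description truncation and is not visible in the tracker. Since boa is `<removed>`, nobody will revisit this entry on the package side; it is worth reading the full MITRE text once and recording the gist in a `NOTE:` line, as the other entries in this file do.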
@@ -116385,7 +116449,7 @@ CVE-2022-36783 (AlgoSec \u2013 FireFlow Reflected Cross-Site-Scripting (RXSS) A
 	NOT-FOR-US: AlgoSec
 CVE-2022-36782 (Pal Electronics Systems - Pal Gate Authorization Errors. The vulnerabi ...)
 	NOT-FOR-US: Pal Electronics Systems
-CVE-2022-36781 (WiseConnect - ScreenConnect Session Code Bypass. An attacker would hav ...)
+CVE-2022-36781 (ConnectWise ScreenConnect versions 22.6 and below contained a flaw all ...)
 	NOT-FOR-US: WiseConnect
 CVE-2022-36780 (Avdor CIS - crystal quality Credentials Management Errors. The product ...)
 	NOT-FOR-US: Avdor CIS
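Review bot: the new description for CVE-2022-36781 names the product as `ConnectWise ScreenConnect versions 22.6 and below`, but the unchanged triage line still reads `NOT-FOR-US: WiseConnect`, so the vendor name in the tag now contradicts the description. Update it to `NOT-FOR-US: ConnectWise ScreenConnect` so the entry is consistent with the corrected upstream text.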



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0dcb2655454d7c397df7fbea98c5264d66f921f4
