[Git][security-tracker-team/security-tracker][master] 2 commits: Add CVE-2024-28849/node-follow-redirects
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Thu Mar 14 20:30:32 GMT 2024
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
4d5bcc61 by Salvatore Bonaccorso at 2024-03-14T21:30:08+01:00
Add CVE-2024-28849/node-follow-redirects
- - - - -
63435ff9 by Salvatore Bonaccorso at 2024-03-14T21:30:08+01:00
Process some NFUs
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -3,63 +3,66 @@ CVE-2024-2438
CVE-2024-2437
REJECTED
CVE-2024-28849 (follow-redirects is an open source, drop-in replacement for Node's `ht ...)
- TODO: check
+ - node-follow-redirects <unfixed>
+ NOTE: https://github.com/follow-redirects/follow-redirects/security/advisories/GHSA-cxjh-pqwp-8mfp
+ NOTE: https://github.com/psf/requests/issues/1885
+ NOTE: https://github.com/follow-redirects/follow-redirects/commit/c4f847f85176991f95ab9c88af63b1294de8649b (v1.15.6)
CVE-2024-28425 (greykite v1.0.0 was discovered to contain an arbitrary file upload vul ...)
- TODO: check
+ NOT-FOR-US: greykite
CVE-2024-28424 (zenml v0.55.4 was discovered to contain an arbitrary file upload vulne ...)
- TODO: check
+ NOT-FOR-US: zenml
CVE-2024-28423 (Airflow-Diagrams v2.1.0 was discovered to contain an arbitrary file up ...)
- TODO: check
+ NOT-FOR-US: Airflow-Diagrams
CVE-2024-28418 (Webedition CMS 9.2.2.0 has a File upload vulnerability via /webEdition ...)
- TODO: check
+ NOT-FOR-US: Webedition CMS
CVE-2024-28417 (Webedition CMS 9.2.2.0 has a Stored XSS vulnerability via /webEdition/ ...)
- TODO: check
+ NOT-FOR-US: Webedition CMS
CVE-2024-28383 (Tenda AX12 v1.0 v22.03.01.16 was discovered to contain a stack overflo ...)
- TODO: check
+ NOT-FOR-US: Tenda
CVE-2024-28323 (The bwdates-report-result.php file in Phpgurukul User Registration & L ...)
- TODO: check
+ NOT-FOR-US: Phpgurukul User Registration & Login and User Management System
CVE-2024-28181 (turbo_boost-commands is a set of commands to help you build robust rea ...)
- TODO: check
+ NOT-FOR-US: turbo_boost-commands
CVE-2024-27986 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
- TODO: check
+ NOT-FOR-US: WordPress plugin
CVE-2024-27301 (Support App is an opensource application specialized in managing Apple ...)
- TODO: check
+ NOT-FOR-US: Support App
CVE-2024-27266 (IBM Maximo Application Suite 7.6.1.3 is vulnerable to an XML External ...)
- TODO: check
+ NOT-FOR-US: IBM X-Force ID:
CVE-2024-27265 (IBM Integration Bus for z/OS 10.1 through 10.1.0.3 is vulnerable to cr ...)
- TODO: check
+ NOT-FOR-US: IBM X-Force ID:
CVE-2024-25156 (A path traversal vulnerability exists in GoAnywhere MFT prior to 7.4.2 ...)
- TODO: check
+ NOT-FOR-US: GoAnywhere MFT
CVE-2024-25139 (In TP-Link Omada er605 1.0.1 through (v2.6) 2.2.3, a cloud-brd binary ...)
- TODO: check
+ NOT-FOR-US: TP-Link
CVE-2024-24770 (vantage6 is an open source framework built to enable, manage and deplo ...)
- TODO: check
+ NOT-FOR-US: vantage6
CVE-2024-24562 (vantage6-UI is the official user interface for the vantage6 server. In ...)
- TODO: check
+ NOT-FOR-US: vantage6
CVE-2024-23823 (vantage6 is an open source framework built to enable, manage and deplo ...)
- TODO: check
+ NOT-FOR-US: vantage6
CVE-2024-22346 (Db2 for IBM i 7.2, 7.3, 7.4, and 7.5 infrastructure could allow a loca ...)
- TODO: check
+ NOT-FOR-US: IBM X-Force ID:
CVE-2024-1998
REJECTED
CVE-2024-1623 (Insufficient session timeout vulnerability in the FAST3686 V2 Vodafone ...)
- TODO: check
+ NOT-FOR-US: FAST3686 V2 Vodafone router from Sagemcom
CVE-2024-0313 (A malicious insider exploiting this vulnerability can circumvent exist ...)
- TODO: check
+ NOT-FOR-US: Trellix
CVE-2024-0312 (A malicious insider can uninstall Skyhigh Client Proxy without a valid ...)
- TODO: check
+ NOT-FOR-US: Trellix
CVE-2024-0311 (A malicious insider can bypass the existing policy of Skyhigh Client P ...)
- TODO: check
+ NOT-FOR-US: Trellix
CVE-2023-50168 (Pega Platform from 6.x to 8.8.4 is affected by an XXE issue with PDF G ...)
- TODO: check
+ NOT-FOR-US: Pega Platform
CVE-2023-42938 (A logic issue was addressed with improved checks. This issue is fixed ...)
- TODO: check
+ NOT-FOR-US: Apple
CVE-2023-35191 (Uncontrolled resource consumption for some Intel(R) SPS firmware versi ...)
- TODO: check
+ NOT-FOR-US: Intel
CVE-2023-32633 (Improper input validation in the Intel(R) CSME installer software befo ...)
- TODO: check
+ NOT-FOR-US: Intel
CVE-2023-28389 (Incorrect default permissions in some Intel(R) CSME installer software ...)
- TODO: check
+ NOT-FOR-US: Intel
CVE-2024-25395
NOT-FOR-US: RT-Thread
CVE-2024-25394
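Review bot: three NOT-FOR-US annotations in this hunk are incomplete: the lines for CVE-2024-27266, CVE-2024-27265 and CVE-2024-22346 read `NOT-FOR-US: IBM X-Force ID:` with nothing after the final colon, so the identifier the suffix announces is missing; either append the X-Force ID taken from the IBM advisory or shorten these to `NOT-FOR-US: IBM` in line with the other vendor entries in the same hunk. For the new `- node-follow-redirects <unfixed>` line, no severity tag or bug reference accompanies the package state; once a bug is filed against the Debian package, the tracker convention is to add it as `(bug #NNNNNN)` on that line (placeholder number). The three NOTE lines are useful as they stand: the GHSA advisory, the upstream fix commit with its release tag, and the psf/requests issue as the cross-reference for the analogous behaviour in another client library.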
@@ -62397,7 +62400,7 @@ CVE-2023-27879 (Improper access control in firmware for some Intel(R) Optane(TM)
CVE-2023-27519 (Improper input validation in firmware for some Intel(R) Optane(TM) SSD ...)
NOT-FOR-US: Intel
CVE-2023-27502 (Insertion of sensitive information into log file for some Intel(R) Loc ...)
- TODO: check
+ NOT-FOR-US: Intel
CVE-2023-27306 (Improper Initialization in firmware for some Intel(R) Optane(TM) SSD p ...)
NOT-FOR-US: Intel
CVE-2023-27305 (Incorrect default permissions in some Intel(R) Arc(TM) & Iris(R) Xe Gr ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/f6de72b5ec2b6af6c959a91b15f80000685e8eee...63435ff9331cc205449673461c1c1278adf7c865