[Git][security-tracker-team/security-tracker][master] NFUS
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Thu May 9 12:28:55 BST 2024
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
41e49df1 by Moritz Muehlenhoff at 2024-05-09T13:26:56+02:00
NFUS
also track xpdf issues as NFU, poppler forked from xpdf almost 20 years ago
and is regularly fuzzed by oss-fuzz, no real point to assume that new xpdf
issues still affect it and if no PoC is available we can't reliably track
this down anyway and these end up causing spam
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -29,7 +29,7 @@ CVE-2024-2454 (An issue has been discovered in GitLab CE/EE affecting all versio
CVE-2024-28759 (A crafted network packet may cause a buffer overrun in Wind River VxWo ...)
NOT-FOR-US: Wind River
CVE-2024-27793 (The issue was addressed with improved checks. This issue is fixed in i ...)
- TODO: check
+ NOT-FOR-US: Apple
CVE-2024-26517 (SQL Injection vulnerability in School Task Manager v.1.0 allows a remo ...)
NOT-FOR-US: School Task Manager
CVE-2023-6688 (An issue has been discovered in GitLab CE/EE affecting all versions st ...)
@@ -37,7 +37,7 @@ CVE-2023-6688 (An issue has been discovered in GitLab CE/EE affecting all versio
CVE-2023-6682 (An issue has been discovered in GitLab CE/EE affecting all versions st ...)
- gitlab <unfixed>
CVE-2023-5971 (The Save as PDF Plugin by Pdfcrowd WordPress plugin before 3.2.0 does ...)
- TODO: check
+ NOT-FOR-US: WordPress plugin
CVE-2024-29510
- ghostscript <unfixed>
NOTE: https://ghostscript.readthedocs.io/en/gs10.03.1/News.html
@@ -529,7 +529,7 @@ CVE-2024-29150 (An issue was discovered in Alcatel-Lucent ALE NOE deskphones thr
CVE-2024-29149 (An issue was discovered in Alcatel-Lucent ALE NOE deskphones through 8 ...)
NOT-FOR-US: Alcatel-Lucent ALE NOE deskphones
CVE-2024-28148 (An authenticated user could potentially access metadata for a datasour ...)
- TODO: check
+ NOT-FOR-US: Apache Superset
CVE-2024-25514 (RuvarOA v6.01 and v12.01 were discovered to contain a SQL injection vu ...)
NOT-FOR-US: RuvarOA
CVE-2024-25513 (RuvarOA v6.01 and v12.01 were discovered to contain a SQL injection vu ...)
@@ -547,13 +547,13 @@ CVE-2024-25508 (RuvarOA v6.01 and v12.01 were discovered to contain a SQL inject
CVE-2024-25507 (RuvarOA v6.01 and v12.01 were discovered to contain a SQL injection vu ...)
NOT-FOR-US: RuvarOA
CVE-2023-7240 (An improper authorization level has been detected in the login panel. ...)
- TODO: check
+ NOT-FOR-US: NetIQ Identity Console
CVE-2023-6810 (The ClickCease Click Fraud Protection plugin for WordPress is vulnerab ...)
- TODO: check
+ NOT-FOR-US: WordPress plugin
CVE-2023-46012 (Buffer Overflow vulnerability LINKSYS EA7500 3.0.1.207964 allows a rem ...)
- TODO: check
+ NOT-FOR-US: LINKSYS
CVE-2023-42757 (Process Explorer before 17.04 allows attackers to make it functionally ...)
- TODO: check
+ NOT-FOR-US: Buffer Overflow
CVE-2024-4559 (Heap buffer overflow in WebAudio in Google Chrome prior to 124.0.6367. ...)
{DSA-5683-1}
- chromium 124.0.6367.155-1
@@ -647,7 +647,7 @@ CVE-2024-1695 (A potential security vulnerability has been identified in the HP
CVE-2023-33548 (Cross Site Scripting (XSS) vulnerability in ASUS RT-AC51U with firmwar ...)
NOT-FOR-US: ASUS
CVE-2024-4568 (In Xpdf 4.05 (and earlier), a PDF object loop in the PDF resources lea ...)
- TODO: check
+ NOT-FOR-US: xpdf (Debian uses poppler, which forked a long time ago)
CVE-2024-4549 (A denial of service vulnerability exists in Delta Electronics DIAEnerg ...)
NOT-FOR-US: Delta Electronics
CVE-2024-4548 (An SQLi vulnerability exists inDelta Electronics DIAEnergie v1.10.1.86 ...)
@@ -731,7 +731,7 @@ CVE-2024-34524 (In XLANG OpenAgents through fe73ac4, the allowed_file protection
CVE-2024-34519 (Avantra Server 24.x before 24.0.7 and 24.1.x before 24.1.1 mishandles ...)
NOT-FOR-US: Avantra Server
CVE-2024-34515 (image-optimizer before 1.7.3 allows PHAR deserialization, e.g., the ph ...)
- TODO: check
+ NOT-FOR-US: PHP image-optimizer
CVE-2024-34472 (An issue was discovered in HSC Mailinspector 5.2.17-3 through v.5.2.18 ...)
NOT-FOR-US: HSC Mailinspector
CVE-2024-34471 (An issue was discovered in HSC Mailinspector 5.2.17-3. A Path Traversa ...)
@@ -868,7 +868,7 @@ CVE-2024-33121 (Roothub v2.6 was discovered to contain a SQL injection vulnerabi
CVE-2024-33118 (LuckyFrameWeb v3.5.2 was discovered to contain an arbitrary read vulne ...)
NOT-FOR-US: LuckyFrameWeb
CVE-2024-33117 (crmeb_java v1.3.4 was discovered to contain a Server-Side Request Forg ...)
- TODO: check
+ NOT-FOR-US: crmeb_java
CVE-2024-33113 (D-LINK DIR-845L <=v1.01KRb03 is vulnerable to Information disclosurey ...)
NOT-FOR-US: D-LINK
CVE-2024-33112 (D-Link DIR-845L router v1.01KRb03 and before is vulnerable to Command ...)
@@ -878,7 +878,7 @@ CVE-2024-33111 (D-Link DIR-845L router <=v1.01KRb03 is vulnerable to Cross Site
CVE-2024-33110 (D-Link DIR-845L router v1.01KRb03 and before is vulnerable to Permissi ...)
NOT-FOR-US: D-LINK
CVE-2024-32982 (Litestar and Starlite is an Asynchronous Server Gateway Interface (ASG ...)
- TODO: check
+ NOT-FOR-US: litestar
CVE-2024-32972 (go-ethereum (geth) is a golang execution layer implementation of the E ...)
- golang-github-go-ethereum <itp> (bug #890541)
CVE-2024-32807 (Improper Limitation of a Pathname to a Restricted Directory ('Path Tra ...)
@@ -888,51 +888,51 @@ CVE-2024-2041
CVE-2024-26312 (Archer Platform 6 before 2024.03 contains a sensitive information disc ...)
NOT-FOR-US: Archer Platform
CVE-2024-23354 (Memory corruption when the IOCTL call is interrupted by a signal.)
- TODO: check
+ NOT-FOR-US: Qualcomm
CVE-2024-23351 (Memory corruption as GPU registers beyond the last protected range can ...)
- TODO: check
+ NOT-FOR-US: Qualcomm
CVE-2024-23193 (E-Mails exported as PDF were stored in a cache that did not consider s ...)
- TODO: check
+ NOT-FOR-US: Open-Xchange
CVE-2024-23188 (Maliciously crafted E-Mail attachment names could be used to temporari ...)
- TODO: check
+ NOT-FOR-US: Open-Xchange
CVE-2024-23187 (Content-ID based embedding of resources in E-Mails could be abused to ...)
- TODO: check
+ NOT-FOR-US: Open-Xchange
CVE-2024-23186 (E-Mail containing malicious display-name information could trigger cli ...)
- TODO: check
+ NOT-FOR-US: Open-Xchange
CVE-2024-21480 (Memory corruption while playing audio file having large-sized input bu ...)
- TODO: check
+ NOT-FOR-US: Qualcomm
CVE-2024-21477 (Transient DOS while parsing a protected 802.11az Fine Time Measurement ...)
- TODO: check
+ NOT-FOR-US: Qualcomm
CVE-2024-21476 (Memory corruption when the channel ID passed by user is not validated ...)
- TODO: check
+ NOT-FOR-US: Qualcomm
CVE-2024-21475 (Memory corruption when the payload received from firmware is not as pe ...)
- TODO: check
+ NOT-FOR-US: Qualcomm
CVE-2024-21474 (Memory corruption when size of buffer from previous call is used witho ...)
- TODO: check
+ NOT-FOR-US: Qualcomm
CVE-2024-21471 (Memory corruption when IOMMU unmap of a GPU buffer fails in Linux.)
- TODO: check
+ NOT-FOR-US: Qualcomm
CVE-2024-20064 (In wlan service, there is a possible out of bounds write due to improp ...)
- TODO: check
+ NOT-FOR-US: MediaTek
CVE-2024-20060 (In da, there is a possible escalation of privilege due to an incorrect ...)
- TODO: check
+ NOT-FOR-US: MediaTek
CVE-2024-20059 (In da, there is a possible escalation of privilege due to an incorrect ...)
- TODO: check
+ NOT-FOR-US: MediaTek
CVE-2024-20058 (In keyInstall, there is a possible out of bounds read due to a missing ...)
- TODO: check
+ NOT-FOR-US: MediaTek
CVE-2024-20057 (In keyInstall, there is a possible out of bounds write due to a missin ...)
- TODO: check
+ NOT-FOR-US: MediaTek
CVE-2024-20056 (In preloader, there is a possible escalation of privilege due to an in ...)
- TODO: check
+ NOT-FOR-US: MediaTek
CVE-2024-20021 (In atf spm, there is a possible way to remap physical memory to virtua ...)
- TODO: check
+ NOT-FOR-US: MediaTek
CVE-2024-0904 (The Fancy Product Designer WordPress plugin before 6.1.81 does not san ...)
- TODO: check
+ NOT-FOR-US: WordPress plugin
CVE-2023-6854 (The Breakdance plugin for WordPress is vulnerable to Stored Cross-Site ...)
- TODO: check
+ NOT-FOR-US: WordPress plugin
CVE-2023-49676 (An unauthenticated local attacker may trick a user to open corrupted p ...)
- TODO: check
+ NOT-FOR-US: CODESYS
CVE-2023-49675 (An unauthenticated local attacker may trick a user to open corrupted p ...)
- TODO: check
+ NOT-FOR-US: CODESYS
CVE-2023-43531 (Memory corruption while verifying the serialized header when the key p ...)
TODO: check
CVE-2023-43530 (Memory corruption in HLOS while checking for the storage type.)
@@ -5506,8 +5506,7 @@ CVE-2024-4058 (Type confusion in ANGLE in Google Chrome prior to 124.0.6367.78 a
[bullseye] - chromium <end-of-life> (see #1061268)
[buster] - chromium <end-of-life> (see DSA 5046)
CVE-2024-4141 (Out-of-bounds array write in Xpdf 4.05 and earlier, triggered by an in ...)
- - poppler <undetermined>
- NOTE: Might possibly affect poppler, xpdf in Debian uses it
+ NOT-FOR-US: xpdf (Debian uses poppler, which forked a long time ago)
CVE-2024-4127 (A vulnerability was found in Tenda W15E 15.11.0.14. It has been classi ...)
NOT-FOR-US: Tenda
CVE-2024-4126 (A vulnerability was found in Tenda W15E 15.11.0.14 and classified as c ...)
@@ -6806,8 +6805,7 @@ CVE-2024-3906 (A vulnerability was found in Tenda AC500 2.0.1.9(1307). It has be
CVE-2024-3905 (A vulnerability was found in Tenda AC500 2.0.1.9(1307). It has been cl ...)
NOT-FOR-US: Tenda
CVE-2024-3900 (Out-of-bounds array write in Xpdf 4.05 and earlier, triggered by long ...)
- - poppler <undetermined>
- NOTE: Might possibly affect poppler, pdf in Debian uses it
+ NOT-FOR-US: xpdf (Debian uses poppler, which forked a long time ago)
CVE-2024-3825 (Versions of the BlazeMeter Jenkins plugin prior to 4.22 contain a flaw ...)
NOT-FOR-US: Jenkins plugin
CVE-2024-3817 (HashiCorp\u2019s go-getter library is vulnerable to argument injection ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/41e49df1c704238ba743f7d0d7e5063b67b20c01
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/41e49df1c704238ba743f7d0d7e5063b67b20c01
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20240509/1e30ed83/attachment-0001.htm>
More information about the debian-security-tracker-commits
mailing list