[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Thu Nov 14 20:12:57 GMT 2024
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
38e980d2 by security tracker role at 2024-11-14T20:12:50+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,22 +1,208 @@
-CVE-2024-10979
+CVE-2024-9693 (An issue was discovered in GitLab CE/EE affecting all versions startin ...)
+ TODO: check
+CVE-2024-9633 (An issue has been discovered in GitLab CE/EE affecting all versions st ...)
+ TODO: check
+CVE-2024-9472 (A null pointer dereference in Palo Alto Networks PAN-OS software on PA ...)
+ TODO: check
+CVE-2024-8648 (An issue has been discovered in GitLab CE/EE affecting all versions fr ...)
+ TODO: check
+CVE-2024-8180 (An issue has been discovered in GitLab CE/EE affecting all versions fr ...)
+ TODO: check
+CVE-2024-7787 (Improper Neutralization of Input During Web Page Generation (XSS or 'C ...)
+ TODO: check
+CVE-2024-7404 (An issue was discovered in GitLab CE/EE affecting all versions startin ...)
+ TODO: check
+CVE-2024-7124 (Improper Neutralization of Input During Web Page Generation vulnerabil ...)
+ TODO: check
+CVE-2024-6068 (A memory corruption vulnerability exists in the affected products when ...)
+ TODO: check
+CVE-2024-5920 (A cross-site scripting (XSS) vulnerability in Palo Alto Networks PAN-O ...)
+ TODO: check
+CVE-2024-5919 (A blind XML External Entities (XXE) injection vulnerability in the Pal ...)
+ TODO: check
+CVE-2024-5918 (An improper certificate validation vulnerability in Palo Alto Networks ...)
+ TODO: check
+CVE-2024-5917 (A server-side request forgery in PAN-OS software enables an unauthenti ...)
+ TODO: check
+CVE-2024-5125 (parisneo/lollms-webui version 9.6 is vulnerable to Cross-Site Scriptin ...)
+ TODO: check
+CVE-2024-52524 (Giskard is an evaluation and testing framework for AI systems. A Remot ...)
+ TODO: check
+CVE-2024-52505 (matrix-appservice-irc is a Node.js IRC bridge for the Matrix messaging ...)
+ TODO: check
+CVE-2024-52396 (Improper Limitation of a Pathname to a Restricted Directory ('Path Tra ...)
+ TODO: check
+CVE-2024-52393 (Improper Neutralization of Special Elements Used in a Template Engine ...)
+ TODO: check
+CVE-2024-52384 (Unrestricted Upload of File with Dangerous Type vulnerability in Sage ...)
+ TODO: check
+CVE-2024-52383 (Missing Authorization vulnerability in KCT Ai Auto Tool Content Writin ...)
+ TODO: check
+CVE-2024-52382 (Missing Authorization vulnerability in Medma Technologies Matix Popup ...)
+ TODO: check
+CVE-2024-52381 (Improper Control of Filename for Include/Require Statement in PHP Prog ...)
+ TODO: check
+CVE-2024-52380 (Unrestricted Upload of File with Dangerous Type vulnerability in Softp ...)
+ TODO: check
+CVE-2024-52379 (Unrestricted Upload of File with Dangerous Type vulnerability in Kinet ...)
+ TODO: check
+CVE-2024-52378 (Improper Limitation of a Pathname to a Restricted Directory ('Path Tra ...)
+ TODO: check
+CVE-2024-52377 (Unrestricted Upload of File with Dangerous Type vulnerability in BdThe ...)
+ TODO: check
+CVE-2024-52376 (Unrestricted Upload of File with Dangerous Type vulnerability in cmsMi ...)
+ TODO: check
+CVE-2024-52375 (Unrestricted Upload of File with Dangerous Type vulnerability in Artti ...)
+ TODO: check
+CVE-2024-52374 (Unrestricted Upload of File with Dangerous Type vulnerability in DoTha ...)
+ TODO: check
+CVE-2024-52373 (Unrestricted Upload of File with Dangerous Type vulnerability in Team ...)
+ TODO: check
+CVE-2024-52372 (Unrestricted Upload of File with Dangerous Type vulnerability in WebTe ...)
+ TODO: check
+CVE-2024-52371 (Improper Limitation of a Pathname to a Restricted Directory ('Path Tra ...)
+ TODO: check
+CVE-2024-52370 (Unrestricted Upload of File with Dangerous Type vulnerability in Hive ...)
+ TODO: check
+CVE-2024-52369 (Unrestricted Upload of File with Dangerous Type vulnerability in Optim ...)
+ TODO: check
+CVE-2024-52302 (common-user-management is a robust Spring Boot application featuring u ...)
+ TODO: check
+CVE-2024-51688 (Cross-Site Request Forgery (CSRF) vulnerability in FraudLabs Pro Fraud ...)
+ TODO: check
+CVE-2024-50843 (A Directory listing issue was found in PHPGurukul User Registration & ...)
+ TODO: check
+CVE-2024-50842 (A Stored Cross-Site Scripting (XSS) vulnerability was found in /admin/ ...)
+ TODO: check
+CVE-2024-50841 (A Stored Cross-Site Scripting (XSS) vulnerability was found in /admin/ ...)
+ TODO: check
+CVE-2024-50840 (A Stored Cross-Site Scripting (XSS) vulnerability was found in /admin/ ...)
+ TODO: check
+CVE-2024-50839 (A Stored Cross-Site Scripting (XSS) vulnerability was found in /admin/ ...)
+ TODO: check
+CVE-2024-50838 (A Stored Cross-Site Scripting (XSS) vulnerability was found in /admin/ ...)
+ TODO: check
+CVE-2024-50837 (A Stored Cross-Site Scripting (XSS) vulnerability was found in /admin/ ...)
+ TODO: check
+CVE-2024-50836 (A Stored Cross-Site Scripting (XSS) vulnerability was found in /admin/ ...)
+ TODO: check
+CVE-2024-50835 (A SQL Injection vulnerability was found in /admin/edit_student.php in ...)
+ TODO: check
+CVE-2024-50834 (A SQL Injection was found in /admin/teachers.php in KASHIPARA E-learni ...)
+ TODO: check
+CVE-2024-50833 (A SQL Injection vulnerability was found in /login.php in KASHIPARA E-l ...)
+ TODO: check
+CVE-2024-50832 (A SQL Injection vulnerability was found in /admin/edit_class.php in ka ...)
+ TODO: check
+CVE-2024-50831 (A SQL Injection was found in /admin/admin_user.php in kashipara E-lear ...)
+ TODO: check
+CVE-2024-50830 (A SQL Injection vulnerability was found in /admin/calendar_of_events.p ...)
+ TODO: check
+CVE-2024-50829 (A SQL Injection vulnerability was found in /admin/edit_subject.php in ...)
+ TODO: check
+CVE-2024-50828 (A SQL Injection vulnerability was found in /admin/edit_department.php ...)
+ TODO: check
+CVE-2024-50827 (A SQL Injection vulnerability was found in /admin/add_subject.php in k ...)
+ TODO: check
+CVE-2024-50826 (A SQL Injection vulnerability was found in /admin/add_content.php in k ...)
+ TODO: check
+CVE-2024-50825 (A SQL Injection vulnerability was found in /admin/school_year.php in k ...)
+ TODO: check
+CVE-2024-50824 (A SQL Injection vulnerability was found in /admin/class.php in kashipa ...)
+ TODO: check
+CVE-2024-50823 (A SQL Injection vulnerability was found in /admin/login.php in kashipa ...)
+ TODO: check
+CVE-2024-4343 (A Python command injection vulnerability exists in the `SagemakerLLM` ...)
+ TODO: check
+CVE-2024-4311 (zenml-io/zenml version 0.56.4 is vulnerable to an account takeover due ...)
+ TODO: check
+CVE-2024-49362 (Joplin is a free, open source note taking and to-do application. Jopli ...)
+ TODO: check
+CVE-2024-49025 (Microsoft Edge (Chromium-based) Information Disclosure Vulnerability)
+ TODO: check
+CVE-2024-48284 (A Reflected Cross-Site Scripting (XSS) vulnerability was found in the ...)
+ TODO: check
+CVE-2024-47916 (Boa web server - CWE-22: Improper Limitation of a Pathname to a Restri ...)
+ TODO: check
+CVE-2024-47915 (VaeMendis - CWE-200: Exposure of Sensitive Information to an Unauthor ...)
+ TODO: check
+CVE-2024-47914 (VaeMendis - CWE-352: Cross-Site Request Forgery (CSRF))
+ TODO: check
+CVE-2024-45670 (IBM Security SOAR 51.0.1.0 and earlier contains a mechanism for users ...)
+ TODO: check
+CVE-2024-45642 (IBM Security ReaQta 3.12 is vulnerable to cross-site scripting. This v ...)
+ TODO: check
+CVE-2024-45254 (VaeMendis - CWE-79: Improper Neutralization of Input During Web Page G ...)
+ TODO: check
+CVE-2024-45253 (Avigilon \u2013 CWE-22: Improper Limitation of a Pathname to a Restric ...)
+ TODO: check
+CVE-2024-45099 (IBM Security ReaQta 3.12 is vulnerable to cross-site scripting. This v ...)
+ TODO: check
+CVE-2024-42188 (HCL Connections is vulnerable to a broken access control vulnerability ...)
+ TODO: check
+CVE-2024-3760 (In lunary-ai/lunary version 1.2.7, there is a lack of rate limiting on ...)
+ TODO: check
+CVE-2024-3502 (In lunary-ai/lunary versions up to and including 1.2.5, an information ...)
+ TODO: check
+CVE-2024-3501 (In lunary-ai/lunary versions up to and including 1.2.5, an information ...)
+ TODO: check
+CVE-2024-3379 (In lunary-ai/lunary versions 1.2.2 through 1.2.6, an incorrect authori ...)
+ TODO: check
+CVE-2024-37285 (A deserialization issue in Kibana can lead to arbitrary code execution ...)
+ TODO: check
+CVE-2024-2552 (A command injection vulnerability in Palo Alto Networks PAN-OS softwar ...)
+ TODO: check
+CVE-2024-2551 (A null pointer dereference vulnerability in Palo Alto Networks PAN-OS ...)
+ TODO: check
+CVE-2024-2550 (A null pointer dereference vulnerability in the GlobalProtect gateway ...)
+ TODO: check
+CVE-2024-1682 (An unclaimed Amazon S3 bucket, 'codeconf', is referenced in an audio f ...)
+ TODO: check
+CVE-2024-11215 (Absolute path traversal (incorrect restriction of a path to a restrict ...)
+ TODO: check
+CVE-2024-11214 (A vulnerability has been found in SourceCodester Best Employee Managem ...)
+ TODO: check
+CVE-2024-11213 (A vulnerability, which was classified as critical, was found in Source ...)
+ TODO: check
+CVE-2024-11212 (A vulnerability, which was classified as critical, has been found in S ...)
+ TODO: check
+CVE-2024-11211 (A vulnerability classified as critical has been found in EyouCMS 1.5.6 ...)
+ TODO: check
+CVE-2024-11210 (A vulnerability was found in EyouCMS 1.51. It has been rated as critic ...)
+ TODO: check
+CVE-2024-11209 (A vulnerability was found in Apereo CAS 6.6. It has been classified as ...)
+ TODO: check
+CVE-2024-11208 (A vulnerability was found in Apereo CAS 6.6 and classified as problema ...)
+ TODO: check
+CVE-2024-11207 (A vulnerability has been found in Apereo CAS 6.6 and classified as pro ...)
+ TODO: check
+CVE-2024-11136 (The default TCL Camera application exposes a provider vulnerable to pa ...)
+ TODO: check
+CVE-2024-10962 (The Migration, Backup, Staging \u2013 WPvivid plugin for WordPress is ...)
+ TODO: check
+CVE-2024-10921 (An authorized user may trigger crashes or receive the contents of buff ...)
+ TODO: check
+CVE-2024-10571 (The Chartify \u2013 WordPress Chart Plugin plugin for WordPress is vul ...)
+ TODO: check
+CVE-2024-10979 (Incorrect control of environment variables in PostgreSQL PL/Perl allow ...)
- postgresql-17 17.1-1
- postgresql-16 <unfixed>
- postgresql-15 <removed>
- postgresql-13 <removed>
NOTE: https://www.postgresql.org/support/security/CVE-2024-10979/
-CVE-2024-10978
+CVE-2024-10978 (Incorrect privilege assignment in PostgreSQL allows a less-privileged ...)
- postgresql-17 17.1-1
- postgresql-16 <unfixed>
- postgresql-15 <removed>
- postgresql-13 <removed>
NOTE: https://www.postgresql.org/support/security/CVE-2024-10978/
-CVE-2024-10977
+CVE-2024-10977 (Client use of server error message in PostgreSQL allows a server not t ...)
- postgresql-17 17.1-1
- postgresql-16 <unfixed>
- postgresql-15 <removed>
- postgresql-13 <removed>
NOTE: https://www.postgresql.org/support/security/CVE-2024-10977/
-CVE-2024-10976
+CVE-2024-10976 (Incomplete tracking in PostgreSQL of tables with row security allows a ...)
- postgresql-17 17.1-1
- postgresql-16 <unfixed>
- postgresql-15 <removed>
@@ -224,18 +410,18 @@ CVE-2024-11193 (An information disclosure vulnerability exists in Yugabyte Anywh
NOT-FOR-US: Yugabyte
CVE-2024-10146 (The Simple File List WordPress plugin before 6.1.13 does not sanitise ...)
NOT-FOR-US: WordPress plugin
-CVE-2024-50306 [ATS: Server process can fail to drop privileges]
+CVE-2024-50306 (Unchecked return value can allow Apache Traffic Server to retain privi ...)
- trafficserver <unfixed>
NOTE: https://www.openwall.com/lists/oss-security/2024/11/13/1
NOTE: https://github.com/apache/trafficserver/pull/11855
NOTE: https://github.com/apache/trafficserver/commit/27f504883547502b1f5e4e389edd7f26e3ab246f (9.2.6-rc0)
NOTE: https://github.com/apache/trafficserver/commit/ae638096e259121d92d46a9f57026a5ff5bc328b (master)
-CVE-2024-38479 [ATS: Cache key plugin is vulnerable to cache poisoning attack]
+CVE-2024-38479 (Improper Input Validation vulnerability in Apache Traffic Server. Thi ...)
- trafficserver <unfixed>
NOTE: https://www.openwall.com/lists/oss-security/2024/11/13/1
NOTE: https://github.com/apache/trafficserver/pull/11856
NOTE: https://github.com/apache/trafficserver/commit/b8861231702ac5df7d5de401e82440c1cf20b633 (9.2.6-rc0)
-CVE-2024-50305 [ATS: Valid Host field value can cause crashes]
+CVE-2024-50305 (Valid Host header field can cause Apache Traffic Server to crash on so ...)
- trafficserver <unfixed>
NOTE: https://www.openwall.com/lists/oss-security/2024/11/13/1
NOTE: https://github.com/apache/trafficserver/issues/8461
@@ -558,7 +744,8 @@ CVE-2024-10778 (The BuddyPress Builder for Elementor \u2013 BuddyBuilder plugin
NOT-FOR-US: WordPress plugin
CVE-2024-10717 (The Styler for Ninja Forms plugin for WordPress is vulnerable to unaut ...)
NOT-FOR-US: WordPress plugin
-CVE-2024-10686 (The Design for Contact Form 7 Style WordPress Plugin \u2013 CF7 WOW St ...)
+CVE-2024-10686
+ REJECTED
NOT-FOR-US: WordPress plugin
CVE-2024-10684 (The Kognetiks Chatbot for WordPress plugin for WordPress is vulnerable ...)
NOT-FOR-US: WordPress plugin
@@ -580,20 +767,20 @@ CVE-2024-10174 (The WP Project Manager \u2013 Task, team, and project management
NOT-FOR-US: WordPress plugin
CVE-2024-10038 (The WP-Strava plugin for WordPress is vulnerable to Stored Cross-Site ...)
NOT-FOR-US: WordPress plugin
-CVE-2023-4458 [ksmbd: fix wrong DataOffset validation of create context]
+CVE-2023-4458 (A flaw was found within the parsing of extended attributes in the kern ...)
- linux 6.5.3-1
[bookworm] - linux 6.1.52-1
[bullseye] - linux <not-affected> (Vulnerable code not present)
NOTE: https://git.kernel.org/linus/17d5b135bb720832364e8f55f6a887a3c7ec8fdb (6.6-rc1)
-CVE-2024-10397 [OPENAFS-SA-2024-003: buffer overflows in XDR responses]
+CVE-2024-10397 (A malicious server can crash the OpenAFS cache manager and other clien ...)
- openafs 1.8.13-1 (bug #1087406; bug #1087407)
NOTE: http://openafs.org/pages/security/OPENAFS-SA-2024-003.txt
NOTE: https://lists.openafs.org/pipermail/openafs-devel/2024-November/020961.html
-CVE-2024-10396 [OPENAFS-SA-2024-002: fileserver crash on malformed StoreACL]
+CVE-2024-10396 (An authenticated user can provide a malformed ACL to the fileserver's ...)
- openafs 1.8.13-1 (bug #1087406; bug #1087407)
NOTE: http://openafs.org/pages/security/OPENAFS-SA-2024-002.txt
NOTE: https://lists.openafs.org/pipermail/openafs-devel/2024-November/020961.html
-CVE-2024-10394 [OPENAFS-SA-2024-001: theft of credentials from Unix PAGs]
+CVE-2024-10394 (A local user can bypass the OpenAFS PAG (Process Authentication Group) ...)
- openafs 1.8.13-1 (bug #1087406; bug #1087407)
NOTE: http://openafs.org/pages/security/OPENAFS-SA-2024-001.txt
NOTE: https://lists.openafs.org/pipermail/openafs-devel/2024-November/020961.html
@@ -12462,6 +12649,7 @@ CVE-2024-0123 (NVIDIA CUDA toolkit for Windows and Linux contains a vulnerabilit
CVE-2023-37822 (The Eufy Homebase 2 before firmware version 3.3.4.1h creates a dedicat ...)
NOT-FOR-US: Eufy HomeBase 2 model T8010X
CVE-2024-8508 (NLnet Labs Unbound up to and including version 1.21.0 contains a vulne ...)
+ {DLA-3952-1}
- unbound 1.21.1-1 (bug #1083282)
[bookworm] - unbound <no-dsa> (Minor issue)
NOTE: Advisory: https://nlnetlabs.nl/downloads/unbound/CVE-2024-8508.txt
@@ -17003,6 +17191,7 @@ CVE-2024-21529 (Versions of the package dset before 3.1.4 are vulnerable to Prot
CVE-2024-1656 (Affected versions of Octopus Server had a weak content security policy ...)
NOT-FOR-US: Octopus Server
CVE-2024-8096 (When curl is told to use the Certificate Status Request TLS extension, ...)
+ {DLA-3951-1}
- curl 8.10.0-1
[bookworm] - curl 7.88.1-10+deb12u8
NOTE: https://curl.se/docs/CVE-2024-8096.html
@@ -23551,7 +23740,7 @@ CVE-2024-20083 (In venc, there is a possible out of bounds write due to a missin
NOT-FOR-US: Mediatek
CVE-2024-20082 (In Modem, there is a possible memory corruption due to a missing bound ...)
NOT-FOR-US: Mediatek
-CVE-2024-7730
+CVE-2024-7730 (A heap buffer overflow was found in the virtio-snd device in QEMU. Whe ...)
- qemu 1:9.1.0+ds-1
[bookworm] - qemu <no-dsa> (Minor issue)
NOTE: https://lore.kernel.org/qemu-devel/virtio-snd-fuzz-2427-fix-v1-manos.pitsidianakis@linaro.org/
@@ -61761,7 +61950,7 @@ CVE-2024-26815 (In the Linux kernel, the following vulnerability has been resolv
[bullseye] - linux <not-affected> (Vulnerable code not present)
[buster] - linux <not-affected> (Vulnerable code not present)
NOTE: https://git.kernel.org/linus/343041b59b7810f9cdca371f445dd43b35c740b1 (6.9-rc1)
-CVE-2024-3447
+CVE-2024-3447 (A heap-based buffer overflow was found in the SDHCI device emulation o ...)
- qemu 1:8.2.3+ds-1 (bug #1068821)
[bookworm] - qemu 1:7.2+dfsg-7+deb12u6
[bullseye] - qemu <no-dsa> (Minor issue)
@@ -111845,7 +112034,7 @@ CVE-2023-4138 (Allocation of Resources Without Limits or Throttling in GitHub re
- rdiffweb <itp> (bug #969974)
CVE-2023-4136 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
NOT-FOR-US: CrafterCMS
-CVE-2023-4134 [Input: cyttsp4_core - change del_timer_sync() to timer_shutdown_sync()]
+CVE-2023-4134 (A use-after-free vulnerability was found in the cyttsp4_core driver in ...)
- linux 6.4.4-1 (unimportant)
NOTE: https://git.kernel.org/linus/dbe836576f12743a7d2d170ad4ad4fd324c4d47a (6.5-rc1)
NOTE: TOUCHSCREEN_CYTTSP4_CORE not enabled in Debian
@@ -193000,8 +193189,7 @@ CVE-2022-2234 (An authenticated mySCADA myPRO 8.26.0 user may be able to modify
NOT-FOR-US: mySCADA myPRO
CVE-2022-2233 (The Banner Cycler plugin for WordPress is vulnerable to Cross-Site Req ...)
NOT-FOR-US: Banner Cycler plugin for WordPress
-CVE-2022-2232
- RESERVED
+CVE-2022-2232 (A flaw was found in the Keycloak package. This flaw allows an attacker ...)
NOT-FOR-US: Keycloak
CVE-2022-2231 (NULL Pointer Dereference in GitHub repository vim/vim prior to 8.2.)
- vim 2:9.0.0135-1 (unimportant)
@@ -201445,18 +201633,18 @@ CVE-2022-31673 (VMware vRealize Operations contains an information disclosure vu
NOT-FOR-US: VMware
CVE-2022-31672 (VMware vRealize Operations contains a privilege escalation vulnerabili ...)
NOT-FOR-US: VMware
-CVE-2022-31671
- RESERVED
-CVE-2022-31670
- RESERVED
-CVE-2022-31669
- RESERVED
-CVE-2022-31668
- RESERVED
-CVE-2022-31667
- RESERVED
-CVE-2022-31666
- RESERVED
+CVE-2022-31671 (Harbor fails to validate user permissions when reading and updating jo ...)
+ TODO: check
+CVE-2022-31670 (Harbor fails to validate the user permissions when updating tag retent ...)
+ TODO: check
+CVE-2022-31669 (Harbor fails to validate the user permissions when updating tag immuta ...)
+ TODO: check
+CVE-2022-31668 (Harbor fails to validate the user permissions when updating p2p prehea ...)
+ TODO: check
+CVE-2022-31667 (Harbor fails to validate the user permissions when updating a robot ac ...)
+ TODO: check
+CVE-2022-31666 (Harbor fails to validate user permissions while deleting Webhook polic ...)
+ TODO: check
CVE-2022-31665 (VMware Workspace ONE Access, Identity Manager and vRealize Automation ...)
NOT-FOR-US: VMware
CVE-2022-31664 (VMware Workspace ONE Access, Identity Manager and vRealize Automation ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/38e980d2108a9b7f54546633e3f2c27b01ba44c9
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/38e980d2108a9b7f54546633e3f2c27b01ba44c9
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20241114/c687c1d2/attachment-0001.htm>
More information about the debian-security-tracker-commits
mailing list