[Git][security-tracker-team/security-tracker][master] 4 commits: Add CVE-2024-8796/ruby-devise-two-factor

Salvatore Bonaccorso (@carnil) carnil at debian.org
Tue Sep 17 21:43:17 BST 2024



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
87a777c1 by Salvatore Bonaccorso at 2024-09-17T22:43:02+02:00
Add CVE-2024-8796/ruby-devise-two-factor

- - - - -
e021c076 by Salvatore Bonaccorso at 2024-09-17T22:43:02+02:00
Process some NFUs

- - - - -
1c7c7886 by Salvatore Bonaccorso at 2024-09-17T22:43:03+02:00
Add CVE-2024-7788/libreoffice

- - - - -
57560f31 by Salvatore Bonaccorso at 2024-09-17T22:43:03+02:00
Add two new druid CVEs, itp'ed

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -30,27 +30,29 @@ CVE-2024-8897 (Under certain conditions, an attacker with the ability to redirec
 	- firefox <not-affected> (Only affects Firefox on Android)
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-45/#CVE-2024-8897
 CVE-2024-8796 (Under the default configuration, Devise-Two-Factor versions >= 2.2.0 & ...)
-	TODO: check
+	- ruby-devise-two-factor <unfixed>
+	NOTE: https://github.com/devise-two-factor/devise-two-factor/security/advisories/GHSA-qjxf-mc72-wjr2
 CVE-2024-8767 (Sensitive data disclosure and manipulation due to unnecessary privileg ...)
-	TODO: check
+	NOT-FOR-US: Acronis
 CVE-2024-8761 (The Share This Image plugin for WordPress is vulnerable to Open Redire ...)
-	TODO: check
+	NOT-FOR-US: WordPress plugin
 CVE-2024-8660 (Concrete CMS versions 9.0.0 through 9.3.3 are affected by a stored XSS ...)
-	TODO: check
+	NOT-FOR-US: Concrete CMS
 CVE-2024-7873 (Improper Neutralization of Input During Web Page Generation (XSS or 'C ...)
 	TODO: check
 CVE-2024-7788 (Improper Digital Signature Invalidation vulnerability in Zip Repair Mo ...)
-	TODO: check
+	- libreoffice 4:24.2.5-1
+	NOTE: https://www.libreoffice.org/about-us/security/advisories/CVE-2024-7788
 CVE-2024-5998 (A vulnerability in the FAISS.deserialize_from_bytes function of langch ...)
-	TODO: check
+	NOT-FOR-US: langchain-ai/langchain
 CVE-2024-47049 (The czim/file-handling package before 1.5.0 and 2.x before 2.3.0 (used ...)
 	TODO: check
 CVE-2024-47047 (An issue was discovered in the powermail extension through 12.4.0 for  ...)
-	TODO: check
+	NOT-FOR-US: TYPO3 extension
 CVE-2024-46362 (FrogCMS V0.9.5 was discovered to contain a Cross-Site Request Forgery  ...)
-	TODO: check
+	NOT-FOR-US: FrogCMS
 CVE-2024-46085 (FrogCMS V0.9.5 was discovered to contain a Cross-Site Request Forgery  ...)
-	TODO: check
+	NOT-FOR-US: FrogCMS
 CVE-2024-45812 (Vite a frontend build tooling framework for javascript. Affected versi ...)
 	TODO: check
 CVE-2024-45811 (Vite a frontend build tooling framework for javascript. In affected ve ...)
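Review bot: the new ruby-devise-two-factor entry for CVE-2024-8796 marks the package `<unfixed>` but records nothing about the affected range, even though the CVE text itself says "versions >= 2.2.0 & ..." is what is affected under the default configuration; add a NOTE line with the fixed upstream version or commit next to the GHSA-qjxf-mc72-wjr2 reference so the `<unfixed>` state can be checked against the Debian package version during follow-up. For consistency with that entry, the libreoffice 4:24.2.5-1 line for CVE-2024-7788 could also carry the fixed upstream release in a NOTE rather than only the advisory URL.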
@@ -64,21 +66,21 @@ CVE-2024-45798 (arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-
 CVE-2024-45682 (There is a command injection vulnerability that may allow an attacker  ...)
 	TODO: check
 CVE-2024-45612 (Contao is an Open Source CMS. In affected versions an untrusted user c ...)
-	TODO: check
+	NOT-FOR-US: Contao CMS
 CVE-2024-45606 (Sentry is a developer-first error tracking and performance monitoring  ...)
 	TODO: check
 CVE-2024-45605 (Sentry is a developer-first error tracking and performance monitoring  ...)
 	TODO: check
 CVE-2024-45604 (Contao is an Open Source CMS. In affected versions authenticated users ...)
-	TODO: check
+	NOT-FOR-US: Contao CMS
 CVE-2024-45537 (Apache Druid allows users with certain permissions to read data from o ...)
-	TODO: check
+	- druid <itp> (bug #825797)
 CVE-2024-45398 (Contao is an Open Source CMS. In affected versions a back end user wit ...)
-	TODO: check
+	NOT-FOR-US: Contao CMS
 CVE-2024-45384 (Padding Oracle vulnerability in Apache Druid extension, druid-pac4j. T ...)
-	TODO: check
+	- druid <itp> (bug #825797)
 CVE-2024-43460 (Improper authorization in Dynamics 365 Business Central resulted in a  ...)
-	TODO: check
+	NOT-FOR-US: Microsoft
 CVE-2024-42503 (Authenticated command execution vulnerability exist in the  ArubaOS co ...)
 	TODO: check
 CVE-2024-42502 (Authenticated command injection vulnerability exists in the ArubaOS co ...)
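Review bot: the two `druid <itp> (bug #825797)` entries for CVE-2024-45537 and CVE-2024-45384 are the only resolved entries in this patch without a NOTE pointing at an upstream advisory, unlike the ruby-devise-two-factor and libreoffice entries in the first hunk; adding the upstream reference for each (the padding-oracle issue in druid-pac4j in particular) would let whoever eventually packages druid pick up the fixed version without re-triaging. The shared bug number on both lines is consistent and fine.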



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/725dc4cdd2481883503e7bfef02d07185d448edf...57560f31e90256d9c2ccb1b07acd711210f864a8


