[Git][security-tracker-team/security-tracker][master] 4 commits: Track new mattermost-server CVEs
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Thu Sep 26 23:19:32 BST 2024
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
8bfd6fe1 by Salvatore Bonaccorso at 2024-09-26T23:49:20+02:00
Track new mattermost-server CVEs
- - - - -
9752c31e by Salvatore Bonaccorso at 2024-09-26T23:49:22+02:00
Add CVE-2024-8118/grafana
- - - - -
52a2e7e9 by Salvatore Bonaccorso at 2024-09-26T23:49:24+02:00
Process some NFUs
- - - - -
8c3a6572 by Salvatore Bonaccorso at 2024-09-26T23:49:25+02:00
Add CVE-2024-46632/assimp
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -35,17 +35,17 @@ CVE-2024-8633 (The Form Maker by 10Web \u2013 Mobile-Friendly Drag & Drop Contac
CVE-2024-8126 (The Advanced File Manager plugin for WordPress is vulnerable to arbitr ...)
NOT-FOR-US: WordPress plugin
CVE-2024-8118 (In Grafana, the wrong permission is applied to the alert rule write AP ...)
- TODO: check
+ - grafana <removed>
CVE-2024-7594 (Vault\u2019s SSH secrets engine did not require the valid_principals l ...)
- TODO: check
+ NOT-FOR-US: HashiCorp Vault
CVE-2024-7259 (A flaw was found in oVirt. A user with administrator privileges, inclu ...)
TODO: check
CVE-2024-7108 (Incorrect Authorization vulnerability in National Keep Cyber Security ...)
- TODO: check
+ NOT-FOR-US: National Keep Cyber SecurityServices CyberMath
CVE-2024-7107 (Files or Directories Accessible to External Parties vulnerability in N ...)
- TODO: check
+ NOT-FOR-US: National Keep Cyber Security Services CyberMath
CVE-2024-47337 (Missing Authorization vulnerability in Stuart Wilson Joy Of Text Lite. ...)
- TODO: check
+ NOT-FOR-US: Stuart Wilson Joy Of Text Lite
CVE-2024-47197 (Exposure of Sensitive Information to an Unauthorized Actor, Insecure S ...)
TODO: check
CVE-2024-47180 (Shields.io is a service for concise, consistent, and legible badges in ...)
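Review bot: the entry added for CVE-2024-7108 reads `NOT-FOR-US: National Keep Cyber SecurityServices CyberMath` (no space between "Security" and "Services"), while the entry for the sibling CVE-2024-7107 two lines below reads `NOT-FOR-US: National Keep Cyber Security Services CyberMath`; the two should use the same spelling so the vendor/product name stays greppable across data/CVE/list.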
@@ -55,109 +55,110 @@ CVE-2024-47179 (RSSHub is an RSS network. Prior to commit 64e00e7, RSSHub's `doc
CVE-2024-47174 (Nix is a package manager for Linux and other Unix systems. Starting in ...)
TODO: check
CVE-2024-47171 (Agnai is an artificial-intelligence-agnostic multi-user, mult-bot role ...)
- TODO: check
+ NOT-FOR-US: Agnai
CVE-2024-47170 (Agnai is an artificial-intelligence-agnostic multi-user, mult-bot role ...)
- TODO: check
+ NOT-FOR-US: Agnai
CVE-2024-47169 (Agnai is an artificial-intelligence-agnostic multi-user, mult-bot role ...)
- TODO: check
+ NOT-FOR-US: Agnai
CVE-2024-47145 (Mattermost versions 9.5.x <= 9.5.8 fail to properly authorize access t ...)
- TODO: check
+ - mattermost-server <itp> (bug #823556)
CVE-2024-47130 (The goTenna Pro series allows unauthenticated attackers to remotely up ...)
- TODO: check
+ NOT-FOR-US: goTenna Pro
CVE-2024-47129 (The goTenna Pro has a payload length vulnerability that makes it possi ...)
- TODO: check
+ NOT-FOR-US: goTenna Pro
CVE-2024-47128 (The goTenna Pro broadcast key name is always sent unencrypted and coul ...)
- TODO: check
+ NOT-FOR-US: goTenna Pro
CVE-2024-47127 (In the goTenna Pro there is a vulnerability that makes it possible to ...)
- TODO: check
+ NOT-FOR-US: goTenna Pro
CVE-2024-47126 (The goTenna Pro series does not use SecureRandom when generating its c ...)
- TODO: check
+ NOT-FOR-US: goTenna Pro
CVE-2024-47125 (The goTenna Pro series does not authenticate public keys which allows ...)
- TODO: check
+ NOT-FOR-US: goTenna Pro
CVE-2024-47124 (The goTenna pro series does not encrypt the callsigns of its users. Th ...)
- TODO: check
+ NOT-FOR-US: goTenna Pro
CVE-2024-47123 (The goTenna Pro series use AES CTR mode for short, encrypted messages ...)
- TODO: check
+ NOT-FOR-US: goTenna Pro
CVE-2024-47122 (In the goTenna Pro application, the encryption keys are stored along w ...)
- TODO: check
+ NOT-FOR-US: goTenna Pro
CVE-2024-47121 (The goTenna Pro series uses a weak password for the QR broadcast messa ...)
- TODO: check
+ NOT-FOR-US: goTenna Pro
CVE-2024-47075 (LayUI is a native minimalist modular Web UI component library. Version ...)
TODO: check
CVE-2024-47044 (Multiple Home GateWay/Hikari Denwa routers provided by NIPPON TELEGRAP ...)
- TODO: check
+ NOT-FOR-US: Home GateWay/Hikari Denwa routers
CVE-2024-47003 (Mattermost versions 9.11.x <= 9.11.0 and 9.5.x <= 9.5.8 fail to valida ...)
- TODO: check
+ - mattermost-server <itp> (bug #823556)
CVE-2024-46632 (Assimp v5.4.3 is vulnerable to Buffer Overflow via the MD5Importer::Lo ...)
- TODO: check
+ - assimp <unfixed>
+ NOTE: https://github.com/assimp/assimp/issues/5771
CVE-2024-46627 (Incorrect access control in BECN DATAGERRY v2.2 allows attackers to ex ...)
- TODO: check
+ NOT-FOR-US: BECN DATAGERRY
CVE-2024-46330 (VONETS VAP11G-300 v3.3.23.6.9 was discovered to contain a command inje ...)
- TODO: check
+ NOT-FOR-US: VONETS VAP11G-300
CVE-2024-46329 (VONETS VAP11G-300 v3.3.23.6.9 was discovered to contain a command inje ...)
- TODO: check
+ NOT-FOR-US: VONETS VAP11G-300
CVE-2024-46328 (VONETS VAP11G-300 v3.3.23.6.9 was discovered to contain hardcoded cred ...)
- TODO: check
+ NOT-FOR-US: VONETS VAP11G-300
CVE-2024-46327 (An issue in the Http_handle object of VONETS VAP11G-300 v3.3.23.6.9 al ...)
- TODO: check
+ NOT-FOR-US: VONETS VAP11G-300
CVE-2024-45989 (Monica AI Assistant desktop application v2.3.0 is vulnerable to Exposu ...)
- TODO: check
+ NOT-FOR-US: Monica AI Assistant desktop application
CVE-2024-45987 (Projectworld Online Voting System Version 1.0 is vulnerable to Cross S ...)
- TODO: check
+ NOT-FOR-US: Projectworld Online Voting System
CVE-2024-45985 (A Cross Site Scripting (XSS) vulnerability in update_contact.php of Bl ...)
- TODO: check
+ NOT-FOR-US: Blood Bank and Donation Management System
CVE-2024-45984 (A Cross Site Scripting (XSS) vulnerability in add_donor.php of Blood B ...)
- TODO: check
+ NOT-FOR-US: Blood Bank and Donation Management System
CVE-2024-45983 (A Cross-Site Request Forgery (CSRF) vulnerability exists in kishan0725 ...)
- TODO: check
+ NOT-FOR-US: kishan0725's Hospital Management System
CVE-2024-45982 (A host header injection vulnerability in scheduleR v0.0.18 allows atta ...)
TODO: check
CVE-2024-45981 (A host header injection vulnerability in BookReviewLibrary 1.0 allows ...)
- TODO: check
+ NOT-FOR-US: BookReviewLibrary
CVE-2024-45980 (A host header injection vulnerability in MEANStore 1.0 allows attacker ...)
- TODO: check
+ NOT-FOR-US: MEANStore
CVE-2024-45979 (A host header injection vulnerability in Lines Police CAD 1.0 allows a ...)
- TODO: check
+ NOT-FOR-US: Lines Police CAD
CVE-2024-45843 (Mattermost versions 9.5.x <= 9.5.8 fail to include themetadata endpoin ...)
- TODO: check
+ - mattermost-server <itp> (bug #823556)
CVE-2024-45838 (The goTenna Pro ATAK Plugin does not encrypt the callsigns of its user ...)
- TODO: check
+ NOT-FOR-US: goTenna Pro
CVE-2024-45723 (The goTenna Pro ATAK Plugin does not use SecureRandom when generating ...)
- TODO: check
+ NOT-FOR-US: goTenna Pro
CVE-2024-45374 (In the goTenna Pro ATAK Plugin application, the encryption keys are s ...)
- TODO: check
+ NOT-FOR-US: goTenna Pro
CVE-2024-45042 (Ory Kratos is an identity, user management and authentication system f ...)
TODO: check
CVE-2024-44860 (An information disclosure vulnerability in the /Letter/PrintQr/ endpoi ...)
- TODO: check
+ NOT-FOR-US: Solvait
CVE-2024-43814 (goTenna Pro ATAK Plugin by default enables frequent unencrypted Posit ...)
- TODO: check
+ NOT-FOR-US: goTenna Pro
CVE-2024-43694 (In the goTenna Pro ATAK Plugin application, the encryption keys are s ...)
- TODO: check
+ NOT-FOR-US: goTenna Pro
CVE-2024-43191 (IBM ManageIQ could allow a remote authenticated attacker to execute ar ...)
- TODO: check
+ NOT-FOR-US: IBM
CVE-2024-43108 (The goTenna Pro ATAK Plugin use AES CTR mode for short, encrypted mes ...)
- TODO: check
+ NOT-FOR-US: goTenna Pro
CVE-2024-42406 (Mattermost versions 9.11.x <= 9.11.0, 9.10.x <= 9.10.1, 9.9.x <= 9.9.2 ...)
- TODO: check
+ - mattermost-server <itp> (bug #823556)
CVE-2024-41931 (The goTenna Pro ATAK Plugin broadcast key name is always sent unencryp ...)
- TODO: check
+ NOT-FOR-US: goTenna Pro
CVE-2024-41722 (In the goTenna Pro ATAK Plugin there is a vulnerability that makes it ...)
- TODO: check
+ NOT-FOR-US: goTenna Pro
CVE-2024-41715 (The goTenna Pro ATAK Plugin has a payload length vulnerability that m ...)
- TODO: check
+ NOT-FOR-US: goTenna Pro
CVE-2024-41605 (An issue in Foxit Software Foxit PDF Reader v.2024.2.2.25170 allows a ...)
- TODO: check
+ NOT-FOR-US: Foxit PDF Reader
CVE-2024-39577 (Dell SmartFabric OS10 Software, versions 10.5.6.x, 10.5.5.x, 10.5.4.x, ...)
- TODO: check
+ NOT-FOR-US: Dell
CVE-2024-39319 (aimeos/ai-controller-frontend is the Aimeos frontend controller packag ...)
- TODO: check
+ NOT-FOR-US: Aimeos frontend controller
CVE-2024-37125 (Dell SmartFabric OS10 Software, versions 10.5.6.x, 10.5.5.x, 10.5.4.x, ...)
- TODO: check
+ NOT-FOR-US: Dell
CVE-2024-31899 (IBM Cognos Command Center 10.2.4.1 and 10.2.5 could disclose highly se ...)
NOT-FOR-US: IBM
CVE-2024-30134 (The HCL Traveler for Microsoft Outlook executable (HTMO.exe) is being ...)
- TODO: check
+ NOT-FOR-US: HCL
CVE-2023-46175 (IBM Cloud Pak for Multicloud Management 2.3 through 2.3 FP8 stores use ...)
NOT-FOR-US: IBM
CVE-2024-47177
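Review bot: the new assimp entry for CVE-2024-46632 marks the package `<unfixed>` and carries only the upstream issue link (https://github.com/assimp/assimp/issues/5771) as a NOTE; once upstream commits a fix, a second NOTE pointing at the fix commit is needed so the fixed version can be recorded and the entry moved off `<unfixed>`. The four mattermost-server entries (CVE-2024-47145, CVE-2024-47003, CVE-2024-45843, CVE-2024-42406) consistently reference ITP bug #823556, which is fine as long as the package stays unpackaged.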
@@ -139915,7 +139916,7 @@ CVE-2023-0012 (In SAP Host Agent (Windows) - versions 7.21, 7.22, an attacker wh
CVE-2022-4542 (The Compact WP Audio Player WordPress plugin before 1.9.8 does not val ...)
NOT-FOR-US: WordPress plugin
CVE-2022-4541 (The WordPress Visitors plugin for WordPress is vulnerable to Stored Cr ...)
- TODO: check
+ NOT-FOR-US: WordPress plugin
CVE-2022-4540
REJECTED
CVE-2022-4539 (The Web Application Firewall plugin for WordPress is vulnerable to IP ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/5373c95798688a93bb6cc7d33a35b1926e09f705...8c3a65727d66795cdae9ede414dc7c57e8ae89dc