[Git][security-tracker-team/security-tracker][master] Update status for same class of issues with disputed security impact

Salvatore Bonaccorso (@carnil) carnil at debian.org
Sun Aug 10 20:35:51 BST 2025 


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
32b07d44 by Salvatore Bonaccorso at 2025-08-10T21:34:31+02:00
Update status for same class of issues with disputed security impact

All of the issues are similar and from same reporter as for
CVE-2025-45768, where the same argumets holds as back there provided by
upstream in https://github.com/jpadilla/pyjwt/issues/1080 .

Those CVEs might need to be rejected.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -637,9 +637,9 @@ CVE-2025-46387 (CWE-639 Authorization Bypass Through User-Controlled Key)
 CVE-2025-46386 (CWE-639 Authorization Bypass Through User-Controlled Key)
 	NOT-FOR-US: Emby MediaBrowser
 CVE-2025-45766 (poco v1.14.1-release was discovered to contain weak encryption.)
-	- poco <undetermined>
+	- poco <unfixed> (unimportant)
 	NOTE: https://github.com/pocoproject/poco/issues/4921
-	TODO: check upstream status, might not be a bug in poco
+	NOTE: Negligible and disputed security impact
 CVE-2025-45764 (jsrsasign v11.1.0 was discovered to contain weak encryption. NOTE: thi ...)
 	NOT-FOR-US: jsrsasign
 CVE-2025-3354 (IBM Tivoli Monitoring 6.3.0.7 through 6.3.0.7 Service Pack 20 is vulne ...)
@@ -2026,8 +2026,9 @@ CVE-2025-50270 (A stored Cross Site Scripting (xss) vulnerability in the "conten
 CVE-2025-46809 (A Insertion of Sensitive Information into Log File vulnerability in SU ...)
 	NOT-FOR-US: SUSE Multi Linux Manager
 CVE-2025-45770 (jwt v5.4.3 was discovered to contain weak encryption.)
-	- php-lcobucci-jwt <unfixed>
+	- php-lcobucci-jwt <unfixed> (unimportant)
 	NOTE: https://github.com/lcobucci/jwt/security/advisories/GHSA-rp3h-65jh-3c3m
+	NOTE: Negligible security impact
 CVE-2025-45769 (php-jwt v6.11.0 was discovered to contain weak encryption.)
 	NOT-FOR-US: php-jwt
 CVE-2025-41688 (A high privileged remote attacker can execute arbitrary OS commands us ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/32b07d44f018cf6bd81631b0812a6045c541ffdc

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/32b07d44f018cf6bd81631b0812a6045c541ffdc
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20250810/04105ad9/attachment.htm>

More information about the debian-security-tracker-commits mailing list