[Git][security-tracker-team/security-tracker][master] Associate some CVEs with zulip-server
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Fri Feb 14 09:15:26 GMT 2025
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
48602a08 by Salvatore Bonaccorso at 2025-02-14T10:14:46+01:00
Associate some CVEs with zulip-server
Though this might be revisited.
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -8150,7 +8150,7 @@ CVE-2024-57159 (07FLYCMS V1.3.9 was discovered to contain a Cross-Site Request F
CVE-2024-56515 (Matrix Media Repo (MMR) is a highly configurable multi-homeserver medi ...)
NOT-FOR-US: Matrix Media Repo (MMR)
CVE-2024-56136 (Zulip server provides an open-source team chat that helps teams stay p ...)
- NOT-FOR-US: Zulip
+ - zulip-server <itp> (bug #800052)
CVE-2024-55954 (OpenObserve is a cloud-native observability platform. A vulnerability ...)
NOT-FOR-US: OpenObserve
CVE-2024-52791 (Matrix Media Repo (MMR) is a highly configurable multi-homeserver medi ...)
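Review bot: the ITP bug referenced in the new `- zulip-server <itp> (bug #800052)` line is numerically far older than other bugs in this file (for example #828967 on the horizon entry and #1088817 on the symfony entry), so it is a long-standing, unfinished ITP; since the commit message already says the association "might be revisited", it would help to record in the message whether #800052 is still active or whether these entries should revert to NOT-FOR-US if the ITP is closed.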
@@ -21572,9 +21572,9 @@ CVE-2024-36671 (nodemcu before v3.0.0-release_20240225 was discovered to contain
CVE-2024-36626 (In prestashop 8.1.4, a NULL pointer dereference was identified in the ...)
NOT-FOR-US: PrestaShop
CVE-2024-36625 (Zulip 8.3 is vulnerable to Cross Site Scripting (XSS) via the replace_ ...)
- NOT-FOR-US: Zulip
+ - zulip-server <itp> (bug #800052)
CVE-2024-36624 (Zulip 8.3 is vulnerable to Cross Site Scripting (XSS) via the construc ...)
- NOT-FOR-US: Zulip
+ - zulip-server <itp> (bug #800052)
CVE-2024-36623 (moby v25.0.3 has a Race Condition vulnerability in the streamformatter ...)
- docker.io 26.1.4+dfsg1-9
[bookworm] - docker.io <no-dsa> (Minor issue)
@@ -21616,7 +21616,7 @@ CVE-2024-36615 (FFmpeg n7.0 has a race condition vulnerability in the VP9 decode
[bookworm] - ffmpeg <postponed> (Pick up when fixed in 5.1.x)
NOTE: https://github.com/ffmpeg/ffmpeg/commit/0ba058579f332b3060d8470a04ddd3fbf305be61 (n7.1)
CVE-2024-36612 (Zulip from 8.0 to 8.3 contains a memory leak vulnerability in the hand ...)
- NOT-FOR-US: Zulip
+ - zulip-server <itp> (bug #800052)
CVE-2024-36611 (In Symfony v7.07, a security vulnerability was identified in the FormL ...)
[experimental] - symfony 7.1.0~beta1+dfsg-1
- symfony <unfixed> (unimportant; bug #1088817)
@@ -95502,7 +95502,7 @@ CVE-2024-28231 (eprosima Fast DDS is a C++ implementation of the Data Distributi
CVE-2024-28179 (Jupyter Server Proxy allows users to run arbitrary external processes ...)
NOT-FOR-US: Jupyter Server Proxy
CVE-2024-27286 (Zulip is an open-source team collaboration. When a user moves a Zulip ...)
- NOT-FOR-US: Zulip
+ - zulip-server <itp> (bug #800052)
CVE-2024-27105 (Frappe is a full-stack web application framework. Prior to versions 14 ...)
NOT-FOR-US: Frappe Framework
CVE-2024-24813 (Frappe is a full-stack web application framework. Prior to versions 14 ...)
@@ -108985,7 +108985,7 @@ CVE-2024-22529 (TOTOLINK X2000R_V2 V2.0.0-B20230727.10434 has a command injectio
CVE-2024-22432 (Networker 19.9 and all prior versions contains a Plain-text Password s ...)
NOT-FOR-US: Dell Networker
CVE-2024-21630 (Zulip is an open-source team collaboration tool. A vulnerability in ve ...)
- NOT-FOR-US: Zulip
+ - zulip-server <itp> (bug #800052)
CVE-2024-0883 (A vulnerability was found in SourceCodester Online Tours & Travels Man ...)
NOT-FOR-US: SourceCodester Online Tours & Travels Management System
CVE-2024-0882 (A vulnerability was found in qwdigital LinkWechat 5.1.0. It has been c ...)
@@ -121875,7 +121875,7 @@ CVE-2023-47686 (Cross-Site Request Forgery (CSRF) vulnerability in Kiboko Labs A
CVE-2023-47675 (CubeCart prior to 6.5.3 allows a remote authenticated attacker with an ...)
NOT-FOR-US: CubeCart
CVE-2023-47642 (Zulip is an open-source team collaboration tool. It was discovered by ...)
- NOT-FOR-US: Zulip
+ - zulip-server <itp> (bug #800052)
CVE-2023-47283 (Directory traversal vulnerability in CubeCart prior to 6.5.3 allows a ...)
NOT-FOR-US: CubeCart
CVE-2023-47112 (Rundeck is an open source automation service with a web console, comma ...)
@@ -135998,7 +135998,7 @@ CVE-2023-32756 (e-Excellence U-Office Force has a path traversal vulnerability w
CVE-2023-32755 (e-Excellence U-Office Force generates an error message in webiste serv ...)
NOT-FOR-US: e-Excellence U-Office Force
CVE-2023-32678 (Zulip is an open-source team collaboration tool with topic-based threa ...)
- NOT-FOR-US: Zulip
+ - zulip-server <itp> (bug #800052)
CVE-2023-32603 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in RedNao D ...)
NOT-FOR-US: WordPress plugin
CVE-2023-32598 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in A. R. Jo ...)
@@ -147047,7 +147047,7 @@ CVE-2023-33191 (Kyverno is a policy engine designed for Kubernetes. Kyverno secc
CVE-2023-33189 (Pomerium is an identity and context-aware access proxy. With specially ...)
NOT-FOR-US: Pomerium
CVE-2023-33186 (Zulip is an open-source team collaboration tool with unique topic-base ...)
- NOT-FOR-US: Zulip
+ - zulip-server <itp> (bug #800052)
CVE-2023-33183 (Calendar app for Nextcloud easily sync events from various devices wit ...)
NOT-FOR-US: Nextcloud addon
CVE-2023-33182 (Contacts app for Nextcloud easily syncs contacts from various devices ...)
@@ -147856,7 +147856,7 @@ CVE-2023-2713 (Authorization Bypass Through User-Controlled Key vulnerability i
CVE-2023-2712 (Unrestricted Upload of File with Dangerous Type vulnerability in "Ren ...)
NOT-FOR-US: Rental Module for Ideasoft's E-commerce Platform
CVE-2023-32677 (Zulip is an open-source team collaboration tool with unique topic-base ...)
- NOT-FOR-US: Zulip
+ - zulip-server <itp> (bug #800052)
CVE-2023-2824 (A vulnerability was found in SourceCodester Dental Clinic Appointment ...)
NOT-FOR-US: SourceCodester Dental Clinic Appointment Reservation System
CVE-2023-2823 (A vulnerability was found in SourceCodester Class Scheduling System 1. ...)
@@ -157701,7 +157701,7 @@ CVE-2023-28625 (mod_auth_openidc is an authentication and authorization module f
CVE-2023-28624
RESERVED
CVE-2023-28623 (Zulip is an open-source team collaboration tool with unique topic-base ...)
- NOT-FOR-US: Zulip
+ - zulip-server <itp> (bug #800052)
CVE-2023-28622 (Auth. (author+) Stored Cross-Site Scripting (XSS) vulnerability in Tri ...)
NOT-FOR-US: WordPress plugin
CVE-2023-28621 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
@@ -176093,7 +176093,7 @@ CVE-2023-22737 (wire-server provides back end services for Wire, a team communic
CVE-2023-22736 (Argo CD is a declarative, GitOps continuous delivery tool for Kubernet ...)
NOT-FOR-US: Argo CD
CVE-2023-22735 (Zulip is an open-source team collaboration tool. In versions of zulip ...)
- NOT-FOR-US: Zulip
+ - zulip-server <itp> (bug #800052)
CVE-2023-22734 (Shopware is an open source commerce platform based on Symfony Framewor ...)
NOT-FOR-US: Shopware
CVE-2023-22733 (Shopware is an open source commerce platform based on Symfony Framewor ...)
@@ -200364,7 +200364,7 @@ CVE-2022-41915 (Netty project is an event-driven asynchronous network applicatio
NOTE: https://github.com/netty/netty/security/advisories/GHSA-hh82-3pmq-7frp
NOTE: Fixed by https://github.com/netty/netty/commit/fe18adff1c2b333acb135ab779a3b9ba3295a1c4 (netty-4.1.86.Final)
CVE-2022-41914 (Zulip is an open-source team collaboration tool. For organizations wit ...)
- NOT-FOR-US: Zulip
+ - zulip-server <itp> (bug #800052)
CVE-2022-41913 (Discourse-calendar is a plugin for the Discourse messaging platform wh ...)
NOT-FOR-US: Discourse plugin
CVE-2022-41912 (The crewjam/saml go library prior to version 0.4.9 is vulnerable to an ...)
@@ -216382,7 +216382,7 @@ CVE-2022-36050
CVE-2022-36049 (Flux2 is a tool for keeping Kubernetes clusters in sync with sources o ...)
NOT-FOR-US: Flux project fluxcd
CVE-2022-36048 (Zulip is an open-source team collaboration tool with topic-based threa ...)
- NOT-FOR-US: Zulip
+ - zulip-server <itp> (bug #800052)
CVE-2022-36047
RESERVED
CVE-2022-36046 (Next.js is a React framework that can provide building blocks to creat ...)
@@ -216569,7 +216569,7 @@ CVE-2022-35964 (TensorFlow is an open source platform for machine learning. The
CVE-2022-35963 (TensorFlow is an open source platform for machine learning. The implem ...)
- tensorflow <itp> (bug #804612)
CVE-2022-35962 (Zulip is an open source team chat and Zulip Mobile is an app for iOS a ...)
- NOT-FOR-US: Zulip
+ - zulip-server <itp> (bug #800052)
CVE-2022-35961 (OpenZeppelin Contracts is a library for secure smart contract developm ...)
NOT-FOR-US: OpenZeppelin
CVE-2022-35960 (TensorFlow is an open source platform for machine learning. In `core/k ...)
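Review bot: the truncated description of CVE-2022-35962 reads "Zulip is an open source team chat and Zulip Mobile is an app for iOS a ...", which suggests the issue may concern the mobile client rather than the server; before associating it with zulip-server, confirm from the full advisory that the server component is affected, otherwise this entry should keep its NOT-FOR-US annotation (optionally qualified as "Zulip Mobile").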
@@ -229984,7 +229984,7 @@ CVE-2022-31170 (OpenZeppelin Contracts is a library for smart contract developme
CVE-2022-31169 (Wasmtime is a standalone runtime for WebAssembly. There is a bug in Wa ...)
NOT-FOR-US: wasmtime
CVE-2022-31168 (Zulip is an open source team chat tool. Due to an incorrect authorizat ...)
- NOT-FOR-US: Zulip
+ - zulip-server <itp> (bug #800052)
CVE-2022-31167 (XWiki Platform Security Parent POM contains the security APIs for XWik ...)
NOT-FOR-US: XWiki
CVE-2022-31166 (XWiki Platform Old Core is a core package for XWiki Platform, a generi ...)
@@ -230073,7 +230073,7 @@ CVE-2022-31136 (Bookwyrm is an open source social reading and reviewing program.
CVE-2022-31135 (Akashi is an open source server implementation of the Attorney Online ...)
NOT-FOR-US: Akashi
CVE-2022-31134 (Zulip is an open-source team collaboration tool. Zulip Server versions ...)
- NOT-FOR-US: Zulip
+ - zulip-server <itp> (bug #800052)
CVE-2022-31133 (HumHub is an Open Source Enterprise Social Network. Affected versions ...)
NOT-FOR-US: HumHub
CVE-2022-31132 (Nextcloud Mail is an email application for the nextcloud personal clou ...)
@@ -573740,7 +573740,7 @@ CVE-2017-0882 (Multiple versions of GitLab expose sensitive user credentials whe
NOTE: https://gitlab.com/gitlab-org/gitlab-ce/issues/29661
NOTE: https://about.gitlab.com/2017/03/20/gitlab-8-dot-17-dot-4-security-release/
CVE-2017-0881 (An error in the implementation of an autosubscribe feature in the chec ...)
- NOT-FOR-US: Zulip
+ - zulip-server <itp> (bug #800052)
CVE-2016-9754 (The ring_buffer_resize function in kernel/trace/ring_buffer.c in the p ...)
- linux 4.6.1-1
[jessie] - linux 3.16.39-1
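Review bot: the visible description of CVE-2017-0881 ("An error in the implementation of an autosubscribe feature in the chec ...") does not name Zulip, so the only basis for the new `- zulip-server <itp> (bug #800052)` line is the previous NOT-FOR-US: Zulip annotation; worth double-checking the full CVE text to confirm the product before carrying the association over.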
@@ -593090,9 +593090,9 @@ CVE-2016-4428 (Cross-site scripting (XSS) vulnerability in OpenStack Dashboard (
- horizon 3:9.0.1-2 (bug #828967)
NOTE: https://bugs.launchpad.net/bugs/1567673
CVE-2016-4427 (In zulip before 1.3.12, deactivated users could access messages if SSO ...)
- NOT-FOR-US: Zulip
+ - zulip-server <itp> (bug #800052)
CVE-2016-4426 (In zulip before 1.3.12, bot API keys were accessible to other users in ...)
- NOT-FOR-US: Zulip
+ - zulip-server <itp> (bug #800052)
CVE-2016-4424
RESERVED
CVE-2016-4423 (The attemptAuthentication function in Component/Security/Http/Firewall ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/48602a08d234e7cdc8dafb3b20141862cf280328