[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Thu Mar 20 20:36:38 GMT 2025
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
a6abc538 by Salvatore Bonaccorso at 2025-03-20T21:36:18+01:00
Process some NFUs
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -85,11 +85,11 @@ CVE-2025-1040 (AutoGPT versions 0.3.4 and earlier are vulnerable to a Server-Sid
CVE-2025-0655 (A vulnerability in man-group/dtale versions 3.15.1 allows an attacker ...)
NOT-FOR-US: man-group/dtale
CVE-2025-0628 (An improper authorization vulnerability exists in the main-latest vers ...)
- TODO: check
+ NOT-FOR-US: BerriAI/litellm
CVE-2025-0508 (A vulnerability in the SageMaker Workflow component of aws/sagemaker-p ...)
NOT-FOR-US: SageMaker
CVE-2025-0454 (A Server-Side Request Forgery (SSRF) vulnerability was identified in t ...)
- TODO: check
+ NOT-FOR-US: significant-gravitas/autogpt
CVE-2025-0453 (In mlflow/mlflow version 2.17.2, the `/graphql` endpoint is vulnerable ...)
NOT-FOR-US: mlflow
CVE-2025-0452 (eosphoros-ai/DB-GPT version latest is vulnerable to arbitrary file del ...)
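Review bot: The new tag for CVE-2025-0628 uses "NOT-FOR-US: BerriAI/litellm" while the later entry for CVE-2024-9606 in the same file uses "NOT-FOR-US: berriai/litellm"; pick one spelling (the lowercase GitHub slug matches the other project names in this file) so that searches and grouping by upstream stay consistent.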
@@ -105,53 +105,53 @@ CVE-2025-0313 (A vulnerability in ollama/ollama versions <=0.3.14 allows a malic
CVE-2025-0312 (A vulnerability in ollama/ollama versions <=0.3.14 allows a malicious ...)
- ollama <itp> (bug #1094806)
CVE-2025-0281 (A stored cross-site scripting (XSS) vulnerability exists in lunary-ai/ ...)
- TODO: check
+ NOT-FOR-US: lunary-ai/lunary
CVE-2025-0254 (HCL Digital Experience components Ring API and dxclient may be vulnera ...)
NOT-FOR-US: HCL
CVE-2025-0192 (A stored Cross-site Scripting (XSS) vulnerability exists in the latest ...)
- TODO: check
+ NOT-FOR-US: wandb/openui
CVE-2025-0191 (A Denial of Service (DoS) vulnerability exists in the file upload feat ...)
- TODO: check
+ NOT-FOR-US: gaizhenbiao/chuanhuchatgpt
CVE-2025-0190 (In version 3.25.0 of aimhubio/aim, a denial of service vulnerability e ...)
- TODO: check
+ NOT-FOR-US: aimhubio/aim
CVE-2025-0189 (In version 3.25.0 of aimhubio/aim, the tracking server is vulnerable t ...)
- TODO: check
+ NOT-FOR-US: aimhubio/aim
CVE-2025-0188 (A Server-Side Request Forgery (SSRF) vulnerability was discovered in g ...)
- TODO: check
+ NOT-FOR-US: gaizhenbiao/chuanhuchatgpt
CVE-2025-0187 (A Denial of Service (DoS) vulnerability was discovered in the file upl ...)
- TODO: check
+ NOT-FOR-US: Gradio
CVE-2025-0185 (A vulnerability in the Dify Tools' Vanna module of the langgenius/dify ...)
TODO: check
CVE-2025-0184 (A Server-Side Request Forgery (SSRF) vulnerability was identified in l ...)
- TODO: check
+ NOT-FOR-US: langgenius/dify
CVE-2025-0183 (A stored cross-site scripting (XSS) vulnerability exists in the Latex ...)
- TODO: check
+ NOT-FOR-US: binary-husky/gpt_academic
CVE-2025-0182 (A vulnerability in danswer-ai/danswer version 0.9.0 allows for denial ...)
- TODO: check
+ NOT-FOR-US: danswer-ai/danswer
CVE-2024-9920 (In version v12 of parisneo/lollms-webui, the 'Send file to AL' functio ...)
- TODO: check
+ NOT-FOR-US: parisneo/lollms-webui
CVE-2024-9919 (A missing authentication check in the uninstall endpoint of parisneo/l ...)
- TODO: check
+ NOT-FOR-US: parisneo/lollms-webui
CVE-2024-9901 (LocalAI version v2.19.4 (af0545834fd565ab56af0b9348550ca9c3cb5349) con ...)
- TODO: check
+ NOT-FOR-US: LocalAI
CVE-2024-9900 (mudler/localai version v2.21.1 contains a Cross-Site Scripting (XSS) v ...)
- TODO: check
+ NOT-FOR-US: LocalAI
CVE-2024-9880 (A command injection vulnerability exists in the `pandas.DataFrame.quer ...)
TODO: check
CVE-2024-9847 (FlatPress CMS version latest is vulnerable to Cross-Site Request Forge ...)
TODO: check
CVE-2024-9840 (A Denial of Service (DoS) vulnerability exists in open-webui/open-webu ...)
- TODO: check
+ NOT-FOR-US: open-webui/open-webui
CVE-2024-9701 (A Remote Code Execution (RCE) vulnerability has been identified in the ...)
TODO: check
CVE-2024-9699 (A vulnerability in the file upload functionality of the FlatPress CMS ...)
TODO: check
CVE-2024-9617 (An IDOR vulnerability in danswer-ai/danswer v0.3.94 allows an attacker ...)
- TODO: check
+ NOT-FOR-US: danswer-ai/danswer
CVE-2024-9612 (In danswer-ai/danswer v0.3.94, administrators can set the visibility o ...)
- TODO: check
+ NOT-FOR-US: danswer-ai/danswer
CVE-2024-9606 (In berriai/litellm before version 1.44.12, the `litellm/litellm_core_u ...)
- TODO: check
+ NOT-FOR-US: berriai/litellm
CVE-2024-9597 (A Path Traversal vulnerability exists in the `/wipe_database` endpoint ...)
TODO: check
CVE-2024-9447 (An information disclosure vulnerability exists in the latest version o ...)
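Review bot: CVE-2025-0185 (langgenius/dify, Vanna module) is left as "TODO: check" while the neighbouring CVE-2025-0184 is resolved as "NOT-FOR-US: langgenius/dify" in the same hunk; if dify is not packaged in Debian, the same verdict applies and the entry could be processed here rather than left for a second pass. Also worth a second look: the truncated description for CVE-2025-0187 ("file upl ...") does not name a project, so the "NOT-FOR-US: Gradio" assignment cannot be checked against the visible text the way the other entries can.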
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a6abc538ff4e7f9cad485202df25a02284800485