[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Fri Mar 21 07:29:02 GMT 2025
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
342291ff by Moritz Muehlenhoff at 2025-03-21T08:28:50+01:00
NFUs
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -39,9 +39,9 @@ CVE-2025-29923 (go-redis is the official Redis client library for the Go program
NOTE: Fixed by: https://github.com/redis/go-redis/commit/d236865b0cfa1b752ea4b7da666b1fdcd0acebb6
TODO: research introducing commit, might be post 9.5.1
CVE-2025-29922 (kcp is a Kubernetes-like control plane for form-factors and use-cases ...)
- TODO: check
+ NOT-FOR-US: kcp Kubernetes control plane
CVE-2025-29914 (OWASP Coraza WAF is a golang modsecurity compatible web application fi ...)
- TODO: check
+ NOT-FOR-US: OWASP Coraza WAF
CVE-2025-29412 (A cross-site scripting (XSS) vulnerability in the Client Profile Updat ...)
NOT-FOR-US: Mart Developers iBanking
CVE-2025-29411 (An arbitrary file upload vulnerability in the Client Profile Update se ...)
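Review bot: the new `NOT-FOR-US: kcp Kubernetes control plane` line for CVE-2025-29922 uses a free-text description where the other entries in this commit (and the `NOT-FOR-US: OWASP Coraza WAF` line two entries below) name the upstream project; `NOT-FOR-US: kcp` keeps the field greppable and consistent with how the rest of data/CVE/list records the reason. The go-redis `TODO: research introducing commit, might be post 9.5.1` at the top of the hunk is still open after this change.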
@@ -144,7 +144,7 @@ CVE-2024-9847 (FlatPress CMS version latest is vulnerable to Cross-Site Request
CVE-2024-9840 (A Denial of Service (DoS) vulnerability exists in open-webui/open-webu ...)
NOT-FOR-US: open-webui/open-webui
CVE-2024-9701 (A Remote Code Execution (RCE) vulnerability has been identified in the ...)
- TODO: check
+ NOT-FOR-US: Kedro
CVE-2024-9699 (A vulnerability in the file upload functionality of the FlatPress CMS ...)
- flatpress <itp> (bug #466297)
CVE-2024-9617 (An IDOR vulnerability in danswer-ai/danswer v0.3.94 allows an attacker ...)
@@ -246,7 +246,7 @@ CVE-2024-8763 (A Regular Expression Denial of Service (ReDoS) vulnerability exis
CVE-2024-8736 (A Denial of Service (DoS) vulnerability exists in multiple file upload ...)
NOT-FOR-US: parisneo/lollms-webui
CVE-2024-8616 (In h2oai/h2o-3 version 3.46.0, the `/99/Models/{name}/json` endpoint a ...)
- TODO: check
+ NOT-FOR-US: h2oai/h2o-3
CVE-2024-8613 (A vulnerability in gaizhenbiao/chuanhuchatgpt version 20240802 allows ...)
NOT-FOR-US: gaizhenbiao/chuanhuchatgpt
CVE-2024-8581 (A vulnerability in the `upload_app` function of parisneo/lollms-webui ...)
@@ -282,7 +282,7 @@ CVE-2024-8238 (In version 3.22.0 of aimhubio/aim, the AimQL query language uses
CVE-2024-8196 (In mintplex-labs/anything-llm v1.5.11 desktop version for Windows, the ...)
NOT-FOR-US: mintplex-labs/anything-llm
CVE-2024-8183 (A CORS (Cross-Origin Resource Sharing) misconfiguration in prefecthq/p ...)
- TODO: check
+ NOT-FOR-US: Prefect
CVE-2024-8156 (A command injection vulnerability exists in the workflow-checker.yml w ...)
NOT-FOR-US: significant-gravitas/autogpt
CVE-2024-8101 (A stored cross-site scripting (XSS) vulnerability exists in the Text E ...)
@@ -348,13 +348,13 @@ CVE-2024-7776 (A vulnerability in the `download_model` function of the onnx/onnx
CVE-2024-7773 (A vulnerability in ollama/ollama version 0.1.37 allows for remote code ...)
- ollama <itp> (bug #1094806)
CVE-2024-7771 (A vulnerability in the Dockerized version of mintplex-labs/anything-ll ...)
- TODO: check
+ NOT-FOR-US: anything-llm
CVE-2024-7768 (A vulnerability in the `/3/ImportFiles` endpoint of h2oai/h2o-3 versio ...)
- TODO: check
+ NOT-FOR-US: h2oai/h2o-3
CVE-2024-7767 (An improper access control vulnerability exists in danswer-ai/danswer ...)
NOT-FOR-US: danswer-ai/danswer
CVE-2024-7765 (In h2oai/h2o-3 version 3.46.0.2, a vulnerability exists where uploadin ...)
- TODO: check
+ NOT-FOR-US: h2oai/h2o-3
CVE-2024-7764 (Vanna-ai v0.6.2 is vulnerable to SQL Injection due to insufficient pro ...)
NOT-FOR-US: Vanna-ai
CVE-2024-7760 (aimhubio/aim version 3.22.0 contains a Cross-Site Request Forgery (CSR ...)
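Review bot: `NOT-FOR-US: anything-llm` for CVE-2024-7771 names the same project that CVE-2024-8196 in the hunk above records as `NOT-FOR-US: mintplex-labs/anything-llm`; using the owner/repo form here too avoids two spellings of one upstream in the same file. The three h2oai/h2o-3 lines in this hunk already follow the owner/repo convention.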
@@ -394,9 +394,9 @@ CVE-2024-6982 (A remote code execution vulnerability exists in the Calculate fun
CVE-2024-6866 (corydolphin/flask-cors version 4.01 contains a vulnerability where the ...)
TODO: check
CVE-2024-6863 (In h2oai/h2o-3 version 3.46.0, an endpoint exposing a custom Encryptio ...)
- TODO: check
+ NOT-FOR-US: h2oai/h2o-3
CVE-2024-6854 (In h2oai/h2o-3 version 3.46.0, the endpoint for exporting models does ...)
- TODO: check
+ NOT-FOR-US: h2oai/h2o-3
CVE-2024-6851 (In version 3.22.0 of aimhubio/aim, the LocalFileManager._cleanup funct ...)
NOT-FOR-US: aimhubio/aim
CVE-2024-6844 (A vulnerability in corydolphin/flask-cors version 4.0.1 allows for inc ...)
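Review bot: CVE-2024-6866 (corydolphin/flask-cors) is left at `TODO: check` while the two h2oai/h2o-3 entries around it are triaged; since flask-cors is a Flask extension rather than an AI web UI like its neighbours, it is worth resolving against the archive before this block is considered done, and its description gives the version as `4.01` where CVE-2024-6844 below writes `4.0.1`, so the affected-version text should be double-checked at the same time.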
@@ -434,7 +434,7 @@ CVE-2024-48591 (Inflectra SpiraTeam 7.2.00 is vulnerable to Cross Site Scripting
CVE-2024-48590 (Inflectra SpiraTeam 7.2.00 is vulnerable to Server-Side Request Forger ...)
NOT-FOR-US: Inflectra SpiraTeam
CVE-2024-2292 (Due to a lack of access control, unauthorized users are able to view a ...)
- TODO: check
+ NOT-FOR-US: changeweb/unifiedtransform
CVE-2024-13923 (The Order Export & Order Import for WooCommerce plugin for WordPress i ...)
NOT-FOR-US: WordPress plugin
CVE-2024-13922 (The Order Export & Order Import for WooCommerce plugin for WordPress i ...)
@@ -446,7 +446,7 @@ CVE-2024-13920 (The Order Export & Order Import for WooCommerce plugin for WordP
CVE-2024-13558 (The NP Quote Request for WooCommerce plugin for WordPress is vulnerabl ...)
NOT-FOR-US: WordPress plugin
CVE-2024-13060 (A vulnerability in AnythingLLM Docker version 1.3.1 allows users with ...)
- TODO: check
+ NOT-FOR-US: anything-llm
CVE-2024-12911 (A vulnerability in the `default_jsonalyzer` function of the `JSONalyze ...)
NOT-FOR-US: run-llama/llama_index
CVE-2024-12910 (A vulnerability in the `KnowledgeBaseWebReader` class of the run-llama ...)
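Review bot: `NOT-FOR-US: anything-llm` for CVE-2024-13060 again differs from the `NOT-FOR-US: mintplex-labs/anything-llm` form used for CVE-2024-8196 elsewhere in this file; pick one spelling for the project so the NOT-FOR-US entries can be matched by a single grep.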
@@ -468,9 +468,9 @@ CVE-2024-12869 (In infiniflow/ragflow version v0.12.0, there is an improper auth
CVE-2024-12868 (In version 0.3.32 of open-webui, the application uses a vulnerable ver ...)
NOT-FOR-US: open-webui/open-webui
CVE-2024-12866 (A local file inclusion vulnerability exists in netease-youdao/qanythin ...)
- TODO: check
+ NOT-FOR-US: netease-youdao/qanything
CVE-2024-12864 (A Denial of Service (DoS) vulnerability was discovered in the file upl ...)
- TODO: check
+ NOT-FOR-US: netease-youdao/qanything
CVE-2024-12779 (A Server-Side Request Forgery (SSRF) vulnerability exists in infiniflo ...)
NOT-FOR-US: infiniflow/ragflow
CVE-2024-12778 (A vulnerability in aimhubio/aim version 3.25.0 allows for a denial of ...)
@@ -490,7 +490,7 @@ CVE-2024-12760 (An open redirect vulnerability in bentoml/bentoml v1.3.9 allows
CVE-2024-12759 (In bentoml/bentoml version 1.3.9, the `/login` endpoint of the newly i ...)
NOT-FOR-US: bentoml/bentoml
CVE-2024-12720 (A Regular Expression Denial of Service (ReDoS) vulnerability was ident ...)
- TODO: check
+ NOT-FOR-US: huggingface/transformers
CVE-2024-12704 (A vulnerability in the LangChainLLM class of the run-llama/llama_index ...)
NOT-FOR-US: run-llama/llama_index
CVE-2024-12580 (A vulnerability in danny-avila/librechat prior to version 0.7.6 allows ...)
@@ -524,9 +524,9 @@ CVE-2024-12374 (A stored cross-site scripting (XSS) vulnerability exists in auto
CVE-2024-12217 (A vulnerability in the gradio-app/gradio repository, version git 67e40 ...)
NOT-FOR-US: Gradio
CVE-2024-12216 (A vulnerability in the `ImageClassificationDataset.from_csv()` API of ...)
- TODO: check
+ NOT-FOR-US: gluon_cv
CVE-2024-12215 (In kedro-org/kedro version 0.19.8, the `pull_package()` API function a ...)
- TODO: check
+ NOT-FOR-US: Kedro
CVE-2024-12074 (A Denial of Service (DoS) vulnerability was discovered in the file upl ...)
NOT-FOR-US: automatic1111/stable-diffusion-webui
CVE-2024-12070 (A Denial of Service (DoS) vulnerability exists in the file upload feat ...)
@@ -566,7 +566,7 @@ CVE-2024-11449 (A vulnerability in haotian-liu/llava version 1.2.0 (LLaVA-1.6) a
CVE-2024-11441 (A stored cross-site scripting (XSS) vulnerability exists in Serge vers ...)
NOT-FOR-US: Serge
CVE-2024-11302 (A missing check_access() function in the lollms_binding_infos module o ...)
- TODO: check
+ NOT-FOR-US: parisneo/lollms
CVE-2024-11301 (In lunary-ai/lunary before version 1.6.3, the application allows the c ...)
NOT-FOR-US: lunary-ai/lunary
CVE-2024-11300 (In lunary-ai/lunary before version 1.6.3, an improper access control v ...)
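Review bot: `NOT-FOR-US: parisneo/lollms` for CVE-2024-11302 sits next to existing `NOT-FOR-US: parisneo/lollms-webui` entries (for example CVE-2024-8736 and CVE-2024-8581 earlier in this file); if the `lollms_binding_infos` module named in the description belongs to the same upstream tree as those, the same identifier should be used, and if it is a separate project the distinct name is fine but worth confirming in the commit.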
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/342291ff2fc2d42da5ec50ac960898a9feefeabe