[Git][security-tracker-team/security-tracker][master] 2 commits: auto-nfu: Add product based rule for Microsoft
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Fri Mar 21 08:41:57 GMT 2025
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
099d42b8 by Moritz Muehlenhoff at 2025-03-21T09:37:34+01:00
auto-nfu: Add product based rule for Microsoft
- - - - -
26cad0cf by Moritz Muehlenhoff at 2025-03-21T09:41:34+01:00
NFUs
- - - - -
2 changed files:
- data/CVE/list
- data/packages/nfu.yaml
Changes:
=====================================
data/CVE/list
=====================================
@@ -31,9 +31,9 @@ CVE-2025-2538 (A specific type of ArcGIS Enterprise deployment, is vulnerable to
CVE-2025-2198
REJECTED
CVE-2025-29814 (Improper authorization in Microsoft Partner Center allows an authorize ...)
- TODO: check
+ NOT-FOR-US: Microsoft
CVE-2025-29807 (Deserialization of untrusted data in Microsoft Dataverse allows an aut ...)
- TODO: check
+ NOT-FOR-US: Microsoft
CVE-2025-26336 (Dell Chassis Management Controller Firmware for Dell PowerEdge FX2, ve ...)
NOT-FOR-US: Dell / EMC
CVE-2025-25758 (An issue in KukuFM Android v1.12.7 (11207) allows attackers to access ...)
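Review bot: the two new entries use the vendor-wide reason `NOT-FOR-US: Microsoft`, while the nfu.yaml rule added in the same push is scoped to the two products (`Microsoft Partner Center`, `Microsoft Dataverse`); naming the product here, e.g. `NOT-FOR-US: Microsoft Partner Center`, records why the CVE is not for Debian (a hosted service, not something Microsoft publishes that could be packaged) and keeps the manual entries consistent with what the rule keys on.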
@@ -686,7 +686,7 @@ CVE-2024-10950 (In binary-husky/gpt_academic version <= 3.83, the plugin `CodeIn
CVE-2024-10948 (A vulnerability in the upload function of binary-husky/gpt_academic al ...)
NOT-FOR-US: binary-husky/gpt_academic
CVE-2024-10940 (A vulnerability in langchain-core versions >=0.1.17,<0.1.53, >=0.2.0,< ...)
- TODO: check
+ NOT-FOR-US: langchain-core
CVE-2024-10935 (automatic1111/stable-diffusion-webui version 1.10.0 contains a vulnera ...)
NOT-FOR-US: automatic1111/stable-diffusion-webui
CVE-2024-10912 (A Denial of Service (DoS) vulnerability exists in the file upload feat ...)
@@ -742,7 +742,7 @@ CVE-2024-10718 (In phpipam/phpipam version 1.5.1, the Secure attribute for sensi
CVE-2024-10714 (A vulnerability in binary-husky/gpt_academic version 3.83 allows an at ...)
NOT-FOR-US: binary-husky/gpt_academic
CVE-2024-10713 (A vulnerability in szad670401/hyperlpr v3.0 allows for a Denial of Ser ...)
- TODO: check
+ NOT-FOR-US: szad670401/hyperlpr
CVE-2024-10707 (gaizhenbiao/chuanhuchatgpt version git d4ec6a3 is affected by a local ...)
NOT-FOR-US: gaizhenbiao/chuanhuchatgpt
CVE-2024-10650 (An unauthenticated Denial of Service (DoS) vulnerability was identifie ...)
@@ -752,67 +752,67 @@ CVE-2024-10648 (A path traversal vulnerability exists in the Gradio Audio compon
CVE-2024-10624 (A Regular Expression Denial of Service (ReDoS) vulnerability exists in ...)
NOT-FOR-US: Gradio
CVE-2024-10572 (In h2oai/h2o-3 version 3.46.0.1, the `run_tool` command exposes classe ...)
- TODO: check
+ NOT-FOR-US: h2oai/h2o-3
CVE-2024-10569 (A vulnerability in the dataframe component of gradio-app/gradio (versi ...)
NOT-FOR-US: Gradio
CVE-2024-10553 (A vulnerability in the h2oai/h2o-3 REST API versions 3.46.0.4 allows u ...)
- TODO: check
+ NOT-FOR-US: h2oai/h2o-3
CVE-2024-10550 (A vulnerability in the `/3/ParseSetup` endpoint of h2oai/h2o-3 version ...)
- TODO: check
+ NOT-FOR-US: h2oai/h2o-3
CVE-2024-10549 (A vulnerability in the `/3/Parse` endpoint of h2oai/h2o-3 version 3.46 ...)
- TODO: check
+ NOT-FOR-US: h2oai/h2o-3
CVE-2024-10513 (A path traversal vulnerability exists in the 'document uploads manager ...)
- TODO: check
+ NOT-FOR-US: anything-llm
CVE-2024-10481 (A CSRF vulnerability exists in comfyanonymous/comfyui versions up to v ...)
- TODO: check
+ NOT-FOR-US: comfyanonymous/comfyui
CVE-2024-10457 (Multiple Server-Side Request Forgery (SSRF) vulnerabilities were ident ...)
- TODO: check
+ NOT-FOR-US: significant-gravitas/autogpt
CVE-2024-10366 (An improper access control vulnerability (IDOR) exists in the delete a ...)
- TODO: check
+ NOT-FOR-US: danny-avila/librechat
CVE-2024-10363 (In version 0.7.5 of danny-avila/LibreChat, there is an improper access ...)
- TODO: check
+ NOT-FOR-US: danny-avila/librechat
CVE-2024-10361 (An arbitrary file deletion vulnerability exists in danny-avila/librech ...)
- TODO: check
+ NOT-FOR-US: danny-avila/librechat
CVE-2024-10359 (In danny-avila/librechat version v0.7.5-rc2, a vulnerability exists in ...)
- TODO: check
+ NOT-FOR-US: danny-avila/librechat
CVE-2024-10330 (In lunary-ai/lunary version 1.5.6, the `/v1/evaluators/` endpoint lack ...)
- TODO: check
+ NOT-FOR-US: lunary-ai/lunary
CVE-2024-10275 (In version 1.5.5 of lunary-ai/lunary, a vulnerability exists where adm ...)
- TODO: check
+ NOT-FOR-US: lunary-ai/lunary
CVE-2024-10274 (An improper authorization vulnerability exists in lunary-ai/lunary ver ...)
- TODO: check
+ NOT-FOR-US: lunary-ai/lunary
CVE-2024-10273 (In lunary-ai/lunary v1.5.0, improper privilege management in the model ...)
- TODO: check
+ NOT-FOR-US: lunary-ai/lunary
CVE-2024-10272 (lunary-ai/lunary is vulnerable to broken access control in the latest ...)
- TODO: check
+ NOT-FOR-US: lunary-ai/lunary
CVE-2024-10267 (An information disclosure vulnerability exists in the latest version o ...)
- TODO: check
+ NOT-FOR-US: transformeroptimus/superagi
CVE-2024-10264 (HTTP Request Smuggling vulnerability in netease-youdao/qanything versi ...)
- TODO: check
+ NOT-FOR-US: netease-youdao/qanything
CVE-2024-10252 (A vulnerability in langgenius/dify versions <=v0.9.1 allows for code i ...)
- TODO: check
+ NOT-FOR-US: langgenius/dify
CVE-2024-10225 (A vulnerability in haotian-liu/llava v1.2.0 allows an attacker to caus ...)
- TODO: check
+ NOT-FOR-US: haotian-liu/llava
CVE-2024-10190 (Horovod versions up to and including v0.28.1 are vulnerable to unauthe ...)
- TODO: check
+ NOT-FOR-US: Horovod
CVE-2024-10188 (A vulnerability in BerriAI/litellm, as of commit 26c03c9, allows unaut ...)
- TODO: check
+ NOT-FOR-US: BerriAI/litellm
CVE-2024-10110 (In version 3.23.0 of aimhubio/aim, the ScheduledStatusReporter object ...)
- TODO: check
+ NOT-FOR-US: aimhubio/aim
CVE-2024-10109 (A vulnerability in the mintplex-labs/anything-llm repository, as of co ...)
- TODO: check
+ NOT-FOR-US: anything-llm
CVE-2024-10096 (Dask versions <=2024.8.2 contain a vulnerability in the Dask Distribut ...)
TODO: check
CVE-2024-10051 (Realchar version v0.0.4 is vulnerable to an unauthenticated denial of ...)
- TODO: check
+ NOT-FOR-US: Realchar
CVE-2024-10047 (parisneo/lollms-webui versions v9.9 to the latest are vulnerable to a ...)
- TODO: check
+ NOT-FOR-US: parisneo/lollms-webui
CVE-2024-10019 (A vulnerability in the `start_app_server` function of parisneo/lollms- ...)
- TODO: check
+ NOT-FOR-US: parisneo/lollms-webui
CVE-2024-0640 (A stored cross-site scripting (XSS) vulnerability exists in chatwoot/c ...)
- TODO: check
+ NOT-FOR-US: chatwoot/chatwoot
CVE-2024-0245 (A misconfiguration in the AndroidManifest.xml file in hamza417/inure b ...)
- TODO: check
+ NOT-FOR-US: hamza417/inure
CVE-2025-30259 (The WhatsApp cloud service before late 2024 did not block certain craf ...)
NOT-FOR-US: WhatsApp
CVE-2025-30092 (Intrexx Portal Server 12.x <= 12.0.2 and 11.x <= 11.9.2 allows XSS in ...)
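Review bot: the NOT-FOR-US reasons in this hunk mix bare names (`Horovod`, `Realchar`, `anything-llm`) with `owner/repo` slugs (`danny-avila/librechat`, `BerriAI/litellm`), and CVE-2024-10513 and CVE-2024-10109 both say `anything-llm` although the latter's description gives `mintplex-labs/anything-llm`; settling on the `owner/repo` form used by most entries here keeps the list greppable. CVE-2024-10096 (Dask) is the one entry in this batch left at `TODO: check`, which is the right call since dask is packaged in Debian (python-dask), but a short qualifier such as `TODO: check, dask is in Debian` would make that deliberate rather than look like a missed line.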
=====================================
data/packages/nfu.yaml
=====================================
@@ -144,6 +144,12 @@
- cna: JetBrains
- not:
product: IntelliJ IDEA
+- reason: Microsoft
+ allOf:
+ - cna: microsoft
+ - anyOf:
+ - product: Microsoft Partner Center
+ - product: Microsoft Dataverse
# Description based rules
- reason: code-projects
description: '.*\b(?i:code-projects)\s.*\s(?i:system)\b.*'
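Review bot: `cna: microsoft` is lower-case while the neighbouring rule uses `cna: JetBrains`; if `cna` is compared literally against the CNA shortName in the CVE record (Microsoft's is the lower-case `microsoft`), a comment saying so would stop a later contributor from "normalising" the casing and silently breaking the rule. The `product:` values are exact strings, and unlike the `description:` rule just below, which is visibly a regex, nothing here states whether `product` is matched literally or as a pattern; either document the match semantics at the top of the product-based section or, if regexes are accepted, loosen the two products so records that word the product field differently are still caught.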
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/9c05f2c6fa5add9f47c83f6099eeb9c76d180068...26cad0cfbdb6223cfcd6693dffe81109b8f200d4