[Git][security-tracker-team/security-tracker][master] Remove notes from CVE-2025-23122

Salvatore Bonaccorso (@carnil) carnil at debian.org
Mon May 19 21:31:29 BST 2025 


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
06845dc2 by Salvatore Bonaccorso at 2025-05-19T22:19:37+02:00
Remove notes from CVE-2025-23122

After thinking bit more on this: The CVE-2025-23165 is more widespread
and was used as well in the Node.js advisory. As both CVEs were assigned
by the same CNA, a rejection of the CVE-2025-23122 might be possible.

Thus mark the CVE already in advance just with a note.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -479,13 +479,7 @@ CVE-2025-23164 (A misconfigured access token mechanism in the Unifi Protect Appl
 CVE-2025-23123 (A malicious actor with access to the management network could execute  ...)
 	NOT-FOR-US: UniFi Protect
 CVE-2025-23122 (In Node.js, the `ReadFileUtf8` internal binding leaks memory due to a  ...)
-	- nodejs 20.19.2+dfsg-1 (bug #1105832)
-	[bullseye] - nodejs <not-affected> (The vulnerable code was introduced later)
-	NOTE: https://nodejs.org/en/blog/vulnerability/may-2025-security-releases#corrupted-pointer-in-nodefsreadfileutf8const-functioncallbackinfovalue-args-when-args0-is-a-string-cve-2025-23165---low
-	NOTE: https://github.com/nodejs/node/issues/57800
-	NOTE: Fixed by: https://github.com/nodejs/node/commit/9e13bf0a81e15c7b3a9f1826dccbcea991d7e63a (v20.19.2)
-	NOTE: Introduced by: https://github.com/nodejs/node/commit/938471ef556f2d64257059b60889a8c84621eea6 (v20.8.0)
-	TODO: check, duplicate of CVE-2025-23165, contacting both CNAs to see which to retain
+	NOTE: Duplicate of CVE-2025-23165 (CNA contacted for rejection)
 CVE-2025-1627 (The Qi Blocks WordPress plugin before 1.4 does not validate and escape ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2025-1626 (The Qi Blocks WordPress plugin before 1.4 does not validate and escape ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/06845dc20f09513464892edea262b3672789567d

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/06845dc20f09513464892edea262b3672789567d
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20250519/5faa36f0/attachment.htm>

More information about the debian-security-tracker-commits mailing list