Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits: 56889653 by security tracker role at 2022-03-28T20:10:26+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: ===================================== data/CVE/list ===================================== @@ -1,3 +1,35 @@ +CVE-2022-28128 + RESERVED +CVE-2022-27496 + RESERVED +CVE-2022-25348 + RESERVED +CVE-2022-1122 + RESERVED +CVE-2022-1121 + RESERVED +CVE-2022-1120 + RESERVED +CVE-2022-1119 + RESERVED +CVE-2022-1118 + RESERVED +CVE-2022-1117 + RESERVED +CVE-2022-1116 + RESERVED +CVE-2022-1115 + RESERVED +CVE-2022-1114 + RESERVED +CVE-2022-1113 + RESERVED +CVE-2022-1112 + RESERVED +CVE-2022-1111 + RESERVED +CVE-2020-36520 + RESERVED CVE-2022-28125 RESERVED CVE-2022-28124 @@ -1084,8 +1116,8 @@ CVE-2022-27664 RESERVED CVE-2022-27663 RESERVED -CVE-2022-27658 - RESERVED +CVE-2022-27658 (Under certain conditions, SAP Innovation management - version 2.0, all ...) + TODO: check CVE-2022-27657 RESERVED CVE-2022-27656 @@ -1102,8 +1134,8 @@ CVE-2022-26420 RESERVED CVE-2022-26075 RESERVED -CVE-2022-1056 - RESERVED +CVE-2022-1056 (Out-of-bounds Read error in tiffcrop in libtiff 4.3.0 allows attackers ...) + TODO: check CVE-2022-XXXX [Possible man-in-the-middle attack in TLS connection to servers] - weechat 3.4.1-1 [stretch] - weechat <not-affected> (Vulnerable code introduced later) @@ -2848,8 +2880,8 @@ CVE-2022-26981 (Liblouis through 3.21.0 has a buffer overflow in compilePassOpco [bullseye] - liblouis <no-dsa> (Minor issue) [buster] - liblouis <no-dsa> (Minor issue) NOTE: https://github.com/liblouis/liblouis/issues/1171 -CVE-2022-26980 - RESERVED +CVE-2022-26980 (Teampass 2.1.26 allows reflected XSS via the index.php PATH_INFO. ...) + TODO: check CVE-2022-0942 (Stored XSS due to Unrestricted File Upload in GitHub repository star7t ...) NOT-FOR-US: ShowDoc CVE-2022-0941 (Stored XSS due to Unrestricted File Upload in GitHub repository star7t ...) @@ -4347,8 +4379,8 @@ CVE-2022-0847 (A flaw was found in the way the "flags" member of the new pipe bu NOTE: https://git.kernel.org/linus/9d2231c5d74e13b2a0546fee6737ee4446017903 (5.17-rc6) NOTE: https://www.openwall.com/lists/oss-security/2022/03/07/1 NOTE: https://dirtypipe.cm4all.com/ -CVE-2022-0846 - RESERVED +CVE-2022-0846 (The SpeakOut! Email Petitions WordPress plugin before 2.14.15.1 does n ...) + TODO: check CVE-2022-0845 (Code Injection in GitHub repository pytorchlightning/pytorch-lightning ...) NOT-FOR-US: pytorchlightning CVE-2022-26387 @@ -4475,8 +4507,8 @@ CVE-2022-0835 RESERVED CVE-2022-0834 (The Amelia WordPress plugin is vulnerable to Cross-Site Scripting due ...) NOT-FOR-US: WordPress plugin -CVE-2022-0833 - RESERVED +CVE-2022-0833 (The Church Admin WordPress plugin before 3.4.135 does not have authori ...) + TODO: check CVE-2022-0832 (Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimco ...) NOT-FOR-US: pimcore CVE-2022-0831 (Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimco ...) @@ -4563,8 +4595,8 @@ CVE-2022-0820 (Cross-site Scripting (XSS) - Stored in GitHub repository orchardc NOT-FOR-US: Orchard CMS CVE-2022-0819 (Code Injection in GitHub repository dolibarr/dolibarr prior to 15.0.1. ...) - dolibarr <removed> -CVE-2022-0818 - RESERVED +CVE-2022-0818 (The WooCommerce Affiliate Plugin WordPress plugin before 4.16.4.5 does ...) + TODO: check CVE-2022-0817 RESERVED CVE-2022-0816 @@ -5103,14 +5135,14 @@ CVE-2022-0789 NOTE: https://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop.html CVE-2022-0788 RESERVED -CVE-2022-0787 - RESERVED +CVE-2022-0787 (The Limit Login Attempts (Spam Protection) WordPress plugin before 5.1 ...) + TODO: check CVE-2022-0786 RESERVED CVE-2022-0785 RESERVED -CVE-2022-0784 - RESERVED +CVE-2022-0784 (The Title Experiments Free WordPress plugin before 9.0.1 does not sani ...) + TODO: check CVE-2022-0783 RESERVED CVE-2022-0782 @@ -5141,8 +5173,8 @@ CVE-2022-0772 (Cross-site Scripting (XSS) - Stored in GitHub repository librenms NOT-FOR-US: LibreNMS CVE-2022-0771 RESERVED -CVE-2022-0770 - RESERVED +CVE-2022-0770 (The Translate WordPress with GTranslate WordPress plugin before 2.9.9 ...) + TODO: check CVE-2022-0769 RESERVED CVE-2022-0768 (Server-Side Request Forgery (SSRF) in GitHub repository rudloff/alltub ...) @@ -5836,8 +5868,7 @@ CVE-2022-0753 (Cross-site Scripting (XSS) - Reflected in GitHub repository hesti NOT-FOR-US: Hestia Control Panel CVE-2022-0752 (Cross-site Scripting (XSS) - Generic in GitHub repository hestiacp/hes ...) NOT-FOR-US: Hestia Control Panel -CVE-2022-0751 - RESERVED +CVE-2022-0751 (Inaccurate display of Snippet files containing special characters in a ...) [experimental] - gitlab 14.6.5+ds1-1 - gitlab <unfixed> NOTE: https://about.gitlab.com/releases/2022/02/25/critical-security-release-gitlab-14-8-2-released/ @@ -5937,16 +5968,14 @@ CVE-2022-0740 RESERVED CVE-2022-0739 (The BookingPress WordPress plugin before 1.0.11 fails to properly sani ...) NOT-FOR-US: WordPress plugin -CVE-2022-0738 - RESERVED +CVE-2022-0738 (An issue has been discovered in GitLab affecting all versions starting ...) - gitlab <not-affected> (Vulnerable code introduced later) NOTE: https://about.gitlab.com/releases/2022/02/25/critical-security-release-gitlab-14-8-2-released/ CVE-2022-0737 RESERVED CVE-2022-0736 (Insecure Temporary File in GitHub repository mlflow/mlflow prior to 1. ...) NOT-FOR-US: mlflow -CVE-2022-0735 - RESERVED +CVE-2022-0735 (An issue has been discovered in GitLab CE/EE affecting all versions st ...) [experimental] - gitlab 14.6.5+ds1-1 - gitlab <unfixed> NOTE: https://about.gitlab.com/releases/2022/02/25/critical-security-release-gitlab-14-8-2-released/ @@ -6317,8 +6346,8 @@ CVE-2022-0722 RESERVED CVE-2022-0721 (Insertion of Sensitive Information Into Debugging Code in GitHub repos ...) NOT-FOR-US: microweber -CVE-2022-0720 - RESERVED +CVE-2022-0720 (The Amelia WordPress plugin before 1.0.47 does not have proper authori ...) + TODO: check CVE-2022-0719 (Cross-site Scripting (XSS) - Reflected in GitHub repository microweber ...) NOT-FOR-US: microweber CVE-2022-0718 @@ -7156,10 +7185,10 @@ CVE-2022-0682 RESERVED CVE-2022-0681 (The Simple Membership WordPress plugin before 4.1.0 does not have CSRF ...) NOT-FOR-US: WordPress plugin -CVE-2022-0680 - RESERVED -CVE-2022-0679 - RESERVED +CVE-2022-0680 (The Plezi WordPress plugin before 1.0.3 has a REST endpoint allowing u ...) + TODO: check +CVE-2022-0679 (The Narnoo Distributor WordPress plugin through 2.5.1 fails to validat ...) + TODO: check CVE-2022-0678 (Cross-site Scripting (XSS) - Reflected in Packagist microweber/microwe ...) NOT-FOR-US: microweber CVE-2022-0677 @@ -7435,8 +7464,8 @@ CVE-2022-21142 (Authentication bypass vulnerability in a-blog cms Ver.2.8.x seri NOT-FOR-US: a-blog cms CVE-2022-0648 (The Team Circle Image Slider With Lightbox WordPress plugin before 1.0 ...) NOT-FOR-US: WordPress plugin -CVE-2022-0647 - RESERVED +CVE-2022-0647 (The Bulk Creator WordPress plugin through 1.0.1 does not sanitize and ...) + TODO: check CVE-2022-0646 (A flaw use after free in the Linux kernel Management Component Transpo ...) - linux <not-affected> (Vulnerable code introduced later) NOTE: https://lore.kernel.org/all/20220211011552.1861886-1...@codeconstruct.com.au/T/ @@ -7449,12 +7478,12 @@ CVE-2022-0644 [vfs: check fd has read access in kernel_read_file_from_fd()] [bullseye] - linux 5.10.84-1 [stretch] - linux 4.9.290-1 NOTE: https://git.kernel.org/linus/032146cda85566abcd1c4884d9d23e4e30a07e9a (5.15-rc7) -CVE-2022-0643 - RESERVED +CVE-2022-0643 (The Bank Mellat WordPress plugin through 1.3.7 does not sanitize and e ...) + TODO: check CVE-2022-0642 RESERVED -CVE-2022-0641 - RESERVED +CVE-2022-0641 (The Popup Like box WordPress plugin before 3.6.1 does not sanitize and ...) + TODO: check CVE-2022-0640 (The Pricing Table Builder WordPress plugin before 1.1.5 does not sanit ...) NOT-FOR-US: WordPress plugin CVE-2022-0639 (Authorization Bypass Through User-Controlled Key in NPM url-parse prio ...) @@ -7600,12 +7629,12 @@ CVE-2022-0623 (Out-of-bounds Read in Homebrew mruby prior to 3.2. ...) NOTE: https://huntr.dev/bounties/5b908ac7-d8f1-4fcd-9355-85df565f7580 CVE-2022-0622 (Generation of Error Message Containing Sensitive Information in Packag ...) NOT-FOR-US: snipe-it -CVE-2022-0621 - RESERVED -CVE-2022-0620 - RESERVED -CVE-2022-0619 - RESERVED +CVE-2022-0621 (The dTabs WordPress plugin through 1.4 does not sanitize and escape th ...) + TODO: check +CVE-2022-0620 (The Delete Old Orders WordPress plugin through 0.2 does not sanitize a ...) + TODO: check +CVE-2022-0619 (The Database Peek WordPress plugin through 1.2 does not sanitize and e ...) + TODO: check CVE-2022-25209 (Jenkins Chef Sinatra Plugin 1.20 and earlier does not configure its XM ...) NOT-FOR-US: Jenkins Chef Sinatra Plugin CVE-2022-25175 (Jenkins Pipeline: Multibranch Plugin 706.vd43c65dec013 and earlier use ...) @@ -7830,18 +7859,18 @@ CVE-2022-0602 RESERVED CVE-2022-0601 (The Countdown, Coming Soon, Maintenance WordPress plugin before 2.2.9 ...) NOT-FOR-US: WordPress plugin -CVE-2022-0600 - RESERVED -CVE-2022-0599 - RESERVED +CVE-2022-0600 (The Conference Scheduler WordPress plugin before 2.4.3 does not saniti ...) + TODO: check +CVE-2022-0599 (The Mapping Multiple URLs Redirect Same Page WordPress plugin through ...) + TODO: check CVE-2022-0598 RESERVED CVE-2022-0597 (Open Redirect in Packagist microweber/microweber prior to 1.2.11. ...) NOT-FOR-US: microweber CVE-2022-0596 (Business Logic Errors in Packagist microweber/microweber prior to 1.2. ...) NOT-FOR-US: microweber -CVE-2022-0595 - RESERVED +CVE-2022-0595 (The Drag and Drop Multiple File Upload WordPress plugin before 1.3.6.3 ...) + TODO: check CVE-2022-0594 RESERVED CVE-2022-0593 (The Login with phone number WordPress plugin before 1.3.7 includes a f ...) @@ -8790,6 +8819,7 @@ CVE-2022-24766 (mitmproxy is an interactive, SSL/TLS-capable intercepting proxy. CVE-2022-24765 RESERVED CVE-2022-24764 (PJSIP is a free and open source multimedia communication library writt ...) + {DLA-2962-1} - pjproject <unfixed> NOTE: https://github.com/pjsip/pjproject/security/advisories/GHSA-f5qg-pqcg-765m NOTE: https://github.com/pjsip/pjproject/commit/560a1346f87aabe126509bb24930106dea292b00 @@ -8831,6 +8861,7 @@ CVE-2022-24755 (Bareos is open source software for backup, archiving, and recove NOTE: https://github.com/bareos/bareos/pull/1121 NOTE: https://huntr.dev/bounties/480121f2-bc3c-427e-986e-5acffb1606c5/ CVE-2022-24754 (PJSIP is a free and open source multimedia communication library writt ...) + {DLA-2962-1} - pjproject <removed> NOTE: https://github.com/pjsip/pjproject/security/advisories/GHSA-73f7-48m9-w662 NOTE: https://github.com/pjsip/pjproject/commit/d27f79da11df7bc8bb56c2f291d71e54df8d2c47 @@ -9029,8 +9060,7 @@ CVE-2022-0551 (Improper Input Validation vulnerability in project file upload in NOT-FOR-US: Nozomi Networks CVE-2022-0550 (Improper Input Validation vulnerability in custom report logo upload i ...) NOT-FOR-US: Nozomi Networks -CVE-2022-0549 - RESERVED +CVE-2022-0549 (An issue has been discovered in GitLab CE/EE affecting all versions be ...) [experimental] - gitlab 14.6.5+ds1-1 - gitlab <unfixed> NOTE: https://about.gitlab.com/releases/2022/02/25/critical-security-release-gitlab-14-8-2-released/ @@ -9815,8 +9845,8 @@ CVE-2022-0501 (Cross-site Scripting (XSS) - Reflected in Packagist ptrofimov/bea CVE-2022-0500 (A flaw was found in unrestricted eBPF usage by the BPF_BTF_LOAD, leadi ...) - linux 5.16.10-1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2044578 -CVE-2022-0499 - RESERVED +CVE-2022-0499 (The Sermon Browser WordPress plugin through 0.45.22 does not have CSRF ...) + TODO: check CVE-2022-0498 REJECTED CVE-2022-0497 @@ -9834,8 +9864,8 @@ CVE-2022-0495 CVE-2022-0494 (A kernel information leak flaw was identified in the scsi_ioctl functi ...) - linux 5.16.14-1 NOTE: https://git.kernel.org/linus/cc8f7fe1f5eab010191aa4570f27641876fa1267 (5.17-rc5) -CVE-2022-0493 - RESERVED +CVE-2022-0493 (The String locator WordPress plugin before 2.5.0 does not properly val ...) + TODO: check CVE-2021-46671 (options.c in atftp before 0.7.5 reads past the end of an array, and co ...) - atftp 0.7.git20210915-1 (bug #1004974) [bullseye] - atftp 0.7.git20120829-3.3+deb11u2 @@ -9897,8 +9927,8 @@ CVE-2022-0489 [experimental] - gitlab 14.6.5+ds1-1 - gitlab <unfixed> NOTE: https://about.gitlab.com/releases/2022/02/25/critical-security-release-gitlab-14-8-2-released/ -CVE-2022-0488 - RESERVED +CVE-2022-0488 (An issue has been discovered in GitLab CE/EE affecting all versions st ...) + TODO: check CVE-2022-24399 (The SAP Focused Run (Real User Monitoring) - versions 200, 300, REST s ...) NOT-FOR-US: SAP CVE-2022-24398 (Under certain conditions SAP Business Objects Business Intelligence Pl ...) @@ -10125,8 +10155,8 @@ CVE-2022-0480 [stretch] - linux <ignored> (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2049700 NOTE: https://git.kernel.org/linus/0f12156dff2862ac54235fc72703f18770769042 (5.15-rc1) -CVE-2022-0479 - RESERVED +CVE-2022-0479 (The Popup Builder WordPress plugin before 4.1.1 does not sanitise and ...) + TODO: check CVE-2022-0478 (The Event Manager and Tickets Selling for WooCommerce WordPress plugin ...) NOT-FOR-US: WordPress plugin CVE-2022-0477 @@ -10312,8 +10342,8 @@ CVE-2022-0452 [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2022-0451 (Dart SDK contains the HTTPClient in dart:io library whcih includes aut ...) NOT-FOR-US: Dart SDK -CVE-2022-0450 - RESERVED +CVE-2022-0450 (The Menu Image, Icons made easy WordPress plugin before 3.0.8 does not ...) + TODO: check CVE-2022-0449 (The Flexi WordPress plugin before 4.20 does not sanitise and escape va ...) NOT-FOR-US: WordPress plugin CVE-2022-0448 (The CP Blocks WordPress plugin before 1.0.15 does not sanitise and esc ...) @@ -10480,8 +10510,8 @@ CVE-2022-0429 (The WP Cerber Security, Anti-spam & Malware Scan WordPress pl NOT-FOR-US: WordPress plugin CVE-2022-0428 RESERVED -CVE-2022-0427 - RESERVED +CVE-2022-0427 (Missing sanitization of HTML attributes in Jupyter notebooks in all ve ...) + TODO: check CVE-2022-0426 (The Product Feed PRO for WooCommerce WordPress plugin before 11.2.3 do ...) NOT-FOR-US: WordPress plugin CVE-2022-0425 @@ -10930,10 +10960,10 @@ CVE-2022-0399 (The Advanced Product Labels for WooCommerce WordPress plugin befo NOT-FOR-US: WordPress plugin CVE-2022-0398 RESERVED -CVE-2022-0397 - RESERVED -CVE-2018-25030 - RESERVED +CVE-2022-0397 (The WPC Smart Wishlist for WooCommerce WordPress plugin before 2.9.4 d ...) + TODO: check +CVE-2018-25030 (A vulnerability classified as problematic has been found in Mirmay Sec ...) + TODO: check CVE-2017-20016 RESERVED CVE-2017-20015 @@ -10946,8 +10976,8 @@ CVE-2017-20012 RESERVED CVE-2017-20011 RESERVED -CVE-2015-10002 - RESERVED +CVE-2015-10002 (A vulnerability classified as problematic has been found in Kiddoware ...) + TODO: check CVE-2010-10001 RESERVED CVE-2008-10001 @@ -11181,8 +11211,8 @@ CVE-2022-0390 RESERVED CVE-2022-0389 (The WP Time Slots Booking Form WordPress plugin before 1.1.63 does not ...) NOT-FOR-US: WordPress plugin -CVE-2022-0388 - RESERVED +CVE-2022-0388 (The Interactive Medical Drawing of Human Body WordPress plugin through ...) + TODO: check CVE-2021-4217 [Null pointer dereference in Unicode strings code] RESERVED - unzip <unfixed> (unimportant) @@ -11614,8 +11644,8 @@ CVE-2022-23949 RESERVED CVE-2022-23948 RESERVED -CVE-2022-0371 - RESERVED +CVE-2022-0371 (An issue has been discovered in GitLab CE/EE affecting all versions st ...) + TODO: check CVE-2022-0370 (Cross-site Scripting (XSS) - Stored in Packagist remdex/livehelperchat ...) NOT-FOR-US: livehelperchat CVE-2022-0369 @@ -11839,12 +11869,12 @@ CVE-2022-23886 RESERVED CVE-2022-23885 RESERVED -CVE-2022-23884 - RESERVED +CVE-2022-23884 (Mojang Bedrock Dedicated Server 1.18.2 is affected by an integer overf ...) + TODO: check CVE-2022-23883 RESERVED -CVE-2022-23882 - RESERVED +CVE-2022-23882 (TuziCMS 2.0.6 is affected by SQL injection in \App\Manage\Controller\B ...) + TODO: check CVE-2022-23881 (ZZZCMS zzzphp v2.1.0 was discovered to contain a remote command execut ...) NOT-FOR-US: zzzcms CVE-2022-23880 (An arbitrary file upload vulnerability in the File Management function ...) @@ -11900,12 +11930,12 @@ CVE-2022-0346 RESERVED CVE-2022-0345 (The Customize WordPress Emails and Alerts WordPress plugin before 1.8. ...) NOT-FOR-US: WordPress plugin -CVE-2022-0344 - RESERVED +CVE-2022-0344 (An issue has been discovered in GitLab affecting all versions starting ...) + TODO: check CVE-2022-0343 RESERVED -CVE-2022-0342 - RESERVED +CVE-2022-0342 (An authentication bypass vulnerability in the CGI program of Zyxel USG ...) + TODO: check CVE-2021-46558 (Multiple cross-site scripting (XSS) vulnerabilities in the Add User mo ...) NOT-FOR-US: Issabel CVE-2021-46557 (Vicidial 2.14-783a was discovered to contain a cross-site scripting (X ...) @@ -12154,10 +12184,10 @@ CVE-2021-46436 RESERVED CVE-2021-46435 RESERVED -CVE-2021-46434 - RESERVED -CVE-2021-46433 - RESERVED +CVE-2021-46434 (** UNSUPPORTED WHEN ASSIGNED ** EMQ X Dashboard V3.0.0 is affected by ...) + TODO: check +CVE-2021-46433 (In fenom 2.12.1 and before, there is a way in fenom/src/Fenom/Template ...) + TODO: check CVE-2021-46432 RESERVED CVE-2021-46431 @@ -12961,6 +12991,7 @@ CVE-2022-23610 (wire-server provides back end services for Wire, an open source CVE-2022-23609 (iTunesRPC-Remastered is a Discord Rich Presence for iTunes on Windows ...) NOT-FOR-US: iTunesRPC-Remastered CVE-2022-23608 (PJSIP is a free and open source multimedia communication library writt ...) + {DLA-2962-1} - asterisk <unfixed> - pjproject <removed> - ring <unfixed> @@ -13467,8 +13498,8 @@ CVE-2022-0284 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2045943 NOTE: https://github.com/ImageMagick/ImageMagick/issues/4729 NOTE: https://github.com/ImageMagick/ImageMagick/commit/e50f19fd73c792ebe912df8ab83aa51a243a3da7 -CVE-2022-0283 - RESERVED +CVE-2022-0283 (An issue has been discovered affecting GitLab versions prior to 13.5. ...) + TODO: check CVE-2022-0282 (Code Injection in Packagist microweber/microweber prior to 1.2.11. ...) NOT-FOR-US: microweber CVE-2022-0281 (Exposure of Sensitive Information to an Unauthorized Actor in Packagis ...) @@ -14072,8 +14103,8 @@ CVE-2022-0251 (Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/ NOT-FOR-US: pimcore CVE-2022-0250 RESERVED -CVE-2022-0249 - RESERVED +CVE-2022-0249 (A vulnerability was discovered in GitLab starting with version 12. Git ...) + TODO: check CVE-2022-0248 (The Contact Form Submissions WordPress plugin before 1.7.3 does not sa ...) NOT-FOR-US: WordPress plugin CVE-2022-0247 (An issue exists in Fuchsia where VMO data can be modified through acce ...) @@ -14422,8 +14453,8 @@ CVE-2022-0223 RESERVED CVE-2022-0222 RESERVED -CVE-2022-0221 - RESERVED +CVE-2022-0221 (A CWE-611: Improper Restriction of XML External Entity Reference vulne ...) + TODO: check CVE-2022-0220 (The check_privacy_settings AJAX action of the WordPress GDPR WordPress ...) NOT-FOR-US: WordPress plugin CVE-2022-0219 (Improper Restriction of XML External Entity Reference in GitHub reposi ...) @@ -16340,8 +16371,8 @@ CVE-2022-0138 (MMP: All versions prior to v1.0.3, PTP C-series: Device versions NOT-FOR-US: Airspan Networks CVE-2022-0137 RESERVED -CVE-2022-0136 - RESERVED +CVE-2022-0136 (A vulnerability was discovered in GitLab versions 10.5 to 14.5.4, 14.6 ...) + TODO: check CVE-2022-0135 [out-of-bounds write in read_transfer_data()] RESERVED - virglrenderer <undetermined> @@ -16468,8 +16499,8 @@ CVE-2022-0125 (An issue has been discovered in GitLab affecting all versions sta - gitlab <unfixed> CVE-2022-0124 (An issue has been discovered affecting GitLab versions prior to 14.4.5 ...) - gitlab <unfixed> -CVE-2022-0123 - RESERVED +CVE-2022-0123 (An issue has been discovered affecting GitLab versions prior to 14.4.5 ...) + TODO: check CVE-2021-4200 RESERVED CVE-2022-22677 @@ -18097,8 +18128,7 @@ CVE-2021-4192 (vim is vulnerable to Use After Free ...) [buster] - vim <no-dsa> (Minor issue) NOTE: https://huntr.dev/bounties/6dd9cb2e-a940-4093-856e-59b502429f22 NOTE: Fixed by: https://github.com/vim/vim/commit/4c13e5e6763c6eb36a343a2b8235ea227202e952 (v8.2.3949) -CVE-2021-4191 - RESERVED +CVE-2021-4191 (An issue has been discovered in GitLab CE/EE affecting versions 13.0 t ...) [experimental] - gitlab 14.6.5+ds1 - gitlab <unfixed> NOTE: https://about.gitlab.com/releases/2022/02/25/critical-security-release-gitlab-14-8-2-released/ @@ -24362,8 +24392,8 @@ CVE-2021-44126 RESERVED CVE-2021-44125 RESERVED -CVE-2021-44124 - RESERVED +CVE-2021-44124 (Hiby Music Hiby OS R3 Pro 1.5 and 1.6 is vulnerable to Directory Trave ...) + TODO: check CVE-2021-44123 (SPIP 4.0.0 is affected by a remote command execution vulnerability. To ...) {DSA-5028-1 DLA-2867-1} - spip 3.2.12-1 @@ -24421,8 +24451,8 @@ CVE-2021-44105 RESERVED CVE-2021-44104 RESERVED -CVE-2021-44103 - RESERVED +CVE-2021-44103 (Vertical Privilege Escalation in KONGA 0.14.9 allows attackers to high ...) + TODO: check CVE-2021-44102 RESERVED CVE-2021-44101 @@ -24931,6 +24961,7 @@ CVE-2022-21724 (pgjdbc is the offical PostgreSQL JDBC Driver. A security hole wa NOTE: https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-v7wg-cpwc-24m4 NOTE: https://github.com/pgjdbc/pgjdbc/commit/f4d0ed69c0b3aae8531d83d6af4c57f22312c813 (REL42.3.2) CVE-2022-21723 (PJSIP is a free and open source multimedia communication library writt ...) + {DLA-2962-1} - asterisk <unfixed> - pjproject <removed> - ring <unfixed> @@ -24940,6 +24971,7 @@ CVE-2022-21723 (PJSIP is a free and open source multimedia communication library NOTE: https://github.com/pjsip/pjproject/security/advisories/GHSA-7fw8-54cv-r7pm NOTE: https://github.com/pjsip/pjproject/commit/077b465c33f0aec05a49cd2ca456f9a1b112e896 CVE-2022-21722 (PJSIP is a free and open source multimedia communication library writt ...) + {DLA-2962-1} - asterisk <unfixed> - pjproject <removed> - ring <unfixed> @@ -25463,6 +25495,7 @@ CVE-2021-43847 (HumHub is an open-source social network kit written in PHP. Prio CVE-2021-43846 (`solidus_frontend` is the cart and storefront for the Solidus e-commer ...) NOT-FOR-US: solidus_frontend CVE-2021-43845 (PJSIP is a free and open source multimedia communication library. In v ...) + {DLA-2962-1} - asterisk <unfixed> - pjproject <removed> - ring <unfixed> @@ -25565,6 +25598,7 @@ CVE-2021-43806 (Tuleap is a Libre and Open Source tool for end to end traceabili CVE-2021-43805 (Solidus is a free, open-source ecommerce platform built on Rails. Vers ...) NOT-FOR-US: Solidus CVE-2021-43804 (PJSIP is a free and open source multimedia communication library writt ...) + {DLA-2962-1} - asterisk <unfixed> - pjproject <removed> - ring <unfixed> @@ -26630,16 +26664,16 @@ CVE-2021-43727 RESERVED CVE-2021-43726 RESERVED -CVE-2021-43725 - RESERVED +CVE-2021-43725 (There is a Cross Site Scripting (XSS) vulnerability in SpotPage_login. ...) + TODO: check CVE-2021-43724 (A Cross Site Scripting (XSS) vulnerability exits in Subrion CMS throug ...) NOT-FOR-US: Subrion CMS CVE-2021-43723 RESERVED CVE-2021-43722 RESERVED -CVE-2021-43721 - RESERVED +CVE-2021-43721 (Leanote 2.7.0 is vulnerable to Cross Site Scripting (XSS) in the markd ...) + TODO: check CVE-2021-43720 RESERVED CVE-2021-43719 @@ -27797,30 +27831,35 @@ CVE-2021-43304 (Heap buffer overflow in Clickhouse's LZ4 compression codec when NOTE: https://github.com/ClickHouse/ClickHouse/pull/27136 NOTE: https://jfrog.com/blog/7-rce-and-dos-vulnerabilities-found-in-clickhouse-dbms/ CVE-2021-43303 (Buffer overflow in PJSUA API when calling pjsua_call_dump. An attacker ...) + {DLA-2962-1} - asterisk <unfixed> - pjproject <removed> - ring <unfixed> NOTE: https://github.com/pjsip/pjproject/security/advisories/GHSA-qcvw-h34v-c7r9 NOTE: https://github.com/pjsip/pjproject/commit/d979253c924a686fa511d705be1f3ad0c5b20337 CVE-2021-43302 (Read out-of-bounds in PJSUA API when calling pjsua_recorder_create. An ...) + {DLA-2962-1} - asterisk <unfixed> - pjproject <removed> - ring <unfixed> NOTE: https://github.com/pjsip/pjproject/security/advisories/GHSA-qcvw-h34v-c7r9 NOTE: https://github.com/pjsip/pjproject/commit/d979253c924a686fa511d705be1f3ad0c5b20337 CVE-2021-43301 (Stack overflow in PJSUA API when calling pjsua_playlist_create. An att ...) + {DLA-2962-1} - asterisk <unfixed> - pjproject <removed> - ring <unfixed> NOTE: https://github.com/pjsip/pjproject/security/advisories/GHSA-qcvw-h34v-c7r9 NOTE: https://github.com/pjsip/pjproject/commit/d979253c924a686fa511d705be1f3ad0c5b20337 CVE-2021-43300 (Stack overflow in PJSUA API when calling pjsua_recorder_create. An att ...) + {DLA-2962-1} - asterisk <unfixed> - pjproject <removed> - ring <unfixed> NOTE: https://github.com/pjsip/pjproject/security/advisories/GHSA-qcvw-h34v-c7r9 NOTE: https://github.com/pjsip/pjproject/commit/d979253c924a686fa511d705be1f3ad0c5b20337 CVE-2021-43299 (Stack overflow in PJSUA API when calling pjsua_player_create. An attac ...) + {DLA-2962-1} - asterisk <unfixed> - pjproject <removed> - ring <unfixed> @@ -35337,6 +35376,7 @@ CVE-2021-41143 CVE-2021-41142 (Tuleap Open ALM is a libre and open source tool for end to end traceab ...) NOT-FOR-US: Tuleap CVE-2021-41141 (PJSIP is a free and open source multimedia communication library writt ...) + {DLA-2962-1} - pjproject <removed> NOTE: https://github.com/pjsip/pjproject/security/advisories/GHSA-8fmx-hqw7-6gmc NOTE: https://github.com/pjsip/pjproject/commit/1aa2c0e0fb60a1b0bf793e0d834073ffe50fb196 @@ -38493,8 +38533,8 @@ CVE-2021-39878 (A stored Reflected Cross-Site Scripting vulnerability in the Jir - gitlab <unfixed> CVE-2021-39877 (A vulnerability was discovered in GitLab starting with version 12.2 th ...) - gitlab <unfixed> -CVE-2021-39876 - RESERVED +CVE-2021-39876 (In all versions of GitLab CE/EE since version 11.3, the endpoint for a ...) + TODO: check CVE-2021-39875 (In all versions of GitLab CE/EE since version 13.6, it is possible to ...) - gitlab <unfixed> CVE-2021-39874 (In all versions of GitLab CE/EE since version 11.0, the requirement to ...) @@ -44063,6 +44103,7 @@ CVE-2021-37708 (Shopware is an open source eCommerce platform. Versions prior to CVE-2021-37707 (Shopware is an open source eCommerce platform. Versions prior to 6.4.3 ...) NOT-FOR-US: Shopware CVE-2021-37706 (PJSIP is a free and open source multimedia communication library writt ...) + {DLA-2962-1} - asterisk <unfixed> - pjproject <removed> - ring <unfixed> @@ -56123,7 +56164,7 @@ CVE-2021-32687 (Redis is an open source, in-memory database that persists on dis - redis 5:6.0.16-1 NOTE: https://github.com/redis/redis/security/advisories/GHSA-m3mf-8x9w-r27q CVE-2021-32686 (PJSIP is a free and open source multimedia communication library writt ...) - {DSA-4999-1} + {DSA-4999-1 DLA-2962-1} - asterisk 1:16.16.1~dfsg-2 (bug #991931) [stretch] - asterisk <not-affected> (Vulnerable code not present) - pjproject <removed> @@ -75937,22 +75978,22 @@ CVE-2021-25073 (The WP125 WordPress plugin before 1.5.5 does not have CSRF check NOT-FOR-US: WordPress plugin CVE-2021-25072 (The NextScripts: Social Networks Auto-Poster WordPress plugin before 4 ...) NOT-FOR-US: WordPress plugin -CVE-2021-25071 - RESERVED -CVE-2021-25070 - RESERVED +CVE-2021-25071 (The WordPress plugin through 2.0.1 does not sanitise and escape the tr ...) + TODO: check +CVE-2021-25070 (The Block Bad Bots WordPress plugin before 6.88 does not properly sani ...) + TODO: check CVE-2021-25069 (The Download Manager WordPress plugin before 3.2.34 does not sanitise ...) NOT-FOR-US: WordPress plugin -CVE-2021-25068 - RESERVED +CVE-2021-25068 (The Sync WooCommerce Product feed to Google Shopping WordPress plugin ...) + TODO: check CVE-2021-25067 (The Landing Page Builder WordPress plugin before 1.4.9.6 was affected ...) NOT-FOR-US: WordPress plugin CVE-2021-25066 RESERVED CVE-2021-25065 (The Smash Balloon Social Post Feed WordPress plugin before 4.1.1 was a ...) NOT-FOR-US: WordPress plugin -CVE-2021-25064 - RESERVED +CVE-2021-25064 (The Wow Countdowns WordPress plugin through 3.1.2 does not sanitize us ...) + TODO: check CVE-2021-25063 (The Skins for Contact Form 7 WordPress plugin before 2.5.1 does not sa ...) NOT-FOR-US: WordPress plugin CVE-2021-25062 (The Orders Tracking for WooCommerce WordPress plugin before 1.1.10 doe ...) @@ -76055,8 +76096,8 @@ CVE-2021-25014 (The Ibtana WordPress plugin before 1.1.4.9 does not have authori NOT-FOR-US: WordPress plugin CVE-2021-25013 (The Qubely WordPress plugin before 1.7.8 does not have authorisation a ...) NOT-FOR-US: WordPress plugin -CVE-2021-25012 - RESERVED +CVE-2021-25012 (The Pz-LinkCard WordPress plugin through 2.4.4.4 does not sanitise and ...) + TODO: check CVE-2021-25011 (The Maps Plugin using Google Maps for WordPress plugin before 1.8.1 do ...) NOT-FOR-US: WordPress plugin CVE-2021-25010 (The Post Snippets WordPress plugin before 3.1.4 does not have CSRF che ...) @@ -76123,8 +76164,8 @@ CVE-2021-24980 (The Gwolle Guestbook WordPress plugin before 4.2.0 does not sani NOT-FOR-US: WordPress plugin CVE-2021-24979 (The Paid Memberships Pro WordPress plugin before 2.6.6 does not escape ...) NOT-FOR-US: WordPress plugin -CVE-2021-24978 - RESERVED +CVE-2021-24978 (The OSMapper WordPress plugin through 2.1.5 contains an AJAX action to ...) + TODO: check CVE-2021-24977 (The Use Any Font | Custom Font Uploader WordPress plugin before 6.2.1 ...) NOT-FOR-US: WordPress plugin CVE-2021-24976 (The Smart SEO Tool WordPress plugin before 3.0.6 does not sanitise and ...) @@ -76155,8 +76196,8 @@ CVE-2021-24964 (The LiteSpeed Cache WordPress plugin before 4.4.4 does not prope NOT-FOR-US: WordPress plugin CVE-2021-24963 (The LiteSpeed Cache WordPress plugin before 4.4.4 does not escape the ...) NOT-FOR-US: WordPress plugin -CVE-2021-24962 - RESERVED +CVE-2021-24962 (The WordPress File Upload Free and Pro WordPress plugins before 4.16.3 ...) + TODO: check CVE-2021-24961 (The WordPress File Upload WordPress plugin before 4.16.3, wordpress-fi ...) NOT-FOR-US: WordPress plugin CVE-2021-24960 (The WordPress File Upload WordPress plugin before 4.16.3, wordpress-fi ...) @@ -76587,8 +76628,8 @@ CVE-2021-24748 (The Email Before Download WordPress plugin before 6.8 does not p NOT-FOR-US: WordPress plugin CVE-2021-24747 (The SEO Booster WordPress plugin before 3.8 allows for authenticated S ...) NOT-FOR-US: WordPress plugin -CVE-2021-24746 - RESERVED +CVE-2021-24746 (The Social Sharing Plugin WordPress plugin before 3.3.40 does not esca ...) + TODO: check CVE-2021-24745 (The About Author Box WordPress plugin before 1.0.2 does not sanitise a ...) NOT-FOR-US: WordPress plugin CVE-2021-24744 (The WordPress Contact Forms by Cimatti WordPress plugin before 1.4.12 ...) @@ -81035,14 +81076,14 @@ CVE-2021-22799 (A CWE-331: Insufficient Entropy vulnerability exists that could NOT-FOR-US: Schneider Electric CVE-2021-22798 (A CWE-522: Insufficiently Protected Credentials vulnerability exists t ...) NOT-FOR-US: Schneider Electric -CVE-2021-22797 - RESERVED +CVE-2021-22797 (A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ...) + TODO: check CVE-2021-22796 (A CWE-287: Improper Authentication vulnerability exists that could all ...) NOT-FOR-US: Schneider Electric -CVE-2021-22795 - RESERVED -CVE-2021-22794 - RESERVED +CVE-2021-22795 (A CWE-78 Improper Neutralization of Special Elements used in an OS Com ...) + TODO: check +CVE-2021-22794 (A CWE-22 Improper Limitation of a Pathname to a Restricted Directory ( ...) + TODO: check CVE-2021-22793 (A CWE-200: Exposure of Sensitive Information to an Unauthorized Actor ...) NOT-FOR-US: Schneider Electric CVE-2021-22792 (A CWE-476: NULL Pointer Dereference vulnerability that could cause a D ...) @@ -208586,8 +208627,8 @@ CVE-2019-6836 (A CWE-863: Incorrect Authorization vulnerability exists in U.moti NOT-FOR-US: Schneider CVE-2019-6835 (A Cross-Site Scripting (XSS) CWE-79 vulnerability exists in U.motion S ...) NOT-FOR-US: Schneider -CVE-2019-6834 - RESERVED +CVE-2019-6834 (A CWE-502: Deserialization of Untrusted Data vulnerability exists whic ...) + TODO: check CVE-2019-6833 (A CWE-754 – Improper Check for Unusual or Exceptional Conditions ...) NOT-FOR-US: Schneider CVE-2019-6832 (A CWE-287: Authentication vulnerability exists in spaceLYnk (all versi ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/56889653f5815c97ae05ee066c9d0c8e845f9b03 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/56889653f5815c97ae05ee066c9d0c8e845f9b03 You're receiving this email because of your account on salsa.debian.org.
_______________________________________________ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits