Salvatore Bonaccorso pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
9b3b80d9 by security tracker role at 2022-05-20T20:10:25+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,7 +1,33 @@
-CVE-2022-31246
+CVE-2022-31257
+ RESERVED
+CVE-2022-31256
+ RESERVED
+CVE-2022-31255
+ RESERVED
+CVE-2022-31254
+ RESERVED
+CVE-2022-31253
+ RESERVED
+CVE-2022-31252
+ RESERVED
+CVE-2022-31251
RESERVED
-CVE-2022-31245
+CVE-2022-31250
RESERVED
+CVE-2022-31249
+ RESERVED
+CVE-2022-31248
+ RESERVED
+CVE-2022-31247
+ RESERVED
+CVE-2022-1807
+ RESERVED
+CVE-2022-1806 (Cross-site Scripting (XSS) - Reflected in GitHub repository
rtxteam/rt ...)
+ TODO: check
+CVE-2022-31246
+ RESERVED
+CVE-2022-31245 (mailcow before 2022-05d allows a remote authenticated user to
inject O ...)
+ TODO: check
CVE-2022-31244
RESERVED
CVE-2022-31243
@@ -78,8 +104,8 @@ CVE-2022-1799
RESERVED
CVE-2022-1798
RESERVED
-CVE-2022-31215
- RESERVED
+CVE-2022-31215 (In certain Goverlan products, the Windows Firewall is
temporarily turn ...)
+ TODO: check
CVE-2022-31214
RESERVED
CVE-2022-31213
@@ -556,7 +582,7 @@ CVE-2022-30977
RESERVED
CVE-2022-29496
RESERVED
-CVE-2022-1796 (Use After Free in GitHub repository vim/vim prior to 8.2. ...)
+CVE-2022-1796 (Use After Free in GitHub repository vim/vim prior to 8.2.4979.
...)
- vim <unfixed>
NOTE: https://huntr.dev/bounties/f6739b58-49f9-4056-a843-bf76bbc1253e
NOTE:
https://github.com/vim/vim/commit/28d032cc688ccfda18c5bbcab8b50aba6e18cde5
(v8.2.4979)
@@ -582,12 +608,12 @@ CVE-2022-1787
RESERVED
CVE-2022-1786
RESERVED
-CVE-2022-1785 (Out-of-bounds Write in GitHub repository vim/vim prior to 8.2.
...)
+CVE-2022-1785 (Out-of-bounds Write in GitHub repository vim/vim prior to
8.2.4977. ...)
- vim <unfixed>
NOTE: https://huntr.dev/bounties/8c969cba-eef2-4943-b44a-4e3089599109
NOTE:
https://github.com/vim/vim/commit/e2bd8600b873d2cd1f9d667c28cba8b1dba18839
(v8.2.4977)
-CVE-2022-1784
- RESERVED
+CVE-2022-1784 (Server-Side Request Forgery (SSRF) in GitHub repository
jgraph/drawio ...)
+ TODO: check
CVE-2022-1783
RESERVED
CVE-2022-1782 (Cross-site Scripting (XSS) - Generic in GitHub repository
erudika/para ...)
@@ -622,7 +648,7 @@ CVE-2022-1773
RESERVED
CVE-2022-1772
RESERVED
-CVE-2022-1771 (Stack-based Buffer Overflow in GitHub repository vim/vim prior
to 8.2. ...)
+CVE-2022-1771 (Uncontrolled Recursion in GitHub repository vim/vim prior to
8.2.4975. ...)
- vim <unfixed> (unimportant)
NOTE: https://huntr.dev/bounties/faa74175-5317-4b71-a363-dfc39094ecbb
NOTE:
https://github.com/vim/vim/commit/51f0bfb88a3554ca2dde777d78a59880d1ee37a8
(v8.2.4975)
@@ -631,8 +657,8 @@ CVE-2019-25061 (The random_password_generator (aka
RandomPasswordGenerator) gem
NOT-FOR-US: bvsatyaram/random_password_generator
CVE-2022-30973
RESERVED
-CVE-2022-1770
- RESERVED
+CVE-2022-1770 (Improper Privilege Management in GitHub repository
polonel/trudesk pri ...)
+ TODO: check
CVE-2022-1769 (Buffer Over-read in GitHub repository vim/vim prior to
8.2.4974. ...)
- vim <unfixed> (unimportant)
NOTE: https://huntr.dev/bounties/522076b2-96cb-4df6-a504-e6e2f64c171c
@@ -1038,10 +1064,10 @@ CVE-2022-30889
RESERVED
CVE-2022-30888
RESERVED
-CVE-2022-30887
- RESERVED
-CVE-2022-30886
- RESERVED
+CVE-2022-30887 (Pharmacy Management System v1.0 was discovered to contain a
remote cod ...)
+ TODO: check
+CVE-2022-30886 (School Dormitory Management System v1.0 was discovered to
contain a SQ ...)
+ TODO: check
CVE-2022-30885
RESERVED
CVE-2022-30884
@@ -1254,7 +1280,7 @@ CVE-2022-30779 (Laravel 9.1.8, when processing
attacker-controlled data for dese
TODO: check, issue seems to be in src:guzzle, check details
CVE-2022-30778 (Laravel 9.1.8, when processing attacker-controlled data for
deserializ ...)
TODO: check
-CVE-2022-30777 (Parallels H-Sphere 3.6.2 allows XSS via the index_en.php from
paramete ...)
+CVE-2022-30777 (Parallels H-Sphere 3.6.1713 allows XSS via the index_en.php
from param ...)
NOT-FOR-US: Parallels H-Sphere
CVE-2022-30776 (atmail 6.5.0 allows XSS via the index.php/admin/index/ error
parameter ...)
- atmailopen <removed>
@@ -1731,8 +1757,8 @@ CVE-2022-30553
RESERVED
CVE-2022-30552
RESERVED
-CVE-2022-30551
- RESERVED
+CVE-2022-30551 (OPC UA Legacy Java Stack 2022-04-01 allows a remote attacker
to cause ...)
+ TODO: check
CVE-2022-30550
RESERVED
CVE-2022-1677
@@ -1973,8 +1999,8 @@ CVE-2022-30520
RESERVED
CVE-2022-30519
RESERVED
-CVE-2022-30518
- RESERVED
+CVE-2022-30518 (ChatBot Application with a Suggestion Feature 1.0 was
discovered to co ...)
+ TODO: check
CVE-2022-30517
RESERVED
CVE-2022-30516
@@ -5317,8 +5343,8 @@ CVE-2022-29322 (D-Link DIR-816 A2_v1.10CNB04 was
discovered to contain a stack o
NOT-FOR-US: D-Link
CVE-2022-29321 (D-Link DIR-816 A2_v1.10CNB04 was discovered to contain a stack
overflo ...)
NOT-FOR-US: D-Link
-CVE-2022-29320
- RESERVED
+CVE-2022-29320 (MiniTool Partition Wizard v12.0 contains an unquoted service
path whic ...)
+ TODO: check
CVE-2022-29319
RESERVED
CVE-2022-29318 (An arbitrary file upload vulnerability in the New Entry module
of Car ...)
@@ -5698,8 +5724,8 @@ CVE-2022-29179
RESERVED
CVE-2022-29178
RESERVED
-CVE-2022-29177
- RESERVED
+CVE-2022-29177 (Go Ethereum is the official Golang implementation of the
Ethereum prot ...)
+ TODO: check
CVE-2022-29176 (Rubygems is a package registry used to supply software for the
Ruby la ...)
NOT-FOR-US: rubygems/rubygems.org
CVE-2022-29175
@@ -5716,8 +5742,8 @@ CVE-2022-29172 (Auth0 is an authentication broker that
supports both social and
NOT-FOR-US: Auth0
CVE-2022-29171 (Sourcegraph is a fast and featureful code search and
navigation engine ...)
NOT-FOR-US: Sourcegraph
-CVE-2022-29170
- RESERVED
+CVE-2022-29170 (Grafana is an open-source platform for monitoring and
observability. I ...)
+ TODO: check
CVE-2022-29169
RESERVED
CVE-2022-29168
@@ -5726,13 +5752,12 @@ CVE-2022-29167 (Hawk is an HTTP authentication scheme
providing mechanisms for m
NOT-FOR-US: Hawk (mozilla/hawk, different from itp'ed hawk, #634344)
CVE-2022-29166 (matrix-appservice-irc is a Node.js IRC bridge for Matrix. The
vulnerab ...)
NOT-FOR-US: Matrix-appservice-bridge
-CVE-2022-29165
- RESERVED
+CVE-2022-29165 (Argo CD is a declarative, GitOps continuous delivery tool for
Kubernet ...)
NOT-FOR-US: Argo CD
CVE-2022-29164 (Argo Workflows is an open source container-native workflow
engine for ...)
NOT-FOR-US: Argo Workflows
-CVE-2022-29163
- RESERVED
+CVE-2022-29163 (Nextcloud Server is the file server software for Nextcloud, a
self-hos ...)
+ TODO: check
CVE-2022-29162 (runc is a CLI tool for spawning and running containers on
Linux accord ...)
- runc <unfixed>
[stretch] - runc <not-affected> (Vulnerable code not present)
@@ -5741,10 +5766,10 @@ CVE-2022-29162 (runc is a CLI tool for spawning and
running containers on Linux
NOTE:
https://github.com/opencontainers/runc/commit/98fe566c527479195ce3c8167136d2a555fe6b65
(main)
CVE-2022-29161 (XWiki Platform is a generic wiki platform offering runtime
services fo ...)
NOT-FOR-US: XWiki
-CVE-2022-29160
- RESERVED
-CVE-2022-29159
- RESERVED
+CVE-2022-29160 (Nextcloud Android is the Android client for Nextcloud, a
self-hosted p ...)
+ TODO: check
+CVE-2022-29159 (Nextcloud Deck is a Kanban-style project & personal
management too ...)
+ TODO: check
CVE-2022-29158
RESERVED
CVE-2022-1344 (Stored XSS due to no sanitization in the filename in GitHub
repository ...)
@@ -5801,7 +5826,7 @@ CVE-2022-29156 (drivers/infiniband/ulp/rtrs/rtrs-clt.c in
the Linux kernel befor
[stretch] - linux <not-affected> (Vulnerable code not present)
NOTE: Fixedy by:
https://git.kernel.org/linus/8700af2cc18c919b2a83e74e0479038fd113c15d (5.17-rc6)
CVE-2022-29155 (In OpenLDAP 2.x before 2.5.12 and 2.6.x before 2.6.2, a SQL
injection ...)
- {DSA-5140-1}
+ {DSA-5140-1 DLA-3017-1}
- openldap 2.5.12+dfsg-1
NOTE: https://bugs.openldap.org/show_bug.cgi?id=9815
NOTE:
https://git.openldap.org/openldap/openldap/-/commit/87df6c19915042430540931d199a39105544a134
(master)
@@ -6223,12 +6248,12 @@ CVE-2022-29025
RESERVED
CVE-2022-29024
RESERVED
-CVE-2022-29023
- RESERVED
-CVE-2022-29022
- RESERVED
-CVE-2022-29021
- RESERVED
+CVE-2022-29023 (A buffer overflow in the razermouse driver of OpenRazer v3.3.0
and bel ...)
+ TODO: check
+CVE-2022-29022 (A buffer overflow in the razeraccessory driver of OpenRazer
v3.3.0 and ...)
+ TODO: check
+CVE-2022-29021 (A buffer overflow in the razerkbd driver of OpenRazer v3.3.0
and below ...)
+ TODO: check
CVE-2022-29020 (ForestBlog through 2022-02-16 allows admin/profile/save
userAvatar XSS ...)
NOT-FOR-US: ForestBlog
CVE-2022-29019
@@ -6283,14 +6308,14 @@ CVE-2022-28995
RESERVED
CVE-2022-28994 (Small HTTP Server version 3.06 suffers from a remote buffer
overflow v ...)
NOT-FOR-US: Small HTTP Server
-CVE-2022-28993
- RESERVED
-CVE-2022-28992
- RESERVED
-CVE-2022-28991
- RESERVED
-CVE-2022-28990
- RESERVED
+CVE-2022-28993 (Multi Store Inventory Management System v1.0 allows attackers
to perfo ...)
+ TODO: check
+CVE-2022-28992 (A Cross-Site Request Forgery (CSRF) in Online Banquet Booking
System v ...)
+ TODO: check
+CVE-2022-28991 (Multi Store Inventory Management System v1.0 was discovered to
contain ...)
+ TODO: check
+CVE-2022-28990 (WASM3 v0.5.0 was discovered to contain a heap overflow via the
compone ...)
+ TODO: check
CVE-2022-28989
RESERVED
CVE-2022-28988
@@ -6361,6 +6386,7 @@ CVE-2022-28960 (A PHP injection vulnerability in Spip
before v3.2.8 allows attac
NOTE:
https://github.com/spip/SPIP/commit/0394b44774555ae8331b6e65e35065dfa0bb41e4
NOTE:
https://github.com/spip/SPIP/commit/6c1650713fc948318852ace759aab8f1a84791cf
CVE-2022-28959 (Multiple cross-site scripting (XSS) vulnerabilities in the
component / ...)
+ {DSA-4798-1}
- spip 3.2.8-1
NOTE:
https://blog.spip.net/Mise-a-jour-CRITIQUE-de-securite-SPIP-3-2-8-et-SPIP-3-1-13.html
NOTE: https://thinkloveshare.com/en/hacking/rce_on_spip_and_root_me/
@@ -7161,8 +7187,8 @@ CVE-2022-1237 (Improper Validation of Array Index in
GitHub repository radareorg
NOTE:
https://github.com/radareorg/radare2/commit/2d782cdaa2112c10b8dd5e7a93c134b2ada9c1a6
CVE-2022-1236 (Weak Password Requirements in GitHub repository weseek/growi
prior to ...)
NOT-FOR-US: GROWI
-CVE-2022-28660
- RESERVED
+CVE-2022-28660 (The querier component in Grafana Enterprise Logs 1.1.x through
1.3.x b ...)
+ TODO: check
CVE-2022-28659
RESERVED
CVE-2022-28658
@@ -8979,12 +9005,12 @@ CVE-2022-28108 (Selenium Server (Grid) before 4 allows
CSRF because it permits n
NOT-FOR-US: Selenium
CVE-2022-28107
RESERVED
-CVE-2022-28106
- RESERVED
-CVE-2022-28105
- RESERVED
-CVE-2022-28104
- RESERVED
+CVE-2022-28106 (Online Sports Complex Booking System v1.0 was discovered to
allow atta ...)
+ TODO: check
+CVE-2022-28105 (Online Sports Complex Booking System v1.0 was discovered to
contain a ...)
+ TODO: check
+CVE-2022-28104 (Foxit PDF Editor v11.3.1 was discovered to contain an
arbitrary file u ...)
+ TODO: check
CVE-2022-28103
RESERVED
CVE-2022-28102 (A cross-site scripting (XSS) vulnerability in PHP MySQL Admin
Panel Ge ...)
@@ -11824,14 +11850,14 @@ CVE-2022-27097
RESERVED
CVE-2022-27096
RESERVED
-CVE-2022-27095
- RESERVED
-CVE-2022-27094
- RESERVED
+CVE-2022-27095 (BattlEye v0.9 contains an unquoted service path which allows
attackers ...)
+ TODO: check
+CVE-2022-27094 (Sony PlayMemories Home v6.0 contains an unquoted service path
which al ...)
+ TODO: check
CVE-2022-27093
RESERVED
-CVE-2022-27092
- RESERVED
+CVE-2022-27092 (Private Internet Access v3.3 contains an unquoted service path
which a ...)
+ TODO: check
CVE-2022-27091
RESERVED
CVE-2022-27090 (Cscms Music Portal System v4.2 was discovered to contain a
redirection ...)
@@ -12987,12 +13013,12 @@ CVE-2022-26635 (PHP-Memcached v2.2.0 and below
contains an improper NULL termina
- php-memcached <unfixed> (bug #1009328)
[stretch] - php-memcached <no-dsa> (Minor issue)
NOTE: https://xhzeem.me/posts/Php5-memcached-Injection-Bypass/read/
-CVE-2022-26634
- RESERVED
-CVE-2022-26633
- RESERVED
-CVE-2022-26632
- RESERVED
+CVE-2022-26634 (HMA VPN v5.3.5913.0 contains an unquoted service path which
allows att ...)
+ TODO: check
+CVE-2022-26633 (Simple Student Quarterly Result/Grade System v1.0 was
discovered to co ...)
+ TODO: check
+CVE-2022-26632 (Multi-Vendor Online Groceries Management System v1.0 was
discovered to ...)
+ TODO: check
CVE-2022-26631 (Automatic Question Paper Generator v1.0 contains a Time-Based
Blind SQ ...)
NOT-FOR-US: Automatic Question Paper Generator
CVE-2022-26630 (Jellycms v3.8.1 and below was discovered to contain an
arbitrary file ...)
@@ -16888,18 +16914,18 @@ CVE-2022-25235 (xmltok_impl.c in Expat (aka libexpat)
before 2.4.5 lacks certain
NOTE:
https://github.com/libexpat/libexpat/commit/3f0a0cb644438d4d8e3294cd0b1245d0edb0c6c6
NOTE:
https://github.com/libexpat/libexpat/commit/c85a3025e7a1be086dc34e7559fbc543914d047f
NOTE:
https://github.com/libexpat/libexpat/commit/6a5510bc6b7efe743356296724e0b38300f05379
-CVE-2022-25229
- RESERVED
+CVE-2022-25229 (Popcorn Time 0.4.7 has a Stored XSS in the 'Movies API
Server(s)'' fie ...)
+ TODO: check
CVE-2022-25228
RESERVED
-CVE-2022-25227
- RESERVED
+CVE-2022-25227 (Thinfinity VNC v4.0.0.1 contains a Cross-Origin Resource
Sharing (CORS ...)
+ TODO: check
CVE-2022-25226 (ThinVNC version 1.0b1 allows an unauthenticated user to bypass
the aut ...)
NOT-FOR-US: ThinVNC
CVE-2022-25225 (Network Olympus version 1.8.0 allows an authenticated admin
user to in ...)
NOT-FOR-US: Network Olympus
-CVE-2022-25224
- RESERVED
+CVE-2022-25224 (Proton v0.2.0 allows an attacker to create a malicious link
inside a m ...)
+ TODO: check
CVE-2022-25223 (Money Transfer Management System Version 1.0 allows an
authenticated u ...)
NOT-FOR-US: Money Transfer Management System
CVE-2022-25222 (Money Transfer Management System Version 1.0 allows an
unauthenticated ...)
@@ -17824,14 +17850,14 @@ CVE-2022-24908
RESERVED
CVE-2022-24907
RESERVED
-CVE-2022-24906
- RESERVED
-CVE-2022-24905
- RESERVED
-CVE-2022-24904
- RESERVED
+CVE-2022-24906 (Nextcloud Deck is a Kanban-style project & personal
management too ...)
+ TODO: check
+CVE-2022-24905 (Argo CD is a declarative, GitOps continuous delivery tool for
Kubernet ...)
+ TODO: check
+CVE-2022-24904 (Argo CD is a declarative, GitOps continuous delivery tool for
Kubernet ...)
NOT-FOR-US: Argo CD
CVE-2022-24903 (Rsyslog is a rocket-fast system for log processing. Modules
for TCP sy ...)
+ {DLA-3016-1}
- rsyslog 8.2204.1-1 (bug #1010619)
NOTE: https://www.openwall.com/lists/oss-security/2022/05/05/3
NOTE:
https://github.com/rsyslog/rsyslog/security/advisories/GHSA-ggw7-xr6h-mmr8#advisory-comment-72243
@@ -26857,8 +26883,8 @@ CVE-2022-22367
RESERVED
CVE-2022-22366
RESERVED
-CVE-2022-22365
- RESERVED
+CVE-2022-22365 (IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0, with
the Ajax ...)
+ TODO: check
CVE-2022-22364
RESERVED
CVE-2022-22363
@@ -36322,10 +36348,10 @@ CVE-2021-43731
RESERVED
CVE-2021-43730
RESERVED
-CVE-2021-43729
- RESERVED
-CVE-2021-43728
- RESERVED
+CVE-2021-43729 (Pix-Link MiNi Router 28K.MiniRouter.20190211 was discovered to
contain ...)
+ TODO: check
+CVE-2021-43728 (Pix-Link MiNi Router 28K.MiniRouter.20190211 was discovered to
contain ...)
+ TODO: check
CVE-2021-43727
RESERVED
CVE-2021-43726
@@ -50493,8 +50519,8 @@ CVE-2021-39045
RESERVED
CVE-2021-39044 (IBM Financial Transaction Manager 3.2.4 is vulnerable to
cross-site re ...)
NOT-FOR-US: IBM
-CVE-2021-39043
- RESERVED
+CVE-2021-39043 (IBM Jazz Team Server 6.0.6, 6.0.6.1, 7.0, 7.0.1, and 7.0.2 is
vulnerab ...)
+ TODO: check
CVE-2021-39042
RESERVED
CVE-2021-39041
@@ -73349,8 +73375,8 @@ CVE-2021-30030 (Cross Site Scripting (XSS) in Remote
Clinic v2.0 via the Full Na
NOT-FOR-US: Remote Clinic
CVE-2021-30029
RESERVED
-CVE-2021-30028
- RESERVED
+CVE-2021-30028 (SOOTEWAY Wi-Fi Range Extender v1.5 was discovered to use
default crede ...)
+ TODO: check
CVE-2021-30027 (md_analyze_line in md4c.c in md4c 0.4.7 allows attackers to
trigger us ...)
- md4c 0.4.7-2 (bug #987799)
NOTE: https://github.com/mity/md4c/issues/155
@@ -118542,7 +118568,7 @@ CVE-2020-24656 (Maltego before 4.2.12 allows XXE
attacks. ...)
CVE-2020-24655 (A race condition in the Twilio Authy 2-Factor Authentication
applicati ...)
NOT-FOR-US: Twilio Authy 2-Factor Authentication app
CVE-2020-24654 (In KDE Ark before 20.08.1, a crafted TAR archive with symlinks
can ins ...)
- {DSA-4759-1}
+ {DSA-4759-1 DLA-3015-1}
- ark 4:20.08.1-1 (bug #969437)
NOTE:
https://github.com/KDE/ark/commit/8bf8c5ef07b0ac5e914d752681e470dea403a5bd
NOTE: https://kde.org/info/security/advisory-20200827-1.txt
@@ -136849,7 +136875,7 @@ CVE-2020-16117 (In GNOME evolution-data-server before
3.35.91, a malicious serve
NOTE:
https://gitlab.gnome.org/GNOME/evolution-data-server/-/commit/627c3cdbfd077e59aa288c85ff8272950577f1d7
NOTE: https://gitlab.gnome.org/GNOME/evolution-data-server/-/issues/189
CVE-2020-16116 (In kerfuffle/jobs.cpp in KDE Ark before 20.08.0, a crafted
archive can ...)
- {DSA-4738-1}
+ {DSA-4738-1 DLA-3015-1}
- ark 4:20.04.3-1
NOTE: https://kde.org/info/security/advisory-20200730-1.txt
NOTE:
https://invent.kde.org/utilities/ark/-/commit/0df592524fed305d6fbe74ddf8a196bc9ffdb92f
@@ -244749,6 +244775,7 @@ CVE-2018-16882 (A use-after-free issue was found in
the way the Linux kernel's K
NOTE: https://marc.info/?l=kvm&m=154514994222809&w=2
NOTE: Fixed by:
https://git.kernel.org/linus/c2dd5146e9fe1f22c77c1b011adf84eea0245806
CVE-2018-16881 (A denial of service vulnerability was found in rsyslog in the
imptcp m ...)
+ {DLA-3016-1}
- rsyslog 8.27.0-2
[jessie] - rsyslog <not-affected> (Vulnerable code introduced in 8.13.1)
NOTE: Fixed by:
https://github.com/rsyslog/rsyslog/commit/0381a0de64a5a048c3d48b79055bd9848d0c7fc2
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9b3b80d9b6c7fe3b45e5a2fb61247754f37a1ef1
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9b3b80d9b6c7fe3b45e5a2fb61247754f37a1ef1
You're receiving this email because of your account on salsa.debian.org.
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
