Salvatore Bonaccorso pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
14a1bfef by security tracker role at 2023-01-31T08:10:17+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,3 +1,15 @@
+CVE-2023-24833
+ RESERVED
+CVE-2023-24832
+ RESERVED
+CVE-2023-0587
+ RESERVED
+CVE-2023-0586
+ RESERVED
+CVE-2023-0585
+ RESERVED
+CVE-2016-15023
+ RESERVED
CVE-2023-24831
RESERVED
CVE-2023-24828
@@ -475,8 +487,8 @@ CVE-2023-0573
RESERVED
CVE-2023-0572 (Unchecked Error Condition in GitHub repository froxlor/froxlor
prior t ...)
- froxlor <itp> (bug #581792)
-CVE-2022-4898
- RESERVED
+CVE-2022-4898 (In affected versions of Octopus Server the help sidebar can be
customi ...)
+ TODO: check
CVE-2022-48304
RESERVED
CVE-2022-48303 (GNU Tar through 1.34 has a one-byte out-of-bounds read that
results in ...)
@@ -1083,16 +1095,16 @@ CVE-2023-24467
RESERVED
CVE-2023-24466
RESERVED
-CVE-2023-24020
- RESERVED
-CVE-2023-23582
- RESERVED
-CVE-2023-22389
- RESERVED
+CVE-2023-24020 (Snap One Wattbox WB-300-IP-3 versions WB10.9a17 and prior
could bypass ...)
+ TODO: check
+CVE-2023-23582 (Snap One Wattbox WB-300-IP-3 versions WB10.9a17 and prior are
vulnerab ...)
+ TODO: check
+CVE-2023-22389 (Snap One Wattbox WB-300-IP-3 versions WB10.9a17 and prior
store passwo ...)
+ TODO: check
CVE-2023-22371
RESERVED
-CVE-2023-22315
- RESERVED
+CVE-2023-22315 (Snap One Wattbox WB-300-IP-3 versions WB10.9a17 and prior use
a propri ...)
+ TODO: check
CVE-2023-0456
RESERVED
CVE-2023-0455 (Unrestricted Upload of File with Dangerous Type in GitHub
repository u ...)
@@ -1952,7 +1964,7 @@ CVE-2023-0435 (Excessive Attack Surface in GitHub
repository pyload/pyload prior
CVE-2022-4895
RESERVED
CVE-2022-48281 (processCropSelections in tools/tiffcrop.c in LibTIFF through
4.5.0 has ...)
- {DSA-5333-1}
+ {DSA-5333-1 DLA-3297-1}
- tiff 4.5.0-4 (bug #1029653)
NOTE:
https://gitlab.com/libtiff/libtiff/-/commit/d1b6b9c1b3cae2d9e37754506c1ad8f4f7b646b5
NOTE: https://gitlab.com/libtiff/libtiff/-/issues/488
@@ -2048,6 +2060,7 @@ CVE-2023-24040 (** UNSUPPORTED WHEN ASSIGNED **
dtprintinfo in Common Desktop En
CVE-2023-24039 (** UNSUPPORTED WHEN ASSIGNED ** A stack-based buffer overflow
in Parse ...)
NOT-FOR-US: Oracle
CVE-2023-24038 (The HTML-StripScripts module through 1.06 for Perl allows
_hss_attval_ ...)
+ {DLA-3296-1}
- libhtml-stripscripts-perl 1.06-4 (bug #1029400)
NOTE: https://github.com/clintongormley/perl-html-stripscripts/issues/3
NOTE: https://github.com/clintongormley/perl-html-stripscripts/pull/4
@@ -6140,8 +6153,8 @@ CVE-2023-0099
RESERVED
CVE-2023-0098
RESERVED
-CVE-2023-0097
- RESERVED
+CVE-2023-0097 (The Post Grid, Post Carousel, & List Category Posts
WordPress plug ...)
+ TODO: check
CVE-2023-0096
RESERVED
CVE-2023-0095
@@ -6382,14 +6395,14 @@ CVE-2023-0076
RESERVED
CVE-2023-0075
RESERVED
-CVE-2023-0074
- RESERVED
+CVE-2023-0074 (The WP Social Widget WordPress plugin before 2.2.4 does not
validate a ...)
+ TODO: check
CVE-2023-0073
RESERVED
CVE-2023-0072
RESERVED
-CVE-2023-0071
- RESERVED
+CVE-2023-0071 (The WP Tabs WordPress plugin before 2.1.17 does not validate
and escap ...)
+ TODO: check
CVE-2023-0070
RESERVED
CVE-2023-0069
@@ -6506,8 +6519,8 @@ CVE-2022-4874 (Authentication bypass in Netcomm router
models NF20MESH, NF20, an
NOT-FOR-US: Netcomm
CVE-2022-4873 (On Netcomm router models NF20MESH, NF20, and NL1902 a stack
based buff ...)
NOT-FOR-US: Netcomm
-CVE-2022-4872
- RESERVED
+CVE-2022-4872 (The Chained Products WordPress plugin before 2.12.0 does not
have auth ...)
+ TODO: check
CVE-2022-48217 (** DISPUTED ** The tf_remapper_node component 1.1.1 for Robot
Operatin ...)
NOT-FOR-US: ROS tf_remapper_node
CVE-2022-48216 (Uniswap Universal Router before 1.1.0 mishandles reentrancy.
This woul ...)
@@ -6617,8 +6630,8 @@ CVE-2012-10002 (A vulnerability was found in ahmyi
RivetTracker. It has been dec
NOT-FOR-US: ahmyi RivetTracker
CVE-2023-0034
RESERVED
-CVE-2023-0033
- RESERVED
+CVE-2023-0033 (The PDF Viewer WordPress plugin before 1.0.0 does not validate
and esc ...)
+ TODO: check
CVE-2022-4870
RESERVED
CVE-2015-10011 (A vulnerability classified as problematic has been found in
OpenDNS Op ...)
@@ -6986,20 +6999,20 @@ CVE-2023-22488 (Flarum is a forum software for building
communities. Using the n
CVE-2023-22487 (Flarum is a forum software for building communities. Using the
mention ...)
NOT-FOR-US: Flarum
CVE-2023-22486 (cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and
renderin ...)
- - cmark-gfm <unfixed>
+ - cmark-gfm <unfixed>
NOTE:
https://github.com/github/cmark-gfm/security/advisories/GHSA-r572-jvj2-3m8p
NOTE:
https://github.com/github/cmark-gfm/commit/ece074cc3378f7a8dec0395f00123e9fa6981f7b
(0.29.0.gfm.7)
TODO: check other codebase, python-cmarkgfm, ghostwriter,
ruby-commonmarker and r-cran-commonmark
CVE-2023-22485 (cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and
renderin ...)
- - cmark-gfm <unfixed>
+ - cmark-gfm <unfixed>
NOTE:
https://github.com/github/cmark-gfm/security/advisories/GHSA-c944-cv5f-hpvr
TODO: check other codebase, python-cmarkgfm, ghostwriter,
ruby-commonmarker and r-cran-commonmark
CVE-2023-22484 (cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and
renderin ...)
- - cmark-gfm <unfixed>
+ - cmark-gfm <unfixed>
NOTE:
https://github.com/github/cmark-gfm/security/advisories/GHSA-24f7-9frr-5h2r
TODO: check other codebase, python-cmarkgfm, ghostwriter,
ruby-commonmarker and r-cran-commonmark
CVE-2023-22483 (cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and
renderin ...)
- - cmark-gfm <unfixed>
+ - cmark-gfm <unfixed>
NOTE:
https://github.com/github/cmark-gfm/security/advisories/GHSA-29g3-96g3-jg6c
TODO: check other codebase, python-cmarkgfm, ghostwriter,
ruby-commonmarker and r-cran-commonmark
CVE-2023-22482 (Argo CD is a declarative, GitOps continuous delivery tool for
Kubernet ...)
@@ -7058,26 +7071,26 @@ CVE-2022-4839 (Cross-site Scripting (XSS) - Stored in
GitHub repository usememos
NOT-FOR-US: usememos
CVE-2022-4838
RESERVED
-CVE-2022-4837
- RESERVED
+CVE-2022-4837 (The CPO Companion WordPress plugin before 1.1.0 does not
validate and ...)
+ TODO: check
CVE-2022-4836
RESERVED
-CVE-2022-4835
- RESERVED
-CVE-2022-4834
- RESERVED
+CVE-2022-4835 (The Social Sharing Toolkit WordPress plugin through 2.6 does
not valid ...)
+ TODO: check
+CVE-2022-4834 (The CPT Bootstrap Carousel WordPress plugin through 1.12 does
not vali ...)
+ TODO: check
CVE-2022-4833
RESERVED
CVE-2022-4832 (The Store Locator WordPress plugin before 1.4.9 does not
validate and ...)
NOT-FOR-US: WordPress plugin
-CVE-2022-4831
- RESERVED
+CVE-2022-4831 (The Custom User Profile Fields for User Registration WordPress
plugin ...)
+ TODO: check
CVE-2022-4830
RESERVED
CVE-2022-4829
RESERVED
-CVE-2022-4828
- RESERVED
+CVE-2022-4828 (The Bold Timeline Lite WordPress plugin before 1.1.5 does not
validate ...)
+ TODO: check
CVE-2022-4827
RESERVED
CVE-2022-4826
@@ -7196,10 +7209,10 @@ CVE-2022-48178
RESERVED
CVE-2022-48177
RESERVED
-CVE-2022-48176
- RESERVED
-CVE-2022-48175
- RESERVED
+CVE-2022-48176 (Netgear routers R7000P before v1.3.3.154, R6900P before
v1.3.3.154, R7 ...)
+ TODO: check
+CVE-2022-48175 (Rukovoditel v3.2.1 was discovered to contain a remote code
execution ( ...)
+ TODO: check
CVE-2022-48174
RESERVED
CVE-2022-48173
@@ -7536,8 +7549,8 @@ CVE-2022-48008 (An arbitrary file upload vulnerability in
the plugin manager of
- limesurvey <itp> (bug #472802)
CVE-2022-48007 (A stored cross-site scripting (XSS) vulnerability in
identification.ph ...)
- piwigo <removed>
-CVE-2022-48006
- RESERVED
+CVE-2022-48006 (An arbitrary file upload vulnerability in taocms v3.0.2 allows
attacke ...)
+ TODO: check
CVE-2022-48005
RESERVED
CVE-2022-48004
@@ -7650,12 +7663,12 @@ CVE-2022-4796 (Incorrect Use of Privileged APIs in
GitHub repository usememos/me
NOT-FOR-US: usememos
CVE-2022-4795
RESERVED
-CVE-2022-4794
- RESERVED
-CVE-2022-4793
- RESERVED
-CVE-2022-4792
- RESERVED
+CVE-2022-4794 (The AAWP WordPress plugin before 3.12.3 can be used to abuse
trusted d ...)
+ TODO: check
+CVE-2022-4793 (The Blog Designer WordPress plugin before 2.4.1 does not
validate and ...)
+ TODO: check
+CVE-2022-4792 (The News & Blog Designer Pack WordPress plugin before 3.3
does not ...)
+ TODO: check
CVE-2022-4791
RESERVED
CVE-2022-4790 (The WP Google My Business Auto Publish WordPress plugin before
3.4 doe ...)
@@ -7664,8 +7677,8 @@ CVE-2022-4789 (The WPZOOM Portfolio WordPress plugin
before 1.2.2 does not valid
NOT-FOR-US: WordPress plugin
CVE-2022-4788
RESERVED
-CVE-2022-4787
- RESERVED
+CVE-2022-4787 (Themify Shortcodes WordPress plugin before 2.0.8 does not
validate and ...)
+ TODO: check
CVE-2022-4786
RESERVED
CVE-2022-4785
@@ -7676,8 +7689,8 @@ CVE-2022-4783
RESERVED
CVE-2022-4782
RESERVED
-CVE-2022-4781
- RESERVED
+CVE-2022-4781 (The Accordion Shortcodes WordPress plugin through 2.4.2 does
not valid ...)
+ TODO: check
CVE-2022-4780 (ISOS firmwares from versions 1.81 to 2.00 contain hardcoded
credential ...)
NOT-FOR-US: ISOS firmwares
CVE-2022-4779 (StreamX applications from versions 6.02.01 to 6.04.34 are
affected by ...)
@@ -7800,8 +7813,8 @@ CVE-2022-47969
RESERVED
CVE-2022-4777
RESERVED
-CVE-2022-4776
- RESERVED
+CVE-2022-4776 (The CC Child Pages WordPress plugin before 1.43 does not
validate and ...)
+ TODO: check
CVE-2022-4775 (The GeoDirectory WordPress plugin before 2.2.22 does not
validate and ...)
NOT-FOR-US: WordPress plugin
CVE-2022-4774
@@ -7819,11 +7832,13 @@ CVE-2022-4769
CVE-2022-4768 (A vulnerability was found in Dropbox merou. It has been
classified as ...)
NOT-FOR-US: Dropbox merou
CVE-2022-47318 (ruby-git versions prior to v1.13.0 allows a remote
authenticated attac ...)
+ {DLA-3303-1}
- ruby-git 1.13.1-1
[bullseye] - ruby-git <no-dsa> (Minor issue)
NOTE: https://github.com/ruby-git/ruby-git/pull/602
NOTE:
https://github.com/ruby-git/ruby-git/commit/4fe8738e8348567255ab4be25867684b5d0d282d
(v1.13.0)
CVE-2022-46648 (ruby-git versions prior to v1.13.0 allows a remote
authenticated attac ...)
+ {DLA-3303-1}
- ruby-git 1.13.1-1
[bullseye] - ruby-git <no-dsa> (Minor issue)
NOTE: https://github.com/ruby-git/ruby-git/pull/602
@@ -7914,12 +7929,12 @@ CVE-2022-4767 (Denial of Service in GitHub repository
usememos/memos prior to 0.
NOT-FOR-US: usememos
CVE-2022-4766 (A vulnerability was found in dolibarr_project_timesheet up to
4.5.5. I ...)
NOT-FOR-US: dolibarr_project_timesheet
-CVE-2022-4765
- RESERVED
+CVE-2022-4765 (The Portfolio for Elementor WordPress plugin before 2.3.1 does
not val ...)
+ TODO: check
CVE-2022-4764
RESERVED
-CVE-2022-4763
- RESERVED
+CVE-2022-4763 (The Icon Widget WordPress plugin before 1.3.0 does not validate
and es ...)
+ TODO: check
CVE-2022-4762
RESERVED
CVE-2022-4761
@@ -7946,8 +7961,8 @@ CVE-2022-4751 (The Word Balloon WordPress plugin before
4.19.3 does not validate
NOT-FOR-US: WordPress plugin
CVE-2022-4750
RESERVED
-CVE-2022-4749
- RESERVED
+CVE-2022-4749 (The Posts List Designer by Category WordPress plugin before 3.2
does n ...)
+ TODO: check
CVE-2022-4748 (A vulnerability was found in FlatPress. It has been classified
as crit ...)
NOT-FOR-US: FlatPress
CVE-2022-4747
@@ -8064,6 +8079,7 @@ CVE-2022-47952 (lxc-user-nic in lxc through 5.0.1 is
installed setuid root, and
NOTE:
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1783591/comments/45
NOTE: Different issue than CVE-2018-6556
CVE-2022-47951 (An issue was discovered in OpenStack Cinder before 19.1.2,
20.x before ...)
+ {DLA-3302-1 DLA-3301-1 DLA-3300-1}
- nova 2:26.0.0-6 (bug #1029561)
- cinder 2:21.0.0-3 (bug #1029562)
- glance 2:25.0.0-2 (bug #1029563)
@@ -8186,8 +8202,8 @@ CVE-2022-4701 (The Royal Elementor Addons plugin for
WordPress is vulnerable to
NOT-FOR-US: Royal Elementor Addons plugin for WordPress
CVE-2022-4700 (The Royal Elementor Addons plugin for WordPress is vulnerable
to insuf ...)
NOT-FOR-US: Royal Elementor Addons plugin for WordPress
-CVE-2022-4699
- RESERVED
+CVE-2022-4699 (The MediaElement.js WordPress plugin through 4.2.8 does not
validate a ...)
+ TODO: check
CVE-2022-4698 (The ProfilePress plugin for WordPress is vulnerable to Stored
Cross-Si ...)
NOT-FOR-US: ProfilePress plugin for WordPress
CVE-2022-4697 (The ProfilePress plugin for WordPress is vulnerable to Stored
Cross-Si ...)
@@ -8285,8 +8301,8 @@ CVE-2022-47927 (An issue was discovered in MediaWiki
before 1.35.9, 1.36.x throu
NOTE: https://phabricator.wikimedia.org/T322637
CVE-2022-47914
RESERVED
-CVE-2022-4680
- RESERVED
+CVE-2022-4680 (The Revive Old Posts WordPress plugin before 9.0.11
unserializes user ...)
+ TODO: check
CVE-2022-4679
RESERVED
CVE-2022-4678
@@ -8309,16 +8325,16 @@ CVE-2022-4673 (The Rate my Post WordPress plugin before
3.3.9 does not validate
NOT-FOR-US: WordPress plugin
CVE-2022-4672 (The WordPress Simple Shopping Cart WordPress plugin before
4.6.2 does ...)
NOT-FOR-US: WordPress plugin
-CVE-2022-4671
- RESERVED
+CVE-2022-4671 (The PixCodes WordPress plugin before 2.3.7 does not validate
and escap ...)
+ TODO: check
CVE-2022-4670
RESERVED
CVE-2022-4669
RESERVED
CVE-2022-4668 (The Easy Appointments WordPress plugin before 3.11.2 does not
validate ...)
NOT-FOR-US: WordPress plugin
-CVE-2022-4667
- RESERVED
+CVE-2022-4667 (The RSS Aggregator by Feedzy WordPress plugin before 4.1.1 does
not va ...)
+ TODO: check
CVE-2022-4666
RESERVED
CVE-2022-4665 (Unrestricted Upload of File with Dangerous Type in GitHub
repository a ...)
@@ -8370,18 +8386,18 @@ CVE-2022-4656
RESERVED
CVE-2022-4655 (The Welcart e-Commerce WordPress plugin before 2.8.9 does not
validate ...)
NOT-FOR-US: WordPress plugin
-CVE-2022-4654
- RESERVED
+CVE-2022-4654 (The Pricing Tables WordPress Plugin WordPress plugin before
3.2.3 does ...)
+ TODO: check
CVE-2022-4653 (The Greenshift WordPress plugin before 4.8.9 does not validate
and esc ...)
NOT-FOR-US: WordPress plugin
CVE-2022-4652
RESERVED
-CVE-2022-4651
- RESERVED
+CVE-2022-4651 (The Justified Gallery WordPress plugin before 1.7.1 does not
validate ...)
+ TODO: check
CVE-2022-4650 (The HashBar WordPress plugin before 1.3.6 does not validate and
escape ...)
NOT-FOR-US: WordPress plugin
-CVE-2022-4649
- RESERVED
+CVE-2022-4649 (The WP Extended Search WordPress plugin before 2.1.2 does not
validate ...)
+ TODO: check
CVE-2020-36625 (** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in
destiny.g ...)
NOT-FOR-US: destiny.gg chat
CVE-2020-36624 (A vulnerability was found in ahorner text-helpers up to 1.0.x.
It has ...)
@@ -10631,10 +10647,10 @@ CVE-2022-4555 (The WP Shamsi plugin for WordPress is
vulnerable to authorization
NOT-FOR-US: WP Shamsi plugin for WordPress
CVE-2022-4554 (B2B Customer Ordering System developed by ID Software Project
and Cons ...)
NOT-FOR-US: B2B Customer Ordering System
-CVE-2022-4553
- RESERVED
-CVE-2022-4552
- RESERVED
+CVE-2022-4553 (The FL3R FeelBox WordPress plugin through 8.1 does not have
CSRF check ...)
+ TODO: check
+CVE-2022-4552 (The FL3R FeelBox WordPress plugin through 8.1 does not have
CSRF check ...)
+ TODO: check
CVE-2022-4551
RESERVED
CVE-2022-4550
@@ -11008,8 +11024,8 @@ CVE-2022-4498 (In TP-Link routers, Archer C5 and
WR710N-V1, running the latest a
NOT-FOR-US: TP-Link
CVE-2022-4497 (The Jetpack CRM WordPress plugin before 5.5 does not validate
and esca ...)
NOT-FOR-US: WordPress plugin
-CVE-2022-4496
- RESERVED
+CVE-2022-4496 (The SAML SSO Standard WordPress plugin version 16.0.0 before
16.0.8, S ...)
+ TODO: check
CVE-2022-4495 (A vulnerability, which was classified as problematic, has been
found i ...)
NOT-FOR-US: collective.dms.basecontent
CVE-2022-4494 (A vulnerability, which was classified as critical, has been
found in b ...)
@@ -11194,12 +11210,12 @@ CVE-2022-4474 (The Easy Social Feed WordPress plugin
before 6.4.0 does not valid
NOT-FOR-US: WordPress plugin
CVE-2022-4473
RESERVED
-CVE-2022-4472
- RESERVED
+CVE-2022-4472 (The Simple Sitemap WordPress plugin before 3.5.8 does not
validate and ...)
+ TODO: check
CVE-2022-4471
RESERVED
-CVE-2022-4470
- RESERVED
+CVE-2022-4470 (The Widgets for Google Reviews WordPress plugin before 9.8 does
not va ...)
+ TODO: check
CVE-2022-4469 (The Simple Membership WordPress plugin before 4.2.2 does not
validate ...)
NOT-FOR-US: WordPress plugin
CVE-2022-4468 (The WP Recipe Maker WordPress plugin before 8.6.1 does not
validate an ...)
@@ -11720,8 +11736,8 @@ CVE-2022-44454
RESERVED
CVE-2022-44450
RESERVED
-CVE-2022-4441
- RESERVED
+CVE-2022-4441 (Incorrect Privilege Assignment vulnerability in Hitachi Storage
Plug-i ...)
+ TODO: check
CVE-2022-4440 (Use after free in Profiles in Google Chrome prior to
108.0.5359.124 al ...)
{DSA-5302-1}
- chromium 108.0.5359.124-1
@@ -12521,8 +12537,8 @@ CVE-2022-46894
RESERVED
CVE-2022-46893
RESERVED
-CVE-2022-4395
- RESERVED
+CVE-2022-4395 (The Membership For WooCommerce WordPress plugin before 2.1.7
does not ...)
+ TODO: check
CVE-2022-4394 (The iPages Flipbook For WordPress plugin through 1.4.6 does not
saniti ...)
NOT-FOR-US: WordPress plugin
CVE-2022-4393 (The ImageLinks Interactive Image Builder for WordPress plugin
through ...)
@@ -13353,8 +13369,8 @@ CVE-2022-4308
RESERVED
CVE-2022-4307 (The پلاگین
پرد&# ...)
NOT-FOR-US: WordPress plugin
-CVE-2022-4306
- RESERVED
+CVE-2022-4306 (The Panda Pods Repeater Field WordPress plugin before 1.5.4
does not s ...)
+ TODO: check
CVE-2022-4305 (The Login as User or Customer WordPress plugin before 3.3 lacks
author ...)
NOT-FOR-US: WordPress plugin
CVE-2022-4304
@@ -15610,8 +15626,8 @@ CVE-2022-4139 (An incorrect TLB flush issue was found
in the Linux kernel’
[buster] - linux <not-affected> (Vulnerable code not present, only
affects gen12 video and compute engines)
NOTE: https://www.openwall.com/lists/oss-security/2022/11/30/1
NOTE:
https://git.kernel.org/linus/04aa64375f48a5d430b5550d9271f8428883e550
-CVE-2022-45897
- RESERVED
+CVE-2022-45897 (On Xerox WorkCentre 3550 25.003.03.000 devices, an
authenticated attac ...)
+ TODO: check
CVE-2022-45896 (Planet eStream before 6.72.10.07 allows unauthenticated upload
of arbi ...)
NOT-FOR-US: Planet eStream
CVE-2022-45895 (Planet eStream before 6.72.10.07 discloses sensitive
information, rela ...)
@@ -15903,8 +15919,8 @@ CVE-2022-45791
RESERVED
CVE-2022-45790
RESERVED
-CVE-2022-45789
- RESERVED
+CVE-2022-45789 (A CWE-294: Authentication Bypass by Capture-replay
vulnerability exist ...)
+ TODO: check
CVE-2022-45788 (A CWE-754: Improper Check for Unusual or Exceptional
Conditions vulner ...)
TODO: check
CVE-2022-45787 (Unproper laxist permissions on the temporary files used by
MIME4J Temp ...)
@@ -16761,8 +16777,8 @@ CVE-2022-4043 (The WP Custom Admin Interface WordPress
plugin before 7.29 unseri
NOT-FOR-US: WordPress plugin
CVE-2022-4042 (The Paytium: Mollie payment forms & donations WordPress
plugin thr ...)
NOT-FOR-US: WordPress plugin
-CVE-2022-4041
- RESERVED
+CVE-2022-4041 (Incorrect Privilege Assignment vulnerability in Hitachi Storage
Plug-i ...)
+ TODO: check
CVE-2022-4040
RESERVED
CVE-2022-4039
@@ -18632,8 +18648,8 @@ CVE-2022-44899
RESERVED
CVE-2022-44898 (The MsIo64.sys component in Asus Aura Sync through v1.07.79
does not p ...)
NOT-FOR-US: Asus Aura Sync
-CVE-2022-44897
- RESERVED
+CVE-2022-44897 (A cross-site scripting (XSS) vulnerability in ApolloTheme AP
PageBuild ...)
+ TODO: check
CVE-2022-44896
RESERVED
CVE-2022-44895
@@ -20608,18 +20624,21 @@ CVE-2022-44573
RESERVED
CVE-2022-44572 [rack: Forbid control characters in attributes]
RESERVED
+ {DLA-3298-1}
- ruby-rack <unfixed> (bug #1029832)
NOTE:
https://github.com/rack/rack/commit/dc50f8e495f67eb933b1fc33ebee550908d945e6
(v2.0.9.2)
NOTE:
https://github.com/rack/rack/commit/8291f502b0e1dcf514cc25c34e4bf0beec7a92ae
(v2.1.4.2)
NOTE:
https://github.com/rack/rack/commit/19e49f0f185d7e42ed5b402baec6c897a8c48029
(v2.2.6.1)
CVE-2022-44571 [rack: Fix ReDoS vulnerability in multipart parser]
RESERVED
+ {DLA-3298-1}
- ruby-rack <unfixed> (bug #1029832)
NOTE:
https://github.com/rack/rack/commit/4e33ad10bf5f16d25c156f905bcc548e7f787bc3
(v2.0.9.2)
NOTE:
https://github.com/rack/rack/commit/9b5fb5c7ef0e39b959a6c5c0005d9af44a29d6f8
(v2.1.4.2)
NOTE:
https://github.com/rack/rack/commit/ee25ab9a7ee981d7578f559701085b0cf39bde77
(v2.2.6.1)
CVE-2022-44570 [rack: Fix ReDoS in Rack::Utils.get_byte_ranges]
RESERVED
+ {DLA-3298-1}
- ruby-rack <unfixed> (bug #1029832)
NOTE:
https://github.com/rack/rack/commit/52721ae0b730e3920ad5375dfd5a3ea9b4f9e359
(v2.0.9.2)
NOTE:
https://github.com/rack/rack/commit/f66ef5c8255dcea82c1b2665fc9ab948b76bb437
(v2.1.4.2)
@@ -33681,8 +33700,8 @@ CVE-2022-40260
RESERVED
CVE-2022-40259 (AMI MegaRAC Redfish Arbitrary Code Execution ...)
NOT-FOR-US: AMI MegaRAC Redfish
-CVE-2022-40258
- RESERVED
+CVE-2022-40258 (AMI Megarac Weak password hashes for Redfish & API ...)
+ TODO: check
CVE-2022-40257 (An HTML injection vulnerability exists in CERT/CC VINCE
software prior ...)
NOT-FOR-US: CERT/CC VINCE
CVE-2022-40256
@@ -34048,14 +34067,14 @@ CVE-2022-3144 (The Wordfence Security –
Firewall & Malware Scan plugin
NOT-FOR-US: WordPress plugin
CVE-2022-3143 (wildfly-elytron: possible timing attacks via use of unsafe
comparator. ...)
NOT-FOR-US: WildFly Elytron
-CVE-2022-40137
- RESERVED
-CVE-2022-40136
- RESERVED
-CVE-2022-40135
- RESERVED
-CVE-2022-40134
- RESERVED
+CVE-2022-40137 (A buffer overflow in the WMI SMI Handler in some Lenovo models
may all ...)
+ TODO: check
+CVE-2022-40136 (An information leak vulnerability in SMI Handler used to
configure pla ...)
+ TODO: check
+CVE-2022-40135 (An information leak vulnerability in the Smart USB Protection
SMI Hand ...)
+ TODO: check
+CVE-2022-40134 (An information leak vulnerability in the SMI Set BIOS Password
SMI Han ...)
+ TODO: check
CVE-2022-40127 (A vulnerability in Example Dags of Apache Airflow allows an
attacker w ...)
- airflow <itp> (bug #819700)
CVE-2022-38972 (Cross-site scripting vulnerability in Movable Type plugin
A-Form versi ...)
@@ -48319,16 +48338,16 @@ CVE-2022-34890 (This vulnerability allows local
attackers to disclose sensitive
NOT-FOR-US: Parallels
CVE-2022-34889 (This vulnerability allows local attackers to escalate
privileges on af ...)
NOT-FOR-US: Parallels
-CVE-2022-34888
- RESERVED
+CVE-2022-34888 (The Remote Mount feature can potentially be abused by valid,
authentic ...)
+ TODO: check
CVE-2022-34887
RESERVED
CVE-2022-34886
RESERVED
-CVE-2022-34885
- RESERVED
-CVE-2022-34884
- RESERVED
+CVE-2022-34885 (An improper input sanitization vulnerability in the Motorola
MR2600 ro ...)
+ TODO: check
+CVE-2022-34884 (A buffer overflow exists in the Remote Presence subsystem
which can po ...)
+ TODO: check
CVE-2022-34883 (OS Command Injection vulnerability in Hitachi RAID Manager
Storage Rep ...)
NOT-FOR-US: Hitachi
CVE-2022-34882 (Information Exposure Through an Error Message vulnerability in
Hitachi ...)
@@ -53987,10 +54006,10 @@ CVE-2022-32749 (Improper Check for Unusual or
Exceptional Conditions vulnerabili
NOTE: https://github.com/apache/trafficserver/pull/9243
NOTE:
https://github.com/apache/trafficserver/commit/71a80d1abb3fbcb2e30ff850c8bca0a371589b5a
(master)
NOTE:
https://github.com/apache/trafficserver/commit/590f87304b233791169af3d5899c5ba135bb61fa
(9.1.x)
-CVE-2022-32748
- RESERVED
-CVE-2022-32747
- RESERVED
+CVE-2022-32748 (A CWE-295: Improper Certificate Validation vulnerability
exists that c ...)
+ TODO: check
+CVE-2022-32747 (A CWE-290: Authentication Bypass by Spoofing vulnerability
exists that ...)
+ TODO: check
CVE-2022-32746 (A flaw was found in the Samba AD LDAP server. The AD DC
database audit ...)
{DSA-5205-1}
- samba 2:4.16.4+dfsg-1 (bug #1016449)
@@ -54551,42 +54570,42 @@ CVE-2022-2014 (Code Injection in GitHub repository
jgraph/drawio prior to 19.0.2
NOT-FOR-US: jgraph/drawio
CVE-2022-32530 (A CWE-668 Exposure of Resource to Wrong Sphere vulnerability
exists th ...)
NOT-FOR-US: Geo SCADA Mobile
-CVE-2022-32529
- RESERVED
-CVE-2022-32528
- RESERVED
-CVE-2022-32527
- RESERVED
-CVE-2022-32526
- RESERVED
-CVE-2022-32525
- RESERVED
-CVE-2022-32524
- RESERVED
-CVE-2022-32523
- RESERVED
-CVE-2022-32522
- RESERVED
-CVE-2022-32521
- RESERVED
-CVE-2022-32520
- RESERVED
-CVE-2022-32519
- RESERVED
-CVE-2022-32518
- RESERVED
-CVE-2022-32517
- RESERVED
-CVE-2022-32516
- RESERVED
-CVE-2022-32515
- RESERVED
-CVE-2022-32514
- RESERVED
-CVE-2022-32513
- RESERVED
-CVE-2022-32512
- RESERVED
+CVE-2022-32529 (A CWE-120: Buffer Copy without Checking Size of Input
vulnerability ex ...)
+ TODO: check
+CVE-2022-32528 (A CWE-306: Missing Authentication for Critical Function
vulnerability ...)
+ TODO: check
+CVE-2022-32527 (A CWE-120: Buffer Copy without Checking Size of Input
vulnerability ex ...)
+ TODO: check
+CVE-2022-32526 (A CWE-120: Buffer Copy without Checking Size of Input
vulnerability ex ...)
+ TODO: check
+CVE-2022-32525 (A CWE-120: Buffer Copy without Checking Size of Input
vulnerability ex ...)
+ TODO: check
+CVE-2022-32524 (A CWE-120: Buffer Copy without Checking Size of Input
vulnerability ex ...)
+ TODO: check
+CVE-2022-32523 (A CWE-120: Buffer Copy without Checking Size of Input
vulnerability ex ...)
+ TODO: check
+CVE-2022-32522 (A CWE-120: Buffer Copy without Checking Size of Input
vulnerability ex ...)
+ TODO: check
+CVE-2022-32521 (A CWE 502: Deserialization of Untrusted Data vulnerability
exists that ...)
+ TODO: check
+CVE-2022-32520 (A CWE-522: Insufficiently Protected Credentials vulnerability
exists t ...)
+ TODO: check
+CVE-2022-32519 (A CWE-257: Storing Passwords in a Recoverable Format
vulnerability exi ...)
+ TODO: check
+CVE-2022-32518 (A CWE-522: Insufficiently Protected Credentials vulnerability
exists t ...)
+ TODO: check
+CVE-2022-32517 (A CWE-1021: Improper Restriction of Rendered UI Layers or
Frames vulne ...)
+ TODO: check
+CVE-2022-32516 (A CWE-352: Cross-Site Request Forgery (CSRF) vulnerability
exists that ...)
+ TODO: check
+CVE-2022-32515 (A CWE-307: Improper Restriction of Excessive Authentication
Attempts v ...)
+ TODO: check
+CVE-2022-32514 (A CWE-287: Improper Authentication vulnerability exists that
could all ...)
+ TODO: check
+CVE-2022-32513 (A CWE-521: Weak Password Requirements vulnerability exists
that could ...)
+ TODO: check
+CVE-2022-32512 (A CWE-119: Improper Restriction of Operations within the
Bounds of a M ...)
+ TODO: check
CVE-2022-32511 (jmespath.rb (aka JMESPath for Ruby) before 1.6.1 uses
JSON.load in a s ...)
- ruby-jmespath 1.6.1-1 (bug #1014807)
[bullseye] - ruby-jmespath <no-dsa> (Minor issue)
@@ -58704,6 +58723,7 @@ CVE-2022-31131 (Nextcloud mail is a Mail app for the
Nextcloud home server produ
CVE-2022-31130 (Grafana is an open source observability and data visualization
platfor ...)
- grafana <removed>
CVE-2022-31129 (moment is a JavaScript date library for parsing, validating,
manipulat ...)
+ {DLA-3295-1}
- node-moment 2.29.4+ds-1 (bug #1014845)
[bullseye] - node-moment 2.29.1+ds-2+deb11u2
NOTE:
https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3
(2.29.4)
@@ -60958,8 +60978,8 @@ CVE-2022-30423 (Merchandise Online Store v1.0 by
oretnom23 has an arbitrary code
NOT-FOR-US: Merchandise Online Store
CVE-2022-30422 (Proietti Tech srl Planet Time Enterprise
4.2.0.1,4.2.0.0,4.1.0.0,4.0.0 ...)
NOT-FOR-US: Proietti Tech srl Planet Time Enterprise
-CVE-2022-30421
- RESERVED
+CVE-2022-30421 (Improper Authentication vulnerability in Toshiba Storage
Security Soft ...)
+ TODO: check
CVE-2022-30420
RESERVED
CVE-2022-30419
@@ -69436,10 +69456,10 @@ CVE-2022-27540
RESERVED
CVE-2022-27539
RESERVED
-CVE-2022-27538
- RESERVED
-CVE-2022-27537
- RESERVED
+CVE-2022-27538 (A potential Time-of-Check to Time-of-Use (TOCTOU)
vulnerability has be ...)
+ TODO: check
+CVE-2022-27537 (Potential vulnerabilities have been identified in the system
BIOS of c ...)
+ TODO: check
CVE-2022-27536 (Certificate.Verify in crypto/x509 in Go 1.18.x before 1.18.1
can be ca ...)
- golang-1.18 <not-affected> (MacOS-specific)
- golang-1.17 <not-affected> (MacOS-specific)
@@ -73842,8 +73862,8 @@ CVE-2022-25982
RESERVED
CVE-2022-25981
RESERVED
-CVE-2022-25979
- RESERVED
+CVE-2022-25979 (Versions of the package jsuites before 5.0.1 are vulnerable to
Cross-s ...)
+ TODO: check
CVE-2022-25978
RESERVED
CVE-2022-25977
@@ -74000,8 +74020,8 @@ CVE-2022-25883
RESERVED
CVE-2022-25882 (Versions of the package onnx before 1.13.0 are vulnerable to
Directory ...)
TODO: check
-CVE-2022-25881
- RESERVED
+CVE-2022-25881 (This affects versions of the package http-cache-semantics
before 4.1.1 ...)
+ TODO: check
CVE-2022-25879
RESERVED
CVE-2022-25878 (The package protobufjs before 6.11.3 are vulnerable to
Prototype Pollu ...)
@@ -74109,6 +74129,7 @@ CVE-2022-25759 (The package convert-svg-core before
0.6.2 are vulnerable to Remo
CVE-2022-25758 (All versions of package scss-tokenizer are vulnerable to
Regular Expre ...)
- node-scss-tokenizer <itp> (bug #885456)
CVE-2022-25648 (The package git before 1.11.0 are vulnerable to Command
Injection via ...)
+ {DLA-3303-1}
- ruby-git 1.13.1-1 (bug #1009926)
[bullseye] - ruby-git <no-dsa> (Minor issue)
NOTE: https://github.com/ruby-git/ruby-git/pull/569
@@ -74322,8 +74343,8 @@ CVE-2022-21149 (The package s-cart/s-cart before 6.9;
the package s-cart/core be
NOT-FOR-US: s-cart/core
CVE-2022-21144 (This affects all versions of package libxmljs. When invoking
the libxm ...)
NOT-FOR-US: Node libxmljs
-CVE-2022-21129
- RESERVED
+CVE-2022-21129 (Versions of the package nemo-appium before 0.0.9 are
vulnerable to Com ...)
+ TODO: check
CVE-2022-21126 (The package com.github.samtools:htsjdk before 3.0.1 are
vulnerable to ...)
TODO: check
CVE-2022-21122 (The package metacalc before 0.0.2 are vulnerable to Arbitrary
Code Exe ...)
@@ -76730,6 +76751,7 @@ CVE-2022-25001
CVE-2022-25000
RESERVED
CVE-2022-24999 (qs before 6.10.3, as used in Express before 4.17.3 and other
products, ...)
+ {DLA-3299-1}
- node-qs 6.10.3+ds+~6.9.7-1
[bullseye] - node-qs 6.9.4+ds-1+deb11u1
NOTE: https://github.com/ljharb/qs/pull/428
@@ -77433,6 +77455,7 @@ CVE-2022-24786 (PJSIP is a free and open source
multimedia communication library
NOTE:
https://github.com/pjsip/pjproject/security/advisories/GHSA-vhxv-phmx-g52q
NOTE:
https://github.com/pjsip/pjproject/commit/11559e49e65bdf00922ad5ae28913ec6a198d508
CVE-2022-24785 (Moment.js is a JavaScript date library for parsing,
validating, manipu ...)
+ {DLA-3295-1}
- node-moment 2.29.2+ds-1 (bug #1009327)
[bullseye] - node-moment 2.29.1+ds-2+deb11u1
[stretch] - node-moment <end-of-life> (Nodejs in stretch not covered by
security support)
@@ -82231,12 +82254,12 @@ CVE-2022-0299
RESERVED
CVE-2022-23456 (Potential arbitrary file deletion vulnerability has been
identified in ...)
NOT-FOR-US: HP
-CVE-2022-23455
- RESERVED
-CVE-2022-23454
- RESERVED
-CVE-2022-23453
- RESERVED
+CVE-2022-23455 (Potential security vulnerabilities have been identified in HP
Support ...)
+ TODO: check
+CVE-2022-23454 (Potential security vulnerabilities have been identified in HP
Support ...)
+ TODO: check
+CVE-2022-23453 (Potential security vulnerabilities have been identified in HP
Support ...)
+ TODO: check
CVE-2022-23452 (An authorization flaw was found in openstack-barbican, where
anyone wi ...)
- barbican 1:14.0.0~rc1-2
[bullseye] - barbican <no-dsa> (Minor issue)
@@ -83361,8 +83384,8 @@ CVE-2022-0225 (A flaw was found in Keycloak. This flaw
allows a privileged attac
NOT-FOR-US: Keycloak
CVE-2022-0224 (dolibarr is vulnerable to Improper Neutralization of Special
Elements ...)
- dolibarr <removed>
-CVE-2022-0223
- RESERVED
+CVE-2022-0223 (A CWE-22: Improper Limitation of a Pathname to a Restricted
Directory ...)
+ TODO: check
CVE-2022-0222 (A CWE-269: Improper Privilege Management vulnerability exists
that cou ...)
NOT-FOR-US: Modicon
CVE-2022-0221 (A CWE-611: Improper Restriction of XML External Entity
Reference vulne ...)
@@ -85240,10 +85263,10 @@ CVE-2021-46152 (A vulnerability has been identified
in Simcenter Femap V2020.2 (
NOT-FOR-US: Siemens
CVE-2021-46151 (A vulnerability has been identified in Simcenter Femap V2020.2
(All ve ...)
NOT-FOR-US: Siemens
-CVE-2022-22732
- RESERVED
-CVE-2022-22731
- RESERVED
+CVE-2022-22732 (A CWE-668: Exposure of Resource to Wrong Sphere vulnerability
exists t ...)
+ TODO: check
+CVE-2022-22731 (A CWE-22: Improper Limitation of a Pathname to a Restricted
Directory ...)
+ TODO: check
CVE-2022-0144 (shelljs is vulnerable to Improper Privilege Management ...)
- node-shelljs 0.8.5+~cs0.8.10-1
[bullseye] - node-shelljs <no-dsa> (Minor issue)
@@ -104692,10 +104715,10 @@ CVE-2021-3811 (adminlte is vulnerable to Improper
Neutralization of Input During
NOT-FOR-US: adminlte
CVE-2021-3810 (code-server is vulnerable to Inefficient Regular Expression
Complexity ...)
NOT-FOR-US: code-server
-CVE-2021-3809
- RESERVED
-CVE-2021-3808
- RESERVED
+CVE-2021-3809 (Potential security vulnerabilities have been identified in the
BIOS (U ...)
+ TODO: check
+CVE-2021-3808 (Potential security vulnerabilities have been identified in the
BIOS (U ...)
+ TODO: check
CVE-2021-3807 (ansi-regex is vulnerable to Inefficient Regular Expression
Complexity ...)
- node-ansi-regex 5.0.1-1 (bug #994568)
[bullseye] - node-ansi-regex 5.0.1-1~deb11u1
@@ -138106,8 +138129,8 @@ CVE-2021-3441 (A potential security vulnerability has
been identified for the HP
NOT-FOR-US: HP
CVE-2021-3440 (HP Print and Scan Doctor, an application within the HP Smart
App for W ...)
NOT-FOR-US: HP
-CVE-2021-3439
- RESERVED
+CVE-2021-3439 (HP has identified a potential vulnerability in BIOS firmware of
some W ...)
+ TODO: check
CVE-2021-3438 (A potential buffer overflow in the software drivers for certain
HP Las ...)
NOT-FOR-US: HP LaserJet products and Samsung product printers
CVE-2021-3437 (Potential security vulnerabilities have been identified in an
OMEN Gam ...)
@@ -219714,7 +219737,7 @@ CVE-2020-8185 (A denial of service vulnerability
exists in Rails <6.0.3.2 tha
- rails <not-affected> (Introduced in rails 6.x)
NOTE: https://groups.google.com/g/rubyonrails-security/c/pAe9EV8gbM0
CVE-2020-8184 (A reliance on cookies without validation/integrity check
security vuln ...)
- {DLA-2275-1}
+ {DLA-3298-1 DLA-2275-1}
- ruby-rack 2.1.1-6 (bug #963477)
NOTE: https://hackerone.com/reports/895727
NOTE: Fixed by:
https://github.com/rack/rack/commit/1f5763de6a9fe515ff84992b343d63c88104654c
@@ -219813,7 +219836,7 @@ CVE-2020-8162 (A client side enforcement of server
side security vulnerability e
NOTE:
https://weblog.rubyonrails.org/2020/5/18/Rails-5-2-4-3-and-6-0-3-1-have-been-released
NOTE:
https://github.com/rails/rails/commit/e8df5648515a0e8324d3b3c4bdb7bde6802cd8be
(5.2)
CVE-2020-8161 (A directory traversal vulnerability exists in rack < 2.2.0
that all ...)
- {DLA-2275-1 DLA-2216-1}
+ {DLA-3298-1 DLA-2275-1 DLA-2216-1}
- ruby-rack 2.1.1-5
NOTE:
https://groups.google.com/forum/#!msg/rubyonrails-security/IOO1vNZTzPA/Ylzi1UYLAAAJ
NOTE: Fixed by:
https://github.com/rack/rack/commit/dddb7ad18ed79ca6ab06ccc417a169fde451246e
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/14a1bfefebed3975fdfac231624773aa001d028c
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/14a1bfefebed3975fdfac231624773aa001d028c
You're receiving this email because of your account on salsa.debian.org.
_______________________________________________
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
