Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
52408497 by security tracker role at 2023-07-26T08:12:11+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,11 +1,127 @@ -CVE-2023-3773 [xfrm: add forgotten nla_policy for XFRMA_MTIMER_THRESH] +CVE-2023-3947 (The Video Conferencing with Zoom plugin for WordPress is vulnerable to ...) + TODO: check +CVE-2023-3946 (A reflected cross-site scripting (XSS) vulnerability in ePO prior to 5 ...) + TODO: check +CVE-2023-3945 (A vulnerability was found in phpscriptpoint Lawyer 1.6. It has been cl ...) + TODO: check +CVE-2023-3944 (A vulnerability was found in phpscriptpoint Lawyer 1.6 and classified ...) + TODO: check +CVE-2023-3897 (Username enumeration is possible through Bypassing CAPTCHA in On-premi ...) + TODO: check +CVE-2023-3890 (A vulnerability classified as problematic has been found in Campcodes ...) + TODO: check +CVE-2023-3548 (An unauthorized user could gain account access to IQ Wifi 6 versions p ...) + TODO: check +CVE-2023-3486 (An authentication bypass exists in PaperCut NG versions 22.0.12 and pr ...) + TODO: check +CVE-2023-39175 (In JetBrains TeamCity before 2023.05.2 reflected XSS via GitHub integr ...) + TODO: check +CVE-2023-39174 (In JetBrains TeamCity before 2023.05.2 a ReDoS attack was possible via ...) + TODO: check +CVE-2023-39173 (In JetBrains TeamCity before 2023.05.2 a token with limited permission ...) + TODO: check +CVE-2023-39130 (GNU gdb (GDB) 13.0.50.20220805-git was discovered to contain a heap bu ...) + TODO: check +CVE-2023-39129 (GNU gdb (GDB) 13.0.50.20220805-git was discovered to contain a heap us ...) + TODO: check +CVE-2023-39128 (GNU gdb (GDB) 13.0.50.20220805-git was discovered to contain a stack o ...) + TODO: check +CVE-2023-38555 (Authentication bypass vulnerability in Fujitsu network devices Si-R se ...) + TODO: check +CVE-2023-38503 (Directus is a real-time API and App dashboard for managing SQL databas ...) + TODO: check +CVE-2023-38502 (TDengine is an open source, time-series database optimized for Interne ...) + TODO: check +CVE-2023-38501 (copyparty is file server software. Prior to version 1.8.7, the applica ...) 
+ TODO: check +CVE-2023-38500 (TYPO3 HTML Sanitizer is an HTML sanitizer, written in PHP, aiming to p ...) + TODO: check +CVE-2023-38499 (TYPO3 is an open source PHP based web content management system. Start ...) + TODO: check +CVE-2023-38496 (Apptainer is an open source container platform. Version 1.2.0-rc.2 int ...) + TODO: check +CVE-2023-38493 (Armeria is a microservice framework Spring supports Matrix variables. ...) + TODO: check +CVE-2023-38435 (An improper neutralization of input during web page generation ('Cross ...) + TODO: check +CVE-2023-38433 (Fujitsu Real-time Video Transmission Gear "IP series" use hard-coded c ...) + TODO: check +CVE-2023-37920 (Certifi is a curated collection of Root Certificates for validating th ...) + TODO: check +CVE-2023-37919 (Cal.com is open-source scheduling software. A vulnerability allows act ...) + TODO: check +CVE-2023-37907 (Cryptomator is data encryption software for users who store their file ...) + TODO: check +CVE-2023-37902 (Vyper is a Pythonic programming language that targets the Ethereum Vir ...) + TODO: check +CVE-2023-37677 (Pligg CMS v2.0.2 (also known as Kliqqi) was discovered to contain a re ...) + TODO: check +CVE-2023-37460 (Plexis Archiver is a collection of Plexus components to create archive ...) + TODO: check +CVE-2023-37258 (DataEase is an open source data visualization analysis tool. Prior to ...) + TODO: check +CVE-2023-37257 (DataEase is an open source data visualization analysis tool. Prior to ...) + TODO: check +CVE-2023-36826 (Sentry is an error tracking and performance monitoring platform. Start ...) + TODO: check +CVE-2023-36806 (Contao is an open source content management system. Starting in versio ...) + TODO: check +CVE-2023-36503 (Auth. (contributor+) Cross-Site Scripting (XSS) vulnerability in Max F ...) + TODO: check +CVE-2023-36502 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2023-36501 (Unauth. 
Reflected Cross-Site Scripting (XSS) vulnerability in Michael ...) + TODO: check +CVE-2023-36385 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in wpxpo Po ...) + TODO: check +CVE-2023-35982 (There are buffer overflow vulnerabilities in multiple underlying servi ...) + TODO: check +CVE-2023-35981 (There are buffer overflow vulnerabilities in multiple underlying servi ...) + TODO: check +CVE-2023-35980 (There are buffer overflow vulnerabilities in multiple underlying servi ...) + TODO: check +CVE-2023-35944 (Envoy is an open source edge and service proxy designed for cloud-nati ...) + TODO: check +CVE-2023-35943 (Envoy is an open source edge and service proxy designed for cloud-nati ...) + TODO: check +CVE-2023-35942 (Envoy is an open source edge and service proxy designed for cloud-nati ...) + TODO: check +CVE-2023-35941 (Envoy is an open source edge and service proxy designed for cloud-nati ...) + TODO: check +CVE-2023-35929 (Tuleap is a free and open source suite to improve management of softwa ...) + TODO: check +CVE-2023-35043 (Unauth. Stored Cross-Site Scripting (XSS) vulnerability in Neha Goel R ...) + TODO: check +CVE-2023-34798 (An arbitrary file upload vulnerability in eoffice before v9.5 allows a ...) + TODO: check +CVE-2023-34369 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Gran ...) + TODO: check +CVE-2023-34235 (Strapi is an open-source headless content management system. Prior to ...) + TODO: check +CVE-2023-34093 (Strapi is an open-source headless content management system. Prior to ...) + TODO: check +CVE-2023-34017 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in FiveStar ...) + TODO: check +CVE-2023-33925 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in PluginFo ...) + TODO: check +CVE-2023-32629 (Local privilege escalation vulnerability in Ubuntu Kernels overlayfs o ...) + TODO: check +CVE-2023-32468 (Dell ECS Streamer, versions prior to 2.0.7.1, contain an insertion of ...) 
+ TODO: check +CVE-2023-2850 (NodeBB is affected by a Cross-Site WebSocket Hijacking vulnerability d ...) + TODO: check +CVE-2023-2640 (On Ubuntu kernels carrying both c914c0e27eb0 and "UBUNTU: SAUCE: overl ...) + TODO: check +CVE-2023-2626 (There exists an authentication bypass vulnerability in OpenThread bord ...) + TODO: check +CVE-2023-3773 (A flaw was found in the Linux kernel\u2019s IP framework for transform ...) - linux <unfixed> [buster] - linux <not-affected> (Vulnerable code not present) NOTE: https://lore.kernel.org/all/20230723074110.3705047-1-li...@zju.edu.cn/T/#u -CVE-2023-3772 [xfrm: add NULL check in xfrm_update_ae_params] +CVE-2023-3772 (A flaw was found in the Linux kernel\u2019s IP framework for transform ...) - linux <unfixed> NOTE: https://lore.kernel.org/netdev/20230721145103.2714073-1-li...@zju.edu.cn/ -CVE-2023-37895 +CVE-2023-37895 (Java object deserialization issue in Jackrabbit webapp/standalone on a ...) - jackrabbit <unfixed> NOTE: https://www.openwall.com/lists/oss-security/2023/07/25/8 CVE-2023-3888 (A vulnerability was found in Campcodes Beauty Salon Management System ...) @@ -227,7 +343,7 @@ CVE-2023-3819 (Exposure of Sensitive Information to an Unauthorized Actor in Git NOT-FOR-US: pimcore CVE-2023-3102 (A sensitive information leak issue has been discovered in GitLab EE af ...) - gitlab <not-affected> (Specific to EE) -CVE-2023-38647 +CVE-2023-38647 (An attacker can use SnakeYAML to deserialize java.net.URLClassLoader a ...) NOT-FOR-US: Apache Helix CVE-2023-38646 (Metabase open source before 0.46.6.1 and Metabase Enterprise before 1. ...) NOT-FOR-US: Metabase 
@@ -799,7 +915,7 @@ CVE-2023-38405 (On Crestron 3-Series Control Systems before 1.8001.0187, craftin CVE-2023-38404 (The XPRTLD web application in Veritas InfoScale Operations Manager (VI ...) NOT-FOR-US: Veritas InfoScale CVE-2023-38403 (iperf3 before 3.14 allows peers to cause an integer overflow and heap ...) - {DSA-5455-1} + {DSA-5455-1 DLA-3506-1} - iperf3 3.14-1 (bug #1040830) NOTE: https://downloads.es.net/pub/iperf/esnet-secadv-2023-0001.txt.asc NOTE: https://github.com/esnet/iperf/commit/0ef151550d96cc4460f98832df84b4a1e87c65e9 (3.14) @@ -2702,6 +2818,7 @@ CVE-2023-35939 (GLPI is a free asset and IT management software package. Startin NOTE: https://github.com/glpi-project/glpi/security/advisories/GHSA-cjcx-pwcx-v34c NOTE: Only supported behind an authenticated HTTP zone CVE-2023-35936 (Pandoc is a Haskell library for converting from one markup format to a ...) + {DLA-3507-1} - pandoc 2.17.1.1-2 (bug #1041976) [bookworm] - pandoc <no-dsa> (Minor issue) [bullseye] - pandoc <no-dsa> (Minor issue) @@ -3309,7 +3426,7 @@ CVE-2023-33277 (The web interface of Gira Giersiepen Gira KNX/IP-Router 3.1.3683 CVE-2023-33190 (Sealos is an open source cloud operating system distribution based on ...) NOT-FOR-US: Sealos CVE-2023-37329 [Heap overwrite in PGS subtitle overlay decoder] - {DSA-5444-1} + {DSA-5444-1 DLA-3503-1} - gst-plugins-bad1.0 1.22.4-1 - gst-plugins-bad0.10 <removed> NOTE: https://gstreamer.freedesktop.org/security/sa-2023-0003.html 
@@ -3317,7 +3434,7 @@ CVE-2023-37329 [Heap overwrite in PGS subtitle overlay decoder] NOTE: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/5f3cf0a7d7ae7ab883d0611e85c06354f1e94907 NOTE: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/60226124ec367c2549e4bf1e6174dfb8eca5a63d CVE-2023-37327 [Integer overflow leading to heap overwrite in FLAC image tag handling] - {DSA-5445-1} + {DSA-5445-1 DLA-3505-1} - gst-plugins-good1.0 1.22.4-1 - gst-plugins-good0.10 <removed> NOTE: https://gstreamer.freedesktop.org/security/sa-2023-0001.html @@ -3325,7 +3442,7 @@ CVE-2023-37327 [Integer overflow leading to heap overwrite in FLAC image tag han NOTE: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/bdc8021c73c16c49d594579c606a4f4771a2670e NOTE: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/7bcd791fabe03b9ab1c72f494fc86cd0c06c3556 CVE-2023-37328 [Heap overwrite in subtitle parsing] - {DSA-5443-1} + {DSA-5443-1 DLA-3504-1} - gst-plugins-base1.0 1.22.4-1 - gst-plugins-base0.10 <removed> NOTE: https://gstreamer.freedesktop.org/security/sa-2023-0002.html @@ -18229,8 +18346,8 @@ CVE-2023-1403 (The Weaver Xtreme Theme for WordPress is vulnerable to stored Cro NOT-FOR-US: WordPress plugin CVE-2023-1402 (The course participation report required additional checks to prevent ...) - moodle <removed> -CVE-2023-1401 - RESERVED +CVE-2023-1401 (An issue has been discovered in GitLab DAST scanner affecting all vers ...) + TODO: check CVE-2023-1400 (The Modern Events Calendar Lite WordPress plugin through 5.16.2 does n ...) NOT-FOR-US: WordPress plugin CVE-2023-1399 (N6854A Geolocation Server versions 2.4.2 are vulnerable to untrusted d ...) 
@@ -31494,8 +31611,8 @@ CVE-2023-23835 (A vulnerability has been identified in Mendix Applications using NOT-FOR-US: Siemens CVE-2023-23834 RESERVED -CVE-2023-23833 - RESERVED +CVE-2023-23833 (Auth. (contributor+) Cross-Site Scripting (XSS) vulnerability in Steve ...) + TODO: check CVE-2023-23832 (Auth. (contributor+) Cross-Site Scripting (XSS) vulnerability in TC Ul ...) NOT-FOR-US: WordPress plugin CVE-2023-23831 (Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability i ...) @@ -38817,8 +38934,8 @@ CVE-2022-4610 (A vulnerability, which was classified as problematic, has been fo NOT-FOR-US: Click Studios Passwordstate and Passwordstate Browser Extension Chrome CVE-2022-4609 (Cross-site Scripting (XSS) - Stored in GitHub repository usememos/memo ...) NOT-FOR-US: usememos -CVE-2022-4608 - RESERVED +CVE-2022-4608 (A vulnerability exists in HCI IEC 60870-5-104 function included in cer ...) + TODO: check CVE-2021-4262 (A vulnerability classified as critical was found in laravel-jqgrid. Af ...) NOT-FOR-US: laravel-jqgrid. CVE-2021-4261 (A vulnerability classified as critical has been found in pacman-canvas ...) @@ -39290,6 +39407,7 @@ CVE-2023-22051 (Vulnerability in the Oracle GraalVM Enterprise Edition, Oracle G CVE-2023-22050 (Vulnerability in the JD Edwards EnterpriseOne Orchestrator product of ...) NOT-FOR-US: Oracle CVE-2023-22049 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) + {DSA-5458-1} - openjdk-8 8u382-ga-1 - openjdk-11 11.0.20+8-1 - openjdk-17 17.0.8+7-1 
@@ -39300,10 +39418,12 @@ CVE-2023-22047 (Vulnerability in the PeopleSoft Enterprise PeopleTools product o CVE-2023-22046 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-8.0 8.0.34-1 (bug #1041819) CVE-2023-22045 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) + {DSA-5458-1} - openjdk-8 8u382-ga-1 - openjdk-11 11.0.20+8-1 - openjdk-17 17.0.8+7-1 CVE-2023-22044 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) + {DSA-5458-1} - openjdk-8 8u382-ga-1 - openjdk-17 17.0.8+7-1 CVE-2023-22043 (Vulnerability in Oracle Java SE (component: JavaFX). The supported v ...) @@ -39312,6 +39432,7 @@ CVE-2023-22043 (Vulnerability in Oracle Java SE (component: JavaFX). The suppo CVE-2023-22042 (Vulnerability in the Oracle Applications Framework product of Oracle E ...) NOT-FOR-US: Oracle CVE-2023-22041 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) + {DSA-5458-1} - openjdk-8 8u382-ga-1 - openjdk-11 11.0.20+8-1 - openjdk-17 17.0.8+7-1 @@ -39324,6 +39445,7 @@ CVE-2023-22038 (Vulnerability in the MySQL Server product of Oracle MySQL (compo CVE-2023-22037 (Vulnerability in the Oracle Web Applications Desktop Integrator produc ...) NOT-FOR-US: Oracle CVE-2023-22036 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) + {DSA-5458-1} - openjdk-11 11.0.20+8-1 - openjdk-17 17.0.8+7-1 CVE-2023-22035 (Vulnerability in the Oracle Scripting product of Oracle E-Business Sui ...) @@ -39385,6 +39507,7 @@ CVE-2023-22008 (Vulnerability in the MySQL Server product of Oracle MySQL (compo CVE-2023-22007 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-8.0 8.0.34-1 (bug #1041819) CVE-2023-22006 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) + {DSA-5458-1} - openjdk-11 11.0.20+8-1 - openjdk-17 17.0.8+7-1 CVE-2023-22005 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) 
@@ -41952,16 +42075,16 @@ CVE-2022-46904 (Insufficient processing of user input in WebSoft HCM 2021.2.3.32 NOT-FOR-US: WebSoft HCM CVE-2022-46903 (Insufficient processing of user input in WebSoft HCM 2021.2.3.327 allo ...) NOT-FOR-US: WebSoft HCM -CVE-2022-46902 - RESERVED -CVE-2022-46901 - RESERVED -CVE-2022-46900 - RESERVED -CVE-2022-46899 - RESERVED -CVE-2022-46898 - RESERVED +CVE-2022-46902 (An issue was discovered in Vocera Report Server and Voice Server 5.x t ...) + TODO: check +CVE-2022-46901 (An issue was discovered in Vocera Report Server and Voice Server 5.x t ...) + TODO: check +CVE-2022-46900 (An issue was discovered in Vocera Report Server and Voice Server 5.x t ...) + TODO: check +CVE-2022-46899 (An issue was discovered in Vocera Report Server and Voice Server 5.x t ...) + TODO: check +CVE-2022-46898 (An issue was discovered in Vocera Report Server and Voice Server 5.x t ...) + TODO: check CVE-2022-46897 RESERVED CVE-2022-46896 @@ -50024,8 +50147,8 @@ CVE-2023-20893 (The VMware vCenter Server contains a use-after-free vulnerabilit NOT-FOR-US: VMware CVE-2023-20892 (The vCenter Server contains a heap overflow vulnerability due to the u ...) NOT-FOR-US: VMware -CVE-2023-20891 - RESERVED +CVE-2023-20891 (The VMware Tanzu Application Service for VMs and Isolation Segment con ...) + TODO: check CVE-2023-20890 RESERVED CVE-2023-20889 (Aria Operations for Networks contains an information disclosure vulner ...) @@ -52154,6 +52277,7 @@ CVE-2023-20595 CVE-2023-20594 RESERVED CVE-2023-20593 (An issue in \u201cZen 2\u201d CPUs, under specific microarchitectural ...) + {DSA-5459-1} - linux <unfixed> - amd64-microcode 3.20230719.1 (bug #1041863) NOTE: https://www.openwall.com/lists/oss-security/2023/07/24/1 
@@ -60917,7 +61041,7 @@ CVE-2022-3278 (NULL Pointer Dereference in GitHub repository vim/vim prior to 9. NOTE: https://huntr.dev/bounties/a9fad77e-f245-4ce9-ba15-c7d4c86c4612/ NOTE: https://github.com/vim/vim/commit/69082916c8b5d321545d60b9f5facad0a2dd5a4e (v9.0.0552) NOTE: Crash in CLI toool, no security impact -CVE-2023-3637 [unrestricted creation of security groups (fix for CVE-2022-3277)] +CVE-2023-3637 (An uncontrolled resource consumption flaw was found in openstack-neutr ...) - neutron <not-affected> (Fix for CVE-2022-3277 not applied) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2222270 CVE-2022-3277 (An uncontrolled resource consumption flaw was found in openstack-neutr ...) @@ -62494,7 +62618,7 @@ CVE-2022-36424 (Cross-Site Request Forgery (CSRF) vulnerability in Nikola Loncar NOT-FOR-US: WordPress plugin CVE-2022-36417 (Multiple Stored Cross-Site Scripting (XSS) via Cross-Site Request Forg ...) NOT-FOR-US: WordPress plugin -CVE-2022-36404 (Auth. (subscriber+) Broken Access Control vulnerability in David Cole ...) +CVE-2022-36404 (Missing Authorization, Cross-Site Request Forgery (CSRF) vulnerability ...) NOT-FOR-US: WordPress plugin CVE-2022-35238 (Unauthenticated Plugin Settings Change vulnerability in Awesome Filter ...) NOT-FOR-US: WordPress plugin @@ -74162,8 +74286,8 @@ CVE-2022-2503 (Dm-verity is used for extending root-of-trust to root filesystems [buster] - linux 4.19.249-1 NOTE: https://git.kernel.org/linus/4caae58406f8ceb741603eee460d79bacca9b1b5 (5.19-rc1) NOTE: https://github.com/google/security-research/security/advisories/GHSA-6vq3-w69p-w63m -CVE-2022-2502 - RESERVED +CVE-2022-2502 (A vulnerability exists in the HCI IEC 60870-5-104 function included in ...) + TODO: check CVE-2022-36359 (An issue was discovered in the HTTP FileResponse class in Django 3.2 b ...) {DSA-5254-1} - python-django 3:3.2.15-1 
@@ -87886,10 +88010,10 @@ CVE-2022-31460 (Owl Labs Meeting Owl 5.2.0.15 allows attackers to activate Tethe NOT-FOR-US: Owl Labs Meeting Owl CVE-2022-31459 (Owl Labs Meeting Owl 5.2.0.15 allows attackers to retrieve the passcod ...) NOT-FOR-US: Owl Labs Meeting Owl -CVE-2022-31458 - RESERVED -CVE-2022-31457 - RESERVED +CVE-2022-31458 (RTX TRAP v1.0 was discovered to be vulnerable to host header poisoning ...) + TODO: check +CVE-2022-31457 (RTX TRAP v1.0 allows attackers to perform a directory traversal via a ...) + TODO: check CVE-2022-31456 RESERVED CVE-2022-31455 @@ -104278,6 +104402,7 @@ CVE-2022-24441 (The package snyk before 1.1064.0 are vulnerable to Code Injectio CVE-2022-24440 (The package cocoapods-downloader before 1.6.0, from 1.6.2 and before 1 ...) NOT-FOR-US: cocoapods-downloader CVE-2022-24439 (All versions of package gitpython are vulnerable to Remote Code Execut ...) + {DLA-3502-1} - python-git 3.1.30-1 (bug #1027163) [bullseye] - python-git <no-dsa> (Minor issue) NOTE: https://security.snyk.io/vuln/SNYK-PYTHON-GITPYTHON-3113858 @@ -186296,8 +186421,8 @@ CVE-2020-35700 (A second-order SQL injection issue in Widgets/TopDevicesControll NOT-FOR-US: LibreNMS CVE-2020-35699 RESERVED -CVE-2020-35698 - RESERVED +CVE-2020-35698 (Thinkific Thinkific Online Course Creation Platform 1.0 is affected by ...) + TODO: check CVE-2020-35697 RESERVED CVE-2020-35696 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5240849799b544b9ad9fcc32abb1a50176c1ffeb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5240849799b544b9ad9fcc32abb1a50176c1ffeb You're receiving this email because of your account on salsa.debian.org.
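Review bot: two of the new `TODO: check` entries in the first hunk (@@ -1,11 +1,127 @@) are explicitly Ubuntu-specific by their own descriptions, "Local privilege escalation vulnerability in Ubuntu Kernels overlayfs" (CVE-2023-32629) and "On Ubuntu kernels carrying both c914c0e27eb0 and "UBUNTU: SAUCE: overl..." (CVE-2023-2640); they should be checked against whether the Debian linux package carries those SAUCE patches and resolved one way or the other, not left open with the generic TODO. In the same hunk, `- jackrabbit <unfixed>` for CVE-2023-37895 is backed only by the oss-security NOTE, whereas the other `<unfixed>` and fixed-version lines in this file cite a `(bug #NNNN)`; a Debian bug should be filed and referenced so the entry can be followed up.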
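Review bot: inconsistent suite handling for CVE-2023-35936 (hunk @@ -2702,6 +2818,7 @@): `{DLA-3507-1}` is recorded while the unchanged `[bullseye] - pandoc <no-dsa> (Minor issue)` stays, so the oldest supported release now has a fix that current stable does not. Either revisit the bullseye line (point release or DSA) or extend the `(Minor issue)` note with why the LTS fix does not warrant a bullseye update.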
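Review bot: CVE-2023-23833 (hunk @@ -31494,8 +31611,8 @@) is left at `TODO: check` although its description, "Auth. (contributor+) Cross-Site Scripting (XSS) vulnerability in Steve ...", follows the same wording as the adjacent CVE-2023-23832 and CVE-2023-23831 entries that are already resolved as `NOT-FOR-US: WordPress plugin`; it can most likely be closed the same way rather than queued for manual review.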
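Review bot: CVE-2022-4608 (hunk @@ -38817,8 +38934,8 @@) and CVE-2022-2502 (hunk @@ -74162,8 +74286,8 @@) both describe a "vulnerability ... in the HCI IEC 60870-5-104 function" and both end up at `TODO: check` in separate places in the file; they concern the same product and should be triaged together so they receive the same resolution.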
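Review bot: CVE-2023-20891 (hunk @@ -50024,8 +50147,8 @@), "The VMware Tanzu Application Service for VMs and Isolation Segment con ...", sits between entries resolved as `NOT-FOR-US: VMware`; unless a Tanzu component is actually packaged, it should get the same marker instead of `TODO: check`.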
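Review bot: for CVE-2023-20593 (hunk @@ -52154,6 +52277,7 @@) the `- linux <unfixed>` line has no NOTE pointing at the kernel-side change, while `amd64-microcode 3.20230719.1 (bug #1041863)` and `{DSA-5459-1}` document the microcode side; the other kernel entries touched by this commit (CVE-2023-3773, CVE-2023-3772) carry lore.kernel.org NOTEs. Add the upstream commit reference so the linux part can be moved to a fixed version when it lands.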
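Review bot: the justification `neutron <not-affected> (Fix for CVE-2022-3277 not applied)` for CVE-2023-3637 (hunk @@ -60917,7 +61041,7 @@) only holds if the CVE-2022-3277 entry immediately below still records neutron as unfixed; closing 3637 on the grounds that the 3277 fix is absent while 3277 itself were marked fixed would make the two entries contradict each other. Cross-check the neutron status on CVE-2022-3277 when accepting this line.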
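Review bot: same suite inconsistency for CVE-2022-24439 (hunk @@ -104278,6 +104402,7 @@) as for pandoc: `{DLA-3502-1}` is added while `[bullseye] - python-git <no-dsa> (Minor issue)` remains, so buster gets a fix via LTS that bullseye does not. Either schedule the bullseye update or state in the `(Minor issue)` note why the LTS fix does not change the bullseye assessment.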
_______________________________________________ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits