Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
342291ff by Moritz Muehlenhoff at 2025-03-21T08:28:50+01:00
NFUs
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -39,9 +39,9 @@ CVE-2025-29923 (go-redis is the official Redis client library
for the Go program
NOTE: Fixed by:
https://github.com/redis/go-redis/commit/d236865b0cfa1b752ea4b7da666b1fdcd0acebb6
TODO: research introducing commit, might be post 9.5.1
CVE-2025-29922 (kcp is a Kubernetes-like control plane for form-factors and
use-cases ...)
- TODO: check
+ NOT-FOR-US: kcp Kubernetes control plane
CVE-2025-29914 (OWASP Coraza WAF is a golang modsecurity compatible web
application fi ...)
- TODO: check
+ NOT-FOR-US: OWASP Coraza WAF
CVE-2025-29412 (A cross-site scripting (XSS) vulnerability in the Client
Profile Updat ...)
NOT-FOR-US: Mart Developers iBanking
CVE-2025-29411 (An arbitrary file upload vulnerability in the Client Profile
Update se ...)
@@ -144,7 +144,7 @@ CVE-2024-9847 (FlatPress CMS version latest is vulnerable
to Cross-Site Request
CVE-2024-9840 (A Denial of Service (DoS) vulnerability exists in
open-webui/open-webu ...)
NOT-FOR-US: open-webui/open-webui
CVE-2024-9701 (A Remote Code Execution (RCE) vulnerability has been identified
in the ...)
- TODO: check
+ NOT-FOR-US: Kedro
CVE-2024-9699 (A vulnerability in the file upload functionality of the
FlatPress CMS ...)
- flatpress <itp> (bug #466297)
CVE-2024-9617 (An IDOR vulnerability in danswer-ai/danswer v0.3.94 allows an
attacker ...)
@@ -246,7 +246,7 @@ CVE-2024-8763 (A Regular Expression Denial of Service
(ReDoS) vulnerability exis
CVE-2024-8736 (A Denial of Service (DoS) vulnerability exists in multiple file
upload ...)
NOT-FOR-US: parisneo/lollms-webui
CVE-2024-8616 (In h2oai/h2o-3 version 3.46.0, the `/99/Models/{name}/json`
endpoint a ...)
- TODO: check
+ NOT-FOR-US: h2oai/h2o-3
CVE-2024-8613 (A vulnerability in gaizhenbiao/chuanhuchatgpt version 20240802
allows ...)
NOT-FOR-US: gaizhenbiao/chuanhuchatgpt
CVE-2024-8581 (A vulnerability in the `upload_app` function of
parisneo/lollms-webui ...)
@@ -282,7 +282,7 @@ CVE-2024-8238 (In version 3.22.0 of aimhubio/aim, the AimQL
query language uses
CVE-2024-8196 (In mintplex-labs/anything-llm v1.5.11 desktop version for
Windows, the ...)
NOT-FOR-US: mintplex-labs/anything-llm
CVE-2024-8183 (A CORS (Cross-Origin Resource Sharing) misconfiguration in
prefecthq/p ...)
- TODO: check
+ NOT-FOR-US: Prefect
CVE-2024-8156 (A command injection vulnerability exists in the
workflow-checker.yml w ...)
NOT-FOR-US: significant-gravitas/autogpt
CVE-2024-8101 (A stored cross-site scripting (XSS) vulnerability exists in the
Text E ...)
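Review bot: the new "NOT-FOR-US: Prefect" marker for CVE-2024-8183 uses a bare product name, whereas the neighbouring entries in this hunk ("NOT-FOR-US: mintplex-labs/anything-llm", "NOT-FOR-US: significant-gravitas/autogpt") record the upstream as owner/repo, matching the CVE description, which here starts with "prefecthq/" before it is truncated. Using the same owner/repo form keeps a grep for the upstream name matching every entry for that project.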
@@ -348,13 +348,13 @@ CVE-2024-7776 (A vulnerability in the `download_model`
function of the onnx/onnx
CVE-2024-7773 (A vulnerability in ollama/ollama version 0.1.37 allows for
remote code ...)
- ollama <itp> (bug #1094806)
CVE-2024-7771 (A vulnerability in the Dockerized version of
mintplex-labs/anything-ll ...)
- TODO: check
+ NOT-FOR-US: anything-llm
CVE-2024-7768 (A vulnerability in the `/3/ImportFiles` endpoint of h2oai/h2o-3
versio ...)
- TODO: check
+ NOT-FOR-US: h2oai/h2o-3
CVE-2024-7767 (An improper access control vulnerability exists in
danswer-ai/danswer ...)
NOT-FOR-US: danswer-ai/danswer
CVE-2024-7765 (In h2oai/h2o-3 version 3.46.0.2, a vulnerability exists where
uploadin ...)
- TODO: check
+ NOT-FOR-US: h2oai/h2o-3
CVE-2024-7764 (Vanna-ai v0.6.2 is vulnerable to SQL Injection due to
insufficient pro ...)
NOT-FOR-US: Vanna-ai
CVE-2024-7760 (aimhubio/aim version 3.22.0 contains a Cross-Site Request
Forgery (CSR ...)
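Review bot: "NOT-FOR-US: anything-llm" for CVE-2024-7771 spells the upstream differently from "NOT-FOR-US: mintplex-labs/anything-llm" already used for CVE-2024-8196, although the description in both cases names mintplex-labs/anything-llm; the same short form is added for CVE-2024-13060 further down. Pick one spelling so that a search of the list for this project does not miss entries.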
@@ -394,9 +394,9 @@ CVE-2024-6982 (A remote code execution vulnerability exists
in the Calculate fun
CVE-2024-6866 (corydolphin/flask-cors version 4.01 contains a vulnerability
where the ...)
TODO: check
CVE-2024-6863 (In h2oai/h2o-3 version 3.46.0, an endpoint exposing a custom
Encryptio ...)
- TODO: check
+ NOT-FOR-US: h2oai/h2o-3
CVE-2024-6854 (In h2oai/h2o-3 version 3.46.0, the endpoint for exporting
models does ...)
- TODO: check
+ NOT-FOR-US: h2oai/h2o-3
CVE-2024-6851 (In version 3.22.0 of aimhubio/aim, the
LocalFileManager._cleanup funct ...)
NOT-FOR-US: aimhubio/aim
CVE-2024-6844 (A vulnerability in corydolphin/flask-cors version 4.0.1 allows
for inc ...)
@@ -434,7 +434,7 @@ CVE-2024-48591 (Inflectra SpiraTeam 7.2.00 is vulnerable to
Cross Site Scripting
CVE-2024-48590 (Inflectra SpiraTeam 7.2.00 is vulnerable to Server-Side
Request Forger ...)
NOT-FOR-US: Inflectra SpiraTeam
CVE-2024-2292 (Due to a lack of access control, unauthorized users are able to
view a ...)
- TODO: check
+ NOT-FOR-US: changeweb/unifiedtransform
CVE-2024-13923 (The Order Export & Order Import for WooCommerce plugin for
WordPress i ...)
NOT-FOR-US: WordPress plugin
CVE-2024-13922 (The Order Export & Order Import for WooCommerce plugin for
WordPress i ...)
@@ -446,7 +446,7 @@ CVE-2024-13920 (The Order Export & Order Import for
WooCommerce plugin for WordP
CVE-2024-13558 (The NP Quote Request for WooCommerce plugin for WordPress is
vulnerabl ...)
NOT-FOR-US: WordPress plugin
CVE-2024-13060 (A vulnerability in AnythingLLM Docker version 1.3.1 allows
users with ...)
- TODO: check
+ NOT-FOR-US: anything-llm
CVE-2024-12911 (A vulnerability in the `default_jsonalyzer` function of the
`JSONalyze ...)
NOT-FOR-US: run-llama/llama_index
CVE-2024-12910 (A vulnerability in the `KnowledgeBaseWebReader` class of the
run-llama ...)
@@ -468,9 +468,9 @@ CVE-2024-12869 (In infiniflow/ragflow version v0.12.0,
there is an improper auth
CVE-2024-12868 (In version 0.3.32 of open-webui, the application uses a
vulnerable ver ...)
NOT-FOR-US: open-webui/open-webui
CVE-2024-12866 (A local file inclusion vulnerability exists in
netease-youdao/qanythin ...)
- TODO: check
+ NOT-FOR-US: netease-youdao/qanything
CVE-2024-12864 (A Denial of Service (DoS) vulnerability was discovered in the
file upl ...)
- TODO: check
+ NOT-FOR-US: netease-youdao/qanything
CVE-2024-12779 (A Server-Side Request Forgery (SSRF) vulnerability exists in
infiniflo ...)
NOT-FOR-US: infiniflow/ragflow
CVE-2024-12778 (A vulnerability in aimhubio/aim version 3.25.0 allows for a
denial of ...)
@@ -490,7 +490,7 @@ CVE-2024-12760 (An open redirect vulnerability in
bentoml/bentoml v1.3.9 allows
CVE-2024-12759 (In bentoml/bentoml version 1.3.9, the `/login` endpoint of the
newly i ...)
NOT-FOR-US: bentoml/bentoml
CVE-2024-12720 (A Regular Expression Denial of Service (ReDoS) vulnerability
was ident ...)
- TODO: check
+ NOT-FOR-US: huggingface/transformers
CVE-2024-12704 (A vulnerability in the LangChainLLM class of the
run-llama/llama_index ...)
NOT-FOR-US: run-llama/llama_index
CVE-2024-12580 (A vulnerability in danny-avila/librechat prior to version
0.7.6 allows ...)
@@ -524,9 +524,9 @@ CVE-2024-12374 (A stored cross-site scripting (XSS)
vulnerability exists in auto
CVE-2024-12217 (A vulnerability in the gradio-app/gradio repository, version
git 67e40 ...)
NOT-FOR-US: Gradio
CVE-2024-12216 (A vulnerability in the `ImageClassificationDataset.from_csv()`
API of ...)
- TODO: check
+ NOT-FOR-US: gluon_cv
CVE-2024-12215 (In kedro-org/kedro version 0.19.8, the `pull_package()` API
function a ...)
- TODO: check
+ NOT-FOR-US: Kedro
CVE-2024-12074 (A Denial of Service (DoS) vulnerability was discovered in the
file upl ...)
NOT-FOR-US: automatic1111/stable-diffusion-webui
CVE-2024-12070 (A Denial of Service (DoS) vulnerability exists in the file
upload feat ...)
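Review bot: "NOT-FOR-US: Kedro" (added here for CVE-2024-12215 and earlier for CVE-2024-9701) does not match the owner/repo form in the description ("kedro-org/kedro") that the other NOT-FOR-US markers in this hunk follow ("automatic1111/stable-diffusion-webui"); consider "NOT-FOR-US: kedro-org/kedro" for both entries for consistency.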
@@ -566,7 +566,7 @@ CVE-2024-11449 (A vulnerability in haotian-liu/llava
version 1.2.0 (LLaVA-1.6) a
CVE-2024-11441 (A stored cross-site scripting (XSS) vulnerability exists in
Serge vers ...)
NOT-FOR-US: Serge
CVE-2024-11302 (A missing check_access() function in the lollms_binding_infos
module o ...)
- TODO: check
+ NOT-FOR-US: parisneo/lollms
CVE-2024-11301 (In lunary-ai/lunary before version 1.6.3, the application
allows the c ...)
NOT-FOR-US: lunary-ai/lunary
CVE-2024-11300 (In lunary-ai/lunary before version 1.6.3, an improper access
control v ...)
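Review bot: "NOT-FOR-US: parisneo/lollms" for CVE-2024-11302 names a different repository from "NOT-FOR-US: parisneo/lollms-webui" used for CVE-2024-8736 and CVE-2024-8581 earlier in this file. Please confirm which repository the lollms_binding_infos module mentioned in the description belongs to, so the marker names the right upstream.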
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/342291ff2fc2d42da5ec50ac960898a9feefeabe
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits