Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
285f2130 by Moritz Muehlenhoff at 2021-02-12T14:31:50+01:00
new node-static-eval, rails issues
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -19,7 +19,7 @@ CVE-2021-27193
 CVE-2021-27192
        RESERVED
 CVE-2021-27191 (The get-ip-range package before 4.0.0 for Node.js is 
vulnerable to den ...)
-       TODO: check
+       NOT-FOR-US: Node get-ip-range
 CVE-2021-3408
        RESERVED
 CVE-2021-27190 (PEEL Shopping cart 9.3.0 allows utilisateurs/change_params.php 
Address ...)
@@ -1054,7 +1054,7 @@ CVE-2021-26709
        RESERVED
 CVE-2021-26707
        RESERVED
-       TODO: possibly NFU, as looks different from src:node-deepmerge
+       NOT-FOR-US: Node deep-merge
 CVE-2020-36241 (autoar-extractor.c in GNOME gnome-autoar through 0.2.4, as 
used by GNO ...)
        - gnome-autoar <unfixed>
        NOTE: 
https://gitlab.gnome.org/GNOME/gnome-autoar/-/commit/adb067e645732fdbe7103516e506d09eb6a54429
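Review bot: the removed line `-       TODO: possibly NFU, as looks different from src:node-deepmerge` carried the reason this CVE is being marked NFU (it concerns a package other than the one Debian ships as node-deepmerge), and the replacement `+       NOT-FOR-US: Node deep-merge` drops that reasoning. Since the entry is still RESERVED with no public description, and "deep-merge" and "node-deepmerge" differ by little more than a hyphen, consider keeping a `NOTE:` recording that the affected package is not src:node-deepmerge so the next triager does not reopen the question when the description is published.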
@@ -8760,9 +8760,10 @@ CVE-2021-23337
 CVE-2021-23336
        RESERVED
 CVE-2021-23335 (All versions of package is-user-valid are vulnerable to LDAP 
Injection ...)
-       TODO: check
+       NOT-FOR-US: Node is-user-valid
 CVE-2021-23334 (All versions of package static-eval are vulnerable to 
Arbitrary Code E ...)
-       TODO: check
+       - node-static-eval <unfixed>
+       NOTE: https://snyk.io/vuln/SNYK-JS-STATICEVAL-1056765
 CVE-2021-23333
        RESERVED
 CVE-2021-23332
@@ -9644,9 +9645,11 @@ CVE-2021-22883
 CVE-2021-22882
        RESERVED
 CVE-2021-22881 (The Host Authorization middleware in Action Pack before 
6.1.2.1, 6.0.3 ...)
-       TODO: check
+       - rails <unfixed>
+       NOTE: 
https://discuss.rubyonrails.org/t/cve-2021-22881-possible-open-redirect-in-host-authorization-middleware/77130
 CVE-2021-22880 (The PostgreSQL adapter in Active Record before 6.1.2.1, 
6.0.3.5, 5.2.4 ...)
-       TODO: check
+       - rails <unfixed>
+       NOTE: 
https://discuss.rubyonrails.org/t/cve-2021-22880-possible-dos-vulnerability-in-active-record-postgresql-adapter/77129
 CVE-2021-22879
        RESERVED
 CVE-2021-22878
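Review bot: both rails entries (`+       - rails <unfixed>` for CVE-2021-22881 and CVE-2021-22880) carry no suite-specific annotation, while the CVE descriptions name the fixed upstream releases (6.1.2.1, 6.0.3.x, 5.2.4.x). If the stable suite ships an earlier rails branch, check whether it falls inside the affected range and add the matching `[buster]` / `[stretch]` line, or a `NOTE:` explaining why that branch is not affected, rather than leaving only the unstable marker.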
@@ -11636,7 +11639,7 @@ CVE-2021-21978
 CVE-2021-21977
        RESERVED
 CVE-2021-21976 (vSphere Replication 8.3.x prior to 8.3.1.2, 8.2.x prior to 
8.2.1.1, 8. ...)
-       TODO: check
+       NOT-FOR-US: vSphere Replication
 CVE-2021-21975
        RESERVED
 CVE-2021-21974
@@ -14236,13 +14239,13 @@ CVE-2021-21311 (Adminer is an open-source database 
management in a single PHP fi
        NOTE: 
https://github.com/vrana/adminer/security/advisories/GHSA-x5r2-hj5c-8jx6
        NOTE: 
https://github.com/vrana/adminer/commit/ccd2374b0b12bd547417bf0dacdf153826c83351
 (v4.7.9)
 CVE-2021-21310 (NextAuth.js (next-auth) is am open source authentication 
solution for  ...)
-       TODO: check
+       NOT-FOR-US: NextAuth.js
 CVE-2021-21309
        RESERVED
 CVE-2021-21308
        RESERVED
 CVE-2021-21307 (Lucee Server is a dynamic, Java based (JSR-223), tag and 
scripting lan ...)
-       TODO: check
+       NOT-FOR-US: Lucee Server
 CVE-2021-21306 (Marked is an open-source markdown parser and compiler (npm 
package "ma ...)
        - node-marked <unfixed>
        NOTE: 
https://github.com/markedjs/marked/security/advisories/GHSA-4r62-v4vq-hr96
@@ -14259,7 +14262,7 @@ CVE-2021-21303 (Helm is open-source software which is 
essentially "The Kubernete
 CVE-2021-21302
        RESERVED
 CVE-2021-21301 (Wire is an open-source collaboration platform. In Wire for iOS 
(iPhone ...)
-       TODO: check
+       NOT-FOR-US: Wire
 CVE-2021-21300
        RESERVED
 CVE-2021-21298
@@ -14319,7 +14322,7 @@ CVE-2021-21279
 CVE-2021-21278 (RSSHub is an open source, easy to use, and extensible RSS feed 
generat ...)
        NOT-FOR-US: RSSHub
 CVE-2021-21277 (angular-expressions is "angular's nicest part extracted as a 
standalon ...)
-       TODO: check
+       NOT-FOR-US: angular-expressions
 CVE-2021-21276 (Polr is an open source URL shortener. in Polr before version 
2.3.0, a  ...)
        NOT-FOR-US: Polr
 CVE-2021-21275 (The MediaWiki "Report" extension has a Cross-Site Request 
Forgery (CSR ...)
@@ -15838,45 +15841,45 @@ CVE-2021-20656
 CVE-2021-20655
        RESERVED
 CVE-2021-20654 (Wekan, open source kanban board system, between version 3.12 
and 4.11, ...)
-       TODO: check
+       NOT-FOR-US: Wekan
 CVE-2021-20653
        RESERVED
 CVE-2021-20652 (Cross-site request forgery (CSRF) vulnerability in Name 
Directory 1.17 ...)
        NOT-FOR-US: Name Directory
 CVE-2021-20651 (Directory traversal vulnerability in ELECOM File Manager all 
versions  ...)
-       TODO: check
+       NOT-FOR-US: ELECOM
 CVE-2021-20650 (Cross-site request forgery (CSRF) vulnerability in ELECOM 
NCC-EWF100RM ...)
-       TODO: check
+       NOT-FOR-US: ELECOM
 CVE-2021-20649 (ELECOM WRC-300FEBK-S contains an improper certificate 
validation vulne ...)
-       TODO: check
+       NOT-FOR-US: ELECOM
 CVE-2021-20648 (ELECOM WRC-300FEBK-S allows an attacker with administrator 
rights to e ...)
-       TODO: check
+       NOT-FOR-US: ELECOM
 CVE-2021-20647 (Cross-site request forgery (CSRF) vulnerability in ELECOM 
WRC-300FEBK- ...)
-       TODO: check
+       NOT-FOR-US: ELECOM
 CVE-2021-20646 (Cross-site request forgery (CSRF) vulnerability in ELECOM 
WRC-300FEBK- ...)
-       TODO: check
+       NOT-FOR-US: ELECOM
 CVE-2021-20645 (Cross-site scripting vulnerability in ELECOM WRC-300FEBK-A 
allows remo ...)
-       TODO: check
+       NOT-FOR-US: ELECOM
 CVE-2021-20644 (ELECOM WRC-1467GHBK-A allows arbitrary scripts to be executed 
on the u ...)
-       TODO: check
+       NOT-FOR-US: ELECOM
 CVE-2021-20643 (Improper access control vulnerability in ELECOM LD-PS/U1 
allows remote ...)
-       TODO: check
+       NOT-FOR-US: ELECOM
 CVE-2021-20642 (Improper check or handling of exceptional conditions in 
LOGITEC LAN-W3 ...)
-       TODO: check
+       NOT-FOR-US: LOGITEC
 CVE-2021-20641 (Cross-site request forgery (CSRF) vulnerability in LOGITEC 
LAN-W300N/R ...)
-       TODO: check
+       NOT-FOR-US: LOGITEC
 CVE-2021-20640 (Buffer overflow vulnerability in LOGITEC LAN-W300N/PGRB allows 
an atta ...)
-       TODO: check
+       NOT-FOR-US: LOGITEC
 CVE-2021-20639 (LOGITEC LAN-W300N/PGRB allows an attacker with administrative 
privileg ...)
-       TODO: check
+       NOT-FOR-US: LOGITEC
 CVE-2021-20638 (LOGITEC LAN-W300N/PGRB allows an attacker with administrative 
privileg ...)
-       TODO: check
+       NOT-FOR-US: LOGITEC
 CVE-2021-20637 (Improper check or handling of exceptional conditions in 
LOGITEC LAN-W3 ...)
-       TODO: check
+       NOT-FOR-US: LOGITEC
 CVE-2021-20636 (Cross-site request forgery (CSRF) vulnerability in LOGITEC 
LAN-W300N/P ...)
-       TODO: check
+       NOT-FOR-US: LOGITEC
 CVE-2021-20635 (Improper restriction of excessive authentication attempts in 
LOGITEC L ...)
-       TODO: check
+       NOT-FOR-US: LOGITEC
 CVE-2021-20634
        RESERVED
 CVE-2021-20633
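Review bot: the ELECOM and LOGITEC entries are tagged with the vendor name only (`+       NOT-FOR-US: ELECOM`, `+       NOT-FOR-US: LOGITEC`), whereas the other NFU lines in this commit name the product (`NOT-FOR-US: vSphere Replication`, `NOT-FOR-US: MongoDB Ops Manager`). Since the descriptions identify distinct devices (WRC-300FEBK-S, WRC-1467GHBK-A, LD-PS/U1, LAN-W300N/PGRB and others), including the product name in each tag would make the entries consistent with the rest of the file and easier to grep later.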
@@ -16476,7 +16479,7 @@ CVE-2021-20337
 CVE-2021-20336
        RESERVED
 CVE-2021-20335 (For MongoDB Ops Manager 4.2.X with multiple OM application 
servers, th ...)
-       TODO: check
+       NOT-FOR-US: MongoDB Ops Manager
 CVE-2021-20334
        RESERVED
 CVE-2021-20333



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/285f213020a9f2ca761e29cdf8095993964e35b9
