[Git][security-tracker-team/security-tracker][master] 3 commits: Update tracking for CVE-2018-16472/node-cached-path-relative

Tue, 25 Jan 2022 13:01:47 -0800 


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
cb94ba29 by Salvatore Bonaccorso at 2022-01-25T21:57:31+01:00
Update tracking for CVE-2018-16472/node-cached-path-relative

This old CVE entry was tracked as NFU, but is actually in
node-cached-path-relative and fixed in 1.0.2 upstream. Update tracking.
Versions having fixed CVE-2018-16472 are then prone to CVE-2021-23518.

- - - - -
15ebee4e by Salvatore Bonaccorso at 2022-01-25T21:59:22+01:00
CVE-2021-23518: Remove reference for fix for CVE-2018-16472

- - - - -
4b869692 by Salvatore Bonaccorso at 2022-01-25T22:00:55+01:00
CVE-2021-23518: Add reference back as incomplete fix for CVE-2018-16472

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -66661,8 +66661,8 @@ CVE-2021-23519
 CVE-2021-23518 (The package cached-path-relative before 1.1.0 are vulnerable 
to Protot ...)
        - node-cached-path-relative <unfixed> (bug #1004338)
        NOTE: 
https://github.com/ashaffer/cached-path-relative/commit/40c73bf70c58add5aec7d11e4f36b93d144bb760
-       NOTE: 
https://github.com/ashaffer/cached-path-relative/commit/a43cffec84ed0e9eceecb43b534b6937a8028fc0
        NOTE: results from incomplete fix for 
https://security.snyk.io/vuln/SNYK-JS-CACHEDPATHRELATIVE-72573
+       NOTE: which was CVE-2018-16472.
 CVE-2021-23517
        RESERVED
 CVE-2021-23516
@@ -222915,7 +222915,10 @@ CVE-2018-16474 (A stored xss in tianma-static module 
versions &lt;=1.0.4 allows
 CVE-2018-16473 (A path traversal in takeapeek module versions &lt;=0.2.2 
allows an att ...)
        NOT-FOR-US: takeapeek
 CVE-2018-16472 (A prototype pollution attack in cached-path-relative versions 
&lt;=1.0 ...)
-       NOT-FOR-US: cached-path-relative
+       - node-cached-path-relative 1.0.2-1
+       NOTE: https://hackerone.com/reports/390847
+       NOTE: https://github.com/ashaffer/cached-path-relative/issues/3
+       NOTE: Fixed by: 
https://github.com/ashaffer/cached-path-relative/commit/a43cffec84ed0e9eceecb43b534b6937a8028fc0
 CVE-2018-16471 (There is a possible XSS vulnerability in Rack before 2.0.6 and 
1.6.11. ...)
        {DLA-1585-1}
        - ruby-rack 1.6.4-6 (bug #913005)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/b40de7dfd59f6cc14b52c7d4aa0fc6c884cc6223...4b869692313ed417ba575a395e5c9bbf30146f3e

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/b40de7dfd59f6cc14b52c7d4aa0fc6c884cc6223...4b869692313ed417ba575a395e5c9bbf30146f3e
You're receiving this email because of your account on salsa.debian.org.



_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

Reply via email to