Salvatore Bonaccorso pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
0bc2f7a9 by security tracker role at 2022-09-22T20:10:22+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,3 +1,25 @@
+CVE-2022-3276
+ RESERVED
+CVE-2022-3275
+ RESERVED
+CVE-2022-3274 (Cross-Site Request Forgery (CSRF) in GitHub repository
ikus060/rdiffwe ...)
+ TODO: check
+CVE-2022-3273
+ RESERVED
+CVE-2022-3272
+ RESERVED
+CVE-2022-3271
+ RESERVED
+CVE-2022-3270
+ RESERVED
+CVE-2022-3269
+ RESERVED
+CVE-2022-3268 (Weak Password Requirements in GitHub repository ikus060/minarca
prior ...)
+ TODO: check
+CVE-2022-3267 (Cross-Site Request Forgery (CSRF) in GitHub repository
ikus060/rdiffwe ...)
+ TODO: check
+CVE-2022-3266
+ RESERVED
CVE-2022-41313
RESERVED
CVE-2022-41312
@@ -142,8 +164,8 @@ CVE-2022-3258
RESERVED
CVE-2022-3257
RESERVED
-CVE-2022-3256
- RESERVED
+CVE-2022-3256 (Use After Free in GitHub repository vim/vim prior to 9.0.0530.
...)
+ TODO: check
CVE-2022-3255 (If an attacker can control a script that is executed in the
victim's b ...)
NOT-FOR-US: pimcore
CVE-2022-3254
@@ -851,14 +873,14 @@ CVE-2022-40937
RESERVED
CVE-2022-40936
RESERVED
-CVE-2022-40935
- RESERVED
-CVE-2022-40934
- RESERVED
-CVE-2022-40933
- RESERVED
-CVE-2022-40932
- RESERVED
+CVE-2022-40935 (Online Pet Shop We App v1.0 is vulnerable to SQL Injection via
/pet_sh ...)
+ TODO: check
+CVE-2022-40934 (Online Pet Shop We App v1.0 is vulnerable to SQL injection via
/pet_sh ...)
+ TODO: check
+CVE-2022-40933 (Online Pet Shop We App v1.0 by oretnom23 is vulnerable to SQL
injectio ...)
+ TODO: check
+CVE-2022-40932 (In Zoo Management System v1.0, there is an arbitrary file
upload vulne ...)
+ TODO: check
CVE-2022-40931
RESERVED
CVE-2022-40930
@@ -1366,8 +1388,7 @@ CVE-2018-25047 (In Smarty before 3.1.47 and 4.x before
4.2.1, libs/plugins/funct
NOTE:
https://github.com/smarty-php/smarty/commit/55ea25d1f50f0406fb1ccedd212c527977793fc9
(v4.2.1)
CVE-2022-40706
RESERVED
-CVE-2022-40705
- RESERVED
+CVE-2022-40705 (** UNSUPPORTED WHEN ASSIGNED ** An Improper Restriction of XML
Externa ...)
NOT-FOR-US: Apache SOAP
CVE-2022-40696
RESERVED
@@ -1468,6 +1489,7 @@ CVE-2022-30545
CVE-2020-36603 (The HoYoVerse (formerly miHoYo) Genshin Impact mhyprot2.sys
1.0.0.0 an ...)
NOT-FOR-US: HoYoVerse (formerly miHoYo) Genshin Impact
CVE-2022-40674 (libexpat before 2.4.9 has a use-after-free in the doContent
function i ...)
+ {DSA-5236-1}
- expat 2.4.8-2 (bug #1019761)
NOTE: https://github.com/libexpat/libexpat/pull/629
NOTE: https://github.com/libexpat/libexpat/pull/640
@@ -2044,16 +2066,16 @@ CVE-2022-40449
RESERVED
CVE-2022-40448
RESERVED
-CVE-2022-40447
- RESERVED
-CVE-2022-40446
- RESERVED
+CVE-2022-40447 (ZZCMS 2022 was discovered to contain a SQL injection
vulnerability via ...)
+ TODO: check
+CVE-2022-40446 (ZZCMS 2022 was discovered to contain a SQL injection
vulnerability via ...)
+ TODO: check
CVE-2022-40445
RESERVED
-CVE-2022-40444
- RESERVED
-CVE-2022-40443
- RESERVED
+CVE-2022-40444 (ZZCMS 2022 was discovered to contain a full path disclosure
vulnerabil ...)
+ TODO: check
+CVE-2022-40443 (An absolute path traversal vulnerability in ZZCMS 2022 allows
attacker ...)
+ TODO: check
CVE-2022-40442
RESERVED
CVE-2022-40441
@@ -2703,8 +2725,7 @@ CVE-2022-40148
RESERVED
CVE-2022-40147
RESERVED
-CVE-2022-40146
- RESERVED
+CVE-2022-40146 (Server-Side Request Forgery (SSRF) vulnerability in Batik of
Apache XM ...)
- batik <unfixed>
NOTE: https://www.openwall.com/lists/oss-security/2022/09/22/3
NOTE: https://issues.apache.org/jira/browse/BATIK-1335
@@ -5080,6 +5101,7 @@ CVE-2022-3082
CVE-2022-3081
RESERVED
CVE-2022-3080 (By sending specific queries to the resolver, an attacker can
cause nam ...)
+ {DSA-5235-1}
- bind9 1:9.18.7-1
NOTE: https://kb.isc.org/docs/cve-2022-3080
NOTE: Fixed by:
https://gitlab.isc.org/isc-projects/bind9/-/commit/b9e2f3333d0d29deb3ef932aa7aeb28086f153bd
(v9_18_7)
@@ -6444,8 +6466,7 @@ CVE-2022-38650
RESERVED
CVE-2022-38649
RESERVED
-CVE-2022-38648
- RESERVED
+CVE-2022-38648 (Server-Side Request Forgery (SSRF) vulnerability in Batik of
Apache XM ...)
- batik <unfixed>
NOTE: https://www.openwall.com/lists/oss-security/2022/09/22/4
NOTE: https://issues.apache.org/jira/browse/BATIK-1333
@@ -7171,8 +7192,7 @@ CVE-2020-36593
RESERVED
CVE-2020-36592
RESERVED
-CVE-2022-38398
- RESERVED
+CVE-2022-38398 (Server-Side Request Forgery (SSRF) vulnerability in Batik of
Apache XM ...)
- batik <unfixed>
NOTE: https://www.openwall.com/lists/oss-security/2022/09/22/2
NOTE: https://issues.apache.org/jira/browse/BATIK-1331
@@ -7890,11 +7910,13 @@ CVE-2022-38180 (In JetBrains Ktor before 2.1.0 the
wrong authentication provider
CVE-2022-38179 (JetBrains Ktor before 2.1.0 was vulnerable to the Reflect File
Downloa ...)
NOT-FOR-US: JetBrains Ktor
CVE-2022-38178 (By spoofing the target resolver with responses that have a
malformed E ...)
+ {DSA-5235-1}
- bind9 1:9.18.7-1
NOTE: https://kb.isc.org/docs/cve-2022-38178
NOTE: Fixed by:
https://gitlab.isc.org/isc-projects/bind9/-/commit/7c0028cfad2ae5fdf82c4d02d3b8b3a1e96dc6ec
(v9_18_7)
NOTE: Fixed by:
https://gitlab.isc.org/isc-projects/bind9/-/commit/1af23378ebb11da2eb0f412e4563d6c4165fbd3d
(v9_16_33)
CVE-2022-38177 (By spoofing the target resolver with responses that have a
malformed E ...)
+ {DSA-5235-1}
- bind9 1:9.17.20-1
NOTE: https://kb.isc.org/docs/cve-2022-38177
NOTE: Fixed by (while refactoring):
https://gitlab.isc.org/isc-projects/bind9/-/commit/d4eb6e0a57a7eeb42328ff66865fa66688603c17
(v9_17_20)
@@ -7926,6 +7948,7 @@ CVE-2022-2797 (A vulnerability classified as critical was
found in SourceCodeste
CVE-2022-2796 (Cross-site Scripting (XSS) - Stored in GitHub repository
pimcore/pimco ...)
NOT-FOR-US: pimcore
CVE-2022-2795 (By flooding the target resolver with queries exploiting this
flaw an a ...)
+ {DSA-5235-1}
- bind9 1:9.18.7-1
NOTE: https://kb.isc.org/docs/cve-2022-2795
NOTE: Fixed by:
https://gitlab.isc.org/isc-projects/bind9/-/commit/e2014ba9e3b4236b0384ba17abfb2c9a155412f6
(v9_18_7)
@@ -10395,8 +10418,8 @@ CVE-2022-37236
RESERVED
CVE-2022-37235
RESERVED
-CVE-2022-37234
- RESERVED
+CVE-2022-37234 (Netgear Nighthawk AC1900 Smart WiFi Dual Band Gigabit Router
R7000-V1. ...)
+ TODO: check
CVE-2022-37233
RESERVED
CVE-2022-37232
@@ -13397,8 +13420,7 @@ CVE-2022-36064 (Shescape is a shell escape package for
JavaScript. An Inefficien
NOT-FOR-US: Shescape
CVE-2022-36063
RESERVED
-CVE-2022-36062
- RESERVED
+CVE-2022-36062 (Grafana is an open-source platform for monitoring and
observability. I ...)
- grafana <removed>
CVE-2022-36061 (Elrond go is the go implementation for the Elrond Network
protocol. In ...)
NOT-FOR-US: Elrond go
@@ -13762,8 +13784,8 @@ CVE-2022-35896 (An issue SMM memory leak vulnerability
in SMM driver (SMRAM was
TODO: check
CVE-2022-35895 (An issue was discovered in Insyde InsydeH2O with kernel 5.0
through 5. ...)
TODO: check
-CVE-2022-35894
- RESERVED
+CVE-2022-35894 (An issue was discovered in Insyde InsydeH2O with kernel 5.0
through 5. ...)
+ TODO: check
CVE-2022-35893
RESERVED
CVE-2022-35892
@@ -15085,8 +15107,8 @@ CVE-2022-35409 (An issue was discovered in Mbed TLS
before 2.28.1 and 3.x before
NOTE:
https://github.com/Mbed-TLS/mbedtls/commit/3c036f54cc3a25e4d6b8003202b7e640522f4621
(v2.28.1)
NOTE:
https://github.com/Mbed-TLS/mbedtls/commit/6b4f062cde84b9df57275676c428508ec6e41211
(v2.28.1)
NOTE:
https://github.com/Mbed-TLS/mbedtls/commit/719c723afc63930d3472a12c0edb654a7d08d6b9
(v2.28.1)
-CVE-2022-35408
- RESERVED
+CVE-2022-35408 (An issue was discovered in Insyde InsydeH2O with kernel 5.0
through 5. ...)
+ TODO: check
CVE-2022-35407
RESERVED
CVE-2022-35406 (A URL disclosure issue was discovered in Burp Suite before
2022.6. If ...)
@@ -16005,44 +16027,44 @@ CVE-2022-35041
RESERVED
CVE-2022-35040
RESERVED
-CVE-2022-35039
- RESERVED
-CVE-2022-35038
- RESERVED
-CVE-2022-35037
- RESERVED
-CVE-2022-35036
- RESERVED
-CVE-2022-35035
- RESERVED
-CVE-2022-35034
- RESERVED
+CVE-2022-35039 (OTFCC commit 617837b was discovered to contain a heap buffer
overflow ...)
+ TODO: check
+CVE-2022-35038 (OTFCC commit 617837b was discovered to contain a heap buffer
overflow ...)
+ TODO: check
+CVE-2022-35037 (OTFCC commit 617837b was discovered to contain a heap buffer
overflow ...)
+ TODO: check
+CVE-2022-35036 (OTFCC commit 617837b was discovered to contain a heap buffer
overflow ...)
+ TODO: check
+CVE-2022-35035 (OTFCC commit 617837b was discovered to contain a heap buffer
overflow ...)
+ TODO: check
+CVE-2022-35034 (OTFCC commit 617837b was discovered to contain a heap buffer
overflow ...)
+ TODO: check
CVE-2022-35033
RESERVED
-CVE-2022-35032
- RESERVED
-CVE-2022-35031
- RESERVED
-CVE-2022-35030
- RESERVED
-CVE-2022-35029
- RESERVED
-CVE-2022-35028
- RESERVED
-CVE-2022-35027
- RESERVED
-CVE-2022-35026
- RESERVED
-CVE-2022-35025
- RESERVED
-CVE-2022-35024
- RESERVED
-CVE-2022-35023
- RESERVED
-CVE-2022-35022
- RESERVED
-CVE-2022-35021
- RESERVED
+CVE-2022-35032 (OTFCC commit 617837b was discovered to contain a segmentation
violatio ...)
+ TODO: check
+CVE-2022-35031 (OTFCC commit 617837b was discovered to contain a segmentation
violatio ...)
+ TODO: check
+CVE-2022-35030 (OTFCC commit 617837b was discovered to contain a segmentation
violatio ...)
+ TODO: check
+CVE-2022-35029 (OTFCC commit 617837b was discovered to contain a segmentation
violatio ...)
+ TODO: check
+CVE-2022-35028 (OTFCC commit 617837b was discovered to contain a segmentation
violatio ...)
+ TODO: check
+CVE-2022-35027 (OTFCC commit 617837b was discovered to contain a segmentation
violatio ...)
+ TODO: check
+CVE-2022-35026 (OTFCC commit 617837b was discovered to contain a segmentation
violatio ...)
+ TODO: check
+CVE-2022-35025 (OTFCC commit 617837b was discovered to contain a segmentation
violatio ...)
+ TODO: check
+CVE-2022-35024 (OTFCC commit 617837b was discovered to contain a segmentation
violatio ...)
+ TODO: check
+CVE-2022-35023 (OTFCC commit 617837b was discovered to contain a segmentation
violatio ...)
+ TODO: check
+CVE-2022-35022 (OTFCC commit 617837b was discovered to contain a segmentation
violatio ...)
+ TODO: check
+CVE-2022-35021 (OTFCC commit 617837b was discovered to contain a global buffer
overflo ...)
+ TODO: check
CVE-2022-35020 (Advancecomp v2.3 was discovered to contain a heap buffer
overflow via ...)
- advancecomp <unfixed> (unimportant; bug #1019592)
NOTE:
https://github.com/Cvjark/Poc/blob/main/advancecomp/CVE-2022-35020.md
@@ -16340,12 +16362,14 @@ CVE-2022-34914 (Webswing before 22.1.3 allows
X-Forwarded-For header injection.
CVE-2022-34913 (** DISPUTED ** md2roff 1.7 has a stack-based buffer overflow
via a Mar ...)
NOT-FOR-US: md2roff
CVE-2022-34912 (An issue was discovered in MediaWiki before 1.37.3 and 1.38.x
before 1 ...)
+ {DLA-3117-1}
- mediawiki 1:1.35.7-1
[bullseye] - mediawiki <postponed> (Minor issue, fix along with next
security release)
NOTE: https://phabricator.wikimedia.org/T308473
NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/807225/
NOTE:
https://lists.wikimedia.org/hyperkitty/list/[email protected]/thread/PIPYDRSHXOYW5DB7X755QDNUV5EZWPWB/
CVE-2022-34911 (An issue was discovered in MediaWiki before 1.35.7, 1.36.x and
1.37.x ...)
+ {DLA-3117-1}
- mediawiki 1:1.35.7-1
[bullseye] - mediawiki <postponed> (Minor issue, fix along with next
security release)
NOTE: https://phabricator.wikimedia.org/T308471
@@ -16597,8 +16621,8 @@ CVE-2022-2268 (The Import any XML or CSV File to
WordPress plugin before 3.6.8 a
NOT-FOR-US: WordPress plugin
CVE-2022-2267 (The Mailchimp for WooCommerce WordPress plugin before 2.7.1 has
an AJA ...)
NOT-FOR-US: WordPress plugin
-CVE-2022-2266
- RESERVED
+CVE-2022-2266 (University Library Automation System developed by Yordam Bilgi
Teknolo ...)
+ TODO: check
CVE-2022-2265 (The Identity and Directory Management System developed by
Çekino ...)
TODO: check
CVE-2022-2264 (Heap-based Buffer Overflow in GitHub repository vim/vim prior
to 9.0. ...)
@@ -18826,8 +18850,8 @@ CVE-2022-34028 (Nginx NJS v0.7.5 was discovered to
contain a segmentation violat
NOT-FOR-US: njs
CVE-2022-34027 (Nginx NJS v0.7.4 was discovered to contain a segmentation
violation vi ...)
NOT-FOR-US: njs
-CVE-2022-34026
- RESERVED
+CVE-2022-34026 (ICEcoder v8.1 allows attackers to execute a directory
traversal. ...)
+ TODO: check
CVE-2022-34025 (Vesta v1.0.0-5 was discovered to contain a cross-site
scripting (XSS) ...)
NOT-FOR-US: Vesta
CVE-2022-34024 (Barangay Management System v1.0 was discovered to contain an
arbitrary ...)
@@ -24514,8 +24538,8 @@ CVE-2022-1942 (Heap-based Buffer Overflow in GitHub
repository vim/vim prior to
[stretch] - vim <no-dsa> (Minor issue)
NOTE: https://huntr.dev/bounties/67ca4d3b-9175-43c1-925c-72a7091bc071
NOTE:
https://github.com/vim/vim/commit/71223e2db87c2bf3b09aecb46266b56cda26191d
(v8.2.5043)
-CVE-2022-1941
- RESERVED
+CVE-2022-1941 (A parsing vulnerability for the MessageSet type in the
ProtocolBuffers ...)
+ TODO: check
CVE-2022-1940 (A Stored Cross-Site Scripting vulnerability in Jira integration
in Git ...)
- gitlab <not-affected> (Vulnerable code introduced later)
NOTE:
https://about.gitlab.com/releases/2022/06/01/critical-security-release-gitlab-15-0-1-released/
@@ -35404,18 +35428,21 @@ CVE-2022-28204 (A denial-of-service issue was
discovered in MediaWiki 1.37.x bef
NOTE: https://phabricator.wikimedia.org/T297754
NOTE:
https://lists.wikimedia.org/hyperkitty/list/[email protected]/thread/YJNXKPV5Z56NSUQ4G3SXPDUIZG5EQ7UR/
CVE-2022-28203 (A denial-of-service issue was discovered in MediaWiki before
1.35.6, 1 ...)
+ {DLA-3117-1}
- mediawiki 1:1.35.6-1
[bullseye] - mediawiki <postponed> (Fix along in next security release)
[stretch] - mediawiki <postponed> (Fix along in next security release)
NOTE: https://phabricator.wikimedia.org/T297731
NOTE:
https://lists.wikimedia.org/hyperkitty/list/[email protected]/thread/YJNXKPV5Z56NSUQ4G3SXPDUIZG5EQ7UR/
CVE-2022-28202 (An XSS issue was discovered in MediaWiki before 1.35.6, 1.36.x
before ...)
+ {DLA-3117-1}
- mediawiki 1:1.35.6-1
[bullseye] - mediawiki <postponed> (Fix along in next security release)
[stretch] - mediawiki <postponed> (Fix along in next security release)
NOTE: https://phabricator.wikimedia.org/T297543
NOTE:
https://lists.wikimedia.org/hyperkitty/list/[email protected]/thread/YJNXKPV5Z56NSUQ4G3SXPDUIZG5EQ7UR/
CVE-2022-28201 (An issue was discovered in MediaWiki before 1.35.6, 1.36.x
before 1.36 ...)
+ {DLA-3117-1}
- mediawiki 1:1.35.6-1
[bullseye] - mediawiki <postponed> (Fix along in next security release)
[stretch] - mediawiki <postponed> (Fix along in next security release)
@@ -45846,13 +45873,13 @@ CVE-2022-0532 (An incorrect sysctls validation
vulnerability was found in CRI-O
CVE-2022-0531 (The Migration, Backup, Staging WordPress plugin before 0.9.70
does not ...)
NOT-FOR-US: WordPress plugin
CVE-2022-0530 (A flaw was found in Unzip. The vulnerability occurs during the
convers ...)
- {DSA-5202-1}
+ {DSA-5202-1 DLA-3118-1}
- unzip 6.0-27 (bug #1010355)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2051395
NOTE: https://github.com/ByteHackr/unzip_poc
NOTE: Unclear status, checking with upstream
CVE-2022-0529 (A flaw was found in Unzip. The vulnerability occurs during the
convers ...)
- {DSA-5202-1}
+ {DSA-5202-1 DLA-3118-1}
- unzip 6.0-27 (bug #1010355)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2051402
NOTE: https://github.com/ByteHackr/unzip_poc
@@ -58995,6 +59022,7 @@ CVE-2021-44857 (An issue was discovered in MediaWiki
before 1.35.5, 1.36.x befor
NOTE:
https://lists.wikimedia.org/hyperkitty/list/[email protected]/thread/QEN3EK4JXAVJMJ5GF3GYOAKNJPEKFQYA/
CVE-2021-44856 [Title blocked in AbuseFilter can be created via
Special:ChangeContentModel]
RESERVED
+ {DLA-3117-1}
- mediawiki 1:1.35.5-1
[bullseye] - mediawiki <postponed> (Minor issue)
[stretch] - mediawiki <postponed> (Minor issue)
@@ -77883,8 +77911,8 @@ CVE-2021-39191 (mod_auth_openidc is an
authentication/authorization module for t
NOTE:
https://github.com/zmartzone/mod_auth_openidc/security/advisories/GHSA-2pgf-8h6h-gqg2
NOTE:
https://github.com/zmartzone/mod_auth_openidc/commit/03e6bfb446f4e3f27c003d30d6a433e5dd8e2b3d
NOTE: https://github.com/zmartzone/mod_auth_openidc/issues/672
-CVE-2021-39190
- RESERVED
+CVE-2021-39190 (The SCCM plugin for GLPI is a plugin to synchronize computers
from SCC ...)
+ TODO: check
CVE-2021-39189 (Pimcore is an open source data & experience management
platform. I ...)
NOT-FOR-US: Pimcore
CVE-2021-39188
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0bc2f7a9e50bc6a780ce1b067ebce7e6dfc57733
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0bc2f7a9e50bc6a780ce1b067ebce7e6dfc57733
You're receiving this email because of your account on salsa.debian.org.
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
