Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
2f4ed6a1 by Moritz Muehlenhoff at 2022-11-28T11:05:45+01:00
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -454,7 +454,7 @@ CVE-2022-45916
 CVE-2022-45915
        RESERVED
 CVE-2022-45914 (The ESL (Electronic Shelf Label) protocol, as implemented by 
(for exam ...)
-       TODO: check
+       NOT-FOR-US: ESL (Electronic Shelf Label) protocol
 CVE-2022-45913
        RESERVED
 CVE-2022-45912
@@ -467,9 +467,9 @@ CVE-2022-4145
 CVE-2022-45910
        RESERVED
 CVE-2022-45909 (drachtio-server 0.8.18 has a heap-based buffer over-read via a 
long Re ...)
-       TODO: check
+       NOT-FOR-US: drachtio-server
 CVE-2022-45908 (In PaddlePaddle before 2.4, paddle.audio.functional.get_window 
is vuln ...)
-       TODO: check
+       NOT-FOR-US: PaddlePaddle
 CVE-2022-45907 (In PyTorch before trunk/89695, 
torch.jit.annotations.parse_type_line c ...)
        - pytorch <unfixed> (bug #1024903)
        [bullseye] - pytorch <no-dsa> (Minor issue)
@@ -13845,7 +13845,7 @@ CVE-2022-41956
 CVE-2022-41955
        RESERVED
 CVE-2022-41954 (MPXJ is an open source library to read and write project plans 
from a  ...)
-       TODO: check
+       NOT-FOR-US: MPXJ
 CVE-2022-41953
        RESERVED
 CVE-2022-41952 (Synapse before 1.52.0 with URL preview functionality enabled 
will atte ...)
@@ -13880,7 +13880,7 @@ CVE-2022-41942 (Sourcegraph is a code intelligence 
platform. In versions prior t
 CVE-2022-41941
        RESERVED
 CVE-2022-41940 (Engine.IO is the implementation of transport-based 
cross-browser/cross ...)
-       TODO: check
+       NOT-FOR-US: Engine.io
 CVE-2022-41939 (knative.dev/func is is a client library and CLI enabling the 
developme ...)
        NOT-FOR-US: knative.dev/func
 CVE-2022-41938 (Flarum is an open source discussion platform. Flarum's page 
title syst ...)
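Review bot: before settling on `NOT-FOR-US: Engine.io` for CVE-2022-41940, check whether a node-engine.io source package exists in the archive; Node libraries of this kind are frequently packaged under a `node-` prefix, and if one exists the entry needs a package status line instead of NOT-FOR-US. Also spell the project as the description on the line above does, `Engine.IO`, so the marker matches the text it annotates.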
@@ -13908,13 +13908,13 @@ CVE-2022-41928 (XWiki Platform vulnerable to Improper 
Neutralization of Directiv
 CVE-2022-41927 (XWiki Platform is vulnerable to Cross-Site Request Forgery 
(CSRF) that ...)
        NOT-FOR-US: XWiki
 CVE-2022-41926 (Nextcould talk android is the android OS implementation of the 
nextclo ...)
-       TODO: check
+       NOT-FOR-US: Nextcould
 CVE-2022-41925 (A vulnerability identified in the Tailscale client allows a 
malicious  ...)
-       TODO: check
+       NOT-FOR-US: Tailscale
 CVE-2022-41924 (A vulnerability identified in the Tailscale Windows client 
allows a ma ...)
-       TODO: check
+       NOT-FOR-US: Tailscale
 CVE-2022-41923 (Grails Spring Security Core plugin is vulnerable to privilege 
escalati ...)
-       TODO: check
+       NOT-FOR-US: Grails Spring Security Core plugin
 CVE-2022-41922 (`yiisoft/yii` before version 1.1.27 are vulnerable to Remote 
Code Exec ...)
        - yii <itp> (bug #597899)
 CVE-2022-41921
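Review bot: the new marker `NOT-FOR-US: Nextcould` for CVE-2022-41926 copies the misspelling from the CVE description; the product is Nextcloud Talk Android. Use `NOT-FOR-US: Nextcloud Talk Android` so the entry is found together with the other Nextcloud entries in this file and is not mistaken for an unrelated project.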
@@ -13922,7 +13922,7 @@ CVE-2022-41921
 CVE-2022-41920 (Lancet is a general utility library for the go programming 
language. A ...)
        NOT-FOR-US: Lancet
 CVE-2022-41919 (Fastify is a web framework with minimal overhead and plugin 
architectu ...)
-       TODO: check
+       NOT-FOR-US: Fastify
 CVE-2022-41918 (OpenSearch is a community-driven, open source fork of 
Elasticsearch an ...)
        NOT-FOR-US: OpenSearch
 CVE-2022-41917 (OpenSearch is a community-driven, open source fork of 
Elasticsearch an ...)
@@ -14022,7 +14022,7 @@ CVE-2022-41877 (FreeRDP is a free remote desktop 
protocol library and clients. A
 CVE-2022-41876 (ezplatform-graphql is a GraphQL server implementation for 
Ibexa DXP an ...)
        NOT-FOR-US: ezplatform-graphql
 CVE-2022-41875 (A remote code execution (RCE) vulnerability in Optica allows 
unauthent ...)
-       TODO: check
+       NOT-FOR-US: Optica
 CVE-2022-41874 (Tauri is a framework for building binaries for all major 
desktop platf ...)
        NOT-FOR-US: Tauri
 CVE-2022-41873 (Contiki-NG is an open-source, cross-platform operating system 
for Next ...)
@@ -15943,11 +15943,11 @@ CVE-2022-41160
 CVE-2022-41159
        RESERVED
 CVE-2022-41158 (Remote code execution vulnerability can be achieved by using 
cookie va ...)
-       TODO: check
+       NOT-FOR-US: eyoom
 CVE-2022-41157 (A specific file on the sERP server if Kyungrinara(ERP 
solution) has a  ...)
-       TODO: check
+       NOT-FOR-US: Kyungrinara
 CVE-2022-41156 (Remote code execution vulnerability due to insufficient 
verification o ...)
-       TODO: check
+       NOT-FOR-US: OndiskPlayerAgent
 CVE-2022-41153
        RESERVED
 CVE-2022-41152
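Review bot: the visible descriptions for CVE-2022-41158 ("Remote code execution vulnerability can be achieved by using cookie va ...") and CVE-2022-41156 ("Remote code execution vulnerability due to insufficient verification o ...") do not name a product, so `NOT-FOR-US: eyoom` and `NOT-FOR-US: OndiskPlayerAgent` cannot be verified from this entry alone. Add a NOTE line with the advisory URL for each, as other entries in this list do, so the NOT-FOR-US decision can be re-checked later.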
@@ -19108,7 +19108,7 @@ CVE-2022-39835 (An issue was discovered in Gajim 
through 1.4.7. The vulnerabilit
 CVE-2022-39834 (A stored XSS vulnerability was discovered in 
adminweb/ra/viewendentity ...)
        NOT-FOR-US: PrimeKey EJBCA
 CVE-2022-39833 (FileCloud Versions 20.2 and later allows remote attackers to 
potential ...)
-       TODO: check
+       NOT-FOR-US: FileCloud
 CVE-2022-39832 (An issue was discovered in PSPP 1.6.2. There is a heap-based 
buffer ov ...)
        - pspp <unfixed> (bug #1019598)
        [bullseye] - pspp <no-dsa> (Minor issue)
@@ -20055,7 +20055,7 @@ CVE-2022-39399 (Vulnerability in the Oracle Java SE, 
Oracle GraalVM Enterprise E
 CVE-2022-39398 (tasklists is a tasklists plugin for GLPI (Kanban). Versions 
prior to 2 ...)
        NOT-FOR-US: GLPI plugin
 CVE-2022-39397 (aliyun-oss-client is a rust client for Alibaba Cloud OSS. 
Users of thi ...)
-       TODO: check
+       NOT-FOR-US: aliyun-oss-client
 CVE-2022-39396 (Parse Server is an open source backend that can be deployed to 
any inf ...)
        NOT-FOR-US: Node parse-server
 CVE-2022-39395 (Vela is a Pipeline Automation (CI/CD) framework built on Linux 
contain ...)
@@ -20186,7 +20186,7 @@ CVE-2022-39347 (FreeRDP is a free remote desktop 
protocol library and clients. A
        NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-c5xq-8v35-pffg
        NOTE: 
https://github.com/FreeRDP/FreeRDP/commit/027424c2c6c0991cb9c22f9511478229c9b17e5d
 CVE-2022-39346 (Nextcloud server is an open source personal cloud server. 
Affected ver ...)
-       TODO: check
+       - nextcloud-server <itp> (bug #941708)
 CVE-2022-39345 (Gin-vue-admin is a backstage management system based on vue 
and gin, w ...)
        NOT-FOR-US: Gin-vue-admin
 CVE-2022-39344 (Azure RTOS USBX is a USB host, device, and on-the-go (OTG) 
embedded st ...)
@@ -20200,9 +20200,9 @@ CVE-2022-39341 (OpenFGA is an authorization/permission 
engine. Versions prior to
 CVE-2022-39340 (OpenFGA is an authorization/permission engine. Prior to 
version 0.2.4, ...)
        NOT-FOR-US: OpenFGA
 CVE-2022-39339 (user_oidc is an OpenID Connect user backend for Nextcloud. In 
versions ...)
-       TODO: check
+       NOT-FOR-US: Nextcloud addon
 CVE-2022-39338 (user_oidc is an OpenID Connect user backend for Nextcloud. 
Versions pr ...)
-       TODO: check
+       NOT-FOR-US: Nextcloud addon
 CVE-2022-39337
        RESERVED
 CVE-2022-39336
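Review bot: `NOT-FOR-US: Nextcloud addon` for CVE-2022-39339 and CVE-2022-39338 drops the component name even though both descriptions identify it as user_oidc. Prefer `NOT-FOR-US: Nextcloud user_oidc app` (or similar) so a later search of this file for user_oidc finds both entries.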
@@ -20231,7 +20231,7 @@ CVE-2022-39327 (Azure CLI is the command-line interface 
for Microsoft Azure. In
 CVE-2022-39326 (kartverket/github-workflows are shared reusable workflows for 
GitHub A ...)
        NOT-FOR-US: kartverket/github-workflows
 CVE-2022-39325 (BaserCMS is a content management system with a japanese 
language focus ...)
-       TODO: check
+       NOT-FOR-US: BaserCMS
 CVE-2022-39324
        RESERVED
 CVE-2022-39323 (GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI 
is a Fre ...)
@@ -20604,7 +20604,7 @@ CVE-2022-39201 (Grafana is an open source observability 
and data visualization p
 CVE-2022-39200 (Dendrite is a Matrix homeserver written in Go. In affected 
versions ev ...)
        NOT-FOR-US: Dendrite
 CVE-2022-39199 (immudb is a database with built-in cryptographic proof and 
verificatio ...)
-       TODO: check
+       NOT-FOR-US: immudb
 CVE-2022-39198 (A deserialization vulnerability existed in dubbo hessian-lite 
3.2.12 a ...)
        NOT-FOR-US: Apache Dubbo
 CVE-2022-3099 (Use After Free in GitHub repository vim/vim prior to 9.0.0360. 
...)
@@ -25816,7 +25816,7 @@ CVE-2022-2652 (Depending on the way the format strings 
in the card label are cra
 CVE-2022-2651 (Authentication Bypass by Primary Weakness in GitHub repository 
bookwyr ...)
        NOT-FOR-US: BookWyrm
 CVE-2022-2650 (Improper Restriction of Excessive Authentication Attempts in 
GitHub re ...)
-       TODO: check
+       NOT-FOR-US: wger
 CVE-2022-2649
        RESERVED
 CVE-2022-2648 (A vulnerability was found in SourceCodester Multi Language 
Hotel Manag ...)
@@ -28424,7 +28424,7 @@ CVE-2022-2514 (The time and filter parameters in Fava 
prior to v1.22 are vulnera
        NOTE: https://huntr.dev/bounties/dbf77139-4384-4dc5-9994-45a5e0747429
        NOTE: 
https://github.com/beancount/fava/commit/ca9e3882c7b5fbf5273ba52340b9fea6a99f3711
 (v1.22)
 CVE-2022-2513 (A vulnerability exists in the Intelligent Electronic Device 
(IED) Conn ...)
-       TODO: check
+       NOT-FOR-US: Hitachi
 CVE-2022-2512 (An issue has been discovered in GitLab CE/EE affecting all 
versions st ...)
        - gitlab <unfixed>
 CVE-2022-2511 (Cross-site Scripting (XSS) vulnerability in the 
"commonuserinterface"  ...)
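Review bot: the description for CVE-2022-2513 visible here ("A vulnerability exists in the Intelligent Electronic Device (IED) Conn ...") does not mention Hitachi, so `NOT-FOR-US: Hitachi` relies on information outside this entry. Follow the pattern used for CVE-2022-2514 in the same hunk and add a NOTE line with the vendor advisory URL, and name the affected product rather than only the vendor.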
@@ -29026,9 +29026,9 @@ CVE-2022-36182 (Hashicorp Boundary v0.8.0 is vulnerable 
to Clickjacking which al
 CVE-2022-36181
        RESERVED
 CVE-2022-36180 (Fusiondirectory 1.3 is vulnerable to Cross Site Scripting 
(XSS) via /f ...)
-       TODO: check
+       NOT-FOR-US: Fusiondirectory
 CVE-2022-36179 (Fusiondirectory 1.3 suffers from Improper Session Handling. 
...)
-       TODO: check
+       NOT-FOR-US: Fusiondirectory
 CVE-2022-36178
        RESERVED
 CVE-2022-36177
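Review bot: before marking CVE-2022-36180 and CVE-2022-36179 as `NOT-FOR-US: Fusiondirectory`, confirm that fusiondirectory was never a Debian source package; if it was and has since been removed, the convention used elsewhere in this diff (`- glpi <removed> (unimportant)`, `- libspring-security-2.0-java <removed>`) is a `<removed>` package line rather than NOT-FOR-US, so the history stays queryable by package name.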
@@ -29250,7 +29250,7 @@ CVE-2022-36112 (GLPI stands for Gestionnaire Libre de 
Parc Informatique and is a
        - glpi <removed> (unimportant)
        NOTE: Only supported behind an authenticated HTTP zone
 CVE-2022-36111 (immudb is a database with built-in cryptographic proof and 
verificatio ...)
-       TODO: check
+       NOT-FOR-US: immudb
 CVE-2022-36110 (Netmaker makes networks with WireGuard. Prior to version 
0.15.1, Impro ...)
        NOT-FOR-US: Netmaker
 CVE-2022-36109 (Moby is an open-source project created by Docker to enable 
software co ...)
@@ -32739,7 +32739,7 @@ CVE-2022-34832
 CVE-2022-34831 (An issue was discovered in Keyfactor PrimeKey EJBCA before 
7.9.0, rela ...)
        NOT-FOR-US: Keyfactor
 CVE-2022-34830 (An Arm product family through 2022-06-29 has a TOCTOU Race 
Condition t ...)
-       TODO: check
+       NOT-FOR-US: ARM
 CVE-2022-34829 (Zoho ManageEngine ADSelfService Plus before 6203 allows a 
denial of se ...)
        NOT-FOR-US: Zoho ManageEngine
 CVE-2022-34828
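Review bot: `NOT-FOR-US: ARM` for CVE-2022-34830 is as unspecific as the upstream text "An Arm product family through 2022-06-29"; neither says which product or driver is affected, and Arm ships software that does end up in Linux distributions. Record the actual product in the marker once identified and add a NOTE with the Arm advisory URL so the decision can be revisited if the affected code turns out to be packaged.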
@@ -41208,11 +41208,11 @@ CVE-2022-31694 (InstallBuilder Qt installers built 
with versions previous to 22.
 CVE-2022-31693
        RESERVED
 CVE-2022-31692 (Spring Security, versions 5.7 prior to 5.7.5 and 5.6 prior to 
5.6.9 co ...)
-       TODO: check
+       - libspring-security-2.0-java <removed>
 CVE-2022-31691 (Spring Tools 4 for Eclipse version 4.16.0 and below as well as 
VSCode  ...)
-       TODO: check
+       NOT-FOR-US: Spring Tools 4 for Eclipse
 CVE-2022-31690 (Spring Security, versions 5.7 prior to 5.7.5, and 5.6 prior to 
5.6.9,  ...)
-       TODO: check
+       - libspring-security-2.0-java <removed>
 CVE-2022-31689 (VMware Workspace ONE Assist prior to 22.10 contains a Session 
fixation ...)
        NOT-FOR-US: VMware
 CVE-2022-31688 (VMware Workspace ONE Assist prior to 22.10 contains a 
Reflected cross- ...)
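Review bot: CVE-2022-31692 and CVE-2022-31690 are described as affecting Spring Security 5.7 before 5.7.5 and 5.6 before 5.6.9, yet both are mapped to libspring-security-2.0-java, a 2.0-series package far outside the stated ranges. Add a NOTE stating whether the 2.0 branch contains the affected code (or that it is out of scope because upstream no longer supports it); otherwise the `<removed>` line reads as an affected-version claim that the description does not support. Separately, the description of CVE-2022-31691 also covers the VSCode flavour, so `NOT-FOR-US: Spring Tools 4` would be more accurate than `Spring Tools 4 for Eclipse`.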
@@ -45656,7 +45656,7 @@ CVE-2022-1581 (The WP-Polls WordPress plugin before 
2.76.0 prioritizes getting a
 CVE-2022-1580 (The Site Offline Or Coming Soon Or Maintenance Mode WordPress 
plugin b ...)
        NOT-FOR-US: WordPress plugin
 CVE-2022-1579 (The function check_is_login_page() uses headers for the IP 
check, whic ...)
-       TODO: check
+       NOT-FOR-US: WordPress plugin
 CVE-2022-1578 (The My wpdb WordPress plugin before 2.5 is missing CSRF check 
when run ...)
        NOT-FOR-US: WordPress plugin
 CVE-2022-1577 (The Database Backup for WordPress plugin before 2.5.2 does not 
have CS ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2f4ed6a1d763d7467ea47cdd7648ca6325661e6f



_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
