Salvatore Bonaccorso pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
6a06fff4 by security tracker role at 2023-07-03T20:12:46+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,10 +1,56 @@
-CVE-2023-36053 [Potential regular expression denial of service vulnerability
in EmailValidator/URLValidator]
+CVE-2023-3497 (Out of bounds read in Google Security Processor firmware in
Google Chr ...)
+ TODO: check
+CVE-2023-3395 (All versions of the TWinSoft Configuration Tool store encrypted
passwo ...)
+ TODO: check
+CVE-2023-37378 (Nullsoft Scriptable Install System (NSIS) before 3.09
mishandles acces ...)
+ TODO: check
+CVE-2023-36819 (Knowage is the professional open source suite for modern
business anal ...)
+ TODO: check
+CVE-2023-36817 (`tktchurch/website` contains the codebase for The King's
Temple Church ...)
+ TODO: check
+CVE-2023-36816 (2FA is a Web app to manage Two-Factor Authentication (2FA)
accounts an ...)
+ TODO: check
+CVE-2023-36815 (Sealos is a Cloud Operating System designed for managing
cloud-native ...)
+ TODO: check
+CVE-2023-36814 (Products.CMFCore are the key framework services for the Zope
Content M ...)
+ TODO: check
+CVE-2023-36611 (The affected TBox RTUs allow low privilege users to access
software se ...)
+ TODO: check
+CVE-2023-36610 (The affected TBox RTUs generate software security tokens using
insuffi ...)
+ TODO: check
+CVE-2023-36609 (The affected TBox RTUs run OpenVPN with root privileges and
can run us ...)
+ TODO: check
+CVE-2023-36608 (The affected TBox RTUs store hashed passwords using MD5
encryption, wh ...)
+ TODO: check
+CVE-2023-36377 (Buffer Overflow vulnerability in mtrojnar osslsigncode v.2.3
and befor ...)
+ TODO: check
+CVE-2023-36291 (Cross Site Scripting vulnerability in Maxsite CMS v.108.7
allows a rem ...)
+ TODO: check
+CVE-2023-36262 (An issue in OBS Studio OBS-Studio v.29.1.2 allows a local
attack to ob ...)
+ TODO: check
+CVE-2023-36258 (An issue in langchain v.0.0.199 allows an attacker to execute
arbitrar ...)
+ TODO: check
+CVE-2023-36223 (Cross Site Scripting vulnerability in mlogclub bbs-go v.
3.5.5. and be ...)
+ TODO: check
+CVE-2023-36222 (Cross Site Scripting vulnerability in mlogclub bbs-go v.
3.5.5. and be ...)
+ TODO: check
+CVE-2023-36183 (Buffer Overflow vulnerability in OpenImageIO v.2.4.12.0 and
before all ...)
+ TODO: check
+CVE-2023-36162 (Cross Site Request Forgery vulnerability in ZZCMS v.2023 alows
a remot ...)
+ TODO: check
+CVE-2023-35935 (@fastify/oauth2, a wrapper around the `simple-oauth2` library,
is vuln ...)
+ TODO: check
+CVE-2023-34451 (CometBFT is a Byzantine Fault Tolerant (BFT) middleware that
takes a s ...)
+ TODO: check
+CVE-2023-34450 (CometBFT is a Byzantine Fault Tolerant (BFT) middleware that
takes a s ...)
+ TODO: check
+CVE-2023-36053 (In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before
4.2.3, Em ...)
- python-django <unfixed> (bug #1040225)
NOTE: https://www.openwall.com/lists/oss-security/2023/07/03/1
NOTE:
https://www.djangoproject.com/weblog/2023/jul/03/security-releases/
NOTE:
https://github.com/django/django/commit/ad0410ec4f458aa39803e5f6b9a3736527062dcd
(main)
NOTE:
https://github.com/django/django/commit/454f2fb93437f98917283336201b4048293f7582
(3.2.20)
-CVE-2023-35797
+CVE-2023-35797 (Improper Input Validation vulnerability in Apache Software
Foundation ...)
NOT-FOR-US: Hive provider for Apache Airflow
CVE-2023-3438 (An unquoted Windows search path vulnerability existed in the
install t ...)
TODO: check
@@ -710,6 +756,7 @@ CVE-2023-36675 (An issue was discovered in MediaWiki before
1.35.11, 1.36.x thro
CVE-2023-36666 (INEX IXP-Manager before 6.3.1 allows XSS.
list-preamble.foil.php, page ...)
NOT-FOR-US: INEX IXP-Manager
CVE-2023-36664 (Artifex Ghostscript through 10.01.2 mishandles permission
validation f ...)
+ {DSA-5446-1}
- ghostscript 10.01.2~dfsg-1
[buster] - ghostscript <not-affected> (Vulnerable code not present; no
path validaton at all)
NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=706761
@@ -1644,13 +1691,13 @@ CVE-2023-2431 (A security issue was discovered in
Kubelet that allows pods to by
NOTE: The source package itself it still vulnerable, but custom
rebuilds are not really a usecase here
NOTE:
https://groups.google.com/g/kubernetes-security-announce/c/QHmx0HOQa10
NOTE: https://github.com/kubernetes/kubernetes/issues/118690
-CVE-2023-2728
+CVE-2023-2728 (Users may be able to launch containers that bypass the
mountable secre ...)
- kubernetes 1.20.5+really1.20.2-1
NOTE: Server components no longer built since 1.20.5+really1.20.2-1,
marking that as fixed version
NOTE: The source package itself it still vulnerable, but custom
rebuilds are not really a usecase here
NOTE:
https://groups.google.com/g/kubernetes-security-announce/c/9oU_lW2cU_g
NOTE: https://github.com/kubernetes/kubernetes/issues/118640
-CVE-2023-2727
+CVE-2023-2727 (Users may be able to launch containers using images that are
restricte ...)
- kubernetes 1.20.5+really1.20.2-1
NOTE: Server components no longer built since 1.20.5+really1.20.2-1,
marking that as fixed version
NOTE: The source package itself it still vulnerable, but custom
rebuilds are not really a usecase here
@@ -20364,8 +20411,8 @@ CVE-2023-26511 (A Hard Coded Admin Credentials issue in
the Web-UI Admin Panel i
NOT-FOR-US: Propius MachineSelector
CVE-2023-26510 (Ghost 5.35.0 allows authorization bypass: contributors can
view draft ...)
NOT-FOR-US: Ghost CMS
-CVE-2023-26509
- RESERVED
+CVE-2023-26509 (AnyDesk 7.0.8 allows remote Denial of Service.)
+ TODO: check
CVE-2023-26508
RESERVED
CVE-2023-26507
@@ -21073,8 +21120,8 @@ CVE-2023-26260 (OXID eShop 6.2.x before 6.4.4 and 6.5.x
before 6.5.2 allows sess
NOT-FOR-US: OXID eShop
CVE-2023-26259
RESERVED
-CVE-2023-26258
- RESERVED
+CVE-2023-26258 (Arcserve UDP through 9.0.6034 allows authentication bypass.
The method ...)
+ TODO: check
CVE-2023-26257 (An issue was discovered in the Connected Vehicle Systems
Alliance (COV ...)
NOT-FOR-US: Connected Vehicle Systems Alliance
CVE-2023-26256 (An unauthenticated path traversal vulnerability affects the
"STAGIL Na ...)
@@ -210582,8 +210629,8 @@ CVE-2020-22599
RESERVED
CVE-2020-22598
RESERVED
-CVE-2020-22597
- RESERVED
+CVE-2020-22597 (An issue in Jerrscript- project Jerryscrip v. 2.3.0 allows a
remote at ...)
+ TODO: check
CVE-2020-22596
RESERVED
CVE-2020-22595
@@ -211498,12 +211545,12 @@ CVE-2020-22155
RESERVED
CVE-2020-22154
RESERVED
-CVE-2020-22153
- RESERVED
-CVE-2020-22152
- RESERVED
-CVE-2020-22151
- RESERVED
+CVE-2020-22153 (File Upload vulnerability in FUEL-CMS v.1.4.6 allows a remote
attacker ...)
+ TODO: check
+CVE-2020-22152 (Cross Site Scripting vulnerability in daylight studio FUEL-
CMS v.1.4. ...)
+ TODO: check
+CVE-2020-22151 (Permissions vulnerability in Fuel-CMS v.1.4.6 allows a remote
attacker ...)
+ TODO: check
CVE-2020-22150 (A cross site scripting (XSS) vulnerability in
/admin.php?page=permalin ...)
- piwigo <removed>
CVE-2020-22149
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6a06fff4172517845c541775c7a09208565e78c7
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6a06fff4172517845c541775c7a09208565e78c7
You're receiving this email because of your account on salsa.debian.org.
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
