Salvatore Bonaccorso pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
0daf541c by security tracker role at 2023-10-23T20:12:19+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,4 +1,42 @@
-CVE-2023-46288
+CVE-2023-5718 (The Vue.js Devtools extension was found to leak screenshot data
back t ...)
+ TODO: check
+CVE-2023-5246 (Authentication Bypass by Capture-replay in SICK Flexi Soft
Gateways wi ...)
+ TODO: check
+CVE-2023-46603 (In International Color Consortium DemoIccMAX 79ecb74, there is
an out- ...)
+ TODO: check
+CVE-2023-46602 (In International Color Consortium DemoIccMAX 79ecb74, there is
a stack ...)
+ TODO: check
+CVE-2023-46332 (WebAssembly wabt 1.0.33 contains an Out-of-Bound Memory Write
in DataS ...)
+ TODO: check
+CVE-2023-46331 (WebAssembly wabt 1.0.33 has an Out-of-Bound Memory Read in in
DataSegm ...)
+ TODO: check
+CVE-2023-46127 (Frappe is a full-stack web application framework that uses
Python and ...)
+ TODO: check
+CVE-2023-46122 (sbt is a build tool for Scala, Java, and others. Given a
specially cra ...)
+ TODO: check
+CVE-2023-43074 (Dell Unity 5.3 contain(s) an Arbitrary File Creation
vulnerability. A ...)
+ TODO: check
+CVE-2023-43067 (Dell Unity prior to 5.3 contains an XML External Entity
injection vuln ...)
+ TODO: check
+CVE-2023-43066 (Dell Unity prior to 5.3 contains a Restricted Shell Bypass
vulnerabili ...)
+ TODO: check
+CVE-2023-43065 (Dell Unity prior to 5.3 contains a Cross-site scripting
vulnerability. ...)
+ TODO: check
+CVE-2023-43045 (IBM Sterling Partner Engagement Manager 6.1.2, 6.2.0, and
6.2.2 could ...)
+ TODO: check
+CVE-2023-42295 (An issue in OpenImageIO oiio v.2.4.12.0 allows a remote
attacker to ex ...)
+ TODO: check
+CVE-2023-38722 (IBM Sterling Partner Engagement Manager 6.1.2, 6.2.0, and
6.2.2 is vul ...)
+ TODO: check
+CVE-2023-37532 (HCL Commerce Remote Store server could allow a remote
attacker, using ...)
+ TODO: check
+CVE-2023-33840 (IBM Security Verify Governance 10.0 is vulnerable to
cross-site script ...)
+ TODO: check
+CVE-2023-33839 (IBM Security Verify Governance 10.0 could allow a remote
authenticated ...)
+ TODO: check
+CVE-2023-33837 (IBM Security Verify Governance 10.0 does not encrypt sensitive
or crit ...)
+ TODO: check
+CVE-2023-46288 (Exposure of Sensitive Information to an Unauthorized Actor
vulnerabili ...)
- airflow <itp> (bug #819700)
CVE-2023-46316 [Fix command line parsing in wrappers]
- traceroute 1:2.1.3-1
@@ -356,13 +394,17 @@ CVE-2023-5090 [x86: KVM: SVM: always update the x2avic
msr interception]
NOTE:
https://git.kernel.org/linus/b65235f6e102354ccafda601eaa1c5bef5284d21
CVE-2023-5668 (The WhatsApp Share Button plugin for WordPress is vulnerable to
Stored ...)
NOT-FOR-US: WordPress plugin
-CVE-2023-5656 (The AI ChatBot plugin for WordPress is vulnerable to
unauthorized use ...)
+CVE-2023-5656
+ REJECTED
NOT-FOR-US: WordPress plugin
-CVE-2023-5655 (The AI ChatBot plugin for WordPress is vulnerable to Cross-Site
Reques ...)
+CVE-2023-5655
+ REJECTED
NOT-FOR-US: WordPress plugin
-CVE-2023-5647 (The AI ChatBot plugin for WordPress is vulnerable to Arbitrary
File De ...)
+CVE-2023-5647
+ REJECTED
NOT-FOR-US: WordPress plugin
-CVE-2023-5646 (The AI ChatBot for WordPress is vulnerable to Directory
Traversal in v ...)
+CVE-2023-5646
+ REJECTED
NOT-FOR-US: WordPress plugin
CVE-2023-5615 (The Skype Legacy Buttons plugin for WordPress is vulnerable to
Stored ...)
NOT-FOR-US: WordPress plugin
@@ -710,6 +752,7 @@ CVE-2023-45812 (The Apollo Router is a configurable,
high-performance graph rout
CVE-2023-45146 (XXL-RPC is a high performance, distributed RPC framework. With
it, a T ...)
NOT-FOR-US: XXL-RPC
CVE-2023-45145 (Redis is an in-memory database that persists on disk. On
startup, Redi ...)
+ {DLA-3627-1}
- redis 5:7.0.14-1 (bug #1054225)
[bookworm] - redis <no-dsa> (Minor issue)
[bullseye] - redis <no-dsa> (Minor issue)
@@ -4743,6 +4786,7 @@ CVE-2023-2358 (Hitachi Vantara Pentaho Business Analytics
Server prior to versio
CVE-2023-29497 (A privacy issue was addressed with improved handling of
temporary file ...)
NOT-FOR-US: Apple
CVE-2023-43040 [Improperly verified POST keys]
+ {DLA-3629-1}
- ceph 16.2.11+ds-5 (bug #1053690)
[bookworm] - ceph <no-dsa> (Minor issue)
[bullseye] - ceph <no-dsa> (Minor issue)
@@ -5608,7 +5652,7 @@ CVE-2023-32182 (A Improper Link Resolution Before File
Access ('Link Following')
NOT-FOR-US: config_postfix (SUSE specific script)
CVE-2023-31808 (Technicolor TG670 10.5.N.9 devices contain multiple accounts
with hard ...)
NOT-FOR-US: Technicolor
-CVE-2023-2995 (The Leyka WordPress plugin through 3.30.3 does not sanitise and
escape ...)
+CVE-2023-2995 (The Leyka WordPress plugin before 3.30.4 does not sanitise and
escape ...)
NOT-FOR-US: WordPress plugin
CVE-2023-2567 (A SQL Injection vulnerability in Nozomi Networks Guardian and
CMC, due ...)
NOT-FOR-US: Nozomi Networks Guardian and CMC
@@ -11799,7 +11843,7 @@ CVE-2023-4159 (Unrestricted Upload of File with
Dangerous Type in GitHub reposit
NOT-FOR-US: omeka-s
CVE-2023-4158 (Cross-site Scripting (XSS) - Stored in GitHub repository
omeka/omeka-s ...)
NOT-FOR-US: omeka-s
-CVE-2023-4157 (Improper Input Validation in GitHub repository omeka/omeka-s
prior to ...)
+CVE-2023-4157 (CWE-74 Improper Neutralization of Special Elements in Output
Used by a ...)
NOT-FOR-US: omeka-s
CVE-2023-4156 (A heap out-of-bounds read flaw was found in builtin.c in the
gawk pack ...)
- gawk 1:5.2.1-1
@@ -18860,6 +18904,7 @@ CVE-2023-32750 (Pydio Cells through 4.1.2 allows SSRF.
For longer running proces
CVE-2023-32749 (Pydio Cells allows users by default to create so-called
external users ...)
NOT-FOR-US: Pydio Cells
CVE-2023-34969 (D-Bus before 1.15.6 sometimes allows unprivileged users to
crash dbus- ...)
+ {DLA-3628-1}
[experimental] - dbus 1.15.6-1
- dbus 1.14.8-1 (bug #1037151)
[bookworm] - dbus 1.14.8-1~deb12u1
@@ -30031,12 +30076,12 @@ CVE-2023-28807
RESERVED
CVE-2023-28806
RESERVED
-CVE-2023-28805
- RESERVED
-CVE-2023-28804
- RESERVED
-CVE-2023-28803
- RESERVED
+CVE-2023-28805 (An Improper Input Validation vulnerability in Zscaler Client
Connector ...)
+ TODO: check
+CVE-2023-28804 (An Improper Verification of Cryptographic Signature
vulnerability in Z ...)
+ TODO: check
+CVE-2023-28803 (An authentication bypass by spoofing of a device with a
synthetic IP a ...)
+ TODO: check
CVE-2023-28802
RESERVED
CVE-2023-28801 (An Improper Verification of Cryptographic Signature in the
SAML authen ...)
@@ -30047,16 +30092,16 @@ CVE-2023-28799 (A URL parameter during login flow was
vulnerable to injection. A
NOT-FOR-US: Zscaler
CVE-2023-28798
RESERVED
-CVE-2023-28797
- RESERVED
-CVE-2023-28796
- RESERVED
-CVE-2023-28795
- RESERVED
+CVE-2023-28797 (Zscaler Client Connector for Windows before 4.1 writes/deletes
a confi ...)
+ TODO: check
+CVE-2023-28796 (Improper Verification of Cryptographic Signature vulnerability
in Zsca ...)
+ TODO: check
+CVE-2023-28795 (Origin Validation Error vulnerability in Zscaler Client
Connector on L ...)
+ TODO: check
CVE-2023-28794
RESERVED
-CVE-2023-28793
- RESERVED
+CVE-2023-28793 (Buffer overflow vulnerability in the signelf library used by
Zscaler C ...)
+ TODO: check
CVE-2023-28792 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in
I Thirte ...)
NOT-FOR-US: WordPress plugin
CVE-2023-28791 (Cross-Site Request Forgery (CSRF) vulnerability in Gangesh
Matta Simpl ...)
@@ -35528,16 +35573,16 @@ CVE-2023-27154
RESERVED
CVE-2023-27153
RESERVED
-CVE-2023-27152
- RESERVED
+CVE-2023-27152 (DECISO OPNsense 23.1 does not impose rate limits for
authentication, a ...)
+ TODO: check
CVE-2023-27151
RESERVED
CVE-2023-27150
RESERVED
-CVE-2023-27149
- RESERVED
-CVE-2023-27148
- RESERVED
+CVE-2023-27149 (A stored cross-site scripting (XSS) vulnerability in
Enhancesoft osTic ...)
+ TODO: check
+CVE-2023-27148 (A stored cross-site scripting (XSS) vulnerability in the Admin
panel i ...)
+ TODO: check
CVE-2023-27147
RESERVED
CVE-2023-27146
@@ -130425,8 +130470,8 @@ CVE-2022-22468
RESERVED
CVE-2022-22467
RESERVED
-CVE-2022-22466
- RESERVED
+CVE-2022-22466 (IBM Security Verify Governance 10.0 contains hard-coded
credentials, s ...)
+ TODO: check
CVE-2022-22465 (IBM Security Access Manager Appliance 10.0.0.0, 10.0.1.0,
10.0.2.0, an ...)
NOT-FOR-US: IBM
CVE-2022-22464 (IBM Security Access Manager Appliance 10.0.0.0, 10.0.1.0,
10.0.2.0, an ...)
@@ -138343,6 +138388,7 @@ CVE-2021-3981 (A flaw in grub2 was found where its
configuration file, known as
CVE-2021-3980 (elgg is vulnerable to Exposure of Private Personal Information
to an U ...)
- elgg <itp> (bug #526197)
CVE-2021-3979 (A key length flaw was found in Red Hat Ceph Storage. An
attacker can e ...)
+ {DLA-3629-1}
- ceph 16.2.9+ds-1
[bullseye] - ceph <no-dsa> (Minor issue)
[stretch] - ceph <no-dsa> (Minor issue)
@@ -172814,6 +172860,7 @@ CVE-2021-3532 (A flaw was found in Ansible where the
secret information present
- ansible-base <removed>
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1956464
CVE-2021-3531 (A flaw was found in the Red Hat Ceph Storage RGW in versions
before 14 ...)
+ {DLA-3629-1}
- ceph 14.2.21-1 (bug #988890)
[stretch] - ceph <not-affected> (Vulnerable code introduced later)
NOTE: https://www.openwall.com/lists/oss-security/2021/05/14/5
@@ -173029,7 +173076,7 @@ CVE-2021-3526
CVE-2021-3525
REJECTED
CVE-2021-3524 (A flaw was found in the Red Hat Ceph Storage RadosGW (Ceph
Object Gate ...)
- {DLA-2735-1}
+ {DLA-3629-1 DLA-2735-1}
- ceph 14.2.21-1 (bug #988889)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1951674
NOTE: Fixed by:
https://github.com/ceph/ceph/commit/763aebb94678018f89427137ffbc0c5205b1edc1
@@ -186495,16 +186542,16 @@ CVE-2021-26740 (Arbitrary file upload vulnerability
sysupload.php in millken doy
NOT-FOR-US: doyocms
CVE-2021-26739 (SQL Injection vulnerability in pay.php in millken doyocms 2.3,
allows ...)
NOT-FOR-US: doyocms
-CVE-2021-26738
- RESERVED
-CVE-2021-26737
- RESERVED
-CVE-2021-26736
- RESERVED
-CVE-2021-26735
- RESERVED
-CVE-2021-26734
- RESERVED
+CVE-2021-26738 (Zscaler Client Connector for macOS prior to 3.7 had an
unquoted search ...)
+ TODO: check
+CVE-2021-26737 (The Zscaler Client Connector for macOS prior to 3.6 did not
sufficient ...)
+ TODO: check
+CVE-2021-26736 (Multiple vulnerabilities in the Zscaler Client Connector
Installer and ...)
+ TODO: check
+CVE-2021-26735 (The Zscaler Client Connector Installer and Unsintallers for
Windows pr ...)
+ TODO: check
+CVE-2021-26734 (Zscaler Client Connector Installer on Windows before version
3.4.0.124 ...)
+ TODO: check
CVE-2021-26733 (A broken access control vulnerability in the
FirstReset_handler_func f ...)
NOT-FOR-US: Lanner Inc IAC-AST2500A standard firmware
CVE-2021-26732 (A broken access control vulnerability in the
First_network_func functi ...)
@@ -203780,6 +203827,7 @@ CVE-2021-20290 (An improper authorization handling
flaw was found in Foreman. Th
CVE-2021-20289 (A flaw was found in RESTEasy in all versions of RESTEasy up to
4.6.0.F ...)
NOT-FOR-US: Keycloak
CVE-2021-20288 (An authentication flaw was found in ceph in versions before
14.2.20. W ...)
+ {DLA-3629-1}
- ceph 14.2.20-1 (bug #986974)
[stretch] - ceph <no-dsa> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2021/04/14/2
@@ -215418,6 +215466,7 @@ CVE-2020-27782 (A flaw was found in the Undertow AJP
connector. Malicious reques
NOTE: https://issues.redhat.com/browse/UNDERTOW-1824
NOTE:
https://github.com/undertow-io/undertow/commit/fdac349cbcd1da41fe8b9d4e7ebbab6879990c2a
(2.2.4.Final)
CVE-2020-27781 (User credentials can be manipulated and stolen by Native
CephFS consum ...)
+ {DLA-3629-1}
- ceph 14.2.16-1 (bug #985670)
[stretch] - ceph <postponed> (Minor issue)
NOTE: https://bugs.launchpad.net/manila/+bug/1904015
@@ -221082,6 +221131,7 @@ CVE-2020-25680 (A flaw was found in JBCS httpd in
version 2.4.37 SP3, where it u
CVE-2020-25679
REJECTED
CVE-2020-25678 (A flaw was found in ceph in versions prior to 16.y.z where
ceph stores ...)
+ {DLA-3629-1}
- ceph 14.2.18-1
[stretch] - ceph <no-dsa> (Minor issue)
NOTE: https://tracker.ceph.com/issues/37503
@@ -253367,6 +253417,7 @@ CVE-2020-12061 (An issue was discovered in Nitrokey
FIDO U2F firmware through 1.
CVE-2020-12060
RESERVED
CVE-2020-12059 (An issue was discovered in Ceph through 13.2.9. A POST request
with an ...)
+ {DLA-3629-1}
- ceph 14.2.4-1
[stretch] - ceph <not-affected> (Vulnerable code introduced later)
[jessie] - ceph <not-affected> (Vulnerable code introduced later)
@@ -258294,7 +258345,7 @@ CVE-2020-10754 (It was found that nmcli, a command
line interface to NetworkMana
NOTE: affected but not the Debian binary builds (and is RedHat/Fedora
specific
NOTE: plugin).
CVE-2020-10753 (A flaw was found in the Red Hat Ceph Storage RadosGW (Ceph
Object Gate ...)
- {DLA-2735-1}
+ {DLA-3629-1 DLA-2735-1}
- ceph 14.2.15-1 (bug #975300)
[jessie] - ceph <no-dsa> (Minor issue)
NOTE: https://github.com/ceph/ceph/pull/35773
@@ -282545,7 +282596,7 @@ CVE-2020-1762 (An insufficient JWT validation
vulnerability was found in Kiali v
CVE-2020-1761 (A flaw was found in the OpenShift web console, where the access
token ...)
NOT-FOR-US: OpenShift
CVE-2020-1760 (A flaw was found in the Ceph Object Gateway, where it supports
request ...)
- {DLA-2735-1 DLA-2171-1}
+ {DLA-3629-1 DLA-2735-1 DLA-2171-1}
- ceph 14.2.9-1 (bug #956142)
NOTE: Introduced with:
https://github.com/ceph/ceph-ci/commit/f4a0b2d9260a4523745875e3977a8a1ef9dc5e2e
NOTE: Fixed by:
https://github.com/ceph/ceph-ci/commit/8aa1f77363ec32bdc57744a143035033291ab5e1
@@ -282809,6 +282860,7 @@ CVE-2020-1702 (A malicious container image can
consume an unbounded amount of me
CVE-2020-1701 (A flaw was found in the KubeVirt main virt-handler versions
before 0.2 ...)
NOT-FOR-US: KubeVirt
CVE-2020-1700 (A flaw was found in the way the Ceph RGW Beast front-end
handles unexp ...)
+ {DLA-3629-1}
- ceph 14.2.7-1
[stretch] - ceph <not-affected> (Vulnerable code introduced later)
[jessie] - ceph <not-affected> (Vulnerable code introduced later)
@@ -313755,6 +313807,7 @@ CVE-2019-10224 (A flaw has been found in 389-ds-base
versions 1.4.x.x before 1.4
CVE-2019-10223 (A security issue was discovered in the kube-state-metrics
versions v1. ...)
NOT-FOR-US: kube-state-metrics
CVE-2019-10222 (A flaw was found in the Ceph RGW configuration with Beast as
the front ...)
+ {DLA-3629-1}
- ceph 14.2.4-1 (bug #936015)
[stretch] - ceph <not-affected> (Vulnerable code not present)
[jessie] - ceph <not-affected> (Vulnerable code not present)
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0daf541c573211f20d055dc095767583501dfb5b
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0daf541c573211f20d055dc095767583501dfb5b
You're receiving this email because of your account on salsa.debian.org.
_______________________________________________
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
