[Git][security-tracker-team/security-tracker][master] NFUS

Moritz Muehlenhoff (@jmm) Thu, 09 May 2024 04:29:04 -0700


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker



Commits:
41e49df1 by Moritz Muehlenhoff at 2024-05-09T13:26:56+02:00
NFUS
also track xpdf issues as NFU, poppler forked from xpdf almost 20 years ago
and is regularly fuzzed by oss-fuzz, no real point to assume that new xpdf
issues still affect it and if no PoC is available we can&#39;t reliably track
this down anyway and these end up causing spam

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -29,7 +29,7 @@ CVE-2024-2454 (An issue has been discovered in GitLab CE/EE 
affecting all versio
 CVE-2024-28759 (A crafted network packet may cause a buffer overrun in Wind 
River VxWo ...)
        NOT-FOR-US: Wind River
 CVE-2024-27793 (The issue was addressed with improved checks. This issue is 
fixed in i ...)
-       TODO: check
+       NOT-FOR-US: Apple
 CVE-2024-26517 (SQL Injection vulnerability in School Task Manager v.1.0 
allows a remo ...)
        NOT-FOR-US: School Task Manager
 CVE-2023-6688 (An issue has been discovered in GitLab CE/EE affecting all 
versions st ...)
@@ -37,7 +37,7 @@ CVE-2023-6688 (An issue has been discovered in GitLab CE/EE 
affecting all versio
 CVE-2023-6682 (An issue has been discovered in GitLab CE/EE affecting all 
versions st ...)
        - gitlab <unfixed>
 CVE-2023-5971 (The Save as PDF Plugin by Pdfcrowd WordPress plugin before 
3.2.0 does  ...)
-       TODO: check
+       NOT-FOR-US: WordPress plugin
 CVE-2024-29510
        - ghostscript <unfixed>
        NOTE: https://ghostscript.readthedocs.io/en/gs10.03.1/News.html
@@ -529,7 +529,7 @@ CVE-2024-29150 (An issue was discovered in Alcatel-Lucent 
ALE NOE deskphones thr
 CVE-2024-29149 (An issue was discovered in Alcatel-Lucent ALE NOE deskphones 
through 8 ...)
        NOT-FOR-US: Alcatel-Lucent ALE NOE deskphones
 CVE-2024-28148 (An authenticated user could potentially access metadata for a 
datasour ...)
-       TODO: check
+       NOT-FOR-US: Apache Superset
 CVE-2024-25514 (RuvarOA v6.01 and v12.01 were discovered to contain a SQL 
injection vu ...)
        NOT-FOR-US: RuvarOA
 CVE-2024-25513 (RuvarOA v6.01 and v12.01 were discovered to contain a SQL 
injection vu ...)
@@ -547,13 +547,13 @@ CVE-2024-25508 (RuvarOA v6.01 and v12.01 were discovered 
to contain a SQL inject
 CVE-2024-25507 (RuvarOA v6.01 and v12.01 were discovered to contain a SQL 
injection vu ...)
        NOT-FOR-US: RuvarOA
 CVE-2023-7240 (An improper authorization level has been detected in the login 
panel.  ...)
-       TODO: check
+       NOT-FOR-US: NetIQ Identity Console
 CVE-2023-6810 (The ClickCease Click Fraud Protection plugin for WordPress is 
vulnerab ...)
-       TODO: check
+       NOT-FOR-US: WordPress plugin
 CVE-2023-46012 (Buffer Overflow vulnerability LINKSYS EA7500 3.0.1.207964 
allows a rem ...)
-       TODO: check
+       NOT-FOR-US: LINKSYS
 CVE-2023-42757 (Process Explorer before 17.04 allows attackers to make it 
functionally ...)
-       TODO: check
+       NOT-FOR-US: Buffer Overflow
 CVE-2024-4559 (Heap buffer overflow in WebAudio in Google Chrome prior to 
124.0.6367. ...)
        {DSA-5683-1}
        - chromium 124.0.6367.155-1
@@ -647,7 +647,7 @@ CVE-2024-1695 (A potential security vulnerability has been 
identified in the HP
 CVE-2023-33548 (Cross Site Scripting (XSS) vulnerability in ASUS RT-AC51U with 
firmwar ...)
        NOT-FOR-US: ASUS
 CVE-2024-4568 (In Xpdf 4.05 (and earlier), a PDF object loop in the PDF 
resources lea ...)
-       TODO: check
+       NOT-FOR-US: xpdf (Debian uses poppler, which forked a long time ago)
 CVE-2024-4549 (A denial of service vulnerability exists in Delta Electronics 
DIAEnerg ...)
        NOT-FOR-US: Delta Electronics
 CVE-2024-4548 (An SQLi vulnerability exists inDelta Electronics DIAEnergie 
v1.10.1.86 ...)
@@ -731,7 +731,7 @@ CVE-2024-34524 (In XLANG OpenAgents through fe73ac4, the 
allowed_file protection
 CVE-2024-34519 (Avantra Server 24.x before 24.0.7 and 24.1.x before 24.1.1 
mishandles  ...)
        NOT-FOR-US: Avantra Server
 CVE-2024-34515 (image-optimizer before 1.7.3 allows PHAR deserialization, 
e.g., the ph ...)
-       TODO: check
+       NOT-FOR-US: PHP image-optimizer
 CVE-2024-34472 (An issue was discovered in HSC Mailinspector 5.2.17-3 through 
v.5.2.18 ...)
        NOT-FOR-US: HSC Mailinspector
 CVE-2024-34471 (An issue was discovered in HSC Mailinspector 5.2.17-3. A Path 
Traversa ...)
@@ -868,7 +868,7 @@ CVE-2024-33121 (Roothub v2.6 was discovered to contain a 
SQL injection vulnerabi
 CVE-2024-33118 (LuckyFrameWeb v3.5.2 was discovered to contain an arbitrary 
read vulne ...)
        NOT-FOR-US: LuckyFrameWeb
 CVE-2024-33117 (crmeb_java v1.3.4 was discovered to contain a Server-Side 
Request Forg ...)
-       TODO: check
+       NOT-FOR-US: crmeb_java
 CVE-2024-33113 (D-LINK DIR-845L <=v1.01KRb03 is vulnerable to Information 
disclosurey  ...)
        NOT-FOR-US: D-LINK
 CVE-2024-33112 (D-Link DIR-845L router v1.01KRb03 and before is vulnerable to 
Command  ...)
@@ -878,7 +878,7 @@ CVE-2024-33111 (D-Link DIR-845L router <=v1.01KRb03 is 
vulnerable to Cross Site
 CVE-2024-33110 (D-Link DIR-845L router v1.01KRb03 and before is vulnerable to 
Permissi ...)
        NOT-FOR-US: D-LINK
 CVE-2024-32982 (Litestar and Starlite is an Asynchronous Server Gateway 
Interface (ASG ...)
-       TODO: check
+       NOT-FOR-US: litestar
 CVE-2024-32972 (go-ethereum (geth) is a golang execution layer implementation 
of the E ...)
        - golang-github-go-ethereum <itp> (bug #890541)
 CVE-2024-32807 (Improper Limitation of a Pathname to a Restricted Directory 
('Path Tra ...)
@@ -888,51 +888,51 @@ CVE-2024-2041
 CVE-2024-26312 (Archer Platform 6 before 2024.03 contains a sensitive 
information disc ...)
        NOT-FOR-US: Archer Platform
 CVE-2024-23354 (Memory corruption when the IOCTL call is interrupted by a 
signal.)
-       TODO: check
+       NOT-FOR-US: Qualcomm
 CVE-2024-23351 (Memory corruption as GPU registers beyond the last protected 
range can ...)
-       TODO: check
+       NOT-FOR-US: Qualcomm
 CVE-2024-23193 (E-Mails exported as PDF were stored in a cache that did not 
consider s ...)
-       TODO: check
+       NOT-FOR-US: Open-Xchange
 CVE-2024-23188 (Maliciously crafted E-Mail attachment names could be used to 
temporari ...)
-       TODO: check
+       NOT-FOR-US: Open-Xchange
 CVE-2024-23187 (Content-ID based embedding of resources in E-Mails could be 
abused to  ...)
-       TODO: check
+       NOT-FOR-US: Open-Xchange
 CVE-2024-23186 (E-Mail containing malicious display-name information could 
trigger cli ...)
-       TODO: check
+       NOT-FOR-US: Open-Xchange
 CVE-2024-21480 (Memory corruption while playing audio file having large-sized 
input bu ...)
-       TODO: check
+       NOT-FOR-US: Qualcomm
 CVE-2024-21477 (Transient DOS while parsing a protected 802.11az Fine Time 
Measurement ...)
-       TODO: check
+       NOT-FOR-US: Qualcomm
 CVE-2024-21476 (Memory corruption when the channel ID passed by user is not 
validated  ...)
-       TODO: check
+       NOT-FOR-US: Qualcomm
 CVE-2024-21475 (Memory corruption when the payload received from firmware is 
not as pe ...)
-       TODO: check
+       NOT-FOR-US: Qualcomm
 CVE-2024-21474 (Memory corruption when size of buffer from previous call is 
used witho ...)
-       TODO: check
+       NOT-FOR-US: Qualcomm
 CVE-2024-21471 (Memory corruption when IOMMU unmap of a GPU buffer fails in 
Linux.)
-       TODO: check
+       NOT-FOR-US: Qualcomm
 CVE-2024-20064 (In wlan service, there is a possible out of bounds write due 
to improp ...)
-       TODO: check
+       NOT-FOR-US: MediaTek
 CVE-2024-20060 (In da, there is a possible escalation of privilege due to an 
incorrect ...)
-       TODO: check
+       NOT-FOR-US: MediaTek
 CVE-2024-20059 (In da, there is a possible escalation of privilege due to an 
incorrect ...)
-       TODO: check
+       NOT-FOR-US: MediaTek
 CVE-2024-20058 (In keyInstall, there is a possible out of bounds read due to a 
missing ...)
-       TODO: check
+       NOT-FOR-US: MediaTek
 CVE-2024-20057 (In keyInstall, there is a possible out of bounds write due to 
a missin ...)
-       TODO: check
+       NOT-FOR-US: MediaTek
 CVE-2024-20056 (In preloader, there is a possible escalation of privilege due 
to an in ...)
-       TODO: check
+       NOT-FOR-US: MediaTek
 CVE-2024-20021 (In atf spm, there is a possible way to remap physical memory 
to virtua ...)
-       TODO: check
+       NOT-FOR-US: MediaTek
 CVE-2024-0904 (The Fancy Product Designer WordPress plugin before 6.1.81 does 
not san ...)
-       TODO: check
+       NOT-FOR-US: WordPress plugin
 CVE-2023-6854 (The Breakdance plugin for WordPress is vulnerable to Stored 
Cross-Site ...)
-       TODO: check
+       NOT-FOR-US: WordPress plugin
 CVE-2023-49676 (An unauthenticated local attacker may trick a user to open 
corrupted p ...)
-       TODO: check
+       NOT-FOR-US: CODESYS
 CVE-2023-49675 (An unauthenticated local attacker may trick a user to open 
corrupted p ...)
-       TODO: check
+       NOT-FOR-US: CODESYS
 CVE-2023-43531 (Memory corruption while verifying the serialized header when 
the key p ...)
        TODO: check
 CVE-2023-43530 (Memory corruption in HLOS while checking for the storage type.)
@@ -5506,8 +5506,7 @@ CVE-2024-4058 (Type confusion in ANGLE in Google Chrome 
prior to 124.0.6367.78 a
        [bullseye] - chromium <end-of-life> (see #1061268)
        [buster] - chromium <end-of-life> (see DSA 5046)
 CVE-2024-4141 (Out-of-bounds array write in Xpdf 4.05 and earlier, triggered 
by an in ...)
-       - poppler <undetermined>
-       NOTE: Might possibly affect poppler, xpdf in Debian uses it
+       NOT-FOR-US: xpdf (Debian uses poppler, which forked a long time ago)
 CVE-2024-4127 (A vulnerability was found in Tenda W15E 15.11.0.14. It has been 
classi ...)
        NOT-FOR-US: Tenda
 CVE-2024-4126 (A vulnerability was found in Tenda W15E 15.11.0.14 and 
classified as c ...)
@@ -6806,8 +6805,7 @@ CVE-2024-3906 (A vulnerability was found in Tenda AC500 
2.0.1.9(1307). It has be
 CVE-2024-3905 (A vulnerability was found in Tenda AC500 2.0.1.9(1307). It has 
been cl ...)
        NOT-FOR-US: Tenda
 CVE-2024-3900 (Out-of-bounds array write in Xpdf 4.05 and earlier, triggered 
by long  ...)
-       - poppler <undetermined>
-       NOTE: Might possibly affect poppler, pdf in Debian uses it
+       NOT-FOR-US: xpdf (Debian uses poppler, which forked a long time ago)
 CVE-2024-3825 (Versions of the BlazeMeter Jenkins plugin prior to 4.22 contain 
a flaw ...)
        NOT-FOR-US: Jenkins plugin
 CVE-2024-3817 (HashiCorp\u2019s go-getter library is vulnerable to argument 
injection ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/41e49df1c704238ba743f7d0d7e5063b67b20c01

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/41e49df1c704238ba743f7d0d7e5063b67b20c01
You're receiving this email because of your account on salsa.debian.org.

_______________________________________________
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

[Git][security-tracker-team/security-tracker][master] NFUS

Reply via email to