Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
099d42b8 by Moritz Muehlenhoff at 2025-03-21T09:37:34+01:00
auto-nfu: Add product based rule for Microsoft
- - - - -
26cad0cf by Moritz Muehlenhoff at 2025-03-21T09:41:34+01:00
NFUs
- - - - -
2 changed files:
- data/CVE/list
- data/packages/nfu.yaml
Changes:
=====================================
data/CVE/list
=====================================
@@ -31,9 +31,9 @@ CVE-2025-2538 (A specific type of ArcGIS Enterprise
deployment, is vulnerable to
CVE-2025-2198
REJECTED
CVE-2025-29814 (Improper authorization in Microsoft Partner Center allows an
authorize ...)
- TODO: check
+ NOT-FOR-US: Microsoft
CVE-2025-29807 (Deserialization of untrusted data in Microsoft Dataverse
allows an aut ...)
- TODO: check
+ NOT-FOR-US: Microsoft
CVE-2025-26336 (Dell Chassis Management Controller Firmware for Dell PowerEdge
FX2, ve ...)
NOT-FOR-US: Dell / EMC
CVE-2025-25758 (An issue in KukuFM Android v1.12.7 (11207) allows attackers to
access ...)
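Review bot: the reason string `NOT-FOR-US: Microsoft` on CVE-2025-29814 and CVE-2025-29807 should match what the automated path will emit, and it does: it is the same `reason: Microsoft` used by the new product-based rule added to nfu.yaml in the sibling commit of this push, so hand-triaged and auto-triaged entries for Partner Center and Dataverse will carry an identical tag. Both are hosted Microsoft services, so the classification itself is correct and nothing in this hunk needs to change.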
@@ -686,7 +686,7 @@ CVE-2024-10950 (In binary-husky/gpt_academic version <=
3.83, the plugin `CodeIn
CVE-2024-10948 (A vulnerability in the upload function of
binary-husky/gpt_academic al ...)
NOT-FOR-US: binary-husky/gpt_academic
CVE-2024-10940 (A vulnerability in langchain-core versions >=0.1.17,<0.1.53,
>=0.2.0,< ...)
- TODO: check
+ NOT-FOR-US: langchain-core
CVE-2024-10935 (automatic1111/stable-diffusion-webui version 1.10.0 contains a
vulnera ...)
NOT-FOR-US: automatic1111/stable-diffusion-webui
CVE-2024-10912 (A Denial of Service (DoS) vulnerability exists in the file
upload feat ...)
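Review bot: `NOT-FOR-US: langchain-core` names the PyPI distribution, whereas the neighbouring entries in this hunk (`binary-husky/gpt_academic`, `automatic1111/stable-diffusion-webui`) use the upstream org/repo form; pick one convention so later greps and auto-nfu regexes match reliably. Since the description's version ranges (`>=0.1.17,<0.1.53, >=0.2.0,<...`) are PyPI-style and this is a library rather than a standalone web app like its neighbours, a one-line remark that the archive was checked for a Debian packaging of langchain would make the NFU decision easier to audit later.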
@@ -742,7 +742,7 @@ CVE-2024-10718 (In phpipam/phpipam version 1.5.1, the
Secure attribute for sensi
CVE-2024-10714 (A vulnerability in binary-husky/gpt_academic version 3.83
allows an at ...)
NOT-FOR-US: binary-husky/gpt_academic
CVE-2024-10713 (A vulnerability in szad670401/hyperlpr v3.0 allows for a
Denial of Ser ...)
- TODO: check
+ NOT-FOR-US: szad670401/hyperlpr
CVE-2024-10707 (gaizhenbiao/chuanhuchatgpt version git d4ec6a3 is affected by
a local ...)
NOT-FOR-US: gaizhenbiao/chuanhuchatgpt
CVE-2024-10650 (An unauthenticated Denial of Service (DoS) vulnerability was
identifie ...)
@@ -752,67 +752,67 @@ CVE-2024-10648 (A path traversal vulnerability exists in
the Gradio Audio compon
CVE-2024-10624 (A Regular Expression Denial of Service (ReDoS) vulnerability
exists in ...)
NOT-FOR-US: Gradio
CVE-2024-10572 (In h2oai/h2o-3 version 3.46.0.1, the `run_tool` command
exposes classe ...)
- TODO: check
+ NOT-FOR-US: h2oai/h2o-3
CVE-2024-10569 (A vulnerability in the dataframe component of
gradio-app/gradio (versi ...)
NOT-FOR-US: Gradio
CVE-2024-10553 (A vulnerability in the h2oai/h2o-3 REST API versions 3.46.0.4
allows u ...)
- TODO: check
+ NOT-FOR-US: h2oai/h2o-3
CVE-2024-10550 (A vulnerability in the `/3/ParseSetup` endpoint of h2oai/h2o-3
version ...)
- TODO: check
+ NOT-FOR-US: h2oai/h2o-3
CVE-2024-10549 (A vulnerability in the `/3/Parse` endpoint of h2oai/h2o-3
version 3.46 ...)
- TODO: check
+ NOT-FOR-US: h2oai/h2o-3
CVE-2024-10513 (A path traversal vulnerability exists in the 'document uploads
manager ...)
- TODO: check
+ NOT-FOR-US: anything-llm
CVE-2024-10481 (A CSRF vulnerability exists in comfyanonymous/comfyui versions
up to v ...)
- TODO: check
+ NOT-FOR-US: comfyanonymous/comfyui
CVE-2024-10457 (Multiple Server-Side Request Forgery (SSRF) vulnerabilities
were ident ...)
- TODO: check
+ NOT-FOR-US: significant-gravitas/autogpt
CVE-2024-10366 (An improper access control vulnerability (IDOR) exists in the
delete a ...)
- TODO: check
+ NOT-FOR-US: danny-avila/librechat
CVE-2024-10363 (In version 0.7.5 of danny-avila/LibreChat, there is an
improper access ...)
- TODO: check
+ NOT-FOR-US: danny-avila/librechat
CVE-2024-10361 (An arbitrary file deletion vulnerability exists in
danny-avila/librech ...)
- TODO: check
+ NOT-FOR-US: danny-avila/librechat
CVE-2024-10359 (In danny-avila/librechat version v0.7.5-rc2, a vulnerability
exists in ...)
- TODO: check
+ NOT-FOR-US: danny-avila/librechat
CVE-2024-10330 (In lunary-ai/lunary version 1.5.6, the `/v1/evaluators/`
endpoint lack ...)
- TODO: check
+ NOT-FOR-US: lunary-ai/lunary
CVE-2024-10275 (In version 1.5.5 of lunary-ai/lunary, a vulnerability exists
where adm ...)
- TODO: check
+ NOT-FOR-US: lunary-ai/lunary
CVE-2024-10274 (An improper authorization vulnerability exists in
lunary-ai/lunary ver ...)
- TODO: check
+ NOT-FOR-US: lunary-ai/lunary
CVE-2024-10273 (In lunary-ai/lunary v1.5.0, improper privilege management in
the model ...)
- TODO: check
+ NOT-FOR-US: lunary-ai/lunary
CVE-2024-10272 (lunary-ai/lunary is vulnerable to broken access control in the
latest ...)
- TODO: check
+ NOT-FOR-US: lunary-ai/lunary
CVE-2024-10267 (An information disclosure vulnerability exists in the latest
version o ...)
- TODO: check
+ NOT-FOR-US: transformeroptimus/superagi
CVE-2024-10264 (HTTP Request Smuggling vulnerability in
netease-youdao/qanything versi ...)
- TODO: check
+ NOT-FOR-US: netease-youdao/qanything
CVE-2024-10252 (A vulnerability in langgenius/dify versions <=v0.9.1 allows
for code i ...)
- TODO: check
+ NOT-FOR-US: langgenius/dify
CVE-2024-10225 (A vulnerability in haotian-liu/llava v1.2.0 allows an attacker
to caus ...)
- TODO: check
+ NOT-FOR-US: haotian-liu/llava
CVE-2024-10190 (Horovod versions up to and including v0.28.1 are vulnerable to
unauthe ...)
- TODO: check
+ NOT-FOR-US: Horovod
CVE-2024-10188 (A vulnerability in BerriAI/litellm, as of commit 26c03c9,
allows unaut ...)
- TODO: check
+ NOT-FOR-US: BerriAI/litellm
CVE-2024-10110 (In version 3.23.0 of aimhubio/aim, the ScheduledStatusReporter
object ...)
- TODO: check
+ NOT-FOR-US: aimhubio/aim
CVE-2024-10109 (A vulnerability in the mintplex-labs/anything-llm repository,
as of co ...)
- TODO: check
+ NOT-FOR-US: anything-llm
CVE-2024-10096 (Dask versions <=2024.8.2 contain a vulnerability in the Dask
Distribut ...)
TODO: check
CVE-2024-10051 (Realchar version v0.0.4 is vulnerable to an unauthenticated
denial of ...)
- TODO: check
+ NOT-FOR-US: Realchar
CVE-2024-10047 (parisneo/lollms-webui versions v9.9 to the latest are
vulnerable to a ...)
- TODO: check
+ NOT-FOR-US: parisneo/lollms-webui
CVE-2024-10019 (A vulnerability in the `start_app_server` function of
parisneo/lollms- ...)
- TODO: check
+ NOT-FOR-US: parisneo/lollms-webui
CVE-2024-0640 (A stored cross-site scripting (XSS) vulnerability exists in
chatwoot/c ...)
- TODO: check
+ NOT-FOR-US: chatwoot/chatwoot
CVE-2024-0245 (A misconfiguration in the AndroidManifest.xml file in
hamza417/inure b ...)
- TODO: check
+ NOT-FOR-US: hamza417/inure
CVE-2025-30259 (The WhatsApp cloud service before late 2024 did not block
certain craf ...)
NOT-FOR-US: WhatsApp
CVE-2025-30092 (Intrexx Portal Server 12.x <= 12.0.2 and 11.x <= 11.9.2 allows
XSS in ...)
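Review bot: the NOT-FOR-US reason strings in this hunk are inconsistent in form, which matters because the description-based auto-nfu rules are regexes keyed on these names: `NOT-FOR-US: anything-llm` (CVE-2024-10513, CVE-2024-10109) drops the `mintplex-labs/` prefix that the CVE-2024-10109 description itself uses, `danny-avila/librechat` lower-cases the upstream `danny-avila/LibreChat`, and `Horovod` / `Realchar` are bare names while almost everything else is org/repo. Suggest normalising to the upstream org/repo spelling, e.g. `NOT-FOR-US: mintplex-labs/anything-llm`. The one entry deliberately left at `TODO: check`, CVE-2024-10096, is the right call given Dask is not an obvious NFU like the others; note that its description reads "Dask Distribut...", so whoever resolves it should look at the distributed scheduler component's packaging and not only at core dask.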
=====================================
data/packages/nfu.yaml
=====================================
@@ -144,6 +144,12 @@
- cna: JetBrains
- not:
product: IntelliJ IDEA
+- reason: Microsoft
+ allOf:
+ - cna: microsoft
+ - anyOf:
+ - product: Microsoft Partner Center
+ - product: Microsoft Dataverse
# Description based rules
- reason: code-projects
description: '.*\b(?i:code-projects)\s.*\s(?i:system)\b.*'
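Review bot: `cna: microsoft` is lower-case while the adjacent existing rule uses `cna: JetBrains`; if the matcher compares the CNA string exactly, one of the two spellings will never fire, so either confirm the comparison is case-insensitive or write the CNA name in one consistent casing across the file. Scoping the rule with `allOf` on the CNA plus `anyOf` over the two named products, rather than blanket-NFU'ing the whole Microsoft CNA, is the right shape, since that CNA also covers software that could plausibly be packaged; extend the `anyOf` list as further hosted-service products show up. Placement above the `# Description based rules` comment is correct for a CNA/product rule.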
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/9c05f2c6fa5add9f47c83f6099eeb9c76d180068...26cad0cfbdb6223cfcd6693dffe81109b8f200d4
--
You're receiving this email because of your account on salsa.debian.org.
_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits