From 669473916a9331d0cc1e96412bbc7829b7b794ef Mon Sep 17 00:00:00 2001 From: security tracker role Date: Fri, 5 Mar 2021 20:10:30 +0000 Subject: automatic update --- data/CVE/2016.list | 2 +- data/CVE/2017.list | 3 +- data/CVE/2018.list | 5 +- data/CVE/2019.list | 1 + data/CVE/2020.list | 24 +++--- data/CVE/2021.list | 242 +++++++++++++++++++++++++++++++++++++++++++---------- 6 files changed, 215 insertions(+), 62 deletions(-) diff --git a/data/CVE/2016.list b/data/CVE/2016.list index 6e1ea5d93b..0c3cf65a9e 100644 --- a/data/CVE/2016.list +++ b/data/CVE/2016.list @@ -2740,7 +2740,7 @@ CVE-2016-10094 (Off-by-one error in the t2p_readwrite_pdf_image_tile function in - tiff3 (vulnerable code introduced later) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2640 NOTE: Fixed by: https://github.com/vadz/libtiff/commit/c7153361a4041260719b340f73f2f76b0969235c -CVE-2016-10093 (Integer overflow in tools/tiffcp.c in LibTIFF 4.0.7 3.9.3, 3.9.4, 3.9. ...) +CVE-2016-10093 (Integer overflow in tools/tiffcp.c in LibTIFF 4.0.7, 3.9.3, 3.9.4, 3.9 ...) {DSA-3762-1 DLA-795-1} - tiff 4.0.7-2 - tiff3 diff --git a/data/CVE/2017.list b/data/CVE/2017.list index da1ed50642..863798e83c 100644 --- a/data/CVE/2017.list +++ b/data/CVE/2017.list @@ -9041,6 +9041,7 @@ CVE-2017-15710 (In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to - apache2 2.4.33-1 NOTE: https://www.openwall.com/lists/oss-security/2018/03/24/8 CVE-2017-15709 (When using the OpenWire protocol in ActiveMQ versions 5.14.0 to 5.15.2 ...) + {DLA-2583-1} - activemq 5.15.3-1 (bug #890352) [jessie] - activemq (Issue introduced with OpenWire protocol support) [wheezy] - activemq (Issue introduced with OpenWire protocol support) 
@@ -11097,7 +11098,7 @@ CVE-2017-15046 (LAME 3.99.5, 3.99.4, 3.98.4, 3.98.2, 3.98 and 3.97 have a stack- NOTE: Starting with 3.99.5+repack1-8 libsndfile is used to read the input file, marking that as the fixed NOTE: version, although the internal lame code was only fixed in 3.100 (strictly speaking that would be NOTE: severity:unimportant for stretch onwards, but we don't have suite-specific severity annotations -CVE-2017-15045 (LAME 3.99.5, 3.98.4, 3.98.2 and 3.98 has a heap-based buffer over-read ...) +CVE-2017-15045 (LAME 3.99, 3.99.1, 3.99.2, 3.99.3, 3.99.4, 3.99.5, 3.98.4, 3.98.2 and ...) - lame 3.99.5+repack1-8 [jessie] - lame 3.99.5+repack1-7+deb8u2 NOTE: https://sourceforge.net/p/lame/bugs/478/ diff --git a/data/CVE/2018.list b/data/CVE/2018.list index f81f5135a3..c1ff700501 100644 --- a/data/CVE/2018.list +++ b/data/CVE/2018.list @@ -7509,7 +7509,7 @@ CVE-2018-18559 (In the Linux kernel through 4.19, a use-after-free can occur due NOTE: Fixed by: https://git.kernel.org/linus/15fe076edea787807a7cdc168df832544b58eba6 CVE-2018-18558 (An issue was discovered in Espressif ESP-IDF 2.x and 3.x before 3.0.6 ...) NOT-FOR-US: Espressif ESP-IDF -CVE-2018-18557 (LibTIFF 3.9.3, 3.9.4, 4.0.0alpha4, 4.0.0alpha5, 4.0.0alpha6, 4.0.0beta ...) +CVE-2018-18557 (LibTIFF 3.9.3, 3.9.4, 3.9.5, 3.9.6, 3.9.7, 4.0.0alpha4, 4.0.0alpha5, 4 ...) {DSA-4349-1 DLA-1557-1} - tiff 4.0.9+git181026-1 (bug #911635) - tiff3 @@ -25197,6 +25197,7 @@ CVE-2018-11776 (Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer fr - libstruts1.2-java (Specific to 2.x) NOTE: https://cwiki.apache.org/confluence/display/WW/S2-057 CVE-2018-11775 (TLS hostname verification when using the Apache ActiveMQ Client before ...) + {DLA-2583-1} - activemq 5.15.6-1 (low; bug #908950) [jessie] - activemq (Minor issue) NOTE: http://activemq.apache.org/security-advisories.data/CVE-2018-11775-announcement.txt 
@@ -39542,7 +39543,7 @@ CVE-2018-6382 (** DISPUTED ** MantisBT 2.10.0 allows local users to conduct SQL - mantis [wheezy] - mantis (Not supported in Wheezy) NOTE: https://mantisbt.org/bugs/view.php?id=23908 -CVE-2018-6381 (In ZZIPlib 0.13.67, 0.13.66, 0.13.65, 0.13.64 and 0.13.63 there is a s ...) +CVE-2018-6381 (In ZZIPlib 0.13.67, 0.13.66, 0.13.65, 0.13.64, 0.13.63, 0.13.62, 0.13. ...) {DLA-2258-1} - zziplib 0.13.62-3.2 (bug #889096) [stretch] - zziplib 0.13.62-3.2~deb9u1 diff --git a/data/CVE/2019.list b/data/CVE/2019.list index 45fadc32af..49b7b97915 100644 --- a/data/CVE/2019.list +++ b/data/CVE/2019.list @@ -53014,6 +53014,7 @@ CVE-2019-0223 (While investigating bug PROTON-2014, we discovered that under som NOTE: not present in the jessie version. That part do not seem to be essential for NOTE: the package to be vulnerable. CVE-2019-0222 (In Apache ActiveMQ 5.0.0 - 5.15.8, unmarshalling corrupt MQTT frame ca ...) + {DLA-2583-1 DLA-2582-1} - activemq 5.15.9-1 (bug #925964; unimportant) [jessie] - activemq (MQTT support not enabled) - mqtt-client 1.16-1 diff --git a/data/CVE/2020.list b/data/CVE/2020.list index 2011724d01..61b45d906e 100644 --- a/data/CVE/2020.list +++ b/data/CVE/2020.list @@ -1564,8 +1564,8 @@ CVE-2020-35596 RESERVED CVE-2020-35595 RESERVED -CVE-2020-35594 - RESERVED +CVE-2020-35594 (Zoho ManageEngine ADManager Plus before 7066 allows XSS. ...) + TODO: check CVE-2020-35593 RESERVED CVE-2020-35592 (Pi-hole 5.0, 5.1, and 5.1.1 allows XSS via the Options header to the a ...) 
@@ -2795,8 +2795,8 @@ CVE-2020-29660 (A locking inconsistency issue was discovered in the tty subsyste NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=2125 CVE-2020-29659 (A buffer overflow in the web server of Flexense DupScout Enterprise 10 ...) NOT-FOR-US: Flexense DupScout Enterprise -CVE-2020-29658 - RESERVED +CVE-2020-29658 (Zoho ManageEngine Application Control Plus before 100523 has an insecu ...) + TODO: check CVE-2020-29657 (In JerryScript 2.3.0, there is an out-of-bounds read in main_print_unh ...) - iotjs (bug #977736; unimportant) NOTE: https://github.com/jerryscript-project/jerryscript/issues/4244 @@ -4040,8 +4040,8 @@ CVE-2020-29136 (In cPanel before 90.0.17, 2FA can be bypassed via a brute-force NOT-FOR-US: cPanel CVE-2020-29135 (cPanel before 90.0.17 has multiple instances of URL parameter injectio ...) NOT-FOR-US: cPanel -CVE-2020-29134 - RESERVED +CVE-2020-29134 (TOTVS Fluig Luke 1.7.0 allows directory traversal via a base64 encoded ...) + TODO: check CVE-2020-29133 (jsp/upload.jsp in Coremail XT 5.0 allows XSS via an uploaded personal ...) NOT-FOR-US: Coremail XT CVE-2020-29132 @@ -4261,8 +4261,8 @@ CVE-2020-29034 RESERVED CVE-2020-29033 RESERVED -CVE-2020-29032 - RESERVED +CVE-2020-29032 (Upload of Code Without Integrity Check vulnerability in firmware archi ...) + TODO: check CVE-2020-29031 (An Insecure Direct Object Reference vulnerability exists in the web UI ...) NOT-FOR-US: GateManager CVE-2020-29030 @@ -5445,8 +5445,8 @@ CVE-2020-28504 RESERVED CVE-2020-28503 RESERVED -CVE-2020-28502 - RESERVED +CVE-2020-28502 (This affects the package xmlhttprequest before 1.7.0; all versions of ...) + TODO: check CVE-2020-28501 RESERVED CVE-2020-28500 (All versions of package lodash; all versions of package org.fujion.web ...) 
@@ -6450,8 +6450,8 @@ CVE-2020-28052 (An issue was discovered in Legion of the Bouncy Castle BC Java 1 NOTE: Fixed by: https://github.com/bcgit/bc-java/commit/97578f9b7ed277e6ecb58834e85e3d18385a4219 (r1rv67) CVE-2020-28051 RESERVED -CVE-2020-28050 - RESERVED +CVE-2020-28050 (Zoho ManageEngine Desktop Central before build 10.0.647 allows a singl ...) + TODO: check CVE-2020-28049 (An issue was discovered in SDDM before 0.19.0. It incorrectly starts t ...) {DSA-4783-1 DLA-2436-1} - sddm 0.19.0-1 (bug #973748) diff --git a/data/CVE/2021.list b/data/CVE/2021.list index 93fa159654..c151d2f4dd 100644 --- a/data/CVE/2021.list +++ b/data/CVE/2021.list 
@@ -1,3 +1,153 @@ +CVE-2021-3423 + RESERVED +CVE-2021-28041 (ssh-agent in OpenSSH before 8.5 has a double free that may be relevant ...) + TODO: check +CVE-2021-28040 (An issue was discovered in OSSEC 3.6.0. An uncontrolled recursion vuln ...) + TODO: check +CVE-2021-28037 (An issue was discovered in the internment crate before 0.4.2 for Rust. ...) + TODO: check +CVE-2021-28036 (An issue was discovered in the quinn crate before 0.7.0 for Rust. It m ...) + TODO: check +CVE-2021-28035 (An issue was discovered in the stack_dst crate before 0.6.1 for Rust. ...) + TODO: check +CVE-2021-28034 (An issue was discovered in the stack_dst crate before 0.6.1 for Rust. ...) + TODO: check +CVE-2021-28033 (An issue was discovered in the byte_struct crate before 0.6.1 for Rust ...) + TODO: check +CVE-2021-28032 (An issue was discovered in the nano_arena crate before 0.5.2 for Rust. ...) + TODO: check +CVE-2021-28031 (An issue was discovered in the scratchpad crate before 1.3.1 for Rust. ...) + TODO: check +CVE-2021-28030 (An issue was discovered in the truetype crate before 0.30.1 for Rust. ...) + TODO: check +CVE-2021-28029 (An issue was discovered in the toodee crate before 0.3.0 for Rust. The ...) + TODO: check +CVE-2021-28028 (An issue was discovered in the toodee crate before 0.3.0 for Rust. Row ...) + TODO: check +CVE-2021-28027 (An issue was discovered in the bam crate before 0.1.3 for Rust. There ...) + TODO: check +CVE-2021-28026 (jpeg-xl v0.3.2 is affected by a heap buffer overflow in /lib/jxl/coeff ...) 
+ TODO: check +CVE-2021-28025 + RESERVED +CVE-2021-28024 + RESERVED +CVE-2021-28023 + RESERVED +CVE-2021-28022 + RESERVED +CVE-2021-28021 + RESERVED +CVE-2021-28020 + RESERVED +CVE-2021-28019 + RESERVED +CVE-2021-28018 + RESERVED +CVE-2021-28017 + RESERVED +CVE-2021-28016 + RESERVED +CVE-2021-28015 + RESERVED +CVE-2021-28014 + RESERVED +CVE-2021-28013 + RESERVED +CVE-2021-28012 + RESERVED +CVE-2021-28011 + RESERVED +CVE-2021-28010 + RESERVED +CVE-2021-28009 + RESERVED +CVE-2021-28008 + RESERVED +CVE-2021-28007 + RESERVED +CVE-2021-28006 + RESERVED +CVE-2021-28005 + RESERVED +CVE-2021-28004 + RESERVED +CVE-2021-28003 + RESERVED +CVE-2021-28002 + RESERVED +CVE-2021-28001 + RESERVED +CVE-2021-28000 + RESERVED +CVE-2021-27999 + RESERVED +CVE-2021-27998 + RESERVED +CVE-2021-27997 + RESERVED +CVE-2021-27996 + RESERVED +CVE-2021-27995 + RESERVED +CVE-2021-27994 + RESERVED +CVE-2021-27993 + RESERVED +CVE-2021-27992 + RESERVED +CVE-2021-27991 + RESERVED +CVE-2021-27990 + RESERVED +CVE-2021-27989 + RESERVED +CVE-2021-27988 + RESERVED +CVE-2021-27987 + RESERVED +CVE-2021-27986 + RESERVED +CVE-2021-27985 + RESERVED +CVE-2021-27984 + RESERVED +CVE-2021-27983 + RESERVED +CVE-2021-27982 + RESERVED +CVE-2021-27981 + RESERVED +CVE-2021-27980 + RESERVED +CVE-2021-27979 + RESERVED +CVE-2021-27978 + RESERVED +CVE-2021-27977 + RESERVED +CVE-2021-27976 + RESERVED +CVE-2021-27975 + RESERVED +CVE-2021-27974 + RESERVED +CVE-2021-27973 + RESERVED +CVE-2021-27972 + RESERVED +CVE-2021-27971 + RESERVED +CVE-2021-27970 + RESERVED +CVE-2021-27969 + RESERVED +CVE-2021-27968 + RESERVED +CVE-2021-27967 + RESERVED +CVE-2021-27966 + RESERVED CVE-2021-27965 (The MsIo64.sys driver before 1.1.19.1016 in MSI Dragon Center before 2 ...) NOT-FOR-US: MSI Dragon Center CVE-2021-27964 (SonLogger before 6.4.1 is affected by Unauthenticated Arbitrary File U ...) 
@@ -40,12 +190,12 @@ CVE-2021-27946 RESERVED CVE-2021-27945 RESERVED -CVE-2021-28039 [XSA 369] +CVE-2021-28039 (An issue was discovered in the Linux kernel 5.9.x through 5.11.3, as u ...) - linux (unimportant) [buster] - linux (Vulnerable code introduced later) [stretch] - linux (Vulnerable code introduced later) NOTE: https://xenbits.xen.org/xsa/advisory-369.html -CVE-2021-28038 [XSA 367] +CVE-2021-28038 (An issue was discovered in the Linux kernel through 5.11.3, as used wi ...) - linux NOTE: https://xenbits.xen.org/xsa/advisory-367.html CVE-2021-3422 @@ -139,8 +289,7 @@ CVE-2021-27909 RESERVED CVE-2021-27908 RESERVED -CVE-2021-27907 - RESERVED +CVE-2021-27907 (Apache Superset up to and including 0.38.0 allowed the creation of a M ...) NOT-FOR-US: Apache Superset CVE-2021-27906 RESERVED @@ -1841,10 +1990,10 @@ CVE-2021-27101 (Accellion FTA 9_12_370 and earlier is affected by SQL injection NOT-FOR-US: Accellion FTA CVE-2021-27100 RESERVED -CVE-2021-27099 - RESERVED -CVE-2021-27098 - RESERVED +CVE-2021-27099 (In SPIRE before versions 0.8.5, 0.9.4, 0.10.2, 0.11.3 and 0.12.1, the ...) + TODO: check +CVE-2021-27098 (In SPIRE 0.8.1 through 0.8.4 and before versions 0.9.4, 0.10.2, 0.11.3 ...) + TODO: check CVE-2021-27097 (The boot loader in Das U-Boot before 2021.04-rc2 mishandles a modified ...) - u-boot (bug #983270) [buster] - u-boot (Minor issue) 
@@ -2104,30 +2253,30 @@ CVE-2021-26973 RESERVED CVE-2021-26972 RESERVED -CVE-2021-26971 - RESERVED -CVE-2021-26970 - RESERVED -CVE-2021-26969 - RESERVED -CVE-2021-26968 - RESERVED -CVE-2021-26967 - RESERVED -CVE-2021-26966 - RESERVED -CVE-2021-26965 - RESERVED -CVE-2021-26964 - RESERVED -CVE-2021-26963 - RESERVED -CVE-2021-26962 - RESERVED -CVE-2021-26961 - RESERVED -CVE-2021-26960 - RESERVED +CVE-2021-26971 (A remote authenticated arbitrary command execution vulnerability was d ...) + TODO: check +CVE-2021-26970 (A remote authenticated arbitrary command execution vulnerability was d ...) + TODO: check +CVE-2021-26969 (A remote authenticated authenticated xml external entity (xxe) vulnera ...) + TODO: check +CVE-2021-26968 (A remote authenticated stored cross-site scripting (xss) vulnerability ...) + TODO: check +CVE-2021-26967 (A remote reflected cross-site scripting (xss) vulnerability was discov ...) + TODO: check +CVE-2021-26966 (A remote authenticated sql injection vulnerability was discovered in A ...) + TODO: check +CVE-2021-26965 (A remote authenticated sql injection vulnerability was discovered in A ...) + TODO: check +CVE-2021-26964 (A remote authentication restriction bypass vulnerability was discovere ...) + TODO: check +CVE-2021-26963 (A remote authenticated arbitrary command execution vulnerability was d ...) + TODO: check +CVE-2021-26962 (A remote authenticated arbitrary command execution vulnerability was d ...) + TODO: check +CVE-2021-26961 (A remote unauthenticated cross-site request forgery (csrf) vulnerabili ...) + TODO: check +CVE-2021-26960 (A remote unauthenticated cross-site request forgery (csrf) vulnerabili ...) + TODO: check CVE-2021-26959 REJECTED CVE-2021-26958 (An issue was discovered in the xcb crate through 2021-02-04 for Rust. ...) 
@@ -2726,8 +2875,8 @@ CVE-2021-26707 NOT-FOR-US: Node deep-merge CVE-2021-26706 RESERVED -CVE-2021-26705 - RESERVED +CVE-2021-26705 (An issue was discovered in SquareBox CatDV Server through 9.2. An atta ...) + TODO: check CVE-2021-26704 (EPrints 3.4.2 allows remote attackers to execute arbitrary commands vi ...) NOT-FOR-US: EPrints CVE-2021-26703 (EPrints 3.4.2 allows remote attackers to read arbitrary files and poss ...) @@ -3133,8 +3282,8 @@ CVE-2021-3379 RESERVED CVE-2021-3378 (FortiLogger 4.4.2.2 is affected by Arbitrary File Upload by sending a ...) NOT-FOR-US: FortiLogger -CVE-2021-3377 - RESERVED +CVE-2021-3377 (The npm package ansi_up converts ANSI escape codes into HTML. In ansi_ ...) + TODO: check CVE-2021-3376 RESERVED CVE-2021-3375 (ActivePresenter 6.1.6 is affected by a memory corruption vulnerability ...) @@ -4184,6 +4333,7 @@ CVE-2021-26119 (Smarty before 3.1.39 allows a Sandbox Escape because $smarty.tem CVE-2021-26118 (While investigating ARTEMIS-2964 it was found that the creation of adv ...) NOT-FOR-US: Apache ActiveMQ Artemis CVE-2021-26117 (The optional ActiveMQ LDAP login module can be configured to use anony ...) + {DLA-2583-1} - activemq 5.16.1-1 (bug #982590) NOTE: https://issues.apache.org/jira/browse/AMQ-8035 NOTE: https://www.openwall.com/lists/oss-security/2021/01/27/6 @@ -6038,8 +6188,8 @@ CVE-2021-25315 (A Incorrect Implementation of Authentication Algorithm vulnerabi TODO: check CVE-2021-25314 RESERVED -CVE-2021-25313 - RESERVED +CVE-2021-25313 (A Improper Neutralization of Input During Web Page Generation ('Cross- ...) + TODO: check CVE-2021-3179 RESERVED CVE-2021-3178 (** DISPUTED ** fs/nfsd/nfs3xdr.c in the Linux kernel through 5.10.8, w ...) 
@@ -13619,8 +13769,8 @@ CVE-2021-21727 RESERVED CVE-2021-21726 RESERVED -CVE-2021-21725 - RESERVED +CVE-2021-21725 (A ZTE product has an information leak vulnerability. An attacker with ...) + TODO: check CVE-2021-21724 (A ZTE product has a memory leak vulnerability. Due to the product's im ...) NOT-FOR-US: ZTE CVE-2021-21723 (Some ZTE products have a DoS vulnerability. Due to the improper handli ...) @@ -16004,12 +16154,12 @@ CVE-2021-20667 RESERVED CVE-2021-20666 RESERVED -CVE-2021-20665 - RESERVED -CVE-2021-20664 - RESERVED -CVE-2021-20663 - RESERVED +CVE-2021-20665 (Cross-site scripting vulnerability in in Add asset screen of Contents ...) + TODO: check +CVE-2021-20664 (Cross-site scripting vulnerability in in Asset registration screen of ...) + TODO: check +CVE-2021-20663 (Cross-site scripting vulnerability in in Role authority setting screen ...) + TODO: check CVE-2021-20662 (Missing authentication for critical function in SolarView Compact SV-C ...) NOT-FOR-US: SolarView Compact CVE-2021-20661 (Directory traversal vulnerability in SolarView Compact SV-CPT-MC310 pr ...) -- cgit v1.2.3
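Review bot: In the data/CVE/2019.list hunk, CVE-2019-0222 gains {DLA-2583-1 DLA-2582-1}, but its package line still reads "- activemq 5.15.9-1 (bug #925964; unimportant)" and the jessie line says MQTT support is not enabled. An advisory reference on an entry whose only activemq annotation is unimportant deserves a second look. Confirm which DLA covers activemq and which covers mqtt-client, and revisit the unimportant severity if the activemq advisory did ship a fix for this CVE.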
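Review bot: In the first data/CVE/2021.list hunk (@@ -1,3 +1,153), CVE-2021-28041 names ssh-agent in OpenSSH before 8.5 but carries only "TODO: check", so no source package is associated with it yet. Of the published entries added in this hunk, this is the one to triage first: replace the TODO with a package line and fixed version once the affected versions are confirmed, rather than leaving it queued with the Rust crate entries that follow it.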
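Review bot: In the data/CVE/2021.list hunk at @@ -13619,8 +13769,8, CVE-2021-21725 ("A ZTE product has an information leak vulnerability ...") is left at "TODO: check" while the two entries directly below it, CVE-2021-21724 and CVE-2021-21723, are already tagged "NOT-FOR-US: ZTE". Once the full description confirms it is the same vendor's product, use the same tag so the three entries stay consistent. The hunk at @@ -139,8 +289,7 shows the pattern for this, where CVE-2021-27907 kept its existing "NOT-FOR-US: Apache Superset" line when the description arrived.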