From fe0597738f68f8ef3f812be83835b2d065a2cc93 Mon Sep 17 00:00:00 2001 From: Moritz Muehlenhoff Date: Mon, 21 Feb 2022 17:03:02 +0100 Subject: buster/bullseye triage --- data/CVE/2021.list | 15 +++++++++++++++ data/CVE/2022.list | 19 ++++++++++++++----- 2 files changed, 29 insertions(+), 5 deletions(-) diff --git a/data/CVE/2021.list b/data/CVE/2021.list index ed3eda65d7..64c0101ce3 100644 --- a/data/CVE/2021.list +++ b/data/CVE/2021.list @@ -2,6 +2,8 @@ CVE-2021-46701 (PreMiD 2.2.0 allows unintended access via the websocket transpor NOT-FOR-US: PreMiD CVE-2021-46700 (In libsixel 1.8.6, sixel_encoder_output_without_macro (called from six ...) - libsixel + [bullseye] - libsixel (Minor issue) + [buster] - libsixel (Minor issue) NOTE: https://github.com/saitoha/libsixel/issues/158 CVE-2021-4222 RESERVED @@ -353,8 +355,11 @@ CVE-2021-4214 CVE-2021-4213 RESERVED - jss + [bullseye] - jss (Minor issue) + [buster] - jss (Minor issue) [stretch] - jss (revisit when/if fix is complete) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2042900 + NOTE: https://github.com/dogtagpki/jss/commit/5922560a78d0dee61af8a33cc9cfbf4cfa291448 CVE-2021-4212 RESERVED CVE-2021-4211 @@ -1594,22 +1599,32 @@ CVE-2021-46043 (A Pointer Dereference Vulnerability exits in GPAC 1.0.1 in the g NOTE: https://github.com/gpac/gpac/commit/f5a778edd1febd574ff9558d2faa57133bdb4a5f CVE-2021-46042 (A Pointer Dereference Vulnerability exists in GPAC 1.0.1 via the _fsee ...) - gpac + [bullseye] - gpac (Minor issue) + [buster] - gpac (Minor issue) NOTE: https://github.com/gpac/gpac/issues/2002 NOTE: https://github.com/gpac/gpac/commit/f5a778edd1febd574ff9558d2faa57133bdb4a5f CVE-2021-46041 (A Segmentation Fault Vulnerability exists in GPAC 1.0.1 via the co64_b ...) - gpac + [bullseye] - gpac (Minor issue) + [buster] - gpac (Minor issue) NOTE: https://github.com/gpac/gpac/issues/2004 NOTE: https://github.com/gpac/gpac/commit/f5a778edd1febd574ff9558d2faa57133bdb4a5f CVE-2021-46040 (A Pointer Dereference Vulnerabilty exists in GPAC 1.0.1 via the finpla ...) - gpac + [bullseye] - gpac (Minor issue) + [buster] - gpac (Minor issue) NOTE: https://github.com/gpac/gpac/issues/2003 NOTE: https://github.com/gpac/gpac/commit/f5a778edd1febd574ff9558d2faa57133bdb4a5f CVE-2021-46039 (A Pointer Dereference Vulnerabilty exists in GPAC 1.0.1 via the shift_ ...) - gpac + [bullseye] - gpac (Minor issue) + [buster] - gpac (Minor issue) NOTE: https://github.com/gpac/gpac/issues/1999 NOTE: https://github.com/gpac/gpac/commit/f5a778edd1febd574ff9558d2faa57133bdb4a5f CVE-2021-46038 (A Pointer Dereference vulnerability exists in GPAC 1.0.1 in unlink_chu ...) - gpac + [bullseye] - gpac (Minor issue) + [buster] - gpac (Minor issue) NOTE: https://github.com/gpac/gpac/issues/2000 NOTE: https://github.com/gpac/gpac/commit/f5a778edd1febd574ff9558d2faa57133bdb4a5f CVE-2021-46037 (MCMS v5.2.4 was discovered to contain an arbitrary file deletion vulne ...) diff --git a/data/CVE/2022.list b/data/CVE/2022.list index c09598d630..0570c2b0e5 100644 --- a/data/CVE/2022.list +++ b/data/CVE/2022.list @@ -855,6 +855,8 @@ CVE-2022-0640 RESERVED CVE-2022-0639 (Authorization Bypass Through User-Controlled Key in NPM url-parse prio ...) - node-url-parse 1.5.7-1 + [bullseye] - node-url-parse (Minor issue) + [buster] - node-url-parse (Minor issue) NOTE: https://huntr.dev/bounties/83a6bc9a-b542-4a38-82cd-d995a1481155 NOTE: https://github.com/unshiftio/url-parse/commit/ef45a1355375a8244063793a19059b4f62fc8788 (1.5.7) CVE-2022-0638 (Cross-Site Request Forgery (CSRF) in Packagist microweber/microweber p ...) @@ -2364,10 +2366,11 @@ CVE-2022-0536 (Exposure of Sensitive Information to an Unauthorized Actor in NPM CVE-2022-0535 RESERVED CVE-2022-0534 (A vulnerability was found in htmldoc version 1.9.15 where the stack ou ...) - - htmldoc 1.9.15-1 + - htmldoc 1.9.15-1 (unimportant) NOTE: https://github.com/michaelrsweet/htmldoc/issues/463 NOTE: Fixed by: https://github.com/michaelrsweet/htmldoc/commit/776cf0fc4c760f1fb7b966ce28dc92dd7d44ed50 (v1.9.15) NOTE: Fixed by: https://github.com/michaelrsweet/htmldoc/commit/312f0f9c12f26fbe015cd0e6cefa40e4b99017d9 (v1.9.15) + NOTE: Crash in CLI tool, no security impact CVE-2022-0533 RESERVED CVE-2022-0532 (An incorrect sysctls validation vulnerability was found in CRI-O 1.18 ...) @@ -2937,6 +2940,8 @@ CVE-2022-0513 (The WP Statistics WordPress plugin is vulnerable to SQL Injection NOT-FOR-US: WordPress plugin CVE-2022-0512 (Authorization Bypass Through User-Controlled Key in NPM url-parse prio ...) - node-url-parse 1.5.7-1 + [bullseye] - node-url-parse (Minor issue) + [buster] - node-url-parse (Minor issue) NOTE: https://huntr.dev/bounties/6d1bc51f-1876-4f5b-a2c2-734e09e8e05b NOTE: https://github.com/unshiftio/url-parse/commit/9be7ee88afd2bb04e4d5a1a8da9a389ac13f8c40 (1.5.6) CVE-2022-0511 @@ -6070,11 +6075,15 @@ CVE-2022-23321 (A persistent cross-site scripting (XSS) vulnerability exists on CVE-2022-23320 (XMPie uStore 12.3.7244.0 allows for administrators to generate reports ...) NOT-FOR-US: XMPie uStore CVE-2022-23319 (A segmentation fault during PCF file parsing in pcf2bdf versions >= ...) - - pcf2bdf - TODO: check, no additional references provided, double check + - pcf2bdf (unimportant) + NOTE: https://github.com/ganaware/pcf2bdf + NOTE: https://github.com/ganaware/pcf2bdf/issues/5 + NOTE: Crash in CLI tool, no security impact CVE-2022-23318 (A heap-buffer-overflow in pcf2bdf, versions >= 1.05 allows an attac ...) - - pcf2bdf - TODO: check, no additional references provided, double check + - pcf2bdf (unimportant) + NOTE: https://github.com/ganaware/pcf2bdf + NOTE: https://github.com/ganaware/pcf2bdf/issues/4 + NOTE: Crash in CLI tool, no security impact CVE-2022-23317 (CobaltStrike <=4.5 HTTP(S) listener does not determine whether the ...) NOT-FOR-US: CobaltStrike CVE-2022-23316 (An issue was discovered in taoCMS v3.0.2. There is an arbitrary file r ...) -- cgit v1.2.3