From 257dade949b8793fc3bd1642c988bd5b8f4e7789 Mon Sep 17 00:00:00 2001 From: Moritz Muehlenhoff Date: Mon, 22 Feb 2021 18:45:05 +0100 Subject: new gsoap, ruby-twitter-stream issues NFUs some rust issues no-dsa in buster --- data/CVE/2020.list | 59 +++++++++++++++++++++++++++++++++--------------------- 1 file changed, 36 insertions(+), 23 deletions(-) (limited to 'data/CVE/2020.list') diff --git a/data/CVE/2020.list b/data/CVE/2020.list index 652c397525..407022c592 100644 --- a/data/CVE/2020.list +++ b/data/CVE/2020.list @@ -1274,6 +1274,7 @@ CVE-2020-35709 (bloofoxCMS 0.5.2.1 allows admins to upload arbitrary .php files NOT-FOR-US: bloofoxCMS CVE-2020-35711 (An issue has been discovered in the arc-swap crate before 0.4.8 (and 1 ...) - rust-arc-swap + [buster] - rust-arc-swap (Minor issue) NOTE: https://github.com/vorner/arc-swap/issues/45 NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0091.html CVE-2020-35708 (phpList 3.5.9 allows SQL injection by admins who provide a crafted fou ...) 
@@ -4374,22 +4375,27 @@ CVE-2020-26235 (In Rust time crate from version 0.2.7 and before version 0.2.23, NOTE: Deprecated in: https://github.com/time-rs/time/commit/f153a1ca5fdfec979f16c49619e6034cc67e186d (v0.2.23) CVE-2020-35914 (An issue was discovered in the lock_api crate before 0.4.2 for Rust. A ...) - rust-lock-api (bug #975319) + [buster] - rust-lock-api (Minor issue) NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0070.html NOTE: https://github.com/Amanieu/parking_lot/pull/262 CVE-2020-35913 (An issue was discovered in the lock_api crate before 0.4.2 for Rust. A ...) - rust-lock-api (bug #975319) + [buster] - rust-lock-api (Minor issue) NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0070.html NOTE: https://github.com/Amanieu/parking_lot/pull/262 CVE-2020-35912 (An issue was discovered in the lock_api crate before 0.4.2 for Rust. A ...) - rust-lock-api (bug #975319) + [buster] - rust-lock-api (Minor issue) NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0070.html NOTE: https://github.com/Amanieu/parking_lot/pull/262 CVE-2020-35911 (An issue was discovered in the lock_api crate before 0.4.2 for Rust. A ...) - rust-lock-api (bug #975319) + [buster] - rust-lock-api (Minor issue) NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0070.html NOTE: https://github.com/Amanieu/parking_lot/pull/262 CVE-2020-35910 (An issue was discovered in the lock_api crate before 0.4.2 for Rust. A ...) - rust-lock-api (bug #975319) + [buster] - rust-lock-api (Minor issue) NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0070.html NOTE: https://github.com/Amanieu/parking_lot/pull/262 CVE-2020-28971 (An issue was discovered on Western Digital My Cloud OS 5 devices befor ...) @@ -13885,7 +13891,7 @@ CVE-2020-24910 CVE-2020-24909 RESERVED CVE-2020-24908 (Checkmk before 1.6.0p17 allows local users to obtain SYSTEM privileges ...) - TODO: check + - check-mk CVE-2020-24907 RESERVED CVE-2020-24906 
@@ -15016,7 +15022,8 @@ CVE-2020-24394 (In the Linux kernel before 5.7.8, fs/nfsd/vfs.c (in the NFS serv CVE-2020-24393 (TweetStream 2.6.1 uses the library eventmachine in an insecure way tha ...) NOT-FOR-US: TweetStream CVE-2020-24392 (In voloko twitter-stream 0.1.10, missing TLS hostname validation allow ...) - TODO: check + - ruby-twitter-stream + NOTE: https://securitylab.github.com/advisories/GHSL-2020-097-voloko-twitter-stream CVE-2020-24391 RESERVED CVE-2020-24390 (eonweb in EyesOfNetwork before 5.3-7 does not properly escape the user ...) @@ -38586,15 +38593,20 @@ CVE-2020-13580 (An exploitable heap-based buffer overflow vulnerability exists i CVE-2020-13579 (An exploitable integer overflow vulnerability exists in the PlanMaker ...) NOT-FOR-US: SoftMaker CVE-2020-13578 (A denial-of-service vulnerability exists in the WS-Security plugin fun ...) - TODO: check + - gsoap + NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1189 CVE-2020-13577 (A denial-of-service vulnerability exists in the WS-Security plugin fun ...) - TODO: check + - gsoap + NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1188 CVE-2020-13576 (A code execution vulnerability exists in the WS-Addressing plugin func ...) - TODO: check + - gsoap + NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1187 CVE-2020-13575 (A denial-of-service vulnerability exists in the WS-Addressing plugin f ...) - TODO: check + - gsoap + NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1186 CVE-2020-13574 (A denial-of-service vulnerability exists in the WS-Security plugin fun ...) - TODO: check + - gsoap + NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1185 CVE-2020-13573 (A denial-of-service vulnerability exists in the Ethernet/IP server fun ...) NOT-FOR-US: Rockwell Automation RSLinx Classic CVE-2020-13572 (A heap overflow vulnerability exists in the way the GIF parser decodes ...) 
@@ -44406,7 +44418,7 @@ CVE-2020-11225 (Out of bound access in WLAN driver due to lack of validation of CVE-2020-11224 RESERVED CVE-2020-11223 (Out of bound in camera driver due to lack of check of validation of ar ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2020-11222 RESERVED CVE-2020-11221 @@ -44444,7 +44456,7 @@ CVE-2020-11206 (u'Possible buffer overflow in Fastrpc while handling received pa CVE-2020-11205 (u'Possible integer overflow to heap overflow while processing command ...) NOT-FOR-US: Qualcomm components for Android CVE-2020-11204 (Possible memory corruption and information leakage in sub-system due t ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2020-11203 (Stack overflow may occur if GSM/WCDMA broadcast config size received f ...) NOT-FOR-US: Qualcomm components for Android CVE-2020-11202 (u'Buffer overflow/underflow occurs when typecasting the buffer passed ...) @@ -44456,15 +44468,15 @@ CVE-2020-11200 (Buffer over-read while parsing RPS due to lack of check of input CVE-2020-11199 RESERVED CVE-2020-11198 (Key material used for TZ diag buffer encryption and other data related ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2020-11197 (Possible integer overflow can occur when stream info update is called ...) NOT-FOR-US: Qualcomm components for Android CVE-2020-11196 (u'Integer overflow to buffer overflow occurs while playback of ASF cli ...) NOT-FOR-US: Qualcomm components for Android CVE-2020-11195 (Out of bound write and read in TA while processing command from NS sid ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2020-11194 (Possible out of bound access in TA while processing a command from NS ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2020-11193 (u'Buffer over read can happen while parsing mkv clip due to improper t ...) NOT-FOR-US: Qualcomm components for Android CVE-2020-11192 
@@ -44562,7 +44574,7 @@ CVE-2020-11149 (Out of bound access due to usage of an out-of-range pointer offs CVE-2020-11148 (Use after free issue in HIDL while using callback to post event in Rx ...) NOT-FOR-US: Qualcomm components for Android CVE-2020-11147 (Use after free issue in audio modules while removing and freeing objec ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2020-11146 (Out of bound write while copying data using IOCTL due to lack of check ...) NOT-FOR-US: Qualcomm components for Android CVE-2020-11145 (Divide by zero issue can happen while updating delta extension header ...) @@ -51012,9 +51024,9 @@ CVE-2020-8569 (Kubernetes CSI snapshot-controller prior to v2.1.3 and v3.0.2 cou NOT-FOR-US: Kubernetes CSI Snapshotter NOTE: https://github.com/kubernetes-csi/external-snapshotter/issues/421 CVE-2020-8568 (Kubernetes Secrets Store CSI Driver versions v0.0.15 and v0.0.16 allow ...) - TODO: check + NOT-FOR-US: Kubernetes Secrets Store CSI Driver CVE-2020-8567 (Kubernetes Secrets Store CSI Driver Vault Plugin prior to v0.0.6, Azur ...) - TODO: check + NOT-FOR-US: Kubernetes Secrets Store CSI Driver CVE-2020-8566 (In Kubernetes clusters using Ceph RBD as a storage provisioner, with l ...) - kubernetes 1.19.3-1 (bug #972341) NOTE: https://github.com/kubernetes/kubernetes/pull/95245 @@ -52333,7 +52345,8 @@ CVE-2020-8033 (Ruckus R500 3.4.2.0.384 devices allow XSS via the index.asp Devic CVE-2020-8032 RESERVED CVE-2020-8031 (A Improper Neutralization of Input During Web Page Generation ('Cross- ...) - TODO: check + - open-build-service + NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1178880 CVE-2020-8030 (A Insecure Temporary File vulnerability in skuba of SUSE CaaS Platform ...) NOT-FOR-US: SuSE CaaS CVE-2020-8029 (A Incorrect Permission Assignment for Critical Resource vulnerability ...) 
@@ -52875,7 +52888,7 @@ CVE-2020-7796 (Zimbra Collaboration Suite (ZCS) before 8.8.15 Patch 7 allows SSR CVE-2020-7795 RESERVED CVE-2020-7794 (This affects all versions of package buns. The injection point is loca ...) - TODO: check + NOT-FOR-US: Node buns CVE-2020-7793 (The package ua-parser-js before 0.7.23 are vulnerable to Regular Expre ...) - node-ua-parser-js 0.7.23+ds-1 [buster] - node-ua-parser-js (Minor issue) @@ -52898,7 +52911,7 @@ CVE-2020-7788 (This affects the package ini before 1.3.6. If an attacker submits CVE-2020-7787 (This affects all versions of package react-adal. It is possible for a ...) NOT-FOR-US: Node react-adal CVE-2020-7786 (This affects all versions of package macfromip. The injection point is ...) - TODO: check + NOT-FOR-US: Node macfromip CVE-2020-7785 (This affects all versions of package node-ps. The injection point is l ...) TODO: check CVE-2020-7784 (This affects all versions of package ts-process-promises. The injectio ...) @@ -58631,9 +58644,9 @@ CVE-2020-5430 CVE-2020-5429 REJECTED CVE-2020-5428 (In applications using Spring Cloud Task 2.2.4.RELEASE and below, may b ...) - TODO: check + NOT-FOR-US: Vmware CVE-2020-5427 (In Spring Cloud Data Flow, versions 2.6.x prior to 2.6.5, versions 2.5 ...) - TODO: check + NOT-FOR-US: Vmware CVE-2020-5426 (Scheduler for TAS prior to version 1.4.0 was permitting plaintext tran ...) NOT-FOR-US: Vmware CVE-2020-5425 (Single Sign-On for Vmware Tanzu all versions prior to 1.11.3 ,1.12.x v ...) 
@@ -62443,7 +62456,7 @@ CVE-2020-3666 (u'Out of bounds memory access during memory copy while processing CVE-2020-3665 (A possible buffer overflow would occur while processing command from f ...) NOT-FOR-US: Snapdragon CVE-2020-3664 (Out of bound read access in hypervisor due to an invalid read access a ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2020-3663 (Buffer over-write may occur during fetching track decoder specific inf ...) NOT-FOR-US: Snapdragon CVE-2020-3662 (Buffer overflow can occur while parsing eac3 header while playing the ...) @@ -66832,7 +66845,7 @@ CVE-2020-1725 (A flaw was found in keycloak before version 13.0.0. In some scena CVE-2020-1724 (A flaw was found in Keycloak in versions before 9.0.2. This flaw allow ...) NOT-FOR-US: Keycloak CVE-2020-1723 (The logout endpoint /oauth/logout?redirect=url can be abused to redire ...) - TODO: check + NOT-FOR-US: Keycloak CVE-2020-1722 (A flaw was found in all ipa versions 4.x.x through 4.8.0. When sending ...) - freeipa 4.8.8-2 (bug #966200) [buster] - freeipa (Minor issue) @@ -69446,7 +69459,7 @@ CVE-2020-0473 (In updateIncomingFileConfirmNotification of BluetoothOppNotificat CVE-2020-0472 RESERVED CVE-2020-0471 (In reassemble_and_dispatch of packet_fragmenter.cc, there is a possibl ...) - TODO: check + NOT-FOR-US: Android CVE-2020-0470 (In extend_frame_highbd of restoration.c, there is a possible out of bo ...) NOT-FOR-US: Android Media Framework CVE-2020-0469 (In addEscrowToken of LockSettingsService.java, there is a possible los ...) -- cgit v1.2.3
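Review bot: in the hunk at -13885, CVE-2020-24908 is assigned to check-mk although its description speaks of local users obtaining SYSTEM privileges, which is Windows terminology. Please confirm that the Debian check-mk source actually ships the affected code. If it does not, mark the entry as not affected with a short reason. In either case add a NOTE with the upstream reference, as was done for the gsoap entries.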
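Review bot: the five gsoap entries in the hunk at -38586 (CVE-2020-13574 through CVE-2020-13578) each cite only a Talos report and, unlike the rust-lock-api entries earlier in this patch, carry no bug reference. Four are described as denial of service, but CVE-2020-13576 is described as code execution in the WS-Addressing plugin. That entry deserves its own NOTE stating whether the WS-Addressing and WS-Security plugins are built into the Debian package, and a bug should be filed against gsoap to track the fix.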
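Review bot: in the hunk at -52898, CVE-2020-7786 (macfromip) becomes NOT-FOR-US, but the next entry, CVE-2020-7785 (node-ps), keeps "TODO: check" even though its description follows the same "This affects all versions of package ... The injection point is" pattern. Triage it in the same commit, or add a short NOTE on why it needs a closer look, so the two are not left handled inconsistently.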
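Review bot: CVE-2020-5428 and CVE-2020-5427 in the hunk at -58631 are tagged "NOT-FOR-US: Vmware", which names the vendor rather than the product. The descriptions refer to Spring Cloud Task and Spring Cloud Data Flow. Naming those in the tag, as this patch does with "Kubernetes Secrets Store CSI Driver" and "Keycloak", keeps the entries findable by product name.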
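Review bot: in the hunk at -62443, CVE-2020-3664 is tagged "NOT-FOR-US: Qualcomm components for Android" while the entries directly above and below it (CVE-2020-3665, CVE-2020-3663) use "NOT-FOR-US: Snapdragon". Pick one label for this block so that a search for either string returns the whole set.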