From 7077067e2144001550bd0fef1aeec4e114898ebc Mon Sep 17 00:00:00 2001 From: security tracker role Date: Wed, 8 Jul 2020 20:10:20 +0000 Subject: automatic update --- data/CVE/list.2019 | 14 ++++++------ data/CVE/list.2020 | 62 ++++++++++++++++++++++++++++-------------------------- 2 files changed, 39 insertions(+), 37 deletions(-) diff --git a/data/CVE/list.2019 b/data/CVE/list.2019 index 8a05ef58fa..99e8cf59dd 100644 --- a/data/CVE/list.2019 +++ b/data/CVE/list.2019 @@ -3868,17 +3868,17 @@ CVE-2019-19419 RESERVED CVE-2019-19418 RESERVED -CVE-2019-19417 - RESERVED -CVE-2019-19416 - RESERVED -CVE-2019-19415 - RESERVED +CVE-2019-19417 (The SIP module of some Huawei products have a denial of service (DoS) ...) + TODO: check +CVE-2019-19416 (The SIP module of some Huawei products have a denial of service (DoS) ...) + TODO: check +CVE-2019-19415 (The SIP module of some Huawei products have a denial of service (DoS) ...) + TODO: check CVE-2019-19414 (There is an integer overflow vulnerability in LDAP server of some Huaw ...) NOT-FOR-US: Huawei CVE-2019-19413 (There is an integer overflow vulnerability in LDAP client of some Huaw ...) NOT-FOR-US: Huawei -CVE-2019-19412 (Some Huawei smart phones have a Factory Reset Protection (FRP) bypass ...) +CVE-2019-19412 (Huawei smart phones have a Factory Reset Protection (FRP) bypass secur ...) NOT-FOR-US: Huawei CVE-2019-19411 (USG9500 with versions of V500R001C30SPC100, V500R001C30SPC200, V500R00 ...) NOT-FOR-US: Huawei diff --git a/data/CVE/list.2020 b/data/CVE/list.2020 index 9e2a4b3a8d..1744ba89fc 100644 --- a/data/CVE/list.2020 +++ b/data/CVE/list.2020 @@ -2455,7 +2455,7 @@ CVE-2020-14478 CVE-2020-14477 (In Philips Ultrasound ClearVue Versions 3.2 and prior, Ultrasound CX V ...) NOT-FOR-US: Philips CVE-2020-14476 - RESERVED + REJECTED CVE-2020-14475 (A reflected cross-site scripting (XSS) vulnerability in Dolibarr 11.0. ...) - dolibarr NOTE: https://github.com/Dolibarr/dolibarr/commit/22ca5e067189bffe8066df26df923a386f044c08 
@@ -8328,8 +8328,8 @@ CVE-2020-11996 (A specially crafted sequence of HTTP/2 requests sent to Apache T NOTE: https://github.com/apache/tomcat/commit/c8acd2ab7371e39aeca7c306f3b5380f00afe552 (8.5.56) CVE-2020-11995 RESERVED -CVE-2020-11994 - RESERVED +CVE-2020-11994 (Server-Side Template Injection and arbitrary file disclosure on Camel ...) + TODO: check CVE-2020-11993 RESERVED CVE-2020-11992 @@ -8339,6 +8339,7 @@ CVE-2020-11991 CVE-2020-11990 RESERVED CVE-2020-11989 (Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic ...) + {DLA-2273-1} - shiro NOTE: https://www.openwall.com/lists/oss-security/2020/06/22/1 NOTE: https://github.com/apache/shiro/pull/211 @@ -8692,8 +8693,8 @@ CVE-2020-11851 RESERVED CVE-2020-11850 RESERVED -CVE-2020-11849 - RESERVED +CVE-2020-11849 (Elevation of privilege and/or unauthorized access vulnerability in Mic ...) + TODO: check CVE-2020-11848 RESERVED CVE-2020-11847 @@ -10541,7 +10542,7 @@ CVE-2020-11076 (In Puma (RubyGem) before 4.3.4 and 3.12.5, an attacker could smu NOTE: https://github.com/puma/puma/commit/f24d5521295a2152c286abb0a45a1e1e2bd275bd CVE-2020-11075 (In Anchore Engine version 0.7.0, a specially crafted container image m ...) NOT-FOR-US: Anchore Engine -CVE-2020-11074 (In PrestaShop from version 1.5.3.0 and before version 1.7.7.6, there i ...) +CVE-2020-11074 (In PrestaShop from version 1.5.3.0 and before version 1.7.6.6, there i ...) NOT-FOR-US: PrestaShop CVE-2020-11073 (In Autoswitch Python Virtualenv before version 0.16.0, a user who ente ...) NOT-FOR-US: zsh-autoswitch-virtualenv @@ -11066,6 +11067,7 @@ CVE-2020-10935 (Zulip Server before 2.1.3 allows XSS via a Markdown link, with r CVE-2020-10934 (Acyba AcyMailing before 6.9.2 mishandles file uploads by admins. ...) NOT-FOR-US: Acyba AcyMailing CVE-2020-10933 (An issue was discovered in Ruby 2.5.x through 2.5.7, 2.6.x through 2.6 ...) + {DSA-4721-1} - ruby2.7 2.7.1-1 - ruby2.5 - ruby2.3 (Vulnerable code introduced in 2.5.0) 
@@ -11873,7 +11875,7 @@ CVE-2020-10665 (Docker Desktop allows local privilege escalation to NT AUTHORITY CVE-2020-10664 (The IGMP component in VxWorks 6.8.3 IPNET CVE patches created in 2019 ...) NOT-FOR-US: VxWorks CVE-2020-10663 (The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9 ...) - {DLA-2192-1 DLA-2190-1} + {DSA-4721-1 DLA-2192-1 DLA-2190-1} - ruby-json 2.3.0+dfsg-1 [buster] - ruby-json (Minor issue) [stretch] - ruby-json (Minor issue) @@ -12499,7 +12501,7 @@ CVE-2020-10379 (In Pillow before 7.1.0, there are two Buffer Overflows in libIma [jessie] - pillow (Minor issue) NOTE: https://github.com/python-pillow/Pillow/pull/4538 NOTE: Fixed in 6.2.3 and 7.1.0 -CVE-2020-10378 (In libImaging/PcxDecode.c in Pillow before 6.2.3 and 7.x before 7.0.1, ...) +CVE-2020-10378 (In libImaging/PcxDecode.c in Pillow before before 7.0.1, an out-of-bou ...) - pillow [jessie] - pillow (Minor issue) NOTE: https://github.com/python-pillow/Pillow/pull/4538 @@ -12936,7 +12938,7 @@ CVE-2020-10179 RESERVED CVE-2020-10178 REJECTED -CVE-2020-10177 (Pillow before 6.2.3 and 7.x before 7.0.1 has multiple out-of-bounds re ...) +CVE-2020-10177 (Pillow before 7.0.1 has multiple out-of-bounds reads in libImaging/Fli ...) - pillow [jessie] - pillow (Minor issue) NOTE: https://github.com/python-pillow/Pillow/pull/4503 @@ -19644,8 +19646,8 @@ CVE-2020-7142 RESERVED CVE-2020-7141 RESERVED -CVE-2020-7140 - RESERVED +CVE-2020-7140 (A security vulnerability in HPE IceWall SSO Dfw and Dgfw (Domain Gatew ...) + TODO: check CVE-2020-7139 (Potential remote access security vulnerabilities have been identified ...) NOT-FOR-US: HPE CVE-2020-7138 (Potential remote code execution security vulnerabilities have been ide ...) 
@@ -20166,8 +20168,8 @@ CVE-2020-6940 RESERVED CVE-2020-6939 RESERVED -CVE-2020-6938 - RESERVED +CVE-2020-6938 (A sensitive information disclosure vulnerability in Tableau Server 10. ...) + TODO: check CVE-2020-6937 (A Denial of Service vulnerability in MuleSoft Mule CE/EE 3.8.x, 3.9.x, ...) NOT-FOR-US: MuleSoft CVE-2020-6936 @@ -22900,8 +22902,8 @@ CVE-2020-5841 (An issue was discovered in OpServices OpMon 9.3.1-1. Using passwo NOT-FOR-US: OpServices OpMon CVE-2020-5840 (An issue was discovered in HashBrown CMS before 1.3.2. Server/Entity/R ...) NOT-FOR-US: HashBrown CMS -CVE-2020-5839 - RESERVED +CVE-2020-5839 (Symantec Endpoint Detection And Response, prior to 4.4, may be suscept ...) + TODO: check CVE-2020-5838 (Symantec IT Analytics, prior to 2.9.1, may be susceptible to a cross-s ...) NOT-FOR-US: Symantec CVE-2020-5837 (Symantec Endpoint Protection, prior to 14.3, may not respect file perm ...) @@ -23050,8 +23052,8 @@ CVE-2020-5766 RESERVED CVE-2020-5765 RESERVED -CVE-2020-5764 - RESERVED +CVE-2020-5764 (MX Player Android App versions prior to v1.24.5, are vulnerable to a d ...) + TODO: check CVE-2020-5763 RESERVED CVE-2020-5762 @@ -26815,8 +26817,8 @@ CVE-2020-3975 RESERVED CVE-2020-3974 RESERVED -CVE-2020-3973 - RESERVED +CVE-2020-3973 (The VeloCloud Orchestrator does not apply correct input validation whi ...) + TODO: check CVE-2020-3972 (VMware Tools for macOS (11.x.x and prior before 11.1.1) contains a den ...) NOT-FOR-US: VMware CVE-2020-3971 (VMware ESXi (6.7 before ESXi670-201904101-SG and 6.5 before ESXi650-20 ...) 
@@ -26899,8 +26901,8 @@ CVE-2020-3933 (Secom Co. Dr.ID, a Door Access Control and Personnel Attendance M NOT-FOR-US: Secom Co. Dr.ID CVE-2020-3932 (A vulnerable SNMP in Draytek VigorAP910C cannot be disabled, which may ...) NOT-FOR-US: Draytek VigorAP910C -CVE-2020-3931 - RESERVED +CVE-2020-3931 (Buffer overflow exists in Geovision Door Access Control device family, ...) + TODO: check CVE-2020-3930 (GeoVision Door Access Control device family improperly stores and cont ...) NOT-FOR-US: GeoVision Door Access Control CVE-2020-3929 (GeoVision Door Access Control device family employs shared cryptograph ...) @@ -30984,16 +30986,16 @@ CVE-2020-2036 RESERVED CVE-2020-2035 RESERVED -CVE-2020-2034 - RESERVED +CVE-2020-2034 (An OS Command Injection vulnerability in the PAN-OS GlobalProtect port ...) + TODO: check CVE-2020-2033 (When the pre-logon feature is enabled, a missing certification validat ...) NOT-FOR-US: Palo Alto Networks CVE-2020-2032 (A race condition vulnerability Palo Alto Networks GlobalProtect app on ...) NOT-FOR-US: Palo Alto Networks -CVE-2020-2031 - RESERVED -CVE-2020-2030 - RESERVED +CVE-2020-2031 (An integer underflow vulnerability in the dnsproxyd component of the P ...) + TODO: check +CVE-2020-2030 (An OS Command Injection vulnerability in the PAN-OS management interfa ...) + TODO: check CVE-2020-2029 (An OS Command Injection vulnerability in the PAN-OS web management int ...) NOT-FOR-US: Palo Alto Networks CVE-2020-2028 (An OS Command Injection vulnerability in PAN-OS management server allo ...) 
@@ -31096,8 +31098,8 @@ CVE-2020-1983 (A use after free vulnerability in ip_reass() in ip_input.c of lib NOTE: https://gitlab.freedesktop.org/slirp/libslirp/-/commit/9bd6c5913271eabcb7768a58197ed3301fe19f2d NOTE: qemu 1:4.1-2 switched to system libslirp, marking that version as fixed NOTE: slirp4netns 1.0.1-1 switched to system libslirp, marking that version as fixed. -CVE-2020-1982 - RESERVED +CVE-2020-1982 (Certain communication between PAN-OS and cloud-delivered services inad ...) + TODO: check CVE-2020-1981 (A predictable temporary filename vulnerability in PAN-OS allows local ...) NOT-FOR-US: PAN-OS CVE-2020-1980 (A shell command injection vulnerability in the PAN-OS CLI allows a loc ...) @@ -31152,7 +31154,7 @@ CVE-2020-1959 (A Server-Side Template Injection was identified in Apache Syncope CVE-2020-1958 (When LDAP authentication is enabled in Apache Druid 0.17.0, callers of ...) - druid (bug #825797) CVE-2020-1957 (Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic ...) - {DLA-2181-1} + {DLA-2273-1 DLA-2181-1} - shiro (bug #955018) NOTE: https://www.openwall.com/lists/oss-security/2020/03/23/2 NOTE: Fixed by: https://github.com/apache/shiro/commit/3708d7907016bf2fa12691dff6ff0def1249b8ce#diff-98f7bc5c0391389e56531f8b3754081aL139 -- cgit v1.2.3
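Review bot: in the list.2019 hunk (@@ -3868), CVE-2019-19417, CVE-2019-19416 and CVE-2019-19415 are left at "TODO: check" although the unchanged neighbours CVE-2019-19414 and CVE-2019-19413 for the same vendor are already "NOT-FOR-US: Huawei"; once the three SIP-module descriptions are confirmed to be Huawei-only, these should be closed as NOT-FOR-US: Huawei in the same way rather than left as open TODO items. The CVE-2019-19412 change in the same hunk is only a description rewording and needs no action.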
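Review bot: in the @@ -8328 hunk, CVE-2020-11994 (Apache Camel server-side template injection and file disclosure) is a library issue rather than a vendor-appliance one like most of the RESERVED-to-TODO changes in this update, so the "TODO: check" here should be resolved by checking whether any Debian source package ships the affected Camel component before it is marked NOT-FOR-US or given a package line.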
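Review bot: in the @@ -8339 hunk, {DLA-2273-1} is added to CVE-2020-11989 but the entry keeps a bare "- shiro" with no fixed version and no bug reference, while the sibling CVE-2020-1957 entry (last hunk) records "(bug #955018)"; since both CVEs are fixed by the same DLA, confirm whether unstable is still affected and, if so, record a bug number here too so the two shiro entries are tracked consistently.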
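Review bot: in the @@ -11873 hunk, CVE-2020-10663 now carries {DSA-4721-1 DLA-2192-1 DLA-2190-1}, yet the only package line in the entry is ruby-json with "[buster] - ruby-json (Minor issue)", which reads as a no-dsa decision for buster and contradicts a DSA reference; the @@ -11066 hunk attaches the same DSA-4721-1 to ruby2.5, so if this CVE was fixed through the bundled json in ruby2.5 the entry should gain a ruby2.5 line, or a NOTE should explain that the DSA addressed the copy bundled in the interpreter and not the ruby-json package.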
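Review bot: in the @@ -12499 hunk, the updated CVE-2020-10378 description drops the "before 6.2.3" range and now reads "Pillow before before 7.0.1" (a duplicated word carried over from the upstream feed, so it should not be hand-edited in this auto-synced line); because the tracker no longer states the 6.x fixed version for this CVE, add a NOTE with the fixed versions as is done for CVE-2020-10379 just above ("NOTE: Fixed in 6.2.3 and 7.1.0") so the jessie "(Minor issue)" decision does not rest on the truncated description. The same applies to the CVE-2020-10177 change in the @@ -12936 hunk.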
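Review bot: in the @@ -30984 hunk, CVE-2020-2034, CVE-2020-2031 and CVE-2020-2030 are left at "TODO: check" while the interleaved unchanged entries CVE-2020-2033, CVE-2020-2032, CVE-2020-2029 and CVE-2020-2028 for the same PAN-OS product line are "NOT-FOR-US: Palo Alto Networks"; triage these three the same way, and likewise CVE-2020-1982 in the @@ -31096 hunk, whose neighbours CVE-2020-1981 and CVE-2020-1980 are already "NOT-FOR-US: PAN-OS".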
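Review bot: in the @@ -26899 hunk, CVE-2020-3931 (Geovision Door Access Control buffer overflow) stays at "TODO: check" although CVE-2020-3930 and CVE-2020-3929 directly below it are "NOT-FOR-US: GeoVision Door Access Control"; the same pattern holds for CVE-2020-7140 (@@ -19644, HPE IceWall, neighbours NOT-FOR-US: HPE) and CVE-2020-5839 (@@ -22900, Symantec, neighbour NOT-FOR-US: Symantec), so these TODO markers can be closed as NOT-FOR-US once the descriptions are verified.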