From a8927b69c8e3b709c2e6e9d2c5fc22fd3eabe0c4 Mon Sep 17 00:00:00 2001 From: security tracker role Date: Tue, 25 Jan 2022 20:10:20 +0000 Subject: automatic update --- data/CVE/list.2021 | 129 +++++++++++++++++++++++++++++------------------------ data/CVE/list.2022 | 101 ++++++++++++++++++++++++++++------------- 2 files changed, 140 insertions(+), 90 deletions(-) diff --git a/data/CVE/list.2021 b/data/CVE/list.2021 index 52eae311a3..73105e6f4a 100644 --- a/data/CVE/list.2021 +++ b/data/CVE/list.2021 @@ -1,3 +1,9 @@ +CVE-2021-4215 + RESERVED +CVE-2021-4214 + RESERVED +CVE-2021-4213 + RESERVED CVE-2021-4212 RESERVED CVE-2021-4211 @@ -1020,8 +1026,8 @@ CVE-2021-46115 RESERVED CVE-2021-46114 RESERVED -CVE-2021-46113 - RESERVED +CVE-2021-46113 (In MartDevelopers KEA-Hotel-ERP open source as of 12-31-2021, a remote ...) + TODO: check CVE-2021-46112 RESERVED CVE-2021-46111 @@ -1068,20 +1074,20 @@ CVE-2021-46091 RESERVED CVE-2021-46090 RESERVED -CVE-2021-46089 - RESERVED +CVE-2021-46089 (In JeecgBoot 3.0, there is a SQL injection vulnerability that can oper ...) + TODO: check CVE-2021-46088 RESERVED -CVE-2021-46087 - RESERVED -CVE-2021-46086 - RESERVED -CVE-2021-46085 - RESERVED -CVE-2021-46084 - RESERVED -CVE-2021-46083 - RESERVED +CVE-2021-46087 (In jfinal_cms >= 5.1 0, there is a storage XSS vulnerability in the ...) + TODO: check +CVE-2021-46086 (xzs-mysql >= t3.4.0 is vulnerable to Insecure Permissions. The fron ...) + TODO: check +CVE-2021-46085 (OneBlog <= 2.2.8 is vulnerable to Insecure Permissions. Low level a ...) + TODO: check +CVE-2021-46084 (uscat, as of 2021-12-28, is vulnerable to Cross Site Scripting (XSS) v ...) + TODO: check +CVE-2021-46083 (uscat, as of 2021-12-28, is vulnerable to Cross Site Scripting (XSS) v ...) + TODO: check CVE-2021-46082 RESERVED CVE-2021-46081 @@ -1220,10 +1226,10 @@ CVE-2021-46036 RESERVED CVE-2021-46035 RESERVED -CVE-2021-46034 - RESERVED -CVE-2021-46033 - RESERVED +CVE-2021-46034 (A problem was found in ForestBlog, as of 2021-12-29, there is a XSS vu ...) + TODO: check +CVE-2021-46033 (In ForestBlog, as of 2021-12-28, File upload can bypass verification. ...) + TODO: check CVE-2021-46032 RESERVED CVE-2021-46031 @@ -1803,14 +1809,14 @@ CVE-2021-45849 RESERVED CVE-2021-45848 RESERVED -CVE-2021-45847 - RESERVED -CVE-2021-45846 - RESERVED -CVE-2021-45845 - RESERVED -CVE-2021-45844 - RESERVED +CVE-2021-45847 (Several missing input validations in the 3MF parser component of Slic3 ...) + TODO: check +CVE-2021-45846 (A flaw in the AMF parser of Slic3r libslic3r 1.3.0 allows an attacker ...) + TODO: check +CVE-2021-45845 (The Path Sanity Check script of FreeCAD 0.19 is vulnerable to OS comma ...) + TODO: check +CVE-2021-45844 (Improper sanitization in the invocation of ODA File Converter from Fre ...) + TODO: check CVE-2021-45843 (glFusion CMS v1.7.9 is affected by a reflected Cross Site Scripting (X ...) NOT-FOR-US: glFusion CMS CVE-2021-45842 @@ -1893,10 +1899,10 @@ CVE-2021-45805 RESERVED CVE-2021-45804 RESERVED -CVE-2021-45803 - RESERVED -CVE-2021-45802 - RESERVED +CVE-2021-45803 (MartDevelopers iResturant 1.0 is vulnerable to SQL Injection. SQL Inje ...) + TODO: check +CVE-2021-45802 (MartDevelopers iResturant 1.0 is vulnerable to SQL Injection. SQL Inje ...) + TODO: check CVE-2021-45801 RESERVED CVE-2021-45800 @@ -3022,14 +3028,14 @@ CVE-2021-45345 RESERVED CVE-2021-45344 RESERVED -CVE-2021-45343 - RESERVED -CVE-2021-45342 - RESERVED -CVE-2021-45341 - RESERVED -CVE-2021-45340 - RESERVED +CVE-2021-45343 (In LibreCAD 2.2.0, a NULL pointer dereference in the HATCH handling of ...) + TODO: check +CVE-2021-45342 (A buffer overflow vulnerability in CDataList of the jwwlib component o ...) + TODO: check +CVE-2021-45341 (A buffer overflow vulnerability in CDataMoji of the jwwlib component o ...) + TODO: check +CVE-2021-45340 (In Libsixel prior to and including v1.10.3, a NULL pointer dereference ...) + TODO: check CVE-2021-45339 (Privilege escalation vulnerability in Avast Antivirus prior to 20.4 al ...) NOT-FOR-US: Avast Antivirus CVE-2021-45338 (Multiple privilege escalation vulnerabilities in Avast Antivirus prior ...) @@ -3903,8 +3909,8 @@ CVE-2021-45031 RESERVED CVE-2021-45030 RESERVED -CVE-2021-45029 - RESERVED +CVE-2021-45029 (Groovy Code Injection & SpEL Injection which lead to Remote Code E ...) + TODO: check CVE-2021-45028 RESERVED CVE-2021-45027 @@ -5727,6 +5733,7 @@ CVE-2021-44354 RESERVED CVE-2021-4034 RESERVED + {DSA-5059-1 DLA-2899-1} - policykit-1 0.105-31.1 NOTE: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt NOTE: https://gitlab.freedesktop.org/polkit/polkit/-/commit/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683 @@ -7028,8 +7035,8 @@ CVE-2021-43865 RESERVED CVE-2021-43864 RESERVED -CVE-2021-43863 - RESERVED +CVE-2021-43863 (The Nextcloud Android app is the Android client for Nextcloud, a self- ...) + TODO: check CVE-2021-43862 (jQuery Terminal Emulator is a plugin for creating command line interpr ...) NOT-FOR-US: jQuery Terminal Emulator CVE-2021-43861 (Mermaid is a Javascript based diagramming and charting tool that uses ...) @@ -11879,8 +11886,8 @@ CVE-2021-41851 RESERVED CVE-2021-3851 (firefly-iii is vulnerable to URL Redirection to Untrusted Site ...) NOT-FOR-US: firefly-iii -CVE-2021-3850 - RESERVED +CVE-2021-3850 (Authentication Bypass by Primary Weakness in GitHub repository adodb/a ...) + TODO: check CVE-2021-3849 RESERVED CVE-2021-41850 @@ -18848,8 +18855,8 @@ CVE-2021-39033 RESERVED CVE-2021-39032 (IBM Sterling Gentran:Server for Microsoft Windows 5.3 stores potential ...) NOT-FOR-US: IBM -CVE-2021-39031 - RESERVED +CVE-2021-39031 (IBM WebSphere Application Server - Liberty 17.0.0.3 through 22.0.0.1 c ...) + TODO: check CVE-2021-39030 RESERVED CVE-2021-39029 @@ -28682,23 +28689,22 @@ CVE-2021-34872 (This vulnerability allows remote attackers to execute arbitrary NOT-FOR-US: Bentley View CVE-2021-34871 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Bentley View -CVE-2021-34870 - RESERVED -CVE-2021-34869 - RESERVED -CVE-2021-34868 - RESERVED -CVE-2021-34867 - RESERVED -CVE-2021-34866 - RESERVED +CVE-2021-34870 (This vulnerability allows network-adjacent attackers to disclose sensi ...) + TODO: check +CVE-2021-34869 (This vulnerability allows local attackers to escalate privileges on af ...) + TODO: check +CVE-2021-34868 (This vulnerability allows local attackers to escalate privileges on af ...) + TODO: check +CVE-2021-34867 (This vulnerability allows local attackers to escalate privileges on af ...) + TODO: check +CVE-2021-34866 (This vulnerability allows local attackers to escalate privileges on af ...) - linux 5.14.6-1 [bullseye] - linux 5.10.70-1 [buster] - linux (Vulnerable code introduced later) [stretch] - linux (Vulnerable code introduced later) NOTE: Fixed by: https://git.kernel.org/linus/5b029a32cfe4600f5e10e36b41778506b90fd4de (5.14) -CVE-2021-34865 - RESERVED +CVE-2021-34865 (This vulnerability allows network-adjacent attackers to bypass authent ...) + TODO: check CVE-2021-34864 (This vulnerability allows local attackers to escalate privileges on af ...) NOT-FOR-US: Parallels Desktop CVE-2021-34863 (This vulnerability allows network-adjacent attackers to execute arbitr ...) @@ -38165,6 +38171,7 @@ CVE-2021-30986 (A device configuration issue was addressed with an updated confi CVE-2021-30985 (An out-of-bounds write issue was addressed with improved bounds checki ...) NOT-FOR-US: Apple CVE-2021-30984 (A race condition was addressed with improved state handling. This issu ...) + {DSA-5061-1 DSA-5060-1} - webkit2gtk 2.34.4-1 [stretch] - webkit2gtk (Not covered by security support in stretch) - wpewebkit 2.34.4-1 @@ -38228,21 +38235,25 @@ CVE-2021-30956 CVE-2021-30955 (A race condition was addressed with improved state handling. This issu ...) NOT-FOR-US: Apple CVE-2021-30954 (A type confusion issue was addressed with improved memory handling. Th ...) + {DSA-5061-1 DSA-5060-1} - webkit2gtk 2.34.4-1 [stretch] - webkit2gtk (Not covered by security support in stretch) - wpewebkit 2.34.4-1 NOTE: https://webkitgtk.org/security/WSA-2022-0001.html CVE-2021-30953 (An out-of-bounds read was addressed with improved bounds checking. Thi ...) + {DSA-5061-1 DSA-5060-1} - webkit2gtk 2.34.4-1 [stretch] - webkit2gtk (Not covered by security support in stretch) - wpewebkit 2.34.4-1 NOTE: https://webkitgtk.org/security/WSA-2022-0001.html CVE-2021-30952 (An integer overflow was addressed with improved input validation. This ...) + {DSA-5061-1 DSA-5060-1} - webkit2gtk 2.34.4-1 [stretch] - webkit2gtk (Not covered by security support in stretch) - wpewebkit 2.34.4-1 NOTE: https://webkitgtk.org/security/WSA-2022-0001.html CVE-2021-30951 (A use after free issue was addressed with improved memory management. ...) + {DSA-5061-1 DSA-5060-1} - webkit2gtk 2.34.4-1 [stretch] - webkit2gtk (Not covered by security support in stretch) - wpewebkit 2.34.4-1 @@ -38276,6 +38287,7 @@ CVE-2021-30938 (This issue was addressed with improved checks. This issue is fix CVE-2021-30937 (A memory corruption vulnerability was addressed with improved locking. ...) NOT-FOR-US: Apple CVE-2021-30936 (A use after free issue was addressed with improved memory management. ...) + {DSA-5061-1 DSA-5060-1} - webkit2gtk 2.34.4-1 [stretch] - webkit2gtk (Not covered by security support in stretch) - wpewebkit 2.34.4-1 @@ -38283,6 +38295,7 @@ CVE-2021-30936 (A use after free issue was addressed with improved memory manage CVE-2021-30935 (A logic issue was addressed with improved validation. This issue is fi ...) NOT-FOR-US: Apple CVE-2021-30934 (A buffer overflow issue was addressed with improved memory handling. T ...) + {DSA-5061-1 DSA-5060-1} - webkit2gtk 2.34.4-1 [stretch] - webkit2gtk (Not covered by security support in stretch) - wpewebkit 2.34.4-1 diff --git a/data/CVE/list.2022 b/data/CVE/list.2022 index f10924caaa..6093f19ce4 100644 --- a/data/CVE/list.2022 +++ b/data/CVE/list.2022 @@ -1,3 +1,43 @@ +CVE-2022-23947 + RESERVED +CVE-2022-23946 + RESERVED +CVE-2022-23945 (Missing authentication on ShenYu Admin when register by HTTP. This iss ...) + TODO: check +CVE-2022-23944 (User can access /plugin api without authentication. This issue affecte ...) + TODO: check +CVE-2022-23943 + RESERVED +CVE-2022-23942 + RESERVED +CVE-2022-21184 + RESERVED +CVE-2022-0368 + RESERVED +CVE-2022-0367 + RESERVED +CVE-2022-0366 + RESERVED +CVE-2022-0365 + RESERVED +CVE-2022-0364 + RESERVED +CVE-2022-0363 + RESERVED +CVE-2022-0362 + RESERVED +CVE-2022-0361 + RESERVED +CVE-2022-0360 + RESERVED +CVE-2022-0359 + RESERVED +CVE-2022-0358 + RESERVED +CVE-2022-0357 + RESERVED +CVE-2022-0356 + RESERVED CVE-2022-23941 RESERVED CVE-2022-23940 @@ -155,8 +195,8 @@ CVE-2022-23865 RESERVED CVE-2022-0352 RESERVED -CVE-2022-0351 - RESERVED +CVE-2022-0351 (Access of Memory Location Before Start of Buffer in Conda vim prior to ...) + TODO: check CVE-2022-0350 RESERVED CVE-2022-0349 @@ -214,8 +254,8 @@ CVE-2022-23849 RESERVED CVE-2022-0339 RESERVED -CVE-2022-0338 - RESERVED +CVE-2022-0338 (Improper Privilege Management in Conda loguru prior to 0.5.3. ...) + TODO: check CVE-2022-23848 RESERVED CVE-2022-23847 @@ -1547,8 +1587,8 @@ CVE-2022-0270 RESERVED CVE-2022-0269 (Cross-Site Request Forgery (CSRF) in Packagist yetiforce/yetiforce-crm ...) TODO: check -CVE-2022-0268 - RESERVED +CVE-2022-0268 (Cross-site Scripting (XSS) - Stored in Packagist getgrav/grav prior to ...) + TODO: check CVE-2022-0267 RESERVED CVE-2022-23312 @@ -1808,8 +1848,8 @@ CVE-2022-23225 RESERVED CVE-2022-23224 RESERVED -CVE-2022-23223 - RESERVED +CVE-2022-23223 (The HTTP response will disclose the user password. This issue affected ...) + TODO: check CVE-2022-23221 (H2 Console before 2.1.210 allows remote attackers to execute arbitrary ...) - h2database NOTE: https://github.com/h2database/h2database/releases/tag/version-2.1.210 @@ -2362,20 +2402,17 @@ CVE-2022-23037 RESERVED CVE-2022-23036 RESERVED -CVE-2022-23035 - RESERVED +CVE-2022-23035 (Insufficient cleanup of passed-through device IRQs The management of I ...) - xen [buster] - xen (DSA 4677-1) [stretch] - xen (DSA 4602-1) NOTE: https://xenbits.xen.org/xsa/advisory-395.html -CVE-2022-23034 - RESERVED +CVE-2022-23034 (A PV guest could DoS Xen while unmapping a grant To address XSA-380, r ...) - xen [buster] - xen (DSA 4677-1) [stretch] - xen (DSA 4602-1) NOTE: https://xenbits.xen.org/xsa/advisory-394.html -CVE-2022-23033 - RESERVED +CVE-2022-23033 (arm: guest_physmap_remove_page not removing the p2m mappings The funct ...) - xen [buster] - xen (DSA 4677-1) [stretch] - xen (DSA 4602-1) @@ -3090,7 +3127,7 @@ CVE-2022-22748 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-03/#CVE-2022-22748 CVE-2022-22747 RESERVED - {DSA-5045-1 DSA-5044-1 DLA-2881-1 DLA-2880-1} + {DSA-5045-1 DSA-5044-1 DLA-2898-1 DLA-2881-1 DLA-2880-1} - nss 2:3.73-1 - firefox 96.0-1 - firefox-esr 91.5.0esr-1 @@ -5690,8 +5727,8 @@ CVE-2022-21699 (IPython (Interactive Python) is a command shell for interactive NOTE: https://ipython.readthedocs.io/en/stable/whatsnew/version8.html#ipython-8-0-1-cve-2022-21699 CVE-2022-21698 RESERVED -CVE-2022-21697 - RESERVED +CVE-2022-21697 (Jupyter Server Proxy is a Jupyter notebook server extension to proxy w ...) + TODO: check CVE-2022-21696 (OnionShare is an open source tool that lets you securely and anonymous ...) - onionshare NOTE: https://github.com/onionshare/onionshare/security/advisories/GHSA-68vr-8f46-vc9f @@ -6395,11 +6432,11 @@ CVE-2022-21367 (Vulnerability in the MySQL Server product of Oracle MySQL (compo - mysql-5.7 - mysql-8.0 CVE-2022-21366 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) - {DSA-5057-1} + {DSA-5058-1 DSA-5057-1} - openjdk-11 11.0.14+9-1 - openjdk-17 17.0.2+8-1 CVE-2022-21365 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) - {DSA-5057-1} + {DSA-5058-1 DSA-5057-1} - openjdk-8 - openjdk-11 11.0.14+9-1 - openjdk-17 17.0.2+8-1 @@ -6412,7 +6449,7 @@ CVE-2022-21362 (Vulnerability in the MySQL Server product of Oracle MySQL (compo CVE-2022-21361 (Vulnerability in the Oracle WebLogic Server product of Oracle Fusion M ...) NOT-FOR-US: Oracle CVE-2022-21360 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) - {DSA-5057-1} + {DSA-5058-1 DSA-5057-1} - openjdk-8 - openjdk-11 11.0.14+9-1 - openjdk-17 17.0.2+8-1 @@ -6454,12 +6491,12 @@ CVE-2022-21343 CVE-2022-21342 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-8.0 CVE-2022-21341 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) - {DSA-5057-1} + {DSA-5058-1 DSA-5057-1} - openjdk-8 - openjdk-11 11.0.14+9-1 - openjdk-17 17.0.2+8-1 CVE-2022-21340 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) - {DSA-5057-1} + {DSA-5058-1 DSA-5057-1} - openjdk-8 - openjdk-11 11.0.14+9-1 - openjdk-17 17.0.2+8-1 @@ -6532,7 +6569,7 @@ CVE-2022-21307 (Vulnerability in the MySQL Cluster product of Oracle MySQL (comp CVE-2022-21306 (Vulnerability in the Oracle WebLogic Server product of Oracle Fusion M ...) NOT-FOR-US: Oracle CVE-2022-21305 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) - {DSA-5057-1} + {DSA-5058-1 DSA-5057-1} - openjdk-8 - openjdk-11 11.0.14+9-1 - openjdk-17 17.0.2+8-1 @@ -6549,7 +6586,7 @@ CVE-2022-21301 (Vulnerability in the MySQL Server product of Oracle MySQL (compo CVE-2022-21300 (Vulnerability in the PeopleSoft Enterprise CS SA Integration Pack prod ...) NOT-FOR-US: Oracle CVE-2022-21299 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) - {DSA-5057-1} + {DSA-5058-1 DSA-5057-1} - openjdk-8 - openjdk-11 11.0.14+9-1 - openjdk-17 17.0.2+8-1 @@ -6558,26 +6595,26 @@ CVE-2022-21298 (Vulnerability in the Oracle Solaris product of Oracle Systems (c CVE-2022-21297 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-8.0 CVE-2022-21296 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) - {DSA-5057-1} + {DSA-5058-1 DSA-5057-1} - openjdk-8 - openjdk-11 11.0.14+9-1 - openjdk-17 17.0.2+8-1 CVE-2022-21295 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) - virtualbox (Windows-specific) CVE-2022-21294 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) - {DSA-5057-1} + {DSA-5058-1 DSA-5057-1} - openjdk-8 - openjdk-11 11.0.14+9-1 - openjdk-17 17.0.2+8-1 CVE-2022-21293 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) - {DSA-5057-1} + {DSA-5058-1 DSA-5057-1} - openjdk-8 - openjdk-11 11.0.14+9-1 - openjdk-17 17.0.2+8-1 CVE-2022-21292 (Vulnerability in the Oracle WebLogic Server product of Oracle Fusion M ...) NOT-FOR-US: Oracle CVE-2022-21291 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) - {DSA-5057-1} + {DSA-5058-1 DSA-5057-1} - openjdk-8 - openjdk-11 11.0.14+9-1 - openjdk-17 17.0.2+8-1 @@ -6596,11 +6633,11 @@ CVE-2022-21285 (Vulnerability in the MySQL Cluster product of Oracle MySQL (comp CVE-2022-21284 (Vulnerability in the MySQL Cluster product of Oracle MySQL (component: ...) NOT-FOR-US: MySQL Cluster CVE-2022-21283 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) - {DSA-5057-1} + {DSA-5058-1 DSA-5057-1} - openjdk-11 11.0.14+9-1 - openjdk-17 17.0.2+8-1 CVE-2022-21282 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) - {DSA-5057-1} + {DSA-5058-1 DSA-5057-1} - openjdk-8 - openjdk-11 11.0.14+9-1 - openjdk-17 17.0.2+8-1 @@ -6613,7 +6650,7 @@ CVE-2022-21279 (Vulnerability in the MySQL Cluster product of Oracle MySQL (comp CVE-2022-21278 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-8.0 CVE-2022-21277 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) - {DSA-5057-1} + {DSA-5058-1 DSA-5057-1} - openjdk-11 11.0.14+9-1 - openjdk-17 17.0.2+8-1 CVE-2022-21276 (Vulnerability in the Oracle Communications Billing and Revenue Managem ...) @@ -6675,7 +6712,7 @@ CVE-2022-21250 (Vulnerability in the Oracle Trade Management product of Oracle E CVE-2022-21249 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-8.0 CVE-2022-21248 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) - {DSA-5057-1} + {DSA-5058-1 DSA-5057-1} - openjdk-8 - openjdk-11 11.0.14+9-1 - openjdk-17 17.0.2+8-1 -- cgit v1.2.3