diff options
36 files changed, 28215 insertions, 7684 deletions
diff --git a/bin/gen-DSA b/bin/gen-DSA index f909ca504d..346214c2ff 100755 --- a/bin/gen-DSA +++ b/bin/gen-DSA @@ -195,7 +195,7 @@ while [ $# -gt 0 ]; do [cC][vV][eE]-*) CVE="$CVE $(toupper "$1")" ;; - [0-9][0-9][0-9][0-9][0-9][0-9]|[#][0-9]*) + [0-9][0-9][0-9][0-9][0-9][0-9][0-9]|[#][0-9]*) BUGNUM="$BUGNUM ${1#\#}" ;; *) @@ -372,8 +372,10 @@ for dist in $CODENAMES; do [ -z "$version" ] || DISTS="${DISTS},${dist}" done +DISTS="${DISTS#,}" + if [ -n "${DISTS}" ]; then - bin/remove-cve-dist-tags "${DISTS#,}" "${PACKAGE}" ${CVE} + bin/remove-cve-dist-tags "${DISTS}" "${PACKAGE}" ${CVE} fi if ! $save; then @@ -412,9 +414,12 @@ EOF echo "$IDMODE text written to ./$IDMODE-$DAID" if [ "$IDMODE" = "DLA" ] || [ "$IDMODE" = "ELA" ]; then idmode=$(echo "$IDMODE" | tr A-Z a-z) + if [ -n "${DISTS}" ]; then + extracvefile=`jq -r ".distributions.${DISTS}.maincvefile // empty" data/config.json` + fi if [ -d .git ]; then echo "Made the following changes:" - git diff -- data/$IDMODE/list data/CVE/list $needed_file + git diff -- data/$IDMODE/list data/CVE/list $extracvefile $needed_file if ! git diff-index --name-only HEAD -- $needed_file | grep -qs . && [ $TYPE = security ]; then warn "did not make any changes to $needed_file - this may indicate duplicate work or misspelled package name" fi @@ -424,7 +429,7 @@ EOF echo -n "Do you want to commit and push them now ? [Yn] " read reply if [ "$reply" = "Y" ] || [ "$reply" = "" ] || [ "$reply" = "y" ]; then - git add data/$IDMODE/list data/CVE/list $needed_file + git add data/$IDMODE/list data/CVE/list $extracvefile $needed_file git commit -m "Reserve $IDMODE-$DAID for $PACKAGE" git push origin master fi diff --git a/bin/grab-cve-in-fix b/bin/grab-cve-in-fix new file mode 100755 index 0000000000..98ea9cd476 --- /dev/null +++ b/bin/grab-cve-in-fix @@ -0,0 +1,414 @@ +#!/usr/bin/env python3 +# -*- coding: utf-8 -*- + +""" +grab-cve-in-fix - #1001451 + +- queries the latest version of source:<package_name> in unstable +- extracts all mentioned CVE IDs from the change +- creates a correctly formatted CVE snippet with the recorded fixes that + can be reviewed and merged into the main data/CVE/list +""" + +# +# Copyright 2021-2022 Neil Williams <codehelp@debian.org> +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, +# MA 02110-1301, USA. +# + +# pylint: disable=too-few-public-methods,line-too-long,too-many-instance-attributes,too-many-branches + +# Examples: +# --archive https://lists.debian.org/debian-devel-changes/2021/12/msg01280.html +# --tracker https://tracker.debian.org/news/1285227/accepted-freerdp2-241dfsg1-1-source-into-unstable/ + +import argparse +import os +import glob +import logging +import re +import sys +import requests + +# depends on python3-apt +import apt_pkg + +# depends on python3-debian +from debian.deb822 import Changes + +import setup_paths # noqa # pylint: disable=unused-import +from sectracker.parsers import ( + sourcepackages, + FlagAnnotation, + StringAnnotation, + PackageAnnotation, + Bug, + cvelist, + writecvelist, +) + + +class ParseChanges: + """Base for parsing DEB822 content into a CVE list""" + + def __init__(self, url): + self.url = url + self.source_package = None + self.cves = [] + self.bugs = {} + self.parsed = [] + self.unstable_version = None + self.tracker_base = "https://security-tracker.debian.org/tracker/source-package/" + self.logger = logging.getLogger("grab-cve-in-fix") + self.logger.setLevel(logging.DEBUG) + # console logging + ch_log = logging.StreamHandler() + ch_log.setLevel(logging.DEBUG) + formatter = logging.Formatter("%(name)s - %(levelname)s - %(message)s") + ch_log.setFormatter(formatter) + self.logger.addHandler(ch_log) + apt_pkg.init_system() # pylint: disable=c-extension-no-member + + def _read_cvelist(self): + os.chdir(os.path.dirname(os.path.dirname(os.path.realpath(__file__)))) + data, _ = cvelist("data/CVE/list") # pylint: disable=no-value-for-parameter + for cve in self.cves: + for bug in data: + if bug.header.name == cve: + self.bugs[cve] = bug + package_checks = {} + cve_notes = {} + for cve, bug in self.bugs.items(): + self.logger.info("%s: %s", bug.header.name, bug.header.description) + for line in bug.annotations: + if isinstance(line, PackageAnnotation): + package_checks.setdefault(cve, []) + package_checks[cve].append(line.package) + if isinstance(line, StringAnnotation) or isinstance(line, FlagAnnotation): + cve_notes.setdefault(cve, []) + cve_notes[cve].append(line.type) + if cve not in package_checks: + self.logger.error("CVE %s is not attributed to a Debian package: %s", cve, cve_notes.get(cve, "")) + elif self.source_package not in package_checks[cve]: + self.logger.warning( + "%s is listed against %s, not %s", cve, list(set(package_checks[cve])), self.source_package + ) + if not self.cves: + self.logger.warning( + "no CVEs found in the changes output " "for %s %s", + self.source_package, + self.unstable_version, + ) + + def parse(self): + """Parser-specific code to pick out the DEB822 content""" + raise NotImplementedError + + def _read_changes(self): + if not self.parsed: + return + rel = Changes(self.parsed) + changes = rel.get("Changes") + if not changes: + self.logger.error("%s %s\n", rel, self.parsed) + return + self.source_package = rel.get("Source") + self.unstable_version = rel.get("Version") + match = None + for log in changes.splitlines(): + match = re.findall(r"(CVE-[0-9]{4}-[0-9]+)", log) + if match: + self.cves += match + + def add_unstable_version(self): + """ + Writes out a CVE file snippet with the filename: + ./<src_package>.list + Fails if the file already exists. + + Prints error if any of the listed CVEs are not found + for the specified source_package. + + If a new version is set, the fixed version for the CVE will + be updated to that version. Uses python3-apt to only update + if the version is declared, by apt, to be newer. + + A typo in the CVE ID *may* cause a CVE to be declared as + fixed in the wrong source package. This is complicated by + the need to allow for embedded copies and removed packages. + """ + modified = [] + cve_file = f"{self.source_package}.list" + cves = sorted(set(self.cves)) + cves.reverse() + for cve in cves: + if cve not in self.bugs: + self.logger.error( + "%s was not found in the Security Tracker CVE list! Check %s%s - " + "possible typo in the package changelog? Check the list of CVEs " + "in the security tracker and use this script again, in offline mode." + " ./bin grab-cve-in-fix --src %s --cves corrected-cve", + cve, + self.tracker_base, + self.source_package, + self.source_package, + ) + continue + for line in self.bugs[cve].annotations: + if not isinstance(line, PackageAnnotation): + continue # skip notes etc. + if line.release: # only update unstable + continue + if line.package != self.source_package: + self.logger.info( + "Ignoring %s annotation for %s", + cve, + line.package, + ) + continue # allow for removed, old or alternate pkg names + if line.version: + vcompare = apt_pkg.version_compare( # pylint: disable=c-extension-no-member + line.version, self.unstable_version + ) + if vcompare < 0: + self.logger.info("Updating %s to %s", line.version, self.unstable_version) + mod_line = line._replace(version=self.unstable_version) + index = self.bugs[cve].annotations.index(line) + bug_list = list(self.bugs[cve].annotations) + bug_list[index] = mod_line + mod_bug = Bug(self.bugs[cve].file, self.bugs[cve].header, tuple(bug_list)) + modified.append(mod_bug) + elif vcompare > 0: + self.logger.error( + "%s is listed as fixed in %s which is newer than %s", + cve, + line.version, + self.unstable_version, + ) + else: + self.logger.info( + "%s already has annotation for - %s %s", + cve, + self.source_package, + line.version, + ) + else: + mod_line = line._replace(version=self.unstable_version) + index = self.bugs[cve].annotations.index(line) + bug_list = list(self.bugs[cve].annotations) + bug_list[index] = mod_line + mod_bug = Bug(self.bugs[cve].file, self.bugs[cve].header, tuple(bug_list)) + modified.append(mod_bug) + if not modified: + return 0 + if os.path.exists(cve_file): + self.logger.critical("%s already exists", cve_file) + return -1 + for cve in modified: + self.logger.info( + "Writing to ./%s with update for %s - %s %s", + cve_file, + cve.header.name, + self.source_package, + self.unstable_version, + ) + with open(cve_file, "a") as snippet: + writecvelist(modified, snippet) + return 0 + + +class ParseSources(ParseChanges): + """Read latest version in unstable from updated local Sources files""" + + def parse(self): + """ + Support to pick up unstable_version from the local packages cache. + + Also supports explicitly setting the version for times when + the package has received an unrelated update in unstable. + """ + if self.unstable_version: + self.logger.info("Using forced version: %s", self.unstable_version) + self._read_cvelist() + self.add_unstable_version() + return 0 + + self.logger.info("Retrieving data from local packages data...") + if not self.source_package or not self.cves: + self.logger.error("for offline use, specify both --src and --cves options") + return 1 + # self.url contains pkgdir which needs to contain Sources files + os.chdir(self.url) + for srcs_file in glob.glob("sid*Sources"): + srcs = sourcepackages(srcs_file) # pylint: disable=no-value-for-parameter + if srcs.get(self.source_package): + self.unstable_version = srcs[self.source_package].version + # src package is only listed in one Sources file + break + self._read_cvelist() + self.add_unstable_version() + return 0 + + +class ParseTrackerAccepted(ParseChanges): + """ + Download and parse Accepted tracker NEWS + + e.g. https://tracker.debian.org/news/1285227/accepted-freerdp2-241dfsg1-1-source-into-unstable/ + """ + + MARKER = '<div class="email-news-body">' + + def parse(self): + self.logger.info("Retrieving data from distro-tracker...") + req = requests.get(self.url) + if req.status_code != requests.codes.ok: # pylint: disable=no-member + return 2 + self.parsed = [] + for line in req.text.splitlines(): + if not self.parsed and not line.startswith(self.MARKER): + continue + if self.MARKER in line: + line = line.replace(self.MARKER, "") + if "<pre>" in line: + line = line.replace("<pre>", "") + if line.startswith("\t"): + line = line.replace("\t", "") + self.parsed.append(line) + if line.startswith("</pre>"): + break + self._read_changes() + self._read_cvelist() + self.add_unstable_version() + return 0 + + +class ParseDDChanges(ParseChanges): + """ + Download and parse an email in the debian-devel-changes archive + + e.g. https://lists.debian.org/debian-devel-changes/2021/12/msg01280.html + """ + + def parse(self): + self.logger.info("Retrieving data from debian-devel-changes archive...") + req = requests.get(self.url) + if req.status_code != requests.codes.ok: # pylint: disable=no-member + return 3 + for line in req.text.splitlines(): + if not self.parsed and not line.startswith("<pre>"): + continue + pars = line.replace("<pre>", "") + self.parsed.append(pars) + if line.startswith("</pre>"): + break + self._read_changes() + self._read_cvelist() + self.add_unstable_version() + return 0 + + +class ParseDDStdIn(ParseChanges): + """ + Parse an email originating from debian-devel-changes passed + on STDIN + """ + + MARKER = "-----BEGIN PGP SIGNED MESSAGE-----" + + def parse(self): + self.logger.info("Retrieving data STDIN ...") + content = sys.stdin.read() + for line in content.splitlines(): + if not self.parsed and not line.startswith(self.MARKER): + continue + self.parsed.append(line) + if not self.parsed: + self.logger.warning("Unable to find PGP marker - unsigned content?") + return 1 + self._read_changes() + self._read_cvelist() + self.add_unstable_version() + return 0 + + +def main(): + """ + 1: Provide an option to parse the email from debian-devel-changes + 2: Provide an option to lookup the information using tracker.d.o + 3: Provide an option to read an email from debian-devel-changes on stdin + 4: Fallback to lookup the information in the local apt-cache + data populated by 'make update-packages' + data/packages/sid__main_Sources + data/packages/sid__contrib_Sources + data/packages/sid__non-free_Sources + """ + parser = argparse.ArgumentParser( + description="Grab CVE data from a package upload for manual review", + usage="%(prog)s [-h] [[--input] | [--archive URL] | [--tracker TRACKER]] | " + "[[--src SRC] & [--cves [CVES ...]]]", + epilog="Data is written to a new <source_package>.list " "file which can be used with './bin/merge-cve-files'", + ) + online = parser.add_argument_group( + "Online - query one of distro-tracker or " "debian-devel-changes mail archive or debian-devel-changes email" + ) + online.add_argument( + "--input", + action="store_true", + help="Read from a debian-devel-changes email on STDIN", + ) + online.add_argument( + "--archive", + help="URL of debian-devel-changes " "announcement in the list archive", + ) + online.add_argument( + "--tracker", + help="URL of tracker.debian.org 'Accepted NEWS' page for unstable", + ) + offline = parser.add_argument_group( + "Offline - run 'make update-packages' first & specify source package and CVE list" + ) + offline.add_argument("--src", help="Source package name to look up version in local packages files") + offline.add_argument( + "--force-version", + help="Explicitly set the fixed version, in case sid has moved ahead.", + ) + offline.add_argument("--cves", nargs="*", help="CVE ID tag with version from local packages files") + args = parser.parse_args() + if args.input: + data = ParseDDStdIn(args.input) + return data.parse() + if args.archive: + data = ParseDDChanges(args.archive) + return data.parse() + if args.tracker: + data = ParseTrackerAccepted(args.tracker) + return data.parse() + pkg_dir = os.path.join(".", "data", "packages") + if os.path.exists(pkg_dir): + data = ParseSources(pkg_dir) + data.source_package = args.src + data.cves = args.cves + if args.force_version: + data.unstable_version = args.force_version + return data.parse() + logger = logging.getLogger("grab-cve-in-fix") + logger.error("Unable to parse package data!") + return -1 + + +if __name__ == "__main__": + sys.exit(main()) diff --git a/bin/merge-cve-files b/bin/merge-cve-files index a26e38ab68..36dee7acd5 100755 --- a/bin/merge-cve-files +++ b/bin/merge-cve-files @@ -4,13 +4,53 @@ # the main one. # # Copyright © 2020 Emilio Pozuelo Monfort <pochu@debian.org> +# Copyright (c) 2021-2022 Neil Williams <codehelp@debian.org> -import os.path +import os import sys import setup_paths # noqa from debian_support import internRelease -from sectracker.parsers import cvelist, writecvelist, PackageAnnotation, FlagAnnotation, XrefAnnotation +from sectracker.parsers import ( + Bug, + cvelist, + writecvelist, + PackageAnnotation, + FlagAnnotation, + StringAnnotation, + XrefAnnotation +) + +def merge_notes(bug, notes): + """ + Special support for StringAnnotations. + + notes is a dict containing a list of string annotations for + each CVE in the file being merged. Pick out the string annotations + for this bug, ignore if already exist, append if new. + """ + new_notes = [] + cve = bug.header.name + merge_list = notes.get(cve) # list of notes to merge + if not merge_list: + # nothing to merge + return bug + tagged_notes = [note.description for note in merge_list] + bug_notes = [ann.description for ann in bug.annotations if isinstance(ann, StringAnnotation)] + # get the list items in tagged_notes which are not in bug_notes + new_strings = list(set(tagged_notes) - set(bug_notes)) + if not new_strings: + return bug + for new_ann in merge_list: + if new_ann.description in new_strings: + new_notes.append(new_ann) + bug_list = list(bug.annotations) + bug_list.extend(new_notes) + mod_bug = Bug( + bug.file, bug.header, tuple(bug_list) + ) + return mod_bug + def merge_annotations(annotations, new_annotation): if not isinstance(new_annotation, PackageAnnotation): @@ -86,12 +126,26 @@ extra_data = parse_list(extra_list) for extra_bug in extra_data: bug = next(bug for bug in data if bug.header.name == extra_bug.header.name) + notes = {} new_annotations = bug.annotations for extra_annotation in extra_bug.annotations: + if isinstance(extra_annotation, FlagAnnotation): + continue + if isinstance(extra_annotation, StringAnnotation): + cve = f"{extra_bug.header.name}" + note_tag = notes.setdefault(cve, []) + note_tag.append(extra_annotation) + continue new_annotations = merge_annotations(new_annotations, extra_annotation) bug = bug._replace(annotations=new_annotations) + bug = merge_notes(bug, notes) data = [bug if bug.header.name == old_bug.header.name else old_bug for old_bug in data] with open(main_list, 'w') as f: writecvelist(data, f) + +# check for and erase an .xpck file built from the merge +xpck = f"{extra_list}.xpck" +if os.path.exists(xpck): + os.unlink(xpck) diff --git a/bin/remove-cve-dist-tags b/bin/remove-cve-dist-tags index 6e8d7214eb..18db2a0257 100755 --- a/bin/remove-cve-dist-tags +++ b/bin/remove-cve-dist-tags @@ -56,6 +56,12 @@ for cve in data: if keep_annotation(cve, annotation) ) cve = cve._replace(annotations=annotations) + if not cve.annotations: + # this shouldn't happen on a normal CVE file as we're only removing + # the dist specific tags, but it may happen in an ExtendFile, in + # which case we don't want to keep an empty CVE entry + continue + new_data.append(cve) with open(main_list, 'w') as f: diff --git a/bin/tracker_service.py b/bin/tracker_service.py index 4fe311c92e..4092a58bd9 100755 --- a/bin/tracker_service.py +++ b/bin/tracker_service.py @@ -458,7 +458,7 @@ data source.""")], def gen_source(): old_pkg = '' - for (package, releases, version, vulnerable) \ + for (package, release, version, vulnerable) \ in self.db.getSourcePackages(cursor, bug.name): if package == old_pkg: package = '' @@ -476,8 +476,7 @@ data source.""")], else: vuln = 'fixed' - releases = sorted(releases, key = debian_support.internRelease) - yield package, ', '.join(releases), version, vuln + yield package, ', '.join(release), version, vuln page.append(make_table(gen_source(), title=H2('Vulnerable and fixed packages'), diff --git a/bin/update-vuln b/bin/update-vuln new file mode 100755 index 0000000000..f6f93f2e46 --- /dev/null +++ b/bin/update-vuln @@ -0,0 +1,369 @@ +#!/usr/bin/env python3 +# -*- coding: utf-8 -*- +""" + update-vuln - #1001453 + + - mark a given released suite (stable/oldstable/LTS) as <not-affected> + for a specific CVE ID + - add a bug number to an existing CVE entry + - add a NOTE: entry to an existing CVE + +Only make one change to one CVE at a time. Review and merge that +change and delete the merged file before updating the same CVE. + +The workflow would be: +./bin/update-vuln --cve CVE-YYYY-NNNNN ... +# on exit zero: +./bin/merge-cve-files ./CVE-YYYY-NNNNN.list +# review change to data/CVE/list +git diff data/CVE/list +rm ./CVE-YYYY-NNNNN.list +# .. repeat +git add data/CVE/list +git commit + +""" +# Copyright 2021-2022 Neil Williams <codehelp@debian.org> +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, +# MA 02110-1301, USA. + +import os +import argparse +import bisect +import logging +import sys + +import setup_paths # noqa # pylint: disable=unused-import +from sectracker.parsers import ( + PackageAnnotation, + PackageBugAnnotation, + StringAnnotation, + Bug, + cvelist, + writecvelist, +) + +# pylint: disable=line-too-long + + +class ParseUpdates: + """ + Update a CVE with requested changes and produce a file for + manual review and use with merge-cve-files. + """ + + def __init__(self): + self.cves = [] + self.bugs = {} + self.marker = "aaaaaaaaaaaaa" # replacement for NoneType to always sort first + self.logger = logging.getLogger("update-vuln") + self.logger.setLevel(logging.DEBUG) + # console logging + ch_log = logging.StreamHandler() + ch_log.setLevel(logging.DEBUG) + formatter = logging.Formatter("%(name)s - %(levelname)s - %(message)s") + ch_log.setFormatter(formatter) + self.logger.addHandler(ch_log) + + def _read_cvelist(self): + """Build a list of Bug items for the CVE from data/CVE/list""" + os.chdir(os.path.dirname(os.path.dirname(os.path.realpath(__file__)))) + data, _ = cvelist("data/CVE/list") # pylint: disable=no-value-for-parameter + for cve in self.cves: + for bug in data: + if bug.header.name == cve: + self.bugs[cve] = bug + + def _add_annotation_to_cve(self, cve, annotation): + """ + Adds an annotation to a CVE entry. + + StringAnnotation - appended to the end + PackageAnnotation - inserted in alphabetical order by release + + Accounts for PackageAnnotation.release == None for unstable. + """ + if isinstance(annotation, PackageAnnotation): + store = {ann.release: ann for ann in self.bugs[cve].annotations if isinstance(ann, PackageAnnotation)} + store[annotation.release] = annotation + # this is needed despite python3 >= 3.7 having ordered dicts + # because using the dict.keys() would need a copy of that list anyway. + existing = [ann.release for ann in self.bugs[cve].annotations if isinstance(ann, PackageAnnotation)] + if None in existing: + # release == None for unstable + index = existing.index(None) + existing[index] = self.marker + insertion = annotation.release if annotation.release else self.marker + + # bisect cannot work with NoneType + bisect.insort(existing, insertion) + + if self.marker in existing: + index = existing.index(self.marker) + existing[index] = None + + bug_list = [] + for item in existing: + bug_list.append(store[item]) + + elif isinstance(annotation, StringAnnotation): + bug_list = list(self.bugs[cve].annotations) + bug_list.append(annotation) + else: + raise ValueError(f"Unsupported annotation type: {type(annotation)}") + + return Bug(self.bugs[cve].file, self.bugs[cve].header, tuple(bug_list)) + + def _replace_annotation_on_line(self, cve, line, mod_line): + index = self.bugs[cve].annotations.index(line) + bug_list = list(self.bugs[cve].annotations) + bug_list[index] = mod_line + return Bug(self.bugs[cve].file, self.bugs[cve].header, tuple(bug_list)) + + def write_modified(self, modified, cve_file): + """ + Write out a CVE snippet for review and merge + + Fails if the file already exists. + """ + if not modified: + return 0 + if not isinstance(modified, list): + return 0 + if os.path.exists(cve_file): + self.logger.critical( + "%s already exists - merge the update and remove the file first.", + cve_file, + ) + return -1 + for cve in modified: + self.logger.info("Writing to ./%s with update for %s", cve_file, cve.header.name) + with open(cve_file, "a") as snippet: + writecvelist(modified, snippet) + return 0 + + def mark_not_affected(self, suite, src, description): + """ + Writes out a CVE file snippet with the filename: + ./<cve>.list + Fails if the file already exists. + """ + release = suite + if suite in ("unstable", "sid"): + # special handling for unstable + suite = None + release = "unstable" + modified = [] + cve = self.cves[0] + cve_file = f"{cve}.list" + existing = [line.release for line in self.bugs[cve].annotations if isinstance(line, PackageAnnotation)] + if suite not in existing: + # line type release package kind version description flags + line = PackageAnnotation(0, "package", suite, src, "not-affected", None, description, []) + mod_bug = self._add_annotation_to_cve(cve, line) + modified.append(mod_bug) + for line in self.bugs[cve].annotations: + if not isinstance(line, PackageAnnotation): + continue # skip notes etc. + if line.release != suite: + continue + if line.package != src: + continue + # need to define the allowed changes + # if fixed, version would need to be undone too. + if line.kind == "not-affected": + self.logger.info("Nothing to do for %s in %s.", cve, suite) + return + mod_line = line._replace(kind="not-affected") + self.logger.info("Modified %s for %s in %s to <not-affected>", cve, src, release) + if mod_line.version: + self.logger.info("Removing version %s", line.version) + ver_line = mod_line + mod_line = ver_line._replace(version=None) + if description: + self.logger.info("Replacing description %s", line.description) + desc_line = mod_line + mod_line = desc_line._replace(description=description) + elif mod_line.description: + self.logger.info("Removing description %s", line.description) + desc_line = mod_line + mod_line = desc_line._replace(description=None) + # removing a bug annotation is not covered, yet. + mod_bug = self._replace_annotation_on_line(cve, line, mod_line) + modified.append(mod_bug) + self.write_modified(modified, cve_file) + + def add_note(self, note): + """ + Writes out a CVE file snippet with the filename: + ./<cve>.list + Fails if the file already exists. + """ + # use _add_annotation_to_cve to add the note + modified = [] + cve = self.cves[0] + cve_file = f"{cve}.list" + existing = [note.description for note in self.bugs[cve].annotations if isinstance(note, StringAnnotation)] + if note in existing: + self.logger.info("Note already exists, ignoring") + return + new_note = StringAnnotation(line=0, type="NOTE", description=note) + mod_bug = self._add_annotation_to_cve(cve, new_note) + modified.append(mod_bug) + self.write_modified(modified, cve_file) + + def add_bug_number(self, bug, itp=False): # pylint: disable=too-many-locals + """ + Writes out a CVE file snippet with the filename: + ./<cve>.list + Fails if the file already exists. + """ + # bugs only apply to unstable (or itp) + modified = [] + cve = self.cves[0] + cve_file = f"{cve}.list" + existing = [ + pkg.flags + for pkg in self.bugs[cve].annotations + if isinstance(pkg, PackageAnnotation) + if not pkg.release and pkg.kind != "removed" + ] + bugs = [bug for sublist in existing for bug in sublist] + if bugs: + self.logger.warning("%s already has a bug annotation for unstable: %s", cve, bugs[0].bug) + return -1 + pkgs = [ + pkg + for pkg in self.bugs[cve].annotations + if isinstance(pkg, PackageAnnotation) + if not pkg.release and pkg.kind != "removed" + ] + if itp: + # no useful entry will exist in pkgs + new_flags = [PackageBugAnnotation(bug)] + new_pkg = PackageAnnotation( + 0, + "package", + None, + itp, + "itp", + None, + None, + new_flags, + ) + others = [] + else: + if not pkgs: + self.logger.error("%s does not have a package annotation.", cve) + return -1 + old_pkg = pkgs[0] + if itp and old_pkg.kind == "fixed": + self.logger.error("%s is already marked as <fixed> but --itp flag was set.", cve) + return -3 + new_flags = [PackageBugAnnotation(bug)] + new_pkg = PackageAnnotation( + old_pkg.line, + old_pkg.type, + old_pkg.release, + old_pkg.package, + old_pkg.kind, + old_pkg.version, + old_pkg.description, + new_flags, + ) + bug_list = list(self.bugs[cve].annotations) + others = [pkg for pkg in bug_list if pkg.line != old_pkg.line] + bug_list = list(self.bugs[cve].annotations) + # may need to retain the original order. + new_list = [new_pkg] + others + mod_bug = Bug(self.bugs[cve].file, self.bugs[cve].header, tuple(new_list)) + modified.append(mod_bug) + self.write_modified(modified, cve_file) + return 0 + + def load_cve(self, cve): + """Load all data for the specified CVE""" + self.logger.info("Loading data for %s...", cve) + self.cves.append(cve) + self._read_cvelist() + + +def main(): + """ + This script does NOT reparse the output file - create, review and + merge ONE update at a time. + (For some operations, check-new-issues may be more suitable). + + For example, --bug 100 --itp intended_pkg_name + then, merge-cve-list, then: + --note "URL:" + """ + parser = argparse.ArgumentParser( + description="Make a single update to specified CVE data as not-affected, add bug number or add a note", + usage="%(prog)s [-h] --cve CVE [--src SRC --suite SUITE " + "[--description DESCRIPTION]] | [[--number NUMBER] [--itp SRC]] | [--note NOTE]", + epilog="Data is written to a new <cve_number>.list " + "file which can be used with './bin/merge-cve-files'. " + "Make sure the output file is merged and removed before " + "updating the same CVE again.", + ) + + required = parser.add_argument_group("Required arguments") + required.add_argument("--cve", required=True, help="The CVE ID to update") + + affected = parser.add_argument_group( + "Marking a CVE as not-affected - must use --src and --suite " + "Optionally add a description or omit to remove the current description" + ) + # needs to specify the src_package as well as suite to cope with removed etc. + affected.add_argument("--src", help="Source package name in SUITE") + affected.add_argument("--suite", default="unstable", help="Mark the CVE as <not-affected> in SUITE") + affected.add_argument( + "--description", + help="Optional description of why the SRC is unaffected in SUITE", + ) + + buggy = parser.add_argument_group("Add a bug number to the CVE") + buggy.add_argument("--number", help="Debian BTS bug number") + buggy.add_argument( + "--itp", + metavar="SRC", + help="Mark as an ITP bug for the specified source package name", + ) + + notes = parser.add_argument_group("Add a NOTE: entry to the CVE") + notes.add_argument("--note", help="Content of the NOTE: entry to add to the CVE") + + args = parser.parse_args() + parser = ParseUpdates() + parser.load_cve(args.cve) + + logger = logging.getLogger("update-vuln") + if not parser.bugs: + logger.critical("Unable to parse CVE ID %s", args.cve) + return -1 + if args.src and args.suite: + parser.mark_not_affected(args.suite, args.src, args.description) + if args.note: + parser.add_note(args.note) + if args.number: + # to set itp properly, the source package name also needs to be set. + parser.add_bug_number(args.number, args.itp) + return 0 + + +if __name__ == "__main__": + sys.exit(main()) diff --git a/conf/cvelist.el b/conf/cvelist.el index d35874980e..0242d4fca5 100644 --- a/conf/cvelist.el +++ b/conf/cvelist.el @@ -81,7 +81,7 @@ (defun debian-cvelist-cvesearch () "Look up a CVE ID at the MITRE website." (interactive) - (browse-url (concat "https://cve.mitre.org/cgi-bin/cvename.cgi?name=" (thing-at-point 'symbol)))) + (browse-url (concat "https://www.cve.org/CVERecord?id=" (thing-at-point 'symbol)))) (defun debian-cvelist-ptslookup () "Look up a package name in Debian Package Tracker." diff --git a/data/CVE/2000.list b/data/CVE/2000.list index 4d09587612..d795255720 100644 --- a/data/CVE/2000.list +++ b/data/CVE/2000.list @@ -1022,7 +1022,7 @@ CVE-2000-0486 (Buffer overflow in Cisco TACACS+ tac_plus server allows remote at NOT-FOR-US: Cisco CVE-2000-0485 (Microsoft SQL Server allows local users to obtain database passwords v ...) NOT-FOR-US: Microsoft -CVE-2000-0484 (Buffer overflow in Small HTTP Server allows remote attackers to cause ...) +CVE-2000-0484 (Small HTTP Server ver 3.06 contains a memory corruption bug causing a ...) NOT-FOR-US: Data pre-dating the Security Tracker CVE-2000-0483 (The DocumentTemplate package in Zope 2.2 and earlier allows a remote a ...) NOT-FOR-US: Data pre-dating the Security Tracker diff --git a/data/CVE/2003.list b/data/CVE/2003.list index 9b08fd165b..ad61892565 100644 --- a/data/CVE/2003.list +++ b/data/CVE/2003.list @@ -1,3 +1,9 @@ +CVE-2003-5003 + RESERVED +CVE-2003-5002 + RESERVED +CVE-2003-5001 + RESERVED CVE-2003-1605 (curl 7.x before 7.10.7 sends CONNECT proxy credentials to the remote s ...) - curl 7.10.7-1 NOTE: https://curl.haxx.se/docs/CVE-2003-1605.html diff --git a/data/CVE/2004.list b/data/CVE/2004.list index a3b1af215a..3a95f73424 100644 --- a/data/CVE/2004.list +++ b/data/CVE/2004.list @@ -1809,11 +1809,11 @@ CVE-2004-1910 (rufsi.dll in Symantec Virus Detection allows remote attackers to CVE-2004-1909 (Claim Anti-Virus (ClamAV) 0.68 and earlier allows remote attackers to ...) - clamav 0.68.1 CVE-2004-1908 (McFreeScan.CoMcFreeScan.1 ActiveX object in Mcafee FreeScan allows rem ...) - NOT-FOR-US: Mcafee FreeScan + NOT-FOR-US: McAfee FreeScan CVE-2004-1907 (The Web Filtering functionality in Kerio Personal Firewall (KPF) 4.0.1 ...) NOT-FOR-US: Kerio Personal Firewall CVE-2004-1906 (Mcafee FreeScan allows remote attackers to cause a denial of service a ...) - NOT-FOR-US: Mcafee FreeScan + NOT-FOR-US: McAfee FreeScan CVE-2004-1905 (ascontrol.dll in Panda ActiveScan 5.0 allows remote attackers to cause ...) NOT-FOR-US: Panda ActiveScan CVE-2004-1904 (Buffer overflow in ascontrol.dll in Panda ActiveScan 5.0 allows remote ...) @@ -6187,7 +6187,7 @@ CVE-2004-0099 (mksnap_ffs in FreeBSD 5.1 and 5.2 only sets the snapshot flag whe CVE-2004-0096 (Unknown vulnerability in mod_python 2.7.9 allows remote attackers to c ...) - libapache-mod-python 2:2.7.10 CVE-2004-0095 (McAfee ePolicy Orchestrator agent allows remote attackers to cause a d ...) - NOT-FOR-US: mcafee + NOT-FOR-US: McAfee CVE-2004-0094 (Integer signedness errors in XFree86 4.1.0 allow remote attackers to c ...) {DSA-443} - xfree86 4.2.1-6 diff --git a/data/CVE/2005.list b/data/CVE/2005.list index e655115ee8..d5b0e08cad 100644 --- a/data/CVE/2005.list +++ b/data/CVE/2005.list @@ -1,3 +1,5 @@ +CVE-2005-10001 + RESERVED CVE-2005-3590 (The getgrouplist function in the GNU C library (glibc) before version ...) - glibc 2.3.5-3 NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=661 @@ -30,7 +32,8 @@ CVE-2005-4890 (There is a possible tty hijacking in shadow 4.x before 4.1.5 and [lenny] - shadow <no-dsa> (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=173008 - sudo 1.7.4p4 (low; bug #657784) - NOTE: sudo might be fixed earlier, use_pty present in stable + NOTE: sudo might be fixed earlier, use_pty present in stable. Only since 1.9.6-1~exp2 + NOTE: use_pty is added to default configuration. CVE-2005-4889 (lib/fsm.c in RPM before 4.4.3 does not properly reset the metadata of ...) - rpm 4.7.0-1 (bug #584257; unimportant) NOTE: Marking as unimportant since rpm isn't used as a package manager diff --git a/data/CVE/2007.list b/data/CVE/2007.list index 0f12a169a0..3a8985e71a 100644 --- a/data/CVE/2007.list +++ b/data/CVE/2007.list @@ -1,3 +1,5 @@ +CVE-2007-20001 (StarWind iSCSI SAN before 3.5 build 2007-08-09 allows socket exhaustio ...) + NOT-FOR-US: StarWind CVE-2007-6763 (SAS Drug Development (SDD) before 32DRG02 mishandles logout actions, w ...) NOT-FOR-US: SAS Drug Development (SDD) CVE-2007-6762 (In the Linux kernel before 2.6.20, there is an off-by-one bug in net/n ...) @@ -7663,7 +7665,7 @@ CVE-2007-3543 (Unrestricted file upload vulnerability in WordPress before 2.2.1 - wordpress 2.2.1-1 [etch] - wordpress <not-affected> (Vulnerable code not present) CVE-2007-3542 (Cross-site scripting (XSS) vulnerability in admin/auth.php in Pluxml 0 ...) - NOT-FOR-US: Pluxml + - pluxml <undetermined> CVE-2007-3541 (Cross-site scripting (XSS) vulnerability in Kurinton sHTTPd 20070408 a ...) NOT-FOR-US: Kurinton sHTTPd CVE-2007-3540 (Multiple cross-site scripting (XSS) vulnerabilities in search.asp in r ...) @@ -7927,7 +7929,7 @@ CVE-2007-3434 (index.php in Pharmacy System 2 and earlier allows remote attacker CVE-2007-3433 (SQL injection vulnerability in index.php in Pharmacy System 2 and earl ...) NOT-FOR-US: Pharmacy System CVE-2007-3432 (Unrestricted file upload vulnerability in admin/images.php in Pluxml 0 ...) - NOT-FOR-US: Pluxml + - pluxml <undetermined> CVE-2007-3431 (PHP remote file inclusion vulnerability in cal.func.php in Valerio Cap ...) NOT-FOR-US: Dagger CVE-2007-3430 (SQL injection vulnerability in index.php in Simple Invoices 2007 05 25 ...) diff --git a/data/CVE/2008.list b/data/CVE/2008.list index f6a7b9e8ab..605b8fb349 100644 --- a/data/CVE/2008.list +++ b/data/CVE/2008.list @@ -1,3 +1,5 @@ +CVE-2008-10001 + RESERVED CVE-2008-7321 (The tubepress plugin before 1.6.5 for WordPress has XSS. ...) NOT-FOR-US: tubepress plugin for WordPress CVE-2008-7320 (** DISPUTED ** GNOME Seahorse through 3.30 allows physically proximate ...) @@ -2630,7 +2632,7 @@ CVE-2008-6097 (Multiple cross-site scripting (XSS) vulnerabilities in WikyBlog b CVE-2008-6096 (Cross-site scripting (XSS) vulnerability in Juniper NetScreen ScreenOS ...) NOT-FOR-US: Juniper NetScreen ScreenOS CVE-2008-6095 (Cross-site scripting (XSS) vulnerability in surveillanceView.htm in Op ...) - NOT-FOR-US: OpenNMS + - opennms <itp> (bug #450615) CVE-2008-6094 (Cross-site scripting (XSS) vulnerability in user.do in Celoxis Technol ...) NOT-FOR-US: Celoxis Technologies Celoxis CVE-2008-6093 (SQL injection vulnerability in index.php in Noname CMS 1.0, when magic ...) @@ -6890,7 +6892,7 @@ CVE-2008-4322 (Stack-based buffer overflow in RealFlex Technologies Ltd. RealWin CVE-2008-4321 (Buffer overflow in FlashGet (formerly JetCar) FTP 1.9 allows remote FT ...) NOT-FOR-US: FlashGet FTP CVE-2008-4320 (Multiple cross-site scripting (XSS) vulnerabilities in OpenNMS before ...) - NOT-FOR-US: OpenNMS + - opennms <itp> (bug #450615) CVE-2008-4319 (fileadmin.php in Libra File Manager (aka Libra PHP File Manager) 1.18 ...) NOT-FOR-US: Libra File Manager CVE-2008-4318 (Observer 0.3.2.1 and earlier allows remote attackers to execute arbitr ...) diff --git a/data/CVE/2010.list b/data/CVE/2010.list index 8f778de65a..9ff03ef468 100644 --- a/data/CVE/2010.list +++ b/data/CVE/2010.list @@ -1,3 +1,5 @@ +CVE-2010-10001 + RESERVED CVE-2010-5340 (IceWarp Webclient before 10.2.1 has XSS via an HTTP POST request: webm ...) NOT-FOR-US: IceWarp Webclient CVE-2010-5339 (IceWarp Webclient before 10.2.1 has XSS via an HTTP POST request: webm ...) @@ -75,11 +77,13 @@ CVE-2010-5313 (Race condition in arch/x86/kvm/x86.c in the Linux kernel before 2 [squeeze] - linux-2.6 <no-dsa> (KVM not supported in Squeeze LTS) NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=fc3a9157d314 (v2.6.38-rc1) CVE-2010-5312 (Cross-site scripting (XSS) vulnerability in jquery.ui.dialog.js in the ...) - {DSA-3249-1 DLA-258-1} + {DSA-3249-1 DLA-2889-1 DLA-258-1} + - drupal7 <removed> - jqueryui 1.10.1+dfsg-1 - owncloud <not-affected> (embedded copy, bug #722500, of version 1.10.1, already fixed) NOTE: http://bugs.jqueryui.com/ticket/6016 NOTE: https://github.com/jquery/jquery-ui/commit/7e9060c109b928769a664dbcc2c17bd21231b6f3 + NOTE: https://www.drupal.org/sa-core-2022-002 CVE-2010-5311 RESERVED CVE-2010-XXXX [insecure handling of /tmp files in debian/preinst] diff --git a/data/CVE/2012.list b/data/CVE/2012.list index aaccf05cff..d986dec88d 100644 --- a/data/CVE/2012.list +++ b/data/CVE/2012.list @@ -1,3 +1,5 @@ +CVE-2012-20001 (PrestaShop before 1.5.2 allows XSS via the "<object data='data:text ...) + NOT-FOR-US: PrestaShop CVE-2012-10001 (The Limit Login Attempts plugin before 1.7.1 for WordPress does not cl ...) NOT-FOR-US: Limit Login Attempts plugin for WordPress CVE-2012-6721 (Multiple cross-site request forgery (CSRF) vulnerabilities in the (1) ...) @@ -4969,9 +4971,9 @@ CVE-2012-4677 (Tunnelblick 3.3beta20 and earlier allows local users to gain priv CVE-2012-4676 (The errorExitIfAttackViaString function in Tunnelblick 3.3beta20 and e ...) NOT-FOR-US: Tunnelblick CVE-2012-4675 (Cross-site scripting (XSS) vulnerability in PluXml 5.1.6 allows remote ...) - NOT-FOR-US: PluXml + - pluxml <undetermined> CVE-2012-4674 (PluXml before 5.1.6 allows remote attackers to obtain the installation ...) - NOT-FOR-US: PluXml + - pluxml <undetermined> CVE-2012-4673 (SQL injection vulnerability in application/controllers/invoice.php in ...) NOT-FOR-US: Neoinvoice CVE-2012-4672 (Apple iChat Server does not verify that a request was made for an XMPP ...) @@ -5608,10 +5610,11 @@ CVE-2012-4428 (openslp: SLPIntersectStringList()' Function has a DoS vulnerabili [squeeze] - openslp-dfsg <no-dsa> (Minor issue) [wheezy] - openslp-dfsg <no-dsa> (Minor issue) CVE-2012-4427 (The gnome-shell plugin 3.4.1 in GNOME allows remote attackers to force ...) - - gnome-shell <unfixed> (unimportant) + - gnome-shell 3.34.0-2 (unimportant) NOTE: I don't see much of a problem here, if you install from a repo, you need to trust it NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=684215 - NOTE: As far as I can see there is still a yes/no prompt for the user. I suggest unfixed unimportant. -- helmut + NOTE: Problem with GNOME Shell's NPAPI browser extension which is not shipped + NOTE: anymore since GNOME 3.32. CVE-2012-4426 (Multiple format string vulnerabilities in mcrypt 2.6.8 and earlier mig ...) - mcrypt 2.6.8-1.1 [squeeze] - mcrypt <no-dsa> (minor issue, it doesn't affect libmcrypt) diff --git a/data/CVE/2013.list b/data/CVE/2013.list index bc0f675557..9fc3286a3f 100644 --- a/data/CVE/2013.list +++ b/data/CVE/2013.list @@ -1,3 +1,7 @@ +CVE-2013-20004 (StarWind iSCSI SAN before 6.0 build 2013-03-20 allows a memory leak. ...) + NOT-FOR-US: StarWind +CVE-2013-20003 (Z-Wave devices from Sierra Designs (circa 2013) and Silicon Labs (usin ...) + NOT-FOR-US: Z-Wave devices CVE-2013-20002 (Elemin allows remote attackers to upload and execute arbitrary PHP cod ...) NOT-FOR-US: Elemin CVE-2013-20001 (An issue was discovered in OpenZFS through 2.0.3. When an NFS share is ...) @@ -156,7 +160,7 @@ CVE-2013-7446 (Use-after-free vulnerability in net/unix/af_unix.c in the Linux k NOTE: Introduced by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ec0d215f9420564fc8286dcf93d2d068bb53a07e (v2.6.26-rc9) NOTE: Fixed by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=7d267278a9ece963d77eefec61630223fce08c6c (v4.4-rc4) CVE-2013-7445 (The Direct Rendering Manager (DRM) subsystem in the Linux kernel throu ...) - - linux <unfixed> + - linux <unfixed> (bug #1000886) [bullseye] - linux <ignored> (Minor issue, requires invasive changes) [buster] - linux <ignored> (Minor issue, requires invasive changes) [stretch] - linux <ignored> (Minor issue, requires invasive changes) @@ -19122,7 +19126,7 @@ CVE-2013-0341 [external entity expansion] REJECTED CVE-2013-0340 (expat 2.1.0 and earlier does not properly handle entities expansion un ...) [experimental] - expat 2.4.1-1 - - expat <unfixed> (unimportant) + - expat 2.4.1-2 (unimportant; bug #1001864) NOTE: Expat provides API to mitigate expansion attacks, ultimately under control of the app using Expat NOTE: https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-0340.html CVE-2013-0339 (libxml2 through 2.9.1 does not properly handle external entities expan ...) diff --git a/data/CVE/2014.list b/data/CVE/2014.list index ab8fd028d0..2a1783abae 100644 --- a/data/CVE/2014.list +++ b/data/CVE/2014.list @@ -5195,8 +5195,8 @@ CVE-2014-8600 (Multiple cross-site scripting (XSS) vulnerabilities in KDE-Runtim NOTE: webkit not covered by security support CVE-2014-8599 RESERVED -CVE-2014-8597 - RESERVED +CVE-2014-8597 (A reflected cross-site scripting (XSS) vulnerability in PHP-Fusion 7.0 ...) + NOT-FOR-US: PHP-Fusion CVE-2014-8596 (Multiple SQL injection vulnerabilities in PHP-Fusion 7.02.07 allow rem ...) NOT-FOR-US: PHP-Fusion CVE-2014-8595 (arch/x86/x86_emulate/x86_emulate.c in Xen 3.2.1 through 4.4.x does not ...) @@ -16519,7 +16519,7 @@ CVE-2014-3962 (Multiple SQL injection vulnerabilities in Videos Tube 1.0 allow r CVE-2014-3961 (SQL injection vulnerability in the Export CSV page in the Participants ...) NOT-FOR-US: WordPress plugin Participants Database CVE-2014-3960 (Multiple cross-site scripting (XSS) vulnerabilities in OpenNMS before ...) - NOT-FOR-US: OpenNMS + - opennms <itp> (bug #450615) CVE-2014-3980 (libfep 0.0.5 before 0.1.0 does not properly use UNIX domain sockets in ...) - libfep <itp> (bug #658575) CVE-2014-3959 (Cross-site scripting (XSS) vulnerability in list.jsp in the Configurat ...) diff --git a/data/CVE/2015.list b/data/CVE/2015.list index 787b5a0494..4456217dd6 100644 --- a/data/CVE/2015.list +++ b/data/CVE/2015.list @@ -1,3 +1,9 @@ +CVE-2015-10002 + RESERVED +CVE-2015-20106 (The ClickBank Affiliate Ads WordPress plugin through 1.20 does not esc ...) + NOT-FOR-US: WordPress plugin +CVE-2015-20105 (The ClickBank Affiliate Ads WordPress plugin through 1.20 does not hav ...) + NOT-FOR-US: WordPress plugin CVE-2015-10001 (The WP-Stats WordPress plugin before 2.52 does not have CSRF check whe ...) NOT-FOR-US: WordPress plugin CVE-2015-20067 (The WP Attachment Export WordPress plugin before 0.2.4 does not have p ...) @@ -5271,7 +5277,7 @@ CVE-2015-7858 (SQL injection vulnerability in Joomla! 3.2 before 3.4.4 allows re CVE-2015-7857 (SQL injection vulnerability in the getListQuery function in administra ...) NOT-FOR-US: Joomla! CVE-2015-7856 (OpenNMS has a default password of rtc for the rtc account, which makes ...) - NOT-FOR-US: OpenNMS + - opennms <itp> (bug #450615) CVE-2015-7855 (The decodenetnum function in ntpd in NTP 4.2.x before 4.2.8p4, and 4.3 ...) {DSA-3388-1 DLA-335-1} - ntp 1:4.2.8p4+dfsg-1 diff --git a/data/CVE/2016.list b/data/CVE/2016.list index 3e6f99b8d6..d7e669870d 100644 --- a/data/CVE/2016.list +++ b/data/CVE/2016.list @@ -1,3 +1,8 @@ +CVE-2016-20013 (sha256crypt and sha512crypt through 0.6 allow attackers to cause a den ...) + NOTE: https://akkadia.org/drepper/SHA-crypt.txt + NOTE: https://pthree.org/2018/05/23/do-not-use-sha256crypt-sha512crypt-theyre-dangerous/ + NOTE: https://twitter.com/solardiz/status/795601240151457793 + TODO: check, several sources (busybox, sssd, dietlibc, php*, ...) do embed an implentation of the code, but only track those with security impact CVE-2016-20012 (OpenSSH through 8.7 allows remote attackers, who have a suspicion that ...) - openssh <unfixed> (unimportant) NOTE: https://github.com/openssh/openssh-portable/pull/270 @@ -8522,7 +8527,7 @@ CVE-2016-1000239 CVE-2016-1000238 RESERVED CVE-2016-1000237 (sanitize-html before 1.4.3 has XSS. ...) - NOT-FOR-US: sanitize-html + - node-sanitize-html <not-affected> (Fixed before initial upload) CVE-2016-1000236 (Node-cookie-signature before 1.0.6 is affected by a timing attack due ...) - node-cookie-signature 1.1.0-1 (unimportant; bug #838618) NOTE: https://nodesecurity.io/advisories/134 @@ -11733,6 +11738,8 @@ CVE-2016-7111 (MantisBT before 1.3.1 and 2.x before 2.0.0-beta.2 uses a weak Con NOTE: https://github.com/mantisbt/mantisbt/commit/b3511d2feb47eaee41feb5f69cf3c8a2c9acd229 NOTE: https://mantisbt.org/bugs/view.php?id=21263 CVE-2016-7103 (Cross-site scripting (XSS) vulnerability in jQuery UI before 1.12.0 mi ...) + {DLA-2889-1} + - drupal7 <removed> - jqueryui 1.12.1+dfsg-1 [jessie] - jqueryui <no-dsa> (Minor issue) [wheezy] - jqueryui <no-dsa> (Minor issue) @@ -11740,6 +11747,7 @@ CVE-2016-7103 (Cross-site scripting (XSS) vulnerability in jQuery UI before 1.12 NOTE: https://github.com/jquery/jquery-ui/pull/1622 NOTE: https://github.com/jquery/jquery-ui/pull/1632 NOTE: https://github.com/jquery/api.jqueryui.com/issues/281 + NOTE: https://www.drupal.org/sa-core-2022-002 CVE-2016-7094 (Buffer overflow in Xen 4.7.x and earlier allows local x86 HVM guest OS ...) {DSA-3663-1 DLA-614-1} - xen 4.8.0~rc3-1 @@ -14002,21 +14010,26 @@ CVE-2016-6355 (Memory leak in Cisco IOS XR 5.1.x through 5.1.3, 5.2.x through 5. CVE-2016-6353 (Cloudera Search in CDH before 5.7.0 allows unauthorized document acces ...) NOT-FOR-US: Cloudera CVE-2016-6348 (JacksonJsonpInterceptor in RESTEasy might allow remote attackers to co ...) - - resteasy <unfixed> (low; bug #837170) + - resteasy 3.1.0-1 (low; bug #837170) [jessie] - resteasy <no-dsa> (Minor issue) - - resteasy3.0 <undetermined> + - resteasy3.0 3.0.26-1 + NOTE: https://github.com/resteasy/Resteasy/commit/7cc46c65b11de69b87ef8850dc68cca3de8cd7c6 (3.1.0.CR1) CVE-2016-6347 (Cross-site scripting (XSS) vulnerability in the default exception hand ...) - - resteasy <unfixed> (low; bug #837170) + - resteasy 3.1.0-1 (low; bug #837170) [jessie] - resteasy <no-dsa> (Minor issue) - - resteasy3.0 <undetermined> + - resteasy3.0 3.0.26-1 + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1372124 CVE-2016-6346 (RESTEasy enables GZIPInterceptor, which allows remote attackers to cau ...) - - resteasy <unfixed> (low; bug #837170) + - resteasy 3.1.0-1 (low; bug #837170) [jessie] - resteasy <no-dsa> (Minor issue) - - resteasy3.0 <undetermined> + - resteasy3.0 3.0.26-1 + NOTE: https://issues.jboss.org/browse/RESTEASY-1484 (not public) + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1372120 CVE-2016-6345 (RESTEasy allows remote authenticated users to obtain sensitive informa ...) - - resteasy <unfixed> (low; bug #837170) + - resteasy 3.1.0-1 (low; bug #837170) [jessie] - resteasy <no-dsa> (Minor issue) - - resteasy3.0 <undetermined> + - resteasy3.0 3.0.26-1 + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1372117 CVE-2016-6344 (Red Hat JBoss BPM Suite 6.3.x does not include the HTTPOnly flag in a ...) NOT-FOR-US: Red Hat JBoss bpm Suite CVE-2016-6343 (JBoss BPM Suite 6 is vulnerable to a reflected XSS via dashbuilder. Re ...) @@ -14732,7 +14745,7 @@ CVE-2016-1000103 REJECTED CVE-2016-1000102 REJECTED -CVE-2016-1000027 (Pivotal Spring Framework 4.1.4 suffers from a potential remote code ex ...) +CVE-2016-1000027 (Pivotal Spring Framework through 5.3.16 suffers from a potential remot ...) - libspring-java 4.2.7-1 (unimportant) NOTE: https://www.tenable.com/security/research/tra-2016-20 NOTE: This is not a vulnerability in Spring itself, just how applications are using it @@ -22027,9 +22040,9 @@ CVE-2016-3738 (Red Hat OpenShift Enterprise 3.2 does not properly restrict acces CVE-2016-3737 (The server in Red Hat JBoss Operations Network (JON) before 3.3.6 allo ...) NOT-FOR-US: Red Hat / JBoss Operations Network server CVE-2016-3736 - RESERVED -CVE-2016-3735 - RESERVED + REJECTED +CVE-2016-3735 (Piwigo is image gallery software written in PHP. When a criteria is no ...) + - piwigo <removed> CVE-2016-3734 (Cross-site request forgery (CSRF) vulnerability in markposts.php in Mo ...) - moodle 2.7.14+dfsg-1 NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-53755 @@ -23610,7 +23623,7 @@ CVE-2016-3104 (mongod in MongoDB 2.6, when using 2.4-style users, and 2.4 allow NOTE: MongoDB 2.4 installation with authentication enabled, upgraded NOTE: to 2.6, and did not complete a full upgrade CVE-2016-3103 - RESERVED + REJECTED CVE-2016-3102 (The Script Security plugin before 1.18.1 in Jenkins might allow remote ...) - jenkins <removed> CVE-2016-3101 (Cross-site scripting (XSS) vulnerability in the Extra Columns plugin b ...) @@ -25803,7 +25816,7 @@ CVE-2016-2410 (A Qualcomm video kernel driver in Android 6.x before 2016-04-01 a NOT-FOR-US: Android CVE-2016-2409 (A Texas Instruments (TI) haptic kernel driver in Android 6.x before 20 ...) NOT-FOR-US: Android -CVE-2016-2408 (An unspecified client-side component in Pulse Secure Desktop Client be ...) +CVE-2016-2408 (Pulse Secure Desktop before 5.2R2 and Pulse Secure Installer Service b ...) NOT-FOR-US: Pulse Secure Desktop Client CVE-2016-2407 REJECTED @@ -26864,8 +26877,7 @@ CVE-2016-2125 (It was found that Samba before versions 4.5.3, 4.4.8, 4.3.13 alwa - samba 2:4.5.2+dfsg-2 NOTE: https://www.samba.org/samba/security/CVE-2016-2125.html NOTE: Patch (with some more) here: https://download.samba.org/pub/samba/patches/security/samba-4.3.12-security-20016-12-19.patch -CVE-2016-2124 [SMB1 client connections can be downgraded to plaintext authentication] - RESERVED +CVE-2016-2124 (A flaw was found in the way samba implemented SMB1 authentication. An ...) {DSA-5003-1} - samba 2:4.13.14+dfsg-1 [buster] - samba <no-dsa> (Minor issue) @@ -29774,11 +29786,10 @@ CVE-2016-1240 (The Tomcat init script in the tomcat7 package before 7.0.56-3+deb - tomcat7 7.0.70-3 - tomcat6 6.0.41-3 NOTE: Since 6.0.41-3, src:tomcat6 only builds a servlet and docs -CVE-2016-1239 [loads arbitrary code from the current untrusted directory] - RESERVED +CVE-2016-1239 (duck before 0.10 did not properly handle loading of untrusted code fro ...) - duck 0.10 [jessie] - duck 0.7+deb8u1 - NOTE: https://anonscm.debian.org/cgit/collab-maint/duck.git/commit/?id=b43b5bbf07973c54b8f1c581a941f4facc97177a (0.10) + NOTE: https://salsa.debian.org/debian/duck/-/commit/b43b5bbf07973c54b8f1c581a941f4facc97177a (0.10) CVE-2016-1238 ((1) cpan/Archive-Tar/bin/ptar, (2) cpan/Archive-Tar/bin/ptardiff, (3) ...) {DSA-3628-1 DLA-1578-1 DLA-584-1 DLA-565-1} - perl 5.22.2-3 diff --git a/data/CVE/2017.list b/data/CVE/2017.list index bafc5c83b0..dcb1defe6c 100644 --- a/data/CVE/2017.list +++ b/data/CVE/2017.list @@ -1,5 +1,23 @@ -CVE-2017-20008 +CVE-2017-20016 RESERVED +CVE-2017-20015 + RESERVED +CVE-2017-20014 + RESERVED +CVE-2017-20013 + RESERVED +CVE-2017-20012 + RESERVED +CVE-2017-20011 + RESERVED +CVE-2017-20010 + RESERVED + NOT-FOR-US: MODX Revolution +CVE-2017-20009 + RESERVED + NOT-FOR-US: MODX Revolution +CVE-2017-20008 (The myCred WordPress plugin before 1.7.8 does not sanitise and escape ...) + NOT-FOR-US: WordPress plugin CVE-2017-20007 (Ingeteam INGEPAC DA AU AUC_1.13.0.28 (and before) web application allo ...) NOT-FOR-US: Ingeteam INGEPAC DA AU CVE-2017-20006 (UnRAR 5.6.1.2 and 5.6.1.3 has a heap-based buffer overflow in Unpack:: ...) @@ -630,9 +648,8 @@ CVE-2017-18640 (The Alias feature in SnakeYAML 1.18 allows entity expansion duri CVE-2017-18639 (Progress Sitefinity CMS before 10.1 allows XSS via /Pages Parameter : ...) NOT-FOR-US: Progress Sitefinity CMS CVE-2017-1002201 (In haml versions prior to version 5.0.0.beta.2, when using user input ...) - {DLA-1986-1} + {DLA-2864-1 DLA-1986-1} - ruby-haml 5.0.4-1 - [stretch] - ruby-haml <no-dsa> (Minor issue) NOTE: https://snyk.io/vuln/SNYK-RUBY-HAML-20362 NOTE: https://github.com/haml/haml/commit/18576ae6e9bdcb4303fdbe6b3199869d289d67c2 CVE-2017-18638 (send_email in graphite-web/webapp/graphite/composer/views.py in Graphi ...) @@ -647,9 +664,8 @@ CVE-2017-18637 CVE-2017-18636 (CDG through 2017-01-01 allows downloadDocument.jsp?command=download&am ...) NOT-FOR-US: CDG CVE-2017-18635 (An XSS vulnerability was discovered in noVNC before 0.6.2 in which the ...) - {DLA-1946-1} + {DLA-2854-1 DLA-1946-1} - novnc 1:1.0.0-1 - [stretch] - novnc <no-dsa> (Minor issue) NOTE: https://bugs.launchpad.net/horizon/+bug/1656435 NOTE: https://github.com/novnc/noVNC/commit/6048299a138e078aed210f163111698c8c526a13#diff-286f7dc7b881e942e97cd50c10898f03L534 NOTE: https://github.com/novnc/noVNC/issues/748 @@ -1246,9 +1262,8 @@ CVE-2017-18360 (In change_port_settings in drivers/usb/serial/io_ti.c in the Lin [jessie] - linux 3.16.48-1 NOTE: Fixed by: https://git.kernel.org/linus/6aeb75e6adfaed16e58780309613a578fe1ee90b CVE-2017-18359 (PostGIS 2.x before 2.3.3, as used with PostgreSQL, allows remote attac ...) - {DLA-1653-1} + {DLA-2857-1 DLA-1653-1} - postgis 2.3.3+dfsg-1 (low) - [stretch] - postgis <no-dsa> (Minor issue) NOTE: https://trac.osgeo.org/postgis/ticket/3704 NOTE: https://trac.osgeo.org/postgis/changeset/15444 NOTE: https://trac.osgeo.org/postgis/changeset/15445 @@ -5204,9 +5219,8 @@ CVE-2017-17095 (tools/pal2rgb.c in pal2rgb in LibTIFF 4.0.9 allows remote attack CVE-2017-17088 (The Enterprise version of SyncBreeze 10.2.12 and earlier is affected b ...) NOT-FOR-US: SyncBreeze CVE-2017-17087 (fileio.c in Vim prior to 8.0.1263 sets the group ownership of a .swp f ...) - {DLA-1871-1} + {DLA-2876-1 DLA-1871-1} - vim 2:8.0.1401-1 - [stretch] - vim <no-dsa> (Minor issue) [wheezy] - vim <no-dsa> (Minor issue) NOTE: https://github.com/vim/vim/commit/5a73e0ca54c77e067c3b12ea6f35e3e8681e8cf8 (8.0.1263) CVE-2017-17086 (Indeo Otter through 1.7.4 mishandles a "</script>" substring in ...) @@ -5720,15 +5734,15 @@ CVE-2017-16911 (The vhci_hcd driver in the Linux Kernel before version 4.14.8 an [stretch] - linux 4.9.80-1 NOTE: Fixed by: https://git.kernel.org/linus/2f2d0088eb93db5c649d2a5e34a3800a8a935fc5 CVE-2017-16910 (An error within the "LibRaw::xtrans_interpolate()" function (internal/ ...) + {DLA-2903-1} - libraw 0.18.6-1 - [stretch] - libraw <no-dsa> (Minor issue) [jessie] - libraw <no-dsa> (Minor issue) [wheezy] - libraw <no-dsa> (Minor issue) NOTE: https://secuniaresearch.flexerasoftware.com/secunia_research/2017-19 NOTE: https://github.com/LibRaw/LibRaw/commit/2f59bac59dbcbf6bbcf01a9f3eed74307e96ca7e CVE-2017-16909 (An error related to the "LibRaw::panasonic_load_raw()" function (dcraw ...) + {DLA-2903-1} - libraw 0.18.6-1 - [stretch] - libraw <no-dsa> (Minor issue) [jessie] - libraw <no-dsa> (Minor issue) [wheezy] - libraw <no-dsa> (Minor issue) NOTE: https://secuniaresearch.flexerasoftware.com/secunia_research/2017-19 @@ -5785,7 +5799,7 @@ CVE-2017-16896 (A SQL injection in classes/handler/public.php in the forgotpass CVE-2017-16895 (The (1) arq_updater, (2) arqcommitter, (3) standardrestorer, (4) arqgl ...) NOT-FOR-US: Arq CVE-2017-16894 (In Laravel framework through 5.5.21, remote attackers can obtain sensi ...) - NOT-FOR-US: Laravel framework + - php-laravel-framework <undetermined> CVE-2017-16893 (The application Piwigo is affected by an SQL injection vulnerability i ...) - piwigo <removed> CVE-2017-16892 (In Bftpd before 4.7, there is a memory leak in the file rename functio ...) @@ -6019,19 +6033,18 @@ CVE-2017-1000235 (I, Librarian version <=4.6 & 4.7 is vulnerable to OS Co CVE-2017-1000234 (I, Librarian version <=4.6 & 4.7 is vulnerable to Directory Enu ...) - i-librarian <itp> (bug #649291) CVE-2017-1000232 (A double-free vulnerability in str2host.c in ldns 1.7.0 have unspecifi ...) + {DLA-2910-1} - ldns 1.7.0-4 (bug #882014) - [stretch] - ldns <no-dsa> (Minor issue) [jessie] - ldns <no-dsa> (Minor issue) [wheezy] - ldns <not-affected> (Vulnerable code not present) NOTE: https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=1257 - NOTE: https://git.nlnetlabs.nl/ldns/commit/?id=3bdeed02505c9bbacb3b64a97ddcb1de967153b7 + NOTE: https://github.com/NLnetLabs/ldns/commit/3bdeed02505c9bbacb3b64a97ddcb1de967153b7 CVE-2017-1000231 (A double-free vulnerability in parse.c in ldns 1.7.0 have unspecified ...) - {DLA-1182-1} + {DLA-2910-1 DLA-1182-1} - ldns 1.7.0-4 (bug #882015) - [stretch] - ldns <no-dsa> (Minor issue) [jessie] - ldns <no-dsa> (Minor issue) NOTE: https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=1256 - NOTE: https://git.nlnetlabs.nl/ldns/commit/?id=c8391790c96d4c8a2c10f9ab1460fda83b509fc2 + NOTE: https://github.com/NLnetLabs/ldns/commit/c8391790c96d4c8a2c10f9ab1460fda83b509fc2 CVE-2017-1000229 (Integer overflow bug in function minitiff_read_info() of optipng 0.7.6 ...) {DSA-4058-1 DLA-1184-1} - optipng 0.7.6-1.1 (bug #882032) @@ -6865,8 +6878,8 @@ CVE-2017-16612 (libXcursor before 1.1.15 has various integer overflows that coul NOTE: For src:wayland originally fixed in 1.14.0-2 but the 1.15.0-1 upload NOTE: did not merge in the 1.14.0-2 upload. CVE-2017-16611 (In libXfont before 1.5.4 and libXfont2 before 2.0.3, a local attacker ...) + {DLA-2901-1} - libxfont 1:2.0.3-1 (low; bug #883929) - [stretch] - libxfont <no-dsa> (Minor issue) [jessie] - libxfont <no-dsa> (Minor issue) [wheezy] - libxfont <postponed> (Minor issue) - libxfont1 <removed> (unimportant) @@ -8330,9 +8343,9 @@ CVE-2017-16019 (GitBook is a command line tool (and Node.js library) for buildin CVE-2017-16018 (Restify is a framework for building REST APIs. Restify >=2.0.0 < ...) NOT-FOR-US: Restify CVE-2017-16017 (sanitize-html is a library for scrubbing html input for malicious valu ...) - NOT-FOR-US: sanitize-html + - node-sanitize-html <not-affected> (Fixed before initial upload) CVE-2017-16016 (Sanitize-html is a library for scrubbing html input of malicious value ...) - NOT-FOR-US: sanitize-html + - node-sanitize-html <not-affected> (Fixed before initial upload) CVE-2017-16015 (Forms is a library for easily creating HTML forms. Versions before 1.3 ...) NOT-FOR-US: Forms CVE-2017-16014 (Http-proxy is a proxying library. Because of the way errors are handle ...) @@ -11984,7 +11997,8 @@ CVE-2017-14777 CVE-2017-14776 REJECTED CVE-2017-14775 (Laravel before 5.5.10 mishandles the remember_me token verification pr ...) - NOT-FOR-US: Laravel + - php-laravel-framework <not-affected> (Fixed before initial upload to Debian) + NOTE: https://github.com/laravel/framework/pull/21320 CVE-2017-14774 RESERVED CVE-2017-14773 (Skybox Manager Client Application prior to 8.5.501 is prone to an elev ...) @@ -12505,7 +12519,7 @@ CVE-2017-14612 ("Shpock Boot Sale & Classifieds" app before 3.17.0 -- aka sh CVE-2017-14611 (SSRF (Server Side Request Forgery) in Cockpit 0.13.0 allows remote att ...) NOT-FOR-US: Cockpit CMS (different from src:cockpit) CVE-2017-14610 (bareos-dir, bareos-fd, and bareos-sd in bareos-core in Bareos 16.2.6 a ...) - - bareos <unfixed> (low; bug #877334) + - bareos <removed> (low; bug #877334) [buster] - bareos <ignored> (Minor issue) [stretch] - bareos <ignored> (Minor issue) [jessie] - bareos <no-dsa> (Minor issue) @@ -12514,9 +12528,8 @@ CVE-2017-14609 (The server daemons in Kannel 1.5.0 and earlier create a PID file - kannel <not-affected> (No real security issue in combination with start-stop-daemon from dpkg, see #877361) NOTE: https://redmine.kannel.org/issues/771 CVE-2017-14608 (In LibRaw through 0.18.4, an out of bounds read flaw related to kodak_ ...) - {DLA-1109-1} + {DLA-2903-1 DLA-1109-1} - libraw 0.18.5-1 (low) - [stretch] - libraw <no-dsa> (Minor issue) [jessie] - libraw <no-dsa> (Minor issue) NOTE: https://github.com/LibRaw/LibRaw/commit/d13e8f6d1e987b7491182040a188c16a395f1d21 NOTE: https://github.com/LibRaw/LibRaw/issues/101 @@ -13281,8 +13294,8 @@ CVE-2017-14341 (ImageMagick 7.0.6-6 has a large loop vulnerability in ReadWPGIma NOTE: https://github.com/ImageMagick/ImageMagick/commit/7d63315a64267c565d1f34b9cb523a14616fed24 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/4eae304e773bad8a876c3c26fdffac24d4253ae4 CVE-2017-14348 (LibRaw before 0.18.4 has a heap-based Buffer Overflow in the processCa ...) + {DLA-2903-1} - libraw 0.18.5-1 - [stretch] - libraw <no-dsa> (Minor issue) [jessie] - libraw <not-affected> (Vulnerable code not present) [wheezy] - libraw <not-affected> (Vulnerable code not present) NOTE: https://github.com/LibRaw/LibRaw/issues/100 @@ -13491,8 +13504,8 @@ CVE-2017-14266 (tcprewrite in Tcpreplay 3.4.4 has a Heap-Based Buffer Overflow v NOTE: are addressed with the same patch: NOTE: Patch enforce-maxpacket.patch addresses the issue CVE-2017-14265 (A Stack-based Buffer Overflow was discovered in xtrans_interpolate in ...) + {DLA-2903-1} - libraw 0.18.5-1 - [stretch] - libraw <no-dsa> (Minor issue) [jessie] - libraw <no-dsa> (Minor issue) [wheezy] - libraw <not-affected> (Vulnerable code not present) NOTE: https://github.com/LibRaw/LibRaw/issues/99 @@ -14034,9 +14047,9 @@ CVE-2017-14108 (libgedit.a in GNOME gedit through 3.22.1 allows remote attackers NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=791037 NOTE: negligible security impact CVE-2017-14107 (The _zip_read_eocd64 function in zip_open.c in libzip before 1.3.0 mis ...) + {DLA-2858-1} [experimental] - libzip 1.3.0+dfsg.1-1 - libzip 1.5.1-3 (low; bug #874010) - [stretch] - libzip <no-dsa> (Minor issue) [jessie] - libzip <no-dsa> (Minor issue) [wheezy] - libzip <no-dsa> (Minor issue) - php5 <removed> (unimportant) @@ -14508,18 +14521,18 @@ CVE-2017-13912 RESERVED CVE-2017-13911 (A configuration issue was addressed with additional restrictions. This ...) NOT-FOR-US: Apple -CVE-2017-13910 - RESERVED -CVE-2017-13909 - RESERVED -CVE-2017-13908 - RESERVED -CVE-2017-13907 - RESERVED -CVE-2017-13906 - RESERVED -CVE-2017-13905 - RESERVED +CVE-2017-13910 (An access issue was addressed with additional sandbox restrictions on ...) + NOT-FOR-US: Apple +CVE-2017-13909 (An issue existed in the storage of sensitive tokens. This issue was ad ...) + NOT-FOR-US: Apple +CVE-2017-13908 (An issue in handling file permissions was addressed with improved vali ...) + NOT-FOR-US: Apple +CVE-2017-13907 (A state management issue was addressed with improved state validation. ...) + NOT-FOR-US: Apple +CVE-2017-13906 (A memory corruption issue was addressed with improved memory handling. ...) + NOT-FOR-US: Apple +CVE-2017-13905 (A race condition was addressed with additional validation. This issue ...) + NOT-FOR-US: Apple CVE-2017-13904 (An issue was discovered in certain Apple products. iOS before 11.2 is ...) NOT-FOR-US: Apple CVE-2017-13903 (An issue was discovered in certain Apple products. iOS before 11.2.1 i ...) @@ -14544,8 +14557,8 @@ CVE-2017-13894 RESERVED CVE-2017-13893 RESERVED -CVE-2017-13892 - RESERVED +CVE-2017-13892 (An issue existed in the handling of Contact sharing. This issue was ad ...) + NOT-FOR-US: Apple CVE-2017-13891 (In iOS before 11.2, an inconsistent user interface issue was addressed ...) NOT-FOR-US: Apple CVE-2017-13890 (An issue was discovered in certain Apple products. macOS before 10.13. ...) @@ -14574,8 +14587,8 @@ CVE-2017-13882 RESERVED CVE-2017-13881 RESERVED -CVE-2017-13880 - RESERVED +CVE-2017-13880 (A memory corruption issue was addressed with improved memory handling. ...) + NOT-FOR-US: Apple CVE-2017-13879 (An issue was discovered in certain Apple products. iOS before 11.2 is ...) NOT-FOR-US: Apple CVE-2017-13878 (An issue was discovered in certain Apple products. macOS before 10.13. ...) @@ -14670,8 +14683,8 @@ CVE-2017-13837 (An issue was discovered in certain Apple products. macOS before NOT-FOR-US: Apple CVE-2017-13836 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple -CVE-2017-13835 - RESERVED +CVE-2017-13835 (A memory corruption issue was addressed with improved memory handling. ...) + NOT-FOR-US: Apple CVE-2017-13834 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-13833 (An issue was discovered in certain Apple products. macOS before 10.13. ...) @@ -15012,8 +15025,8 @@ CVE-2017-13736 (There are lots of memory leaks in the GMCommand function in magi - graphicsmagick <unfixed> (unimportant) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1484192 CVE-2017-13735 (There is a floating point exception in the kodak_radc_load_raw functio ...) + {DLA-2903-1} - libraw 0.18.5-1 (low; bug #874729) - [stretch] - libraw <no-dsa> (Minor issue) [jessie] - libraw <no-dsa> (Minor issue) [wheezy] - libraw <no-dsa> (Minor issue) NOTE: https://github.com/LibRaw/LibRaw/issues/96 @@ -18079,9 +18092,8 @@ CVE-2017-12615 (When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP CVE-2017-12614 (It was noticed an XSS in certain 404 pages that could be exploited to ...) - airflow <itp> (bug #819700) CVE-2017-12613 (When apr_time_exp*() or apr_os_exp_time*() functions are invoked with ...) - {DLA-1162-1} + {DLA-2897-1 DLA-1162-1} - apr 1.6.3-1 (low; bug #879708) - [stretch] - apr <no-dsa> (Minor issue) [jessie] - apr <no-dsa> (Minor issue) NOTE: mail-archives.apache.org/mod_mbox/apr-dev/201710.mbox/%3CCACsi252POs4toeJJciwg09_eu2cO3XFg%3DUqsPjXsfjDoeC3-UQ%40mail.gmail.com%3E NOTE: Fixed by: https://github.com/apache/apr/commit/ad958385a4180d7a83d90589689fcd36e3bbc57a @@ -21192,9 +21204,8 @@ CVE-2017-11531 (When ImageMagick 7.0.6-1 processes a crafted file in convert, it NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/c81594c6ee93581b97e8f8c743200b1366d83989 NOTE: https://github.com/ImageMagick/ImageMagick/commit/1885ab1231e82f90d3f0e839555ee3e1a441bbf8 CVE-2017-11521 (The SdpContents::Session::Medium::parse function in resip/stack/SdpCon ...) - {DLA-1439-1 DLA-1040-1} + {DLA-2865-1 DLA-1439-1 DLA-1040-1} - resiprocate <removed> (low; bug #869404) - [stretch] - resiprocate <no-dsa> (Minor issue) NOTE: https://github.com/resiprocate/resiprocate/pull/88 NOTE: https://github.com/resiprocate/resiprocate/pull/88/commits/4b8ffa5afd3291a2701f8d39c31ada443f79a5c8 CVE-2017-11520 @@ -22715,7 +22726,7 @@ CVE-2017-11073 (In android for MSM, Firefox OS for MSM, QRD Android, with all An CVE-2017-11072 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: HTC component for Android CVE-2017-11071 - RESERVED + REJECTED CVE-2017-11070 RESERVED CVE-2017-11069 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) @@ -22817,7 +22828,7 @@ CVE-2017-11022 (In android for MSM, Firefox OS for MSM, QRD Android, with all An CVE-2017-11021 RESERVED CVE-2017-11020 - RESERVED + REJECTED CVE-2017-11019 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11018 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) @@ -27676,7 +27687,7 @@ CVE-2017-9310 (QEMU (aka Quick Emulator), when built with the e1000e NIC emulati [wheezy] - qemu-kvm <not-affected> (Vulnerable code not present) NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=4154c7e03fa55b4cf52509a83d50d6c09d743b77 CVE-2017-9303 (Laravel 5.4.x before 5.4.22 does not properly constrain the host porti ...) - NOT-FOR-US: Laravel + - php-laravel-framework <not-affected> (Fixed before initial upload to Debian) CVE-2017-9302 (RealPlayer 16.0.2.32 allows remote attackers to cause a denial of serv ...) NOT-FOR-US: RealPlayer CVE-2017-9301 (plugins\audio_filter\libmpgatofixed32_plugin.dll in VideoLAN VLC media ...) @@ -27762,9 +27773,12 @@ CVE-2017-9269 (In libzypp before August 2018 GPG keys attached to YUM repositori - libzypp 17.3.1-1 (bug #899065) [jessie] - libzypp <ignored> (Minor issue) CVE-2017-9268 (In the open build service before 201707022 the wipetrigger and rebuild ...) - - open-build-service <unfixed> (low) + - open-build-service 2.9.4-1 (low) [stretch] - open-build-service <no-dsa> (Minor issue) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1045519 + NOTE: https://github.com/openSUSE/open-build-service/pull/3267 + NOTE: https://github.com/openSUSE/open-build-service/pull/3269 + NOTE: https://github.com/openSUSE/open-build-service/commit/b43efe6be46387b16c0b27cf8ee7b9ca53f905ef CVE-2017-9267 (In Novell eDirectory before 9.0.3.1 the LDAP interface was not strictl ...) NOT-FOR-US: Novell eDirectory CVE-2017-9266 @@ -32391,8 +32405,8 @@ CVE-2017-7698 (A Use After Free in the pdf2swf part of swftools 0.9.2 and earlie NOTE: https://github.com/matthiaskramm/swftools/pull/19 NOTE: Vulnerable code removed with the 0.9.2+dfs1-2 upload CVE-2017-7697 (In libsamplerate before 0.1.9, a buffer over-read occurs in the calc_o ...) + {DLA-2845-1} - libsamplerate 0.1.9-1 (bug #860159) - [stretch] - libsamplerate <no-dsa> (Minor issue) [jessie] - libsamplerate <no-dsa> (Minor issue) [wheezy] - libsamplerate <no-dsa> (Minor issue) NOTE: https://github.com/erikd/libsamplerate/issues/11 @@ -34776,19 +34790,18 @@ CVE-2017-6964 (dmcrypt-get-device, as shipped in the eject package of Debian and CVE-2017-6963 RESERVED CVE-2017-6962 (An issue was discovered in apng2gif 1.7. There is an integer overflow ...) + {DLA-2911-1} - apng2gif 1.8-0.1 (bug #854447) - [stretch] - apng2gif <no-dsa> (Minor issue; can be fixed via point release) [jessie] - apng2gif <not-affected> (Vulnerable code introduced later with refactoring) [wheezy] - apng2gif <not-affected> (Vulnerable code introduced later with refactoring) CVE-2017-6961 (An issue was discovered in apng2gif 1.7. There is improper sanitizatio ...) + {DLA-2911-1} - apng2gif 1.8-0.1 (bug #854441) - [stretch] - apng2gif <no-dsa> (Minor issue; can be fixed via point release) [jessie] - apng2gif <not-affected> (Vulnerable code introduced later with refactoring) [wheezy] - apng2gif <not-affected> (Vulnerable code introduced later with refactoring) CVE-2017-6960 (An issue was discovered in apng2gif 1.7. There is an integer overflow ...) - {DLA-2165-1 DLA-981-1} + {DLA-2911-1 DLA-2165-1 DLA-981-1} - apng2gif 1.8-0.1 (bug #854367) - [stretch] - apng2gif <no-dsa> (Minor issue; can be fixed via point release) CVE-2017-6959 REJECTED CVE-2017-6958 (An XSS vulnerability in the MantisBT Source Integration Plugin (before ...) @@ -36568,6 +36581,7 @@ CVE-2017-6312 (Integer overflow in io-ico.c in gdk-pixbuf allows context-depende NOTE: Tests: https://git.gnome.org/browse/gdk-pixbuf/commit/?id=a6303ad765882555cf1b278a09be5f9e4cf3a39d CVE-2017-6311 (gdk-pixbuf-thumbnailer.c in gdk-pixbuf allows context-dependent attack ...) - gdk-pixbuf 2.36.10-1 (bug #858491; unimportant) + [stretch] - gdk-pixbuf <ignored> (thumbnailer not installed before 2.36.5-3) [jessie] - gdk-pixbuf <not-affected> (Code introduced in 2.36.1) [wheezy] - gdk-pixbuf <not-affected> (Code introduced in 2.36.1) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=778204 @@ -45562,6 +45576,7 @@ CVE-2017-2871 (Insufficient security checks exist in the recovery procedure used CVE-2017-2870 (An exploitable integer overflow vulnerability exists in the tiff_image ...) {DLA-2043-1} - gdk-pixbuf 2.36.10-1 (unimportant; bug #873787) + [stretch] - gdk-pixbuf <ignored> (Built with GCC in Debian) NOTE: https://git.gnome.org/browse/gdk-pixbuf/commit/?id=31a6cff3dfc6944aad4612a9668b8ad39122e48b NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=770986 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=780269 @@ -46031,7 +46046,7 @@ CVE-2017-2682 (The Siemens web application RUGGEDCOM NMS < V1.2 on port 8080/ NOT-FOR-US: Siemens CVE-2017-2681 (Specially crafted PROFINET DCP packets sent on a local Ethernet segmen ...) NOT-FOR-US: Siemens -CVE-2017-2680 (Specially crafted PROFINET DCP broadcast packets could cause a Denial- ...) +CVE-2017-2680 (Specially crafted PROFINET DCP broadcast packets could cause a denial ...) NOT-FOR-US: Siemens CVE-2017-2679 REJECTED @@ -46601,8 +46616,8 @@ CVE-2017-2490 (An issue was discovered in certain Apple products. iOS before 10. NOT-FOR-US: Apple involving Kernel component CVE-2017-2489 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple involving Intel Graphics Driver -CVE-2017-2488 - RESERVED +CVE-2017-2488 (A cryptographic weakness existed in the authentication protocol of Rem ...) + NOT-FOR-US: Apple CVE-2017-2487 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple involving FontParser component CVE-2017-2486 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) @@ -46859,8 +46874,8 @@ CVE-2017-2377 (An issue was discovered in certain Apple products. iOS before 10. CVE-2017-2376 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: Not covered by security support -CVE-2017-2375 - RESERVED +CVE-2017-2375 (An issue existed in preventing the uploading of CallKit call history t ...) + NOT-FOR-US: Apple CVE-2017-2374 (An issue was discovered in certain Apple products. GarageBand before 1 ...) NOT-FOR-US: Apple CVE-2017-2373 (An issue was discovered in certain Apple products. iOS before 10.2.1 i ...) @@ -51082,10 +51097,10 @@ CVE-2017-0372 (Parameters injection in the SyntaxHighlight extension of Mediawik NOTE: https://phabricator.wikimedia.org/T158689 NOTE: https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000207.html NOTE: https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000209.html -CVE-2017-0371 - RESERVED +CVE-2017-0371 (MediaWiki before 1.23.16, 1.24.x through 1.27.x before 1.27.2, and 1.2 ...) - mediawiki 1:1.27.2-1 [wheezy] - mediawiki <end-of-life> (Not supported in Wheezy LTS) + NOTE: https://phabricator.wikimedia.org/T140591 NOTE: https://phabricator.wikimedia.org/T68404 CVE-2017-0370 (Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw were Spam b ...) - mediawiki 1:1.27.2-1 diff --git a/data/CVE/2018.list b/data/CVE/2018.list index 03cbe090b0..8d31324b2a 100644 --- a/data/CVE/2018.list +++ b/data/CVE/2018.list @@ -1,9 +1,39 @@ +CVE-2018-25030 + RESERVED +CVE-2018-25029 (The Z-Wave specification requires that S2 security can be downgraded t ...) + NOT-FOR-US: Z-Wave specification +CVE-2018-25028 (An issue was discovered in the libpulse-binding crate before 1.2.1 for ...) + NOT-FOR-US: Rust crate libpulse-binding +CVE-2018-25027 (An issue was discovered in the libpulse-binding crate before 1.2.1 for ...) + NOT-FOR-US: Rust crate libpulse-binding +CVE-2018-25026 (An issue was discovered in the actix-web crate before 0.7.15 for Rust. ...) + NOT-FOR-US: Rust crate actix-web +CVE-2018-25025 (An issue was discovered in the actix-web crate before 0.7.15 for Rust. ...) + NOT-FOR-US: Rust crate actix-web +CVE-2018-25024 (An issue was discovered in the actix-web crate before 0.7.15 for Rust. ...) + NOT-FOR-US: Rust crate actix-web +CVE-2018-25023 (An issue was discovered in the smallvec crate before 0.6.13 for Rust. ...) + - rust-smallvec 1.1.0-1 + [buster] - rust-smallvec <no-dsa> (Minor issue) + NOTE: https://rustsec.org/advisories/RUSTSEC-2018-0018.html + NOTE: https://github.com/servo/rust-smallvec/issues/126 +CVE-2018-25022 (The Onion module in toxcore before 0.2.2 doesn't restrict which packet ...) + - libtoxcore 0.2.2-1 + NOTE: https://blog.tox.chat/2018/04/security-vulnerability-and-new-toxcore-release + NOTE: https://github.com/TokTok/c-toxcore/issues/873 + NOTE: https://github.com/TokTok/c-toxcore/pull/872 +CVE-2018-25021 (The TCP Server module in toxcore before 0.2.8 doesn't free the TCP pri ...) + - libtoxcore 0.2.8-1 + NOTE: https://blog.tox.chat/2018/10/memory-leak-bug-and-new-toxcore-release-fixing-it/ + NOTE: https://github.com/TokTok/c-toxcore/issues/1214 + NOTE: https://github.com/TokTok/c-toxcore/pull/1216 +CVE-2018-25020 (The BPF subsystem in the Linux kernel before 4.17 mishandles situation ...) + - linux 4.17.3-1 + NOTE: https://git.kernel.org/linus/050fad7c4534c13c8eb1d9c2ba66012e014773cb (4.17-rc7) CVE-2018-25019 (The LearnDash LMS WordPress plugin before 2.5.4 does not have any auth ...) NOT-FOR-US: WordPress plugin CVE-2018-25018 (UnRAR 5.6.1.7 through 5.7.4 and 6.0.3 has an out-of-bounds write durin ...) - - unrar-nonfree <unfixed> (bug #990541) - [bullseye] - unrar-nonfree <no-dsa> (Non-free not supported) - [buster] - unrar-nonfree <no-dsa> (Non-free not supported) + - unrar-nonfree 1:5.6.6-1 (bug #990541) [stretch] - unrar-nonfree <no-dsa> (Non-free not supported) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9845 NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/unrar/OSV-2018-204.yaml @@ -1420,9 +1450,8 @@ CVE-2018-20723 (A cross-site scripting (XSS) vulnerability exists in color_templ CVE-2018-20722 RESERVED CVE-2018-20721 (URI_FUNC() in UriParse.c in uriparser before 0.9.1 has an out-of-bound ...) - {DLA-1682-1} + {DLA-2834-1 DLA-1682-1} - uriparser 0.9.1-1 (low) - [stretch] - uriparser <no-dsa> (Minor issue) NOTE: https://github.com/uriparser/uriparser/commit/cef25028de5ff872c2e1f0a6c562eb3ea9ecbce4 CVE-2018-20720 (ABB Relion 630 devices 1.1 before 1.1.0.C0, 1.2 before 1.2.0.B3, and 1 ...) NOT-FOR-US: ABB Relion 630 devices @@ -2525,24 +2554,24 @@ CVE-2018-20367 (The "mall some commodity details: commodity consultation" compon CVE-2018-20366 RESERVED CVE-2018-20365 (LibRaw::raw2image() in libraw_cxx.cpp has a heap-based buffer overflow ...) + {DLA-2903-1} - libraw 0.19.2-2 (bug #917111) - [stretch] - libraw <no-dsa> (Minor issue) [jessie] - libraw <not-affected> (Vulnerable code not present) NOTE: https://github.com/LibRaw/LibRaw/issues/195 NOTE: Fixed by: https://github.com/LibRaw/LibRaw/commit/7e29b9f29449fde30cc878fbb137d61c14bba3a4 NOTE: Additionally needed: https://github.com/LibRaw/LibRaw/commit/a7c17cb6bbec1e79f058d84511f9c3b142cbdfa7 NOTE: CVE-2018-20363, CVE-2018-20364 and CVE-2018-20365 have same root cause CVE-2018-20364 (LibRaw::copy_bayer in libraw_cxx.cpp in LibRaw 0.19.1 has a NULL point ...) + {DLA-2903-1} - libraw 0.19.2-2 (bug #917112) - [stretch] - libraw <no-dsa> (Minor issue) [jessie] - libraw <not-affected> (Vulnerable code not present) NOTE: https://github.com/LibRaw/LibRaw/issues/194 NOTE: Fixed by: https://github.com/LibRaw/LibRaw/commit/7e29b9f29449fde30cc878fbb137d61c14bba3a4 NOTE: Additionally needed: https://github.com/LibRaw/LibRaw/commit/a7c17cb6bbec1e79f058d84511f9c3b142cbdfa7 NOTE: CVE-2018-20363, CVE-2018-20364 and CVE-2018-20365 have same root cause CVE-2018-20363 (LibRaw::raw2image in libraw_cxx.cpp in LibRaw 0.19.1 has a NULL pointe ...) + {DLA-2903-1} - libraw 0.19.2-2 (bug #917113) - [stretch] - libraw <no-dsa> (Minor issue) [jessie] - libraw <not-affected> (Vulnerable code not present) NOTE: https://github.com/LibRaw/LibRaw/issues/193 NOTE: Fixed by: https://github.com/LibRaw/LibRaw/commit/7e29b9f29449fde30cc878fbb137d61c14bba3a4 @@ -2641,7 +2670,7 @@ CVE-2018-20338 (Zoho ManageEngine OpManager 12.3 before build 123239 allows SQL NOT-FOR-US: Zoho ManageEngine OpManager CVE-2018-20337 (There is a stack-based buffer overflow in the parse_makernote function ...) - libraw 0.19.2-1 (bug #917080) - [stretch] - libraw <no-dsa> (Minor issue) + [stretch] - libraw <not-affected> (Vulnerable code not present) [jessie] - libraw <not-affected> (Vulnerable code not present) NOTE: https://github.com/LibRaw/LibRaw/issues/192 CVE-2018-20336 (An issue was discovered in ASUSWRT 3.0.0.4.384.20308. There is a stack ...) @@ -5347,13 +5376,12 @@ CVE-2018-19475 (psi/zdevice2.c in Artifex Ghostscript before 9.26 allows remote NOTE: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=aeea342904978c9fe17d85f4906a0f6fcce2d315 (master) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=700153 CVE-2018-19518 (University of Washington IMAP Toolkit 2007f on UNIX, as used in imap_o ...) - {DSA-4353-1 DLA-1700-1 DLA-1608-1} + {DSA-4353-1 DLA-2866-1 DLA-1700-1 DLA-1608-1} - php7.3 7.3.0-1 (bug #913775) - php7.2 <removed> (bug #913835) - php7.0 <removed> (bug #913836) - php5 <removed> - uw-imap 8:2007f~dfsg-6 (bug #914632) - [stretch] - uw-imap <no-dsa> (Minor issue) NOTE: Fixed in 5.6.39, 7.0.33, 7.1.25, 7.2.13, 7.3.0 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=76428 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=77153 @@ -6409,8 +6437,8 @@ CVE-2018-19050 (MetInfo 6.1.3 has XSS via the admin/index.php?a=dogetpassword la CVE-2018-19049 RESERVED CVE-2018-19052 (An issue was discovered in mod_alias_physical_handler in mod_alias.c i ...) + {DLA-2887-1} - lighttpd 1.4.52-1 (bug #913528) - [stretch] - lighttpd <no-dsa> (Minor issue) [jessie] - lighttpd <no-dsa> (Minor issue) NOTE: https://github.com/lighttpd/lighttpd1.4/commit/2105dae0f9d7a964375ce681e53cb165375f84c1 CVE-2018-19048 (Simditor through 2.3.21 allows DOM XSS via an onload attribute within ...) @@ -6982,7 +7010,7 @@ CVE-2018-19131 (Squid before 4.4 has XSS via a crafted X.509 certificate during NOTE: Squid in Debian builds without TLS support CVE-2018-18806 (School Equipment Monitoring System 1.0 allows SQL injection via the lo ...) NOT-FOR-US: School Equipment Monitoring System -CVE-2018-18805 (PointOfSales 1.0 allows SQL injection via the login screen, related to ...) +CVE-2018-18805 (Point Of Sales 1.0 allows SQL injection via the login screen, related ...) NOT-FOR-US: PointOfSales CVE-2018-18804 (Bakeshop Inventory System 1.0 has SQL injection via the login screen, ...) NOT-FOR-US: Bakeshop Inventory System @@ -8931,9 +8959,8 @@ CVE-2018-1000807 (Python Cryptographic Authority pyopenssl version prior to vers NOTE: https://github.com/pyca/pyopenssl/pull/723 NOTE: https://github.com/pyca/pyopenssl/commit/e73818600065821d588af475b024f4eb518c3509 CVE-2018-1000805 (Paramiko version 2.4.1, 2.3.2, 2.2.3, 2.1.5, 2.0.8, 1.18.5, 1.17.6 con ...) - {DLA-1556-1} + {DLA-2860-1 DLA-1556-1} - paramiko 2.4.2-0.1 (bug #910760) - [stretch] - paramiko <no-dsa> (Minor issue) NOTE: https://github.com/paramiko/paramiko/issues/1283 NOTE: https://github.com/paramiko/paramiko/commit/56c96a659658acdbb873aef8809a7b508434dcce CVE-2018-1000804 (contiki-ng version 4 contains a Buffer Overflow vulnerability in AQL ( ...) @@ -9393,8 +9420,8 @@ CVE-2018-17877 (A lottery smart contract implementation for Greedy 599, an Ether NOT-FOR-US: Greedy 599 CVE-2018-17876 (A Stored XSS vulnerability has been discovered in the v5.5.0 version o ...) NOT-FOR-US: Coaster CMS -CVE-2018-17875 - RESERVED +CVE-2018-17875 (A remote code execution issue in the ping command on Poly Trio 8800 5. ...) + NOT-FOR-US: Poly Trio 8800 devices CVE-2018-17874 (ExpressionEngine before 4.3.5 has reflected XSS. ...) NOT-FOR-US: ExpressionEngine CVE-2018-17873 (An incorrect access control vulnerability in the FTP configuration of ...) @@ -11440,7 +11467,7 @@ CVE-2018-17038 RESERVED CVE-2018-17037 (user/editpost.php in UCMS 1.4.6 mishandles levels, which allows escala ...) NOT-FOR-US: UCMS -CVE-2018-17036 (An issue was discovered in UCMS 1.4.6. It allows PHP code injection du ...) +CVE-2018-17036 (An issue was discovered in UCMS 1.4.6 and 1.6. It allows PHP code inje ...) NOT-FOR-US: UCMS CVE-2018-17035 (UCMS 1.4.6 has SQL injection during installation via the install/index ...) NOT-FOR-US: UCMS @@ -13037,7 +13064,11 @@ CVE-2018-16474 (A stored xss in tianma-static module versions <=1.0.4 allows CVE-2018-16473 (A path traversal in takeapeek module versions <=0.2.2 allows an att ...) NOT-FOR-US: takeapeek CVE-2018-16472 (A prototype pollution attack in cached-path-relative versions <=1.0 ...) - NOT-FOR-US: cached-path-relative + - node-cached-path-relative 1.0.2-1 + [buster] - node-cached-path-relative <no-dsa> (Minor issue) + NOTE: https://hackerone.com/reports/390847 + NOTE: https://github.com/ashaffer/cached-path-relative/issues/3 + NOTE: Fixed by: https://github.com/ashaffer/cached-path-relative/commit/a43cffec84ed0e9eceecb43b534b6937a8028fc0 CVE-2018-16471 (There is a possible XSS vulnerability in Rack before 2.0.6 and 1.6.11. ...) {DLA-1585-1} - ruby-rack 1.6.4-6 (bug #913005) @@ -13535,8 +13566,14 @@ CVE-2018-16303 (PDF-XChange Editor through 7.0.326.1 allows remote attackers to NOT-FOR-US: PDF-XChange Editor CVE-2018-16302 (MediaComm Zip-n-Go before 4.95 has a Buffer Overflow via a crafted fil ...) NOT-FOR-US: MediaComm Zip-n-Go -CVE-2018-16301 - REJECTED +CVE-2018-16301 (The command-line argument parser in tcpdump before 4.99.0 has a buffer ...) + - tcpdump 4.99.0-1 (unimportant) + NOTE: https://github.com/the-tcpdump-group/libpcap/issues/855 + NOTE: https://github.com/the-tcpdump-group/tcpdump/commit/ad7c25bc0decf96dc7768c9e903734d38528b1bd + NOTE: https://www.tcpdump.org/public-cve-list.txt + NOTE: Fixed by: https://github.com/the-tcpdump-group/tcpdump/commit/faf8fb70af3a013e5d662b8283dec742fd6b1a77 (tcpdump-4.99-bp) + NOTE: Fixed by: https://github.com/the-tcpdump-group/tcpdump/commit/8ab211a7ec728bb0ad8c766c8eeb12deb0a13b86 (tcpdump-4.9) + NOTE: Negligible security impact CVE-2018-16300 (The BGP parser in tcpdump before 4.9.3 allows stack consumption in pri ...) {DSA-4547-1 DLA-1955-1} - tcpdump 4.9.3-1 (bug #941698) @@ -16380,7 +16417,7 @@ CVE-2018-15135 CVE-2018-15134 RESERVED CVE-2018-15133 (In Laravel Framework through 5.5.40 and 5.6.x through 5.6.29, remote c ...) - NOT-FOR-US: Laravel + - php-laravel-framework <not-affected> (Fixed before initial upload to Debian) CVE-2018-15132 (An issue was discovered in ext/standard/link_win32.c in PHP before 5.6 ...) - php7.2 <not-affected> (Windows-specific) - php7.1 <not-affected> (Windows-specific) @@ -19639,25 +19676,25 @@ CVE-2018-13981 (The websites that were built from Zeta Producer Desktop CMS befo CVE-2018-13980 (The websites that were built from Zeta Producer Desktop CMS before 14. ...) NOT-FOR-US: Zeta Producer Desktop CMS CVE-2018-13979 - RESERVED + REJECTED CVE-2018-13978 - RESERVED + REJECTED CVE-2018-13977 - RESERVED + REJECTED CVE-2018-13976 - RESERVED + REJECTED CVE-2018-13975 - RESERVED + REJECTED CVE-2018-13974 - RESERVED + REJECTED CVE-2018-13973 - RESERVED + REJECTED CVE-2018-13972 - RESERVED + REJECTED CVE-2018-13971 - RESERVED + REJECTED CVE-2018-13970 - RESERVED + REJECTED CVE-2018-13969 REJECTED CVE-2018-13968 @@ -22524,12 +22561,8 @@ CVE-2018-12702 (The approveAndCallcode function of a smart contract implementati NOT-FOR-US: Globalvillage ecosystem CVE-2018-12701 RESERVED -CVE-2018-12700 (A Stack Exhaustion issue was discovered in debug_write_type in debug.c ...) - - binutils 2.32.51.20190707-1 (unimportant) - NOTE: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85454 - NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=23057 - NOTE: Fixed by: https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=03e51746ed98d9106803f6009ebd71ea670ad3b9 - NOTE: binutils not covered by security support +CVE-2018-12700 + REJECTED CVE-2018-12699 (finish_stab in stabs.c in GNU Binutils 2.30 allows attackers to cause ...) - binutils 2.32.51.20190707-1 (unimportant) NOTE: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85454 @@ -22993,9 +23026,8 @@ CVE-2018-12586 CVE-2018-12585 (An XXE vulnerability in the OPC UA Java and .NET Legacy Stack can allo ...) NOT-FOR-US: OPC UA Java and .NET Legacy Stack CVE-2018-12584 (The ConnectionBase::preparseNewBytes function in resip/stack/Connectio ...) - {DLA-1439-1} + {DLA-2865-1 DLA-1439-1} - resiprocate <removed> (bug #905495) - [stretch] - resiprocate <no-dsa> (Minor issue) NOTE: http://joachimdezutter.webredirect.org/advisory.html NOTE: https://github.com/resiprocate/resiprocate/commit/2cb291191c93c7c4e371e22cb89805a5b31d6608 CVE-2018-12583 (An issue was discovered in AKCMS 6.1. CSRF can delete an article via a ...) @@ -24656,7 +24688,7 @@ CVE-2018-12021 (Singularity 2.3.0 through 2.5.1 is affected by an incorrect acce - singularity-container 2.5.2-1 NOTE: https://github.com/singularityware/singularity/releases/tag/2.5.2 CVE-2018-12020 (mainproc.c in GnuPG before 2.2.8 mishandles the original filename duri ...) - {DSA-4224-1 DSA-4223-1 DSA-4222-1} + {DSA-4224-1 DSA-4223-1 DSA-4222-1 DLA-2862-1} - enigmail 2:2.0.7-1 [jessie] - enigmail <end-of-life> (see https://lists.debian.org/debian-lts-announce/2019/02/msg00002.html) - gnupg2 2.2.8-1 @@ -24804,7 +24836,7 @@ CVE-2018-11956 (In all android releases(Android for MSM, Firefox OS for MSM, QRD CVE-2018-11955 (Lack of check on length of reason-code fetched from payload may lead d ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11954 - RESERVED + REJECTED CVE-2018-11953 (While processing ssid IE length from remote AP, possible out-of-bounds ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11952 @@ -25039,7 +25071,7 @@ CVE-2018-11839 CVE-2018-11838 (Possible double free issue in WLAN due to lack of checking memory free ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11837 - RESERVED + REJECTED CVE-2018-11836 (In all android releases (Android for MSM, Firefox OS for MSM, QRD Andr ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-11835 @@ -25463,11 +25495,17 @@ CVE-2018-11727 (** DISPUTED ** The libfsntfs_attribute_read_from_mft function in NOTE: https://github.com/libyal/libfsntfs/commit/7a17c43be39919227b4fe24684a8a29a90ee54ad NOTE: Negligable/questionable security impact CVE-2018-11726 (The mobi_decode_font_resource function in util.c in Libmobi 0.3 allows ...) - NOT-FOR-US: Libmobi + - libmobi <not-affected> (Fixed before initial upload to Debian) + NOTE: https://seclists.org/fulldisclosure/2018/May/48 + NOTE: https://github.com/bfabiszewski/libmobi/commit/6904ebc247f01b5fe27d58c5dbb27e38af8449fb (v0.4) CVE-2018-11725 (The mobi_parse_index_entry function in index.c in Libmobi 0.3 allows r ...) - NOT-FOR-US: Libmobi + - libmobi <not-affected> (Fixed before initial upload to Debian) + NOTE: https://seclists.org/fulldisclosure/2018/May/48 + NOTE: https://github.com/bfabiszewski/libmobi/commit/c625698e297ac877eb4bc0d35cd0e605253c33e5 (v0.4) CVE-2018-11724 (The mobi_pk1_decrypt function in encryption.c in Libmobi 0.3 allows re ...) - NOT-FOR-US: Libmobi + - libmobi <not-affected> (Fixed before initial upload to Debian) + NOTE: https://seclists.org/fulldisclosure/2018/May/48 + NOTE: https://github.com/bfabiszewski/libmobi/commit/b5657d7e2357782147a80a4d63a4b5fb7c05305f (v0.4) CVE-2018-11723 (** DISPUTED ** The libpff_name_to_id_map_entry_read function in libpff ...) - libpff 20180714-1 (low; bug #901967) [stretch] - libpff <no-dsa> (Minor issue) @@ -25579,7 +25617,7 @@ CVE-2018-11691 (Emerson DeltaV Smart Switch Command Center application, availabl NOT-FOR-US: Emerson devices CVE-2018-11690 (The Balbooa Gridbox extension version 2.4.0 and previous versions for ...) NOT-FOR-US: Balbooa Gridbox extension for Joomla! -CVE-2018-11689 (Smart Viewer in Samsung Web Viewer for Samsung DVR is vulnerable to cr ...) +CVE-2018-11689 (Web Viewer for Hanwha DVR 2.17 and Smart Viewer in Samsung Web Viewer ...) NOT-FOR-US: Smart Viewer in Samsung Web Viewer for Samsung DVR CVE-2018-11688 (Ignite Realtime Openfire before 3.9.2 is vulnerable to cross-site scri ...) NOT-FOR-US: Ignite Realtime Openfire @@ -26237,19 +26275,26 @@ CVE-2018-11439 (The TagLib::Ogg::FLAC::File::scan function in oggflacfile.cpp in NOTE: Pull request: https://github.com/taglib/taglib/pull/869 NOTE: Upstream fix: https://github.com/taglib/taglib/commit/2c4ae870ec086f2ddd21a47861a3709c36faac45 CVE-2018-11438 (The mobi_decompress_lz77 function in compression.c in Libmobi 0.3 allo ...) - NOT-FOR-US: Libmobi + - libmobi <not-affected> (Fixed before/with initial upload to Debian) + NOTE: https://seclists.org/fulldisclosure/2018/May/48 CVE-2018-11437 (The mobi_reconstruct_parts function in parse_rawml.c in Libmobi 0.3 al ...) - NOT-FOR-US: Libmobi + - libmobi <not-affected> (Fixed before/with initial upload to Debian) + NOTE: https://seclists.org/fulldisclosure/2018/May/48 CVE-2018-11436 (The buffer_addraw function in buffer.c in Libmobi 0.3 allows remote at ...) - NOT-FOR-US: Libmobi + - libmobi <not-affected> (Fixed before/with initial upload to Debian) + NOTE: https://seclists.org/fulldisclosure/2018/May/48 CVE-2018-11435 (The mobi_decompress_huffman_internal function in compression.c in Libm ...) - NOT-FOR-US: Libmobi + - libmobi <not-affected> (Fixed before/with initial upload to Debian) + NOTE: https://seclists.org/fulldisclosure/2018/May/48 CVE-2018-11434 (The buffer_fill64 function in compression.c in Libmobi 0.3 allows remo ...) - NOT-FOR-US: Libmobi + - libmobi <not-affected> (Fixed before/with initial upload to Debian) + NOTE: https://seclists.org/fulldisclosure/2018/May/48 CVE-2018-11433 (The mobi_get_kf8boundary_seqnumber function in util.c in Libmobi 0.3 a ...) - NOT-FOR-US: Libmobi + - libmobi <not-affected> (Fixed before/with initial upload to Debian) + NOTE: https://seclists.org/fulldisclosure/2018/May/48 CVE-2018-11432 (The mobi_parse_mobiheader function in read.c in Libmobi 0.3 allows rem ...) - NOT-FOR-US: Libmobi + - libmobi <not-affected> (Fixed before/with initial upload to Debian) + NOTE: https://seclists.org/fulldisclosure/2018/May/48 CVE-2018-11431 RESERVED CVE-2018-11430 (An issue was discovered in the Moderator Log Notes plugin 1.1 for MyBB ...) @@ -28824,14 +28869,14 @@ CVE-2018-10530 RESERVED CVE-2018-10529 (An issue was discovered in LibRaw 0.18.9. There is an out-of-bounds re ...) - libraw 0.18.11-1 (low; bug #897186) - [stretch] - libraw <no-dsa> (Minor issue) + [stretch] - libraw <not-affected> (Vulnerable code not present) [jessie] - libraw <no-dsa> (Minor issue) [wheezy] - libraw <no-dsa> (Minor issue) NOTE: https://github.com/LibRaw/LibRaw/commit/f0c505a3e5d47989a5f69be2d0d4f250af6b1a6c NOTE: https://github.com/LibRaw/LibRaw/issues/144 CVE-2018-10528 (An issue was discovered in LibRaw 0.18.9. There is a stack-based buffe ...) - libraw 0.18.11-1 (low; bug #897185) - [stretch] - libraw <no-dsa> (Minor issue) + [stretch] - libraw <not-affected> (Vulnerable code not present) [jessie] - libraw <no-dsa> (Minor issue) [wheezy] - libraw <no-dsa> (Minor issue) NOTE: https://github.com/LibRaw/LibRaw/commit/895529fc2f2eb8bc633edd6b04b5b237eb4db564 @@ -29530,8 +29575,8 @@ CVE-2018-10230 (Zend Debugger in Zend Server before 9.1.3 has XSS, aka ZSR-2455. NOT-FOR-US: Zend Server CVE-2018-10229 (A hardware vulnerability in GPU memory modules allows attackers to acc ...) NOT-FOR-US: GPU memory hardware issue -CVE-2018-10228 - RESERVED +CVE-2018-10228 (Cross-site scripting (XSS) vulnerability in /application/controller/ad ...) + - limesurvey <itp> (bug #472802) CVE-2018-10227 (MiniCMS v1.10 has XSS via the mc-admin/conf.php site_link parameter. ...) NOT-FOR-US: MiniCMS CVE-2018-10226 @@ -29604,8 +29649,8 @@ CVE-2018-10196 (NULL pointer dereference vulnerability in the rebuild_vlists fun NOTE: https://gitlab.com/graphviz/graphviz/issues/1367 NOTE: https://issuetracker.google.com/issues/77810342 CVE-2018-10195 (lrzsz before version 0.12.21~rc can leak information to the receiving ...) + {DLA-2900-1} - lrzsz 0.12.21-10 (low; bug #897010) - [stretch] - lrzsz <no-dsa> (Minor issue) [jessie] - lrzsz <no-dsa> (Minor issue) [wheezy] - lrzsz <no-dsa> (Minor issue) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1090051 @@ -35592,9 +35637,8 @@ CVE-2018-7751 (The svg_probe function in libavformat/img2dec.c in FFmpeg through - libav <not-affected> (Vulnerable code not present) NOTE: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/a6cba062051f345e8ebfdff34aba071ed73d923f CVE-2018-7750 (transport.py in the SSH server implementation of Paramiko before 1.17. ...) - {DLA-1556-1} + {DLA-2860-1 DLA-1556-1} - paramiko 2.4.2-0.1 (bug #892859) - [stretch] - paramiko <no-dsa> (Minor issue) [wheezy] - paramiko <no-dsa> (Minor issue) NOTE: https://github.com/paramiko/paramiko/issues/1175 NOTE: https://github.com/paramiko/paramiko/commit/fa29bd8446c8eab237f5187d28787727b4610516 @@ -39801,7 +39845,7 @@ CVE-2018-6332 (A potential denial-of-service issue in the Proxygen handling of i CVE-2018-6331 (Buck parser-cache command loads/saves state using Java serialized obje ...) NOT-FOR-US: Buck parser-cache CVE-2018-6330 (Laravel 5.4.15 is vulnerable to Error based SQL injection in save.php ...) - NOT-FOR-US: Laravel Framework + - php-laravel-framework <undetermined> CVE-2018-6329 (It was discovered that the Unitrends Backup (UB) before 10.1.0 libbpex ...) NOT-FOR-US: Unitrends Backup CVE-2018-6328 (It was discovered that the Unitrends Backup (UB) before 10.1.0 user in ...) @@ -41360,21 +41404,18 @@ CVE-2018-5821 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android CVE-2018-5820 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with ...) NOT-FOR-US: Qualcomm components for Android CVE-2018-5819 (An error within the "parse_sinar_ia()" function (internal/dcraw_common ...) - {DLA-1734-1} + {DLA-2903-1 DLA-1734-1} - libraw 0.19.1-1 - [stretch] - libraw <no-dsa> (Minor issue) NOTE: https://www.flexera.com/company/secunia-research/advisories/SR-2018-27.html NOTE: https://github.com/LibRaw/LibRaw/commit/9eb76dc153f5acf42ec7325a33fe7ccdcadaf8d6 CVE-2018-5818 (An error within the "parse_rollei()" function (internal/dcraw_common.c ...) - {DLA-1734-1} + {DLA-2903-1 DLA-1734-1} - libraw 0.19.1-1 - [stretch] - libraw <no-dsa> (Minor issue) NOTE: https://www.flexera.com/company/secunia-research/advisories/SR-2018-27.html NOTE: https://github.com/LibRaw/LibRaw/commit/9eb76dc153f5acf42ec7325a33fe7ccdcadaf8d6 CVE-2018-5817 (A type confusion error within the "unpacked_load_raw()" function withi ...) - {DLA-1734-1} + {DLA-2903-1 DLA-1734-1} - libraw 0.19.1-1 - [stretch] - libraw <no-dsa> (Minor issue) NOTE: https://www.flexera.com/company/secunia-research/advisories/SR-2018-27.html NOTE: https://github.com/LibRaw/LibRaw/commit/9eb76dc153f5acf42ec7325a33fe7ccdcadaf8d6 CVE-2018-5816 (An integer overflow error within the "identify()" function (internal/d ...) @@ -41384,8 +41425,8 @@ CVE-2018-5816 (An integer overflow error within the "identify()" function (inter NOTE: http://seclists.org/bugtraq/2018/Jul/58 NOTE: Issue caused by an incomplete fix for CVE-2018-5804 CVE-2018-5815 (An integer overflow error within the "parse_qt()" function (internal/d ...) + {DLA-2903-1} - libraw 0.18.13-1 (low) - [stretch] - libraw <no-dsa> (Minor issue) [jessie] - libraw <no-dsa> (Minor issue) NOTE: http://seclists.org/bugtraq/2018/Jul/58 CVE-2018-5814 (In the Linux Kernel before version 4.16.11, 4.14.43, 4.9.102, and 4.4. ...) @@ -41395,55 +41436,54 @@ CVE-2018-5814 (In the Linux Kernel before version 4.16.11, 4.14.43, 4.9.102, and NOTE: https://git.kernel.org/linus/22076557b07c12086eeb16b8ce2b0b735f7a27e7 NOTE: https://git.kernel.org/linus/c171654caa875919be3c533d3518da8be5be966e CVE-2018-5813 (An error within the "parse_minolta()" function (dcraw/dcraw.c) in LibR ...) + {DLA-2903-1} - libraw 0.18.11-1 (low) - [stretch] - libraw <no-dsa> (Minor issue) [jessie] - libraw <no-dsa> (Minor issue) NOTE: https://secuniaresearch.flexerasoftware.com/secunia_research/2018-13/ CVE-2018-5812 (An error within the "nikon_coolscan_load_raw()" function (internal/dcr ...) + {DLA-2903-1} - libraw 0.18.11-1 - [stretch] - libraw <no-dsa> (Minor issue) [jessie] - libraw <not-affected> (Vulnerable code not present) NOTE: https://secuniaresearch.flexerasoftware.com/secunia_research/2018-10/ CVE-2018-5811 (An error within the "nikon_coolscan_load_raw()" function (internal/dcr ...) + {DLA-2903-1} - libraw 0.18.11-1 - [stretch] - libraw <no-dsa> (Minor issue) [jessie] - libraw <not-affected> (Vulnerable code not present) NOTE: https://secuniaresearch.flexerasoftware.com/secunia_research/2018-10/ CVE-2018-5810 (An error within the "rollei_load_raw()" function (internal/dcraw_commo ...) + {DLA-2903-1} - libraw 0.18.11-1 - [stretch] - libraw <no-dsa> (Minor issue) [jessie] - libraw <no-dsa> (Minor issue) NOTE: https://secuniaresearch.flexerasoftware.com/secunia_research/2018-10/ CVE-2018-5809 (An error within the "LibRaw::parse_exif()" function (internal/dcraw_co ...) - libraw 0.18.11-1 - [stretch] - libraw <no-dsa> (Minor issue) + [stretch] - libraw <not-affected> (Vulnerable code not present) [jessie] - libraw <not-affected> (Vulnerable code not present) NOTE: https://secuniaresearch.flexerasoftware.com/secunia_research/2018-9/ NOTE: https://github.com/LibRaw/LibRaw/commit/fd6330292501983ac75fe4162275794b18445bd9 CVE-2018-5808 (An error within the "find_green()" function (internal/dcraw_common.cpp ...) - {DLA-1734-1} + {DLA-2903-1 DLA-1734-1} - libraw 0.18.11-1 - [stretch] - libraw <no-dsa> (Minor issue) NOTE: https://secuniaresearch.flexerasoftware.com/secunia_research/2018-9/ NOTE: https://github.com/LibRaw/LibRaw/commit/fd6330292501983ac75fe4162275794b18445bd9 CVE-2018-5807 (An error within the "samsung_load_raw()" function (internal/dcraw_comm ...) + {DLA-2903-1} - libraw 0.18.11-1 - [stretch] - libraw <no-dsa> (Minor issue) [jessie] - libraw <no-dsa> (Minor issue) NOTE: https://secuniaresearch.flexerasoftware.com/secunia_research/2018-10/ CVE-2018-5806 (An error within the "leaf_hdr_load_raw()" function (internal/dcraw_com ...) + {DLA-2903-1} - libraw 0.18.8-1 (low) - [stretch] - libraw <no-dsa> (Minor issue) [jessie] - libraw <no-dsa> (Minor issue) NOTE: https://secuniaresearch.flexerasoftware.com/secunia_research/2018-03 CVE-2018-5805 (A boundary error within the "quicktake_100_load_raw()" function (inter ...) + {DLA-2903-1} - libraw 0.18.8-1 (low) - [stretch] - libraw <no-dsa> (Minor issue) [jessie] - libraw <no-dsa> (Minor issue) NOTE: https://secuniaresearch.flexerasoftware.com/secunia_research/2018-03 CVE-2018-5804 (A type confusion error within the "identify()" function (internal/dcra ...) + {DLA-2903-1} - libraw 0.18.8-1 (low) - [stretch] - libraw <no-dsa> (Minor issue) [jessie] - libraw <no-dsa> (Minor issue) NOTE: https://secuniaresearch.flexerasoftware.com/secunia_research/2018-03 CVE-2018-5803 (In the Linux Kernel before version 4.15.8, 4.14.25, 4.9.87, 4.4.121, 4 ...) @@ -41451,23 +41491,20 @@ CVE-2018-5803 (In the Linux Kernel before version 4.15.8, 4.14.25, 4.9.87, 4.4.1 - linux 4.15.11-1 NOTE: Fixed by: https://git.kernel.org/linus/07f2c7ab6f8d0a7e7c5764c4e6cc9c52951b9d9c CVE-2018-5802 (An error within the "kodak_radc_load_raw()" function (internal/dcraw_c ...) - {DLA-1734-1} + {DLA-2903-1 DLA-1734-1} - libraw 0.18.7-1 - [stretch] - libraw <no-dsa> (Minor issue) [wheezy] - libraw <ignored> (Minor issue) NOTE: https://packetstormsecurity.com/files/146172/secunia-libraw.txt NOTE: https://github.com/LibRaw/LibRaw/commit/8682ad204392b914ab1cc6ebcca9c27c19c1a4b4 CVE-2018-5801 (An error within the "LibRaw::unpack()" function (src/libraw_cxx.cpp) i ...) - {DLA-1734-1} + {DLA-2903-1 DLA-1734-1} - libraw 0.18.7-1 - [stretch] - libraw <no-dsa> (Minor issue) [wheezy] - libraw <ignored> (Minor issue) NOTE: https://packetstormsecurity.com/files/146172/secunia-libraw.txt NOTE: https://github.com/LibRaw/LibRaw/commit/8682ad204392b914ab1cc6ebcca9c27c19c1a4b4 CVE-2018-5800 (An off-by-one error within the "LibRaw::kodak_ycbcr_load_raw()" functi ...) - {DLA-1734-1} + {DLA-2903-1 DLA-1734-1} - libraw 0.18.7-1 - [stretch] - libraw <no-dsa> (Minor issue) [wheezy] - libraw <ignored> (Minor issue) NOTE: https://packetstormsecurity.com/files/146172/secunia-libraw.txt NOTE: https://github.com/LibRaw/LibRaw/commit/8682ad204392b914ab1cc6ebcca9c27c19c1a4b4 @@ -41581,9 +41618,8 @@ CVE-2018-5766 (In Libav through 12.2, there is an invalid memcpy in the av_packe CVE-2018-5765 RESERVED CVE-2018-5764 (The parse_arguments function in options.c in rsyncd in rsync before 3. ...) - {DLA-1725-1 DLA-1247-1} + {DLA-2833-1 DLA-1725-1 DLA-1247-1} - rsync 3.1.2-2.2 (bug #887588) - [stretch] - rsync <no-dsa> (Minor issue) NOTE: https://git.samba.org/rsync.git/?p=rsync.git;a=commit;h=7706303828fcde524222babb2833864a4bd09e07 CVE-2018-5763 (An issue was discovered in OXID eShop Enterprise Edition before 5.3.7 ...) NOT-FOR-US: OXID eShop Enterprise Edition @@ -44792,8 +44828,8 @@ CVE-2018-4480 RESERVED CVE-2018-4479 RESERVED -CVE-2018-4478 - RESERVED +CVE-2018-4478 (A validation issue was addressed with improved logic. This issue is fi ...) + NOT-FOR-US: Apple CVE-2018-4477 RESERVED CVE-2018-4476 @@ -45206,8 +45242,8 @@ CVE-2018-4304 (A denial of service issue was addressed with improved validation. NOT-FOR-US: Apple CVE-2018-4303 (An input validation issue was addressed with improved input validation ...) NOT-FOR-US: Apple -CVE-2018-4302 - RESERVED +CVE-2018-4302 (A null pointer dereference was addressed with improved validation. Thi ...) + NOT-FOR-US: Apple CVE-2018-4301 RESERVED NOT-FOR-US: Apple @@ -52261,7 +52297,10 @@ CVE-2018-1281 (The clustered setup of Apache MXNet allows users to specify which CVE-2018-1280 (Pivotal Greenplum Command Center versions 2.x prior to 2.5.1 contains ...) NOT-FOR-US: Pivotal CVE-2018-1279 (Pivotal RabbitMQ for PCF, all versions, uses a deterministically gener ...) - - rabbitmq-server <not-affected> (Specific to RabbitMQ setup in Pivotal, see bug #924768) + - rabbitmq-server 3.9.8-5 (bug #924768) + [bullseye] - rabbitmq-server <no-dsa> (Minor issue) + [buster] - rabbitmq-server <no-dsa> (Minor issue) + [stretch] - rabbitmq-server <postponed> (Minor issue; documentation-only fix) NOTE: https://pivotal.io/security/cve-2018-1279 CVE-2018-1278 (Apps Manager included in Pivotal Application Service, versions 1.12.x ...) NOT-FOR-US: Pivotal @@ -52996,9 +53035,8 @@ CVE-2018-1057 (On a Samba 4 AD DC the LDAP server in all versions of Samba from NOTE: https://www.samba.org/samba/security/CVE-2018-1057.html NOTE: https://wiki.samba.org/index.php/CVE-2018-1057 CVE-2018-1056 (An out-of-bounds heap buffer read flaw was found in the way advancecom ...) - {DLA-1702-1 DLA-1281-1} + {DLA-2868-1 DLA-1702-1 DLA-1281-1} - advancecomp 2.1-1 (bug #889270) - [stretch] - advancecomp <no-dsa> (Minor issue, can be fixed via point release) NOTE: https://sourceforge.net/p/advancemame/bugs/259/ NOTE: https://github.com/amadvance/advancecomp/commit/7deeafc02b29cc51d51079e66f4f43f986ff9cc5 CVE-2018-1055 diff --git a/data/CVE/2019.list b/data/CVE/2019.list index 3353b738b3..5458ea22b4 100644 --- a/data/CVE/2019.list +++ b/data/CVE/2019.list @@ -1,3 +1,13 @@ +CVE-2019-25057 (In Corda before 4.1, the meaning of serialized data can be modified vi ...) + NOT-FOR-US: Corda +CVE-2019-25056 (In Bromite through 78.0.3904.130, there are adblock rules in the relea ...) + NOT-FOR-US: Bromite +CVE-2019-25055 (An issue was discovered in the libpulse-binding crate before 2.6.0 for ...) + NOT-FOR-US: Rust crate libpulse-binding +CVE-2019-25054 (An issue was discovered in the pnet crate before 0.27.2 for Rust. Ther ...) + NOT-FOR-US: Rust crate pnet +CVE-2019-25053 + RESERVED CVE-2019-25052 (In Linaro OP-TEE before 3.7.0, by using inconsistent or malformed data ...) NOT-FOR-US: Linaro/OP-TEE OP-TEE CVE-2019-25051 (objstack in GNU Aspell 0.60.8 has a heap-based buffer overflow in acom ...) @@ -545,9 +555,9 @@ CVE-2019-20808 (In QEMU 4.1.0, an out-of-bounds read flaw was found in the ATI V [jessie] - qemu <not-affected> (Vulnerable code introduced later) NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=aab0e2a661b2b6bf7915c0aefe807fb60d6d9d13 (v4.2.0-rc0) CVE-2019-20807 (In Vim before 8.1.0881, users can circumvent the rvim restricted mode ...) + {DLA-2876-1} - vim 2:8.1.2136-1 [buster] - vim <no-dsa> (Minor issue) - [stretch] - vim <no-dsa> (Minor issue) [jessie] - vim <no-dsa> (Minor issue) NOTE: https://github.com/vim/vim/commit/8c62a08faf89663e5633dc5036cd8695c80f1075 CVE-2019-20806 (An issue was discovered in the Linux kernel before 5.2. There is a NUL ...) @@ -972,11 +982,12 @@ CVE-2019-20630 (An issue was discovered in libgpac.a in GPAC before 0.8.0, as de NOTE: https://github.com/gpac/gpac/issues/1268 CVE-2019-20629 (An issue was discovered in libgpac.a in GPAC before 0.8.0, as demonstr ...) - gpac 1.0.1+dfsg1-2 (bug #972053) - [buster] - gpac <no-dsa> (Minor issue) - [stretch] - gpac <no-dsa> (Minor issue) + [buster] - gpac <not-affected> (Vulnerable code introduced later, in version 0.8.0) + [stretch] - gpac <not-affected> (Vulnerable code introduced later, in version 0.8.0) [jessie] - gpac <ignored> (Minor issue) - NOTE: https://github.com/gpac/gpac/commit/2320eb73afba753b39b7147be91f7be7afc0eeb7 NOTE: https://github.com/gpac/gpac/issues/1264 + NOTE: Introduced by: https://github.com/gpac/gpac/commit/bb002ad4f92d216f8ab7c8466102279ef8af6f88 (v0.8.0) + NOTE: Fixed by: qhttps://github.com/gpac/gpac/commit/2320eb73afba753b39b7147be91f7be7afc0eeb7 (v0.9.0-preview) CVE-2019-20628 (An issue was discovered in libgpac.a in GPAC before 0.8.0, as demonstr ...) - gpac 1.0.1+dfsg1-2 (bug #972053) [buster] - gpac <no-dsa> (Minor issue) @@ -2190,10 +2201,11 @@ CVE-2019-20166 (An issue was discovered in GPAC version 0.8.0 and 0.9.0-developm CVE-2019-20165 (An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20 ...) {DLA-2072-1} - gpac 1.0.1+dfsg1-2 (bug #972053) - [buster] - gpac <no-dsa> (Minor issue) - [stretch] - gpac <no-dsa> (Minor issue) + [buster] - gpac <not-affected> (Vulnerable code introduced later, in version 0.8.0) + [stretch] - gpac <not-affected> (Vulnerable code introduced later, in version 0.8.0) NOTE: https://github.com/gpac/gpac/issues/1338 NOTE: https://github.com/gpac/gpac/commit/5250afecbc770c8f26829e9566d5b226a3c5fa80 (chunk #1) + NOTE: Introduced by https://github.com/gpac/gpac/commit/86d072b6a13baa1a4a90168098a0f8354c24d8cf CVE-2019-20164 (An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20 ...) - gpac <not-affected> (Vulnerable code introduced in 0.7.0) NOTE: https://github.com/gpac/gpac/issues/1332 @@ -2427,8 +2439,8 @@ CVE-2019-20084 RESERVED CVE-2019-20083 RESERVED -CVE-2019-20082 - RESERVED +CVE-2019-20082 (ASUS RT-N53 3.0.0.4.376.3754 devices have a buffer overflow via a long ...) + NOT-FOR-US: ASUS CVE-2019-20081 RESERVED CVE-2019-20080 @@ -3497,11 +3509,14 @@ CVE-2019-19729 (An issue was discovered in the BSON ObjectID (aka bson-objectid) CVE-2019-19728 (SchedMD Slurm before 18.08.9 and 19.x before 19.05.5 executes srun --u ...) {DSA-4841-1} - slurm-llnl 19.05.5-1 - [stretch] - slurm-llnl <no-dsa> (Minor issue) + [stretch] - slurm-llnl <ignored> (Minor issue, fix introduces regression, upstream refuses access to bug tracker) [jessie] - slurm-llnl <ignored> (Minor issue, fix introduces regression, upstream refuses access to bug tracker) NOTE: https://github.com/SchedMD/slurm/commit/5ac031b2ef5462f6e8e47dad0247bd474614c118 NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1159692 + NOTE: https://bugs.schedmd.com/show_bug.cgi?id=8084 NOTE: Fixed upstream in 18.08.9, 19.05.5 + NOTE: regression: running 'srun --uid ...' can lock the node 'alloc' state, requiring manually reset + NOTE: (with 'nobody' in stretch, with all users in jessie) CVE-2019-19727 (SchedMD Slurm before 18.08.9 and 19.x before 19.05.5 has weak slurmdbd ...) - slurm-llnl 19.05.5-1 (unimportant) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1155784 @@ -4209,10 +4224,9 @@ CVE-2019-19480 (An issue was discovered in OpenSC through 0.19.0 and 0.20.x thro NOTE: fixes are not related "directly" to the CVE assignment for the incorrect NOTE: free operation in sc_pkcs15_decode_prkdf_entry. CVE-2019-19479 (An issue was discovered in OpenSC through 0.19.0 and 0.20.x through 0. ...) - {DLA-2046-1} + {DLA-2832-1 DLA-2046-1} - opensc 0.20.0-1 (bug #947383) [buster] - opensc <no-dsa> (Minor issue) - [stretch] - opensc <no-dsa> (Minor issue) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18693 NOTE: https://github.com/OpenSC/OpenSC/commit/c3f23b836e5a1766c36617fe1da30d22f7b63de2 CVE-2019-19478 @@ -4407,7 +4421,7 @@ CVE-2019-19393 (The Web application on Rittal CMC PU III 7030.000 V3.00 V3.11.00 CVE-2019-19392 (The forDNN.UsersExportImport module before 1.2.0 for DNN (formerly Dot ...) NOT-FOR-US: forDNN.UsersExportImport module for DNN CVE-2019-19391 (** DISPUTED ** In LuaJIT through 2.0.5, as used in Moonjit before 2.1. ...) - - luajit <unfixed> (bug #946053; unimportant) + - luajit 2.1.0~beta3+git20210112+dfsg-2 (bug #946053; unimportant) NOTE: https://github.com/LuaJIT/LuaJIT/pull/526 NOTE: Negligible security impact. The debug library is unsafe per se and one is NOTE: not supposed to release an application with the debug library. @@ -5065,8 +5079,8 @@ CVE-2019-19140 RESERVED CVE-2019-19139 RESERVED -CVE-2019-19138 - RESERVED +CVE-2019-19138 (Ivanti Workspace Control before 10.4.50.0 allows attackers to degrade ...) + NOT-FOR-US: Ivanti CVE-2019-19137 RESERVED CVE-2019-19136 @@ -6043,9 +6057,8 @@ CVE-2019-18805 (An issue was discovered in net/ipv4/sysctl_net_ipv4.c in the Lin [jessie] - linux <not-affected> (Vulnerable code introduced later) NOTE: https://git.kernel.org/linus/19fad20d15a6494f47f85d869f00b11343ee5c78 CVE-2019-18804 (DjVuLibre 3.5.27 has a NULL pointer dereference in the function DJVU:: ...) - {DLA-2667-1 DLA-1985-1} + {DSA-5032-1 DLA-2667-1 DLA-1985-1} - djvulibre 3.5.27.1-14 (bug #945114) - [buster] - djvulibre <no-dsa> (Minor issue) NOTE: https://sourceforge.net/p/djvu/bugs/309/ NOTE: https://sourceforge.net/p/djvu/djvulibre-git/ci/c8bec6549c10ffaa2f2fbad8bbc629efdf0dd125/ CVE-2019-18803 @@ -8985,10 +8998,9 @@ CVE-2019-17546 (tif_getimage.c in LibTIFF through 4.0.10, as used in GDAL throug NOTE: https://gitlab.com/libtiff/libtiff/commit/4bb584a35f87af42d6cf09d15e9ce8909a839145 NOTE: gdal uses system libtiff libraries since 2.0.1+dfsg-1~exp1 (#684233) CVE-2019-17545 (GDAL through 3.0.1 has a poolDestroy double free in OGRExpatRealloc in ...) - {DLA-1984-1} + {DLA-2877-1 DLA-1984-1} - gdal 2.4.2+dfsg-2 (low) [buster] - gdal <no-dsa> (Minor issue) - [stretch] - gdal <no-dsa> (Minor issue) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16178 NOTE: https://github.com/OSGeo/gdal/commit/148115fcc40f1651a5d15fa34c9a8c528e7147bb CVE-2019-17544 (libaspell.a in GNU Aspell before 0.60.8 has a stack-based buffer over- ...) @@ -9133,12 +9145,11 @@ CVE-2019-17500 CVE-2019-17499 (The setter.xml component of the Common Gateway Interface on Compal CH7 ...) NOT-FOR-US: Compal CH7465LG devices CVE-2019-17498 (In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic i ...) - {DLA-1991-1} + {DLA-2848-1 DLA-1991-1} - libssh2 1.9.0-1 (low; bug #943562) [buster] - libssh2 <no-dsa> (Minor issue) - [stretch] - libssh2 <no-dsa> (Minor issue) NOTE: https://github.com/libssh2/libssh2/commit/dedcbd106f8e52d5586b0205bc7677e4c9868f9c - NOTE: https://blog.semmle.com/libssh2-integer-overflow-CVE-2019-17498/ + NOTE: https://securitylab.github.com/research/libssh2-integer-overflow-CVE-2019-17498/ NOTE: Backported SUSE patch for versions <= 1.8.0 (including struct string_buf, NOTE: and the functions _libssh2_check_length(), _libssh2_get_u32() and NOTE: libssh2_get_string(), forming part of the fix): @@ -10176,16 +10187,14 @@ CVE-2019-17044 (An issue was discovered in BMC Patrol Agent 9.0.10i. Weak execut CVE-2019-17043 (An issue was discovered in BMC Patrol Agent 9.0.10i. Weak execution pe ...) NOT-FOR-US: BMC Patrol Agent CVE-2019-17042 (An issue was discovered in Rsyslog v8.1908.0. contrib/pmcisconames/pmc ...) - {DLA-1952-1} + {DLA-2835-1 DLA-1952-1} - rsyslog 8.1910.0-1 (bug #942065) [buster] - rsyslog <no-dsa> (Minor issue, pmcisconames module not loaded by default) - [stretch] - rsyslog <no-dsa> (Minor issue, pmcisconames module not loaded by default) NOTE: https://github.com/rsyslog/rsyslog/pull/3883 CVE-2019-17041 (An issue was discovered in Rsyslog v8.1908.0. contrib/pmaixforwardedfr ...) - {DLA-1952-1} + {DLA-2835-1 DLA-1952-1} - rsyslog 8.1910.0-1 (bug #942067) [buster] - rsyslog <no-dsa> (Minor issue, pmaixforwardedfrom module not loaded by default) - [stretch] - rsyslog <no-dsa> (Minor issue, pmaixforwardedfrom module not loaded by default) NOTE: https://github.com/rsyslog/rsyslog/pull/3884 CVE-2019-17040 (contrib/pmdb2diag/pmdb2diag.c in Rsyslog v8.1908.0 allows out-of-bound ...) - rsyslog 8.1910.0-1 (unimportant) @@ -10726,8 +10735,8 @@ CVE-2019-16865 (An issue was discovered in Pillow before 6.2.0. When reading spe NOTE: https://github.com/python-pillow/Pillow/commit/f228d0ccbf6bf9392d7fcd51356ef2cfda80c75a NOTE: https://github.com/python-pillow/Pillow/commit/b9693a51c99c260bd66d1affeeab4a226cf7e5a5 NOTE: https://github.com/python-pillow/Pillow/commit/cc16025e234b7a7a4dd3a86d2fdc0980698db9cc -CVE-2019-16864 - RESERVED +CVE-2019-16864 (CompleteFTPService.exe in the server in EnterpriseDT CompleteFTP befor ...) + NOT-FOR-US: EnterpriseDT CompleteFTP CVE-2019-16863 (STMicroelectronics ST33TPHF2ESPI TPM devices before 2019-09-12 allow a ...) NOT-FOR-US: STMicroelectronics CVE-2019-16862 (Reflected XSS in interface/forms/eye_mag/view.php in OpenEMR 5.x befor ...) @@ -11964,7 +11973,9 @@ CVE-2019-16330 (In NCH Express Accounts Accounting v7.02, persistent cross site CVE-2019-16329 RESERVED CVE-2019-16328 (In RPyC 4.1.x through 4.1.1, a remote attacker can dynamically modify ...) - - rpyc <removed> + - rpyc <not-affected> (Vulnerable code newer in a released Debian version) + NOTE: Issue only affected 4.1.0 and 4.1.1 upstream and fixed in 4.1.2 + NOTE: https://rpyc.readthedocs.io/en/latest/docs/security.html#security CVE-2019-16327 (D-Link DIR-601 B1 2.00NA devices are vulnerable to authentication bypa ...) NOT-FOR-US: D-Link CVE-2019-16326 (D-Link DIR-601 B1 2.00NA devices have CSRF because no anti-CSRF token ...) @@ -12410,12 +12421,14 @@ CVE-2019-16167 (sysstat before 12.1.6 has memory corruption due to an Integer Ov NOTE: Introduced after: https://github.com/sysstat/sysstat/commit/65ac30359e49ee717397e39950d7c24a6610d57c (v11.7.1) NOTE: Fixed by: https://github.com/sysstat/sysstat/commit/edbf507678bf10914e9804ff8a06737fdcb2e781 CVE-2019-16166 (GNU cflow through 1.6 has a heap-based buffer over-read in the nexttok ...) - - cflow <unfixed> (unimportant; bug #939916) + - cflow 1:1.6-6 (unimportant; bug #939916) NOTE: https://lists.gnu.org/archive/html/bug-cflow/2019-04/msg00000.html + NOTE: https://git.savannah.gnu.org/cgit/cflow.git/commit/?id=b9a7cd5e9d4efb54141dd0d11c319bb97a4600c6 NOTE: Crash in CLI tool, no security impact CVE-2019-16165 (GNU cflow through 1.6 has a use-after-free in the reference function i ...) - - cflow <unfixed> (unimportant; bug #939915) + - cflow 1:1.6-6 (unimportant; bug #939915) NOTE: https://lists.gnu.org/archive/html/bug-cflow/2019-04/msg00001.html + NOTE: https://git.savannah.gnu.org/cgit/cflow.git/commit/?id=b9a7cd5e9d4efb54141dd0d11c319bb97a4600c6 NOTE: Crash in CLI tool, no security impact CVE-2019-16164 (MyHTML through 4.0.5 has a NULL pointer dereference in myhtml_tree_nod ...) NOT-FOR-US: MyHTML @@ -12910,16 +12923,14 @@ CVE-2019-15948 (Texas Instruments CC256x and WL18xx dual-mode Bluetooth controll CVE-2019-15947 (In Bitcoin Core 0.18.0, bitcoin-qt stores wallet.dat data unencrypted ...) - bitcoin 0.20.1~dfsg-1 (bug #939608) CVE-2019-15946 (OpenSC before 0.20.0-rc1 has an out-of-bounds access of an ASN.1 Octet ...) - {DLA-1916-1} + {DLA-2832-1 DLA-1916-1} - opensc 0.20.0-1 (bug #939669) [buster] - opensc <no-dsa> (Minor issue) - [stretch] - opensc <no-dsa> (Minor issue) NOTE: https://github.com/OpenSC/OpenSC/commit/a3fc7693f3a035a8a7921cffb98432944bb42740 CVE-2019-15945 (OpenSC before 0.20.0-rc1 has an out-of-bounds access of an ASN.1 Bitst ...) - {DLA-1916-1} + {DLA-2832-1 DLA-1916-1} - opensc 0.20.0-1 (bug #939668) [buster] - opensc <no-dsa> (Minor issue) - [stretch] - opensc <no-dsa> (Minor issue) NOTE: https://github.com/OpenSC/OpenSC/commit/412a6142c27a5973c61ba540e33cdc22d5608e68 CVE-2019-15944 (In Counter-Strike: Global Offensive before 8/29/2019, community game s ...) NOT-FOR-US: Counter-Strike: Global Offensive @@ -14076,10 +14087,9 @@ CVE-2019-15533 (XENFCoreSharp before 2019-07-16 allows SQL injection in web/veri CVE-2019-15532 (CyberChef before 8.31.2 allows XSS in core/operations/TextEncodingBrut ...) NOT-FOR-US: CyberChef CVE-2019-15531 (GNU Libextractor through 1.9 has a heap-based buffer over-read in the ...) - {DLA-1904-1} + {DLA-2851-1 DLA-1904-1} - libextractor 1:1.9-2 (bug #935553) [buster] - libextractor <no-dsa> (Minor issue) - [stretch] - libextractor <no-dsa> (Minor issue) NOTE: https://bugs.gnunet.org/view.php?id=5846 NOTE: https://git.gnunet.org/libextractor.git/commit/?id=d2b032452241708bee68d02aa02092cfbfba951a CVE-2019-15530 (An issue was discovered on D-Link DIR-823G devices with firmware V1.0. ...) @@ -14900,10 +14910,9 @@ CVE-2019-15166 (lmp_print_data_link_subobjs() in print-lmp.c in tcpdump before 4 - tcpdump 4.9.3-1 (bug #941698) NOTE: https://github.com/the-tcpdump-group/tcpdump/commit/0b661e0aa61850234b64394585cf577aac570bf4 CVE-2019-15165 (sf-pcapng.c in libpcap before 1.9.1 does not properly validate the PHB ...) - {DLA-1967-1} + {DLA-2850-1 DLA-1967-1} - libpcap 1.9.1-1 (low; bug #941697) [buster] - libpcap <ignored> (Minor issue) - [stretch] - libpcap <ignored> (Minor issue) NOTE: https://github.com/the-tcpdump-group/libpcap/commit/87d6bef033062f969e70fa40c43dfd945d5a20ab NOTE: https://github.com/the-tcpdump-group/libpcap/commit/a5a36d9e82dde7265e38fe1f87b7f11c461c29f6 CVE-2019-15164 (rpcapd/daemon.c in libpcap before 1.9.1 allows SSRF because a URL may ...) @@ -14970,27 +14979,23 @@ CVE-2019-15147 (GoPro GPMF-parser 1.2.2 has an out-of-bounds read and SEGV in GP CVE-2019-15146 (GoPro GPMF-parser 1.2.2 has a heap-based buffer over-read (4 bytes) in ...) NOT-FOR-US: gpmf-parser CVE-2019-15145 (DjVuLibre 3.5.27 allows attackers to cause a denial-of-service attack ...) - {DLA-2667-1 DLA-1902-1} + {DSA-5032-1 DLA-2667-1 DLA-1902-1} - djvulibre 3.5.27.1-11 (low) - [buster] - djvulibre <no-dsa> (Minor issue) NOTE: https://sourceforge.net/p/djvu/bugs/298/ NOTE: https://sourceforge.net/p/djvu/djvulibre-git/ci/9658b01431cd7ff6344d7787f855179e73fe81a7/ CVE-2019-15144 (In DjVuLibre 3.5.27, the sorting functionality (aka GArrayTemplate< ...) - {DLA-2667-1 DLA-1902-1} + {DSA-5032-1 DLA-2667-1 DLA-1902-1} - djvulibre 3.5.27.1-11 (low) - [buster] - djvulibre <no-dsa> (Minor issue) NOTE: https://sourceforge.net/p/djvu/bugs/299/ NOTE: https://sourceforge.net/p/djvu/djvulibre-git/ci/e15d51510048927f172f1bf1f27ede65907d940d/ CVE-2019-15143 (In DjVuLibre 3.5.27, the bitmap reader component allows attackers to c ...) - {DLA-2667-1 DLA-1902-1} + {DSA-5032-1 DLA-2667-1 DLA-1902-1} - djvulibre 3.5.27.1-11 (low) - [buster] - djvulibre <no-dsa> (Minor issue) NOTE: https://sourceforge.net/p/djvu/bugs/297/ NOTE: https://sourceforge.net/p/djvu/djvulibre-git/ci/b1f4e1b2187d9e5010cd01ceccf20b4a11ce723f/ CVE-2019-15142 (In DjVuLibre 3.5.27, DjVmDir.cpp in the DJVU reader component allows a ...) - {DLA-2667-1 DLA-1902-1} + {DSA-5032-1 DLA-2667-1 DLA-1902-1} - djvulibre 3.5.27.1-11 (low) - [buster] - djvulibre <no-dsa> (Minor issue) NOTE: https://sourceforge.net/p/djvu/bugs/296/ NOTE: https://sourceforge.net/p/djvu/djvulibre-git/ci/970fb11a296b5bbdc5e8425851253d2c5913c45e/ CVE-2019-15141 (WriteTIFFImage in coders/tiff.c in ImageMagick 7.0.8-43 Q16 allows att ...) @@ -15206,7 +15211,7 @@ CVE-2019-15060 (The traceroute function on the TP-Link TL-WR840N v4 router with CVE-2019-15059 (In Liberty lisPBX 2.0-4, configuration backup files can be retrieved r ...) NOT-FOR-US: Liberty lisPBX CVE-2019-15058 (stb_image.h (aka the stb image loader) 2.23 has a heap-based buffer ov ...) - - libstb <unfixed> (bug #934973) + - libstb 0.0~git20210910.af1a5bc+ds-1 (bug #934973) [bullseye] - libstb <no-dsa> (Minor issue) [buster] - libstb <no-dsa> (Minor issue) NOTE: https://github.com/nothings/stb/issues/790 @@ -16465,7 +16470,7 @@ CVE-2019-14666 (GLPI through 9.4.3 is prone to account takeover by abusing the a NOTE: https://github.com/glpi-project/glpi/security/advisories/GHSA-47hq-pfrr-jh5q NOTE: Only supported behind an authenticated HTTP zone CVE-2019-14665 (Brandy 1.20.1 has a heap-based buffer overflow in define_array in vari ...) - - brandy <unfixed> (unimportant; bug #933996) + - brandy 1.22.13-1 (unimportant; bug #933996) NOTE: https://sourceforge.net/p/brandy/bugs/8/ NOTE: Negligible security impact CVE-2019-14664 (In Enigmail below 2.1, an attacker in possession of PGP encrypted emai ...) @@ -16473,11 +16478,11 @@ CVE-2019-14664 (In Enigmail below 2.1, an attacker in possession of PGP encrypte [jessie] - enigmail <end-of-life> (see https://lists.debian.org/debian-lts-announce/2019/02/msg00002.html) NOTE: https://sourceforge.net/p/enigmail/bugs/984/ CVE-2019-14663 (Brandy 1.20.1 has a stack-based buffer overflow in fileio_openin in fi ...) - - brandy <unfixed> (unimportant; bug #933996) + - brandy 1.22.13-1 (unimportant; bug #933996) NOTE: https://sourceforge.net/p/brandy/bugs/6/ NOTE: Negligible security impact CVE-2019-14662 (Brandy 1.20.1 has a stack-based buffer overflow in fileio_openout in f ...) - - brandy <unfixed> (unimportant; bug #933996) + - brandy 1.22.13-1 (unimportant; bug #933996) NOTE: https://sourceforge.net/p/brandy/bugs/7/ NOTE: Negligible security impact CVE-2019-14661 @@ -16874,7 +16879,7 @@ CVE-2019-14513 (Improper bounds checking in Dnsmasq before 2.76 allows an attack CVE-2019-14512 (LimeSurvey 3.17.7+190627 has XSS via Boxes in application/extensions/P ...) - limesurvey <itp> (bug #472802) CVE-2019-14511 (Sphinx Technologies Sphinx 3.1.1 by default has no authentication and ...) - - sphinxsearch <unfixed> (unimportant; bug #939762) + - sphinxsearch 2.2.11-4 (unimportant; bug #939762) NOTE: Issue is just with the default configuration, but can be easily reconfigured NOTE: to listen on localhost only. sphinxsearch will not be started automatically NOTE: and an admin needs first to create anyway a /etc/sphinxsearch/sphinx.conf @@ -17867,123 +17872,123 @@ CVE-2019-14192 (An issue was discovered in Das U-Boot through 2019.07. There is NOTE: https://blog.semmle.com/uboot-rce-nfs-vulnerability/ NOTE: https://gitlab.denx.de/u-boot/u-boot/commit/fe7288069d2e6659117049f7d27e261b550bb725 CVE-2019-14191 - RESERVED + REJECTED CVE-2019-14190 - RESERVED + REJECTED CVE-2019-14189 - RESERVED + REJECTED CVE-2019-14188 - RESERVED + REJECTED CVE-2019-14187 - RESERVED + REJECTED CVE-2019-14186 - RESERVED + REJECTED CVE-2019-14185 - RESERVED + REJECTED CVE-2019-14184 - RESERVED + REJECTED CVE-2019-14183 - RESERVED + REJECTED CVE-2019-14182 - RESERVED + REJECTED CVE-2019-14181 - RESERVED + REJECTED CVE-2019-14180 - RESERVED + REJECTED CVE-2019-14179 - RESERVED + REJECTED CVE-2019-14178 - RESERVED + REJECTED CVE-2019-14177 - RESERVED + REJECTED CVE-2019-14176 - RESERVED + REJECTED CVE-2019-14175 - RESERVED + REJECTED CVE-2019-14174 - RESERVED + REJECTED CVE-2019-14173 - RESERVED + REJECTED CVE-2019-14172 - RESERVED + REJECTED CVE-2019-14171 - RESERVED + REJECTED CVE-2019-14170 - RESERVED + REJECTED CVE-2019-14169 - RESERVED + REJECTED CVE-2019-14168 - RESERVED + REJECTED CVE-2019-14167 - RESERVED + REJECTED CVE-2019-14166 - RESERVED + REJECTED CVE-2019-14165 - RESERVED + REJECTED CVE-2019-14164 - RESERVED + REJECTED CVE-2019-14163 - RESERVED + REJECTED CVE-2019-14162 - RESERVED + REJECTED CVE-2019-14161 - RESERVED + REJECTED CVE-2019-14160 - RESERVED + REJECTED CVE-2019-14159 - RESERVED + REJECTED CVE-2019-14158 - RESERVED + REJECTED CVE-2019-14157 - RESERVED + REJECTED CVE-2019-14156 - RESERVED + REJECTED CVE-2019-14155 - RESERVED + REJECTED CVE-2019-14154 - RESERVED + REJECTED CVE-2019-14153 - RESERVED + REJECTED CVE-2019-14152 - RESERVED + REJECTED CVE-2019-14151 - RESERVED + REJECTED CVE-2019-14150 - RESERVED + REJECTED CVE-2019-14149 - RESERVED + REJECTED CVE-2019-14148 - RESERVED + REJECTED CVE-2019-14147 - RESERVED + REJECTED CVE-2019-14146 - RESERVED + REJECTED CVE-2019-14145 - RESERVED + REJECTED CVE-2019-14144 - RESERVED + REJECTED CVE-2019-14143 - RESERVED + REJECTED CVE-2019-14142 - RESERVED + REJECTED CVE-2019-14141 - RESERVED + REJECTED CVE-2019-14140 - RESERVED + REJECTED CVE-2019-14139 - RESERVED + REJECTED CVE-2019-14138 - RESERVED + REJECTED CVE-2019-14137 - RESERVED + REJECTED CVE-2019-14136 - RESERVED + REJECTED CVE-2019-14135 (Possible integer overflow to buffer overflow in WLAN while parsing non ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14134 (Possible out of bound access in WLAN handler when the received value o ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14133 - RESERVED + REJECTED CVE-2019-14132 (Buffer over-write when this 0-byte buffer is typecasted to some other ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14131 (Out of bound write can occur in radio measurement request if STA recei ...) @@ -17993,13 +17998,13 @@ CVE-2019-14130 (Memory corruption can occurs in trusted application if offset si CVE-2019-14129 RESERVED CVE-2019-14128 - RESERVED + REJECTED CVE-2019-14127 (Possible buffer overflow while playing mkv clip due to lack of validat ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14126 - RESERVED + REJECTED CVE-2019-14125 - RESERVED + REJECTED CVE-2019-14124 (Memory failure in content protection module due to not having pointer ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14123 (Possible buffer overflow and over read possible due to missing bounds ...) @@ -18013,7 +18018,7 @@ CVE-2019-14120 CVE-2019-14119 (u'While processing SMCInvoke asynchronous message header, message coun ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14118 - RESERVED + REJECTED CVE-2019-14117 (u'Whenever the page list is updated via privileged user, the previous ...) NOT-FOR-US: Snapdragon CVE-2019-14116 (Privilege escalation by using an altered debug policy image can occur ...) @@ -18031,21 +18036,21 @@ CVE-2019-14111 (Possible buffer overflow while handling NAN reception of NMF in CVE-2019-14110 (Buffer overflow can occur in function wlan firmware while copying asso ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14109 - RESERVED + REJECTED CVE-2019-14108 RESERVED CVE-2019-14107 - RESERVED + REJECTED CVE-2019-14106 - RESERVED + REJECTED CVE-2019-14105 (Kernel was reading the CSL defined reserved field as uint16 instead of ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14104 (Slab-out-of-bounds access can occur if the context pointer is invalid ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14103 - RESERVED + REJECTED CVE-2019-14102 - RESERVED + REJECTED CVE-2019-14101 (Out of bounds read can happen in diag event set mask command handler w ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14100 (Register write via debugfs is disabled by default to prevent register ...) @@ -18057,7 +18062,7 @@ CVE-2019-14098 (Possible buffer overflow in data offload handler due to lack of CVE-2019-14097 (Possible buffer overflow in WLAN Parser due to lack of length check wh ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14096 - RESERVED + REJECTED CVE-2019-14095 (Buffer overflow occurs while processing LMP packet in which name lengt ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14094 (Integer overflow in diag command handler when user inputs a large valu ...) @@ -18081,7 +18086,7 @@ CVE-2019-14086 (Possible integer overflow while checking the length of frame whi CVE-2019-14085 (Possible Integer underflow in WLAN function due to lack of check of da ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14084 - RESERVED + REJECTED CVE-2019-14083 (While parsing Service Descriptor Extended Attribute received as part o ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14082 (Potential buffer over-read due to lack of bound check of memory offset ...) @@ -18121,7 +18126,7 @@ CVE-2019-14066 (Integer overflow in calculating estimated output buffer size whe CVE-2019-14065 (u'Pointer double free in HavenSvc due to not setting the pointer to NU ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-14064 - RESERVED + REJECTED CVE-2019-14063 (Out of bound access due to Invalid inputs to dapm mux settings which r ...) NOT-FOR-US: Snapdragon CVE-2019-14062 (Buffer overflows while decoding setup message from Network due to lack ...) @@ -18133,7 +18138,7 @@ CVE-2019-14060 (Uninitialized stack data gets used If memory is not allocated fo CVE-2019-14059 RESERVED CVE-2019-14058 - RESERVED + REJECTED CVE-2019-14057 (Buffer Over read of codec private data while parsing an mkv file due t ...) NOT-FOR-US: Snapdragon CVE-2019-14056 (u'Possible integer overflow in API due to lack of check on large oid r ...) @@ -18255,15 +18260,15 @@ CVE-2019-13999 (u'Lack of check for integer overflow for round up and addition o CVE-2019-13998 (u'Lack of check that the TX FIFO write and read indices that are read ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-13997 - RESERVED + REJECTED CVE-2019-13996 - RESERVED + REJECTED CVE-2019-13995 (u'Lack of integer overflow check for addition of fragment size and rem ...) NOT-FOR-US: Snapdragon CVE-2019-13994 (u'Lack of check that the current received data fragment size of a part ...) NOT-FOR-US: Snapdragon CVE-2019-13993 - RESERVED + REJECTED CVE-2019-13992 (u'Out of bound memory access if stack push and pop operation are perfo ...) NOT-FOR-US: Snapdragon CVE-2019-13991 (Embedded systems based on Arduino before Rev3 allow remote attackers t ...) @@ -18405,7 +18410,7 @@ CVE-2019-13935 (Improper Neutralization of Input During Web Page Generation ('Cr NOT-FOR-US: Siemens CVE-2019-13934 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) NOT-FOR-US: Siemens -CVE-2019-13933 (A vulnerability has been identified in SCALANCE X-200RNA switch family ...) +CVE-2019-13933 (A vulnerability has been identified in SCALANCE X-300 switch family (i ...) NOT-FOR-US: Siemens CVE-2019-13932 (A vulnerability has been identified in XHQ (All versions < V6.0.0.2 ...) NOT-FOR-US: Siemens @@ -20672,11 +20677,10 @@ CVE-2019-13117 (In numbers.c in libxslt 1.1.33, an xsl:number with certain forma CVE-2019-13116 (The MuleSoft Mule Community Edition runtime engine before 3.8 allows r ...) NOT-FOR-US: MuleSoft Mule CVE-2019-13115 (In libssh2 before 1.9.0, kex_method_diffie_hellman_group_exchange_sha2 ...) - {DLA-1730-3} + {DLA-2848-1 DLA-1730-3} - libssh2 1.9.0-1 (bug #932329) [buster] - libssh2 <no-dsa> (Minor issue) - [stretch] - libssh2 <no-dsa> (Minor issue) - NOTE: https://blog.semmle.com/libssh2-integer-overflow/ + NOTE: https://securitylab.github.com/research/libssh2-integer-overflow/ NOTE: https://github.com/libssh2/libssh2/pull/350 NOTE: https://github.com/libssh2/libssh2/commit/ff1b155731ff8f790f12d980911d9fd84d0e1598 CVE-2019-13114 (http.c in Exiv2 through 0.27.1 allows a malicious http server to cause ...) @@ -21440,9 +21444,8 @@ CVE-2019-12840 (In Webmin through 1.910, any user authorized to the "Package Upd CVE-2019-12839 (In OrangeHRM 4.3.1 and before, there is an input validation error with ...) NOT-FOR-US: OrangeHRM CVE-2019-12838 (SchedMD Slurm 17.11.x, 18.08.0 through 18.08.7, and 19.05.0 allows SQL ...) - {DSA-4572-1 DLA-2143-1} + {DSA-4572-1 DLA-2886-1 DLA-2143-1} - slurm-llnl 19.05.3.2-1 (bug #931880) - [stretch] - slurm-llnl <no-dsa> (Too intrusive to backport) NOTE: https://github.com/SchedMD/slurm/commit/afa7d743f407c60a7c8a4bd98a10be32c82988b5 NOTE: https://lists.schedmd.com/pipermail/slurm-announce/2019/000025.html CVE-2019-12837 (The Java API in accesuniversitat.gencat.cat 1.7.5 allows remote attack ...) @@ -23522,6 +23525,7 @@ CVE-2019-12067 (The ahci_commit_buf function in ide/ahci.c in QEMU allows attack NOTE: patch not sanctioned as of 20210202 NOTE: patched function introduced in 2014/2.1.50 but affected code pre-existed NOTE: https://github.com/qemu/qemu/commit/659142ecf71a0da240ab0ff7cf929ee25c32b9bc + NOTE: No upstream patch as of 2022-01-28 CVE-2019-12066 RESERVED CVE-2019-12065 @@ -25270,14 +25274,12 @@ CVE-2019-11457 (Multiple CSRF issues exist in MicroPyramid Django CRM 0.2.1 via CVE-2019-11456 (Gila CMS 1.10.1 allows fm/save CSRF for executing arbitrary PHP code. ...) NOT-FOR-US: Gila CMS CVE-2019-11455 (A buffer over-read in Util_urlDecode in util.c in Tildeslash Monit bef ...) - {DLA-1767-1} + {DLA-2855-1 DLA-1767-1} - monit 1:5.25.3-1 (bug #927775) - [stretch] - monit <no-dsa> (Minor issue) NOTE: https://bitbucket.org/tildeslash/monit/commits/f12d0cdb42d4e74dffe1525d4062c815c48ac57a CVE-2019-11454 (Persistent cross-site scripting (XSS) in http/cervlet.c in Tildeslash ...) - {DLA-1767-1} + {DLA-2855-1 DLA-1767-1} - monit 1:5.25.3-1 (bug #927775) - [stretch] - monit <no-dsa> (Minor issue) NOTE: https://bitbucket.org/tildeslash/monit/commits/1a8295eab6815072a18019b668fe084945b751f3 NOTE: https://bitbucket.org/tildeslash/monit/commits/328f60773057641c4b2075fab9820145e95b728c CVE-2019-11453 @@ -26157,7 +26159,7 @@ CVE-2019-11099 CVE-2019-11098 (Insufficient input validation in MdeModulePkg in EDKII may allow an un ...) [experimental] - edk2 2021.02-1 - edk2 2020.11-5 (bug #991495) - [bullseye] - edk2 <no-dsa> (Minor issue) + [bullseye] - edk2 2020.11-2+deb11u1 [buster] - edk2 <no-dsa> (Minor issue) [stretch] - edk2 <no-dsa> (Minor issue) NOTE: https://edk2-docs.gitbook.io/security-advisory/bootguard-toctou-vulnerability @@ -26681,7 +26683,7 @@ CVE-2019-10936 (A vulnerability has been identified in Development/Evaluation Ki NOT-FOR-US: Siemens CVE-2019-10935 (A vulnerability has been identified in SIMATIC PCS 7 V8.0 and earlier ...) NOT-FOR-US: Siemens -CVE-2019-10934 (A vulnerability has been identified in TIA Portal V14 (All versions &l ...) +CVE-2019-10934 (A vulnerability has been identified in TIA Portal V14 (All versions), ...) NOT-FOR-US: Siemens CVE-2019-10933 (A vulnerability has been identified in Spectrum Power 3 (Corporate Use ...) NOT-FOR-US: Siemens @@ -27611,7 +27613,7 @@ CVE-2019-10621 (Use after free issue when MAP and UNMAP calls at same time as da CVE-2019-10620 (Kernel memory error in debug module due to improper check of user data ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-10619 - RESERVED + REJECTED CVE-2019-10618 (Driver may access an invalid address while processing IO control due t ...) NOT-FOR-US: Snapdragon CVE-2019-10617 (Low privilege users can access service configuration which contains re ...) @@ -27623,7 +27625,7 @@ CVE-2019-10615 (u'Possibility of integer overflow in keymaster 4 while allocatin CVE-2019-10614 (Out of boundary access is possible as there is no validation of data a ...) NOT-FOR-US: Snapdragon CVE-2019-10613 - RESERVED + REJECTED CVE-2019-10612 (UTCB object has a function pointer called by the reaper to deallocate ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-10611 (Buffer overflow can occur while processing clip due to lack of check o ...) @@ -27651,7 +27653,7 @@ CVE-2019-10601 (Out of bound access can occur while processing firmware event du CVE-2019-10600 (Use of local variable as argument to netlink CB callback goes out of i ...) NOT-FOR-US: Snapdragon CVE-2019-10599 - RESERVED + REJECTED CVE-2019-10598 (Out of bound access can occur while processing peer info in IBSS conne ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-10597 (kernel writes to user passed address without any checks can lead to ar ...) @@ -27703,7 +27705,7 @@ CVE-2019-10575 (Wlan binary which is not signed with OEMs RoT is working on secu CVE-2019-10574 (Lack of boundary checks for data offsets received from HLOS can lead t ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-10573 - RESERVED + REJECTED CVE-2019-10572 (Improper check in video driver while processing data from video firmwa ...) NOT-FOR-US: Snapdragon CVE-2019-10571 (Snapshot of IB can lead to invalid address access due to missing check ...) @@ -27713,7 +27715,7 @@ CVE-2019-10570 CVE-2019-10569 (Stack buffer overflow due to instance id is misplaced inside definitio ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-10568 - RESERVED + REJECTED CVE-2019-10567 (There is a way to deceive the GPU kernel driver into thinking there is ...) NOT-FOR-US: Snapdragon CVE-2019-10566 (Buffer overflow can occur in wlan module if supported rates or extende ...) @@ -27729,7 +27731,7 @@ CVE-2019-10562 (u'Improper authentication and signature verification of debug po CVE-2019-10561 (Improper initialization of local variables which are parameters to sfs ...) NOT-FOR-US: Snapdragon CVE-2019-10560 - RESERVED + REJECTED CVE-2019-10559 (Accessing data buffer beyond the available data while parsing ogg clip ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-10558 (While transferring data from APPS to DSP, Out of bound in FastRPC HLOS ...) @@ -32424,9 +32426,8 @@ CVE-2019-9211 (There is a reachable assertion abort in the function write_long_s NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1683499 NOTE: Crash in CLI tool, no security impact CVE-2019-9210 (In AdvanceCOMP 2.1, png_compress in pngex.cc in advpng has an integer ...) - {DLA-1702-1} + {DLA-2868-1 DLA-1702-1} - advancecomp 2.1-2 (low; bug #923416) - [stretch] - advancecomp <no-dsa> (Minor issue) NOTE: https://sourceforge.net/p/advancemame/bugs/277/ NOTE: Fixed by https://github.com/amadvance/advancecomp/commit/fcf71a89265c78fc26243574dda3a872574a5c02 CVE-2019-9209 (In Wireshark 2.4.0 to 2.4.12 and 2.6.0 to 2.6.6, the ASN.1 BER and rel ...) @@ -32768,7 +32769,7 @@ CVE-2019-9083 (SQLiteManager 1.20 and 1.24 allows SQL injection via the /sqlitem CVE-2019-9082 (ThinkPHP before 3.2.4, as used in Open Source BMS v1.1.1 and other pro ...) NOT-FOR-US: ThinkPHP CVE-2019-9081 (The Illuminate component of Laravel Framework 5.7.x has a deserializat ...) - NOT-FOR-US: Laravel Framework + - php-laravel-framework <undetermined> CVE-2019-9080 (DomainMOD before 4.14.0 uses MD5 without a salt for password storage. ...) NOT-FOR-US: DomainMOD CVE-2019-9079 @@ -33280,16 +33281,16 @@ CVE-2019-8924 (XAMPP through 5.6.8 allows XSS via the cds-fpdf.php interpret or NOT-FOR-US: XAMPP CVE-2019-8923 (XAMPP through 5.6.8 and previous allows SQL injection via the cds-fpdf ...) NOT-FOR-US: XAMPP -CVE-2019-8922 - RESERVED +CVE-2019-8922 (A heap-based buffer overflow was discovered in bluetoothd in BlueZ thr ...) {DLA-2827-1} - bluez 5.54-1 + [buster] - bluez <no-dsa> (Minor issue) NOTE: https://ssd-disclosure.com/ssd-advisory-linux-bluez-information-leak-and-heap-overflow/ NOTE: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=6c7243fb6ab90b7b855cead98c66394fedea135f (5.51) -CVE-2019-8921 - RESERVED +CVE-2019-8921 (An issue was discovered in bluetoothd in BlueZ through 5.48. The vulne ...) {DLA-2827-1} - bluez 5.54-1 + [buster] - bluez <no-dsa> (Minor issue) NOTE: https://ssd-disclosure.com/ssd-advisory-linux-bluez-information-leak-and-heap-overflow/ NOTE: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=7bf67b32709d828fafa26256b4c78331760c6e93 (5.51) CVE-2019-8920 (iart.php in XAMPP 1.7.0 has XSS, a related issue to CVE-2008-3569. ...) @@ -33876,10 +33877,10 @@ CVE-2019-8705 (A memory corruption issue was addressed with improved validation. NOT-FOR-US: Apple CVE-2019-8704 (An authentication issue was addressed with improved state management. ...) NOT-FOR-US: Apple -CVE-2019-8703 - RESERVED -CVE-2019-8702 - RESERVED +CVE-2019-8703 (This issue was addressed with improved entitlements. This issue is fix ...) + NOT-FOR-US: Apple +CVE-2019-8702 (This issue was addressed with a new entitlement. This issue is fixed i ...) + NOT-FOR-US: Apple CVE-2019-8701 (A memory corruption issue was addressed with improved memory handling. ...) NOT-FOR-US: Apple CVE-2019-8700 @@ -34092,8 +34093,8 @@ CVE-2019-8644 (Multiple memory corruption issues were addressed with improved me [stretch] - webkit2gtk <ignored> (Not covered by security support in stretch) [jessie] - webkit2gtk <ignored> (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0004.html -CVE-2019-8643 - RESERVED +CVE-2019-8643 (CVE-2019-8643: Arun Sharma of VMWare This issue is fixed in macOS Moja ...) + NOT-FOR-US: Apple CVE-2019-8642 (An issue existed in the handling of S-MIME certificates. This issue wa ...) NOT-FOR-US: Apple CVE-2019-8641 (An out-of-bounds read was addressed with improved input validation. ...) @@ -34744,8 +34745,8 @@ CVE-2019-8385 (An issue was discovered in Thomson Reuters Desktop Extensions 1.9 CVE-2019-8384 RESERVED CVE-2019-8383 (An issue was discovered in AdvanceCOMP through 2.1. An invalid memory ...) + {DLA-2868-1} - advancecomp 2.1-2.1 (bug #928730) - [stretch] - advancecomp <no-dsa> (Minor issue) [jessie] - advancecomp <ignored> (Minor issue) NOTE: https://sourceforge.net/p/advancemame/bugs/272/ NOTE: https://github.com/amadvance/advancecomp/commit/78a56b21340157775be2462a19276b4d31d2bd01 @@ -34758,8 +34759,8 @@ CVE-2019-8381 (An issue was discovered in Tcpreplay 4.3.1. An invalid memory acc CVE-2019-8380 (An issue was discovered in Bento4 1.5.1-628. A NULL pointer dereferenc ...) NOT-FOR-US: Bento4 CVE-2019-8379 (An issue was discovered in AdvanceCOMP through 2.1. A NULL pointer der ...) + {DLA-2868-1} - advancecomp 2.1-2.1 (bug #928729) - [stretch] - advancecomp <no-dsa> (Minor issue) [jessie] - advancecomp <ignored> (Minor issue) NOTE: https://sourceforge.net/p/advancemame/bugs/271/ NOTE: https://github.com/amadvance/advancecomp/commit/7894a6e684ce68ddff9f4f4919ab8e3911ac8040 @@ -36357,9 +36358,8 @@ CVE-2019-7651 (EPP.sys in Emsisoft Anti-Malware prior to version 2018.12 allows CVE-2019-7650 RESERVED CVE-2019-7653 (The Debian python-rdflib-tools 4.2.2-1 package for RDFLib 4.2.2 has CL ...) - {DLA-1717-1} + {DLA-2861-1 DLA-1717-1} - rdflib 4.2.2-2 (low; bug #921751) - [stretch] - rdflib <no-dsa> (Minor issue) NOTE: Debian specific issue as respective scripts are overwritten in Debian NOTE: packaging as wrappers invoking python -m. CVE-2019-7649 (global.encryptPassword in bootstrap/global.js in CMSWing 1.3.7 relies ...) @@ -37156,7 +37156,7 @@ CVE-2019-1000019 (libarchive version commit bf9aec176c6748f0ee7a678c5f9f9555b9a7 NOTE: https://github.com/libarchive/libarchive/pull/1120 NOTE: https://github.com/libarchive/libarchive/commit/65a23f5dbee4497064e9bb467f81138a62b0dae1 CVE-2019-1000017 (Chamilo Chamilo-lms version 1.11.8 and earlier contains an Incorrect A ...) - NOT-FOR-US: Chamilo Chamilo-lms + NOT-FOR-US: Chamilo LMS CVE-2019-1000016 (FFMPEG version 4.1 contains a CWE-129: Improper Validation of Array In ...) - ffmpeg 7:4.1.1-1 (low; bug #922066) [stretch] - ffmpeg <not-affected> (Vulnerable code not present) @@ -37164,10 +37164,10 @@ CVE-2019-1000016 (FFMPEG version 4.1 contains a CWE-129: Improper Validation of - libav <removed> [jessie] - libav <not-affected> (Vulnerable code not present) CVE-2019-1000015 (Chamilo Chamilo-lms version 1.11.8 and earlier contains a Cross Site S ...) - NOT-FOR-US: Chamilo Chamilo-lms + NOT-FOR-US: Chamilo LMS CVE-2019-1000014 (Erlang/OTP Rebar3 version 3.7.0 through 3.7.5 contains a Signing oracl ...) - rebar <not-affected> (vulnerable code is not present) - - rebar3 <itp> (bug #824773) + - rebar3 <not-affected> (Fixed before initial upload to Debian) NOTE: https://github.com/erlang/rebar3/pull/1986 CVE-2019-1000013 (Hex package manager hex_core version 0.3.0 and earlier contains a Sign ...) NOT-FOR-US: Hex package manager @@ -38824,9 +38824,8 @@ CVE-2019-6692 (A malicious DLL preload vulnerability in Fortinet FortiClient for CVE-2019-6691 (phpwind 9.0.2.170426 UTF8 allows SQL Injection via the admin.php?m=bac ...) NOT-FOR-US: phpwind CVE-2019-6690 (python-gnupg 0.4.3 allows context-dependent attackers to trick gnupg t ...) - {DLA-1675-1} + {DLA-2862-1 DLA-1675-1} - python-gnupg 0.4.4-1 - [stretch] - python-gnupg <no-dsa> (Minor issue) NOTE: https://github.com/stigtsp/CVE-2019-6690-python-gnupg-vulnerability NOTE: https://github.com/vsajip/python-gnupg/commit/39eca266dd837e2ad89c94eb17b7a6f50b25e7cf#diff-88b99bb28683bd5b7e3a204826ead112 NOTE: https://github.com/vsajip/python-gnupg/commit/3003b654ca1c29b0510a54b9848571b3ad57df19#diff-88b99bb28683bd5b7e3a204826ead112 @@ -39072,7 +39071,7 @@ CVE-2019-6570 (A vulnerability has been identified in SINEMA Remote Connect Serv NOT-FOR-US: Siemens CVE-2019-6569 (The monitor barrier of the affected products insufficiently blocks dat ...) NOT-FOR-US: Scalance -CVE-2019-6568 (A vulnerability has been identified in RFID 181EIP, SIMATIC ET 200SP O ...) +CVE-2019-6568 (A vulnerability has been identified in RFID 181EIP, SIMATIC CP 1604, S ...) NOT-FOR-US: Siemens CVE-2019-6567 (A vulnerability has been identified in SCALANCE X-200 switch family (i ...) NOT-FOR-US: Siemens @@ -39867,9 +39866,8 @@ CVE-2019-6246 (An issue was discovered in SVG++ (aka svgpp) 1.2.3. After calling - svgpp 1.2.3+dfsg1-5 (bug #919321) NOTE: https://github.com/svgpp/svgpp/issues/70 CVE-2019-6245 (An issue was discovered in Anti-Grain Geometry (AGG) 2.4 as used in SV ...) - {DLA-1656-1} + {DLA-2872-1 DLA-1656-1} - agg 1:2.4-r127+dfsg1-1 (low; bug #919322) - [stretch] - agg <no-dsa> (Minor issue) - svgpp <unfixed> (unimportant; bug #919321) NOTE: https://github.com/svgpp/svgpp/issues/70 NOTE: Fixed in src:agg with: https://sourceforge.net/p/agg/svn/119/ @@ -42706,7 +42704,7 @@ CVE-2019-5068 (An exploitable shared memory permissions vulnerability exists in {DLA-1993-1} - mesa 19.2.6-1 (low; bug #944298) [buster] - mesa 18.3.6-2+deb10u1 - [stretch] - mesa <no-dsa> (Minor issue) + [stretch] - mesa <ignored> (Affected code is not built in stretch) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2019-0857 NOTE: https://lists.freedesktop.org/pipermail/mesa-dev/2019-October/223704.html NOTE: https://cgit.freedesktop.org/mesa/mesa/commit/?id=02c3dad0f3b4d26e0faa5cc51d06bc50d693dcdc @@ -44243,10 +44241,10 @@ CVE-2019-4354 RESERVED CVE-2019-4353 RESERVED -CVE-2019-4352 - RESERVED -CVE-2019-4351 - RESERVED +CVE-2019-4352 (IBM Maximo Anywhere 7.6.4.0 applications could allow obfuscation of th ...) + NOT-FOR-US: IBM +CVE-2019-4351 (IBM Maximo Anywhere 7.6.4.0 applications could disclose sensitive info ...) + NOT-FOR-US: IBM CVE-2019-4350 RESERVED CVE-2019-4349 (IBM Maximo Anywhere 7.6.2.0, 7.6.2.1, 7.6.3.0, and 7.6.3.1 application ...) @@ -44365,8 +44363,8 @@ CVE-2019-4293 (IBM Storwize V7000 Unified (2073) 1.6 configuration may allow an NOT-FOR-US: IBM CVE-2019-4292 (IBM Security Guardium 10.5 could allow a remote attacker to upload arb ...) NOT-FOR-US: IBM -CVE-2019-4291 - RESERVED +CVE-2019-4291 (IBM Maximo Anywhere 7.6.4.0 could allow an attacker to reverse enginee ...) + NOT-FOR-US: IBM CVE-2019-4290 RESERVED CVE-2019-4289 @@ -46032,7 +46030,7 @@ CVE-2019-3614 CVE-2019-3613 (DLL Search Order Hijacking vulnerability in McAfee Agent (MA) prior to ...) NOT-FOR-US: McAfee CVE-2019-3612 (Information Disclosure vulnerability in McAfee DXL Platform and TIE Se ...) - NOT-FOR-US: McAFee + NOT-FOR-US: McAfee CVE-2019-3611 RESERVED CVE-2019-3610 (Data Leakage Attacks vulnerability in Microsoft Windows client in McAf ...) @@ -46267,9 +46265,8 @@ CVE-2019-3502 CVE-2019-3501 (The OUGC Awards plugin before 1.8.19 for MyBB allows XSS via a crafted ...) NOT-FOR-US: OUGC Awards plugin for MyBB CVE-2019-3500 (aria2c in aria2 1.33.1, when --log is used, can store an HTTP Basic Au ...) - {DLA-1636-1} + {DLA-2873-1 DLA-1636-1} - aria2 1.34.0-4 (low; bug #918058) - [stretch] - aria2 <no-dsa> (Minor issue) NOTE: https://github.com/aria2/aria2/issues/1329 NOTE: Masking of all authorization and cookie header fields (but not userinfo in URL): NOTE: https://github.com/aria2/aria2/commit/37368130ca7de5491a75fd18a20c5c5cc641824a @@ -48801,95 +48798,95 @@ CVE-2019-2386 (After user deletion in MongoDB Server the improper invalidation o CVE-2019-2385 RESERVED CVE-2019-2384 - RESERVED + REJECTED CVE-2019-2383 - RESERVED + REJECTED CVE-2019-2382 - RESERVED + REJECTED CVE-2019-2381 - RESERVED + REJECTED CVE-2019-2380 - RESERVED + REJECTED CVE-2019-2379 - RESERVED + REJECTED CVE-2019-2378 - RESERVED + REJECTED CVE-2019-2377 - RESERVED + REJECTED CVE-2019-2376 - RESERVED + REJECTED CVE-2019-2375 - RESERVED + REJECTED CVE-2019-2374 - RESERVED + REJECTED CVE-2019-2373 - RESERVED + REJECTED CVE-2019-2372 - RESERVED + REJECTED CVE-2019-2371 - RESERVED + REJECTED CVE-2019-2370 - RESERVED + REJECTED CVE-2019-2369 - RESERVED + REJECTED CVE-2019-2368 - RESERVED + REJECTED CVE-2019-2367 - RESERVED + REJECTED CVE-2019-2366 - RESERVED + REJECTED CVE-2019-2365 - RESERVED + REJECTED CVE-2019-2364 - RESERVED + REJECTED CVE-2019-2363 - RESERVED + REJECTED CVE-2019-2362 - RESERVED + REJECTED CVE-2019-2361 - RESERVED + REJECTED CVE-2019-2360 - RESERVED + REJECTED CVE-2019-2359 - RESERVED + REJECTED CVE-2019-2358 - RESERVED + REJECTED CVE-2019-2357 - RESERVED + REJECTED CVE-2019-2356 - RESERVED + REJECTED CVE-2019-2355 - RESERVED + REJECTED CVE-2019-2354 - RESERVED + REJECTED CVE-2019-2353 - RESERVED + REJECTED CVE-2019-2352 - RESERVED + REJECTED CVE-2019-2351 - RESERVED + REJECTED CVE-2019-2350 - RESERVED + REJECTED CVE-2019-2349 - RESERVED + REJECTED CVE-2019-2348 - RESERVED + REJECTED CVE-2019-2347 - RESERVED + REJECTED CVE-2019-2346 (Firmware is getting into loop of overwriting memory when scan command ...) NOT-FOR-US: Qualcomm components for Android CVE-2019-2345 (Race condition while accessing DMA buffer in jpeg driver in Snapdragon ...) NOT-FOR-US: Snapdragon CVE-2019-2344 - RESERVED + REJECTED CVE-2019-2343 (Out of bound read and information disclosure in firmware due to insuff ...) NOT-FOR-US: Snapdragon CVE-2019-2342 - RESERVED + REJECTED CVE-2019-2341 (Buffer overflow when the audio buffer size provided by user is larger ...) NOT-FOR-US: Snapdragon CVE-2019-2340 - RESERVED + REJECTED CVE-2019-2339 (Out of bound access due to lack of check of whiltelist array size whil ...) NOT-FOR-US: Snapdragon CVE-2019-2338 (Crafted image that has a valid signature from a non-QC entity can be l ...) @@ -48997,7 +48994,7 @@ CVE-2019-2288 (Out of bound write in TZ while copying the secure dump structure CVE-2019-2287 (Improper validation for inputs received from firmware can lead to an o ...) NOT-FOR-US: Snapdragon CVE-2019-2286 - RESERVED + REJECTED CVE-2019-2285 (Out of bound write issue is observed while giving information about pr ...) NOT-FOR-US: Snapdragon CVE-2019-2284 (Possible use-after-free issue due to a race condition while calling ca ...) @@ -49005,11 +49002,11 @@ CVE-2019-2284 (Possible use-after-free issue due to a race condition while calli CVE-2019-2283 (Improper validation of read and write index of tx and rx fifo`s before ...) NOT-FOR-US: Snapdragon CVE-2019-2282 - RESERVED + REJECTED CVE-2019-2281 (An unauthenticated bitmap image can be loaded in to memory and subsequ ...) NOT-FOR-US: Snapdragon CVE-2019-2280 - RESERVED + REJECTED CVE-2019-2279 (Shared memory gets updated with invalid data and may lead to access be ...) NOT-FOR-US: Snapdragon CVE-2019-2278 (User keystore signature is ignored in boot and can lead to bypass boot ...) diff --git a/data/CVE/2020.list b/data/CVE/2020.list index 7da43405f5..654068a6d0 100644 --- a/data/CVE/2020.list +++ b/data/CVE/2020.list @@ -1,3 +1,17 @@ +CVE-2020-22592 + RESERVED +CVE-2020-36515 + RESERVED +CVE-2020-36514 (An issue was discovered in the acc_reader crate through 2020-12-27 for ...) + NOT-FOR-US: Rust crate acc_reader +CVE-2020-36513 (An issue was discovered in the acc_reader crate through 2020-12-27 for ...) + NOT-FOR-US: Rust crate acc_reader +CVE-2020-36512 (An issue was discovered in the buffoon crate through 2020-12-31 for Ru ...) + NOT-FOR-US: Rust crate buffoon +CVE-2020-36511 (An issue was discovered in the bite crate through 2020-12-31 for Rust. ...) + NOT-FOR-US: Rust crate bite +CVE-2020-36510 + RESERVED CVE-2020-36505 (The Delete All Comments Easily WordPress plugin through 1.3 is lacking ...) NOT-FOR-US: WordPress plugin CVE-2020-36504 (The WP-Pro-Quiz WordPress plugin through 0.37 does not have CSRF check ...) @@ -58,7 +72,8 @@ CVE-2020-36478 (An issue was discovered in Mbed TLS before 2.25.0 (and before 2. NOTE: https://github.com/ARMmbed/mbedtls/issues/3629 NOTE: https://github.com/ARMmbed/mbedtls/commit/ca17ebfbc02b57e2bcb42efe64a5f2002c756ea8 (development) CVE-2020-36477 (An issue was discovered in Mbed TLS before 2.24.0. The verification of ...) - - mbedtls <unfixed> + [experimental] - mbedtls 2.28.0-0.1 + - mbedtls 2.28.0-0.3 [stretch] - mbedtls <not-affected> (2.4 not affected) NOTE: https://github.com/ARMmbed/mbedtls/issues/3498 NOTE: https://github.com/ARMmbed/mbedtls/commit/f3e4bd8632b71dc491e52e6df87dc3e409d2b869 (development) @@ -93,6 +108,7 @@ CVE-2020-36466 (An issue was discovered in the cgc crate through 2020-12-10 for NOT-FOR-US: Rust crate cgc CVE-2020-36465 (An issue was discovered in the generic-array crate before 0.13.3 for R ...) - rust-generic-array 0.14.4-1 + [buster] - rust-generic-array <no-dsa> (Minor issue) NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0146.html CVE-2020-36464 (An issue was discovered in the heapless crate before 0.6.1 for Rust. T ...) NOT-FOR-US: Rust crate heapless @@ -246,7 +262,7 @@ CVE-2020-36407 (libavif 0.8.0 and 0.8.1 has an out-of-bounds write in avifDecode NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24811 NOTE: https://github.com/AOMediaCodec/libavif/commit/0a8e7244d494ae98e9756355dfbfb6697ded2ff9 NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/libavif/OSV-2020-1597.yaml -CVE-2020-36406 (uWebSockets 18.11.0 and 18.12.0 has a stack-based buffer overflow in u ...) +CVE-2020-36406 (** DISPUTED ** uWebSockets 18.11.0 and 18.12.0 has a stack-based buffe ...) NOT-FOR-US: uWebSockets CVE-2020-36405 (Keystone Engine 0.9.2 has a use-after-free in llvm_ks::X86Operand::get ...) NOT-FOR-US: keystone engine @@ -460,8 +476,7 @@ CVE-2020-36325 (** DISPUTED ** An issue was discovered in Jansson through 2.13.1 - jansson <unfixed> (unimportant) NOTE: https://github.com/akheron/jansson/issues/548 NOTE: Disputed security impact (only if programmer fails to follow API specifications) -CVE-2020-13672 [SA-CORE-2021-002] - RESERVED +CVE-2020-13672 (Cross-site Scripting (XSS) vulnerability in Drupal core's sanitization ...) {DLA-2637-1} - drupal7 <removed> NOTE: https://www.drupal.org/sa-core-2021-002 @@ -1057,20 +1072,45 @@ CVE-2020-36137 RESERVED CVE-2020-36136 RESERVED -CVE-2020-36135 - RESERVED -CVE-2020-36134 - RESERVED -CVE-2020-36133 - RESERVED +CVE-2020-36135 (AOM v2.0.1 was discovered to contain a NULL pointer dereference via th ...) + - aom 3.2.0-1 + [bullseye] - aom <no-dsa> (Minor issue) + [buster] - aom <no-dsa> (Minor issue) + NOTE: https://aomedia.googlesource.com/aom/+/94bcbfe76b0fd5b8ac03645082dc23a88730c949 (v2.1.0-rc1) + NOTE: https://bugs.chromium.org/p/aomedia/issues/detail?id=2910&q=&can=1 + NOTE: https://bugs.chromium.org/p/aomedia/issues/detail?id=2911 +CVE-2020-36134 (AOM v2.0.1 was discovered to contain a segmentation violation via the ...) + - aom <not-affected> (Vulnerable code never in a Debian released version) + NOTE: https://bugs.chromium.org/p/aomedia/issues/detail?id=2914 + NOTE: https://bugs.chromium.org/p/aomedia/issues/detail?id=2940 + NOTE: Introduced by: https://aomedia.googlesource.com/aom/+/4567c355bf55a7430819e9d30df259bcb83cfe0d (v2.1.0-rc1) + NOTE: Fixed by: https://aomedia.googlesource.com/aom/+/5a1b33b710050b69557d26cf53d4943325481beb (v2.1.0-rc1) +CVE-2020-36133 (AOM v2.0.1 was discovered to contain a global buffer overflow via the ...) + - aom 3.2.0-1 + [bullseye] - aom <no-dsa> (Minor issue) + [buster] - aom <no-dsa> (Minor issue) + NOTE: https://bugs.chromium.org/p/aomedia/issues/detail?id=2913&q=&can=1 + NOTE: https://aomedia.googlesource.com/aom/+/5c9bc4181071684d157fc47c736acf6c69a85d85 (v3.2.0-rc1) CVE-2020-36132 RESERVED -CVE-2020-36131 - RESERVED -CVE-2020-36130 - RESERVED -CVE-2020-36129 - RESERVED +CVE-2020-36131 (AOM v2.0.1 was discovered to contain a stack buffer overflow via the c ...) + - aom 3.2.0-1 + [bullseye] - aom <no-dsa> (Minor issue) + [buster] - aom <no-dsa> (Minor issue) + NOTE: https://aomedia.googlesource.com/aom/+/94bcbfe76b0fd5b8ac03645082dc23a88730c949 (v2.1.0-rc1) + NOTE: https://bugs.chromium.org/p/aomedia/issues/detail?id=2911&q=&can=1 +CVE-2020-36130 (AOM v2.0.1 was discovered to contain a NULL pointer dereference via th ...) + - aom 3.2.0-1 + [bullseye] - aom <no-dsa> (Minor issue) + [buster] - aom <no-dsa> (Minor issue) + NOTE: https://aomedia.googlesource.com/aom/+/be4ee75fd762d361d0679cc892e4c74af8140093%5E%21/#F0 (v2.1.0-rc1) + NOTE: https://bugs.chromium.org/p/aomedia/issues/detail?id=2905&q=&can=1 +CVE-2020-36129 (AOM v2.0.1 was discovered to contain a stack buffer overflow via the c ...) + - aom 3.2.0-1 + [bullseye] - aom <not-affected> (Vulnerable code introduced later) + [buster] - aom <not-affected> (Vulnerable code introduced later) + NOTE: https://aomedia.googlesource.com/aom/+/7a20d10027fd91fbe11e38182a1d45238e102c4a%5E%21/#F0 (v3.2.0-rc1) + NOTE: https://bugs.chromium.org/p/aomedia/issues/detail?id=2912&q=&can=1 CVE-2020-36128 (Pax Technology PAXSTORE v7.0.8_20200511171508 and lower is affected by ...) NOT-FOR-US: Pax Technology PAXSTORE CVE-2020-36127 (Pax Technology PAXSTORE v7.0.8_20200511171508 and lower is affected by ...) @@ -1210,12 +1250,12 @@ CVE-2020-36066 (GJSON <1.6.5 allows attackers to cause a denial of service (r NOTE: fix in golang-github-tidwall-gjson is dependency on golang-github-tidwall-match v1.0.3 CVE-2020-36065 RESERVED -CVE-2020-36064 - RESERVED +CVE-2020-36064 (Online Course Registration v1.0 was discovered to contain hardcoded cr ...) + NOT-FOR-US: Online Course Registration CVE-2020-36063 RESERVED -CVE-2020-36062 - RESERVED +CVE-2020-36062 (Dairy Farm Shop Management System v1.0 was discovered to contain hardc ...) + NOT-FOR-US: PHPGurukul Dairy Farm Shop Management System CVE-2020-36061 RESERVED CVE-2020-36060 @@ -1226,8 +1266,8 @@ CVE-2020-36058 RESERVED CVE-2020-36057 RESERVED -CVE-2020-36056 - RESERVED +CVE-2020-36056 (Beetel 777VR1-DI Hardware Version REV.1.01 Firmware Version V01.00.09_ ...) + NOT-FOR-US: Beetel CVE-2020-36055 RESERVED CVE-2020-36054 @@ -2522,7 +2562,7 @@ CVE-2020-35506 (A use-after-free vulnerability was found in the am53c974 SCSI ho [experimental] - qemu 1:6.0+dfsg-1~exp0 - qemu 1:6.0+dfsg-3 (bug #984454) [bullseye] - qemu <postponed> (Minor issue, revisit when fixed upstream) - [buster] - qemu <postponed> (Fix along in future DSA) + [buster] - qemu <not-affected> (Vulnerable code not present, FIFO support added later) [stretch] - qemu <postponed> (Fix along in future DLA) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1909996 NOTE: https://bugs.launchpad.net/qemu/+bug/1909247 @@ -2560,6 +2600,7 @@ CVE-2020-35503 (A NULL pointer dereference flaw was found in the megasas-gen2 SC [buster] - qemu <postponed> (Fix along in future DSA) [stretch] - qemu <postponed> (Fix along in future DLA) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1910346 + NOTE: No upstream patch as of 2022-01-28 CVE-2020-35502 (A flaw was found in Privoxy in versions before 3.0.29. Memory leaks wh ...) {DLA-2548-1} - privoxy 3.0.29-1 @@ -2856,8 +2897,8 @@ CVE-2020-35400 RESERVED CVE-2020-35399 RESERVED -CVE-2020-35398 - RESERVED +CVE-2020-35398 (An issue was discovered in UTI Mutual fund Android application 5.4.18 ...) + NOT-FOR-US: UTI Mutual fund Android application CVE-2020-35397 RESERVED CVE-2020-35396 (EGavilan Barcodes generator 1.0 is affected by: Cross Site Scripting ( ...) @@ -3228,22 +3269,22 @@ CVE-2020-35218 RESERVED CVE-2020-35217 (Vert.x-Web framework v4.0 milestone 1-4 does not perform a correct CSR ...) NOT-FOR-US: Vert.x-Web framework -CVE-2020-35216 - RESERVED -CVE-2020-35215 - RESERVED -CVE-2020-35214 - RESERVED -CVE-2020-35213 - RESERVED +CVE-2020-35216 (An issue in Atomix v3.1.5 allows attackers to cause a denial of servic ...) + NOT-FOR-US: Atomix +CVE-2020-35215 (An issue in Atomix v3.1.5 allows attackers to access sensitive informa ...) + NOT-FOR-US: Atomix +CVE-2020-35214 (An issue in Atomix v3.1.5 allows a malicious Atomix node to remove sta ...) + NOT-FOR-US: Atomix +CVE-2020-35213 (An issue in Atomix v3.1.5 allows attackers to cause a denial of servic ...) + NOT-FOR-US: Atomix CVE-2020-35212 RESERVED -CVE-2020-35211 - RESERVED -CVE-2020-35210 - RESERVED -CVE-2020-35209 - RESERVED +CVE-2020-35211 (An issue in Atomix v3.1.5 allows unauthorized Atomix nodes to become t ...) + NOT-FOR-US: Atomix +CVE-2020-35210 (A vulnerability in Atomix v3.1.5 allows attackers to cause a denial of ...) + NOT-FOR-US: Atomix +CVE-2020-35209 (An issue in Atomix v3.1.5 allows unauthorized Atomix nodes to join a t ...) + NOT-FOR-US: Atomix CVE-2020-35208 (** DISPUTED ** An issue was discovered in the LogMein LastPass Passwor ...) NOT-FOR-US: LogMein LastPass Password Manager (aka com.lastpass.ilastpass) app for iOS CVE-2020-35207 (** DISPUTED ** An issue was discovered in the LogMein LastPass Passwor ...) @@ -3405,7 +3446,8 @@ CVE-2020-35132 (An XSS issue has been discovered in phpLDAPadmin before 1.2.6.2 NOTE: https://bugs.launchpad.net/ubuntu/+source/phpldapadmin/+bug/1906474 NOTE: https://github.com/leenooks/phpLDAPadmin/commit/c87571f6b7be15d5cd8b26381b6eb31ad03d28e2 NOTE: https://github.com/leenooks/phpLDAPadmin/issues/130 - NOTE: unclear whether the issue is completely fixed, cf. https://github.com/leenooks/phpLDAPadmin/issues/130#issuecomment-745152260 + NOTE: Fix is incomplete: https://github.com/leenooks/phpLDAPadmin/issues/130#issuecomment-745152260 + NOTE: https://github.com/leenooks/phpLDAPadmin/issues/137 CVE-2020-35131 (Cockpit before 0.6.1 allows an attacker to inject custom PHP code and ...) NOT-FOR-US: Agentejo Cockpit CVE-2020-35130 @@ -3484,10 +3526,14 @@ CVE-2020-35076 REJECTED CVE-2020-35061 RESERVED +CVE-2020-35037 (The Events Manager WordPress plugin before 5.9.8 does not sanitise and ...) + NOT-FOR-US: WordPress plugin events-manager CVE-2020-35030 RESERVED CVE-2020-35017 RESERVED +CVE-2020-35012 (The Events Manager WordPress plugin before 5.9.8 does not sanitise and ...) + NOT-FOR-US: WordPress plugin events-manager CVE-2020-35001 RESERVED CVE-2020-29670 @@ -3744,7 +3790,8 @@ CVE-2020-29584 CVE-2020-29583 (Firmware version 4.60 of Zyxel USG devices contains an undocumented ac ...) NOT-FOR-US: Zyxel CVE-2020-29582 (In JetBrains Kotlin before 1.4.21, a vulnerable Java API was used for ...) - - kotlin <unfixed> + - kotlin <unfixed> (bug #1001037) + NOTE: https://youtrack.jetbrains.com/issue/KT-42181 (not public) CVE-2020-29581 (The official spiped docker images before 1.5-alpine contain a blank pa ...) NOT-FOR-US: spiped Docker images CVE-2020-29580 (The official storm Docker images before 1.2.1 contain a blank password ...) @@ -3847,7 +3894,7 @@ CVE-2020-29548 (An issue was discovered in SmarterTools SmarterMail through 100. NOT-FOR-US: SmarterTools CVE-2020-29547 RESERVED - - citadel <unfixed> + - citadel <removed> [buster] - citadel <ignored> (Minor issue) [stretch] - citadel <postponed> (Minor issue, revisit when fixed upstream) NOTE: https://uncensored.citadel.org/readfwd?go=Citadel Security?view=0?start_reading_at=2099264259#2099264259 @@ -3931,9 +3978,9 @@ CVE-2020-29512 CVE-2020-29511 (The encoding/xml package in Go (all versions) does not correctly prese ...) - golang-1.15 <unfixed> (unimportant) - golang-1.11 <removed> (unimportant) - - golang-1.8 <removed> + - golang-1.8 <removed> (unimportant) [stretch] - golang-1.8 <ignored> (deemed unfixable by upstream who shifts responsibility to saml packages we don't ship) - - golang-1.7 <removed> + - golang-1.7 <removed> (unimportant) [stretch] - golang-1.7 <ignored> (deemed unfixable by upstream who shifts responsibility to saml packages we don't ship) NOTE: https://github.com/golang/go/issues/43168 NOTE: https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/ @@ -3941,9 +3988,9 @@ CVE-2020-29511 (The encoding/xml package in Go (all versions) does not correctly CVE-2020-29510 (The encoding/xml package in Go versions 1.15 and earlier does not corr ...) - golang-1.15 <unfixed> (unimportant) - golang-1.11 <removed> (unimportant) - - golang-1.8 <removed> + - golang-1.8 <removed> (unimportant) [stretch] - golang-1.8 <ignored> (deemed unfixable by upstream who shifts responsibility to saml packages we don't ship) - - golang-1.7 <removed> + - golang-1.7 <removed> (unimportant) [stretch] - golang-1.7 <ignored> (deemed unfixable by upstream who shifts responsibility to saml packages we don't ship) NOTE: https://github.com/golang/go/issues/43168 NOTE: https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/ @@ -4474,8 +4521,8 @@ CVE-2020-29294 RESERVED CVE-2020-29293 RESERVED -CVE-2020-29292 - RESERVED +CVE-2020-29292 (iBall WRD12EN 1.0.0 devices allow cross-site request forgery (CSRF) at ...) + NOT-FOR-US: iBall WRD12EN CVE-2020-29291 RESERVED CVE-2020-29290 @@ -4704,10 +4751,10 @@ CVE-2020-29179 RESERVED CVE-2020-29178 RESERVED -CVE-2020-29177 - RESERVED -CVE-2020-29176 - RESERVED +CVE-2020-29177 (Z-BlogPHP v1.6.1.2100 was discovered to contain an arbitrary file dele ...) + NOT-FOR-US: Z-BlogPHP +CVE-2020-29176 (An arbitrary file upload vulnerability in Z-BlogPHP v1.6.1.2100 allows ...) + NOT-FOR-US: Z-BlogPHP CVE-2020-29175 RESERVED CVE-2020-29174 @@ -4973,8 +5020,12 @@ CVE-2020-29052 RESERVED CVE-2020-29051 RESERVED -CVE-2020-29050 - RESERVED +CVE-2020-29050 (SphinxSearch in Sphinx Technologies Sphinx through 3.1.1 allows direct ...) + {DSA-5036-1 DLA-2882-1} + - sphinxsearch 2.2.11-3 + NOTE: Backported for sphinxsearch from: https://github.com/manticoresoftware/manticoresearch/commit/66b5761ad258c60b1866a8e1333f86e74f48035 + NOTE: and https://github.com/manticoresoftware/manticoresearch/commit/6e597ff61e1e910559f6ed541ff32520085af6aa + NOTE: Backported patch: https://salsa.debian.org/debian/sphinxsearch/-/blob/4d6fe40644130308604845db43d3588e715ec85d/debian/patches/06-CVE-2020-29050.patch CVE-2020-29049 RESERVED CVE-2020-29048 @@ -5330,8 +5381,8 @@ CVE-2020-28921 (An issue was discovered in Devid Espenschied PC Analyser through NOT-FOR-US: Devid Espenschied PC Analyser CVE-2020-28920 RESERVED -CVE-2020-28919 - RESERVED +CVE-2020-28919 (A stored cross site scripting (XSS) vulnerability in Checkmk 1.6.0x pr ...) + - check-mk <removed> CVE-2020-28918 (DualShield 5.9.8.0821 allows username enumeration on its login form. A ...) NOT-FOR-US: DualShield CVE-2020-28917 (An issue was discovered in the view_statistics (aka View frontend stat ...) @@ -5418,10 +5469,10 @@ CVE-2020-28887 RESERVED CVE-2020-28886 RESERVED -CVE-2020-28885 - RESERVED -CVE-2020-28884 - RESERVED +CVE-2020-28885 (** DISPUTED ** Liferay Portal Server tested on 7.3.5 GA6, 7.2.0 GA1 is ...) + NOT-FOR-US: Liferay +CVE-2020-28884 (Liferay Portal Server tested on 7.3.5 GA6, 7.2.0 GA1 is affected by OS ...) + NOT-FOR-US: Liferay CVE-2020-28883 RESERVED CVE-2020-28882 @@ -5487,12 +5538,14 @@ CVE-2020-28853 CVE-2020-28852 (In x/text in Go before v0.3.5, a "slice bounds out of range" panic occ ...) - golang-golang-x-text 0.3.5-1 (bug #980002) - golang-x-text <removed> + [buster] - golang-x-text <no-dsa> (Minor issue) [stretch] - golang-x-text <no-dsa> (Minor issue. Golang has limited support in stretch.) NOTE: https://github.com/golang/go/issues/42536 NOTE: https://github.com/golang/text/commit/4482a914f52311356f6f4b7a695d4075ca22c0c6 (v0.3.5) CVE-2020-28851 (In x/text in Go 1.15.4, an "index out of range" panic occurs in langua ...) - golang-golang-x-text 0.3.6-1 (bug #980001) - golang-x-text <removed> + [buster] - golang-x-text <no-dsa> (Minor issue) [stretch] - golang-x-text <no-dsa> (Minor issue. Golang has limited support in stretch.) NOTE: https://github.com/golang/go/issues/42535 CVE-2020-28850 @@ -5839,8 +5892,8 @@ CVE-2020-28681 RESERVED CVE-2020-28680 RESERVED -CVE-2020-28679 - RESERVED +CVE-2020-28679 (A vulnerability in the showReports module of Zoho ManageEngine Applica ...) + NOT-FOR-US: Zoho ManageEngine CVE-2020-28678 RESERVED CVE-2020-28677 @@ -6471,7 +6524,7 @@ CVE-2020-28408 (The server in Dundas BI through 8.0.0.1001 allows XSS via an HTM NOT-FOR-US: Dundas BI CVE-2020-28407 RESERVED - - swtpm <itp> (bug #941199) + - swtpm <not-affected> (Fixed before initial upload to the archive) CVE-2020-28406 (An improper authorization vulnerability exists in Star Practice Manage ...) NOT-FOR-US: Star Practice Management Web CVE-2020-28405 (An improper authorization vulnerability exists in Star Practice Manage ...) @@ -6764,7 +6817,7 @@ CVE-2020-28283 (Prototype pollution vulnerability in 'libnested' versions 0.0.0 NOT-FOR-US: libnested CVE-2020-28282 (Prototype pollution vulnerability in 'getobject' version 0.1.0 allows ...) - node-getobject 1.0.2-1 - [bullseye] - node-getobject <no-dsa> (Minor issue) + [bullseye] - node-getobject 0.1.0-2+deb11u1 [buster] - node-getobject <no-dsa> (Minor issue) [stretch] - node-getobject <no-dsa> (Minor issue) NOTE: https://github.com/cowboy/node-getobject/commit/84071748fa407caa8f824e0d0b9c1cde9ec56633 (v1.0.0) @@ -6849,6 +6902,10 @@ CVE-2020-28243 (An issue was discovered in SaltStack Salt before 3002.5. The min - salt 3002.5+dfsg1-1 (bug #983632) [buster] - salt 2018.3.4+dfsg1-6+deb10u3 NOTE: https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/ + NOTE: Introduced by: https://github.com/saltstack/salt/commit/e02df6fd3ceb605a58e4ac75c06077f52963187a (v2016.3) + NOTE: Fixed by: https://github.com/saltstack/salt/commit/61dd6d178b1dae0a1bf884bcd1149003281f8194 (v3002.3) + NOTE: Follow-up: https://github.com/saltstack/salt/commit/777ffe612e612fb443018c1d7983d4abe4632bb2 (v3002.6) + NOTE: Follow-up doc: https://github.com/saltstack/salt/commit/903cfdcf6863b288fa41549bd991da6049962f54 (next commit) CVE-2020-28242 (An issue was discovered in Asterisk Open Source 13.x before 13.37.1, 1 ...) - asterisk 1:16.15.0~dfsg-1 (bug #974713) [buster] - asterisk <no-dsa> (Minor issue) @@ -6943,6 +7000,7 @@ CVE-2020-28201 RESERVED CVE-2020-28200 (The Sieve engine in Dovecot before 2.3.15 allows Uncontrolled Resource ...) - dovecot 1:2.3.16+dfsg1-1 (bug #990566; bug #991323) + [bullseye] - dovecot <postponed> (Minor issue, fix along with next update) [buster] - dovecot <postponed> (Minor issue, fix along with next update) [stretch] - dovecot <no-dsa> (Minor issue) NOTE: https://dovecot.org/pipermail/dovecot-news/2021-June/000460.html @@ -7026,6 +7084,11 @@ CVE-2020-28164 RESERVED CVE-2020-28163 RESERVED + - dwarfutils 20201201-1 + [buster] - dwarfutils <ignored> (Minor issue) + [stretch] - dwarfutils <ignored> (Minor issue) + NOTE: https://github.com/davea42/libdwarf-code/commit/faf99408e3f9f706fc3809dd400e831f989778d3 + NOTE: https://www.prevanders.net/dwarfbug.html#DW202010-003 CVE-2020-28162 RESERVED CVE-2020-28161 @@ -7144,10 +7207,10 @@ CVE-2020-28105 RESERVED CVE-2020-28104 RESERVED -CVE-2020-28103 - RESERVED -CVE-2020-28102 - RESERVED +CVE-2020-28103 (cscms v4.1 allows for SQL injection via the "page_del" function. ...) + NOT-FOR-US: cscms +CVE-2020-28102 (cscms v4.1 allows for SQL injection via the "js_del" function. ...) + NOT-FOR-US: cscms CVE-2020-28101 RESERVED CVE-2020-28100 @@ -7905,6 +7968,7 @@ CVE-2020-27821 (A flaw was found in the memory management API of QEMU during the NOTE: Introduced by: https://git.qemu.org/?p=qemu.git;a=commitdiff;h=48564041a73adbbff52834f9edbe3806fceefab7 (v3.0) CVE-2020-27820 (A vulnerability was found in Linux kernel, where a use-after-frees in ...) - linux 5.15.5-1 (unimportant) + [bullseye] - linux 5.10.84-1 NOTE: No security impact, requires physical access to the computer CVE-2020-27819 (An issue was discovered in libxls before and including 1.6.1 when read ...) - r-cran-readxl <not-affected> (Embeds libxls, but not affected) @@ -8248,16 +8312,16 @@ CVE-2020-27746 (Slurm before 19.05.8 and 20.x before 20.02.6 exposes Sensitive I {DSA-4841-1} - slurm-wlm <not-affected> (Fixed with first upload to Debian with renamed source package) - slurm-llnl <removed> (bug #974722) - [stretch] - slurm-llnl <no-dsa> (Minor issue) + [stretch] - slurm-llnl <not-affected> (Vulnerable code introduced later) NOTE: https://www.schedmd.com/news.php?id=240 NOTE: https://lists.schedmd.com/pipermail/slurm-announce/2020/000045.html NOTE: https://github.com/SchedMD/slurm/commit/07309deb45c33e735e191faf9dd31cca1054a15c NOTE: slurm-wlm/20.02.6-1 changed the source package name and included the fix + NOTE: Introduced by: https://github.com/SchedMD/slurm/commit/e3140b7f8d96ced9dc85089caa65dd7c6be396fd (slurm-17-11-0-0rc1) CVE-2020-27745 (Slurm before 19.05.8 and 20.x before 20.02.6 has an RPC Buffer Overflo ...) - {DSA-4841-1} + {DSA-4841-1 DLA-2886-1} - slurm-wlm <not-affected> (Fixed with first upload to Debian with renamed source package) - slurm-llnl <removed> (bug #974721) - [stretch] - slurm-llnl <no-dsa> (Minor issue) NOTE: https://www.schedmd.com/news.php?id=240 NOTE: https://lists.schedmd.com/pipermail/slurm-announce/2020/000045.html NOTE: https://github.com/SchedMD/slurm/commit/c3142dd87e06621ff148791c3d2f298b5c0b3a81 @@ -8287,11 +8351,11 @@ CVE-2020-27739 (A Weak Session Management vulnerability in Citadel WebCit throug - webcit <removed> (bug #973385) [buster] - webcit <ignored> (Minor issue) [stretch] - webcit <ignored> (Minor issue) -CVE-2020-27738 (A vulnerability has been identified in Capital VSTAR (Versions includi ...) +CVE-2020-27738 (A vulnerability has been identified in Nucleus NET (All versions), Nuc ...) NOT-FOR-US: Nucleus (Siemens) -CVE-2020-27737 (A vulnerability has been identified in Capital VSTAR (Versions includi ...) +CVE-2020-27737 (A vulnerability has been identified in Nucleus NET (All versions), Nuc ...) NOT-FOR-US: Nucleus (Siemens) -CVE-2020-27736 (A vulnerability has been identified in Capital VSTAR (Versions includi ...) +CVE-2020-27736 (A vulnerability has been identified in Nucleus NET (All versions), Nuc ...) NOT-FOR-US: Nucleus (Siemens) CVE-2020-27735 (An XSS issue was discovered in Wing FTP 6.4.4. An arbitrary IFRAME ele ...) NOT-FOR-US: Wing FTP @@ -8431,10 +8495,11 @@ CVE-2020-27662 (In GLPI before 9.5.3, ajax/comments.php has an Insecure Direct O - glpi <removed> CVE-2020-27661 (A divide-by-zero issue was found in dwc2_handle_packet in hw/usb/hcd-d ...) - qemu 1:5.2+dfsg-1 (bug #972864) - [buster] - qemu <postponed> (Fix along in future DSA) + [buster] - qemu <not-affected> (Vulnerable code not present) [stretch] - qemu <not-affected> (Vulnerable code introduced later) NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2020-10/msg04263.html NOTE: Fixed by: https://git.qemu.org/?p=qemu.git;a=commit;h=bea2a9e3e00b275dc40cfa09c760c715b8753e03 (v5.2.0-rc0) + NOTE: Introduced in v5.1.0-rc0 CVE-2020-27660 (SQL injection vulnerability in request.cgi in Synology SafeAccess befo ...) NOT-FOR-US: Synology CVE-2020-27659 (Multiple cross-site scripting (XSS) vulnerabilities in Synology SafeAc ...) @@ -8729,6 +8794,11 @@ CVE-2020-27546 RESERVED CVE-2020-27545 RESERVED + - dwarfutils 20201201-1 + [buster] - dwarfutils <ignored> (Minor issue) + [stretch] - dwarfutils <ignored> (Minor issue) + NOTE: https://www.prevanders.net/dwarfbug.html#DW202010-001 + NOTE: https://github.com/davea42/libdwarf-code/commit/95f634808c01f1c61bbec56ed2395af997f397ea CVE-2020-27544 RESERVED CVE-2020-27543 (The restify-paginate package 0.0.5 for Node.js allows remote attackers ...) @@ -8798,6 +8868,7 @@ CVE-2020-27512 CVE-2020-27511 (An issue was discovered in the stripTags and unescapeHTML components i ...) - prototypejs <unfixed> (bug #991898) [bullseye] - prototypejs <no-dsa> (Minor issue) + [buster] - prototypejs <no-dsa> (Minor issue) [stretch] - prototypejs <no-dsa> (Minor issue) NOTE: https://github.com/prototypejs/prototype/blame/dee2f7d8611248abce81287e1be4156011953c90/src/prototype/lang/string.js#L283 NOTE: https://github.com/yetingli/PoCs/blob/main/CVE-2020-27511/Prototype.md @@ -8967,8 +9038,8 @@ CVE-2020-27430 RESERVED CVE-2020-27429 RESERVED -CVE-2020-27428 - RESERVED +CVE-2020-27428 (A DOM-based cross-site scripting (XSS) vulnerability in Scratch-Svg-Re ...) + NOT-FOR-US: Scratch-Svg-Renderer CVE-2020-27427 RESERVED CVE-2020-27426 @@ -8991,14 +9062,14 @@ CVE-2020-27418 RESERVED CVE-2020-27417 RESERVED -CVE-2020-27416 - RESERVED +CVE-2020-27416 (Mahavitaran android application 7.50 and prior are affected by account ...) + NOT-FOR-US: Mahavitaran android application CVE-2020-27415 RESERVED -CVE-2020-27414 - RESERVED -CVE-2020-27413 - RESERVED +CVE-2020-27414 (Mahavitaran android application 7.50 and prior transmit sensitive info ...) + NOT-FOR-US: Mahavitaran android application +CVE-2020-27413 (An issue was discovered in Mahavitaran android application 7.50 and be ...) + NOT-FOR-US: Mahavitaran android application CVE-2020-27412 RESERVED CVE-2020-27411 @@ -9113,8 +9184,8 @@ CVE-2020-27358 (An issue was discovered in REDCap 8.11.6 through 9.x before 10. NOT-FOR-US: REDCap CVE-2020-27357 RESERVED -CVE-2020-27356 - RESERVED +CVE-2020-27356 (The debug-meta-data plugin 1.1.2 for WordPress allows XSS. ...) + NOT-FOR-US: debug-meta-data plugin for WordPress CVE-2020-27355 RESERVED CVE-2020-27354 @@ -9874,7 +9945,7 @@ CVE-2020-27011 RESERVED CVE-2020-27010 (A cross-site scripting (XSS) vulnerability in Trend Micro InterScan We ...) NOT-FOR-US: Trend Micro -CVE-2020-27009 (A vulnerability has been identified in Capital VSTAR (Versions includi ...) +CVE-2020-27009 (A vulnerability has been identified in Nucleus NET (All versions < ...) NOT-FOR-US: Nucleus (Siemens) CVE-2020-27008 (A vulnerability has been identified in JT2Go (All versions < V13.1. ...) NOT-FOR-US: JT2Go @@ -10574,8 +10645,8 @@ CVE-2020-26730 RESERVED CVE-2020-26729 RESERVED -CVE-2020-26728 - RESERVED +CVE-2020-26728 (A vulnerability was discovered in Tenda AC9 v3.0 V15.03.06.42_multi an ...) + NOT-FOR-US: Tenda AC9 Router CVE-2020-26727 RESERVED CVE-2020-26726 @@ -10904,21 +10975,21 @@ CVE-2020-26574 (** UNSUPPORTED WHEN ASSIGNED ** Leostream Connection Broker 8.2. CVE-2020-26573 RESERVED CVE-2020-26572 (The TCOS smart card software driver in OpenSC before 0.21.0-rc1 has a ...) + {DLA-2832-1} - opensc 0.21.0-1 (bug #972035) [buster] - opensc <no-dsa> (Minor issue) - [stretch] - opensc <no-dsa> (Minor issue) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=22967 NOTE: https://github.com/OpenSC/OpenSC/commit/9d294de90d1cc66956389856e60b6944b27b4817 (0.21.0-rc1) CVE-2020-26571 (The gemsafe GPK smart card software driver in OpenSC before 0.21.0-rc1 ...) + {DLA-2832-1} - opensc 0.21.0-1 (bug #972036) [buster] - opensc <no-dsa> (Minor issue) - [stretch] - opensc <no-dsa> (Minor issue) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20612 NOTE: https://github.com/OpenSC/OpenSC/commit/ed55fcd2996930bf58b9bb57e9ba7b1f3a753c43 (0.21.0-rc1) CVE-2020-26570 (The Oberthur smart card software driver in OpenSC before 0.21.0-rc1 ha ...) + {DLA-2832-1} - opensc 0.21.0-1 (bug #972037) [buster] - opensc <no-dsa> (Minor issue) - [stretch] - opensc <no-dsa> (Minor issue) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24316 NOTE: https://github.com/OpenSC/OpenSC/commit/6903aebfddc466d966c7b865fae34572bf3ed23e (0.21.0-rc1) CVE-2020-26569 (In EVPN VxLAN setups in Arista EOS, specific malformed packets can lea ...) @@ -11761,8 +11832,12 @@ CVE-2020-26210 (In BookStack before version 0.30.4, a user with permissions to e NOT-FOR-US: BookStack app CVE-2020-26209 RESERVED -CVE-2020-26208 - RESERVED +CVE-2020-26208 (JHEAD is a simple command line tool for displaying and some manipulati ...) + - jhead 1:3.04-6 (bug #972617; unimportant) + NOTE: https://github.com/Matthias-Wandel/jhead/commit/5186ddcf9e35a7aa0ff0539489a930434a1325f4 + NOTE: https://github.com/Matthias-Wandel/jhead/issues/7 + NOTE: https://sources.debian.org/src/jhead/1%3A3.04-6/debian/patches/allocate-extra.patch/ + NOTE: Crash in CLI tool, no security impact CVE-2020-26207 (DatabaseSchemaViewer before version 2.7.4.3 is vulnerable to arbitrary ...) NOT-FOR-US: DatabaseSchemaViewer CVE-2020-26206 @@ -12449,8 +12524,8 @@ CVE-2020-25907 RESERVED CVE-2020-25906 RESERVED -CVE-2020-25905 - RESERVED +CVE-2020-25905 (An SQL Injection vulnerabilty exists in Sourcecodester Mobile Shop Sys ...) + NOT-FOR-US: Sourcecodester CVE-2020-25904 RESERVED CVE-2020-25903 @@ -12851,6 +12926,7 @@ CVE-2020-25743 (hw/ide/pci.c in QEMU before 5.1.1 can trigger a NULL pointer der [stretch] - qemu <postponed> (Fix along in future DLA) NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2020-09/msg01568.html NOTE: https://ruhr-uni-bochum.sciebo.de/s/NNWP2GfwzYKeKwE?path=%2Fide_nullptr1 + NOTE: No upstream patch as of 2022-01-28 CVE-2020-25742 (pci_change_irq_level in hw/pci/pci.c in QEMU before 5.1.1 has a NULL p ...) - qemu <unfixed> (bug #971390) [bullseye] - qemu <postponed> (Minor issue, revisit when fixed upstream) @@ -12858,6 +12934,7 @@ CVE-2020-25742 (pci_change_irq_level in hw/pci/pci.c in QEMU before 5.1.1 has a [stretch] - qemu <postponed> (Fix along in future DLA) NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2020-09/msg05294.html NOTE: https://ruhr-uni-bochum.sciebo.de/s/NNWP2GfwzYKeKwE?path=%2Flsi_nullptr1 + NOTE: No upstream patch as of 2022-01-28 CVE-2020-25741 (fdctrl_write_data in hw/block/fdc.c in QEMU 5.0.0 has a NULL pointer d ...) - qemu <unfixed> (bug #970939) [bullseye] - qemu <postponed> (Minor issue, revisit when fixed upstream) @@ -12865,6 +12942,7 @@ CVE-2020-25741 (fdctrl_write_data in hw/block/fdc.c in QEMU 5.0.0 has a NULL poi [stretch] - qemu <postponed> (Fix along in future DLA) NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2020-09/msg07779.html NOTE: https://ruhr-uni-bochum.sciebo.de/s/NNWP2GfwzYKeKwE?path=%2Ffdc_nullptr1 + NOTE: No upstream patch as of 2022-01-28 CVE-2020-25740 RESERVED CVE-2020-25739 (An issue was discovered in the gon gem before gon-6.4.0 for Ruby. Mult ...) @@ -12914,8 +12992,7 @@ CVE-2020-25723 (A reachable assertion issue was found in the USB EHCI emulation - qemu 1:5.2+dfsg-1 (bug #975276) [buster] - qemu <postponed> (Fix along in future DSA) NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=2fdb42d840400d58f2e706ecca82c142b97bcbd6 (v5.2.0-rc0) -CVE-2020-25722 [AD DC UPN vs samAccountName not checked] - RESERVED +CVE-2020-25722 (Multiple flaws were found in the way samba AD DC implemented access an ...) {DSA-5003-1} - samba 2:4.13.14+dfsg-1 [buster] - samba <ignored> (Intrusive backport; affects Samba as AD DC) @@ -12932,27 +13009,23 @@ CVE-2020-25721 [[Kerberos acceptors need easy access to stable AD identifiers (e NOTE: https://www.samba.org/samba/security/CVE-2020-25721.html CVE-2020-25720 RESERVED -CVE-2020-25719 [AD DC Username based races when no PAC is given] - RESERVED +CVE-2020-25719 (A flaw was found in the way Samba, as an Active Directory Domain Contr ...) {DSA-5003-1} - samba 2:4.13.14+dfsg-1 [buster] - samba <ignored> (Intrusive backport; affects Samba as AD DC) NOTE: https://bugzilla.samba.org/show_bug.cgi?id=14561 NOTE: https://bugzilla.samba.org/show_bug.cgi?id=14725 NOTE: https://www.samba.org/samba/security/CVE-2020-25719.html -CVE-2020-25718 [An RODC can issue (forge) administrator tickets to other servers] - RESERVED +CVE-2020-25718 (A flaw was found in the way samba, as an Active Directory Domain Contr ...) {DSA-5003-1} - samba 2:4.13.14+dfsg-1 [buster] - samba <ignored> (Intrusive backport; affects Samba as AD DC) NOTE: https://bugzilla.samba.org/show_bug.cgi?id=14558 NOTE: https://bugzilla.samba.org/show_bug.cgi?id=14725 NOTE: https://www.samba.org/samba/security/CVE-2020-25718.html -CVE-2020-25717 [A user on the domain can become root on domain members] - RESERVED - {DSA-5003-1} +CVE-2020-25717 (A flaw was found in the way Samba maps domain users to local users. An ...) + {DSA-5015-1 DSA-5003-1} - samba 2:4.13.14+dfsg-1 - [buster] - samba <ignored> (Intrusive backport; backport only 'min domain uid' parameter) NOTE: https://bugzilla.samba.org/show_bug.cgi?id=14556 NOTE: https://bugzilla.samba.org/show_bug.cgi?id=14725 NOTE: https://www.samba.org/samba/security/CVE-2020-25717.html @@ -12968,10 +13041,10 @@ CVE-2020-25715 (A flaw was found in pki-core 10.9.0. A specially crafted POST re CVE-2020-25714 RESERVED CVE-2020-25713 (A malformed input file can lead to a segfault due to an out of bounds ...) + {DLA-2846-1} - raptor <removed> - raptor2 2.0.14-1.2 (bug #974664) [buster] - raptor2 <no-dsa> (Minor issue) - [stretch] - raptor2 <postponed> (Minor issue; reconsider when fixed upstream.) NOTE: https://bugs.librdf.org/mantis/view.php?id=650 CVE-2020-25712 (A flaw was found in xorg-x11-server before 1.20.10. A heap-buffer over ...) {DSA-4803-1 DLA-2486-1} @@ -13505,8 +13578,7 @@ CVE-2020-25592 (In SaltStack Salt through 3002, salt-netapi improperly validates {DSA-4837-1 DLA-2480-1} - salt 3002.1+dfsg1-1 NOTE: https://www.saltstack.com/blog/on-november-3-2020-saltstack-publicly-disclosed-three-new-cves/ - NOTE: https://gitlab.com/saltstack/open/salt-patches/-/raw/master/patches/2020/09/25/2018.3.5.patch (2018.3.5) - NOTE: https://gitlab.com/saltstack/open/salt-patches/-/raw/master/patches/2020/09/25/2016.11.3.patch (2016.11.3) + NOTE: https://gitlab.com/saltstack/open/salt-patches/-/tree/master/patches/2020/09/25 CVE-2020-25591 RESERVED CVE-2020-25590 @@ -13833,8 +13905,10 @@ CVE-2020-25429 RESERVED CVE-2020-25428 RESERVED -CVE-2020-25427 - RESERVED +CVE-2020-25427 (A Null pointer dereference vulnerability exits in MP4Box - GPAC versio ...) + - gpac <unfixed> + NOTE: https://github.com/gpac/gpac/issues/1406 + NOTE: https://github.com/gpac/gpac/commit/8e585e623b1d666b4ef736ed609264639cb27701 CVE-2020-25426 RESERVED CVE-2020-25425 @@ -14322,7 +14396,7 @@ CVE-2020-25203 (The Framer Preview application 12 for Android exposes com.framer CVE-2020-25576 (An issue was discovered in the rand_core crate before 0.4.2 for Rust. ...) - rust-rand-core 0.5.0-1 (bug #969911; low) [buster] - rust-rand-core <ignored> (Minor issue) - - rust-rand-core-0.3 <unfixed> (bug #970186; low) + - rust-rand-core-0.3 <removed> (bug #970186; low) - rust-rand-core-0.2 <removed> (bug #970185; low) [buster] - rust-rand-core-0.2 <ignored> (Minor issue) NOTE: https://rustsec.org/advisories/RUSTSEC-2019-0035.html @@ -14696,9 +14770,11 @@ CVE-2020-25042 (An arbitrary file upload issue exists in Mara CMS 7.5. In order CVE-2020-25041 RESERVED CVE-2020-25040 (Sylabs Singularity through 3.6.2 has Insecure Permissions on temporary ...) + [experimental] - singularity-container 3.9.4+ds2-1 - singularity-container <unfixed> (bug #970465) NOTE: https://github.com/hpcng/singularity/security/advisories/GHSA-jv9c-w74q-6762 CVE-2020-25039 (Sylabs Singularity 3.2.0 through 3.6.2 has Insecure Permissions on tem ...) + [experimental] - singularity-container 3.9.4+ds2-1 - singularity-container <unfixed> (bug #970465) NOTE: https://github.com/hpcng/singularity/security/advisories/GHSA-w6v2-qchm-grj7 CVE-2020-25038 @@ -14931,9 +15007,11 @@ CVE-2020-24943 CVE-2020-24942 RESERVED CVE-2020-24941 (An issue was discovered in Laravel before 6.18.35 and 7.x before 7.24. ...) - NOT-FOR-US: Laravel + - php-laravel-framework <not-affected> (Fixed before initial upload to Debian) + NOTE: https://blog.laravel.com/security-release-laravel-61835-7240 CVE-2020-24940 (An issue was discovered in Laravel before 6.18.34 and 7.x before 7.23. ...) - NOT-FOR-US: Laravel + - php-laravel-framework <not-affected> (Fixed before initial upload to Debian) + NOTE: https://blog.laravel.com/security-release-laravel-61834-7232 CVE-2020-24939 (Prototype pollution in Stampit supermixer 1.0.3 allows an attacker to ...) NOT-FOR-US: Stampit supermixer CVE-2020-24938 @@ -15042,7 +15120,7 @@ CVE-2020-24890 (** DISPUTED ** libraw 20.0 has a null pointer dereference vulner CVE-2020-24889 (A buffer overflow vulnerability in LibRaw version < 20.0 LibRaw::Ge ...) - libraw 0.20.2-1 [buster] - libraw <no-dsa> (Minor issue) - [stretch] - libraw <no-dsa> (Minor issue) + [stretch] - libraw <not-affected> (Vulnerable code not present) NOTE: https://github.com/LibRaw/LibRaw/issues/334 NOTE: https://github.com/LibRaw/LibRaw/commit/78d323ecbe6a9752aee6e97118a76d40704d73ee CVE-2020-24888 @@ -17134,8 +17212,8 @@ CVE-2020-23988 RESERVED CVE-2020-23987 RESERVED -CVE-2020-23986 - RESERVED +CVE-2020-23986 (Github Read Me Stats commit 3c7220e4f7144f6cb068fd433c774f6db47ccb95 w ...) + NOT-FOR-US: Github Read Me Stats CVE-2020-23985 RESERVED CVE-2020-23984 (Online Hotel Booking System Pro PHP Version 1.3 has Persistent Cross-s ...) @@ -17329,7 +17407,7 @@ CVE-2020-23906 (FFmpeg N-98388-g76a3ee996b allows attackers to cause a denial of NOTE: Fixed by: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=be84216c53a4ed81573c82320e9c4a20e9b349d9 (n4.3.1) CVE-2020-23905 RESERVED -CVE-2020-23904 (A stack buffer overflow in speexenc.c of Speex v1.2 allows attackers t ...) +CVE-2020-23904 (** DISPUTED ** A stack buffer overflow in speexenc.c of Speex v1.2 all ...) - speex <unfixed> [bullseye] - speex <no-dsa> (Minor issue) [buster] - speex <no-dsa> (Minor issue) @@ -17379,6 +17457,7 @@ CVE-2020-23885 RESERVED CVE-2020-23884 (A buffer overflow in Nomacs v3.15.0 allows attackers to cause a denial ...) - nomacs <unfixed> + [buster] - nomacs <no-dsa> (Minor issue) [stretch] - nomacs <no-dsa> (Minor issue) NOTE: https://github.com/nomacs/nomacs/issues/516 CVE-2020-23883 @@ -17440,8 +17519,9 @@ CVE-2020-23858 CVE-2020-23857 RESERVED CVE-2020-23856 (Use-after-Free vulnerability in cflow 1.6 in the void call(char *name, ...) - - cflow <unfixed> (unimportant; bug #988985) + - cflow 1:1.6-6 (unimportant; bug #988985) NOTE: https://lists.gnu.org/archive/html/bug-cflow/2020-07/msg00000.html + NOTE: https://git.savannah.gnu.org/cgit/cflow.git/commit/?id=b9a7cd5e9d4efb54141dd0d11c319bb97a4600c6 NOTE: Crash in CLI tool, no security impact CVE-2020-23855 RESERVED @@ -18063,8 +18143,8 @@ CVE-2020-23547 RESERVED CVE-2020-23546 (IrfanView 4.54 allows attackers to cause a denial of service or possib ...) NOT-FOR-US: IrfanView -CVE-2020-23545 - RESERVED +CVE-2020-23545 (IrfanView 4.54 allows a user-mode write access violation starting at F ...) + NOT-FOR-US: IrfanView CVE-2020-23544 RESERVED CVE-2020-23543 @@ -18538,8 +18618,8 @@ CVE-2020-23317 RESERVED CVE-2020-23316 RESERVED -CVE-2020-23315 - RESERVED +CVE-2020-23315 (There is an ASSERTION (pFuncBody->GetYieldRegister() == oldYieldReg ...) + NOT-FOR-US: Microsoft CVE-2020-23314 (There is an Assertion 'block_found' failed at js-parser-statm.c:2003 p ...) - iotjs <unfixed> (bug #989991) [bullseye] - iotjs <no-dsa> (Minor issue) @@ -19009,6 +19089,8 @@ CVE-2020-23110 RESERVED CVE-2020-23109 (Buffer overflow vulnerability in function convert_colorspace in heif_c ...) - libheif <unfixed> + [bullseye] - libheif <no-dsa> (Minor issue) + [buster] - libheif <no-dsa> (Minor issue) NOTE: https://github.com/strukturag/libheif/issues/207 CVE-2020-23108 RESERVED @@ -19174,8 +19256,9 @@ CVE-2020-23028 RESERVED CVE-2020-23027 RESERVED -CVE-2020-23026 - RESERVED +CVE-2020-23026 (A NULL pointer dereference in the main() function dhry_1.c of dhryston ...) + - dhrystone <itp> (bug #693342) + NOTE: https://github.com/sifive/benchmark-dhrystone CVE-2020-23025 RESERVED CVE-2020-23024 @@ -19894,7 +19977,7 @@ CVE-2020-22675 (An issue was discovered in gpac 0.8.0. The GetGhostNum function NOTE: https://github.com/gpac/gpac/commit/5aa8c4bbd970a3a77517b00528a596063efca1a9 CVE-2020-22674 (An issue was discovered in gpac 0.8.0. An invalid memory dereference e ...) - gpac 1.0.1+dfsg1-2 - [buster] - gpac <ignored> (Minor issue) + [buster] - gpac <not-affected> (Vulnerable code introduced later, in version 0.7.0) [stretch] - gpac <not-affected> (Vulnerable code introduced later, in version 0.7.0) NOTE: https://github.com/gpac/gpac/issues/1346 NOTE: https://github.com/gpac/gpac/commit/6040a5981a9f51410bd18af8820afbd2748c2d76 @@ -20067,8 +20150,6 @@ CVE-2020-22594 RESERVED CVE-2020-22593 RESERVED -CVE-2020-22592 - RESERVED CVE-2020-22591 RESERVED CVE-2020-22590 @@ -20409,8 +20490,8 @@ CVE-2020-22423 RESERVED CVE-2020-22422 RESERVED -CVE-2020-22421 - RESERVED +CVE-2020-22421 (74CMS v6.0.4 was discovered to contain a cross-site scripting (XSS) vu ...) + NOT-FOR-US: 74CMS CVE-2020-22420 RESERVED CVE-2020-22419 @@ -21146,16 +21227,16 @@ CVE-2020-22063 RESERVED CVE-2020-22062 RESERVED -CVE-2020-22061 - RESERVED +CVE-2020-22061 (SUPERAntispyware v8.0.0.1050 was discovered to contain an issue in the ...) + NOT-FOR-US: SUPERAntispyware CVE-2020-22060 RESERVED CVE-2020-22059 RESERVED CVE-2020-22058 RESERVED -CVE-2020-22057 - RESERVED +CVE-2020-22057 (The WinRin0x64.sys and WinRing0.sys low-level drivers in EVGA Precisio ...) + NOT-FOR-US: EVGA Precision XOC CVE-2020-22056 (A Denial of Service vulnerability exists in FFmpeg 4.2 due to a memory ...) - ffmpeg 7:4.3-2 (unimportant) [stretch] - ffmpeg <not-affected> (vulnerable code is not present) @@ -22266,7 +22347,7 @@ CVE-2020-21603 (libde265 v1.0.4 contains a heap buffer overflow in the put_qpel_ [stretch] - libde265 <postponed> (Minor issue, revisit when fixed upstream) NOTE: https://github.com/strukturag/libde265/issues/240 CVE-2020-21602 (libde265 v1.0.4 contains a heap buffer overflow in the put_weighted_bi ...) - - libde265 <unfixed> + - libde265 <unfixed> (bug #1004963) [bullseye] - libde265 <postponed> (Minor issue, revisit when fixed upstream) [buster] - libde265 <postponed> (Minor issue, revisit when fixed upstream) [stretch] - libde265 <postponed> (Minor issue, revisit when fixed upstream) @@ -22278,7 +22359,7 @@ CVE-2020-21601 (libde265 v1.0.4 contains a stack buffer overflow in the put_qpel [stretch] - libde265 <postponed> (Minor issue, revisit when fixed upstream) NOTE: https://github.com/strukturag/libde265/issues/241 CVE-2020-21600 (libde265 v1.0.4 contains a heap buffer overflow in the put_weighted_pr ...) - - libde265 <unfixed> + - libde265 <unfixed> (bug #1004963) [bullseye] - libde265 <postponed> (Minor issue, revisit when fixed upstream) [buster] - libde265 <postponed> (Minor issue, revisit when fixed upstream) [stretch] - libde265 <postponed> (Minor issue, revisit when fixed upstream) @@ -22290,7 +22371,7 @@ CVE-2020-21599 (libde265 v1.0.4 contains a heap buffer overflow in the de265_ima [stretch] - libde265 <postponed> (Minor issue, revisit when fixed upstream) NOTE: https://github.com/strukturag/libde265/issues/235 CVE-2020-21598 (libde265 v1.0.4 contains a heap buffer overflow in the ff_hevc_put_unw ...) - - libde265 <unfixed> + - libde265 <unfixed> (bug #1004963) [bullseye] - libde265 <postponed> (Minor issue, revisit when fixed upstream) [buster] - libde265 <postponed> (Minor issue, revisit when fixed upstream) [stretch] - libde265 <postponed> (Minor issue, revisit when fixed upstream) @@ -23076,12 +23157,12 @@ CVE-2020-21240 RESERVED CVE-2020-21239 RESERVED -CVE-2020-21238 - RESERVED -CVE-2020-21237 - RESERVED -CVE-2020-21236 - RESERVED +CVE-2020-21238 (An issue in the user login box of CSCMS v4.0 allows attackers to hijac ...) + NOT-FOR-US: CSCMS +CVE-2020-21237 (An issue in the user login box of LJCMS v1.11 allows attackers to hija ...) + NOT-FOR-US: LJCMS +CVE-2020-21236 (A vulnerability in /damicms-master/admin.php?s=/Article/doedit of Dami ...) + NOT-FOR-US: DamiCMS CVE-2020-21235 RESERVED CVE-2020-21234 @@ -23674,18 +23755,18 @@ CVE-2020-20950 (Bleichenbacher's attack on PKCS #1 v1.5 padding for RSA in Micro NOT-FOR-US: Microchip Libraries for Applications CVE-2020-20949 (Bleichenbacher's attack on PKCS #1 v1.5 padding for RSA in STM32 crypt ...) NOT-FOR-US: STM32 cryptographic firmware library -CVE-2020-20948 - RESERVED +CVE-2020-20948 (An arbitrary file download vulnerability in jeecg v3.8 allows attacker ...) + NOT-FOR-US: jeecg CVE-2020-20947 RESERVED -CVE-2020-20946 - RESERVED -CVE-2020-20945 - RESERVED -CVE-2020-20944 - RESERVED -CVE-2020-20943 - RESERVED +CVE-2020-20946 (Qibosoft v7 contains a stored cross-site scripting (XSS) vulnerability ...) + NOT-FOR-US: Qibosoft +CVE-2020-20945 (A Cross-Site Request Forgery (CSRF) in /admin/index.php?lfj=member& ...) + NOT-FOR-US: Qibosoft +CVE-2020-20944 (An issue in /admin/index.php?lfj=mysql&action=del of Qibosoft v7 a ...) + NOT-FOR-US: Qibosoft +CVE-2020-20943 (A Cross-Site Request Forgery (CSRF) in /member/post.php?job=postnew&am ...) + NOT-FOR-US: Qibosoft CVE-2020-20942 RESERVED CVE-2020-20941 @@ -24391,32 +24472,33 @@ CVE-2020-20607 RESERVED CVE-2020-20606 RESERVED -CVE-2020-20605 - RESERVED +CVE-2020-20605 (Blog CMS v1.0 contains a cross-site scripting (XSS) vulnerability in t ...) + NOT-FOR-US: Blog CMS CVE-2020-20604 RESERVED CVE-2020-20603 RESERVED CVE-2020-20602 RESERVED -CVE-2020-20601 - RESERVED -CVE-2020-20600 - RESERVED +CVE-2020-20601 (An issue in ThinkCMF X2.2.2 and below allows attackers to execute arbi ...) + NOT-FOR-US: ThinkCMF +CVE-2020-20600 (MetInfo 7.0 beta contains a stored cross-site scripting (XSS) vulnerab ...) + NOT-FOR-US: MetInfo CVE-2020-20599 RESERVED -CVE-2020-20598 - RESERVED -CVE-2020-20597 - RESERVED +CVE-2020-20598 (A cross-site scripting (XSS) vulnerability in the Editing component of ...) + NOT-FOR-US: com.mossle.lemon +CVE-2020-20597 (A cross-site scripting (XSS) vulnerability in the potrtalItemName para ...) + NOT-FOR-US: com.mossle.lemon + NOTE: https://github.com/xuhuisheng/lemon CVE-2020-20596 RESERVED -CVE-2020-20595 - RESERVED +CVE-2020-20595 (A cross-site request forgery (CSRF) in OPMS v1.3 and below allows atta ...) + NOT-FOR-US: OPMS CVE-2020-20594 RESERVED -CVE-2020-20593 - RESERVED +CVE-2020-20593 (A cross-site request forgery (CSRF) in Rockoa v1.9.8 allows an authent ...) + NOT-FOR-US: Rockoa CVE-2020-20592 RESERVED CVE-2020-20591 @@ -24782,10 +24864,10 @@ CVE-2020-20428 RESERVED CVE-2020-20427 RESERVED -CVE-2020-20426 - RESERVED -CVE-2020-20425 - RESERVED +CVE-2020-20426 (S-CMS Government Station Building System v5.0 contains a cross-site sc ...) + NOT-FOR-US: S-CMS Government Station Building System +CVE-2020-20425 (S-CMS Government Station Building System v5.0 contains a cross-site sc ...) + NOT-FOR-US: S-CMS Government Station Building System CVE-2020-20424 RESERVED CVE-2020-20423 @@ -25912,14 +25994,25 @@ CVE-2020-19863 RESERVED CVE-2020-19862 RESERVED -CVE-2020-19861 - RESERVED -CVE-2020-19860 - RESERVED +CVE-2020-19861 (When a zone file in ldns 1.7.1 is parsed, the function ldns_nsec3_salt ...) + {DLA-2910-1} + - ldns <unfixed> + [bullseye] - ldns <no-dsa> (Minor issue) + [buster] - ldns <no-dsa> (Minor issue) + NOTE: https://github.com/NLnetLabs/ldns/issues/51 + NOTE: https://github.com/NLnetLabs/ldns/commit/136ec420437041fe13f344a2053e774f9050cc38 (1.8.0-rc.1) +CVE-2020-19860 (When ldns version 1.7.1 verifies a zone file, the ldns_rr_new_frm_str_ ...) + {DLA-2910-1} + - ldns <unfixed> + [bullseye] - ldns <no-dsa> (Minor issue) + [buster] - ldns <no-dsa> (Minor issue) + NOTE: https://github.com/NLnetLabs/ldns/issues/50 + NOTE: https://github.com/NLnetLabs/ldns/commit/15d96206996bea969fbc918eb0a4a346f514b9f3 (1.8.0-rc.1) + NOTE: https://github.com/NLnetLabs/ldns/commit/4e9861576a600a5ecfa16ec2de853c90dd9ce276 (1.8.0-rc.1) CVE-2020-19859 RESERVED -CVE-2020-19858 - RESERVED +CVE-2020-19858 (Platinum Upnp SDK through 1.2.0 has a directory traversal vulnerabilit ...) + NOT-FOR-US: Platinum Upnp SDK CVE-2020-19857 RESERVED CVE-2020-19856 @@ -26094,8 +26187,8 @@ CVE-2020-19772 RESERVED CVE-2020-19771 RESERVED -CVE-2020-19770 - RESERVED +CVE-2020-19770 (A cross-site scripting (XSS) vulnerability in the system bulletin comp ...) + NOT-FOR-US: WUZHI CMS CVE-2020-19769 (A lack of target address verification in the BurnMe() function of Rob ...) NOT-FOR-US: Rob The Bank CVE-2020-19768 (A lack of target address verification in the selfdestructs() function ...) @@ -26285,10 +26378,10 @@ CVE-2020-19685 RESERVED CVE-2020-19684 RESERVED -CVE-2020-19683 - RESERVED -CVE-2020-19682 - RESERVED +CVE-2020-19683 (A Cross Site Scripting (XSS) exists in ZZZCMS V1.7.1 via an editfile a ...) + NOT-FOR-US: zzzcms +CVE-2020-19682 (A Cross Site Request Forgery (CSRF) vulnerability exits in ZZZCMS V1.7 ...) + NOT-FOR-US: zzzcms CVE-2020-19681 RESERVED CVE-2020-19680 @@ -26316,11 +26409,15 @@ CVE-2020-19670 (In Niushop B2B2C Multi-Business Basic Edition V1.11, authenticat CVE-2020-19669 (Cross Site Request Forgery (CSRF) vulnerability exists in Eyoucms 1.3. ...) NOT-FOR-US: Eyoucms CVE-2020-19668 (Unverified indexs into the array lead to out of bound access in the gi ...) - - libsixel <unfixed> (bug #990799) + - libsixel 1.10.3-1 (bug #990799) [bullseye] - libsixel <no-dsa> (Minor issue) [buster] - libsixel <no-dsa> (Minor issue) [stretch] - libsixel <no-dsa> (Minor issue) NOTE: https://github.com/saitoha/libsixel/issues/136 + NOTE: https://github.com/libsixel/libsixel/issues/7 + NOTE: https://github.com/libsixel/libsixel/pull/8 + NOTE: https://github.com/libsixel/libsixel/commit/05e5d21d065c663ec7a83d185974f4c252314968 (v1.9.0) + NOTE: Since 1.10.3-1 the Debian package moved from https://github.com/saitoha/libsixel to https://github.com/libsixel/libsixel fork CVE-2020-19667 (Stack-based buffer overflow and unconditional jump in ReadXPMImage in ...) {DLA-2523-1} - imagemagick 8:6.9.11.24+dfsg-1 @@ -26438,8 +26535,8 @@ CVE-2020-19613 (Server Side Request Forgery (SSRF) vulnerability in saveUrlAs fu NOT-FOR-US: sunkaifei FlyCMS CVE-2020-19612 RESERVED -CVE-2020-19611 - RESERVED +CVE-2020-19611 (Cross Site Scripting (XSS) in redirect module of Racktables version 0. ...) + - racktables <itp> (bug #629531) CVE-2020-19610 RESERVED CVE-2020-19609 (Artifex MuPDF before 1.18.0 has a heap based buffer over-write in tiff ...) @@ -26708,8 +26805,11 @@ CVE-2020-19489 RESERVED CVE-2020-19488 (An issue was discovered in box_code_apple.c:119 in Gpac MP4Box 0.8.0, ...) - gpac 1.0.1+dfsg1-2 - NOTE: https://github.com/gpac/gpac/commit/6170024568f4dda310e98ef7508477b425c58d09 + [buster] - gpac <not-affected> (Vulnerable code introduced later, in version 0.8.0) + [stretch] - gpac <not-affected> (Vulnerable code introduced later, in version 0.8.0) NOTE: https://github.com/gpac/gpac/issues/1263 + NOTE: Introduced by: https://github.com/gpac/gpac/commit/86d072b6a13baa1a4a90168098a0f8354c24d8cf (v0.8.0) + NOTE: Fixed by: https://github.com/gpac/gpac/commit/6170024568f4dda310e98ef7508477b425c58d09 (v0.9.0-preview) CVE-2020-19487 RESERVED CVE-2020-19486 @@ -26724,12 +26824,13 @@ CVE-2020-19482 RESERVED CVE-2020-19481 (An issue was discovered in GPAC before 0.8.0, as demonstrated by MP4Bo ...) - gpac 1.0.1+dfsg1-2 - [buster] - gpac <ignored> (Minor issue) - [stretch] - gpac <ignored> (Minor issue) - NOTE: https://github.com/gpac/gpac/commit/2320eb73afba753b39b7147be91f7be7afc0eeb7 + [buster] - gpac <not-affected> (Vulnerable code introduced later, in version 0.8.0) + [stretch] - gpac <not-affected> (Vulnerable code introduced later, in version 0.8.0) NOTE: https://github.com/gpac/gpac/issues/1265 NOTE: https://github.com/gpac/gpac/issues/1266 NOTE: https://github.com/gpac/gpac/issues/1267 + NOTE: Introduced by: https://github.com/gpac/gpac/commit/bb002ad4f92d216f8ab7c8466102279ef8af6f88 (v0.8.0) + NOTE: Fixed by: https://github.com/gpac/gpac/commit/2320eb73afba753b39b7147be91f7be7afc0eeb7 (v0.9.0-preview) CVE-2020-19480 RESERVED CVE-2020-19479 @@ -27084,8 +27185,10 @@ CVE-2020-19318 RESERVED CVE-2020-19317 RESERVED -CVE-2020-19316 - RESERVED +CVE-2020-19316 (OS Command injection vulnerability in function link in Filesystem.php ...) + - php-laravel-framework <not-affected> (Fixed before initial upload to Debian) + NOTE: http://www.netbytesec.com/advisories/OSCommandInjectionInLaravelFramework/ + NOTE: https://github.com/laravel/framework/commit/44c3feb604944599ad1c782a9942981c3991fa31 (5.8.17) CVE-2020-19315 RESERVED CVE-2020-19314 @@ -27646,8 +27749,8 @@ CVE-2020-19044 RESERVED CVE-2020-19043 RESERVED -CVE-2020-19042 - RESERVED +CVE-2020-19042 (Cross Site Scripting (XSS) vulnerability exists in zzcms 2019 XSS via ...) + NOT-FOR-US: zzcms CVE-2020-19041 RESERVED CVE-2020-19040 @@ -27760,10 +27863,10 @@ CVE-2020-18987 RESERVED CVE-2020-18986 RESERVED -CVE-2020-18985 - RESERVED -CVE-2020-18984 - RESERVED +CVE-2020-18985 (An issue in /domain/service/.ewell-known/caldav of Zimbra Collaboratio ...) + NOT-FOR-US: Zimbra +CVE-2020-18984 (A reflected cross-site scripting (XSS) vulnerability in the zimbraAdmi ...) + NOT-FOR-US: Zimbra CVE-2020-18983 RESERVED CVE-2020-18982 (Cross Sie Scripting (XSS) vulnerability in Halo 0.4.3 via CommentAutho ...) @@ -28423,13 +28526,13 @@ CVE-2020-18672 CVE-2020-18671 (Cross Site Scripting (XSS) vulnerability in Roundcube Mail <=1.4.4 ...) - roundcube 1.4.5+dfsg.1-1 [buster] - roundcube 1.3.13+dfsg.1-1~deb10u1 - [stretch] - roundcube <postponed> (Minor issue, XSS in installer which is not exposed in Debian) + [stretch] - roundcube <ignored> (Minor issue, XSS in installer which is not exposed in Debian) NOTE: https://github.com/roundcube/roundcubemail/issues/7406 NOTE: https://roundcube.net/news/2020/06/02/security-updates-1.4.5-and-1.3.12 CVE-2020-18670 (Cross Site Scripting (XSS) vulneraibility in Roundcube mail .4.4 via d ...) - roundcube 1.4.5+dfsg.1-1 [buster] - roundcube 1.3.13+dfsg.1-1~deb10u1 - [stretch] - roundcube <postponed> (Minor issue, XSS in installer which is not exposed in Debian) + [stretch] - roundcube <ignored> (Minor issue, XSS in installer which is not exposed in Debian) NOTE: https://github.com/roundcube/roundcubemail/issues/7406 NOTE: https://roundcube.net/news/2020/06/02/security-updates-1.4.5-and-1.3.12 CVE-2020-18669 @@ -28887,10 +28990,10 @@ CVE-2020-18444 CVE-2020-18443 RESERVED CVE-2020-18442 (Infinite Loop in zziplib v0.13.69 allows remote attackers to cause a d ...) + {DLA-2859-1} - zziplib 0.13.72+dfsg.1-1 [bullseye] - zziplib <no-dsa> (Minor issue) [buster] - zziplib <no-dsa> (Minor issue) - [stretch] - zziplib <postponed> (Minor issue, fix along with next DLA) NOTE: https://github.com/gdraheim/zziplib/issues/68 NOTE: https://github.com/gdraheim/zziplib/commit/ac9ae39ef419e9f0f83da1e583314d8c7cda34a6 NOTE: https://github.com/gdraheim/zziplib/commit/7e786544084548da7fcfcd9090d3c4e7f5777f7e @@ -29630,16 +29733,16 @@ CVE-2020-18083 RESERVED CVE-2020-18082 RESERVED -CVE-2020-18081 - RESERVED +CVE-2020-18081 (The checkuser function of SEMCMS 3.8 was discovered to contain a vulne ...) + NOT-FOR-US: SEMCMS CVE-2020-18080 RESERVED CVE-2020-18079 RESERVED -CVE-2020-18078 - RESERVED -CVE-2020-18077 - RESERVED +CVE-2020-18078 (A vulnerability in /include/web_check.php of SEMCMS v3.8 allows attack ...) + NOT-FOR-US: SEMCMS +CVE-2020-18077 (A buffer overflow vulnerability in the Virtual Path Mapping component ...) + NOT-FOR-US: FTPShell Server CVE-2020-18076 RESERVED CVE-2020-18075 @@ -30855,10 +30958,12 @@ CVE-2020-17497 (eapol.c in iNet wireless daemon (IWD) through 1.8 allows attacke CVE-2020-17496 (vBulletin 5.5.4 through 5.6.2 allows remote command execution via craf ...) NOT-FOR-US: vBulletin CVE-2020-17495 (django-celery-results through 1.2.1 stores task results in the databas ...) - - python-django-celery-results <unfixed> (bug #968305) - [bullseye] - python-django-celery-results <no-dsa> (Minor issue) - [buster] - python-django-celery-results <no-dsa> (Minor issue) + - python-django-celery-results <unfixed> (unimportant; bug #968305) NOTE: https://github.com/celery/django-celery-results/issues/142 + NOTE: Disputed upstream as security vulnerablity, as it is up to the developers who uses + NOTE: sensitive information when calling celery tasks to provide suitable replacement argument + NOTE: through argsrepr and kwargsrepr as described in: + NOTE: https://github.com/celery/django-celery-results/issues/154#issuecomment-734706270 CVE-2020-17494 (Untangle Firewall NG before 16.0 uses MD5 for passwords. ...) NOT-FOR-US: Untangle Firewall NG CVE-2020-17493 @@ -31104,8 +31209,8 @@ CVE-2020-17385 (Cellopoint Cellos v4.1.10 Build 20190922 does not validate URL i NOT-FOR-US: Cellopoint Cellos CVE-2020-17384 (Cellopoint Cellos v4.1.10 Build 20190922 does not validate URL inputte ...) NOT-FOR-US: Cellopoint Cellos -CVE-2020-17383 - RESERVED +CVE-2020-17383 (A directory traversal vulnerability on Telos Z/IP One devices through ...) + NOT-FOR-US: Telos Z/IP ONE Broadcast CVE-2020-17382 (The MSI AmbientLink MsIo64 driver 1.0.0.8 has a Buffer Overflow (0x801 ...) NOT-FOR-US: MSI AmbientLink MsIo64 driver CVE-2020-17381 (An issue was discovered in Ghisler Total Commander 9.51. Due to insuff ...) @@ -32211,8 +32316,9 @@ CVE-2020-16846 (An issue was discovered in SaltStack Salt through 3002. Sending {DSA-4837-1 DLA-2480-1} - salt 3002.1+dfsg1-1 NOTE: https://www.saltstack.com/blog/on-november-3-2020-saltstack-publicly-disclosed-three-new-cves/ - NOTE: https://gitlab.com/saltstack/open/salt-patches/-/raw/master/patches/2020/09/02/2018.3.x.patch (2018.3.x) - NOTE: https://gitlab.com/saltstack/open/salt-patches/-/raw/master/patches/2020/09/02/2016.11.x.patch (2016.11.x) + NOTE: https://gitlab.com/saltstack/open/salt-patches/tree/master/patches/2020/09/02/ + NOTE: Regression: https://github.com/saltstack/salt/issues/58970 + NOTE: Regression fix: https://github.com/saltstack/salt/commit/84d91931865626a9b53558f88d6c8919a270df3a (v3000.6) CVE-2020-16845 (Go before 1.13.15 and 14.x before 1.14.7 can have an infinite read loo ...) {DSA-4848-1 DLA-2460-1 DLA-2459-1} - golang-1.15 1.15~rc2-1 @@ -32240,405 +32346,405 @@ CVE-2020-16838 CVE-2020-16837 RESERVED CVE-2020-16836 - RESERVED + REJECTED CVE-2020-16835 - RESERVED + REJECTED CVE-2020-16834 - RESERVED + REJECTED CVE-2020-16833 - RESERVED + REJECTED CVE-2020-16832 - RESERVED + REJECTED CVE-2020-16831 - RESERVED + REJECTED CVE-2020-16830 - RESERVED + REJECTED CVE-2020-16829 - RESERVED + REJECTED CVE-2020-16828 - RESERVED + REJECTED CVE-2020-16827 - RESERVED + REJECTED CVE-2020-16826 - RESERVED + REJECTED CVE-2020-16825 - RESERVED + REJECTED CVE-2020-16824 - RESERVED + REJECTED CVE-2020-16823 - RESERVED + REJECTED CVE-2020-16822 - RESERVED + REJECTED CVE-2020-16821 - RESERVED + REJECTED CVE-2020-16820 - RESERVED + REJECTED CVE-2020-16819 - RESERVED + REJECTED CVE-2020-16818 - RESERVED + REJECTED CVE-2020-16817 - RESERVED + REJECTED CVE-2020-16816 - RESERVED + REJECTED CVE-2020-16815 - RESERVED + REJECTED CVE-2020-16814 - RESERVED + REJECTED CVE-2020-16813 - RESERVED + REJECTED CVE-2020-16812 - RESERVED + REJECTED CVE-2020-16811 - RESERVED + REJECTED CVE-2020-16810 - RESERVED + REJECTED CVE-2020-16809 - RESERVED + REJECTED CVE-2020-16808 - RESERVED + REJECTED CVE-2020-16807 - RESERVED + REJECTED CVE-2020-16806 - RESERVED + REJECTED CVE-2020-16805 - RESERVED + REJECTED CVE-2020-16804 - RESERVED + REJECTED CVE-2020-16803 - RESERVED + REJECTED CVE-2020-16802 - RESERVED + REJECTED CVE-2020-16801 - RESERVED + REJECTED CVE-2020-16800 - RESERVED + REJECTED CVE-2020-16799 - RESERVED + REJECTED CVE-2020-16798 - RESERVED + REJECTED CVE-2020-16797 - RESERVED + REJECTED CVE-2020-16796 - RESERVED + REJECTED CVE-2020-16795 - RESERVED + REJECTED CVE-2020-16794 - RESERVED + REJECTED CVE-2020-16793 - RESERVED + REJECTED CVE-2020-16792 - RESERVED + REJECTED CVE-2020-16791 - RESERVED + REJECTED CVE-2020-16790 - RESERVED + REJECTED CVE-2020-16789 - RESERVED + REJECTED CVE-2020-16788 - RESERVED + REJECTED CVE-2020-16787 - RESERVED + REJECTED CVE-2020-16786 - RESERVED + REJECTED CVE-2020-16785 - RESERVED + REJECTED CVE-2020-16784 - RESERVED + REJECTED CVE-2020-16783 - RESERVED + REJECTED CVE-2020-16782 - RESERVED + REJECTED CVE-2020-16781 - RESERVED + REJECTED CVE-2020-16780 - RESERVED + REJECTED CVE-2020-16779 - RESERVED + REJECTED CVE-2020-16778 - RESERVED + REJECTED CVE-2020-16777 - RESERVED + REJECTED CVE-2020-16776 - RESERVED + REJECTED CVE-2020-16775 - RESERVED + REJECTED CVE-2020-16774 - RESERVED + REJECTED CVE-2020-16773 - RESERVED + REJECTED CVE-2020-16772 - RESERVED + REJECTED CVE-2020-16771 - RESERVED + REJECTED CVE-2020-16770 - RESERVED + REJECTED CVE-2020-16769 - RESERVED + REJECTED CVE-2020-16768 - RESERVED + REJECTED CVE-2020-16767 - RESERVED + REJECTED CVE-2020-16766 - RESERVED + REJECTED CVE-2020-16765 - RESERVED + REJECTED CVE-2020-16764 - RESERVED + REJECTED CVE-2020-16763 - RESERVED + REJECTED CVE-2020-16762 - RESERVED + REJECTED CVE-2020-16761 - RESERVED + REJECTED CVE-2020-16760 - RESERVED + REJECTED CVE-2020-16759 - RESERVED + REJECTED CVE-2020-16758 - RESERVED + REJECTED CVE-2020-16757 - RESERVED + REJECTED CVE-2020-16756 - RESERVED + REJECTED CVE-2020-16755 - RESERVED + REJECTED CVE-2020-16754 - RESERVED + REJECTED CVE-2020-16753 - RESERVED + REJECTED CVE-2020-16752 - RESERVED + REJECTED CVE-2020-16751 - RESERVED + REJECTED CVE-2020-16750 - RESERVED + REJECTED CVE-2020-16749 - RESERVED + REJECTED CVE-2020-16748 - RESERVED + REJECTED CVE-2020-16747 - RESERVED + REJECTED CVE-2020-16746 - RESERVED + REJECTED CVE-2020-16745 - RESERVED + REJECTED CVE-2020-16744 - RESERVED + REJECTED CVE-2020-16743 - RESERVED + REJECTED CVE-2020-16742 - RESERVED + REJECTED CVE-2020-16741 - RESERVED + REJECTED CVE-2020-16740 - RESERVED + REJECTED CVE-2020-16739 - RESERVED + REJECTED CVE-2020-16738 - RESERVED + REJECTED CVE-2020-16737 - RESERVED + REJECTED CVE-2020-16736 - RESERVED + REJECTED CVE-2020-16735 - RESERVED + REJECTED CVE-2020-16734 - RESERVED + REJECTED CVE-2020-16733 - RESERVED + REJECTED CVE-2020-16732 - RESERVED + REJECTED CVE-2020-16731 - RESERVED + REJECTED CVE-2020-16730 - RESERVED + REJECTED CVE-2020-16729 - RESERVED + REJECTED CVE-2020-16728 - RESERVED + REJECTED CVE-2020-16727 - RESERVED + REJECTED CVE-2020-16726 - RESERVED + REJECTED CVE-2020-16725 - RESERVED + REJECTED CVE-2020-16724 - RESERVED + REJECTED CVE-2020-16723 - RESERVED + REJECTED CVE-2020-16722 - RESERVED + REJECTED CVE-2020-16721 - RESERVED + REJECTED CVE-2020-16720 - RESERVED + REJECTED CVE-2020-16719 - RESERVED + REJECTED CVE-2020-16718 - RESERVED + REJECTED CVE-2020-16717 - RESERVED + REJECTED CVE-2020-16716 - RESERVED + REJECTED CVE-2020-16715 - RESERVED + REJECTED CVE-2020-16714 - RESERVED + REJECTED CVE-2020-16713 - RESERVED + REJECTED CVE-2020-16712 - RESERVED + REJECTED CVE-2020-16711 - RESERVED + REJECTED CVE-2020-16710 - RESERVED + REJECTED CVE-2020-16709 - RESERVED + REJECTED CVE-2020-16708 - RESERVED + REJECTED CVE-2020-16707 - RESERVED + REJECTED CVE-2020-16706 - RESERVED + REJECTED CVE-2020-16705 - RESERVED + REJECTED CVE-2020-16704 - RESERVED + REJECTED CVE-2020-16703 - RESERVED + REJECTED CVE-2020-16702 - RESERVED + REJECTED CVE-2020-16701 - RESERVED + REJECTED CVE-2020-16700 - RESERVED + REJECTED CVE-2020-16699 - RESERVED + REJECTED CVE-2020-16698 - RESERVED + REJECTED CVE-2020-16697 - RESERVED + REJECTED CVE-2020-16696 - RESERVED + REJECTED CVE-2020-16695 - RESERVED + REJECTED CVE-2020-16694 - RESERVED + REJECTED CVE-2020-16693 - RESERVED + REJECTED CVE-2020-16692 - RESERVED + REJECTED CVE-2020-16691 - RESERVED + REJECTED CVE-2020-16690 - RESERVED + REJECTED CVE-2020-16689 - RESERVED + REJECTED CVE-2020-16688 - RESERVED + REJECTED CVE-2020-16687 - RESERVED + REJECTED CVE-2020-16686 - RESERVED + REJECTED CVE-2020-16685 - RESERVED + REJECTED CVE-2020-16684 - RESERVED + REJECTED CVE-2020-16683 - RESERVED + REJECTED CVE-2020-16682 - RESERVED + REJECTED CVE-2020-16681 - RESERVED + REJECTED CVE-2020-16680 - RESERVED + REJECTED CVE-2020-16679 - RESERVED + REJECTED CVE-2020-16678 - RESERVED + REJECTED CVE-2020-16677 - RESERVED + REJECTED CVE-2020-16676 - RESERVED + REJECTED CVE-2020-16675 - RESERVED + REJECTED CVE-2020-16674 - RESERVED + REJECTED CVE-2020-16673 - RESERVED + REJECTED CVE-2020-16672 - RESERVED + REJECTED CVE-2020-16671 - RESERVED + REJECTED CVE-2020-16670 - RESERVED + REJECTED CVE-2020-16669 - RESERVED + REJECTED CVE-2020-16668 - RESERVED + REJECTED CVE-2020-16667 - RESERVED + REJECTED CVE-2020-16666 - RESERVED + REJECTED CVE-2020-16665 - RESERVED + REJECTED CVE-2020-16664 - RESERVED + REJECTED CVE-2020-16663 - RESERVED + REJECTED CVE-2020-16662 - RESERVED + REJECTED CVE-2020-16661 - RESERVED + REJECTED CVE-2020-16660 - RESERVED + REJECTED CVE-2020-16659 - RESERVED + REJECTED CVE-2020-16658 - RESERVED + REJECTED CVE-2020-16657 - RESERVED + REJECTED CVE-2020-16656 - RESERVED + REJECTED CVE-2020-16655 - RESERVED + REJECTED CVE-2020-16654 - RESERVED + REJECTED CVE-2020-16653 - RESERVED + REJECTED CVE-2020-16652 - RESERVED + REJECTED CVE-2020-16651 - RESERVED + REJECTED CVE-2020-16650 - RESERVED + REJECTED CVE-2020-16649 - RESERVED + REJECTED CVE-2020-16648 - RESERVED + REJECTED CVE-2020-16647 - RESERVED + REJECTED CVE-2020-16646 - RESERVED + REJECTED CVE-2020-16645 - RESERVED + REJECTED CVE-2020-16644 - RESERVED + REJECTED CVE-2020-16643 - RESERVED + REJECTED CVE-2020-16642 - RESERVED + REJECTED CVE-2020-16641 - RESERVED + REJECTED CVE-2020-16640 - RESERVED + REJECTED CVE-2020-16639 - RESERVED + REJECTED CVE-2020-16638 - RESERVED + REJECTED CVE-2020-16637 - RESERVED + REJECTED CVE-2020-16636 REJECTED CVE-2020-16635 @@ -33715,25 +33821,22 @@ CVE-2020-16158 (GoPro gpmf-parser through 1.5 has a stack out-of-bounds write vu NOT-FOR-US: GoPro CVE-2020-16157 (A Stored XSS vulnerability exists in Nagios Log Server before 2.1.7 vi ...) NOT-FOR-US: Nagios Log Server -CVE-2020-16156 [Signature Verification Bypass] - RESERVED +CVE-2020-16156 (CPAN 2.28 allows Signature Verification Bypass. ...) - perl <unfixed> [bullseye] - perl <no-dsa> (Minor issue) [buster] - perl <no-dsa> (Minor issue) [stretch] - perl <no-dsa> (Minor issue) NOTE: https://blog.hackeriet.no/cpan-signature-verification-vulnerabilities/ NOTE: http://blogs.perl.org/users/neilb/2021/11/addressing-cpan-vulnerabilities-related-to-checksums.html -CVE-2020-16155 [does not uniquely define signed data] - RESERVED +CVE-2020-16155 (The CPAN::Checksums package 2.12 for Perl does not uniquely define sig ...) - libcpan-checksums-perl <unfixed> [bullseye] - libcpan-checksums-perl <no-dsa> (Minor issue) [buster] - libcpan-checksums-perl <no-dsa> (Minor issue) [stretch] - libcpan-checksums-perl <no-dsa> (Minor issue) NOTE: https://blog.hackeriet.no/cpan-signature-verification-vulnerabilities/ NOTE: http://blogs.perl.org/users/neilb/2021/11/addressing-cpan-vulnerabilities-related-to-checksums.html -CVE-2020-16154 [Signature Verification Bypass] - RESERVED - - cpanminus <unfixed> +CVE-2020-16154 (The App::cpanminus package 1.7044 for Perl allows Signature Verificati ...) + - cpanminus 1.7045-1 [bullseye] - cpanminus <no-dsa> (Minor issue) [buster] - cpanminus <no-dsa> (Minor issue) [stretch] - cpanminus <no-dsa> (Minor issue) @@ -33836,7 +33939,7 @@ CVE-2020-16120 (Overlayfs did not properly perform permission checking when copy [stretch] - linux <not-affected> (Vulnerable configuration combination not possible) NOTE: https://www.openwall.com/lists/oss-security/2020/10/13/6 CVE-2020-16119 (Use-after-free vulnerability in the Linux kernel exploitable by a loca ...) - {DSA-4978-1 DLA-2785-1} + {DSA-4978-1 DLA-2843-1 DLA-2785-1} - linux 5.14.6-1 [buster] - linux 4.19.208-1 NOTE: https://www.openwall.com/lists/oss-security/2020/10/13/7 @@ -34381,9 +34484,14 @@ CVE-2020-15954 (KDE KMail 19.12.3 (aka 5.13.3) engages in unencrypted POP3 commu [buster] - kdepim-runtime <no-dsa> (Minor issue) - kmail-account-wizard 4:20.04.1-2 (bug #966667) [buster] - kmail-account-wizard <no-dsa> (Minor issue) + - ksmtp <unfixed> + [bullseye] - ksmtp <no-dsa> (Minor issue; Upstream changes change API) + [buster] - ksmtp <no-dsa> (Minor issue; Upstream changes change API) NOTE: https://bugs.kde.org/show_bug.cgi?id=423426 NOTE: kdepim-runtime: https://invent.kde.org/pim/kdepim-runtime/commit/bd64ab29116aa7318fdee7f95878ff97580162f2 NOTE: kmail-account-wizard: https://invent.kde.org/pim/kmail-account-wizard/commit/a64d80e523edce7d3d59c26834973418fae042f6 + NOTE: https://kde.org/info/security/advisory-20211118-1.txt + NOTE: https://bugs.kde.org/show_bug.cgi?id=423423 CVE-2020-15953 (LibEtPan through 1.9.4, as used in MailCore 2 through 0.6.3 and other ...) {DLA-2329-1} - libetpan 1.9.4-3 (bug #966647) @@ -34439,8 +34547,8 @@ CVE-2020-15935 (A cleartext storage of sensitive information in GUI in FortiADC NOT-FOR-US: Fortiguard CVE-2020-15934 RESERVED -CVE-2020-15933 - RESERVED +CVE-2020-15933 (A exposure of sensitive information to an unauthorized actor in Fortin ...) + NOT-FOR-US: FortiGuard CVE-2020-15932 (Overwolf before 0.149.2.30 mishandles Symbolic Links during updates, c ...) NOT-FOR-US: Overwolf CVE-2020-15931 (Netwrix Account Lockout Examiner before 5.1 allows remote attackers to ...) @@ -34535,7 +34643,7 @@ CVE-2020-15891 RESERVED CVE-2020-15890 (LuaJit through 2.1.0-beta3 has an out-of-bounds read because __gc hand ...) {DLA-2296-1} - - luajit <unfixed> (unimportant; bug #966148) + - luajit 2.1.0~beta3+git20210112+dfsg-2 (unimportant; bug #966148) NOTE: https://github.com/LuaJIT/LuaJIT/issues/601 NOTE: https://github.com/LuaJIT/LuaJIT/commit/53f82e6e2e858a0a62fd1a2ff47e9866693382e6 NOTE: No security impact, only "exploitable" with untrusted Lua code @@ -34794,7 +34902,7 @@ CVE-2020-15797 (A vulnerability has been identified in DCA Vantage Analyzer (All NOT-FOR-US: DCA Vantage Analyzer CVE-2020-15796 (A vulnerability has been identified in SIMATIC ET 200SP Open Controlle ...) NOT-FOR-US: Siemens -CVE-2020-15795 (A vulnerability has been identified in Capital VSTAR (Versions includi ...) +CVE-2020-15795 (A vulnerability has been identified in Nucleus NET (All versions < ...) NOT-FOR-US: Nucleus (Siemens) CVE-2020-15794 (A vulnerability has been identified in Desigo Insight (All versions). ...) NOT-FOR-US: Desigo Insight @@ -35184,7 +35292,7 @@ CVE-2020-15661 (A rogue webpage could override the injected WKUserScript used by - firefox <not-affected> (Specific to Firefox for iOS) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-34/#CVE-2020-15661 CVE-2020-15660 (Missing checks on Content-Type headers in geckodriver before 0.27.0 co ...) - NOT-FOR-US: geckodriver + - geckodriver <itp> (bug #989456) CVE-2020-15659 (Mozilla developers and community members reported memory safety bugs p ...) {DSA-4740-1 DSA-4736-1 DLA-2310-1 DLA-2297-1} - firefox 79.0-1 @@ -35590,7 +35698,7 @@ CVE-2020-15503 (LibRaw before 0.20-RC1 lacks a thumbnail size range check. This [experimental] - libraw 0.20.0-1 - libraw 0.20.0-4 (bug #964747) [buster] - libraw <no-dsa> (Minor issue) - [stretch] - libraw <no-dsa> (Minor issue) + [stretch] - libraw <not-affected> (Vulnerable code not present) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1853477 NOTE: https://github.com/LibRaw/LibRaw/commit/20ad21c0d87ca80217aee47533d91e633ce1864d CVE-2020-15502 (** DISPUTED ** The DuckDuckGo application through 5.58.0 for Android, ...) @@ -36262,6 +36370,7 @@ CVE-2020-15231 (In mapfish-print before version 3.24, a user can use the JSONP s CVE-2020-15230 (Vapor is a web framework for Swift. In Vapor before version 4.29.4, At ...) NOT-FOR-US: Vapor CVE-2020-15229 (Singularity (an open source container platform) from version 3.1.1 thr ...) + [experimental] - singularity-container 3.9.4+ds2-1 - singularity-container <unfixed> (bug #972212) NOTE: https://github.com/hpcng/singularity/security/advisories/GHSA-7gcp-w6ww-2xv9 CVE-2020-15228 (In the `@actions/core` npm module before version 1.2.6,`addPath` and ` ...) @@ -37924,12 +38033,12 @@ CVE-2020-14525 (Philips Clinical Collaboration Platform, Versions 12.2.1 and pri NOT-FOR-US: Philips CVE-2020-14524 (Softing Industrial Automation all versions prior to the latest build o ...) NOT-FOR-US: Softing Industrial Automation -CVE-2020-14523 - RESERVED +CVE-2020-14523 (Multiple Mitsubishi Electric Factory Automation products have a vulner ...) + NOT-FOR-US: Mitsubishi CVE-2020-14522 (Softing Industrial Automation all versions prior to the latest build o ...) NOT-FOR-US: Softing Industrial Automation -CVE-2020-14521 - RESERVED +CVE-2020-14521 (Multiple Mitsubishi Electric Factory Automation engineering software p ...) + NOT-FOR-US: Mitsubishi CVE-2020-14520 (The affected product is vulnerable to an information leak, which may a ...) NOT-FOR-US: Inductive Automation Ignition CVE-2020-14519 (This vulnerability allows an attacker to use the internal WebSockets A ...) @@ -38132,6 +38241,8 @@ CVE-2020-14425 (Foxit Reader before 10.0 allows Remote Command Execution via the NOT-FOR-US: Foxit Reader CVE-2020-14424 (Cacti before 1.2.18 allows remote attackers to trigger XSS via templat ...) - cacti 1.2.19+ds1-1 + [bullseye] - cacti <no-dsa> (Minor issue) + [buster] - cacti <no-dsa> (Minor issue) [stretch] - cacti <not-affected> (Vulnerable code not present) NOTE: https://github.com/Cacti/cacti/pull/4261 NOTE: https://github.com/Cacti/cacti/commit/d12800ab479ad95a091bc577f28fd99ec95eb64c (release/1.2.18) @@ -38265,6 +38376,8 @@ CVE-2020-14394 [infinite loop in xhci_ring_chain_length() in hw/usb/hcd-xhci.c] [buster] - qemu <postponed> (Minor issue) [stretch] - qemu <postponed> (Minor issue, privileged local DoS, low CVSS, no patch) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1908004 + NOTE: https://gitlab.com/qemu-project/qemu/-/issues/646 + NOTE: No upstream patch as of 2022-01-28 CVE-2020-14393 (A buffer overflow was found in perl-DBI < 1.643 in DBI.xs. A local ...) {DLA-2386-1} - libdbi-perl 1.643-1 @@ -38574,10 +38687,12 @@ CVE-2020-14328 (A flaw was found in Ansible Tower in versions before 3.7.2. A Se CVE-2020-14327 (A Server-side request forgery (SSRF) flaw was found in Ansible Tower i ...) NOT-FOR-US: Ansible Tower CVE-2020-14326 (A vulnerability was found in RESTEasy, where RootNode incorrectly cach ...) - - resteasy <undetermined> - - resteasy3.0 <undetermined> + - resteasy <not-affected> (Vulnerable code introduced later) + - resteasy3.0 <not-affected> (Vulnerable code introduced later) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1855826 NOTE: https://issues.redhat.com/browse/RESTEASY-2643 + NOTE: https://issues.redhat.com/browse/RESTEASY-2646 + NOTE: Introduced by: https://github.com/resteasy/Resteasy/commit/f948c45f4ebe00531f858e289d17664bc2edd496 (4.2.0.Final) CVE-2020-14325 (Red Hat CloudForms before 5.11.7.0 was vulnerable to the User Imperson ...) NOT-FOR-US: Red Hat CloudForm CVE-2020-14324 (A high severity vulnerability was found in all active versions of Red ...) @@ -39115,14 +39230,14 @@ CVE-2020-14112 RESERVED CVE-2020-14111 RESERVED -CVE-2020-14110 - RESERVED +CVE-2020-14110 (AX3600 router sensitive information leaked.There is an unauthorized in ...) + NOT-FOR-US: AX3600 router CVE-2020-14109 (There is command injection in the meshd program in the routing system, ...) NOT-FOR-US: Xiaomi CVE-2020-14108 RESERVED -CVE-2020-14107 - RESERVED +CVE-2020-14107 (A stack overflow in the HTTP server of Cast can be exploited to make t ...) + NOT-FOR-US: Xiaomi CVE-2020-14106 (The application in the mobile phone can unauthorized access to the lis ...) NOT-FOR-US: Xiaomi CVE-2020-14105 (The application in the mobile phone can read the SNO information of th ...) @@ -39695,7 +39810,7 @@ CVE-2020-13911 (Your Online Shop 1.8.0 allows authenticated users to trigger XSS CVE-2020-13910 (Pengutronix Barebox through v2020.05.0 has an out-of-bounds read in nf ...) NOT-FOR-US: Pengutronix Barebox CVE-2020-13909 (The Ignition component before 2.0.5 for Laravel mishandles globals, _g ...) - NOT-FOR-US: Laravel + NOT-FOR-US: Laravel Ignition component CVE-2020-13908 RESERVED CVE-2020-13907 @@ -39864,12 +39979,15 @@ CVE-2020-13848 (Portable UPnP SDK (aka libupnp) 1.12.1 and earlier allows remote NOTE: https://github.com/pupnp/pupnp/issues/177 NOTE: https://github.com/pupnp/pupnp/commit/c805c1de1141cb22f74c0d94dd5664bda37398e0 CVE-2020-13847 (Sylabs Singularity 3.0 through 3.5 lacks support for an Integrity Chec ...) + [experimental] - singularity-container 3.9.4+ds2-1 - singularity-container <unfixed> (bug #965040) NOTE: https://github.com/hpcng/singularity/security/advisories/GHSA-m7j2-9565-4h9v CVE-2020-13846 (Sylabs Singularity 3.5.0 through 3.5.3 fails to report an error in a S ...) + [experimental] - singularity-container 3.9.4+ds2-1 - singularity-container <unfixed> (bug #965040) NOTE: https://github.com/hpcng/singularity/security/advisories/GHSA-6w7g-p4jh-rf92 CVE-2020-13845 (Sylabs Singularity 3.0 through 3.5 has Improper Validation of an Integ ...) + [experimental] - singularity-container 3.9.4+ds2-1 - singularity-container <unfixed> (bug #965040) NOTE: https://github.com/hpcng/singularity/security/advisories/GHSA-pmfr-63c2-jr5c CVE-2020-13844 (Arm Armv8-A core implementations utilizing speculative execution past ...) @@ -39974,7 +40092,7 @@ CVE-2020-13804 (An issue was discovered in Foxit Reader and PhantomPDF before 9. CVE-2020-13803 (An issue was discovered in Foxit PhantomPDF Mac and Foxit Reader for M ...) NOT-FOR-US: Foxit Reader CVE-2020-13802 (Rebar3 versions 3.0.0-beta.3 to 3.13.2 are vulnerable to OS command in ...) - - rebar3 <itp> (bug #824773) + - rebar3 <not-affected> (Fixed before initial upload to Debian) NOTE: https://github.com/erlang/rebar3/pull/2302 NOTE: https://github.com/erlang/rebar3/commit/2e2d1a6bb141a969b6483e082a2afd361fc2ece2 CVE-2020-13801 @@ -40133,85 +40251,85 @@ CVE-2020-13753 (The bubblewrap sandbox of WebKitGTK and WPE WebKit, prior to 2.2 - wpewebkit 2.28.3-1 NOTE: https://webkitgtk.org/security/WSA-2020-0006.html CVE-2020-13752 - RESERVED + REJECTED CVE-2020-13751 - RESERVED + REJECTED CVE-2020-13750 - RESERVED + REJECTED CVE-2020-13749 - RESERVED + REJECTED CVE-2020-13748 - RESERVED + REJECTED CVE-2020-13747 - RESERVED + REJECTED CVE-2020-13746 - RESERVED + REJECTED CVE-2020-13745 - RESERVED + REJECTED CVE-2020-13744 - RESERVED + REJECTED CVE-2020-13743 - RESERVED + REJECTED CVE-2020-13742 - RESERVED + REJECTED CVE-2020-13741 - RESERVED + REJECTED CVE-2020-13740 - RESERVED + REJECTED CVE-2020-13739 - RESERVED + REJECTED CVE-2020-13738 - RESERVED + REJECTED CVE-2020-13737 - RESERVED + REJECTED CVE-2020-13736 - RESERVED + REJECTED CVE-2020-13735 - RESERVED + REJECTED CVE-2020-13734 - RESERVED + REJECTED CVE-2020-13733 - RESERVED + REJECTED CVE-2020-13732 - RESERVED + REJECTED CVE-2020-13731 - RESERVED + REJECTED CVE-2020-13730 - RESERVED + REJECTED CVE-2020-13729 - RESERVED + REJECTED CVE-2020-13728 - RESERVED + REJECTED CVE-2020-13727 - RESERVED + REJECTED CVE-2020-13726 - RESERVED + REJECTED CVE-2020-13725 - RESERVED + REJECTED CVE-2020-13724 - RESERVED + REJECTED CVE-2020-13723 - RESERVED + REJECTED CVE-2020-13722 - RESERVED + REJECTED CVE-2020-13721 - RESERVED + REJECTED CVE-2020-13720 - RESERVED + REJECTED CVE-2020-13719 - RESERVED + REJECTED CVE-2020-13718 - RESERVED + REJECTED CVE-2020-13717 - RESERVED + REJECTED CVE-2020-13716 - RESERVED + REJECTED CVE-2020-13715 - RESERVED + REJECTED CVE-2020-13714 - RESERVED + REJECTED CVE-2020-13713 - RESERVED + REJECTED CVE-2020-13712 RESERVED CVE-2020-13711 @@ -40301,27 +40419,27 @@ CVE-2020-13679 RESERVED CVE-2020-13678 RESERVED -CVE-2020-13677 - RESERVED -CVE-2020-13676 - RESERVED -CVE-2020-13675 - RESERVED -CVE-2020-13674 - RESERVED -CVE-2020-13673 - RESERVED +CVE-2020-13677 (Under some circumstances, the Drupal core JSON:API module does not pro ...) + NOT-FOR-US: Drupal 8.x +CVE-2020-13676 (The QuickEdit module does not properly check access to fields in some ...) + NOT-FOR-US: Drupal 8.x +CVE-2020-13675 (Drupal's JSON:API and REST/File modules allow file uploads through the ...) + NOT-FOR-US: Drupal 8.x +CVE-2020-13674 (The QuickEdit module does not properly validate access to routes, whic ...) + NOT-FOR-US: Drupal 8.x +CVE-2020-13673 (The Entity Embed module provides a filter to allow embedding entities ...) + NOT-FOR-US: Drupal Entity Embed module CVE-2020-13671 (Drupal core does not properly sanitize certain filenames on uploaded f ...) {DLA-2458-1} - drupal7 <removed> NOTE: https://www.drupal.org/sa-core-2020-012 NOTE: https://github.com/drupal/drupal/commit/0263ea89cfff630262b8c0bc6d9c629c42aa7a84 -CVE-2020-13670 - RESERVED -CVE-2020-13669 - RESERVED -CVE-2020-13668 - RESERVED +CVE-2020-13670 (Information Disclosure vulnerability in file module of Drupal Core all ...) + NOT-FOR-US: Drupal 8.x +CVE-2020-13669 (Cross-site Scripting (XSS) vulnerability in ckeditor of Drupal Core al ...) + NOT-FOR-US: Drupal 8.x +CVE-2020-13668 (Access Bypass vulnerability in Drupal Core allows for an attacker to l ...) + NOT-FOR-US: Drupal 8.x CVE-2020-13667 (Access bypass vulnerability in of Drupal Core Workspaces allows an att ...) NOT-FOR-US: Drupal 8.x CVE-2020-13666 (Cross-site scripting vulnerability in Drupal Core. Drupal AJAX API doe ...) @@ -41741,165 +41859,165 @@ CVE-2020-13091 (** DISPUTED ** pandas through 1.0.3 can unserialize and execute CVE-2020-13090 RESERVED CVE-2020-13089 - RESERVED + REJECTED CVE-2020-13088 - RESERVED + REJECTED CVE-2020-13087 - RESERVED + REJECTED CVE-2020-13086 - RESERVED + REJECTED CVE-2020-13085 - RESERVED + REJECTED CVE-2020-13084 - RESERVED + REJECTED CVE-2020-13083 - RESERVED + REJECTED CVE-2020-13082 - RESERVED + REJECTED CVE-2020-13081 - RESERVED + REJECTED CVE-2020-13080 - RESERVED + REJECTED CVE-2020-13079 - RESERVED + REJECTED CVE-2020-13078 - RESERVED + REJECTED CVE-2020-13077 - RESERVED + REJECTED CVE-2020-13076 - RESERVED + REJECTED CVE-2020-13075 - RESERVED + REJECTED CVE-2020-13074 - RESERVED + REJECTED CVE-2020-13073 - RESERVED + REJECTED CVE-2020-13072 - RESERVED + REJECTED CVE-2020-13071 - RESERVED + REJECTED CVE-2020-13070 - RESERVED + REJECTED CVE-2020-13069 - RESERVED + REJECTED CVE-2020-13068 - RESERVED + REJECTED CVE-2020-13067 - RESERVED + REJECTED CVE-2020-13066 - RESERVED + REJECTED CVE-2020-13065 - RESERVED + REJECTED CVE-2020-13064 - RESERVED + REJECTED CVE-2020-13063 - RESERVED + REJECTED CVE-2020-13062 - RESERVED + REJECTED CVE-2020-13061 - RESERVED + REJECTED CVE-2020-13060 - RESERVED + REJECTED CVE-2020-13059 - RESERVED + REJECTED CVE-2020-13058 - RESERVED + REJECTED CVE-2020-13057 - RESERVED + REJECTED CVE-2020-13056 - RESERVED + REJECTED CVE-2020-13055 - RESERVED + REJECTED CVE-2020-13054 - RESERVED + REJECTED CVE-2020-13053 - RESERVED + REJECTED CVE-2020-13052 - RESERVED + REJECTED CVE-2020-13051 - RESERVED + REJECTED CVE-2020-13050 - RESERVED + REJECTED CVE-2020-13049 - RESERVED + REJECTED CVE-2020-13048 - RESERVED + REJECTED CVE-2020-13047 - RESERVED + REJECTED CVE-2020-13046 - RESERVED + REJECTED CVE-2020-13045 - RESERVED + REJECTED CVE-2020-13044 - RESERVED + REJECTED CVE-2020-13043 - RESERVED + REJECTED CVE-2020-13042 - RESERVED + REJECTED CVE-2020-13041 - RESERVED + REJECTED CVE-2020-13040 - RESERVED + REJECTED CVE-2020-13039 - RESERVED + REJECTED CVE-2020-13038 - RESERVED + REJECTED CVE-2020-13037 - RESERVED + REJECTED CVE-2020-13036 - RESERVED + REJECTED CVE-2020-13035 - RESERVED + REJECTED CVE-2020-13034 - RESERVED + REJECTED CVE-2020-13033 - RESERVED + REJECTED CVE-2020-13032 - RESERVED + REJECTED CVE-2020-13031 - RESERVED + REJECTED CVE-2020-13030 - RESERVED + REJECTED CVE-2020-13029 - RESERVED + REJECTED CVE-2020-13028 - RESERVED + REJECTED CVE-2020-13027 - RESERVED + REJECTED CVE-2020-13026 - RESERVED + REJECTED CVE-2020-13025 - RESERVED + REJECTED CVE-2020-13024 - RESERVED + REJECTED CVE-2020-13023 - RESERVED + REJECTED CVE-2020-13022 - RESERVED + REJECTED CVE-2020-13021 - RESERVED + REJECTED CVE-2020-13020 - RESERVED + REJECTED CVE-2020-13019 - RESERVED + REJECTED CVE-2020-13018 - RESERVED + REJECTED CVE-2020-13017 - RESERVED + REJECTED CVE-2020-13016 - RESERVED + REJECTED CVE-2020-13015 - RESERVED + REJECTED CVE-2020-13014 - RESERVED + REJECTED CVE-2020-13013 - RESERVED + REJECTED CVE-2020-13012 - RESERVED + REJECTED CVE-2020-13011 - RESERVED + REJECTED CVE-2020-13010 - RESERVED + REJECTED CVE-2020-13009 REJECTED CVE-2020-13008 @@ -41942,24 +42060,24 @@ CVE-2020-12990 REJECTED CVE-2020-12989 REJECTED -CVE-2020-12988 - REJECTED -CVE-2020-12987 - REJECTED -CVE-2020-12986 - REJECTED -CVE-2020-12985 - REJECTED +CVE-2020-12988 (A potential denial of service (DoS) vulnerability exists in the integr ...) + NOT-FOR-US: AMD +CVE-2020-12987 (A heap information leak/kernel pool address disclosure vulnerability i ...) + NOT-FOR-US: AMD +CVE-2020-12986 (An insufficient pointer validation vulnerability in the AMD Graphics D ...) + NOT-FOR-US: AMD +CVE-2020-12985 (An insufficient pointer validation vulnerability in the AMD Graphics D ...) + NOT-FOR-US: AMD CVE-2020-12984 REJECTED -CVE-2020-12983 - REJECTED -CVE-2020-12982 - REJECTED -CVE-2020-12981 - REJECTED -CVE-2020-12980 - REJECTED +CVE-2020-12983 (An out of bounds write vulnerability in the AMD Graphics Driver for Wi ...) + NOT-FOR-US: AMD +CVE-2020-12982 (An invalid object pointer free vulnerability in the AMD Graphics Drive ...) + NOT-FOR-US: AMD +CVE-2020-12981 (An insufficient input validation in the AMD Graphics Driver for Window ...) + NOT-FOR-US: AMD +CVE-2020-12980 (An out of bounds write and read vulnerability in the AMD Graphics Driv ...) + NOT-FOR-US: AMD CVE-2020-12979 REJECTED CVE-2020-12978 @@ -41986,10 +42104,10 @@ CVE-2020-12968 REJECTED CVE-2020-12967 (The lack of nested page table protection in the AMD SEV/SEV-ES feature ...) NOT-FOR-US: AMD -CVE-2020-12966 - RESERVED -CVE-2020-12965 - RESERVED +CVE-2020-12966 (AMD EPYC™ Processors contain an information disclosure vulnerabi ...) + NOT-FOR-US: AMD +CVE-2020-12965 (When combined with specific software sequences, AMD CPUs may transient ...) + NOT-FOR-US: AMD CVE-2020-12964 (A potential privilege escalation/denial of service issue exists in the ...) NOT-FOR-US: Intel / AMD CVE-2020-12963 (An insufficient pointer validation vulnerability in the AMD Graphics D ...) @@ -42003,55 +42121,55 @@ CVE-2020-12960 (AMD Graphics Driver for Windows 10, amdfender.sys may improperly CVE-2020-12959 REJECTED CVE-2020-12958 - RESERVED + REJECTED CVE-2020-12957 REJECTED CVE-2020-12956 - RESERVED + REJECTED CVE-2020-12955 - RESERVED + REJECTED CVE-2020-12954 (A side effect of an integrated chipset option may be able to be used b ...) NOT-FOR-US: AMD CVE-2020-12953 - RESERVED + REJECTED CVE-2020-12952 - RESERVED + REJECTED CVE-2020-12951 (Race condition in PSP FW could allow less privileged x86 code to perfo ...) NOT-FOR-US: AMD CVE-2020-12950 - RESERVED + REJECTED CVE-2020-12949 - RESERVED + REJECTED CVE-2020-12948 - RESERVED + REJECTED CVE-2020-12947 - RESERVED + REJECTED CVE-2020-12946 (Insufficient input validation in PSP firmware for discrete TPM command ...) NOT-FOR-US: AMD CVE-2020-12945 - RESERVED + REJECTED CVE-2020-12944 (Insufficient validation of BIOS image length by PSP Firmware could lea ...) NOT-FOR-US: AMD CVE-2020-12943 - RESERVED + REJECTED CVE-2020-12942 - RESERVED + REJECTED CVE-2020-12941 REJECTED CVE-2020-12940 RESERVED CVE-2020-12939 - RESERVED + REJECTED CVE-2020-12938 - RESERVED + REJECTED CVE-2020-12937 - RESERVED + REJECTED CVE-2020-12936 REJECTED CVE-2020-12935 REJECTED CVE-2020-12934 - RESERVED + REJECTED CVE-2020-12933 (A denial of service vulnerability exists in the D3DKMTEscape handler f ...) NOT-FOR-US: AMD ATIKMDAG.SYS CVE-2020-12932 @@ -42083,7 +42201,7 @@ CVE-2020-12920 (A potential denial of service issue exists in the AMD Display dr CVE-2020-12919 REJECTED CVE-2020-12918 - RESERVED + REJECTED CVE-2020-12917 REJECTED CVE-2020-12916 @@ -42109,9 +42227,9 @@ CVE-2020-12910 CVE-2020-12909 REJECTED CVE-2020-12908 - RESERVED + REJECTED CVE-2020-12907 - RESERVED + REJECTED CVE-2020-12906 REJECTED CVE-2020-12905 (Out of Bounds Read in AMD Graphics Driver for Windows 10 in Escape 0x3 ...) @@ -42142,11 +42260,10 @@ CVE-2020-12893 (Stack Buffer Overflow in AMD Graphics Driver for Windows 10 in E NOT-FOR-US: Intel / AMD CVE-2020-12892 (An untrusted search path in AMD Radeon settings Installer may lead to ...) NOT-FOR-US: Intel / AMD -CVE-2020-12891 - RESERVED +CVE-2020-12891 (AMD Radeon Software may be vulnerable to DLL Hijacking through path va ...) + NOT-FOR-US: AMD +CVE-2020-12890 (Improper handling of pointers in the System Management Mode (SMM) hand ...) NOT-FOR-US: AMD -CVE-2020-12890 - RESERVED CVE-2020-12889 (MISP MISP-maltego 1.4.4 incorrectly shares a MISP connection across us ...) NOT-FOR-US: MISP CVE-2020-12888 (The VFIO PCI driver in the Linux kernel through 5.6.13 mishandles atte ...) @@ -42550,7 +42667,7 @@ CVE-2020-12761 (modules/loaders/loader_ico.c in imlib2 1.6.0 has an integer over [jessie] - imlib2 <not-affected> (Vulnerable code introduced later) NOTE: https://git.enlightenment.org/legacy/imlib2.git/commit/?id=c95f938ff1effaf91729c050a0f1c8684da4dd63 CVE-2020-12760 (An issue was discovered in OpenNMS Horizon before 26.0.1, and Meridian ...) - NOT-FOR-US: OpenNMS + - opennms <itp> (bug #450615) CVE-2020-12759 (Zulip Server before 2.1.5 allows reflected XSS via the Dropbox webhook ...) - zulip-server <itp> (bug #800052) CVE-2020-12758 (HashiCorp Consul and Consul Enterprise could crash when configured wit ...) @@ -42715,10 +42832,9 @@ CVE-2020-12695 (The Open Connectivity Foundation UPnP specification before 2020- CVE-2020-12694 RESERVED CVE-2020-12693 (Slurm 19.05.x before 19.05.7 and 20.02.x before 20.02.3, in the rare c ...) - {DSA-4841-1} + {DSA-4841-1 DLA-2886-1} - slurm-wlm <not-affected> (Fixed with first upload to Debian with renamed source package) - slurm-llnl <removed> (bug #961406) - [stretch] - slurm-llnl <no-dsa> (Minor issue) [jessie] - slurm-llnl <not-affected> (Message Aggregation added in 14.11) NOTE: https://www.schedmd.com/news.php?id=236 NOTE: https://lists.schedmd.com/pipermail/slurm-announce/2020/000036.html @@ -42791,10 +42907,9 @@ CVE-2020-12689 (An issue was discovered in OpenStack Keystone before 15.0.1, and NOTE: https://bugs.launchpad.net/keystone/+bug/1872735 NOTE: https://www.openwall.com/lists/oss-security/2020/05/06/5 CVE-2020-12672 (GraphicsMagick through 1.3.35 has a heap-based buffer overflow in Read ...) - {DLA-2236-1} + {DLA-2902-1 DLA-2236-1} - graphicsmagick 1.4+really1.3.35-2 (bug #960000) [buster] - graphicsmagick <postponed> (Minor issue; can be fixed along in future DSA) - [stretch] - graphicsmagick <postponed> (Minor issue; can be fixed along in future DSA) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19025 NOTE: Fixed by: https://sourceforge.net/p/graphicsmagick/code/ci/50395430a37188d0d197e71bd85ed6dd0f649ee3/ CVE-2020-12671 @@ -44190,8 +44305,8 @@ CVE-2020-12142 (1. IPSec UDP key material can be retrieved from machine-to-machi NOT-FOR-US: EdgeConnect CVE-2020-12141 (An out-of-bounds read in the SNMP stack in Contiki-NG 4.4 and earlier ...) NOT-FOR-US: SNMP stack in Contiki-NG -CVE-2020-12140 - RESERVED +CVE-2020-12140 (A buffer overflow in os/net/mac/ble/ble-l2cap.c in the BLE stack in Co ...) + NOT-FOR-US: Contiki-NG CVE-2020-12139 RESERVED CVE-2020-12138 (AMD ATI atillk64.sys 5.11.9.0 allows low-privileged users to interact ...) @@ -44581,7 +44696,7 @@ CVE-2020-11989 (Apache Shiro before 1.5.3, when using Apache Shiro with Spring d NOTE: The original CVE-2020-1957 adressed in 1.5.2 introduced an encoding issue NOTE: which can (security wise) be exploited, resulting in a 1.5.3 release. This NOTE: CVE is closely related to CVE-2020-1957. -CVE-2020-11988 (Apache XmlGraphics Commons 2.4 is vulnerable to server-side request fo ...) +CVE-2020-11988 (Apache XmlGraphics Commons 2.4 and earlier is vulnerable to server-sid ...) - xmlgraphics-commons 2.4-2 (bug #984949) [bullseye] - xmlgraphics-commons 2.4-2~deb11u1 [buster] - xmlgraphics-commons 2.3-1+deb10u1 @@ -44856,7 +44971,7 @@ CVE-2020-11888 (python-markdown2 through 2.3.8 allows XSS because element names CVE-2020-11887 (svg2png 4.1.1 allows XSS with resultant SSRF via JavaScript inside an ...) NOT-FOR-US: svg2png CVE-2020-11886 (OpenNMS Horizon and Meridian allows HQL Injection in element/nodeList. ...) - NOT-FOR-US: OpenNMS + - opennms <itp> (bug #450615) CVE-2020-11885 (WSO2 Enterprise Integrator through 6.6.0 has an XXE vulnerability wher ...) NOT-FOR-US: WSO2 Enterprise Integrator CVE-2020-11884 (In the Linux kernel 4.19 through 5.6.7 on the s390 platform, code exec ...) @@ -45330,12 +45445,16 @@ CVE-2020-11722 (Dungeon Crawl Stone Soup (aka DCSS or crawl) before 0.25 allows NOTE: https://github.com/crawl/crawl/commit/768f60da87a3fa0b5561da5ade9309577c176d04 NOTE: https://github.com/crawl/crawl/commit/fc522ff6eb1bbb85e3de60c60a45762571e48c28 CVE-2020-11721 (load_png in loader.c in libsixel.a in libsixel 1.8.6 has an uninitiali ...) - - libsixel <unfixed> (low; bug #972641) + - libsixel 1.10.3-1 (low; bug #972641) [bullseye] - libsixel <no-dsa> (Minor issue) [buster] - libsixel <no-dsa> (Minor issue) [stretch] - libsixel <no-dsa> (Minor issue) [jessie] - libsixel <no-dsa> (Minor issue) NOTE: https://github.com/saitoha/libsixel/issues/134 + NOTE: https://github.com/libsixel/libsixel/issues/9 + NOTE: https://github.com/libsixel/libsixel/pull/10 + NOTE: https://github.com/libsixel/libsixel/commit/e71aacc97b5f756948b13c1228877d29395c7b55 (v1.9.0) + NOTE: Since 1.10.3-1 the Debian package moved from https://github.com/saitoha/libsixel to https://github.com/libsixel/libsixel fork CVE-2020-11720 (An issue was discovered in Programi Bilanc build 007 release 014 31.01 ...) NOT-FOR-US: Programi Bilanc CVE-2020-11719 (An issue was discovered in Programi Bilanc build 007 release 014 31.01 ...) @@ -45508,12 +45627,10 @@ CVE-2020-11651 (An issue was discovered in SaltStack Salt before 2019.2.4 and 30 {DSA-4676-2 DSA-4676-1 DLA-2223-1} - salt 3000.2+dfsg1-1 (bug #959684) NOTE: https://github.com/saltstack/salt/blob/v3000.2_docs/doc/topics/releases/3000.2.rst - NOTE: Fixed by: https://github.com/saltstack/salt/commit/a67d76b15615983d467ed81371b38b4a17e4f3b7 - NOTE: Followup needed: https://github.com/saltstack/salt/commit/78172bf647473d5c1c2720e72fc12d6f2314d583 - NOTE: There is a typo in the whitelisted methods on AESFuncs: - NOTE: https://github.com/saltstack/salt/blob/v3000.2_docs/doc/topics/releases/3000.2.rst#known-issue - NOTE: Regression bugreport: https://github.com/saltstack/salt/issues/57016 - NOTE: https://github.com/saltstack/salt/issues/57027 + NOTE: Fixed by: https://github.com/saltstack/salt/commit/a67d76b15615983d467ed81371b38b4a17e4f3b7 (v3000.2) + NOTE: Regression: https://github.com/saltstack/salt/blob/v3000.2_docs/doc/topics/releases/3000.2.rst#known-issue + NOTE: Regression fix: https://github.com/saltstack/salt/commit/cea28c850f7562fd3b869a1bbcc95050ab19e0f1 (v3000.3) + NOTE: See also https://gitlab.com/saltstack/open/salt-patches/-/tree/master/patches/2020/04/14/ CVE-2020-11650 (An issue was discovered in iXsystems FreeNAS (and TrueNAS) 11.2 before ...) NOT-FOR-US: FreeNAS CVE-2020-11649 (An issue was discovered in GitLab CE and EE 8.15 through 12.9.2. Membe ...) @@ -45733,11 +45850,13 @@ CVE-2020-11559 RESERVED CVE-2020-11558 (An issue was discovered in libgpac.a in GPAC 0.8.0, as demonstrated by ...) - gpac 1.0.1+dfsg1-2 (bug #972053) - [buster] - gpac <no-dsa> (Minor issue) - [stretch] - gpac <no-dsa> (Minor issue) + [buster] - gpac <not-affected> (Vulnerable code introduced later, in version 0.8.0) + [stretch] - gpac <not-affected> (Vulnerable code introduced later, in version 0.8.0) [jessie] - gpac <not-affected> (Vulnerable code not present and not reproducible) - NOTE: https://github.com/gpac/gpac/commit/6063b1a011c3f80cee25daade18154e15e4c058c NOTE: https://github.com/gpac/gpac/issues/1440 + NOTE: Introduced by: https://github.com/gpac/gpac/commit/3f1564c43825e052a5d53cbb4c8a242abdf603b4 (v0.9.0-preview) + NOTE: and https://github.com/gpac/gpac/commit/526bc968451e1ec83386c93f2c1f5a74ac65e649 (v0.9.0-preview) + NOTE: Fixed by: https://github.com/gpac/gpac/commit/6063b1a011c3f80cee25daade18154e15e4c058c (v0.9.0-preview~20) CVE-2020-11557 (An issue was discovered in Castle Rock SNMPc Online 12.10.10 before 20 ...) NOT-FOR-US: Castle Rock SNMPc CVE-2020-11556 (An issue was discovered in Castle Rock SNMPc Online 12.10.10 before 20 ...) @@ -46079,213 +46198,213 @@ CVE-2020-11415 (An issue was discovered in Sonatype Nexus Repository Manager 2.x CVE-2020-11414 (An issue was discovered in Progress Telerik UI for Silverlight before ...) NOT-FOR-US: Progress Telerik UI CVE-2020-11413 - RESERVED + REJECTED CVE-2020-11412 - RESERVED + REJECTED CVE-2020-11411 - RESERVED + REJECTED CVE-2020-11410 - RESERVED + REJECTED CVE-2020-11409 - RESERVED + REJECTED CVE-2020-11408 - RESERVED + REJECTED CVE-2020-11407 - RESERVED + REJECTED CVE-2020-11406 - RESERVED + REJECTED CVE-2020-11405 - RESERVED + REJECTED CVE-2020-11404 - RESERVED + REJECTED CVE-2020-11403 - RESERVED + REJECTED CVE-2020-11402 - RESERVED + REJECTED CVE-2020-11401 - RESERVED + REJECTED CVE-2020-11400 - RESERVED + REJECTED CVE-2020-11399 - RESERVED + REJECTED CVE-2020-11398 - RESERVED + REJECTED CVE-2020-11397 - RESERVED + REJECTED CVE-2020-11396 - RESERVED + REJECTED CVE-2020-11395 - RESERVED + REJECTED CVE-2020-11394 - RESERVED + REJECTED CVE-2020-11393 - RESERVED + REJECTED CVE-2020-11392 - RESERVED + REJECTED CVE-2020-11391 - RESERVED + REJECTED CVE-2020-11390 - RESERVED + REJECTED CVE-2020-11389 - RESERVED + REJECTED CVE-2020-11388 - RESERVED + REJECTED CVE-2020-11387 - RESERVED + REJECTED CVE-2020-11386 - RESERVED + REJECTED CVE-2020-11385 - RESERVED + REJECTED CVE-2020-11384 - RESERVED + REJECTED CVE-2020-11383 - RESERVED + REJECTED CVE-2020-11382 - RESERVED + REJECTED CVE-2020-11381 - RESERVED + REJECTED CVE-2020-11380 - RESERVED + REJECTED CVE-2020-11379 - RESERVED + REJECTED CVE-2020-11378 - RESERVED + REJECTED CVE-2020-11377 - RESERVED + REJECTED CVE-2020-11376 - RESERVED + REJECTED CVE-2020-11375 - RESERVED + REJECTED CVE-2020-11374 - RESERVED + REJECTED CVE-2020-11373 - RESERVED + REJECTED CVE-2020-11372 - RESERVED + REJECTED CVE-2020-11371 - RESERVED + REJECTED CVE-2020-11370 - RESERVED + REJECTED CVE-2020-11369 - RESERVED + REJECTED CVE-2020-11368 - RESERVED + REJECTED CVE-2020-11367 - RESERVED + REJECTED CVE-2020-11366 - RESERVED + REJECTED CVE-2020-11365 - RESERVED + REJECTED CVE-2020-11364 - RESERVED + REJECTED CVE-2020-11363 - RESERVED + REJECTED CVE-2020-11362 - RESERVED + REJECTED CVE-2020-11361 - RESERVED + REJECTED CVE-2020-11360 - RESERVED + REJECTED CVE-2020-11359 - RESERVED + REJECTED CVE-2020-11358 - RESERVED + REJECTED CVE-2020-11357 - RESERVED + REJECTED CVE-2020-11356 - RESERVED + REJECTED CVE-2020-11355 - RESERVED + REJECTED CVE-2020-11354 - RESERVED + REJECTED CVE-2020-11353 - RESERVED + REJECTED CVE-2020-11352 - RESERVED + REJECTED CVE-2020-11351 - RESERVED + REJECTED CVE-2020-11350 - RESERVED + REJECTED CVE-2020-11349 - RESERVED + REJECTED CVE-2020-11348 - RESERVED + REJECTED CVE-2020-11347 - RESERVED + REJECTED CVE-2020-11346 - RESERVED + REJECTED CVE-2020-11345 - RESERVED + REJECTED CVE-2020-11344 - RESERVED + REJECTED CVE-2020-11343 - RESERVED + REJECTED CVE-2020-11342 - RESERVED + REJECTED CVE-2020-11341 - RESERVED + REJECTED CVE-2020-11340 - RESERVED + REJECTED CVE-2020-11339 - RESERVED + REJECTED CVE-2020-11338 - RESERVED + REJECTED CVE-2020-11337 - RESERVED + REJECTED CVE-2020-11336 - RESERVED + REJECTED CVE-2020-11335 - RESERVED + REJECTED CVE-2020-11334 - RESERVED + REJECTED CVE-2020-11333 - RESERVED + REJECTED CVE-2020-11332 - RESERVED + REJECTED CVE-2020-11331 - RESERVED + REJECTED CVE-2020-11330 - RESERVED + REJECTED CVE-2020-11329 - RESERVED + REJECTED CVE-2020-11328 - RESERVED + REJECTED CVE-2020-11327 - RESERVED + REJECTED CVE-2020-11326 - RESERVED + REJECTED CVE-2020-11325 - RESERVED + REJECTED CVE-2020-11324 - RESERVED + REJECTED CVE-2020-11323 - RESERVED + REJECTED CVE-2020-11322 - RESERVED + REJECTED CVE-2020-11321 - RESERVED + REJECTED CVE-2020-11320 - RESERVED + REJECTED CVE-2020-11319 - RESERVED + REJECTED CVE-2020-11318 - RESERVED + REJECTED CVE-2020-11317 - RESERVED + REJECTED CVE-2020-11316 - RESERVED + REJECTED CVE-2020-11315 - RESERVED + REJECTED CVE-2020-11314 - RESERVED + REJECTED CVE-2020-11313 - RESERVED + REJECTED CVE-2020-11312 - RESERVED + REJECTED CVE-2020-11311 RESERVED CVE-2020-11310 - RESERVED + REJECTED CVE-2020-11309 (Use after free in GPU driver while mapping the user memory to GPU memo ...) NOT-FOR-US: Qualcomm components for Android CVE-2020-11308 (Buffer overflow occurs when trying to convert ASCII string to Unicode ...) @@ -46301,11 +46420,11 @@ CVE-2020-11304 (Possible out of bound read in DRM due to improper buffer length CVE-2020-11303 (Accepting AMSDU frames with mismatched destination and source address ...) NOT-FOR-US: Qualcomm components for Android CVE-2020-11302 - RESERVED + REJECTED CVE-2020-11301 (Improper authentication of un-encrypted plaintext Wi-Fi frames in an e ...) NOT-FOR-US: Qualcomm WIGIG chipsets CVE-2020-11300 - RESERVED + REJECTED CVE-2020-11299 (Buffer overflow can occur in video while playing the non-standard clip ...) NOT-FOR-US: Qualcomm components for Android CVE-2020-11298 (While waiting for a response to a callback or listener request, non-se ...) @@ -46378,8 +46497,8 @@ CVE-2020-11265 (Information disclosure issue due to lack of validation of pointe NOT-FOR-US: Qualcomm components for Android CVE-2020-11264 (Improper authentication of Non-EAPOL/WAPI plaintext frames during four ...) NOT-FOR-US: Qualcomm WLAN Windows Host -CVE-2020-11263 - RESERVED +CVE-2020-11263 (An integer overflow due to improper check performed after the address ...) + NOT-FOR-US: Qualcomm components for Android CVE-2020-11262 (A race between command submission and destroying the context can cause ...) NOT-FOR-US: Qualcomm components for Android CVE-2020-11261 (Memory corruption due to improper check to return error when user appl ...) @@ -46888,7 +47007,7 @@ CVE-2020-11061 (In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8 {DLA-2353-1} - bacula 9.6.5-1 [buster] - bacula 9.4.2-2+deb10u1 - - bareos <unfixed> (bug #968957) + - bareos <removed> (bug #968957) [buster] - bareos <no-dsa> (Minor issue; can be fixed via point release) [stretch] - bareos <no-dsa> (minor issue, low priority) NOTE: https://github.com/bareos/bareos/security/advisories/GHSA-mm45-cg35-54j4 @@ -48060,6 +48179,7 @@ CVE-2020-10711 (A NULL pointer dereference flaw was found in the Linux kernel's NOTE: https://www.openwall.com/lists/oss-security/2020/05/12/2 CVE-2020-10710 RESERVED + NOT-FOR-US: foreman-installer CVE-2020-10709 (A security flaw was found in Ansible Tower when requesting an OAuth2 t ...) - ansible-awx <itp> (bug #908763) NOTE: https://github.com/ansible/awx/issues/6630 @@ -48157,6 +48277,8 @@ CVE-2020-10688 (A cross-site scripting (XSS) flaw was found in RESTEasy in versi NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1814974 NOTE: https://github.com/quarkusio/quarkus/issues/7248 NOTE: https://issues.redhat.com/browse/RESTEASY-2519 (restricted) + NOTE: https://github.com/resteasy/Resteasy/pull/2320 + NOTE: https://github.com/resteasy/Resteasy/commit/3fe881cf945c06bdb16895fbc73bc620694d2ba7 (4.6.0.Final) CVE-2020-10687 (A flaw was discovered in all versions of Undertow before Undertow 2.2. ...) - undertow 2.2.0-1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1785049 @@ -48176,8 +48298,6 @@ CVE-2020-10685 (A flaw was found in Ansible Engine affecting Ansible Engine vers CVE-2020-10684 (A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9. ...) {DSA-4950-1} - ansible 2.9.7+dfsg-1 - [stretch] - ansible <not-affected> (Vulnerable code introduced later, 'ansible_facts' variable not exposed) - [jessie] - ansible <not-affected> (Vulnerable code introduced later, 'ansible_facts' variable not exposed) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1815519 NOTE: https://github.com/ansible/ansible/pull/68431 NOTE: https://github.com/ansible/ansible/commit/a9d2ceafe429171c0e2ad007058b88bae57c74ce @@ -48333,8 +48453,8 @@ CVE-2020-10629 (WebAccess/NMS (versions prior to 3.0.2) does not sanitize XML in NOT-FOR-US: WebAccess/NMS CVE-2020-10628 (ControlEdge PLC (R130.2, R140, R150, and R151) and RTU (R101, R110, R1 ...) NOT-FOR-US: ControlEdge PLC -CVE-2020-10627 - RESERVED +CVE-2020-10627 (Insulet Omnipod Insulin Management System insulin pump product ID 1919 ...) + NOT-FOR-US: Insulet Omnipod Insulin Management System CVE-2020-10626 (In Fazecast jSerialComm, Version 2.2.2 and prior, an uncontrolled sear ...) NOT-FOR-US: Fazecast jSerialComm CVE-2020-10625 (WebAccess/NMS (versions prior to 3.0.2) allows an unauthenticated remo ...) @@ -49407,8 +49527,8 @@ CVE-2020-10139 (Acronis True Image 2021 includes an OpenSSL component that speci NOT-FOR-US: Acronis CVE-2020-10138 (Acronis Cyber Backup 12.5 and Cyber Protect 15 include an OpenSSL comp ...) NOT-FOR-US: Acronis -CVE-2020-10137 - RESERVED +CVE-2020-10137 (Z-Wave devices based on Silicon Labs 700 series chipsets using S2 do n ...) + NOT-FOR-US: Z-Wave devices CVE-2020-10136 (Multiple products that implement the IP Encapsulation within IP standa ...) NOT-FOR-US: Cisco CVE-2020-10135 (Legacy pairing and secure-connections pairing authentication in Blueto ...) @@ -49464,17 +49584,15 @@ CVE-2020-10111 (** DISPUTED ** Citrix Gateway 11.1, 12.0, and 12.1 has an Incons CVE-2020-10110 (** DISPUTED ** Citrix Gateway 11.1, 12.0, and 12.1 allows Information ...) NOT-FOR-US: Citrix CVE-2020-10109 (In Twisted Web through 19.10.0, there was an HTTP request splitting vu ...) - {DLA-2145-1} + {DLA-2927-1 DLA-2145-1} - twisted 18.9.0-7 (bug #953950) [buster] - twisted <no-dsa> (Minor issue) - [stretch] - twisted <no-dsa> (Minor issue) NOTE: https://know.bishopfox.com/advisories/twisted-version-19.10.0#INOR NOTE: https://github.com/twisted/twisted/commit/4a7d22e490bb8ff836892cc99a1f54b85ccb0281 CVE-2020-10108 (In Twisted Web through 19.10.0, there was an HTTP request splitting vu ...) - {DLA-2145-1} + {DLA-2927-1 DLA-2145-1} - twisted 18.9.0-7 (bug #953950) [buster] - twisted <no-dsa> (Minor issue) - [stretch] - twisted <no-dsa> (Minor issue) NOTE: https://know.bishopfox.com/advisories/twisted-version-19.10.0#INOR NOTE: https://github.com/twisted/twisted/commit/4a7d22e490bb8ff836892cc99a1f54b85ccb0281 CVE-2020-10107 (PHPGurukul Daily Expense Tracker System 1.0 is vulnerable to stored XS ...) @@ -50906,9 +51024,9 @@ CVE-2020-9489 (A carefully crafted or corrupt file may trigger a System.exit in [jessie] - tika <ignored> (the fix is too invasive to backport) NOTE: https://www.openwall.com/lists/oss-security/2020/04/24/1 CVE-2020-9488 (Improper validation of certificate with host mismatch in Apache Log4j ...) + {DLA-2852-1} - apache-log4j2 2.13.3-1 (bug #959450) - [buster] - apache-log4j2 <no-dsa> (Minor issue) - [stretch] - apache-log4j2 <no-dsa> (Minor issue; set mail.smtp.ssl.checkserveridentity to true to enable hostname verification) + [buster] - apache-log4j2 2.15.0-1~deb10u1 [jessie] - apache-log4j2 <no-dsa> (Minor issue; set mail.smtp.ssl.checkserveridentity to true to enable hostname verification) NOTE: https://www.openwall.com/lists/oss-security/2020/04/25/1 NOTE: https://issues.apache.org/jira/browse/LOG4J2-2819 @@ -51241,10 +51359,9 @@ CVE-2020-9361 (CryptoPro CSP through 5.0.0.10004 on 64-bit platforms allows loca CVE-2020-9360 RESERVED CVE-2020-9359 (KDE Okular before 1.10.0 allows code execution via an action link in a ...) - {DLA-2159-1} + {DLA-2856-1 DLA-2159-1} - okular 4:19.12.3-2 (bug #954891) [buster] - okular 4:17.12.2-2.2+deb10u1 - [stretch] - okular <no-dsa> (Minor issue) NOTE: https://invent.kde.org/kde/okular/-/commit/6a93a033b4f9248b3cd4d04689b8391df754e244 NOTE: https://kde.org/info/security/advisory-20200312-1.txt NOTE: https://sysdream.com/news/lab/2020-03-24-cve-2020-9359-okular-command-execution/ (PoC) @@ -51891,16 +52008,16 @@ CVE-2020-9063 (NCR SelfServ ATMs running APTRA XFS 05.01.00 or earlier do not au NOT-FOR-US: NCR SelfServ ATMs CVE-2020-9062 (Diebold Nixdorf ProCash 2100xe USB ATMs running Wincor Probase version ...) NOT-FOR-US: Diebold Nixdorf ProCash 2100xe USB ATMs -CVE-2020-9061 - RESERVED -CVE-2020-9060 - RESERVED -CVE-2020-9059 - RESERVED -CVE-2020-9058 - RESERVED -CVE-2020-9057 - RESERVED +CVE-2020-9061 (Z-Wave devices using Silicon Labs 500 and 700 series chipsets, includi ...) + NOT-FOR-US: Z-Wave devices +CVE-2020-9060 (Z-Wave devices based on Silicon Labs 500 series chipsets using S2, inc ...) + NOT-FOR-US: Z-Wave devices +CVE-2020-9059 (Z-Wave devices based on Silicon Labs 500 series chipsets using S0 auth ...) + NOT-FOR-US: Z-Wave devices +CVE-2020-9058 (Z-Wave devices based on Silicon Labs 500 series chipsets using CRC-16 ...) + NOT-FOR-US: Z-Wave devices +CVE-2020-9057 (Z-Wave devices based on Silicon Labs 100, 200, and 300 series chipsets ...) + NOT-FOR-US: Z-Wave devices CVE-2020-9056 (Periscope BuySpeed version 14.5 is vulnerable to stored cross-site scr ...) NOT-FOR-US: Periscope BuySpeed CVE-2020-9055 (Versiant LYNX Customer Service Portal (CSP), version 3.5.2, is vulnera ...) @@ -52091,8 +52208,8 @@ CVE-2020-8970 RESERVED CVE-2020-8969 RESERVED -CVE-2020-8968 - RESERVED +CVE-2020-8968 (Parallels Remote Application Server (RAS) allows a local attacker to r ...) + NOT-FOR-US: Parallels Remote Application Server (RAS) CVE-2020-8967 (There is an improper Neutralization of Special Elements used in an SQL ...) NOT-FOR-US: GESIO CVE-2020-8966 (There is an Improper Neutralization of Script-Related HTML Tags in a W ...) @@ -52167,8 +52284,8 @@ CVE-2020-8935 (An arbitrary memory overwrite vulnerability in Asylo versions up CVE-2020-8934 RESERVED CVE-2020-8933 (A vulnerability in Google Cloud Platform's guest-oslogin versions betw ...) - - google-compute-image-packages <unfixed> (bug #987353) - [buster] - google-compute-image-packages <no-dsa> (Minor issue) + - google-compute-image-packages <removed> (bug #987353) + [buster] - google-compute-image-packages <ignored> (Minor issue) NOTE: https://cloud.google.com/compute/docs/security-bulletins#2020619 NOTE: https://github.com/GoogleCloudPlatform/guest-oslogin/pull/29 CVE-2020-8932 @@ -52224,8 +52341,8 @@ CVE-2020-8909 CVE-2020-8908 (A temp directory creation vulnerability exists in all versions of Guav ...) NOT-FOR-US: Google Guava CVE-2020-8907 (A vulnerability in Google Cloud Platform's guest-oslogin versions betw ...) - - google-compute-image-packages <unfixed> (bug #987353) - [buster] - google-compute-image-packages <no-dsa> (Minor issue) + - google-compute-image-packages <removed> (bug #987353) + [buster] - google-compute-image-packages <ignored> (Minor issue) NOTE: https://cloud.google.com/compute/docs/security-bulletins#2020619 NOTE: https://github.com/GoogleCloudPlatform/guest-oslogin/pull/29 CVE-2020-8906 @@ -52235,8 +52352,8 @@ CVE-2020-8905 (A buffer length validation vulnerability in Asylo versions prior CVE-2020-8904 (An arbitrary memory overwrite vulnerability in the trusted memory of A ...) NOT-FOR-US: Asylo CVE-2020-8903 (A vulnerability in Google Cloud Platform's guest-oslogin versions betw ...) - - google-compute-image-packages <unfixed> (bug #987353) - [buster] - google-compute-image-packages <no-dsa> (Minor issue) + - google-compute-image-packages <removed> (bug #987353) + [buster] - google-compute-image-packages <ignored> (Minor issue) NOTE: https://cloud.google.com/compute/docs/security-bulletins#2020619 NOTE: https://github.com/GoogleCloudPlatform/guest-oslogin/pull/29 CVE-2020-8902 (Rendertron versions prior to 3.0.0 are are susceptible to a Server-Sid ...) @@ -53085,8 +53202,7 @@ CVE-2020-8563 (In Kubernetes clusters using VSphere as a cloud provider, with a NOTE: https://github.com/kubernetes/kubernetes/pull/95236 NOTE: https://groups.google.com/g/kubernetes-announce/c/ScdmyORnPDk NOTE: https://github.com/kubernetes/kubernetes/issues/95621 -CVE-2020-8562 - RESERVED +CVE-2020-8562 (As mitigations to a report from 2019 and CVE-2020-8555, Kubernetes att ...) - kubernetes <unfixed> (bug #990793) [bullseye] - kubernetes <not-affected> (Kubernetes in Bullseye only ships the client) NOTE: https://www.openwall.com/lists/oss-security/2021/05/04/8 @@ -53268,7 +53384,7 @@ CVE-2020-8492 (Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, [jessie] - python3.4 <postponed> (Minor issue) - python2.7 2.7.18-2 (low; bug #970099) [buster] - python2.7 <no-dsa> (Minor issue) - [stretch] - python2.7 <no-dsa> (Minor issue) + [stretch] - python2.7 <ignored> (Too destructive to backport. Though the patch is partly ready. https://salsa.debian.org/lts-team/packages/python2.7/-/blob/master/debian/patches/CVE-2020-8492.patch) [jessie] - python2.7 <no-dsa> (Minor issue) NOTE: https://bugs.python.org/issue39503 NOTE: https://github.com/python/cpython/pull/18284 @@ -53838,8 +53954,8 @@ CVE-2020-8244 (A buffer over-read vulnerability exists in bl <4.0.3, <3.0. NOTE: https://github.com/rvagg/bl/commit/d3e240e3b8ba4048d3c76ef5fb9dd1f8872d3190 CVE-2020-8243 (A vulnerability in the Pulse Connect Secure < 9.1R8.2 admin web int ...) NOT-FOR-US: Pulse Connect Secure -CVE-2020-8242 - RESERVED +CVE-2020-8242 (Unsanitized user input in ExpressionEngine <= 5.4.0 control panel m ...) + NOT-FOR-US: ExpressionEngine CVE-2020-8241 (A vulnerability in the Pulse Secure Desktop Client < 9.1R9 could al ...) NOT-FOR-US: Pulse Secure Pulse Connect Secure Desktop Client CVE-2020-8240 (A vulnerability in the Pulse Secure Desktop Client < 9.1R9 allows a ...) @@ -54222,12 +54338,12 @@ CVE-2020-8109 (A vulnerability has been discovered in the ace.xmd parser that re NOT-FOR-US: Bitdefender CVE-2020-8108 (Improper Authentication vulnerability in Bitdefender Endpoint Security ...) NOT-FOR-US: Bitdefender -CVE-2020-8107 - RESERVED +CVE-2020-8107 (A Process Control vulnerability in ProductAgentUI.exe as used in Bitde ...) + NOT-FOR-US: Bitdefender CVE-2020-8106 REJECTED -CVE-2020-8105 - RESERVED +CVE-2020-8105 (OS Command Injection vulnerability in the wirelessConnect handler of A ...) + NOT-FOR-US: Abode iota All-In-One Security Kit CVE-2020-8104 RESERVED CVE-2020-8103 (A vulnerability in the improper handling of symbolic links in Bitdefen ...) @@ -54759,18 +54875,18 @@ CVE-2020-7885 RESERVED CVE-2020-7884 RESERVED -CVE-2020-7883 - RESERVED +CVE-2020-7883 (Printchaser v2.2021.804.1 and earlier versions contain a vulnerability ...) + NOT-FOR-US: Printchaser CVE-2020-7882 (Using the parameter of getPFXFolderList function, attackers can see th ...) NOT-FOR-US: anySign CVE-2020-7881 (The vulnerability function is enabled when the streamer service relate ...) NOT-FOR-US: AfreecaTV -CVE-2020-7880 - RESERVED -CVE-2020-7879 - RESERVED -CVE-2020-7878 - RESERVED +CVE-2020-7880 (The vulnerabilty was discovered in ActiveX module related to NeoRS rem ...) + NOT-FOR-US: duozone NeoRS remote support +CVE-2020-7879 (This issue was discovered when the ipTIME C200 IP Camera was synchroni ...) + NOT-FOR-US: ipTIME C200 IP Camera +CVE-2020-7878 (An arbitrary file download and execution vulnerability was found in th ...) + NOT-FOR-US: VideoOffice CVE-2020-7877 (A buffer overflow issue was discovered in ZOOK solution(remote adminis ...) NOT-FOR-US: ZOOK CVE-2020-7876 @@ -55139,10 +55255,11 @@ CVE-2020-7713 (All versions of package arr-flatten-unflatten are vulnerable to P CVE-2020-7712 (This affects the package json before 10.0.0. It is possible to inject ...) NOT-FOR-US: Node json CVE-2020-7711 (This affects all versions of package github.com/russellhaering/goxmlds ...) - - golang-github-russellhaering-goxmldsig <unfixed> (bug #968928) + - golang-github-russellhaering-goxmldsig 1.1.1-1 (bug #968928) [bullseye] - golang-github-russellhaering-goxmldsig <no-dsa> (Minor issue) [buster] - golang-github-russellhaering-goxmldsig <no-dsa> (Minor issue) NOTE: https://github.com/russellhaering/goxmldsig/issues/48 + NOTE: https://github.com/russellhaering/goxmldsig/commit/fb23e0af61c023e3a6dae8ad30dbd0f04d8a4d8f CVE-2020-7710 (This affects all versions of package safe-eval. It is possible for an ...) NOT-FOR-US: Node safe-eval CVE-2020-7709 (This affects the package json-pointer before 0.6.1. Multiple reference ...) @@ -55540,8 +55657,8 @@ CVE-2020-7536 (A CWE-754:Improper Check for Unusual or Exceptional Conditions vu NOT-FOR-US: Modicon CVE-2020-7535 (A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ...) NOT-FOR-US: Modicon -CVE-2020-7534 - RESERVED +CVE-2020-7534 (A CWE-352: Cross-Site Request Forgery (CSRF) vulnerability exists on t ...) + NOT-FOR-US: Schneider Electric CVE-2020-7533 (A CWE-255: Credentials Management vulnerability exists in Web Server o ...) NOT-FOR-US: Modicon CVE-2020-7532 (A CWE-502 Deserialization of Untrusted Data vulnerability exists in SC ...) @@ -56953,18 +57070,18 @@ CVE-2020-6924 RESERVED CVE-2020-6923 RESERVED -CVE-2020-6922 - RESERVED -CVE-2020-6921 - RESERVED -CVE-2020-6920 - RESERVED -CVE-2020-6919 - RESERVED -CVE-2020-6918 - RESERVED -CVE-2020-6917 - RESERVED +CVE-2020-6922 (Potential security vulnerabilities including compromise of integrity, ...) + NOT-FOR-US: HP +CVE-2020-6921 (Potential security vulnerabilities including compromise of integrity, ...) + NOT-FOR-US: HP +CVE-2020-6920 (Potential security vulnerabilities including compromise of integrity, ...) + NOT-FOR-US: HP +CVE-2020-6919 (Potential security vulnerabilities including compromise of integrity, ...) + NOT-FOR-US: HP +CVE-2020-6918 (Potential security vulnerabilities including compromise of integrity, ...) + NOT-FOR-US: HP +CVE-2020-6917 (Potential security vulnerabilities including compromise of integrity, ...) + NOT-FOR-US: HP CVE-2020-6916 RESERVED CVE-2020-6915 @@ -59381,7 +59498,7 @@ CVE-2020-6062 (An exploitable denial-of-service vulnerability exists in the way [jessie] - coturn <not-affected> (Vulnerable code introduced later) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-0985 NOTE: https://github.com/coturn/coturn/commit/e09bcd9f7af5b32c81b37f51835b384b5a7d03a8 -CVE-2020-6061 (An exploitable heap overflow vulnerability exists in the way CoTURN 4. ...) +CVE-2020-6061 (An exploitable heap out-of-bounds read vulnerability exists in the way ...) {DSA-4711-1} - coturn 4.5.1.1-1.2 (bug #951876) [jessie] - coturn <not-affected> (Vulnerable code introduced later) @@ -59627,14 +59744,14 @@ CVE-2020-5958 (NVIDIA Windows GPU Display Driver, all versions, contains a vulne NOT-FOR-US: NVIDIA Windows GPU Display Driver CVE-2020-5957 (NVIDIA Windows GPU Display Driver, all versions, contains a vulnerabil ...) NOT-FOR-US: Nvidia driver for Windows -CVE-2020-5956 - RESERVED +CVE-2020-5956 (An issue was discovered in SdLegacySmm in Insyde InsydeH2O with kernel ...) + NOT-FOR-US: Insyde CVE-2020-5955 (An issue was discovered in Int15MicrocodeSmm in Insyde InsydeH2O befor ...) NOT-FOR-US: Int15MicrocodeSmm CVE-2020-5954 RESERVED -CVE-2020-5953 - RESERVED +CVE-2020-5953 (A vulnerability exists in System Management Interrupt (SWSMI) handler ...) + NOT-FOR-US: Insyde CVE-2020-5952 RESERVED CVE-2020-5951 @@ -60189,7 +60306,7 @@ CVE-2020-5677 (Reflected cross-site scripting vulnerability in GROWI v4.0.0 and NOT-FOR-US: GROWI CVE-2020-5676 (GROWI v4.1.3 and earlier allow remote attackers to obtain information ...) NOT-FOR-US: GROWI -CVE-2020-5675 (Out-of-bounds read issue in GT21 model of GOT2000 series (GT2107-WTBD ...) +CVE-2020-5675 (Out-of-bounds read vulnerability in GT21 model of GOT2000 series (GT21 ...) NOT-FOR-US: Mitsubishi CVE-2020-5674 (Untrusted search path vulnerability in the installers of multiple SEIK ...) NOT-FOR-US: SEIKO EPSON products @@ -61180,7 +61297,7 @@ CVE-2020-5240 (In wagtail-2fa before 1.4.1, any user with access to the CMS can CVE-2020-5239 (In Mailu before version 1.7, an authenticated user can exploit a vulne ...) NOT-FOR-US: Mailu CVE-2020-5238 (The table extension in GitHub Flavored Markdown before version 0.29.0. ...) - - cmark-gfm <unfixed> (bug #965984) + - cmark-gfm 0.29.0.gfm.2-1 (bug #965984) [bullseye] - cmark-gfm <no-dsa> (Minor issue) [buster] - cmark-gfm <no-dsa> (Minor issue) - python-cmarkgfm <unfixed> (bug #965983) @@ -61966,16 +62083,16 @@ CVE-2020-4881 (IBM Planning Analytics 2.0 could allow a remote attacker to obtai NOT-FOR-US: IBM CVE-2020-4880 RESERVED -CVE-2020-4879 - RESERVED +CVE-2020-4879 (IBM Cognos Controller 10.4.0, 10.4.1, and 10.4.2 could allow a remote ...) + NOT-FOR-US: IBM CVE-2020-4878 RESERVED -CVE-2020-4877 - RESERVED -CVE-2020-4876 - RESERVED -CVE-2020-4875 - RESERVED +CVE-2020-4877 (IBM Cognos Controller 10.4.0, 10.4.1, and 10.4.2 could be vulnerable t ...) + NOT-FOR-US: IBM +CVE-2020-4876 (IBM Cognos Controller 10.4.0, 10.4.1, and 10.4.2 is vulnerable to an X ...) + NOT-FOR-US: IBM +CVE-2020-4875 (IBM Cognos Controller 10.4.0, 10.4.1, and 10.4.2 is vulnerable to an X ...) + NOT-FOR-US: IBM CVE-2020-4874 RESERVED CVE-2020-4873 (IBM Planning Analytics 2.0 could allow an attacker to obtain sensitive ...) @@ -62735,8 +62852,8 @@ CVE-2020-4498 (IBM MQ Appliance 9.1 LTS and 9.1 CD could allow a local privilege NOT-FOR-US: IBM CVE-2020-4497 RESERVED -CVE-2020-4496 - RESERVED +CVE-2020-4496 (The IBM Spectrum Protect Plus 10.1.0.0 through 10.1.8.x server connect ...) + NOT-FOR-US: IBM CVE-2020-4495 (IBM Jazz Foundation and IBM Engineering products could allow a remote ...) NOT-FOR-US: IBM CVE-2020-4494 (IBM Spectrum Protect Client 8.1.7.0 through 8.1.9.1 (Linux and Windows ...) @@ -63650,7 +63767,7 @@ CVE-2020-4044 (The xrdp-sesman service before version 0.9.13.1 can be crashed by CVE-2020-4043 (phpMussel from versions 1.0.0 and less than 1.6.0 has an unserializati ...) NOT-FOR-US: phpMussel CVE-2020-4042 (Bareos before version 19.2.8 and earlier allows a malicious client to ...) - - bareos <unfixed> (bug #965985) + - bareos <removed> (bug #965985) [buster] - bareos <ignored> (Minor issue; workaround exists; intrusive to backport to older versions) [stretch] - bareos <no-dsa> (minor issue, low priority) NOTE: https://github.com/bareos/bareos/security/advisories/GHSA-vqpj-2vhj-h752 @@ -63997,8 +64114,8 @@ CVE-2020-3897 (A type confusion issue was addressed with improved memory handlin [jessie] - webkit2gtk <ignored> (Not covered by security support in jessie) - wpewebkit 2.28.0-1 NOTE: https://webkitgtk.org/security/WSA-2020-0005.html -CVE-2020-3896 - RESERVED +CVE-2020-3896 (This issue was addressed by removing the vulnerable code. This issue i ...) + NOT-FOR-US: Apple CVE-2020-3895 (A memory corruption issue was addressed with improved memory handling. ...) {DSA-4681-1} - webkit2gtk 2.28.0-2 @@ -64027,8 +64144,8 @@ CVE-2020-3888 (A logic issue was addressed with improved restrictions. This issu NOT-FOR-US: Apple CVE-2020-3887 (A logic issue was addressed with improved restrictions. This issue is ...) NOT-FOR-US: Apple -CVE-2020-3886 - RESERVED +CVE-2020-3886 (A use after free issue was addressed with improved memory management. ...) + NOT-FOR-US: Apple CVE-2020-3885 (A logic issue was addressed with improved restrictions. This issue is ...) {DSA-4681-1} - webkit2gtk 2.28.0-2 @@ -64420,21 +64537,21 @@ CVE-2020-3711 (Adobe Illustrator CC versions 24.0 and earlier have a memory corr CVE-2020-3710 (Adobe Illustrator CC versions 24.0 and earlier have a memory corruptio ...) NOT-FOR-US: Adobe CVE-2020-3709 - RESERVED + REJECTED CVE-2020-3708 - RESERVED + REJECTED CVE-2020-3707 - RESERVED + REJECTED CVE-2020-3706 - RESERVED + REJECTED CVE-2020-3705 - RESERVED + REJECTED CVE-2020-3704 (u'While processing invalid connection request PDU which is nonstandard ...) NOT-FOR-US: Qualcomm components for Android CVE-2020-3703 (u'Buffer over-read issue in Bluetooth peripheral firmware due to lack ...) NOT-FOR-US: Qualcomm components for Android CVE-2020-3702 (u'Specifically timed and handcrafted traffic can cause internal errors ...) - {DSA-4978-1 DLA-2785-1} + {DSA-4978-1 DLA-2843-1 DLA-2785-1} - linux 5.14.6-1 [buster] - linux 4.19.208-1 NOTE: https://lore.kernel.org/linux-wireless/CABvG-CVvPF++0vuGzCrBj8+s=Bcx1GwWfiW1_Somu_GVncTAcQ@mail.gmail.com/ @@ -64448,11 +64565,11 @@ CVE-2020-3699 (Possible out of bound access while processing assoc response from CVE-2020-3698 (Out of bound write while QoS DSCP mapping due to improper input valida ...) NOT-FOR-US: Qualcomm components for Android CVE-2020-3697 - RESERVED + REJECTED CVE-2020-3696 (u'Use after free while installing new security rule in ipcrtr as old o ...) NOT-FOR-US: Qualcomm components for Android CVE-2020-3695 - RESERVED + REJECTED CVE-2020-3694 (u'Use out of range pointer issue can occur due to incorrect buffer ran ...) NOT-FOR-US: Qualcomm components for Android CVE-2020-3693 (u'Use out of range pointer issue can occur due to incorrect buffer ran ...) @@ -64478,7 +64595,7 @@ CVE-2020-3684 (u'QSEE reads the access permission policy for the SMEM TOC partit CVE-2020-3683 RESERVED CVE-2020-3682 - RESERVED + REJECTED CVE-2020-3681 (Authenticated and encrypted payload MMEs can be forged and remotely se ...) NOT-FOR-US: Qualcomm components for Android CVE-2020-3680 (A race condition can occur when using the fastrpc memory mapping API. ...) @@ -64580,7 +64697,7 @@ CVE-2020-3633 (Array out of bound may occur while playing mp3 file as no check i CVE-2020-3632 (u'Incorrect validation of ring context fetched from host memory can le ...) NOT-FOR-US: Qualcomm components for Android CVE-2020-3631 - RESERVED + REJECTED CVE-2020-3630 (Possibility of out of bound access while processing the responses from ...) NOT-FOR-US: Qualcomm components for Android CVE-2020-3629 (u'Stack out of bound issue occurs when making query to DSP capabilitie ...) @@ -64588,7 +64705,7 @@ CVE-2020-3629 (u'Stack out of bound issue occurs when making query to DSP capabi CVE-2020-3628 (Improper access due to socket opened by the logging application withou ...) NOT-FOR-US: Snapdragon CVE-2020-3627 - RESERVED + REJECTED CVE-2020-3626 (Any application can bind to it and exercise the APIs due to no protect ...) NOT-FOR-US: Snapdragon CVE-2020-3625 (When making query to DSP capabilities, Stack out of bounds occurs due ...) @@ -69093,7 +69210,7 @@ CVE-2020-1654 (On Juniper Networks SRX Series with ICAP (Internet Content Adapta CVE-2020-1653 (On Juniper Networks Junos OS devices, a stream of TCP packets sent to ...) NOT-FOR-US: Juniper CVE-2020-1652 (OpenNMS is accessible via port 9443 ...) - NOT-FOR-US: OpenNMS + - opennms <itp> (bug #450615) CVE-2020-1651 (On Juniper Networks MX series, receipt of a stream of specific Layer 2 ...) NOT-FOR-US: Juniper CVE-2020-1650 (On Juniper Networks Junos MX Series with service card configured, rece ...) @@ -71819,7 +71936,7 @@ CVE-2020-0340 (In libcodec2_soft_mp3dec, there is a possible information disclos NOT-FOR-US: Android Media Framework CVE-2020-0339 (There is a possible out of bounds read due to a missing bounds check.P ...) NOT-FOR-US: MediaTek components for Android -CVE-2020-0338 (In AccountManager, there is a possible bypass of a permissions check d ...) +CVE-2020-0338 (In checkKeyIntent of AccountManagerService.java, there is a possible p ...) NOT-FOR-US: Android CVE-2020-0337 (In MediaProvider, there is a possible bypass of a permissions check du ...) NOT-FOR-US: Android diff --git a/data/CVE/2021.list b/data/CVE/2021.list index df53fd88b2..06406baf29 100644 --- a/data/CVE/2021.list +++ b/data/CVE/2021.list @@ -1,32 +1,6577 @@ -CVE-2021-4027 +CVE-2021-46701 (PreMiD 2.2.0 allows unintended access via the websocket transport. An ...) + NOT-FOR-US: PreMiD +CVE-2021-46700 (In libsixel 1.8.6, sixel_encoder_output_without_macro (called from six ...) + - libsixel <unfixed> + [bullseye] - libsixel <no-dsa> (Minor issue) + [buster] - libsixel <no-dsa> (Minor issue) + NOTE: https://github.com/saitoha/libsixel/issues/158 +CVE-2021-4222 RESERVED -CVE-2021-4026 +CVE-2021-4221 RESERVED -CVE-2021-4025 +CVE-2021-46699 RESERVED -CVE-2021-44235 +CVE-2021-4220 + REJECTED +CVE-2021-4219 RESERVED -CVE-2021-44234 +CVE-2021-46687 RESERVED -CVE-2021-44233 +CVE-2021-46270 RESERVED -CVE-2021-44232 +CVE-2021-45730 RESERVED -CVE-2021-44231 +CVE-2021-45721 RESERVED -CVE-2021-44230 +CVE-2021-45074 RESERVED -CVE-2021-44229 +CVE-2021-41834 + RESERVED +CVE-2021-23163 + RESERVED +CVE-2021-22590 + RESERVED +CVE-2021-46681 + RESERVED +CVE-2021-46680 + RESERVED +CVE-2021-46679 + RESERVED +CVE-2021-46678 + RESERVED +CVE-2021-46677 + RESERVED +CVE-2021-46676 + RESERVED +CVE-2021-46675 + RESERVED +CVE-2021-46674 + RESERVED +CVE-2021-46673 + RESERVED +CVE-2021-46672 + RESERVED +CVE-2021-46671 (options.c in atftp before 0.7.5 reads past the end of an array, and co ...) + - atftp 0.7.git20210915-1 (bug #1004974) + [bullseye] - atftp <no-dsa> (Minor issue) + [buster] - atftp <no-dsa> (Minor issue) + [stretch] - atftp <no-dsa> (Minor issue) + NOTE: https://sourceforge.net/p/atftp/code/ci/9cf799c40738722001552618518279e9f0ef62e5 (v0.7.5) +CVE-2021-46670 + RESERVED +CVE-2021-46669 (MariaDB through 10.5.9 allows attackers to trigger a convert_const_to_ ...) + - mariadb-10.6 1:10.6.7-1 + - mariadb-10.5 <removed> + - mariadb-10.3 <removed> + NOTE: https://jira.mariadb.org/browse/MDEV-25638 +CVE-2021-46668 (MariaDB through 10.5.9 allows an application crash via certain long SE ...) + - mariadb-10.6 1:10.6.7-1 + - mariadb-10.5 <removed> + - mariadb-10.3 <removed> + NOTE: https://jira.mariadb.org/browse/MDEV-25787 + NOTE: Fixed in MariaDB: 10.7.3, 10.6.7, 10.5.15, 10.4.24, 10.3.34, 10.2.43 +CVE-2021-46667 (MariaDB before 10.6.5 has a sql_lex.cc integer overflow, leading to an ...) + - mariadb-10.6 1:10.6.5-1 + - mariadb-10.5 <removed> + - mariadb-10.3 <removed> + NOTE: https://jira.mariadb.org/browse/MDEV-26350 + NOTE: Fixed in MariaDB: 10.2.41, 10.3.32, 10.4.22, 10.5.13, 10.6.5 +CVE-2021-46666 (MariaDB before 10.6.2 allows an application crash because of mishandli ...) + - mariadb-10.6 <not-affected> (Fixed before initial upload to Debian) + - mariadb-10.5 1:10.5.11-1 + - mariadb-10.3 <removed> + [buster] - mariadb-10.3 1:10.3.31-0+deb10u1 + NOTE: https://jira.mariadb.org/browse/MDEV-25635 + NOTE: Fixed in MariaDB: 10.2.39, 10.3.30, 10.4.20, 10.5.11, 10.6.2 +CVE-2021-46665 (MariaDB through 10.5.9 allows a sql_parse.cc application crash because ...) + - mariadb-10.6 1:10.6.7-1 + - mariadb-10.5 <removed> + - mariadb-10.3 <removed> + NOTE: https://jira.mariadb.org/browse/MDEV-25636 + NOTE: Fixed in MariaDB: 10.7.3, 10.6.7, 10.5.15, 10.4.24, 10.3.34, 10.2.43 +CVE-2021-46664 (MariaDB through 10.5.9 allows an application crash in sub_select_postj ...) + - mariadb-10.6 1:10.6.7-1 + - mariadb-10.5 <removed> + - mariadb-10.3 <removed> + NOTE: https://jira.mariadb.org/browse/MDEV-25761 + NOTE: Fixed in MariaDB: 10.7.3, 10.6.7, 10.5.15, 10.4.24, 10.3.34, 10.2.43 +CVE-2021-46663 (MariaDB through 10.5.13 allows a ha_maria::extra application crash via ...) + - mariadb-10.6 1:10.6.7-1 + - mariadb-10.5 <removed> + - mariadb-10.3 <removed> + NOTE: https://jira.mariadb.org/browse/MDEV-26351 + NOTE: Fixed in MariaDB: 10.7.3, 10.6.7, 10.5.15, 10.4.24, 10.3.34, 10.2.43 +CVE-2021-46662 (MariaDB through 10.5.9 allows a set_var.cc application crash via certa ...) + - mariadb-10.6 1:10.6.5-1 + - mariadb-10.5 <removed> + - mariadb-10.3 <removed> + NOTE: https://jira.mariadb.org/browse/MDEV-25637 + NOTE: https://jira.mariadb.org/browse/MDEV-22464 + NOTE: Fixed in MariaDB: 10.3.32, 10.4.22, 10.5.13, 10.6.5 +CVE-2021-46661 (MariaDB through 10.5.9 allows an application crash in find_field_in_ta ...) + - mariadb-10.6 1:10.6.7-1 + - mariadb-10.5 <removed> + - mariadb-10.3 <removed> + NOTE: https://jira.mariadb.org/browse/MDEV-25766 + NOTE: Fixed in MariaDB: 10.7.3, 10.6.7, 10.5.15, 10.4.24, 10.3.34, 10.2.43 +CVE-2021-4218 + RESERVED + - linux 5.8.7-1 + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2048359 + NOTE: Fixed by: https://git.kernel.org/linus/32927393dc1ccd60fb2bdc05b9e8e88753761469 (5.8-rc1) +CVE-2021-46660 (Signiant Manager+Agents before 15.1 allows XML External Entity (XXE) a ...) + NOT-FOR-US: Signiant Manager+Agents +CVE-2021-46659 (MariaDB before 10.7.2 allows an application crash because it does not ...) + - mariadb-10.6 1:10.6.7-1 + - mariadb-10.5 <removed> + - mariadb-10.3 <removed> + NOTE: https://jira.mariadb.org/browse/MDEV-25631 + NOTE: Fixed in MariaDB: 10.2.42, 10.3.33, 10.4.23, 10.5.14, 10.6.6, 10.7.2 +CVE-2021-46658 (save_window_function_values in MariaDB before 10.6.3 allows an applica ...) + - mariadb-10.6 <not-affected> (Fixed before initial upload to Debian) + - mariadb-10.5 1:10.5.11-1 + - mariadb-10.3 <removed> + [buster] - mariadb-10.3 1:10.3.31-0+deb10u1 + NOTE: https://jira.mariadb.org/browse/MDEV-25630 + NOTE: Fixed in MariaDB: 10.2.40, 10.3.31, 10.4.21, 10.5.12, 10.6.3 +CVE-2021-46657 (get_sort_by_table in MariaDB before 10.6.2 allows an application crash ...) + - mariadb-10.6 <not-affected> (Fixed before initial upload to Debian) + - mariadb-10.5 1:10.5.11-1 + - mariadb-10.3 <removed> + [buster] - mariadb-10.3 1:10.3.31-0+deb10u1 + NOTE: https://jira.mariadb.org/browse/MDEV-25629 + NOTE: Fixed in MariaDB: 10.2.39, 10.3.30, 10.4.20, 10.5.11, 10.6.2 +CVE-2021-4217 [Null pointer dereference in Unicode strings code] + RESERVED + - unzip <unfixed> (unimportant) + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2044583 + NOTE: https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/1957077 + NOTE: Crash in CLI tool, no security impact +CVE-2021-4216 + RESERVED +CVE-2021-46656 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley View +CVE-2021-46655 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley View +CVE-2021-46654 (This vulnerability allows remote attackers to disclose sensitive infor ...) + NOT-FOR-US: Bentley View +CVE-2021-46653 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley View +CVE-2021-46652 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley View +CVE-2021-46651 (This vulnerability allows remote attackers to disclose sensitive infor ...) + NOT-FOR-US: Bentley +CVE-2021-46650 (This vulnerability allows remote attackers to disclose sensitive infor ...) + NOT-FOR-US: Bentley +CVE-2021-46649 (This vulnerability allows remote attackers to disclose sensitive infor ...) + NOT-FOR-US: Bentley +CVE-2021-46648 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley +CVE-2021-46647 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley +CVE-2021-46646 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley +CVE-2021-46645 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley +CVE-2021-46644 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley +CVE-2021-46643 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley +CVE-2021-46642 (This vulnerability allows remote attackers to disclose sensitive infor ...) + NOT-FOR-US: Bentley +CVE-2021-46641 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley +CVE-2021-46640 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley +CVE-2021-46639 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley +CVE-2021-46638 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley +CVE-2021-46637 (This vulnerability allows remote attackers to disclose sensitive infor ...) + NOT-FOR-US: Bentley +CVE-2021-46636 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley +CVE-2021-46635 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley +CVE-2021-46634 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley +CVE-2021-46633 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley +CVE-2021-46632 (This vulnerability allows remote attackers to disclose sensitive infor ...) + NOT-FOR-US: Bentley +CVE-2021-46631 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley +CVE-2021-46630 (This vulnerability allows remote attackers to disclose sensitive infor ...) + NOT-FOR-US: Bentley +CVE-2021-46629 (This vulnerability allows remote attackers to disclose sensitive infor ...) + NOT-FOR-US: Bentley +CVE-2021-46628 (This vulnerability allows remote attackers to disclose sensitive infor ...) + NOT-FOR-US: Bentley +CVE-2021-46627 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley +CVE-2021-46626 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley +CVE-2021-46625 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley +CVE-2021-46624 (This vulnerability allows remote attackers to disclose sensitive infor ...) + NOT-FOR-US: Bentley +CVE-2021-46623 (This vulnerability allows remote attackers to disclose sensitive infor ...) + NOT-FOR-US: Bentley +CVE-2021-46622 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley +CVE-2021-46621 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley +CVE-2021-46620 (This vulnerability allows remote attackers to disclose sensitive infor ...) + NOT-FOR-US: Bentley +CVE-2021-46619 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley +CVE-2021-46618 (This vulnerability allows remote attackers to disclose sensitive infor ...) + NOT-FOR-US: Bentley +CVE-2021-46617 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley +CVE-2021-46616 (This vulnerability allows remote attackers to disclose sensitive infor ...) + NOT-FOR-US: Bentley +CVE-2021-46615 (This vulnerability allows remote attackers to disclose sensitive infor ...) + NOT-FOR-US: Bentley +CVE-2021-46614 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley +CVE-2021-46613 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley +CVE-2021-46612 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley +CVE-2021-46611 (This vulnerability allows remote attackers to disclose sensitive infor ...) + NOT-FOR-US: Bentley +CVE-2021-46610 (This vulnerability allows remote attackers to disclose sensitive infor ...) + NOT-FOR-US: Bentley +CVE-2021-46609 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley +CVE-2021-46608 (This vulnerability allows remote attackers to disclose sensitive infor ...) + NOT-FOR-US: Bentley +CVE-2021-46607 (This vulnerability allows remote attackers to disclose sensitive infor ...) + NOT-FOR-US: Bentley +CVE-2021-46606 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley +CVE-2021-46605 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley +CVE-2021-46604 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley +CVE-2021-46603 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley +CVE-2021-46602 (This vulnerability allows remote attackers to disclose sensitive infor ...) + NOT-FOR-US: Bentley +CVE-2021-46601 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley +CVE-2021-46600 (This vulnerability allows remote attackers to disclose sensitive infor ...) + NOT-FOR-US: Bentley +CVE-2021-46599 (This vulnerability allows remote attackers to disclose sensitive infor ...) + NOT-FOR-US: Bentley +CVE-2021-46598 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley +CVE-2021-46597 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley +CVE-2021-46596 (This vulnerability allows remote attackers to disclose sensitive infor ...) + NOT-FOR-US: Bentley +CVE-2021-46595 (This vulnerability allows remote attackers to disclose sensitive infor ...) + NOT-FOR-US: Bentley +CVE-2021-46594 (This vulnerability allows remote attackers to disclose sensitive infor ...) + NOT-FOR-US: Bentley +CVE-2021-46593 (This vulnerability allows remote attackers to disclose sensitive infor ...) + NOT-FOR-US: Bentley +CVE-2021-46592 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley +CVE-2021-46591 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley +CVE-2021-46590 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley +CVE-2021-46589 (This vulnerability allows remote attackers to disclose sensitive infor ...) + NOT-FOR-US: Bentley +CVE-2021-46588 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley +CVE-2021-46587 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley +CVE-2021-46586 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley +CVE-2021-46585 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley +CVE-2021-46584 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley +CVE-2021-46583 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley +CVE-2021-46582 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley +CVE-2021-46581 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley +CVE-2021-46580 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley +CVE-2021-46579 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley +CVE-2021-46578 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley +CVE-2021-46577 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley +CVE-2021-46576 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley +CVE-2021-46575 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley +CVE-2021-46574 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley +CVE-2021-46573 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley +CVE-2021-46572 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley +CVE-2021-46571 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley +CVE-2021-46570 (This vulnerability allows remote attackers to disclose sensitive infor ...) + NOT-FOR-US: Bentley +CVE-2021-46569 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley +CVE-2021-46568 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley +CVE-2021-46567 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley +CVE-2021-46566 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley +CVE-2021-46565 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley +CVE-2021-46564 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley +CVE-2021-46563 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley +CVE-2021-46562 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley +CVE-2021-46561 (controller/org.controller/org.controller.js in the CVE Services API 1. ...) + NOT-FOR-US: controller/org.controller/org.controller.js in the CVE Services API +CVE-2021-46560 (The firmware on Moxa TN-5900 devices through 3.1 allows command inject ...) + NOT-FOR-US: Moxa +CVE-2021-46559 (The firmware on Moxa TN-5900 devices through 3.1 has a weak algorithm ...) + NOT-FOR-US: Moxa +CVE-2021-4215 + RESERVED +CVE-2021-4214 + RESERVED + - libpng1.6 <unfixed> (unimportant) + NOTE: https://github.com/glennrp/libpng/issues/302 + NOTE: Crash in CLI package, not shipped in binary packages +CVE-2021-4213 + RESERVED + - jss <unfixed> + [bullseye] - jss <no-dsa> (Minor issue) + [buster] - jss <no-dsa> (Minor issue) + [stretch] - jss <postponed> (revisit when/if fix is complete) + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2042900 + NOTE: https://github.com/dogtagpki/jss/commit/5922560a78d0dee61af8a33cc9cfbf4cfa291448 +CVE-2021-4212 + RESERVED +CVE-2021-4211 + RESERVED +CVE-2021-4210 + RESERVED +CVE-2021-46558 (Multiple cross-site scripting (XSS) vulnerabilities in the Add User mo ...) + NOT-FOR-US: Issabel +CVE-2021-46557 (Vicidial 2.14-783a was discovered to contain a cross-site scripting (X ...) + NOT-FOR-US: Vicidial +CVE-2021-46556 (Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via ...) + NOT-FOR-US: Cesanta MJS +CVE-2021-46555 + RESERVED +CVE-2021-46554 (Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via ...) + NOT-FOR-US: Cesanta MJS +CVE-2021-46553 (Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via ...) + NOT-FOR-US: Cesanta MJS +CVE-2021-46552 + RESERVED +CVE-2021-46551 + RESERVED +CVE-2021-46550 (Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via ...) + NOT-FOR-US: Cesanta MJS +CVE-2021-46549 (Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via ...) + NOT-FOR-US: Cesanta MJS +CVE-2021-46548 (Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via ...) + NOT-FOR-US: Cesanta MJS +CVE-2021-46547 (Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via ...) + NOT-FOR-US: Cesanta MJS +CVE-2021-46546 (Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via ...) + NOT-FOR-US: Cesanta MJS +CVE-2021-46545 (Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via ...) + NOT-FOR-US: Cesanta MJS +CVE-2021-46544 (Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via ...) + NOT-FOR-US: Cesanta MJS +CVE-2021-46543 (Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via ...) + NOT-FOR-US: Cesanta MJS +CVE-2021-46542 (Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via ...) + NOT-FOR-US: Cesanta MJS +CVE-2021-46541 (Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via ...) + NOT-FOR-US: Cesanta MJS +CVE-2021-46540 (Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via ...) + NOT-FOR-US: Cesanta MJS +CVE-2021-46539 (Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via ...) + NOT-FOR-US: Cesanta MJS +CVE-2021-46538 (Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via ...) + NOT-FOR-US: Cesanta MJS +CVE-2021-46537 (Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via ...) + NOT-FOR-US: Cesanta MJS +CVE-2021-46536 + RESERVED +CVE-2021-46535 (Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via ...) + NOT-FOR-US: Cesanta MJS +CVE-2021-46534 (Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via ...) + NOT-FOR-US: Cesanta MJS +CVE-2021-46533 + RESERVED +CVE-2021-46532 (Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via ...) + NOT-FOR-US: Cesanta MJS +CVE-2021-46531 (Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via ...) + NOT-FOR-US: Cesanta MJS +CVE-2021-46530 (Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via ...) + NOT-FOR-US: Cesanta MJS +CVE-2021-46529 (Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via ...) + NOT-FOR-US: Cesanta MJS +CVE-2021-46528 (Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via ...) + NOT-FOR-US: Cesanta MJS +CVE-2021-46527 (Cesanta MJS v2.20.0 was discovered to contain a heap buffer overflow v ...) + NOT-FOR-US: Cesanta MJS +CVE-2021-46526 (Cesanta MJS v2.20.0 was discovered to contain a global buffer overflow ...) + NOT-FOR-US: Cesanta MJS +CVE-2021-46525 (Cesanta MJS v2.20.0 was discovered to contain a heap-use-after-free vi ...) + NOT-FOR-US: Cesanta MJS +CVE-2021-46524 (Cesanta MJS v2.20.0 was discovered to contain a heap buffer overflow v ...) + NOT-FOR-US: Cesanta MJS +CVE-2021-46523 (Cesanta MJS v2.20.0 was discovered to contain a heap buffer overflow v ...) + NOT-FOR-US: Cesanta MJS +CVE-2021-46522 (Cesanta MJS v2.20.0 was discovered to contain a heap buffer overflow v ...) + NOT-FOR-US: Cesanta MJS +CVE-2021-46521 (Cesanta MJS v2.20.0 was discovered to contain a global buffer overflow ...) + NOT-FOR-US: Cesanta MJS +CVE-2021-46520 (Cesanta MJS v2.20.0 was discovered to contain a heap buffer overflow v ...) + NOT-FOR-US: Cesanta MJS +CVE-2021-46519 (Cesanta MJS v2.20.0 was discovered to contain a heap buffer overflow v ...) + NOT-FOR-US: Cesanta MJS +CVE-2021-46518 (Cesanta MJS v2.20.0 was discovered to contain a heap buffer overflow v ...) + NOT-FOR-US: Cesanta MJS +CVE-2021-46517 (There is an Assertion `mjs_stack_size(&mjs->scopes) > 0' fai ...) + NOT-FOR-US: Cesanta MJS +CVE-2021-46516 (Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via ...) + NOT-FOR-US: Cesanta MJS +CVE-2021-46515 (There is an Assertion `mjs_stack_size(&mjs->scopes) >= scope ...) + NOT-FOR-US: Cesanta MJS +CVE-2021-46514 (There is an Assertion 'ppos != NULL && mjs_is_number(*ppos)' f ...) + NOT-FOR-US: Cesanta MJS +CVE-2021-46513 (Cesanta MJS v2.20.0 was discovered to contain a global buffer overflow ...) + NOT-FOR-US: Cesanta MJS +CVE-2021-46512 (Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via ...) + NOT-FOR-US: Cesanta MJS +CVE-2021-46511 (There is an Assertion `m->len >= sizeof(v)' failed at src/mjs_co ...) + NOT-FOR-US: Cesanta MJS +CVE-2021-46510 (There is an Assertion `s < mjs->owned_strings.buf + mjs->owne ...) + NOT-FOR-US: Cesanta MJS +CVE-2021-46509 (Cesanta MJS v2.20.0 was discovered to contain a stack overflow via snq ...) + NOT-FOR-US: Cesanta MJS +CVE-2021-46508 (There is an Assertion `i < parts_cnt' failed at src/mjs_bcode.c in ...) + NOT-FOR-US: Cesanta MJS +CVE-2021-46507 (Jsish v3.5.0 was discovered to contain a stack overflow via Jsi_LogMsg ...) + NOT-FOR-US: Jsish +CVE-2021-46506 (There is an Assertion 'v->d.lval != v' failed at src/jsiValue.c in ...) + NOT-FOR-US: Jsish +CVE-2021-46505 (Jsish v3.5.0 was discovered to contain a stack overflow via /usr/lib/x ...) + NOT-FOR-US: Jsish +CVE-2021-46504 (There is an Assertion 'vp != resPtr' failed at jsiEval.c in Jsish v3.5 ...) + NOT-FOR-US: Jsish +CVE-2021-46503 (Jsish v3.5.0 was discovered to contain a heap-use-after-free via /usr/ ...) + NOT-FOR-US: Jsish +CVE-2021-46502 (Jsish v3.5.0 was discovered to contain a heap-use-after-free via /usr/ ...) + NOT-FOR-US: Jsish +CVE-2021-46501 (Jsish v3.5.0 was discovered to contain a heap-use-after-free via SortS ...) + NOT-FOR-US: Jsish +CVE-2021-46500 (Jsish v3.5.0 was discovered to contain a heap-use-after-free via jsi_A ...) + NOT-FOR-US: Jsish +CVE-2021-46499 (Jsish v3.5.0 was discovered to contain a heap-use-after-free via jsi_V ...) + NOT-FOR-US: Jsish +CVE-2021-46498 (Jsish v3.5.0 was discovered to contain a heap-use-after-free via jsi_w ...) + NOT-FOR-US: Jsish +CVE-2021-46497 (Jsish v3.5.0 was discovered to contain a heap-use-after-free via jsi_U ...) + NOT-FOR-US: Jsish +CVE-2021-46496 (Jsish v3.5.0 was discovered to contain a heap-use-after-free via Jsi_O ...) + NOT-FOR-US: Jsish +CVE-2021-46495 (Jsish v3.5.0 was discovered to contain a heap-use-after-free via Delet ...) + NOT-FOR-US: Jsish +CVE-2021-46494 (Jsish v3.5.0 was discovered to contain a heap-use-after-free via jsi_V ...) + NOT-FOR-US: Jsish +CVE-2021-46493 + RESERVED +CVE-2021-46492 (Jsish v3.5.0 was discovered to contain a SEGV vulnerability via Jsi_Fu ...) + NOT-FOR-US: Jsish +CVE-2021-46491 (Jsish v3.5.0 was discovered to contain a SEGV vulnerability via Jsi_Co ...) + NOT-FOR-US: Jsish +CVE-2021-46490 (Jsish v3.5.0 was discovered to contain a SEGV vulnerability via Number ...) + NOT-FOR-US: Jsish +CVE-2021-46489 (Jsish v3.5.0 was discovered to contain a heap-use-after-free via Jsi_D ...) + NOT-FOR-US: Jsish +CVE-2021-46488 (Jsish v3.5.0 was discovered to contain a SEGV vulnerability via jsi_Ar ...) + NOT-FOR-US: Jsish +CVE-2021-46487 (Jsish v3.5.0 was discovered to contain a SEGV vulnerability via /lib/x ...) + NOT-FOR-US: Jsish +CVE-2021-46486 (Jsish v3.5.0 was discovered to contain a SEGV vulnerability via jsi_Ar ...) + NOT-FOR-US: Jsish +CVE-2021-46485 (Jsish v3.5.0 was discovered to contain a SEGV vulnerability via Jsi_Va ...) + NOT-FOR-US: Jsish +CVE-2021-46484 (Jsish v3.5.0 was discovered to contain a heap-use-after-free via Jsi_I ...) + NOT-FOR-US: Jsish +CVE-2021-46483 (Jsish v3.5.0 was discovered to contain a heap buffer overflow via Bool ...) + NOT-FOR-US: Jsish +CVE-2021-46482 (Jsish v3.5.0 was discovered to contain a heap buffer overflow via Numb ...) + NOT-FOR-US: Jsish +CVE-2021-46481 (Jsish v3.5.0 was discovered to contain a memory leak via linenoise at ...) + NOT-FOR-US: Jsish +CVE-2021-46480 (Jsish v3.5.0 was discovered to contain a heap buffer overflow via jsiV ...) + NOT-FOR-US: Jsish +CVE-2021-46479 + RESERVED +CVE-2021-46478 (Jsish v3.5.0 was discovered to contain a heap buffer overflow via jsiC ...) + NOT-FOR-US: Jsish +CVE-2021-46477 (Jsish v3.5.0 was discovered to contain a heap buffer overflow via RegE ...) + NOT-FOR-US: Jsish +CVE-2021-46476 + RESERVED +CVE-2021-46475 (Jsish v3.5.0 was discovered to contain a heap buffer overflow via jsi_ ...) + NOT-FOR-US: Jsish +CVE-2021-46474 (Jsish v3.5.0 was discovered to contain a heap buffer overflow via jsiE ...) + NOT-FOR-US: Jsish +CVE-2021-46473 + RESERVED +CVE-2021-46472 + RESERVED +CVE-2021-46471 + RESERVED +CVE-2021-46470 + RESERVED +CVE-2021-46469 + RESERVED +CVE-2021-46468 + RESERVED +CVE-2021-46467 + RESERVED +CVE-2021-46466 + RESERVED +CVE-2021-46465 + RESERVED +CVE-2021-46464 + RESERVED +CVE-2021-46463 (njs through 0.7.1, used in NGINX, was discovered to contain a control ...) + NOT-FOR-US: njs +CVE-2021-46462 (njs through 0.7.1, used in NGINX, was discovered to contain a segmenta ...) + NOT-FOR-US: njs +CVE-2021-46461 (njs through 0.7.0, used in NGINX, was discovered to contain an out-of- ...) + NOT-FOR-US: njs +CVE-2021-46460 + RESERVED +CVE-2021-46459 (Victor CMS v1.0 was discovered to contain multiple SQL injection vulne ...) + NOT-FOR-US: Victor CMS +CVE-2021-46458 (Victor CMS v1.0 was discovered to contain a SQL injection vulnerabilit ...) + NOT-FOR-US: Victor CMS +CVE-2021-46457 (D-Link device D-Link DIR-823-Pro v1.0.2 was discovered to contain a co ...) + NOT-FOR-US: D-Link +CVE-2021-46456 (D-Link device D-Link DIR-823-Pro v1.0.2 was discovered to contain a co ...) + NOT-FOR-US: D-Link +CVE-2021-46455 (D-Link device D-Link DIR-823-Pro v1.0.2 was discovered to contain a co ...) + NOT-FOR-US: D-Link +CVE-2021-46454 (D-Link device D-Link DIR-823-Pro v1.0.2 was discovered to contain a co ...) + NOT-FOR-US: D-Link +CVE-2021-46453 (D-Link device D-Link DIR-823-Pro v1.0.2 was discovered to contain a co ...) + NOT-FOR-US: D-Link +CVE-2021-46452 (D-Link device D-Link DIR-823-Pro v1.0.2 was discovered to contain a co ...) + NOT-FOR-US: D-Link +CVE-2021-46451 (An SQL Injection vulnerabilty exists in Sourcecodester Online Project ...) + NOT-FOR-US: Sourcecodester +CVE-2021-46450 + RESERVED +CVE-2021-46449 + RESERVED +CVE-2021-46448 (H.H.G Multistore v5.1.0 and below was discovered to contain a SQL inje ...) + NOT-FOR-US: H.H.G Multistore +CVE-2021-46447 (A cross-site scripting (XSS) vulnerability in H.H.G Multistore v5.1.0 ...) + NOT-FOR-US: H.H.G Multistore +CVE-2021-46446 (H.H.G Multistore v5.1.0 and below was discovered to contain a SQL inje ...) + NOT-FOR-US: H.H.G Multistore +CVE-2021-46445 (H.H.G Multistore v5.1.0 and below was discovered to contain a SQL inje ...) + NOT-FOR-US: H.H.G Multistore +CVE-2021-46444 (H.H.G Multistore v5.1.0 and below was discovered to contain a SQL inje ...) + NOT-FOR-US: H.H.G Multistore +CVE-2021-46443 + RESERVED +CVE-2021-46442 + RESERVED +CVE-2021-46441 + RESERVED +CVE-2021-46440 + RESERVED +CVE-2021-46439 + RESERVED +CVE-2021-46438 + RESERVED +CVE-2021-46437 + RESERVED +CVE-2021-46436 + RESERVED +CVE-2021-46435 + RESERVED +CVE-2021-46434 + RESERVED +CVE-2021-46433 + RESERVED +CVE-2021-46432 + RESERVED +CVE-2021-46431 + RESERVED +CVE-2021-46430 + RESERVED +CVE-2021-46429 + RESERVED +CVE-2021-46428 (A Remote Code Execution (RCE) vulnerability exists in Sourcecodester S ...) + NOT-FOR-US: Sourcecodester +CVE-2021-46427 (An SQL Injection vulnerability exists in Sourcecodester Simple Chatbot ...) + NOT-FOR-US: Sourcecodester +CVE-2021-46426 + RESERVED +CVE-2021-46425 + RESERVED +CVE-2021-46424 + RESERVED +CVE-2021-46423 + RESERVED +CVE-2021-46422 + RESERVED +CVE-2021-46421 + RESERVED +CVE-2021-46420 + RESERVED +CVE-2021-46419 + RESERVED +CVE-2021-46418 + RESERVED +CVE-2021-46417 + RESERVED +CVE-2021-46416 + RESERVED +CVE-2021-46415 + RESERVED +CVE-2021-46414 + RESERVED +CVE-2021-46413 + RESERVED +CVE-2021-46412 + RESERVED +CVE-2021-46411 + RESERVED +CVE-2021-46410 + RESERVED +CVE-2021-46409 + RESERVED +CVE-2021-46408 + RESERVED +CVE-2021-46407 + RESERVED +CVE-2021-46406 + RESERVED +CVE-2021-46405 + RESERVED +CVE-2021-46404 + RESERVED +CVE-2021-4209 + RESERVED +CVE-2021-46403 + RESERVED +CVE-2021-4208 (The ExportFeed WordPress plugin through 2.0.1.0 does not sanitise and ...) + NOT-FOR-US: WordPress plugin +CVE-2021-46402 + RESERVED +CVE-2021-46401 + RESERVED +CVE-2021-46400 + RESERVED +CVE-2021-46399 + RESERVED +CVE-2021-46398 (A Cross-Site Request Forgery vulnerability exists in Filebrowser < ...) + NOT-FOR-US: FileBrowser +CVE-2021-46397 + RESERVED +CVE-2021-46396 + RESERVED +CVE-2021-46395 + RESERVED +CVE-2021-46394 + RESERVED +CVE-2021-46393 + RESERVED +CVE-2021-46392 + RESERVED +CVE-2021-46391 + RESERVED +CVE-2021-46390 + RESERVED +CVE-2021-46389 (IIPImage High Resolution Streaming Image Server prior to commit 882925 ...) + NOT-FOR-US: IIPImage High Resolution Streaming Image Server +CVE-2021-46388 (WAGO 750-8212 PFC200 G2 2ETH RS Firmware version 03.05.10(17) is affec ...) + NOT-FOR-US: WAGO +CVE-2021-46387 + RESERVED +CVE-2021-46386 (https://gitee.com/mingSoft/MCMS MCMS <=5.2.5 is affected by: File U ...) + NOT-FOR-US: MCMS +CVE-2021-46385 (https://gitee.com/mingSoft/MCMS MCMS <=5.2.5 is affected by: SQL In ...) + NOT-FOR-US: MCMS +CVE-2021-46384 + RESERVED +CVE-2021-46383 (https://gitee.com/mingSoft/MCMS MCMS <=5.2.5 is affected by: SQL In ...) + NOT-FOR-US: MCMS +CVE-2021-46382 + RESERVED +CVE-2021-46381 + RESERVED +CVE-2021-46380 + RESERVED +CVE-2021-46379 + RESERVED +CVE-2021-46378 + RESERVED +CVE-2021-46377 (There is a front-end sql injection vulnerability in cszcms 1.2.9 via c ...) + NOT-FOR-US: cszcms +CVE-2021-46376 + RESERVED +CVE-2021-46375 + RESERVED +CVE-2021-46374 + RESERVED +CVE-2021-46373 + RESERVED +CVE-2021-46372 (Scoold 1.47.2 is a Q&A/knowledge base platform written in Java. Wh ...) + NOT-FOR-US: Scoold +CVE-2021-46371 (antd-admin 5.5.0 is affected by an incorrect access control vulnerabil ...) + NOT-FOR-US: antd-admin +CVE-2021-46370 + RESERVED +CVE-2021-46369 + RESERVED +CVE-2021-46368 (TRIGONE Remote System Monitor 3.61 is vulnerable to an unquoted path s ...) + NOT-FOR-US: TRIGONE Remote System Monitor +CVE-2021-46367 + RESERVED +CVE-2021-46366 (An issue in the Login page of Magnolia CMS v6.2.3 and below allows att ...) + NOT-FOR-US: Magnolia CMS +CVE-2021-46365 (An issue in the Export function of Magnolia v6.2.3 and below allows at ...) + NOT-FOR-US: Magnolia CMS +CVE-2021-46364 (A vulnerability in the Snake YAML parser of Magnolia CMS v6.2.3 and be ...) + NOT-FOR-US: Magnolia CMS +CVE-2021-46363 (An issue in the Export function of Magnolia v6.2.3 and below allows at ...) + NOT-FOR-US: Magnolia CMS +CVE-2021-46362 (A Server-Side Template Injection (SSTI) vulnerability in the Registrat ...) + NOT-FOR-US: Magnolia CMS +CVE-2021-46361 (An issue in the Freemark Filter of Magnolia CMS v6.2.11 and below allo ...) + NOT-FOR-US: Magnolia CMS +CVE-2021-46360 (Authenticated remote code execution (RCE) in Composr-CMS 10.0.39 and e ...) + NOT-FOR-US: Composr-CMS +CVE-2021-46359 (FISCO-BCOS release-3.0.0-rc2 contains a denial of service vulnerabilit ...) + NOT-FOR-US: FISCO-BCOS +CVE-2021-46358 + RESERVED +CVE-2021-46357 + RESERVED +CVE-2021-46356 + RESERVED +CVE-2021-46355 (OCS Inventory 2.9.1 is affected by Cross Site Scripting (XSS). To expl ...) + NOT-FOR-US: OCS Inventory (not the same as ocsinventory-server) +CVE-2021-46354 (Thinfinity VirtualUI 2.1.28.0, 2.1.32.1 and 2.5.26.2, fixed in version ...) + NOT-FOR-US: Thinfinity VirtualUI +CVE-2021-46353 + RESERVED +CVE-2021-46352 + RESERVED +CVE-2021-46351 (There is an Assertion 'local_tza == ecma_date_local_time_zone_adjustme ...) + - iotjs <not-affected> (Vulnerable code not yet introduced) + NOTE: https://github.com/jerryscript-project/jerryscript/pull/4955 + NOTE: https://github.com/jerryscript-project/jerryscript/issues/4940 +CVE-2021-46350 (There is an Assertion 'ecma_is_value_object (value)' failed at jerrysc ...) + - iotjs <not-affected> (Vulnerable code not yet introduced) + NOTE: https://github.com/jerryscript-project/jerryscript/pull/4953 + NOTE: https://github.com/jerryscript-project/jerryscript/issues/4936 +CVE-2021-46349 (There is an Assertion 'type == ECMA_OBJECT_TYPE_GENERAL || type == ECM ...) + - iotjs <unfixed> (bug #1004288) + [bullseye] - iotjs <no-dsa> (Minor issue) + [buster] - iotjs <not-affected> (Vulnerable code introduced later) + NOTE: https://github.com/jerryscript-project/jerryscript/pull/4954 + NOTE: https://github.com/jerryscript-project/jerryscript/issues/4937 +CVE-2021-46348 (There is an Assertion 'ECMA_STRING_IS_REF_EQUALS_TO_ONE (string_p)' fa ...) + - iotjs <unfixed> (bug #1004288) + [bullseye] - iotjs <no-dsa> (Minor issue) + [buster] - iotjs <not-affected> (Vulnerable code introduced later) + NOTE: https://github.com/jerryscript-project/jerryscript/pull/4961 + NOTE: https://github.com/jerryscript-project/jerryscript/issues/4941 +CVE-2021-46347 (There is an Assertion 'ecma_object_check_class_name_is_object (obj_p)' ...) + - iotjs <not-affected> (Vulnerable code not yet introduced) + NOTE: https://github.com/jerryscript-project/jerryscript/pull/4954 + NOTE: https://github.com/jerryscript-project/jerryscript/issues/4938 +CVE-2021-46346 (There is an Assertion 'local_tza == ecma_date_local_time_zone_adjustme ...) + - iotjs <unfixed> (bug #1004288) + [bullseye] - iotjs <no-dsa> (Minor issue) + [buster] - iotjs <no-dsa> (Minor issue) + NOTE: https://github.com/jerryscript-project/jerryscript/pull/4955 + NOTE: https://github.com/jerryscript-project/jerryscript/issues/4939 +CVE-2021-46345 (There is an Assertion 'cesu8_cursor_p == cesu8_end_p' failed at /jerry ...) + - iotjs <not-affected> (Vulnerable code not yet introduced) + NOTE: https://github.com/jerryscript-project/jerryscript/pull/4946 + NOTE: https://github.com/jerryscript-project/jerryscript/issues/4920 +CVE-2021-46344 (There is an Assertion 'flags & PARSER_PATTERN_HAS_REST_ELEMENT' fa ...) + - iotjs <not-affected> (Vulnerable code not yet introduced) + NOTE: https://github.com/jerryscript-project/jerryscript/pull/4950 + NOTE: https://github.com/jerryscript-project/jerryscript/issues/4928 +CVE-2021-46343 (There is an Assertion 'context_p->token.type == LEXER_LITERAL' fail ...) + - iotjs <not-affected> (Vulnerable code not yet introduced) + NOTE: https://github.com/jerryscript-project/jerryscript/pull/4947 + NOTE: https://github.com/jerryscript-project/jerryscript/issues/4921 +CVE-2021-46342 (There is an Assertion 'ecma_is_lexical_environment (obj_p) || !ecma_op ...) + - iotjs <not-affected> (Vulnerable code not yet introduced) + NOTE: https://github.com/jerryscript-project/jerryscript/pull/4952 + NOTE: https://github.com/jerryscript-project/jerryscript/issues/4934 +CVE-2021-46341 + RESERVED +CVE-2021-46340 (There is an Assertion 'context_p->stack_top_uint8 == SCAN_STACK_TRY ...) + - iotjs <unfixed> (bug #1004288) + [bullseye] - iotjs <no-dsa> (Minor issue) + [buster] - iotjs <not-affected> (Vulnerable code introduced later) + NOTE: https://github.com/jerryscript-project/jerryscript/pull/4964 + NOTE: https://github.com/jerryscript-project/jerryscript/issues/4924 +CVE-2021-46339 (There is an Assertion 'lit_is_valid_cesu8_string (string_p, string_siz ...) + - iotjs <undetermined> + NOTE: https://github.com/jerryscript-project/jerryscript/issues/4935 +CVE-2021-46338 (There is an Assertion 'ecma_is_lexical_environment (object_p)' failed ...) + - iotjs <unfixed> (bug #1004288) + [bullseye] - iotjs <no-dsa> (Minor issue) + [buster] - iotjs <no-dsa> (Minor issue) + NOTE: https://github.com/jerryscript-project/jerryscript/pull/4943 + NOTE: https://github.com/jerryscript-project/jerryscript/issues/4933 + NOTE: https://github.com/jerryscript-project/jerryscript/issues/4900 +CVE-2021-46337 (There is an Assertion 'page_p != NULL' failed at /parser/js/js-parser- ...) + - iotjs <not-affected> (Vulnerable code not yet introduced) + NOTE: https://github.com/jerryscript-project/jerryscript/pull/4951 + NOTE: https://github.com/jerryscript-project/jerryscript/issues/4930 +CVE-2021-46336 (There is an Assertion 'opts & PARSER_CLASS_LITERAL_CTOR_PRESENT' f ...) + - iotjs <not-affected> (Vulnerable code not yet introduced) + NOTE: https://github.com/jerryscript-project/jerryscript/pull/4949 + NOTE: https://github.com/jerryscript-project/jerryscript/issues/4927 +CVE-2021-46335 (Moddable SDK v11.5.0 was discovered to contain a NULL pointer derefere ...) + NOT-FOR-US: Moddable SDK +CVE-2021-46334 (Moddable SDK v11.5.0 was discovered to contain a stack buffer overflow ...) + NOT-FOR-US: Moddable SDK +CVE-2021-46333 (Moddable SDK v11.5.0 was discovered to contain an invalid memory acces ...) + NOT-FOR-US: Moddable SDK +CVE-2021-46332 (Moddable SDK v11.5.0 was discovered to contain a heap-buffer-overflow ...) + NOT-FOR-US: Moddable SDK +CVE-2021-46331 (Moddable SDK v11.5.0 was discovered to contain a SEGV vulnerability vi ...) + NOT-FOR-US: Moddable SDK +CVE-2021-46330 (Moddable SDK v11.5.0 was discovered to contain a SEGV vulnerability vi ...) + NOT-FOR-US: Moddable SDK +CVE-2021-46329 (Moddable SDK v11.5.0 was discovered to contain a SEGV vulnerability vi ...) + NOT-FOR-US: Moddable SDK +CVE-2021-46328 (Moddable SDK v11.5.0 was discovered to contain a heap-buffer-overflow ...) + NOT-FOR-US: Moddable SDK +CVE-2021-46327 (Moddable SDK v11.5.0 was discovered to contain a SEGV vulnerability vi ...) + NOT-FOR-US: Moddable SDK +CVE-2021-46326 (Moddable SDK v11.5.0 was discovered to contain a heap-buffer-overflow ...) + NOT-FOR-US: Moddable SDK +CVE-2021-46325 (Espruino 2v10.246 was discovered to contain a stack buffer overflow vi ...) + NOT-FOR-US: Espruino +CVE-2021-46324 (Espruino 2v11.251 was discovered to contain a stack buffer overflow vi ...) + NOT-FOR-US: Espruino +CVE-2021-46323 (Espruino 2v11.251 was discovered to contain a SEGV vulnerability via s ...) + NOT-FOR-US: Espruino +CVE-2021-46322 (Duktape v2.99.99 was discovered to contain a SEGV vulnerability via th ...) + NOT-FOR-US: Duktape +CVE-2021-46321 (Tenda AC Series Router AC11_V02.03.01.104_CN was discovered to contain ...) + NOT-FOR-US: Tenda +CVE-2021-46320 (In OpenZeppelin <=v4.4.0, initializer functions that are invoked se ...) + NOT-FOR-US: OpenZeppelin +CVE-2021-46319 (Remote Code Execution (RCE) vulnerability exists in D-Link Router DIR- ...) + NOT-FOR-US: Dlink DIR-846 Router +CVE-2021-46318 + RESERVED +CVE-2021-46317 + RESERVED +CVE-2021-46316 + RESERVED +CVE-2021-46315 (Remote Command Execution (RCE) vulnerability exists in HNAP1/control/S ...) + NOT-FOR-US: D-Link +CVE-2021-46314 (A Remote Command Execution (RCE) vulnerability exists in HNAP1/control ...) + NOT-FOR-US: D-Link +CVE-2021-46313 (The binary MP4Box in GPAC v1.0.1 was discovered to contain a segmentat ...) + - gpac <unfixed> + [bullseye] - gpac <ignored> (Minor issue) + [buster] - gpac <ignored> (Minor issue) + NOTE: https://github.com/gpac/gpac/issues/2039 + NOTE: https://github.com/gpac/gpac/commit/ee969d3c4c425ecb25999eb68ada616925b58eba +CVE-2021-46312 + RESERVED +CVE-2021-46311 (A NULL pointer dereference vulnerability exists in GPAC v1.1.0 via the ...) + - gpac <unfixed> + [bullseye] - gpac <ignored> (Minor issue) + [buster] - gpac <ignored> (Minor issue) + NOTE: https://github.com/gpac/gpac/issues/2038 + NOTE: https://github.com/gpac/gpac/commit/ad19e0c4504a89ca273442b1b1483ae7adfb9491 +CVE-2021-46310 + RESERVED +CVE-2021-46309 (An SQL Injection vulnerability exists in Sourcecodester Employee and V ...) + NOT-FOR-US: Sourcecodester +CVE-2021-46308 (An SQL Injection vulnerability exists in Sourcecodester Online Railway ...) + NOT-FOR-US: Sourcecodester +CVE-2021-46307 (An SQL Injection vulnerability exists in Projectworlds Online Examinat ...) + NOT-FOR-US: Projectworlds Online Examination System +CVE-2021-46306 + RESERVED +CVE-2021-46305 + RESERVED +CVE-2021-46304 + RESERVED +CVE-2021-46303 + RESERVED +CVE-2021-46302 + RESERVED +CVE-2021-46301 + RESERVED +CVE-2021-46300 + RESERVED +CVE-2021-46299 + RESERVED +CVE-2021-46298 + RESERVED +CVE-2021-46297 + RESERVED +CVE-2021-46296 + RESERVED +CVE-2021-46295 + RESERVED +CVE-2021-46294 + RESERVED +CVE-2021-46293 + RESERVED +CVE-2021-46292 + RESERVED +CVE-2021-46291 + RESERVED +CVE-2021-46290 + RESERVED +CVE-2021-46289 + RESERVED +CVE-2021-46288 + RESERVED +CVE-2021-46287 + RESERVED +CVE-2021-46286 + RESERVED +CVE-2021-46285 + RESERVED +CVE-2021-46284 + RESERVED +CVE-2021-45729 (The Privilege Escalation vulnerability discovered in the WP Google Map ...) + NOT-FOR-US: WordPress plugin +CVE-2021-44779 (Unauthenticated SQL Injection (SQLi) vulnerability discovered in [GWA] ...) + NOT-FOR-US: WordPress plugin +CVE-2021-44777 (Cross-Site Request Forgery (CSRF) vulnerabilities leading to single or ...) + NOT-FOR-US: WordPress plugin +CVE-2021-44760 + RESERVED +CVE-2021-4207 + RESERVED +CVE-2021-4206 + RESERVED +CVE-2021-4205 + RESERVED +CVE-2021-31567 (Authenticated (admin+) Arbitrary File Download vulnerability discovere ...) + NOT-FOR-US: WordPress plugin +CVE-2021-26256 (Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability discov ...) + NOT-FOR-US: WordPress plugin +CVE-2021-23227 (Cross-Site Request Forgery (CSRF) vulnerability discovered in PHP Ever ...) + NOT-FOR-US: WordPress plugin +CVE-2021-23209 + RESERVED +CVE-2021-23174 (Authenticated (admin+) Persistent Cross-Site Scripting (XSS) vulnerabi ...) + NOT-FOR-US: WordPress plugin +CVE-2021-23150 + RESERVED +CVE-2021-46283 (nf_tables_newset in net/netfilter/nf_tables_api.c in the Linux kernel ...) + - linux 5.14.6-1 + [bullseye] - linux 5.10.70-1 + [buster] - linux <not-affected> (Vulnerable code not present) + [stretch] - linux <not-affected> (Vulnerable code not present) + NOTE: https://git.kernel.org/linus/ad9f151e560b016b6ad3280b48e42fa11e1a5440 (5.13-rc7) +CVE-2021-4204 [eBPF Improper Input Validation Vulnerability] + RESERVED + - linux <unfixed> + [buster] - linux <not-affected> (Vulnerable code introduced later) + [stretch] - linux <not-affected> (Vulnerable code introduced later) + NOTE: https://www.openwall.com/lists/oss-security/2022/01/11/4 +CVE-2021-46269 + RESERVED +CVE-2021-46268 + RESERVED +CVE-2021-46267 + RESERVED +CVE-2021-46266 + RESERVED +CVE-2021-46265 (Tenda AC Series Router AC11_V02.03.01.104_CN was discovered to contain ...) + NOT-FOR-US: Tenda +CVE-2021-46264 (Tenda AC Series Router AC11_V02.03.01.104_CN was discovered to contain ...) + NOT-FOR-US: Tenda +CVE-2021-46263 (Tenda AC Series Router AC11_V02.03.01.104_CN was discovered to contain ...) + NOT-FOR-US: Tenda +CVE-2021-46262 (Tenda AC Series Router AC11_V02.03.01.104_CN was discovered to contain ...) + NOT-FOR-US: Tenda +CVE-2021-46261 + RESERVED +CVE-2021-46260 + RESERVED +CVE-2021-46259 + RESERVED +CVE-2021-46258 + RESERVED +CVE-2021-46257 + RESERVED +CVE-2021-46256 + RESERVED +CVE-2021-46255 (eyouCMS V1.5.5-UTF8-SP3_1 suffers from Arbitrary file deletion due to ...) + NOT-FOR-US: eyouCMS +CVE-2021-46254 + RESERVED +CVE-2021-46253 (A cross-site scripting (XSS) vulnerability in the Create Post function ...) + NOT-FOR-US: Anchor CMS +CVE-2021-46252 (A Cross-Site Request Forgery (CSRF) in RequirementsBypassPage.php of S ...) + NOT-FOR-US: scratch-confirmaccount-v3 +CVE-2021-46251 (A reflected cross-site scripting (XSS) in ScratchOAuth2 before commit ...) + NOT-FOR-US: ScratchOAuth2 +CVE-2021-46250 (An issue in SOA2Login::commented of ScratchOAuth2 before commit a91879 ...) + NOT-FOR-US: ScratchOAuth2 +CVE-2021-46249 (An authorization bypass exploited by a user-controlled key in Specific ...) + NOT-FOR-US: ScratchOAuth2 +CVE-2021-46248 + RESERVED +CVE-2021-46247 (The use of a hard-coded cryptographic key significantly increases the ...) + NOT-FOR-US: ASUS +CVE-2021-46246 + RESERVED +CVE-2021-46245 + RESERVED +CVE-2021-46244 (A Divide By Zero vulnerability exists in HDF5 v1.13.1-1 vis the functi ...) + - hdf5 <undetermined> + NOTE: https://github.com/HDFGroup/hdf5/issues/1327 + NOTE: https://github.com/advisories/GHSA-vrxh-5gxg-rmhm +CVE-2021-46243 (An untrusted pointer dereference vulnerability exists in HDF5 v1.13.1- ...) + - hdf5 <undetermined> + NOTE: https://github.com/HDFGroup/hdf5/issues/1326 + NOTE: https://github.com/advisories/GHSA-2rqw-mg55-mp69 +CVE-2021-46242 (HDF5 v1.13.1-1 was discovered to contain a heap-use-after free via the ...) + - hdf5 <undetermined> + NOTE: https://github.com/HDFGroup/hdf5/issues/1329 + NOTE: https://github.com/advisories/GHSA-x9pw-hh7v-wjpf +CVE-2021-46241 + RESERVED +CVE-2021-46240 (A NULL pointer dereference vulnerability exists in GPAC v1.1.0 via the ...) + - gpac <unfixed> + [bullseye] - gpac <ignored> (Minor issue) + [buster] - gpac <ignored> (Minor issue) + NOTE: https://github.com/gpac/gpac/issues/2028 + NOTE: https://github.com/gpac/gpac/commit/31eb879ea67b3a6ff67d3211f4c6b83369d4898d +CVE-2021-46239 (The binary MP4Box in GPAC v1.1.0 was discovered to contain an invalid ...) + - gpac <unfixed> + [bullseye] - gpac <ignored> (Minor issue) + [buster] - gpac <ignored> (Minor issue) + NOTE: https://github.com/gpac/gpac/issues/2026 + NOTE: https://github.com/gpac/gpac/commit/4e1215758fa89455e8de1262df36f11740bb1bc4 +CVE-2021-46238 (GPAC v1.1.0 was discovered to contain a stack overflow via the functio ...) + - gpac <unfixed> + [bullseye] - gpac <ignored> (Minor issue) + [buster] - gpac <ignored> (Minor issue) + NOTE: https://github.com/gpac/gpac/issues/2027 + NOTE: https://github.com/gpac/gpac/commit/4b9736ab8c9274db5858e5bf9fe0470bc3e7b6cf +CVE-2021-46237 (An untrusted pointer dereference vulnerability exists in GPAC v1.1.0 v ...) + - gpac <unfixed> + [bullseye] - gpac <ignored> (Minor issue) + [buster] - gpac <ignored> (Minor issue) + NOTE: https://github.com/gpac/gpac/issues/2033 + NOTE: https://github.com/gpac/gpac/commit/3cc122ad664a2355cce9784f50b59c6272d43f00 +CVE-2021-46236 (A NULL pointer dereference vulnerability exists in GPAC v1.1.0 via the ...) + - gpac <unfixed> + [bullseye] - gpac <ignored> (Minor issue) + [buster] - gpac <ignored> (Minor issue) + NOTE: https://github.com/gpac/gpac/issues/2024 + NOTE: https://github.com/gpac/gpac/commit/6a5effb57153cb05e72f6e9bd72afefc334a673d +CVE-2021-46235 + RESERVED +CVE-2021-46234 (A NULL pointer dereference vulnerability exists in GPAC v1.1.0 via the ...) + - gpac <unfixed> + [bullseye] - gpac <ignored> (Minor issue) + [buster] - gpac <ignored> (Minor issue) + NOTE: https://github.com/gpac/gpac/issues/2023 + NOTE: https://github.com/gpac/gpac/commit/70c6f6f832dccff814a19a74d87b97b3d68a4af5 +CVE-2021-46233 (D-Link device DI-7200GV2.E1 v21.04.09E1 was discovered to contain a co ...) + NOT-FOR-US: D-Link +CVE-2021-46232 (D-Link device DI-7200GV2.E1 v21.04.09E1 was discovered to contain a co ...) + NOT-FOR-US: D-Link +CVE-2021-46231 (D-Link device DI-7200GV2.E1 v21.04.09E1 was discovered to contain a co ...) + NOT-FOR-US: D-Link +CVE-2021-46230 (D-Link device DI-7200GV2.E1 v21.04.09E1 was discovered to contain a co ...) + NOT-FOR-US: D-Link +CVE-2021-46229 (D-Link device DI-7200GV2.E1 v21.04.09E1 was discovered to contain a co ...) + NOT-FOR-US: D-Link +CVE-2021-46228 (D-Link device DI-7200GV2.E1 v21.04.09E1 was discovered to contain a co ...) + NOT-FOR-US: D-Link +CVE-2021-46227 (D-Link device DI-7200GV2.E1 v21.04.09E1 was discovered to contain a co ...) + NOT-FOR-US: D-Link +CVE-2021-46226 (D-Link device DI-7200GV2.E1 v21.04.09E1 was discovered to contain a co ...) + NOT-FOR-US: D-Link +CVE-2021-46225 (A buffer overflow in the GmfOpenMesh() function of libMeshb v7.61 allo ...) + NOT-FOR-US: libMeshb +CVE-2021-46224 + RESERVED +CVE-2021-46223 + RESERVED +CVE-2021-46222 + RESERVED +CVE-2021-46221 + RESERVED +CVE-2021-46220 + RESERVED +CVE-2021-46219 + RESERVED +CVE-2021-46218 + RESERVED +CVE-2021-46217 + RESERVED +CVE-2021-46216 + RESERVED +CVE-2021-46215 + RESERVED +CVE-2021-46214 + RESERVED +CVE-2021-46213 + RESERVED +CVE-2021-46212 + RESERVED +CVE-2021-46211 + RESERVED +CVE-2021-46210 + RESERVED +CVE-2021-46209 + RESERVED +CVE-2021-46208 + RESERVED +CVE-2021-46207 + RESERVED +CVE-2021-46206 + RESERVED +CVE-2021-46205 + RESERVED +CVE-2021-46204 (Taocms v3.0.2 was discovered to contain an arbitrary file read vulnera ...) + NOT-FOR-US: taocms +CVE-2021-46203 (Taocms v3.0.2 was discovered to contain an arbitrary file read vulnera ...) + NOT-FOR-US: taocms +CVE-2021-46202 + RESERVED +CVE-2021-46201 (An SQL Injection vulnerability exists in Sourcecodester Online Resort ...) + NOT-FOR-US: Sourcecodester Online Resort Management System +CVE-2021-46200 (An SQL Injection vulnerability exists in Sourcecodester Simple Music C ...) + NOT-FOR-US: Sourcecodester +CVE-2021-46199 + RESERVED +CVE-2021-46198 (An SQL Injection vulnerability exists in Sourceodester Courier Managem ...) + NOT-FOR-US: Sourcecodester +CVE-2021-46197 + RESERVED +CVE-2021-46196 + RESERVED +CVE-2021-46195 (GCC v12.0 was discovered to contain an uncontrolled recursion via the ...) + - binutils <unfixed> (unimportant) + NOTE: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103841 + NOTE: binutils not covered by security support +CVE-2021-46194 + RESERVED +CVE-2021-46193 + RESERVED +CVE-2021-46192 + RESERVED +CVE-2021-46191 + RESERVED +CVE-2021-46190 + RESERVED +CVE-2021-46189 + RESERVED +CVE-2021-46188 + RESERVED +CVE-2021-46187 + RESERVED +CVE-2021-46186 + RESERVED +CVE-2021-46185 + RESERVED +CVE-2021-46184 + RESERVED +CVE-2021-46183 + RESERVED +CVE-2021-46182 + RESERVED +CVE-2021-46181 + RESERVED +CVE-2021-46180 + RESERVED +CVE-2021-46179 + RESERVED +CVE-2021-46178 + RESERVED +CVE-2021-46177 + RESERVED +CVE-2021-46176 + RESERVED +CVE-2021-46175 + RESERVED +CVE-2021-46174 + RESERVED +CVE-2021-46173 + RESERVED +CVE-2021-46172 + RESERVED +CVE-2021-46171 (Modex v2.11 was discovered to contain a NULL pointer dereference in se ...) + NOT-FOR-US: Modex +CVE-2021-46170 (An issue was discovered in JerryScript commit a6ab5e9. There is an Use ...) + - iotjs <unfixed> + [bullseye] - iotjs <no-dsa> (Minor issue) + [buster] - iotjs <no-dsa> (Minor issue) + NOTE: https://github.com/jerryscript-project/jerryscript/issues/4917 + NOTE: https://github.com/jerryscript-project/jerryscript/pull/4942/commits/5e1fdd1d1e75105b43392b4bb3996099cdc50f3d +CVE-2021-46169 (Modex v2.11 was discovered to contain an Use-After-Free vulnerability ...) + NOT-FOR-US: Modex +CVE-2021-46168 (Spin v6.5.1 was discovered to contain an out-of-bounds write in lex() ...) + NOT-FOR-US: Spin +CVE-2021-46167 + RESERVED +CVE-2021-44458 (Linux users running Lens 5.2.6 and earlier could be compromised by vis ...) + NOT-FOR-US: Lens +CVE-2021-4203 [af_unix: fix races in sk_peer_pid and sk_peer_cred accesses] + RESERVED + - linux 5.14.12-1 + [bullseye] - linux 5.10.84-1 + [stretch] - linux 4.9.290-1 + NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=2230 + NOTE: https://git.kernel.org/linus/35306eb23814444bd4021f8a1c3047d3cb0c8b2b (5.15-rc4) +CVE-2021-4202 + RESERVED + - linux 5.15.5-1 (unimportant) + [bullseye] - linux 5.10.84-1 + NOTE: CONFIG_NFC_NCI not enabled in Debian +CVE-2021-23218 (When running with FIPS mode enabled, Mirantis Container Runtime 20.10. ...) + NOT-FOR-US: Mirantis Container Runtime +CVE-2021-23154 (In Lens prior to 5.3.4, custom helm chart configuration creates helm c ...) + NOT-FOR-US: Lens +CVE-2021-46166 (Zoho ManageEngine Desktop Central before 10.0.662 allows authenticated ...) + NOT-FOR-US: Zoho ManageEngine +CVE-2021-46165 (Zoho ManageEngine Desktop Central before 10.0.662, during startup, lau ...) + NOT-FOR-US: Zoho ManageEngine +CVE-2021-46164 (Zoho ManageEngine Desktop Central before 10.0.662 allows remote code e ...) + NOT-FOR-US: Zoho ManageEngine +CVE-2021-46163 (Kentico Xperience 13.0.44 allows XSS via an XML document to the Media ...) + NOT-FOR-US: Kentico Xperience CMS +CVE-2021-46162 + RESERVED +CVE-2021-46161 (A vulnerability has been identified in Simcenter Femap V2020.2 (All ve ...) + NOT-FOR-US: Siemens +CVE-2021-46160 (A vulnerability has been identified in Simcenter Femap V2020.2 (All ve ...) + NOT-FOR-US: Siemens +CVE-2021-46159 (A vulnerability has been identified in Simcenter Femap V2020.2 (All ve ...) + NOT-FOR-US: Siemens +CVE-2021-46158 (A vulnerability has been identified in Simcenter Femap V2020.2 (All ve ...) + NOT-FOR-US: Siemens +CVE-2021-46157 (A vulnerability has been identified in Simcenter Femap V2020.2 (All ve ...) + NOT-FOR-US: Siemens +CVE-2021-46156 (A vulnerability has been identified in Simcenter Femap V2020.2 (All ve ...) + NOT-FOR-US: Siemens +CVE-2021-46155 (A vulnerability has been identified in Simcenter Femap V2020.2 (All ve ...) + NOT-FOR-US: Siemens +CVE-2021-46154 (A vulnerability has been identified in Simcenter Femap V2020.2 (All ve ...) + NOT-FOR-US: Siemens +CVE-2021-46153 (A vulnerability has been identified in Simcenter Femap V2020.2 (All ve ...) + NOT-FOR-US: Siemens +CVE-2021-46152 (A vulnerability has been identified in Simcenter Femap V2020.2 (All ve ...) + NOT-FOR-US: Siemens +CVE-2021-46151 (A vulnerability has been identified in Simcenter Femap V2020.2 (All ve ...) + NOT-FOR-US: Siemens +CVE-2021-46150 (An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36 ...) + NOT-FOR-US: MediaWiki extension CheckUser +CVE-2021-46149 (An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36 ...) + NOT-FOR-US: MediaWiki extension UniversalLanguageSelector +CVE-2021-46148 (An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36 ...) + NOT-FOR-US: MediaWiki extension SecurePoll +CVE-2021-46147 (An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36 ...) + NOT-FOR-US: MediaWiki extension MassEditRegex +CVE-2021-46146 (An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36 ...) + NOT-FOR-US: MediaWiki extension WikiBaseMediainfo +CVE-2021-4201 (Missing access control in ForgeRock Access Management 7.1.0 and earlie ...) + NOT-FOR-US: ForgeRock +CVE-2021-46145 (The keyfob subsystem in Honda Civic 2012 vehicles allows a replay atta ...) + NOT-FOR-US: keyfob subsystem in Honda Civic 2012 vehicles +CVE-2021-46143 (In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an int ...) + {DSA-5073-1 DLA-2904-1} + - expat 2.4.3-1 + NOTE: https://github.com/libexpat/libexpat/issues/532 + NOTE: https://github.com/libexpat/libexpat/pull/538 + NOTE: https://github.com/libexpat/libexpat/commit/85ae9a2d7d0e9358f356b33977b842df8ebaec2b (R_2_4_3) +CVE-2021-46142 (An issue was discovered in uriparser before 0.9.6. It performs invalid ...) + {DSA-5063-1 DLA-2883-1} + - uriparser 0.9.6+dfsg-1 + NOTE: https://github.com/uriparser/uriparser/issues/122 + NOTE: https://github.com/uriparser/uriparser/commit/c0483990e6b5b454f7c8752b36760cfcb0d093f5 (uriparser-0.9.6) + NOTE: https://github.com/uriparser/uriparser/pull/124 +CVE-2021-46141 (An issue was discovered in uriparser before 0.9.6. It performs invalid ...) + {DSA-5063-1 DLA-2883-2 DLA-2883-1} + - uriparser 0.9.6+dfsg-1 + NOTE: https://github.com/uriparser/uriparser/issues/121 + NOTE: https://github.com/uriparser/uriparser/commit/987b046e41f407d17c622e580fc82a5e834b4329 (uriparser-0.9.6) + NOTE: https://github.com/uriparser/uriparser/commit/b1a34743bc1472e055d886e29e9b53f670eb3282 (uriparser-0.9.6) + NOTE: https://github.com/uriparser/uriparser/pull/124 +CVE-2021-4200 + RESERVED +CVE-2021-46140 + RESERVED +CVE-2021-46139 + RESERVED +CVE-2021-46138 + RESERVED +CVE-2021-46137 + RESERVED +CVE-2021-46136 + RESERVED +CVE-2021-46135 + RESERVED +CVE-2021-46134 + RESERVED +CVE-2021-46133 + RESERVED +CVE-2021-46132 + RESERVED +CVE-2021-46131 + RESERVED +CVE-2021-45722 + RESERVED +CVE-2021-45110 + RESERVED +CVE-2021-45073 + RESERVED +CVE-2021-44778 + RESERVED +CVE-2021-44468 + RESERVED +CVE-2021-44456 + RESERVED +CVE-2021-44452 + RESERVED +CVE-2021-43352 + RESERVED +CVE-2021-4199 + RESERVED +CVE-2021-4198 + RESERVED +CVE-2021-31564 + RESERVED +CVE-2021-23229 + RESERVED +CVE-2021-46130 + RESERVED +CVE-2021-46129 + RESERVED +CVE-2021-46128 + RESERVED +CVE-2021-46127 + RESERVED +CVE-2021-46126 + RESERVED +CVE-2021-46125 + RESERVED +CVE-2021-46124 + RESERVED +CVE-2021-46123 + RESERVED +CVE-2021-46122 + RESERVED +CVE-2021-46121 + RESERVED +CVE-2021-46120 + RESERVED +CVE-2021-46119 + RESERVED +CVE-2021-46118 (jpress 4.2.0 is vulnerable to remote code execution via io.jpress.modu ...) + NOT-FOR-US: jpress +CVE-2021-46117 (jpress 4.2.0 is vulnerable to remote code execution via io.jpress.modu ...) + NOT-FOR-US: jpress +CVE-2021-46116 (jpress 4.2.0 is vulnerable to remote code execution via io.jpress.web. ...) + NOT-FOR-US: jpress +CVE-2021-46115 (jpress 4.2.0 is vulnerable to RCE via io.jpress.web.admin._TemplateCon ...) + NOT-FOR-US: jpress +CVE-2021-46114 (jpress v 4.2.0 is vulnerable to RCE via io.jpress.module.product.Produ ...) + NOT-FOR-US: jpress +CVE-2021-46113 (In MartDevelopers KEA-Hotel-ERP open source as of 12-31-2021, a remote ...) + NOT-FOR-US: MartDevelopers KEA-Hotel-ERP open source +CVE-2021-46112 + RESERVED +CVE-2021-46111 + RESERVED +CVE-2021-46110 (Online Shopping Portal v3.1 was discovered to contain multiple time-ba ...) + NOT-FOR-US: Online Shopping Portal +CVE-2021-46109 (Invalid input sanitizing leads to reflected Cross Site Scripting (XSS) ...) + NOT-FOR-US: ASUS +CVE-2021-46108 (D-Link DSL-2730E CT-20131125 devices allow XSS via the username parame ...) + NOT-FOR-US: D-Link +CVE-2021-46107 + RESERVED +CVE-2021-46106 + RESERVED +CVE-2021-46105 + RESERVED +CVE-2021-46104 (An issue was discovered in webp_server_go 0.4.0. There is a directory ...) + NOT-FOR-US: webp_server_go +CVE-2021-46103 + RESERVED +CVE-2021-46102 (From version 0.2.14 to 0.2.16 for Solana rBPF, function "relocate" in ...) + NOT-FOR-US: Solana rBBP +CVE-2021-46101 (In Git for windows through 2.34.1 when using git pull to update the lo ...) + NOT-FOR-US: Git for Windows +CVE-2021-46100 + RESERVED +CVE-2021-46099 + RESERVED +CVE-2021-46098 + RESERVED +CVE-2021-46097 (Dolphinphp v1.5.0 contains a remote code execution vulnerability in /a ...) + NOT-FOR-US: Dolphinphp +CVE-2021-46096 + RESERVED +CVE-2021-46095 + RESERVED +CVE-2021-46094 + RESERVED +CVE-2021-46093 (eliteCMS v1.0 is vulnerable to Insecure Permissions via manage_uploads ...) + NOT-FOR-US: eliteCMS +CVE-2021-46092 + RESERVED +CVE-2021-46091 + RESERVED +CVE-2021-46090 + RESERVED +CVE-2021-46089 (In JeecgBoot 3.0, there is a SQL injection vulnerability that can oper ...) + NOT-FOR-US: JeecgBoot +CVE-2021-46088 (Zabbix 4.0 LTS, 4.2, 4.4, and 5.0 LTS is vulnerable to Remote Code Exe ...) + - zabbix <undetermined> + NOTE: closed upstream as a "feature", then changed in 5.4 to make the attack less likely + NOTE: https://github.com/paalbra/zabbix-zbxsec-7 + NOTE: https://www.zabbix.com/documentation/3.0/en/manual/config/notifications/action/operation/remote_command + NOTE: https://www.zabbix.com/documentation/current/en/manual/config/notifications/action/operation/remote_command#access-permissions +CVE-2021-46087 (In jfinal_cms >= 5.1 0, there is a storage XSS vulnerability in the ...) + NOT-FOR-US: jfinal_cms +CVE-2021-46086 (xzs-mysql >= t3.4.0 is vulnerable to Insecure Permissions. The fron ...) + NOT-FOR-US: xzs-mysql +CVE-2021-46085 (OneBlog <= 2.2.8 is vulnerable to Insecure Permissions. Low level a ...) + NOT-FOR-US: OneBlog +CVE-2021-46084 (uscat, as of 2021-12-28, is vulnerable to Cross Site Scripting (XSS) v ...) + NOT-FOR-US: uscat +CVE-2021-46083 (uscat, as of 2021-12-28, is vulnerable to Cross Site Scripting (XSS) v ...) + NOT-FOR-US: uscat +CVE-2021-46082 (Moxa TN-5900 v3.1 series routers, MGate 5109 v2.2 series protocol gate ...) + NOT-FOR-US: Moxa +CVE-2021-46081 + RESERVED +CVE-2021-46080 (A Cross Site Request Forgery (CSRF) vulnerability exists in Vehicle Se ...) + NOT-FOR-US: Sourcecodester Vehicle Service Management System +CVE-2021-46079 (An Unrestricted File Upload vulnerability exists in Sourcecodester Veh ...) + NOT-FOR-US: Sourcecodester Vehicle Service Management System +CVE-2021-46078 (An Unrestricted File Upload vulnerability exists in Sourcecodester Veh ...) + NOT-FOR-US: Sourcecodester Vehicle Service Management System +CVE-2021-46077 + RESERVED +CVE-2021-46076 (Sourcecodester Vehicle Service Management System 1.0 is vulnerable to ...) + NOT-FOR-US: Sourcecodester Vehicle Service Management System +CVE-2021-46075 (A Privilege Escalation vulnerability exists in Sourcecodester Vehicle ...) + NOT-FOR-US: Sourcecodester Vehicle Service Management System +CVE-2021-46074 (A Stored Cross Site Scripting (XSS) vulnerability exists in Sourcecode ...) + NOT-FOR-US: Sourcecodester Vehicle Service Management System +CVE-2021-46073 (A Stored Cross Site Scripting (XSS) vulnerability exists in Sourcecode ...) + NOT-FOR-US: Sourcecodester Vehicle Service Management System +CVE-2021-46072 (A Stored Cross Site Scripting (XSS) vulnerability exists in Vehicle Se ...) + NOT-FOR-US: Sourcecodester Vehicle Service Management System +CVE-2021-46071 (A Stored Cross Site Scripting (XSS) vulnerability exists in Vehicle Se ...) + NOT-FOR-US: Sourcecodester Vehicle Service Management System +CVE-2021-46070 (A Stored Cross Site Scripting (XSS) vulnerability exists in Vehicle Se ...) + NOT-FOR-US: Sourcecodester Vehicle Service Management System +CVE-2021-46069 (A Stored Cross Site Scripting (XSS) vulnerability exists in Vehicle Se ...) + NOT-FOR-US: Sourcecodester Vehicle Service Management System +CVE-2021-46068 (A Stored Cross Site Scripting (XSS) vulnerability exists in Vehicle Se ...) + NOT-FOR-US: Sourcecodester Vehicle Service Management System +CVE-2021-46067 (In Vehicle Service Management System 1.0 an attacker can steal the coo ...) + NOT-FOR-US: Sourcecodester Vehicle Service Management System +CVE-2021-46066 + RESERVED +CVE-2021-46065 (A Cross-site scripting (XSS) vulnerability in Secondary Email Field in ...) + NOT-FOR-US: Zoho ManageEngine +CVE-2021-46064 + RESERVED +CVE-2021-46063 (MCMS v5.2.5 was discovered to contain a Server Side Template Injection ...) + NOT-FOR-US: MCMS +CVE-2021-46062 (MCMS v5.2.5 was discovered to contain an arbitrary file deletion vulne ...) + NOT-FOR-US: MCMS +CVE-2021-46061 (An SQL Injection vulnerability exists in Sourcecodester Computer and M ...) + NOT-FOR-US: Sourcecodester +CVE-2021-46060 + REJECTED +CVE-2021-46059 + REJECTED +CVE-2021-46058 + REJECTED +CVE-2021-46057 + RESERVED +CVE-2021-46056 + RESERVED +CVE-2021-46055 (A Denial of Service vulnerability exists in Binaryen 104 due to an ass ...) + - binaryen <unfixed> (unimportant) + NOTE: https://github.com/WebAssembly/binaryen/issues/4413 + NOTE: Crash in CLI tool, no security impact +CVE-2021-46054 (A Denial of Service vulnerability exists in Binaryen 104 due to an ass ...) + - binaryen <unfixed> (unimportant) + NOTE: https://github.com/WebAssembly/binaryen/issues/4410 + NOTE: Crash in CLI tool, no security impact +CVE-2021-46053 (A Denial of Service vulnerability exists in Binaryen 103. The program ...) + - binaryen <unfixed> (unimportant) + NOTE: https://github.com/WebAssembly/binaryen/issues/4392 + NOTE: Crash in CLI tool, no security impact +CVE-2021-46052 (A Denial of Service vulnerability exists in Binaryen 104 due to an ass ...) + - binaryen <unfixed> (unimportant) + NOTE: https://github.com/WebAssembly/binaryen/issues/4411 + NOTE: Crash in CLI tool, no security impact +CVE-2021-46051 (A Pointer Dereference Vulnerability exists in GPAC 1.0.1 via the Media ...) + - gpac <unfixed> + [bullseye] - gpac <no-dsa> (Minor issue) + [buster] - gpac <no-dsa> (Minor issue) + NOTE: https://github.com/gpac/gpac/issues/2011 + NOTE: https://github.com/gpac/gpac/commit/f5a778edd1febd574ff9558d2faa57133bdb4a5f +CVE-2021-46050 (A Stack Overflow vulnerability exists in Binaryen 103 via the printf_c ...) + - binaryen <unfixed> (unimportant) + NOTE: https://github.com/WebAssembly/binaryen/issues/4391 + NOTE: Crash in CLI tool, no security impact +CVE-2021-46049 (A Pointer Dereference Vulnerability exists in GPAC 1.0.1 via the gf_fi ...) + - gpac <unfixed> + [bullseye] - gpac <no-dsa> (Minor issue) + [buster] - gpac <no-dsa> (Minor issue) + NOTE: https://github.com/gpac/gpac/issues/2013 + NOTE: https://github.com/gpac/gpac/commit/f5a778edd1febd574ff9558d2faa57133bdb4a5f +CVE-2021-46048 (A Denial of Service vulnerability exists in Binaryen 104 due to an ass ...) + - binaryen <unfixed> (unimportant) + NOTE: https://github.com/WebAssembly/binaryen/issues/4412 + NOTE: Crash in CLI tool, no security impact +CVE-2021-46047 (A Pointer Dereference Vulnerability exists in GPAC 1.0.1 via the gf_hi ...) + - gpac <unfixed> + [bullseye] - gpac <no-dsa> (Minor issue) + [buster] - gpac <no-dsa> (Minor issue) + NOTE: https://github.com/gpac/gpac/issues/2008 + NOTE: https://github.com/gpac/gpac/commit/dd2e8b1b9378a9679de8e7e5dcb2d7841acd5dbd +CVE-2021-46046 (A Pointer Derefernce Vulnerbility exists GPAC 1.0.1 the gf_isom_box_si ...) + - gpac <unfixed> + [bullseye] - gpac <no-dsa> (Minor issue) + [buster] - gpac <no-dsa> (Minor issue) + NOTE: https://github.com/gpac/gpac/issues/2005 + NOTE: https://github.com/gpac/gpac/commit/f5a778edd1febd574ff9558d2faa57133bdb4a5f +CVE-2021-46045 (GPAC 1.0.1 is affected by: Abort failed. The impact is: cause a denial ...) + - gpac <unfixed> + [bullseye] - gpac <no-dsa> (Minor issue) + [buster] - gpac <no-dsa> (Minor issue) + NOTE: https://github.com/gpac/gpac/issues/2007 + NOTE: https://github.com/gpac/gpac/commit/f5a778edd1febd574ff9558d2faa57133bdb4a5f +CVE-2021-46044 (A Pointer Dereference Vulnerabilty exists in GPAC 1.0.1via ShiftMetaOf ...) + - gpac <unfixed> + [bullseye] - gpac <no-dsa> (Minor issue) + [buster] - gpac <no-dsa> (Minor issue) + NOTE: https://github.com/gpac/gpac/issues/2006 + NOTE: https://github.com/gpac/gpac/commit/f5a778edd1febd574ff9558d2faa57133bdb4a5f +CVE-2021-46043 (A Pointer Dereference Vulnerability exits in GPAC 1.0.1 in the gf_list ...) + - gpac <unfixed> + [bullseye] - gpac <no-dsa> (Minor issue) + [buster] - gpac <no-dsa> (Minor issue) + NOTE: https://github.com/gpac/gpac/issues/2001 + NOTE: https://github.com/gpac/gpac/commit/f5a778edd1febd574ff9558d2faa57133bdb4a5f +CVE-2021-46042 (A Pointer Dereference Vulnerability exists in GPAC 1.0.1 via the _fsee ...) + - gpac <unfixed> + [bullseye] - gpac <no-dsa> (Minor issue) + [buster] - gpac <no-dsa> (Minor issue) + NOTE: https://github.com/gpac/gpac/issues/2002 + NOTE: https://github.com/gpac/gpac/commit/f5a778edd1febd574ff9558d2faa57133bdb4a5f +CVE-2021-46041 (A Segmentation Fault Vulnerability exists in GPAC 1.0.1 via the co64_b ...) + - gpac <unfixed> + [bullseye] - gpac <no-dsa> (Minor issue) + [buster] - gpac <no-dsa> (Minor issue) + NOTE: https://github.com/gpac/gpac/issues/2004 + NOTE: https://github.com/gpac/gpac/commit/f5a778edd1febd574ff9558d2faa57133bdb4a5f +CVE-2021-46040 (A Pointer Dereference Vulnerabilty exists in GPAC 1.0.1 via the finpla ...) + - gpac <unfixed> + [bullseye] - gpac <no-dsa> (Minor issue) + [buster] - gpac <no-dsa> (Minor issue) + NOTE: https://github.com/gpac/gpac/issues/2003 + NOTE: https://github.com/gpac/gpac/commit/f5a778edd1febd574ff9558d2faa57133bdb4a5f +CVE-2021-46039 (A Pointer Dereference Vulnerabilty exists in GPAC 1.0.1 via the shift_ ...) + - gpac <unfixed> + [bullseye] - gpac <no-dsa> (Minor issue) + [buster] - gpac <no-dsa> (Minor issue) + NOTE: https://github.com/gpac/gpac/issues/1999 + NOTE: https://github.com/gpac/gpac/commit/f5a778edd1febd574ff9558d2faa57133bdb4a5f +CVE-2021-46038 (A Pointer Dereference vulnerability exists in GPAC 1.0.1 in unlink_chu ...) + - gpac <unfixed> + [bullseye] - gpac <no-dsa> (Minor issue) + [buster] - gpac <no-dsa> (Minor issue) + NOTE: https://github.com/gpac/gpac/issues/2000 + NOTE: https://github.com/gpac/gpac/commit/f5a778edd1febd574ff9558d2faa57133bdb4a5f +CVE-2021-46037 (MCMS v5.2.4 was discovered to contain an arbitrary file deletion vulne ...) + NOT-FOR-US: MCMS +CVE-2021-46036 (An arbitrary file upload vulnerability in the component /ms/file/uploa ...) + NOT-FOR-US: MCMS +CVE-2021-46035 + RESERVED +CVE-2021-46034 (A problem was found in ForestBlog, as of 2021-12-29, there is a XSS vu ...) + NOT-FOR-US: ForestBlog +CVE-2021-46033 (In ForestBlog, as of 2021-12-28, File upload can bypass verification. ...) + NOT-FOR-US: ForestBlog +CVE-2021-46032 + RESERVED +CVE-2021-46031 + RESERVED +CVE-2021-46030 (There is a Cross Site Scripting attack (XSS) vulnerability in JavaQuar ...) + NOT-FOR-US: JavaQuarkBBS +CVE-2021-46029 + RESERVED +CVE-2021-46028 (In mblog <= 3.5.0 there is a CSRF vulnerability in the background a ...) + NOT-FOR-US: mblog +CVE-2021-46027 (mysiteforme, as of 19-12-2022, has a CSRF vulnerability in the backgro ...) + NOT-FOR-US: mysiteforme +CVE-2021-46026 (mysiteforme, as of 19-12-2022, is vulnerable to Cross Site Scripting ( ...) + NOT-FOR-US: mysiteforme +CVE-2021-46025 (A Cross SIte Scripting (XSS) vulnerability exists in OneBlog <= 2.2 ...) + NOT-FOR-US: OneBlog +CVE-2021-46024 (Projectworlds online-shopping-webvsite-in-php 1.0 suffers from a SQL I ...) + NOT-FOR-US: Projectworlds online-shopping-webvsite-in-php +CVE-2021-46023 + RESERVED +CVE-2021-46022 (An Use-After-Free vulnerability in rec_mset_elem_destroy() at rec-mset ...) + - recutils <unfixed> (unimportant) + NOTE: https://lists.gnu.org/archive/html/bug-recutils/2021-12/msg00007.html + NOTE: Negligible security impact +CVE-2021-46021 (An Use-After-Free vulnerability in rec_record_destroy() at rec-record. ...) + - recutils <unfixed> (unimportant) + NOTE: https://lists.gnu.org/archive/html/bug-recutils/2021-12/msg00008.html + NOTE: Negligible security impact +CVE-2021-46020 (An untrusted pointer dereference in mrb_vm_exec() of mruby v3.0.0 can ...) + - mruby <unfixed> + [bullseye] - mruby <no-dsa> (Minor issue) + [buster] - mruby <no-dsa> (Minor issue) + [stretch] - mruby <postponed> (revisit when/if fix is complete) + NOTE: https://github.com/mruby/mruby/issues/5613 +CVE-2021-46019 (An untrusted pointer dereference in rec_db_destroy() at rec-db.c of GN ...) + - recutils <unfixed> (unimportant) + NOTE: https://lists.gnu.org/archive/html/bug-recutils/2021-12/msg00009.html + NOTE: Negligible security impact +CVE-2021-46018 + RESERVED +CVE-2021-46017 + RESERVED +CVE-2021-46016 + RESERVED +CVE-2021-46015 + RESERVED +CVE-2021-46014 + RESERVED +CVE-2021-46013 (An unrestricted file upload vulnerability exists in Sourcecodester Fre ...) + NOT-FOR-US: Sourcecodester +CVE-2021-46012 + REJECTED +CVE-2021-46011 + RESERVED +CVE-2021-46010 + RESERVED +CVE-2021-46009 + RESERVED +CVE-2021-46008 + RESERVED +CVE-2021-46007 + RESERVED +CVE-2021-46006 + RESERVED +CVE-2021-46005 (Sourcecodester Car Rental Management System 1.0 is vulnerable to Cross ...) + NOT-FOR-US: Sourcecodester +CVE-2021-46004 + RESERVED +CVE-2021-46003 + RESERVED +CVE-2021-46002 + RESERVED +CVE-2021-46001 + RESERVED +CVE-2021-46000 + RESERVED +CVE-2021-45999 + RESERVED +CVE-2021-45998 (D-Link device DIR_882 DIR_882_FW1.30B06_Hotfix_02 was discovered to co ...) + NOT-FOR-US: D-Link +CVE-2021-45997 (Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contai ...) + NOT-FOR-US: Tenda routers +CVE-2021-45996 (Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contai ...) + NOT-FOR-US: Tenda routers +CVE-2021-45995 (Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contai ...) + NOT-FOR-US: Tenda routers +CVE-2021-45994 (Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contai ...) + NOT-FOR-US: Tenda routers +CVE-2021-45993 (Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contai ...) + NOT-FOR-US: Tenda routers +CVE-2021-45992 (Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contai ...) + NOT-FOR-US: Tenda routers +CVE-2021-45991 (Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contai ...) + NOT-FOR-US: Tenda routers +CVE-2021-45990 (Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contai ...) + NOT-FOR-US: Tenda routers +CVE-2021-45989 (Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contai ...) + NOT-FOR-US: Tenda routers +CVE-2021-45988 (Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contai ...) + NOT-FOR-US: Tenda routers +CVE-2021-45987 (Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contai ...) + NOT-FOR-US: Tenda routers +CVE-2021-45986 (Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contai ...) + NOT-FOR-US: Tenda routers +CVE-2021-45985 + RESERVED +CVE-2021-4197 [cgroup: Use open-time creds and namespace for migration perm checks] + RESERVED + - linux 5.15.15-1 + NOTE: https://lore.kernel.org/lkml/20211209214707.805617-1-tj@kernel.org/T/ + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2035652 +CVE-2021-46144 (Roundcube before 1.4.13 and 1.5.x before 1.5.2 allows XSS via an HTML ...) + {DSA-5037-1 DLA-2878-1} + - roundcube <unfixed> (bug #1003027) + NOTE: https://github.com/roundcube/roundcubemail/commit/8894fddd59b770399eed4ef8d4da5773913b5bf0 (1.5.2) + NOTE: https://github.com/roundcube/roundcubemail/commit/b2400a4b592e3094b6c84e6000d512f99ae0eed8 (1.4.13) + NOTE: https://roundcube.net/news/2021/12/30/update-1.5.2-released + NOTE: https://roundcube.net/news/2021/12/30/security-update-1.4.13-released +CVE-2021-45984 + RESERVED +CVE-2021-45983 + RESERVED +CVE-2021-45982 + RESERVED +CVE-2021-45981 + RESERVED +CVE-2021-45980 (Foxit PDF Reader and PDF Editor before 11.1 on macOS allow remote atta ...) + NOT-FOR-US: Foxit +CVE-2021-45979 (Foxit PDF Reader and PDF Editor before 11.1 on macOS allow remote atta ...) + NOT-FOR-US: Foxit +CVE-2021-45978 (Foxit PDF Reader and PDF Editor before 11.1 on macOS allow remote atta ...) + NOT-FOR-US: Foxit +CVE-2021-45977 + RESERVED +CVE-2021-45976 + RESERVED +CVE-2021-45975 (In ListCheck.exe in Acer Care Center 4.x before 4.00.3038, a vulnerabi ...) + NOT-FOR-US: Acer +CVE-2021-45974 + RESERVED +CVE-2021-45973 + RESERVED +CVE-2021-45972 (The giftrans function in giftrans 1.12.2 contains a stack-based buffer ...) + - giftrans <unfixed> (bug #1002739; unimportant) + NOTE: Negligible security impact; crash in CLI tool +CVE-2021-45971 (An issue was discovered in SdHostDriver in Insyde InsydeH2O with kerne ...) + NOT-FOR-US: Insyde +CVE-2021-45970 (An issue was discovered in IdeBusDxe in Insyde InsydeH2O with kernel 5 ...) + NOT-FOR-US: Insyde +CVE-2021-45969 (An issue was discovered in AhciBusDxe in Insyde InsydeH2O with kernel ...) + NOT-FOR-US: Insyde +CVE-2021-45968 + RESERVED +CVE-2021-45967 + RESERVED +CVE-2021-45966 + RESERVED +CVE-2021-45965 + RESERVED +CVE-2021-45964 + RESERVED +CVE-2021-45963 + RESERVED +CVE-2021-45962 + RESERVED +CVE-2021-45961 + RESERVED +CVE-2021-45960 (In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) pla ...) + {DSA-5073-1 DLA-2904-1} + - expat 2.4.3-1 (bug #1002994) + NOTE: https://github.com/libexpat/libexpat/issues/531 + NOTE: https://github.com/libexpat/libexpat/pull/534 + NOTE: Fixed by: https://github.com/libexpat/libexpat/commit/0adcb34c49bee5b19bd29b16a578c510c23597ea (R_2_4_3) +CVE-2021-45959 + REJECTED +CVE-2021-45958 (UltraJSON (aka ujson) through 5.1.0 has a stack-based buffer overflow ...) + - ujson <unfixed> (bug #1005140) + NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36009 + NOTE: https://github.com/ultrajson/ultrajson/issues/501 + NOTE: https://github.com/ultrajson/ultrajson/issues/502 +CVE-2021-45957 (** DISPUTED ** Dnsmasq 2.86 has a heap-based buffer overflow in answer ...) + - dnsmasq <unfixed> (unimportant) + NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=35920 + NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/dnsmasq/OSV-2021-935.yaml + NOTE: Non issue, result of poorly automated fuzzing effort +CVE-2021-45956 (** DISPUTED ** Dnsmasq 2.86 has a heap-based buffer overflow in print_ ...) + - dnsmasq <unfixed> (unimportant) + NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=35887 + NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/dnsmasq/OSV-2021-933.yaml + NOTE: Non issue, result of poorly automated fuzzing effort +CVE-2021-45955 (** DISPUTED ** Dnsmasq 2.86 has a heap-based buffer overflow in resize ...) + - dnsmasq <unfixed> (unimportant) + NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=35898 + NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/dnsmasq/OSV-2021-932.yaml + NOTE: Non issue, result of poorly automated fuzzing effort +CVE-2021-45954 (** DISPUTED ** Dnsmasq 2.86 has a heap-based buffer overflow in extrac ...) + - dnsmasq <unfixed> (unimportant) + NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=35861 + NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/dnsmasq/OSV-2021-931.yaml + NOTE: Non issue, result of poorly automated fuzzing effort +CVE-2021-45953 (** DISPUTED ** Dnsmasq 2.86 has a heap-based buffer overflow in extrac ...) + - dnsmasq <unfixed> (unimportant) + NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=35858 + NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/dnsmasq/OSV-2021-929.yaml + NOTE: Non issue, result of poorly automated fuzzing effort +CVE-2021-45952 (** DISPUTED ** Dnsmasq 2.86 has a heap-based buffer overflow in dhcp_r ...) + - dnsmasq <unfixed> (unimportant) + NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=35870 + NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/dnsmasq/OSV-2021-927.yaml + NOTE: Non issue, result of poorly automated fuzzing effort +CVE-2021-45951 (** DISPUTED ** Dnsmasq 2.86 has a heap-based buffer overflow in check_ ...) + - dnsmasq <unfixed> (unimportant) + NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=35868 + NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/dnsmasq/OSV-2021-924.yaml + NOTE: Non issue, result of poorly automated fuzzing effort +CVE-2021-45950 (LibreDWG 0.12.4.4313 through 0.12.4.4367 has an out-of-bounds write in ...) + - libredwg <itp> (bug #595191) +CVE-2021-45949 (Ghostscript GhostPDL 9.50 through 9.54.0 has a heap-based buffer overf ...) + {DSA-5038-1 DLA-2879-1} + - ghostscript 9.55.0~dfsg-1 + NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34675 + NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=703902 + NOTE: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=2a3129365d3bc0d4a41f107ef175920d1505d1f7 +CVE-2021-45948 (Open Asset Import Library (aka assimp) 5.1.0 and 5.1.1 has a heap-base ...) + - assimp 5.1.1~ds0-1 + [bullseye] - assimp <not-affected> (Vulnerable code not present) + [buster] - assimp <not-affected> (Vulnerable code not present) + [stretch] - assimp <not-affected> (M3D format support not present) + NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34416 + NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/assimp/OSV-2021-775.yaml + NOTE: https://github.com/assimp/assimp/pull/4146 + NOTE: https://github.com/assimp/assimp/commit/30f17aa2064b86c0096f0ec701b9e8ea9312fef2 (v5.1.0) + NOTE: Introduced by: https://github.com/assimp/assimp/commit/a622e109a0739435e3e2f05bfbedba0e8385282d (v5.1.0.rc1) +CVE-2021-45947 (Wasm3 0.5.0 has an out-of-bounds write in Runtime_Release (called from ...) + NOT-FOR-US: wasm3 +CVE-2021-45946 (Wasm3 0.5.0 has an out-of-bounds write in CompileBlock (called from Co ...) + NOT-FOR-US: wasm3 +CVE-2021-45945 + REJECTED +CVE-2021-45944 (Ghostscript GhostPDL 9.50 through 9.53.3 has a use-after-free in sampl ...) + {DSA-5038-1 DLA-2879-1} + - ghostscript 9.54.0~dfsg-5 + NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29903 + NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/ghostscript/OSV-2021-237.yaml + NOTE: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=7861fcad13c497728189feafb41cd57b5b50ea25 +CVE-2021-45943 (GDAL 3.3.0 through 3.4.0 has a heap-based buffer overflow in PCIDSK::C ...) + {DLA-2877-1} + [experimental] - gdal 3.4.1~rc1+dfsg-1~exp1 + - gdal <unfixed> + NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41993 + NOTE: https://github.com/OSGeo/gdal/pull/4944 + NOTE: https://github.com/OSGeo/gdal/commit/93913a849dc1d217a40dbf9d6e6a3a23c42b61a6 (master) + NOTE: Backport to 3.4: https://github.com/OSGeo/gdal/pull/4947 + NOTE: https://github.com/OSGeo/gdal/commit/9b2bcbc47d1649adc0ab65b801f96f56156cf017 (v3.4.1RC1) + NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/gdal/OSV-2021-1651.yaml +CVE-2021-45942 (OpenEXR 3.1.x before 3.1.4 has a heap-based buffer overflow in Imf_3_1 ...) + - openexr <unfixed> + [buster] - openexr <no-dsa> (Minor issue) + [stretch] - openexr <no-dsa> (Minor issue) + NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41416 + NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/1209 +CVE-2021-45941 (libbpf 0.6.0 and 0.6.1 has a heap-based buffer overflow (8 bytes) in _ ...) + - libbpf <unfixed> + NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40957 + NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/libbpf/OSV-2021-1576.yaml + TODO: check details on fixing commit upstream, furthermore intorducing commit is only when oss-fuzz started +CVE-2021-45940 (libbpf 0.6.0 and 0.6.1 has a heap-based buffer overflow (4 bytes) in _ ...) + - libbpf <unfixed> + NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40868 + NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/libbpf/OSV-2021-1562.yaml + TODO: check details on fixing commit upstream, furthermore intorducing commit is only when oss-fuzz started +CVE-2021-45939 (wolfSSL wolfMQTT 1.9 has a heap-based buffer overflow in MqttClient_De ...) + NOT-FOR-US: uWebSockets +CVE-2021-45938 (wolfSSL wolfMQTT 1.9 has a heap-based buffer overflow in MqttClient_De ...) + NOT-FOR-US: wolfMQTT +CVE-2021-45937 (wolfSSL wolfMQTT 1.9 has a heap-based buffer overflow in MqttClient_De ...) + NOT-FOR-US: wolfMQTT +CVE-2021-45936 (wolfSSL wolfMQTT 1.9 has a heap-based buffer overflow in MqttDecode_Di ...) + NOT-FOR-US: wolfMQTT +CVE-2021-45935 (Grok 9.5.0 has a heap-based buffer overflow in openhtj2k::T1OpenHTJ2K: ...) + - libgrokj2k <unfixed> + NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39021 + NOTE: Referenced fix isn't in the upstream repo +CVE-2021-45934 (wolfSSL wolfMQTT 1.9 has a heap-based buffer overflow in MqttClient_De ...) + NOT-FOR-US: wolfMQTT +CVE-2021-45933 (wolfSSL wolfMQTT 1.9 has a heap-based buffer overflow (8 bytes) in Mqt ...) + NOT-FOR-US: wolfMQTT +CVE-2021-45932 (wolfSSL wolfMQTT 1.9 has a heap-based buffer overflow (4 bytes) in Mqt ...) + NOT-FOR-US: wolfMQTT +CVE-2021-45931 (HarfBuzz 2.9.0 has an out-of-bounds write in hb_bit_set_invertible_t:: ...) + - harfbuzz <undetermined> + NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=37425 + NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/harfbuzz/OSV-2021-1159.yaml + NOTE: https://github.com/harfbuzz/harfbuzz/commit/d3e09bf4654fe5478b6dbf2b26ebab6271317d81 (2.9.1) + TODO: check correctness of commit, might not affect any Debian released version +CVE-2021-45930 (Qt SVG in Qt 5.0.0 through 5.15.2 and 6.0.0 through 6.2.1 has an out-o ...) + {DLA-2895-1 DLA-2885-1} + - qtsvg-opensource-src 5.15.2-4 (bug #1002991) + [bullseye] - qtsvg-opensource-src <no-dsa> (Minor issue) + [buster] - qtsvg-opensource-src <no-dsa> (Minor issue) + - qt4-x11 <removed> + [buster] - qt4-x11 <no-dsa> (Minor issue) + NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=37025 + NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=37306 + NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/qt/OSV-2021-1121.yaml + NOTE: https://bugreports.qt.io/browse/QTBUG-96044 + NOTE: https://github.com/qt/qtsvg/commit/36cfd9efb9b22b891adee9c48d30202289cfa620 (dev) + NOTE: https://github.com/qt/qtsvg/commit/79bb9f51fa374106a612d17c9d98d35d807be670 (v6.2.2) + NOTE: https://github.com/qt/qtsvg/commit/a3b753c2d077313fc9eb93af547051b956e383fc (v5.12.12) +CVE-2021-45929 (Wasm3 0.5.0 has an out-of-bounds write in CompileBlock (called from Co ...) + NOT-FOR-US: wasm3 +CVE-2021-45928 (libjxl b02d6b9, as used in libvips 8.11 through 8.11.2 and other produ ...) + - jpeg-xl <not-affected> (Vulnerable code not present in a released Debian version; fixed before inital upload to Debian) + NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36456 + NOTE: https://github.com/libjxl/libjxl/issues/360 + NOTE: https://github.com/libjxl/libjxl/pull/365 + NOTE: Introduced by: https://github.com/libjxl/libjxl/pull/205 (v0.6) + NOTE: Fixed by: https://github.com/libjxl/libjxl/commit/1c05e110d69b457696366fb4e762057b6855349b (v0.6) +CVE-2021-45927 (MDB Tools (aka mdbtools) 0.9.2 has a stack-based buffer overflow (at 0 ...) + - mdbtools <undetermined> + NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36187 + TODO: check, possibly fixed in 0.9.3, but unclear fixing commit, related to 9b6b52cc8c5838cffeee9388c04890fe1eb73b52? +CVE-2021-45926 (MDB Tools (aka mdbtools) 0.9.2 has a stack-based buffer overflow (at 0 ...) + - mdbtools <undetermined> + NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=35972 + TODO: check, possibly fixed in 0.9.3, but unclear fixing commit, related to 9b6b52cc8c5838cffeee9388c04890fe1eb73b52? +CVE-2021-4196 + RESERVED +CVE-2021-4195 + RESERVED +CVE-2021-45732 (Netgear Nighthawk R6700 version 1.0.4.120 makes use of a hardcoded cre ...) + NOT-FOR-US: Netgear +CVE-2021-45077 (Netgear Nighthawk R6700 version 1.0.4.120 stores sensitive information ...) + NOT-FOR-US: Netgear +CVE-2021-44466 (Bitmask Riseup VPN 0.21.6 contains a local privilege escalation flaw d ...) + NOT-FOR-US: Bitmask Riseup VPN +CVE-2021-4194 (bookstack is vulnerable to Improper Access Control ...) + NOT-FOR-US: bookstack +CVE-2021-4193 (vim is vulnerable to Out-of-bounds Read ...) + - vim 2:8.2.3995-1 + [bullseye] - vim <no-dsa> (Minor issue) + [buster] - vim <no-dsa> (Minor issue) + NOTE: https://huntr.dev/bounties/92c1940d-8154-473f-84ce-0de43b0c2eb0 + NOTE: Fixed by: https://github.com/vim/vim/commit/94f3192b03ed27474db80b4d3a409e107140738b (v8.2.3950) +CVE-2021-4192 (vim is vulnerable to Use After Free ...) + - vim 2:8.2.3995-1 + [bullseye] - vim <no-dsa> (Minor issue) + [buster] - vim <no-dsa> (Minor issue) + NOTE: https://huntr.dev/bounties/6dd9cb2e-a940-4093-856e-59b502429f22 + NOTE: Fixed by: https://github.com/vim/vim/commit/4c13e5e6763c6eb36a343a2b8235ea227202e952 (v8.2.3949) +CVE-2021-4191 + RESERVED +CVE-2021-23147 (Netgear Nighthawk R6700 version 1.0.4.120 does not have sufficient pro ...) + NOT-FOR-US: Netgear +CVE-2021-45919 (Studio 42 elFinder through 2.1.31 allows XSS via an SVG document. ...) + NOT-FOR-US: Studio 42 elFinder +CVE-2021-4190 (Large loop in the Kafka dissector in Wireshark 3.6.0 allows denial of ...) + - wireshark <unfixed> + [bullseye] - wireshark <no-dsa> (Minor issue) + [buster] - wireshark <no-dsa> (Minor issue) + [stretch] - wireshark <no-dsa> (Minor issue) + NOTE: https://www.wireshark.org/security/wnpa-sec-2021-22.html + NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17811 +CVE-2021-4189 [ftplib should not use the host from the PASV response] + RESERVED + {DLA-2919-1} + - python3.10 <not-affected> (Fixed before initial upload to Debian unstable) + - python3.9 3.9.7-1 + [bullseye] - python3.9 <no-dsa> (Minor issue) + - python3.7 <removed> + [buster] - python3.7 <no-dsa> (Minor issue) + - python3.5 <removed> + [stretch] - python3.5 <no-dsa> (Minor issue) + - python2.7 <unfixed> + [bullseye] - python2.7 <ignored> (Python 2.7 in Bullseye not covered by security support) + [buster] - python2.7 <no-dsa> (Minor issue) + NOTE: https://bugs.python.org/issue43285 + NOTE: https://github.com/python/cpython/commit/0ab152c6b5d95caa2dc1a30fa96e10258b5f188e (master) + NOTE: https://github.com/python/cpython/commit/7dcb4baa4f0fde3aef5122a8e9f6a41853ec9335 (v3.9.3) + NOTE: https://github.com/python/cpython/commit/79373951b3eab585d42e0f0ab83718cbe1d0ee33 (v3.7.11) + NOTE: https://github.com/python/cpython/commit/4134f154ae2f621f25c5d698cc0f1748035a1b88 (v3.6.14) + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2036020 +CVE-2021-45918 + RESERVED +CVE-2021-45917 (The server-request receiver function of Shockwall system has an improp ...) + NOT-FOR-US: Shockwall system +CVE-2021-45916 (The programming function of Shockwall system has an improper input val ...) + NOT-FOR-US: Shockwall system +CVE-2021-45915 + RESERVED +CVE-2021-45914 + RESERVED +CVE-2021-4188 (mruby is vulnerable to NULL Pointer Dereference ...) + - mruby <not-affected> (Vulnerable code introduced later) + NOTE: https://huntr.dev/bounties/78533fb9-f3e0-47c2-86dc-d1f96d5bea28 + NOTE: Fixed by: https://github.com/mruby/mruby/commit/27d1e0132a0804581dca28df042e7047fd27eaa8 +CVE-2021-45913 (A hardcoded key in ControlUp Real-Time Agent (cuAgent.exe) before 8.2. ...) + NOT-FOR-US: ControlUp Real-Time Agent +CVE-2021-45912 (An unauthenticated Named Pipe channel in Controlup Real-Time Agent (cu ...) + NOT-FOR-US: ControlUp Real-Time Agent +CVE-2021-44775 + RESERVED +CVE-2021-44465 + RESERVED +CVE-2021-4187 (vim is vulnerable to Use After Free ...) + - vim 2:8.2.3995-1 + [bullseye] - vim <no-dsa> (Minor issue) + [buster] - vim <not-affected> (Vulnerable code introduced later) + [stretch] - vim <not-affected> (Vulnerable code introduced later) + NOTE: https://huntr.dev/bounties/a8bee03a-6e2e-43bf-bee3-4968c5386a2e + NOTE: Introduced after: https://github.com/vim/vim/commit/04b12697838b232b8b17c553ccc74cf1f1bdb81c (v8.2.0695) + NOTE: Fixed by: https://github.com/vim/vim/commit/4bf1006cae7e87259ccd5219128c3dba75774441 (v8.2.3923) +CVE-2021-45911 (An issue was discovered in gif2apng 1.9. There is a heap-based buffer ...) + - gif2apng <removed> (bug #1002687) +CVE-2021-45910 (An issue was discovered in gif2apng 1.9. There is a heap-based buffer ...) + - gif2apng <removed> (bug #1002667) +CVE-2021-45909 (An issue was discovered in gif2apng 1.9. There is a heap-based buffer ...) + - gif2apng <removed> (bug #1002668) +CVE-2021-45908 (An issue was discovered in gif2apng 1.9. There is a stack-based buffer ...) + - gif2apng <removed> (bug #1002669; unimportant) + NOTE: Negligible security impact +CVE-2021-45907 (An issue was discovered in gif2apng 1.9. There is a stack-based buffer ...) + - gif2apng <removed> (bug #1002669; unimportant) + NOTE: Negligible security impact +CVE-2021-45906 (OpenWrt 21.02.1 allows XSS via the NAT Rules Name screen. ...) + NOT-FOR-US: OpenWrt +CVE-2021-45905 (OpenWrt 21.02.1 allows XSS via the Traffic Rules Name screen. ...) + NOT-FOR-US: OpenWrt +CVE-2021-45904 (OpenWrt 21.02.1 allows XSS via the Port Forwards Add Name screen. ...) + NOT-FOR-US: OpenWrt +CVE-2021-45903 (A persistent cross-site scripting (XSS) issue in the web interface of ...) + NOT-FOR-US: SuiteCRM +CVE-2021-45902 + RESERVED +CVE-2021-45901 (The password-reset form in ServiceNow Orlando provides different respo ...) + NOT-FOR-US: ServiceNow Orlando +CVE-2021-45900 + RESERVED +CVE-2021-45899 (SuiteCRM before 7.12.3 and 8.x before 8.0.2 allows PHAR deserializatio ...) + NOT-FOR-US: SuiteCRM +CVE-2021-45898 (SuiteCRM before 7.12.3 and 8.x before 8.0.2 allows local file inclusio ...) + NOT-FOR-US: SuiteCRM +CVE-2021-45897 (SuiteCRM before 7.12.3 and 8.x before 8.0.2 allows remote code executi ...) + NOT-FOR-US: SuiteCRM +CVE-2021-45896 (Nokia FastMile 3TG00118ABAD52 devices allow privilege escalation by an ...) + NOT-FOR-US: Nokia FastMile 3TG00118ABAD52 devices +CVE-2021-45895 (Netgen Tags Bundle 3.4.x before 3.4.11 and 4.0.x before 4.0.15 allows ...) + NOT-FOR-US: Netgen Tags Bundle +CVE-2021-45894 + RESERVED +CVE-2021-45893 + RESERVED +CVE-2021-45892 + RESERVED +CVE-2021-45891 + RESERVED +CVE-2021-45890 (basic/BasicAuthProvider.java in AuthGuard before 0.9.0 allows authenti ...) + NOT-FOR-US: AuthGuard +CVE-2021-45889 + RESERVED +CVE-2021-45888 + RESERVED +CVE-2021-45887 + RESERVED +CVE-2021-45886 + RESERVED +CVE-2021-45885 (An issue was discovered in Stormshield Network Security (SNS) 4.2.2 th ...) + NOT-FOR-US: Stormshield Network Security (SNS) +CVE-2021-4186 (Crash in the Gryphon dissector in Wireshark 3.4.0 to 3.4.10 allows den ...) + - wireshark 3.6.0-1 + [bullseye] - wireshark <no-dsa> (Minor issue) + [buster] - wireshark <no-dsa> (Minor issue) + [stretch] - wireshark <no-dsa> (Minor issue) + NOTE: https://www.wireshark.org/security/wnpa-sec-2021-16.html + NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17737 +CVE-2021-4185 (Infinite loop in the RTMPT dissector in Wireshark 3.6.0 and 3.4.0 to 3 ...) + - wireshark 3.6.2-1 + [bullseye] - wireshark <no-dsa> (Minor issue) + [buster] - wireshark <no-dsa> (Minor issue) + [stretch] - wireshark <no-dsa> (Minor issue) + NOTE: https://www.wireshark.org/security/wnpa-sec-2021-17.html + NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17745 +CVE-2021-4184 (Infinite loop in the BitTorrent DHT dissector in Wireshark 3.6.0 and 3 ...) + - wireshark 3.6.2-1 + [bullseye] - wireshark <no-dsa> (Minor issue) + [buster] - wireshark <no-dsa> (Minor issue) + [stretch] - wireshark <no-dsa> (Minor issue) + NOTE: https://www.wireshark.org/security/wnpa-sec-2021-18.html + NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17754 +CVE-2021-4183 (Crash in the pcapng file parser in Wireshark 3.6.0 allows denial of se ...) + - wireshark 3.6.2-1 + [bullseye] - wireshark <no-dsa> (Minor issue) + [buster] - wireshark <no-dsa> (Minor issue) + [stretch] - wireshark <no-dsa> (Minor issue) + NOTE: https://www.wireshark.org/security/wnpa-sec-2021-19.html + NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17755 +CVE-2021-4182 (Crash in the RFC 7468 dissector in Wireshark 3.6.0 and 3.4.0 to 3.4.10 ...) + - wireshark 3.6.2-1 + [bullseye] - wireshark <no-dsa> (Minor issue) + [buster] - wireshark <no-dsa> (Minor issue) + [stretch] - wireshark <no-dsa> (Minor issue) + NOTE: https://www.wireshark.org/security/wnpa-sec-2021-20.html + NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17801 +CVE-2021-4181 (Crash in the Sysdig Event dissector in Wireshark 3.6.0 and 3.4.0 to 3. ...) + - wireshark 3.6.2-1 + [bullseye] - wireshark <no-dsa> (Minor issue) + [buster] - wireshark <no-dsa> (Minor issue) + [stretch] - wireshark <no-dsa> (Minor issue) + NOTE: https://www.wireshark.org/security/wnpa-sec-2021-21.html + NOTE: https://gitlab.com/wireshark/wireshark/-/merge_requests/5429 +CVE-2021-45884 (In Brave Desktop 1.17 through 1.33 before 1.33.106, when CNAME-based a ...) + - brave-browser <itp> (bug #864795) +CVE-2021-45883 + RESERVED +CVE-2021-45882 + RESERVED +CVE-2021-45881 + RESERVED +CVE-2021-45880 + RESERVED +CVE-2021-45879 + RESERVED +CVE-2021-45878 + RESERVED +CVE-2021-45877 + RESERVED +CVE-2021-45876 + RESERVED +CVE-2021-45875 + RESERVED +CVE-2021-45874 + RESERVED +CVE-2021-45873 + RESERVED +CVE-2021-45872 + RESERVED +CVE-2021-45871 + RESERVED +CVE-2021-45870 + RESERVED +CVE-2021-45869 + RESERVED +CVE-2021-45868 + RESERVED +CVE-2021-45867 + RESERVED +CVE-2021-45866 + RESERVED +CVE-2021-45865 + RESERVED +CVE-2021-45864 + RESERVED +CVE-2021-45863 + RESERVED +CVE-2021-45862 + RESERVED +CVE-2021-45861 + RESERVED +CVE-2021-45860 + RESERVED +CVE-2021-45859 + RESERVED +CVE-2021-45858 + RESERVED +CVE-2021-45857 + RESERVED +CVE-2021-45856 (Accu-Time Systems MAXIMUS 1.0 telnet service suffers from a remote buf ...) + NOT-FOR-US: Accu-Time Systems MAXIMUS +CVE-2021-45855 + RESERVED +CVE-2021-45854 + RESERVED +CVE-2021-45853 + RESERVED +CVE-2021-45852 + RESERVED +CVE-2021-45851 + RESERVED +CVE-2021-45850 + RESERVED +CVE-2021-45849 + RESERVED +CVE-2021-45848 + RESERVED +CVE-2021-45847 (Several missing input validations in the 3MF parser component of Slic3 ...) + - slic3r <unfixed> + NOTE: https://github.com/slic3r/Slic3r/issues/5118 + NOTE: https://github.com/slic3r/Slic3r/issues/5119 + NOTE: https://github.com/slic3r/Slic3r/issues/5120 +CVE-2021-45846 (A flaw in the AMF parser of Slic3r libslic3r 1.3.0 allows an attacker ...) + - slic3r <unfixed> + NOTE: https://github.com/slic3r/Slic3r/issues/5117 +CVE-2021-45845 (The Path Sanity Check script of FreeCAD 0.19 is vulnerable to OS comma ...) + - freecad <unfixed> + [stretch] - freecad <not-affected> (Vulnerable code introduced in 0.17) + NOTE: https://github.com/FreeCAD/FreeCAD/pull/5306 + NOTE: Fixed by: https://github.com/FreeCAD/FreeCAD/commit/169eb655f30180b95e5923be2eb3bc4de6e02406 + NOTE: https://tracker.freecad.org/view.php?id=4810 +CVE-2021-45844 (Improper sanitization in the invocation of ODA File Converter from Fre ...) + - freecad <unfixed> (bug #1005747) + NOTE: https://github.com/FreeCAD/FreeCAD/commit/1742d7ff82af1653253c4a4183c262c9af3b26d6 (0.20) + NOTE: https://tracker.freecad.org/view.php?id=4809 +CVE-2021-45843 (glFusion CMS v1.7.9 is affected by a reflected Cross Site Scripting (X ...) + NOT-FOR-US: glFusion CMS +CVE-2021-45842 + RESERVED +CVE-2021-45841 + RESERVED +CVE-2021-45840 + RESERVED +CVE-2021-45839 + RESERVED +CVE-2021-45838 + RESERVED +CVE-2021-45837 + RESERVED +CVE-2021-45836 + RESERVED +CVE-2021-45835 + RESERVED +CVE-2021-45834 + RESERVED +CVE-2021-45833 (A Stack-based Buffer Overflow Vulnerability exists in HDF5 1.13.1-1 vi ...) + - hdf5 <undetermined> + NOTE: https://github.com/HDFGroup/hdf5/issues/1313 + NOTE: https://github.com/advisories/GHSA-x57p-jwp6-4v79 +CVE-2021-45832 (A Stack-based Buffer Overflow Vulnerability exists in HDF5 1.13.1-1 at ...) + - hdf5 <undetermined> + NOTE: https://github.com/HDFGroup/hdf5/issues/1315 + NOTE: https://github.com/advisories/GHSA-hvh7-f5p9-68g8 +CVE-2021-45831 (A Null Pointer Dereference vulnerability exitgs in GPAC 1.0.1 in MP4Bo ...) + - gpac <unfixed> + NOTE: https://github.com/gpac/gpac/issues/1990 + NOTE: https://github.com/gpac/gpac/commit/4613a35362e15a6df90453bd632d083645e5a765 +CVE-2021-45830 (A heap-based buffer overflow vulnerability exists in HDF5 1.13.1-1 via ...) + - hdf5 <undetermined> + NOTE: https://github.com/HDFGroup/hdf5/issues/1314 + NOTE: https://github.com/advisories/GHSA-5h2h-fjjr-x9m2 +CVE-2021-45829 (HDF5 1.13.1-1 is affected by: segmentation fault, which causes a Denia ...) + - hdf5 <undetermined> + NOTE: https://github.com/HDFGroup/hdf5/issues/1317 + NOTE: https://github.com/advisories/GHSA-23gx-cm6v-952g +CVE-2021-45828 + RESERVED +CVE-2021-45827 + RESERVED +CVE-2021-45826 + RESERVED +CVE-2021-45825 + RESERVED +CVE-2021-45824 + RESERVED +CVE-2021-45823 + RESERVED +CVE-2021-45822 + RESERVED +CVE-2021-45821 + RESERVED +CVE-2021-45820 + RESERVED +CVE-2021-45819 + RESERVED +CVE-2021-45818 (SAFARI Montage 8.7.32 is affected by a CRLF injection vulnerability wh ...) + NOT-FOR-US: SAFARI Montage +CVE-2021-45817 + REJECTED +CVE-2021-45816 + RESERVED +CVE-2021-45815 (Quectel UC20 UMTS/HSPA+ UC20 6.3.14 is affected by a Cross Site Script ...) + NOT-FOR-US: Quectel UC20 UMTS/HSPA+ UC20 +CVE-2021-45814 (Nettmp NNT 5.1 is affected by a SQL injection vulnerability. An attack ...) + NOT-FOR-US: Nettmp NNT +CVE-2021-45813 (SLICAN WebCTI 1.01 2015 is affected by a Cross Site Scripting (XSS) vu ...) + NOT-FOR-US: SLICAN WebCTI +CVE-2021-45812 (NUUO Network Video Recorder NVRsolo 3.9.1 is affected by a Cross Site ...) + NOT-FOR-US: NUUO Network Video Recorder NVRsolo +CVE-2021-45811 + RESERVED +CVE-2021-45810 + RESERVED +CVE-2021-45809 + RESERVED +CVE-2021-45808 (jpress v4.2.0 allows users to register an account by default. With the ...) + NOT-FOR-US: jpress +CVE-2021-45807 (jpress v4.2.0 is vulnerable to command execution via io.jpress.web.adm ...) + NOT-FOR-US: jpress +CVE-2021-45806 (jpress v4.2.0 admin panel provides a function through which attackers ...) + NOT-FOR-US: jpress +CVE-2021-45805 + RESERVED +CVE-2021-45804 + RESERVED +CVE-2021-45803 (MartDevelopers iResturant 1.0 is vulnerable to SQL Injection. SQL Inje ...) + NOT-FOR-US: MartDevelopers iResturant +CVE-2021-45802 (MartDevelopers iResturant 1.0 is vulnerable to SQL Injection. SQL Inje ...) + NOT-FOR-US: MartDevelopers iResturant +CVE-2021-45801 + RESERVED +CVE-2021-45800 + RESERVED +CVE-2021-45799 + RESERVED +CVE-2021-45798 + RESERVED +CVE-2021-45797 + RESERVED +CVE-2021-45796 + RESERVED +CVE-2021-45795 + RESERVED +CVE-2021-45794 + RESERVED +CVE-2021-45793 + RESERVED +CVE-2021-45792 + RESERVED +CVE-2021-45791 + RESERVED +CVE-2021-45790 (An arbitrary file upload vulnerability was found in Metersphere v1.15. ...) + NOT-FOR-US: Metersphere +CVE-2021-45789 (An arbitrary file read vulnerability was found in Metersphere v1.15.4, ...) + NOT-FOR-US: Metersphere +CVE-2021-45788 (Time-based SQL Injection vulnerabilities were found in Metersphere v1. ...) + NOT-FOR-US: Metersphere +CVE-2021-45787 + RESERVED +CVE-2021-45786 + RESERVED +CVE-2021-45785 + RESERVED +CVE-2021-45784 + RESERVED +CVE-2021-45783 + RESERVED +CVE-2021-45782 + REJECTED +CVE-2021-45781 + REJECTED +CVE-2021-45780 + REJECTED +CVE-2021-45779 + REJECTED +CVE-2021-45778 + REJECTED +CVE-2021-45777 + RESERVED +CVE-2021-45776 + RESERVED +CVE-2021-45775 + REJECTED +CVE-2021-45774 + REJECTED +CVE-2021-45773 (A NULL pointer dereference in CS104_IPAddress_setFromString at src/iec ...) + NOT-FOR-US: lib60870 +CVE-2021-45772 + RESERVED +CVE-2021-45771 + RESERVED +CVE-2021-45770 + RESERVED +CVE-2021-45769 (A NULL pointer dereference in AcseConnection_parseMessage at src/mms/i ...) + NOT-FOR-US: libiec61850 +CVE-2021-45768 + RESERVED +CVE-2021-45767 (GPAC 1.1.0 was discovered to contain an invalid memory address derefer ...) + - gpac <unfixed> + NOTE: https://github.com/gpac/gpac/issues/1982 + NOTE: https://github.com/gpac/gpac/commit/830548acd030467e857f4cf0b79af8ebf1e04dde +CVE-2021-45766 + RESERVED +CVE-2021-45765 + RESERVED +CVE-2021-45764 (GPAC v1.1.0 was discovered to contain an invalid memory address derefe ...) + - gpac <unfixed> + NOTE: https://github.com/gpac/gpac/issues/1971 + NOTE: https://github.com/gpac/gpac/commit/e54df17892bee983d09d9437e44e6a1528fb46cb +CVE-2021-45763 (GPAC v1.1.0 was discovered to contain an invalid call in the function ...) + - gpac <unfixed> + NOTE: https://github.com/gpac/gpac/issues/1974 + NOTE: https://github.com/gpac/gpac/commit/d2f74e49f2cb8d687c0dc38f66b99e3c5c7d7fec +CVE-2021-45762 (GPAC v1.1.0 was discovered to contain an invalid memory address derefe ...) + - gpac <unfixed> + NOTE: https://github.com/gpac/gpac/issues/1978 + NOTE: https://github.com/gpac/gpac/commit/6d647f6e458c9b727eae1a8077d27fa433ced788 +CVE-2021-45761 (ROPium v3.1 was discovered to contain an invalid memory address derefe ...) + NOT-FOR-US: ROPium +CVE-2021-45760 (GPAC v1.1.0 was discovered to contain an invalid memory address derefe ...) + - gpac <unfixed> + NOTE: https://github.com/gpac/gpac/issues/1966 + NOTE: https://github.com/gpac/gpac/commit/5041fcbaa904a89d280561905a163171b3828cea +CVE-2021-45759 + RESERVED +CVE-2021-45758 + RESERVED +CVE-2021-45757 + RESERVED +CVE-2021-45756 + RESERVED +CVE-2021-45755 + RESERVED +CVE-2021-45754 + RESERVED +CVE-2021-45753 + RESERVED +CVE-2021-45752 + RESERVED +CVE-2021-45751 + RESERVED +CVE-2021-45750 + RESERVED +CVE-2021-45749 + RESERVED +CVE-2021-45748 + RESERVED +CVE-2021-45747 + RESERVED +CVE-2021-45746 + RESERVED +CVE-2021-45745 (A Stored Cross Site Scripting (XSS) vulnerability exists in Bludit 3.1 ...) + NOT-FOR-US: Bludit +CVE-2021-45744 (A Stored Cross Site Scripting (XSS) vulnerability exists in bludit 3.1 ...) + NOT-FOR-US: Bludit +CVE-2021-45743 + RESERVED +CVE-2021-45742 (TOTOLINK A720R v4.1.5cu.470_B20200911 was discovered to contain a comm ...) + NOT-FOR-US: TOTOLINK +CVE-2021-45741 (TOTOLINK X5000R v9.1.0u.6118_B20201102 was discovered to contain a sta ...) + NOT-FOR-US: TOTOLINK +CVE-2021-45740 (TOTOLINK A720R v4.1.5cu.470_B20200911 was discovered to contain a stac ...) + NOT-FOR-US: TOTOLINK +CVE-2021-45739 (TOTOLINK A720R v4.1.5cu.470_B20200911 was discovered to contain a stac ...) + NOT-FOR-US: TOTOLINK +CVE-2021-45738 (TOTOLINK X5000R v9.1.0u.6118_B20201102 was discovered to contain a com ...) + NOT-FOR-US: TOTOLINK +CVE-2021-45737 (TOTOLINK A720R v4.1.5cu.470_B20200911 was discovered to contain a stac ...) + NOT-FOR-US: TOTOLINK +CVE-2021-45736 (TOTOLINK X5000R v9.1.0u.6118_B20201102 was discovered to contain a sta ...) + NOT-FOR-US: TOTOLINK +CVE-2021-45735 (TOTOLINK X5000R v9.1.0u.6118_B20201102 was discovered to use the HTTP ...) + NOT-FOR-US: TOTOLINK +CVE-2021-45734 (TOTOLINK X5000R v9.1.0u.6118_B20201102 was discovered to contain a sta ...) + NOT-FOR-US: TOTOLINK +CVE-2021-45733 (TOTOLINK X5000R v9.1.0u.6118_B20201102 was discovered to contain a com ...) + NOT-FOR-US: TOTOLINK +CVE-2021-4180 + RESERVED + - tripleo-heat-templates <removed> + NOTE: https://bugs.launchpad.net/tripleo/+bug/1955397 +CVE-2021-4179 (livehelperchat is vulnerable to Improper Neutralization of Input Durin ...) + NOT-FOR-US: livehelperchat +CVE-2021-45720 (An issue was discovered in the lru crate before 0.7.1 for Rust. The it ...) + NOT-FOR-US: Rust crate lru +CVE-2021-45719 (An issue was discovered in the rusqlite crate 0.25.x before 0.25.4 and ...) + NOT-FOR-US: Rust crate rusqlite +CVE-2021-45718 (An issue was discovered in the rusqlite crate 0.25.x before 0.25.4 and ...) + NOT-FOR-US: Rust crate rusqlite +CVE-2021-45717 (An issue was discovered in the rusqlite crate 0.25.x before 0.25.4 and ...) + NOT-FOR-US: Rust crate rusqlite +CVE-2021-45716 (An issue was discovered in the rusqlite crate 0.25.x before 0.25.4 and ...) + NOT-FOR-US: Rust crate rusqlite +CVE-2021-45715 (An issue was discovered in the rusqlite crate 0.25.x before 0.25.4 and ...) + NOT-FOR-US: Rust crate rusqlite +CVE-2021-45714 (An issue was discovered in the rusqlite crate 0.25.x before 0.25.4 and ...) + NOT-FOR-US: Rust crate rusqlite +CVE-2021-45713 (An issue was discovered in the rusqlite crate 0.25.x before 0.25.4 and ...) + NOT-FOR-US: Rust crate rusqlite +CVE-2021-45712 (An issue was discovered in the rust-embed crate before 6.3.0 for Rust. ...) + NOT-FOR-US: Rust crate rust-embed +CVE-2021-45711 (An issue was discovered in the simple_asn1 crate 0.6.0 before 0.6.1 fo ...) + NOT-FOR-US: Rust crate simple_asn1 +CVE-2021-45710 (An issue was discovered in the tokio crate before 1.8.4, and 1.9.x thr ...) + - rust-tokio <unfixed> + [bullseye] - rust-tokio <no-dsa> (Minor issue) + NOTE: https://rustsec.org/advisories/RUSTSEC-2021-0124.html + NOTE: https://github.com/tokio-rs/tokio/issues/4225 +CVE-2021-45709 (An issue was discovered in the crypto2 crate through 2021-10-08 for Ru ...) + NOT-FOR-US: Rust crate crypto2 +CVE-2021-45708 (An issue was discovered in the abomonation crate through 2021-10-17 fo ...) + NOT-FOR-US: Rust crate abomonation +CVE-2021-45707 (An issue was discovered in the nix crate before 0.20.2, 0.21.x before ...) + - rust-nix 0.23.0-1 + [bullseye] - rust-nix <no-dsa> (Minor issue) + [buster] - rust-nix <not-affected> (Introduced in 0.16) + NOTE: https://rustsec.org/advisories/RUSTSEC-2021-0119.html +CVE-2021-45706 (An issue was discovered in the zeroize_derive crate before 1.1.1 for R ...) + NOT-FOR-US: Rust crate zeroize_derive +CVE-2021-45705 (An issue was discovered in the nanorand crate before 0.6.1 for Rust. T ...) + NOT-FOR-US: Rust crate nanorand +CVE-2021-45704 (An issue was discovered in the metrics-util crate before 0.7.0 for Rus ...) + NOT-FOR-US: Rust crate metrics-util +CVE-2021-45703 (An issue was discovered in the tectonic_xdv crate before 0.1.12 for Ru ...) + NOT-FOR-US: Rust crate tectonic_xdv +CVE-2021-45702 (An issue was discovered in the tremor-script crate before 0.11.6 for R ...) + NOT-FOR-US: Rust crate tremor-script +CVE-2021-45701 (An issue was discovered in the tremor-script crate before 0.11.6 for R ...) + NOT-FOR-US: Rust crate tremor-script +CVE-2021-45700 (An issue was discovered in the ckb crate before 0.40.0 for Rust. Attac ...) + NOT-FOR-US: Rust crate ckb +CVE-2021-45699 (An issue was discovered in the ckb crate before 0.40.0 for Rust. Remot ...) + NOT-FOR-US: Rust crate ckb +CVE-2021-45698 (An issue was discovered in the ckb crate before 0.40.0 for Rust. A get ...) + NOT-FOR-US: Rust crate ckb +CVE-2021-45697 (An issue was discovered in the molecule crate before 0.7.2 for Rust. A ...) + NOT-FOR-US: Rust crate molecule +CVE-2021-45696 (An issue was discovered in the sha2 crate 0.9.7 before 0.9.8 for Rust. ...) + - rust-sha2 <not-affected> (Only affetced 0.9.7, never uploaded to the archive) + NOTE: https://rustsec.org/advisories/RUSTSEC-2021-0100.html +CVE-2021-45695 (An issue was discovered in the mopa crate through 2021-06-01 for Rust. ...) + NOT-FOR-US: Rust crate mopa +CVE-2021-45694 (An issue was discovered in the rdiff crate through 2021-02-03 for Rust ...) + NOT-FOR-US: Rust crate rdiff +CVE-2021-45693 (An issue was discovered in the messagepack-rs crate through 2021-01-26 ...) + NOT-FOR-US: Rust crate messagepack-rs +CVE-2021-45692 (An issue was discovered in the messagepack-rs crate through 2021-01-26 ...) + NOT-FOR-US: Rust crate messagepack-rs +CVE-2021-45691 (An issue was discovered in the messagepack-rs crate through 2021-01-26 ...) + NOT-FOR-US: Rust crate messagepack-rs +CVE-2021-45690 (An issue was discovered in the messagepack-rs crate through 2021-01-26 ...) + NOT-FOR-US: Rust crate messagepack-rs +CVE-2021-45689 (An issue was discovered in the gfx-auxil crate through 2021-01-07 for ...) + NOT-FOR-US: Rust crate gfx-auxil +CVE-2021-45688 (An issue was discovered in the ash crate before 0.33.1 for Rust. util: ...) + NOT-FOR-US: Rust crate ash +CVE-2021-45687 (An issue was discovered in the raw-cpuid crate before 9.1.1 for Rust. ...) + NOT-FOR-US: Rust crate raw-cpuid +CVE-2021-45686 (An issue was discovered in the csv-sniffer crate through 2021-01-05 fo ...) + NOT-FOR-US: Rust crate csv-sniffer +CVE-2021-45685 (An issue was discovered in the columnar crate through 2021-01-07 for R ...) + NOT-FOR-US: Rust crate columnar +CVE-2021-45684 (An issue was discovered in the flumedb crate through 2021-01-07 for Ru ...) + NOT-FOR-US: Rust crate flumedb +CVE-2021-45683 (An issue was discovered in the binjs_io crate through 2021-01-03 for R ...) + NOT-FOR-US: Rust crate binjs +CVE-2021-45682 (An issue was discovered in the bronzedb-protocol crate through 2021-01 ...) + NOT-FOR-US: Rust crate bronzedb-protocol +CVE-2021-45681 (An issue was discovered in the derive-com-impl crate before 0.1.2 for ...) + NOT-FOR-US: Rust crate derive-com-impl +CVE-2021-45680 (An issue was discovered in the vec-const crate before 2.0.0 for Rust. ...) + NOT-FOR-US: Rust crate vec-const +CVE-2021-45111 + RESERVED +CVE-2021-45071 + RESERVED +CVE-2021-44547 + RESERVED +CVE-2021-44476 + RESERVED +CVE-2021-44475 + RESERVED +CVE-2021-44461 + RESERVED +CVE-2021-44460 + RESERVED +CVE-2021-4178 + RESERVED + NOT-FOR-US: fabric8io/kubernetes-client + NOTE: https://github.com/fabric8io/kubernetes-client/issues/3653 + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2034388 +CVE-2021-4177 (livehelperchat is vulnerable to Generation of Error Message Containing ...) + NOT-FOR-US: livehelperchat +CVE-2021-4176 (livehelperchat is vulnerable to Improper Neutralization of Input Durin ...) + NOT-FOR-US: livehelperchat +CVE-2021-4175 (livehelperchat is vulnerable to Improper Neutralization of Input Durin ...) + NOT-FOR-US: livehelperchat +CVE-2021-26947 + RESERVED +CVE-2021-23186 + RESERVED +CVE-2021-23178 + RESERVED +CVE-2021-23176 + RESERVED +CVE-2021-23166 + RESERVED +CVE-2021-4174 + RESERVED +CVE-2021-4173 (vim is vulnerable to Use After Free ...) + - vim 2:8.2.3995-1 + [bullseye] - vim <no-dsa> (Minor issue) + [buster] - vim <not-affected> (Vulnerable code introduced later) + [stretch] - vim <not-affected> (Vulnerable code introduced later) + NOTE: https://huntr.dev/bounties/a1b236b9-89fb-4ccf-9689-ba11b471e766 + NOTE: Introduced after: https://github.com/vim/vim/commit/04b12697838b232b8b17c553ccc74cf1f1bdb81c (v8.2.0695) + NOTE: Fixed by: https://github.com/vim/vim/commit/9c23f9bb5fe435b28245ba8ac65aa0ca6b902c04 (v8.2.3902) +CVE-2021-4172 (Cross-site Scripting (XSS) - Stored in GitHub repository star7th/showd ...) + NOT-FOR-US: ShowDoc +CVE-2021-4171 (calibre-web is vulnerable to Business Logic Errors ...) + NOT-FOR-US: calibre-web +CVE-2021-45679 (Certain NETGEAR devices are affected by privilege escalation. This aff ...) + NOT-FOR-US: Netgear +CVE-2021-45678 (NETGEAR RAX200 devices before 1.0.5.132 are affected by insecure code. ...) + NOT-FOR-US: Netgear +CVE-2021-45677 (Certain NETGEAR devices are affected by stored XSS. This affects GS108 ...) + NOT-FOR-US: Netgear +CVE-2021-45676 (Certain NETGEAR devices are affected by stored XSS. This affects RAX20 ...) + NOT-FOR-US: Netgear +CVE-2021-45675 (Certain NETGEAR devices are affected by stored XSS. This affects R6120 ...) + NOT-FOR-US: Netgear +CVE-2021-45674 (Certain NETGEAR devices are affected by stored XSS. This affects R7000 ...) + NOT-FOR-US: Netgear +CVE-2021-45673 (Certain NETGEAR devices are affected by stored XSS. This affects R7000 ...) + NOT-FOR-US: Netgear +CVE-2021-45672 (Certain NETGEAR devices are affected by Stored XSS. This affects D6200 ...) + NOT-FOR-US: Netgear +CVE-2021-45671 (Certain NETGEAR devices are affected by stored XSS. This affects CBR40 ...) + NOT-FOR-US: Netgear +CVE-2021-45670 (Certain NETGEAR devices are affected by stored XSS. This affects CBR40 ...) + NOT-FOR-US: Netgear +CVE-2021-45669 (Certain NETGEAR devices are affected by stored XSS. This affects RAX20 ...) + NOT-FOR-US: Netgear +CVE-2021-45668 (Certain NETGEAR devices are affected by stored XSS. This affects EAX20 ...) + NOT-FOR-US: Netgear +CVE-2021-45667 (Certain NETGEAR devices are affected by stored XSS. This affects CBR40 ...) + NOT-FOR-US: Netgear +CVE-2021-45666 (Certain NETGEAR devices are affected by stored XSS. This affects CBR40 ...) + NOT-FOR-US: Netgear +CVE-2021-45665 (Certain NETGEAR devices are affected by stored XSS. This affects EAX20 ...) + NOT-FOR-US: Netgear +CVE-2021-45664 (NETGEAR R7000 devices before 1.0.11.126 are affected by stored XSS. ...) + NOT-FOR-US: Netgear +CVE-2021-45663 (NETGEAR R7000 devices before 1.0.11.126 are affected by stored XSS. ...) + NOT-FOR-US: Netgear +CVE-2021-45662 (NETGEAR R7000 devices before 1.0.9.88 are affected by stored XSS. ...) + NOT-FOR-US: Netgear +CVE-2021-45661 (Certain NETGEAR devices are affected by server-side injection. This af ...) + NOT-FOR-US: Netgear +CVE-2021-45660 (Certain NETGEAR devices are affected by server-side injection. This af ...) + NOT-FOR-US: Netgear +CVE-2021-45659 (Certain NETGEAR devices are affected by server-side injection. This af ...) + NOT-FOR-US: Netgear +CVE-2021-45658 (Certain NETGEAR devices are affected by server-side injection. This af ...) + NOT-FOR-US: Netgear +CVE-2021-45657 (Certain NETGEAR devices are affected by server-side injection. This af ...) + NOT-FOR-US: Netgear +CVE-2021-45656 (Certain NETGEAR devices are affected by server-side injection. This af ...) + NOT-FOR-US: Netgear +CVE-2021-45655 (NETGEAR R6400 devices before 1.0.1.70 are affected by server-side inje ...) + NOT-FOR-US: Netgear +CVE-2021-45654 (NETGEAR XR1000 devices before 1.0.0.58 are affected by disclosure of s ...) + NOT-FOR-US: Netgear +CVE-2021-45653 (Certain NETGEAR devices are affected by disclosure of sensitive inform ...) + NOT-FOR-US: Netgear +CVE-2021-45652 (Certain NETGEAR devices are affected by disclosure of sensitive inform ...) + NOT-FOR-US: Netgear +CVE-2021-45651 (Certain NETGEAR devices are affected by disclosure of sensitive inform ...) + NOT-FOR-US: Netgear +CVE-2021-45650 (Certain NETGEAR devices are affected by disclosure of sensitive inform ...) + NOT-FOR-US: Netgear +CVE-2021-45649 (Certain NETGEAR devices are affected by disclosure of sensitive inform ...) + NOT-FOR-US: Netgear +CVE-2021-45648 (Certain NETGEAR devices are affected by disclosure of sensitive inform ...) + NOT-FOR-US: Netgear +CVE-2021-45647 (Certain NETGEAR devices are affected by disclosure of sensitive inform ...) + NOT-FOR-US: Netgear +CVE-2021-45646 (NETGEAR R7000 devices before 1.0.11.116 are affected by disclosure of ...) + NOT-FOR-US: Netgear +CVE-2021-45645 (Certain NETGEAR devices are affected by incorrect configuration of sec ...) + NOT-FOR-US: Netgear +CVE-2021-45644 (Certain NETGEAR devices are affected by incorrect configuration of sec ...) + NOT-FOR-US: Netgear +CVE-2021-45643 (Certain NETGEAR devices are affected by incorrect configuration of sec ...) + NOT-FOR-US: Netgear +CVE-2021-45642 (Certain NETGEAR devices are affected by incorrect configuration of sec ...) + NOT-FOR-US: Netgear +CVE-2021-45641 (Certain NETGEAR devices are affected by incorrect configuration of sec ...) + NOT-FOR-US: Netgear +CVE-2021-45640 (Certain NETGEAR devices are affected by incorrect configuration of sec ...) + NOT-FOR-US: Netgear +CVE-2021-45639 (Certain NETGEAR devices are affected by reflected XSS. This affects CB ...) + NOT-FOR-US: Netgear +CVE-2021-45638 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) + NOT-FOR-US: Netgear +CVE-2021-45637 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) + NOT-FOR-US: Netgear +CVE-2021-45636 (NETGEAR D7000 devices before 1.0.1.82 are affected by a stack-based bu ...) + NOT-FOR-US: Netgear +CVE-2021-45635 (Certain NETGEAR devices are affected by command injection by an unauth ...) + NOT-FOR-US: Netgear +CVE-2021-45634 (Certain NETGEAR devices are affected by command injection by an unauth ...) + NOT-FOR-US: Netgear +CVE-2021-45633 (Certain NETGEAR devices are affected by command injection by an unauth ...) + NOT-FOR-US: Netgear +CVE-2021-45632 (Certain NETGEAR devices are affected by command injection by an unauth ...) + NOT-FOR-US: Netgear +CVE-2021-45631 (Certain NETGEAR devices are affected by command injection by an unauth ...) + NOT-FOR-US: Netgear +CVE-2021-45630 (Certain NETGEAR devices are affected by command injection by an unauth ...) + NOT-FOR-US: Netgear +CVE-2021-45629 (Certain NETGEAR devices are affected by command injection by an unauth ...) + NOT-FOR-US: Netgear +CVE-2021-45628 (Certain NETGEAR devices are affected by command injection by an unauth ...) + NOT-FOR-US: Netgear +CVE-2021-45627 (Certain NETGEAR devices are affected by command injection by an unauth ...) + NOT-FOR-US: Netgear +CVE-2021-45626 (Certain NETGEAR devices are affected by command injection by an unauth ...) + NOT-FOR-US: Netgear +CVE-2021-45625 (Certain NETGEAR devices are affected by command injection by an unauth ...) + NOT-FOR-US: Netgear +CVE-2021-45624 (Certain NETGEAR devices are affected by command injection by an unauth ...) + NOT-FOR-US: Netgear +CVE-2021-45623 (Certain NETGEAR devices are affected by command injection by an unauth ...) + NOT-FOR-US: Netgear +CVE-2021-45622 (Certain NETGEAR devices are affected by command injection by an unauth ...) + NOT-FOR-US: Netgear +CVE-2021-45621 (Certain NETGEAR devices are affected by command injection by an unauth ...) + NOT-FOR-US: Netgear +CVE-2021-45620 (Certain NETGEAR devices are affected by command injection by an unauth ...) + NOT-FOR-US: Netgear +CVE-2021-45619 (Certain NETGEAR devices are affected by command injection by an unauth ...) + NOT-FOR-US: Netgear +CVE-2021-45618 (Certain NETGEAR devices are affected by command injection by an unauth ...) + NOT-FOR-US: Netgear +CVE-2021-45617 (Certain NETGEAR devices are affected by command injection by an unauth ...) + NOT-FOR-US: Netgear +CVE-2021-45616 (Certain NETGEAR devices are affected by command injection by an unauth ...) + NOT-FOR-US: Netgear +CVE-2021-45615 (Certain NETGEAR devices are affected by command injection by an unauth ...) + NOT-FOR-US: Netgear +CVE-2021-45614 (Certain NETGEAR devices are affected by command injection by an unauth ...) + NOT-FOR-US: Netgear +CVE-2021-45613 (Certain NETGEAR devices are affected by command injection by an unauth ...) + NOT-FOR-US: Netgear +CVE-2021-45612 (Certain NETGEAR devices are affected by command injection by an unauth ...) + NOT-FOR-US: Netgear +CVE-2021-45611 (Certain NETGEAR devices are affected by a buffer overflow by an unauth ...) + NOT-FOR-US: Netgear +CVE-2021-45610 (Certain NETGEAR devices are affected by a buffer overflow by an unauth ...) + NOT-FOR-US: Netgear +CVE-2021-45609 (Certain NETGEAR devices are affected by a buffer overflow by an unauth ...) + NOT-FOR-US: Netgear +CVE-2021-45608 (Certain D-Link, Edimax, NETGEAR, TP-Link, Tenda, and Western Digital d ...) + NOT-FOR-US: D-Link, Edimax, NETGEAR, TP-Link, Tenda, and Western Digital devices +CVE-2021-45607 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) + NOT-FOR-US: Netgear +CVE-2021-45606 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) + NOT-FOR-US: Netgear +CVE-2021-45605 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) + NOT-FOR-US: Netgear +CVE-2021-45604 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) + NOT-FOR-US: Netgear +CVE-2021-45603 (Certain NETGEAR devices are affected by disclosure of sensitive inform ...) + NOT-FOR-US: Netgear +CVE-2021-45602 (Certain NETGEAR devices are affected by command injection by an authen ...) + NOT-FOR-US: Netgear +CVE-2021-45601 (Certain NETGEAR devices are affected by command injection by an authen ...) + NOT-FOR-US: Netgear +CVE-2021-45600 (Certain NETGEAR devices are affected by command injection by an authen ...) + NOT-FOR-US: Netgear +CVE-2021-45599 (Certain NETGEAR devices are affected by command injection by an authen ...) + NOT-FOR-US: Netgear +CVE-2021-45598 (Certain NETGEAR devices are affected by command injection by an authen ...) + NOT-FOR-US: Netgear +CVE-2021-45597 (Certain NETGEAR devices are affected by command injection by an authen ...) + NOT-FOR-US: Netgear +CVE-2021-45596 (Certain NETGEAR devices are affected by command injection by an authen ...) + NOT-FOR-US: Netgear +CVE-2021-45595 (Certain NETGEAR devices are affected by command injection by an authen ...) + NOT-FOR-US: Netgear +CVE-2021-45594 (Certain NETGEAR devices are affected by command injection by an authen ...) + NOT-FOR-US: Netgear +CVE-2021-45593 (Certain NETGEAR devices are affected by command injection by an authen ...) + NOT-FOR-US: Netgear +CVE-2021-45592 (Certain NETGEAR devices are affected by command injection by an authen ...) + NOT-FOR-US: Netgear +CVE-2021-45591 (Certain NETGEAR devices are affected by command injection by an authen ...) + NOT-FOR-US: Netgear +CVE-2021-45590 (Certain NETGEAR devices are affected by command injection by an authen ...) + NOT-FOR-US: Netgear +CVE-2021-45589 (Certain NETGEAR devices are affected by command injection by an authen ...) + NOT-FOR-US: Netgear +CVE-2021-45588 (Certain NETGEAR devices are affected by command injection by an authen ...) + NOT-FOR-US: Netgear +CVE-2021-45587 (Certain NETGEAR devices are affected by command injection by an authen ...) + NOT-FOR-US: Netgear +CVE-2021-45586 (Certain NETGEAR devices are affected by command injection by an authen ...) + NOT-FOR-US: Netgear +CVE-2021-45585 (Certain NETGEAR devices are affected by command injection by an authen ...) + NOT-FOR-US: Netgear +CVE-2021-45584 (Certain NETGEAR devices are affected by command injection by an authen ...) + NOT-FOR-US: Netgear +CVE-2021-45583 (Certain NETGEAR devices are affected by command injection by an authen ...) + NOT-FOR-US: Netgear +CVE-2021-45582 (Certain NETGEAR devices are affected by command injection by an authen ...) + NOT-FOR-US: Netgear +CVE-2021-45581 (Certain NETGEAR devices are affected by command injection by an authen ...) + NOT-FOR-US: Netgear +CVE-2021-45580 (Certain NETGEAR devices are affected by command injection by an authen ...) + NOT-FOR-US: Netgear +CVE-2021-45579 (Certain NETGEAR devices are affected by command injection by an authen ...) + NOT-FOR-US: Netgear +CVE-2021-45578 (Certain NETGEAR devices are affected by command injection by an authen ...) + NOT-FOR-US: Netgear +CVE-2021-45577 (Certain NETGEAR devices are affected by command injection by an authen ...) + NOT-FOR-US: Netgear +CVE-2021-45576 (Certain NETGEAR devices are affected by command injection by an authen ...) + NOT-FOR-US: Netgear +CVE-2021-45575 (Certain NETGEAR devices are affected by command injection by an authen ...) + NOT-FOR-US: Netgear +CVE-2021-45574 (Certain NETGEAR devices are affected by command injection by an authen ...) + NOT-FOR-US: Netgear +CVE-2021-45573 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) + NOT-FOR-US: Netgear +CVE-2021-45572 (Certain NETGEAR devices are affected by command injection by an authen ...) + NOT-FOR-US: Netgear +CVE-2021-45571 (Certain NETGEAR devices are affected by command injection by an authen ...) + NOT-FOR-US: Netgear +CVE-2021-45570 (Certain NETGEAR devices are affected by command injection by an authen ...) + NOT-FOR-US: Netgear +CVE-2021-45569 (Certain NETGEAR devices are affected by command injection by an authen ...) + NOT-FOR-US: Netgear +CVE-2021-45568 (Certain NETGEAR devices are affected by command injection by an authen ...) + NOT-FOR-US: Netgear +CVE-2021-45567 (Certain NETGEAR devices are affected by command injection by an authen ...) + NOT-FOR-US: Netgear +CVE-2021-45566 (Certain NETGEAR devices are affected by command injection by an authen ...) + NOT-FOR-US: Netgear +CVE-2021-45565 (Certain NETGEAR devices are affected by command injection by an authen ...) + NOT-FOR-US: Netgear +CVE-2021-45564 (Certain NETGEAR devices are affected by command injection by an authen ...) + NOT-FOR-US: Netgear +CVE-2021-45563 (Certain NETGEAR devices are affected by command injection by an authen ...) + NOT-FOR-US: Netgear +CVE-2021-45562 (Certain NETGEAR devices are affected by command injection by an authen ...) + NOT-FOR-US: Netgear +CVE-2021-45561 (Certain NETGEAR devices are affected by command injection by an authen ...) + NOT-FOR-US: Netgear +CVE-2021-45560 (Certain NETGEAR devices are affected by command injection by an authen ...) + NOT-FOR-US: Netgear +CVE-2021-45559 (Certain NETGEAR devices are affected by command injection by an authen ...) + NOT-FOR-US: Netgear +CVE-2021-45558 (Certain NETGEAR devices are affected by command injection by an authen ...) + NOT-FOR-US: Netgear +CVE-2021-45557 (Certain NETGEAR devices are affected by command injection by an authen ...) + NOT-FOR-US: Netgear +CVE-2021-45556 (Certain NETGEAR devices are affected by command injection by an authen ...) + NOT-FOR-US: Netgear +CVE-2021-45555 (Certain NETGEAR devices are affected by command injection by an authen ...) + NOT-FOR-US: Netgear +CVE-2021-45554 (Certain NETGEAR devices are affected by command injection by an authen ...) + NOT-FOR-US: Netgear +CVE-2021-45553 (Certain NETGEAR devices are affected by command injection by an authen ...) + NOT-FOR-US: Netgear +CVE-2021-45552 (Certain NETGEAR devices are affected by command injection by an authen ...) + NOT-FOR-US: Netgear +CVE-2021-45551 (Certain NETGEAR devices are affected by command injection by an authen ...) + NOT-FOR-US: Netgear +CVE-2021-45550 (Certain NETGEAR devices are affected by command injection by an authen ...) + NOT-FOR-US: Netgear +CVE-2021-45549 (Certain NETGEAR devices are affected by command injection by an authen ...) + NOT-FOR-US: Netgear +CVE-2021-45548 (Certain NETGEAR devices are affected by command injection by an authen ...) + NOT-FOR-US: Netgear +CVE-2021-45547 (Certain NETGEAR devices are affected by command injection by an authen ...) + NOT-FOR-US: Netgear +CVE-2021-45546 (Certain NETGEAR devices are affected by command injection by an authen ...) + NOT-FOR-US: Netgear +CVE-2021-45545 (Certain NETGEAR devices are affected by command injection by an authen ...) + NOT-FOR-US: Netgear +CVE-2021-45544 (Certain NETGEAR devices are affected by command injection by an authen ...) + NOT-FOR-US: Netgear +CVE-2021-45543 (Certain NETGEAR devices are affected by command injection by an authen ...) + NOT-FOR-US: Netgear +CVE-2021-45542 (Certain NETGEAR devices are affected by command injection by an authen ...) + NOT-FOR-US: Netgear +CVE-2021-45541 (Certain NETGEAR devices are affected by command injection by an authen ...) + NOT-FOR-US: Netgear +CVE-2021-45540 (Certain NETGEAR devices are affected by command injection by an authen ...) + NOT-FOR-US: Netgear +CVE-2021-45539 (Certain NETGEAR devices are affected by command injection by an authen ...) + NOT-FOR-US: Netgear +CVE-2021-45538 (Certain NETGEAR devices are affected by command injection by an authen ...) + NOT-FOR-US: Netgear +CVE-2021-45537 (Certain NETGEAR devices are affected by command injection by an authen ...) + NOT-FOR-US: Netgear +CVE-2021-45536 (Certain NETGEAR devices are affected by command injection by an authen ...) + NOT-FOR-US: Netgear +CVE-2021-45535 (Certain NETGEAR devices are affected by command injection by an authen ...) + NOT-FOR-US: Netgear +CVE-2021-45534 (Certain NETGEAR devices are affected by command injection by an authen ...) + NOT-FOR-US: Netgear +CVE-2021-45533 (Certain NETGEAR devices are affected by command injection by an authen ...) + NOT-FOR-US: Netgear +CVE-2021-45532 (NETGEAR R8000 devices before 1.0.4.76 are affected by command injectio ...) + NOT-FOR-US: Netgear +CVE-2021-45531 (NETGEAR D6220 devices before 1.0.0.76 are affected by command injectio ...) + NOT-FOR-US: Netgear +CVE-2021-45530 (Certain NETGEAR devices are affected by a buffer overflow by an authen ...) + NOT-FOR-US: Netgear +CVE-2021-45529 (Certain NETGEAR devices are affected by a buffer overflow by an authen ...) + NOT-FOR-US: Netgear +CVE-2021-45528 (Certain NETGEAR devices are affected by a buffer overflow by an authen ...) + NOT-FOR-US: Netgear +CVE-2021-45527 (Certain NETGEAR devices are affected by a buffer overflow by an authen ...) + NOT-FOR-US: Netgear +CVE-2021-45526 (Certain NETGEAR devices are affected by a buffer overflow by an authen ...) + NOT-FOR-US: Netgear +CVE-2021-45525 (Certain NETGEAR devices are affected by a buffer overflow by an authen ...) + NOT-FOR-US: Netgear +CVE-2021-45524 (NETGEAR R8000 devices before 1.0.4.62 are affected by a buffer overflo ...) + NOT-FOR-US: Netgear +CVE-2021-45523 (NETGEAR R7000 devices before 1.0.9.42 are affected by a buffer overflo ...) + NOT-FOR-US: Netgear +CVE-2021-45522 (NETGEAR XR1000 devices before 1.0.0.58 are affected by a hardcoded pas ...) + NOT-FOR-US: Netgear +CVE-2021-45521 (Certain NETGEAR devices are affected by a hardcoded password. This aff ...) + NOT-FOR-US: Netgear +CVE-2021-45520 (Certain NETGEAR devices are affected by a hardcoded password. This aff ...) + NOT-FOR-US: Netgear +CVE-2021-45519 (NETGEAR XR1000 devices before 1.0.0.58 are affected by denial of servi ...) + NOT-FOR-US: Netgear +CVE-2021-45518 (NETGEAR XR1000 devices before 1.0.0.58 are affected by denial of servi ...) + NOT-FOR-US: Netgear +CVE-2021-45517 (NETGEAR XR1000 devices before 1.0.0.58 are affected by denial of servi ...) + NOT-FOR-US: Netgear +CVE-2021-45516 (Certain NETGEAR devices are affected by denial of service. This affect ...) + NOT-FOR-US: Netgear +CVE-2021-45515 (Certain NETGEAR devices are affected by denial of service. This affect ...) + NOT-FOR-US: Netgear +CVE-2021-45514 (NETGEAR XR1000 devices before 1.0.0.58 are affected by command injecti ...) + NOT-FOR-US: Netgear +CVE-2021-45513 (NETGEAR XR1000 devices before 1.0.0.58 are affected by command injecti ...) + NOT-FOR-US: Netgear +CVE-2021-45512 (Certain NETGEAR devices are affected by weak cryptography. This affect ...) + NOT-FOR-US: Netgear +CVE-2021-45511 (Certain NETGEAR devices are affected by authentication bypass. This af ...) + NOT-FOR-US: Netgear +CVE-2021-45510 (NETGEAR XR1000 devices before 1.0.0.58 are affected by authentication ...) + NOT-FOR-US: Netgear +CVE-2021-45509 (Certain NETGEAR devices are affected by authentication bypass. This af ...) + NOT-FOR-US: Netgear +CVE-2021-45508 (Certain NETGEAR devices are affected by authentication bypass. This af ...) + NOT-FOR-US: Netgear +CVE-2021-45507 (Certain NETGEAR devices are affected by authentication bypass. This af ...) + NOT-FOR-US: Netgear +CVE-2021-45506 (Certain NETGEAR devices are affected by authentication bypass. This af ...) + NOT-FOR-US: Netgear +CVE-2021-45505 (Certain NETGEAR devices are affected by authentication bypass. This af ...) + NOT-FOR-US: Netgear +CVE-2021-45504 (Certain NETGEAR devices are affected by authentication bypass. This af ...) + NOT-FOR-US: Netgear +CVE-2021-45503 (Certain NETGEAR devices are affected by authentication bypass. This af ...) + NOT-FOR-US: Netgear +CVE-2021-45502 (Certain NETGEAR devices are affected by authentication bypass. This af ...) + NOT-FOR-US: Netgear +CVE-2021-45501 (Certain NETGEAR devices are affected by authentication bypass. This af ...) + NOT-FOR-US: Netgear +CVE-2021-45500 (Certain NETGEAR devices are affected by authentication bypass. This af ...) + NOT-FOR-US: Netgear +CVE-2021-45499 (Certain NETGEAR devices are affected by authentication bypass. This af ...) + NOT-FOR-US: Netgear +CVE-2021-45498 (NETGEAR R6700v2 devices before 1.2.0.88 are affected by authentication ...) + NOT-FOR-US: Netgear +CVE-2021-45497 (NETGEAR D7000 devices before 1.0.1.82 are affected by authentication b ...) + NOT-FOR-US: Netgear +CVE-2021-45496 (NETGEAR D7000 devices before 1.0.1.82 are affected by authentication b ...) + NOT-FOR-US: Netgear +CVE-2021-45495 (NETGEAR D7000 devices before 1.0.1.68 are affected by authentication b ...) + NOT-FOR-US: Netgear +CVE-2021-45494 (Certain NETGEAR devices are affected by an attacker's ability to read ...) + NOT-FOR-US: Netgear +CVE-2021-45493 (Certain NETGEAR devices are affected by disclosure of administrative c ...) + NOT-FOR-US: Netgear +CVE-2021-4170 (calibre-web is vulnerable to Improper Neutralization of Input During W ...) + NOT-FOR-US: calibre-web +CVE-2021-4169 (livehelperchat is vulnerable to Improper Neutralization of Input Durin ...) + NOT-FOR-US: livehelperchat +CVE-2021-45492 + RESERVED +CVE-2021-4168 (showdoc is vulnerable to Cross-Site Request Forgery (CSRF) ...) + NOT-FOR-US: ShowDoc +CVE-2021-45491 + RESERVED +CVE-2021-45490 + RESERVED +CVE-2021-45489 (In NetBSD through 9.2, the IPv6 Flow Label generation algorithm employ ...) + NOT-FOR-US: NetBSD +CVE-2021-45488 (In NetBSD through 9.2, there is an information leak in the TCP ISN (IS ...) + NOT-FOR-US: NetBSD +CVE-2021-45487 (In NetBSD through 9.2, the IPv4 ID generation algorithm does not use a ...) + NOT-FOR-US: NetBSD +CVE-2021-45486 (In the IPv4 implementation in the Linux kernel before 5.12.4, net/ipv4 ...) + - linux 5.10.38-1 + [buster] - linux 4.19.208-1 + [stretch] - linux 4.9.290-1 + NOTE: https://arxiv.org/pdf/2112.09604.pdf + NOTE: https://git.kernel.org/linus/aa6dd211e4b1dde9d5dc25d699d35f789ae7eeba (5.13-rc1) +CVE-2021-45485 (In the IPv6 implementation in the Linux kernel before 5.13.3, net/ipv6 ...) + - linux 5.14.6-1 + [bullseye] - linux 5.10.70-1 + [buster] - linux 4.19.208-1 + [stretch] - linux 4.9.290-1 + NOTE: https://arxiv.org/pdf/2112.09604.pdf + NOTE: https://git.kernel.org/linus/62f20e068ccc50d6ab66fdb72ba90da2b9418c99 (5.14-rc1) +CVE-2021-45484 (In NetBSD through 9.2, the IPv6 fragment ID generation algorithm emplo ...) + NOT-FOR-US: NetBSD +CVE-2021-45483 (In WebKitGTK before 2.32.4, there is a use-after-free in WebCore::Fram ...) + {DSA-4996-1 DSA-4995-1} + - webkit2gtk 2.34.0-1 + [stretch] - webkit2gtk <ignored> (Not covered by security support in stretch) + - wpewebkit 2.34.1-1 +CVE-2021-45482 (In WebKitGTK before 2.32.4, there is a use-after-free in WebCore::Cont ...) + {DSA-4976-1 DSA-4975-1} + - webkit2gtk 2.32.4-1 + [stretch] - webkit2gtk <ignored> (Not covered by security support in stretch) + - wpewebkit 2.32.4-1 +CVE-2021-45481 (In WebKitGTK before 2.32.4, there is incorrect memory allocation in We ...) + {DSA-4996-1 DSA-4995-1} + - webkit2gtk 2.34.0-1 + [stretch] - webkit2gtk <ignored> (Not covered by security support in stretch) + - wpewebkit 2.34.1-1 +CVE-2021-45480 (An issue was discovered in the Linux kernel before 5.15.11. There is a ...) + {DSA-5050-1} + - linux 5.15.15-1 + [stretch] - linux <not-affected> (Vulnerable code introduced later) + NOTE: https://git.kernel.org/linus/5f9562ebe710c307adc5f666bf1a2162ee7977c0 +CVE-2021-4167 + RESERVED +CVE-2021-45479 + RESERVED +CVE-2021-45478 + RESERVED +CVE-2021-45477 + RESERVED +CVE-2021-45476 + RESERVED +CVE-2021-45475 + RESERVED +CVE-2021-4166 (vim is vulnerable to Out-of-bounds Read ...) + - vim 2:8.2.3995-1 + [bullseye] - vim <no-dsa> (Minor issue) + [buster] - vim <no-dsa> (Minor issue) + NOTE: https://huntr.dev/bounties/229df5dd-5507-44e9-832c-c70364bdf035 + NOTE: https://github.com/vim/vim/commit/6f98371532fcff911b462d51bc64f2ce8a6ae682 (v8.2.3884) +CVE-2021-4165 + RESERVED +CVE-2021-4164 (calibre-web is vulnerable to Cross-Site Request Forgery (CSRF) ...) + NOT-FOR-US: calibre-web +CVE-2021-4163 + RESERVED +CVE-2021-4162 (archivy is vulnerable to Cross-Site Request Forgery (CSRF) ...) + NOT-FOR-US: archivy +CVE-2021-45474 (In MediaWiki through 1.37, the Special:ImportFile URI (aka FileImporte ...) + NOT-FOR-US: FileImporter MediaWiki extension + NOTE: https://gerrit.wikimedia.org/r/q/Id1c8910aeac5b452fbabeddab70360765518223e + NOTE: https://phabricator.wikimedia.org/T296605 +CVE-2021-45473 (In MediaWiki through 1.37, Wikibase item descriptions allow XSS, which ...) + NOT-FOR-US: WikiBase MediaWiki extension + NOTE: https://gerrit.wikimedia.org/r/q/I3cd080a1a7dacd7396d37ee0c98cff0b4e241f8d + NOTE: https://phabricator.wikimedia.org/T294693 +CVE-2021-45472 (In MediaWiki through 1.37, XSS can occur in Wikibase because an extern ...) + NOT-FOR-US: WikiBase MediaWiki extension + NOTE: https://gerrit.wikimedia.org/r/q/I37ece1dfdc80d38055067c9c4fa73ba591acd8bd + NOTE: https://phabricator.wikimedia.org/T297570 +CVE-2021-45471 (In MediaWiki through 1.37, blocked IP addresses are allowed to edit En ...) + NOT-FOR-US: EntitySchema MediaWiki extension + NOTE: https://gerrit.wikimedia.org/r/q/Iac86cf63bd014ef99e83dccfce9b8942e15d2bf9 + NOTE: https://gerrit.wikimedia.org/r/q/Id9af124427bcd1e85301d2140a38bf47bbc5622c + NOTE: https://phabricator.wikimedia.org/T296578 +CVE-2021-45470 (lib/DatabaseLayer.py in cve-search before 4.1.0 allows regular express ...) + NOT-FOR-US: cve-search +CVE-2021-4161 (The affected products contain vulnerable firmware, which could allow a ...) + NOT-FOR-US: Moxa +CVE-2021-45469 (In __f2fs_setxattr in fs/f2fs/xattr.c in the Linux kernel through 5.15 ...) + {DSA-5050-1} + - linux 5.15.15-1 + NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=215235 +CVE-2021-45468 (Imperva Web Application Firewall (WAF) before 2021-12-23 allows remote ...) + NOT-FOR-US: Imperva Web Application Firewall +CVE-2021-45467 + RESERVED +CVE-2021-45466 + RESERVED +CVE-2021-45465 + RESERVED +CVE-2021-4160 (There is a carry propagation bug in the MIPS32 and MIPS64 squaring pro ...) + - openssl 1.1.1m-1 + [bullseye] - openssl <no-dsa> (Minor issue) + [buster] - openssl <no-dsa> (Minor issue) + [stretch] - openssl <ignored> (This is MIPS-specific and we don't support MIPS for stretch-security) + NOTE: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e9e726506cd2a3fd9c0f12daf8cc1fe934c7dddb (OpenSSL_1_1_1m) + NOTE: https://mta.openssl.org/pipermail/openssl-announce/2022-January/000214.html + NOTE: https://www.openssl.org/news/secadv/20220128.txt +CVE-2021-4159 [bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()] + RESERVED + - linux 5.7.6-1 + NOTE: Fixed by: https://git.kernel.org/linus/294f2fc6da27620a506e6c050241655459ccd6bd (5.7-rc1) +CVE-2021-45464 [hypervisor escape and host code execution] + RESERVED + - kvmtool <unfixed> + NOTE: https://www.kalmarunionen.dk/writeups/2021/hxp-2021/lkvm/ +CVE-2021-45463 (load_cache in GEGL before 0.4.34 allows shell expansion when a pathnam ...) + - gegl 1:0.4.34-1 (bug #1002661) + [bullseye] - gegl <no-dsa> (Minor issue) + [buster] - gegl <no-dsa> (Minor issue) + [stretch] - gegl <no-dsa> (Minor issue; can be fixed later) + NOTE: Fixed by: https://gitlab.gnome.org/GNOME/gegl/-/commit/bfce470f0f2f37968862129d5038b35429f2909b (GEGL_0_4_34) + NOTE: Followup: https://gitlab.gnome.org/GNOME/gegl/-/commit/2172cf7e8d7e8891ae2053d6eef213d5bef939cb (GEGL_0_4_34) +CVE-2021-45462 (In Open5GS 2.4.0, a crafted packet from UE can crash SGW-U/UPF. ...) + NOT-FOR-US: Open5GS +CVE-2021-4158 [NULL pointer dereference in pci_write() in hw/acpi/pcihp.c] + RESERVED + - qemu 1:6.2+dfsg-2 + [bullseye] - qemu <not-affected> (Vulnerable code introduced later) + [buster] - qemu <not-affected> (Vulnerable code introduced later) + [stretch] - qemu <not-affected> (Vulnerable code introduced later) + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2035002 + NOTE: https://gitlab.com/qemu-project/qemu/-/issues/770 + NOTE: Introduced in: https://gitlab.com/qemu-project/qemu/-/commit/b32bd763a1ca929677e22ae1c51cb3920921bdce (v6.0.0-rc0) + NOTE: Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/9bd6565ccee68f72d5012e24646e12a1c662827e + NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2021-12/msg03692.html +CVE-2021-45461 (FreePBX, when restapps (aka Rest Phone Apps) 15.0.19.87, 15.0.19.88, 1 ...) + NOT-FOR-US: FreePBX +CVE-2021-45460 (A vulnerability has been identified in SICAM PQ Analyzer (All versions ...) + NOT-FOR-US: Siemens +CVE-2021-4157 [pNFS/flexfiles: fix incorrect size check in decode_nfs_fh()] + RESERVED + - linux 5.10.38-1 + [buster] - linux 4.19.194-1 + [stretch] - linux 4.9.272-1 + NOTE: https://git.kernel.org/linus/ed34695e15aba74f45247f1ee2cf7e09d449f925 (5.13-rc1) +CVE-2021-4156 [heap out-of-bounds read in src/flac.c in flac_buffer_copy] + RESERVED + - libsndfile <unfixed> + [bullseye] - libsndfile <no-dsa> (Minor issue) + [buster] - libsndfile <no-dsa> (Minor issue) + [stretch] - libsndfile <no-dsa> (Minor issue) + NOTE: https://github.com/libsndfile/libsndfile/issues/731 + NOTE: https://github.com/libsndfile/libsndfile/commit/ced91d7b971be6173b604154c39279ce90ad87cc (1.1.0beta1) +CVE-2021-4155 + RESERVED + {DSA-5050-1} + - linux 5.15.15-1 + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2034813 + NOTE: https://git.kernel.org/linus/983d8e60f50806f90534cc5373d0ce867e5aaf79 (5.16) + NOTE: https://www.openwall.com/lists/oss-security/2022/01/10/1 +CVE-2021-45459 (lib/cmd.js in the node-windows package before 1.0.0-beta.6 for Node.js ...) + NOT-FOR-US: Node windows +CVE-2021-4154 (A use-after-free flaw was found in cgroup1_parse_param in kernel/cgrou ...) + - linux 5.14.6-1 + [bullseye] - linux 5.10.70-1 + [buster] - linux <not-affected> (Vulnerable code not present) + [stretch] - linux <not-affected> (Vulnerable code not present) + NOTE: https://git.kernel.org/linus/3b0462726e7ef281c35a7a4ae33e93ee2bc9975b (5.14-rc2) +CVE-2021-4153 + RESERVED +CVE-2021-4152 + RESERVED +CVE-2021-4151 + RESERVED +CVE-2021-45458 (Apache Kylin provides encryption classes PasswordPlaceholderConfigurer ...) + NOT-FOR-US: Apache Kylin (different from Kylin desktop environment) +CVE-2021-45457 (In Apache Kylin, Cross-origin requests with credentials are allowed to ...) + NOT-FOR-US: Apache Kylin (different from Kylin desktop environment) +CVE-2021-45456 (Apache kylin checks the legitimacy of the project before executing som ...) + NOT-FOR-US: Apache Kylin (different from Kylin desktop environment) +CVE-2021-45455 + RESERVED +CVE-2021-45454 + RESERVED +CVE-2021-45453 + RESERVED +CVE-2021-45452 (Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 b ...) + - python-django 2:3.2.11-1 (bug #1003113) + [bullseye] - python-django <postponed> (Minor issue; fix in next update) + [buster] - python-django <postponed> (Minor issue; fix in next update) + [stretch] - python-django <postponed> (Minor issue; fix in next update) + NOTE: https://www.djangoproject.com/weblog/2022/jan/04/security-releases/ + NOTE: https://github.com/django/django/commit/8d2f7cff76200cbd2337b2cf1707e383eb1fb54b (3.2.11) + NOTE: https://github.com/django/django/commit/4cb35b384ceef52123fc66411a73c36a706825e1 (2.2.26) +CVE-2021-4150 [Block subsystem mishandles reference counts] + RESERVED + - linux 5.15.3-1 + NOTE: https://git.kernel.org/linus/9fbfabfda25d8774c5a08634fdd2da000a924890 (5.15-rc7) +CVE-2021-4149 [Improper lock operation in btrfs] + RESERVED + - linux 5.14.16-1 + NOTE: https://git.kernel.org/linus/19ea40dddf1833db868533958ca066f368862211 (5.15-rc6) +CVE-2021-4148 [Improper implementation of block_invalidatepage() allows users to crash the kernel] + RESERVED + - linux <unfixed> + NOTE: https://lkml.org/lkml/2021/9/17/1037 + NOTE: https://lkml.org/lkml/2021/9/12/323 +CVE-2021-4147 [deadlock and crash in libxl driver] + RESERVED + - libvirt 7.10.0-2 (bug #1002535) + [bullseye] - libvirt <no-dsa> (Minor issue) + [buster] - libvirt <no-dsa> (Minor issue) + [stretch] - libvirt <no-dsa> (Minor issue) + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2034195 + NOTE: https://listman.redhat.com/archives/libvir-list/2021-November/msg00908.html + NOTE: https://gitlab.com/libvirt/libvirt/-/commit/23b51d7b8ec885e97a9277cf0a6c2833db4636e8 + NOTE: https://gitlab.com/libvirt/libvirt/-/commit/a4e6fba069c0809b8b5dde5e9db62d2efd91b4a0 + NOTE: https://gitlab.com/libvirt/libvirt/-/commit/e4f7589a3ec285489618ca04c8c0230cc31f3d99 + NOTE: https://gitlab.com/libvirt/libvirt/-/commit/b9a5faea49b7412e26d7389af4c32fc2b3ee80e5 + NOTE: https://gitlab.com/libvirt/libvirt/-/commit/5c5df5310f72be4878a71ace47074c54e0d1a27d + NOTE: https://gitlab.com/libvirt/libvirt/-/commit/a7a03324d86e111f81687b5315b8f296dde84340 +CVE-2021-4146 (Business Logic Errors in GitHub repository pimcore/pimcore prior to 10 ...) + NOT-FOR-US: pimcore +CVE-2021-4145 (A NULL pointer dereference issue was found in the block mirror layer o ...) + - qemu 1:6.2+dfsg-1 + [bullseye] - qemu <not-affected> (Vulnerable code introduced later) + [buster] - qemu <not-affected> (Vulnerable code introduced later) + [stretch] - qemu <not-affected> (Vulnerable code introduced later) + NOTE: Introduced by: https://gitlab.com/qemu-project/qemu/-/commit/d44dae1a7cf782ec9235746ebb0e6c1a20dd7288 (v6.1.0-rc0) + NOTE: Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/66fed30c9cd11854fc878a4eceb507e915d7c9cd (v6.2.0-rc0) +CVE-2021-4144 (TP-Link wifi router TL-WR802N V4(JP), with firmware version prior to 2 ...) + NOT-FOR-US: TP-Link +CVE-2021-45451 (In Mbed TLS before 3.1.0, psa_aead_generate_nonce allows policy bypass ...) + - mbedtls <not-affected> (Vulnerable code introduced later) + NOTE: https://github.com/ARMmbed/mbedtls/commit/cae590905363747d26fb5617b71bd567541a2f39 (mbedtls-3.1.0) +CVE-2021-45450 (In Mbed TLS before 2.28.0 and 3.x before 3.1.0, psa_cipher_generate_iv ...) + - mbedtls <not-affected> (Vulnerable code introduced later) + NOTE: https://github.com/ARMmbed/mbedtls/commit/c423acbe0f7957d8ef1e6036c2429c9f79c6f05e (mbedtls-2.28.0) + NOTE: https://github.com/ARMmbed/mbedtls/commit/4c224fe3ccbe527a2b7d55a927f1f09511ff1b83 (mbedtls-2.28.0) +CVE-2021-45449 (Docker Desktop version 4.3.0 and 4.3.1 has a bug that may log sensitiv ...) + NOT-FOR-US: Docker Desktop on Windows +CVE-2021-45448 + RESERVED +CVE-2021-45447 + RESERVED +CVE-2021-45446 + RESERVED +CVE-2021-45445 (Unisys ClearPath MCP TCP/IP Networking Services 59.1, 60.0, and 62.0 h ...) + NOT-FOR-US: Unisys +CVE-2021-45444 (In zsh before 5.8.1, an attacker can achieve code execution if they co ...) + {DSA-5078-1 DLA-2926-1} + - zsh 5.8.1-1 + NOTE: https://sourceforge.net/p/zsh/code/ci/c187154f47697cdbf822c2f9d714d570ed4a0fd1/ + NOTE: https://sourceforge.net/p/zsh/code/ci/fdb8b0ce6244ff26bf55e0fd825310a58d0d3156/ + NOTE: https://sourceforge.net/p/zsh/code/ci/bdc4d70a7e033b754e68a8659a037ea0fc5f38de/ +CVE-2021-45443 + RESERVED +CVE-2021-4143 (Cross-site Scripting (XSS) - Generic in GitHub repository bigbluebutto ...) + NOT-FOR-US: BigBlueButton +CVE-2021-45442 (A link following denial-of-service vulnerability in Trend Micro Worry- ...) + NOT-FOR-US: Trend Micro +CVE-2021-45441 (A origin validation error vulnerability in Trend Micro Apex One (on-pr ...) + NOT-FOR-US: Trend Micro +CVE-2021-45440 (A unnecessary privilege vulnerability in Trend Micro Apex One and Tren ...) + NOT-FOR-US: Trend Micro +CVE-2021-45439 + RESERVED +CVE-2021-45438 + RESERVED +CVE-2021-45437 + RESERVED +CVE-2021-45436 + RESERVED +CVE-2021-45435 (An SQL Injection vulnerability exists in Sourcecodester Simple Cold St ...) + NOT-FOR-US: Sourcecodester +CVE-2021-45434 + RESERVED +CVE-2021-45433 + RESERVED +CVE-2021-45432 + RESERVED +CVE-2021-45431 + RESERVED +CVE-2021-45430 + RESERVED +CVE-2021-45429 (A Buffer Overflow vulnerablity exists in VirusTotal YARA git commit: 6 ...) + - yara <unfixed> + [stretch] - yara <no-dsa> (Minor issue) + NOTE: https://github.com/VirusTotal/yara/issues/1616 + NOTE: https://github.com/VirusTotal/yara/commit/a36b497926b141624ea673111a101e9ddd7ac2eb (v4.2.0-rc1) +CVE-2021-45428 (TLR-2005KSH is affected by an incorrect access control vulnerability. ...) + NOT-FOR-US: TLR-2005KSH +CVE-2021-45427 (Emerson XWEB 300D EVO 3.0.7--3ee403 is affected by: unauthenticated ar ...) + NOT-FOR-US: Emerson +CVE-2021-45426 + RESERVED +CVE-2021-45425 (Reflected Cross Site Scripting (XSS) in SAFARI Montage versions 8.3 an ...) + NOT-FOR-US: SAFARI Montage +CVE-2021-45424 + RESERVED +CVE-2021-45423 + RESERVED +CVE-2021-45422 (Reprise License Manager 14.2 is affected by a reflected cross-site scr ...) + NOT-FOR-US: Reprise License Manager +CVE-2021-45421 (** UNSUPPORTED WHEN ASSIGNED ** Emerson Dixell XWEB-500 products are a ...) + NOT-FOR-US: Emerson +CVE-2021-45420 (** UNSUPPORTED WHEN ASSIGNED ** Emerson Dixell XWEB-500 products are a ...) + NOT-FOR-US: Emerson +CVE-2021-45419 (Certain Starcharge products are affected by Improper Input Validation. ...) + NOT-FOR-US: Nova 360 Cabinet +CVE-2021-45418 (Certain Starcharge products are vulnerable to Directory Traversal via ...) + NOT-FOR-US: Nova 360 Cabinet +CVE-2021-45417 (AIDE before 0.17.4 allows local users to obtain root privileges via cr ...) + {DSA-5051-1 DLA-2894-1} + - aide 0.17.4-1 + NOTE: https://github.com/aide/aide/commit/175d1f2626f4500b4fc5ecb7167bba9956b174bc (v0.17.4) + NOTE: https://www.openwall.com/lists/oss-security/2022/01/20/3 +CVE-2021-45416 (Reflected Cross-site scripting (XSS) vulnerability in RosarioSIS 8.2.1 ...) + NOT-FOR-US: RosarioSIS +CVE-2021-45415 + RESERVED +CVE-2021-45414 + RESERVED +CVE-2021-45413 + RESERVED +CVE-2021-45412 + RESERVED +CVE-2021-45411 (In Sourcecodetester Printable Staff ID Card Creator System 1.0 after c ...) + NOT-FOR-US: Sourcecodetester +CVE-2021-45410 + RESERVED +CVE-2021-45409 + RESERVED +CVE-2021-45408 (Open Redirect vulnerability exists in SeedDMS 6.0.15 in out.Login.php, ...) + NOT-FOR-US: SeedDMS +CVE-2021-45407 + RESERVED +CVE-2021-45406 (In SalonERP 3.0.1, a SQL injection vulnerability allows an attacker to ...) + NOT-FOR-US: SalonERP +CVE-2021-45405 + RESERVED +CVE-2021-45404 + RESERVED +CVE-2021-45403 + RESERVED +CVE-2021-45402 (The check_alu_op() function in kernel/bpf/verifier.c in the Linux kern ...) + - linux 5.15.15-1 + [bullseye] - linux 5.10.92-1 + [buster] - linux <not-affected> (Vulnerable code introduced later) + [stretch] - linux <not-affected> (Vulnerable code introduced later) + NOTE: https://git.kernel.org/linus/3cf2b61eb06765e27fec6799292d9fb46d0b7e60 + NOTE: https://git.kernel.org/linus/b1a7288dedc6caf9023f2676b4f5ed34cf0d4029 + NOTE: https://git.kernel.org/linus/e572ff80f05c33cd0cb4860f864f5c9c044280b6 +CVE-2021-45401 (A Command injection vulnerability exists in Tenda AC10U AC1200 Smart D ...) + NOT-FOR-US: Tenda +CVE-2021-45400 + RESERVED +CVE-2021-45399 + RESERVED +CVE-2021-45398 + RESERVED +CVE-2021-45397 + RESERVED +CVE-2021-45396 + RESERVED +CVE-2021-45395 + RESERVED +CVE-2021-45394 (An issue was discovered in Spipu HTML2PDF before 5.2.4. Attackers can ...) + NOT-FOR-US: PHP HTML2PDF +CVE-2021-45393 + RESERVED +CVE-2021-45392 (A Buffer Overflow vulnerability exists in Tenda Router AX12 V22.03.01. ...) + NOT-FOR-US: Tenda +CVE-2021-45391 (A Buffer Overflow vulnerability exists in Tenda Router AX12 V22.03.01. ...) + NOT-FOR-US: Tenda +CVE-2021-45390 + RESERVED +CVE-2021-45389 (StarWind SAN & NAS build 1578 and StarWind Command Center Build 68 ...) + NOT-FOR-US: StarWind +CVE-2021-45388 + REJECTED +CVE-2021-45387 (tcpreplay 4.3.4 has a Reachable Assertion in add_tree_ipv4() at tree.c ...) + - tcpreplay 4.4.0-1 (unimportant) + NOTE: https://github.com/appneta/tcpreplay/issues/687 + NOTE: Fixed by: https://github.com/appneta/tcpreplay/commit/46cf964a7db636da76abeebf10482acf6f682a87 (v4.4.0) + NOTE: Crash in CLI tool, no security impact +CVE-2021-45386 (tcpreplay 4.3.4 has a Reachable Assertion in add_tree_ipv6() at tree.c ...) + - tcpreplay 4.4.0-1 (unimportant) + NOTE: https://github.com/appneta/tcpreplay/issues/687 + NOTE: Fixed by: https://github.com/appneta/tcpreplay/commit/46cf964a7db636da76abeebf10482acf6f682a87 (v4.4.0) + NOTE: Crash in CLI tool, no security impact +CVE-2021-45385 (A Null Pointer Dereference vulnerability exits in ffjpeg d5cfd49 (2021 ...) + NOT-FOR-US: ffjpeg +CVE-2021-45384 + RESERVED +CVE-2021-45383 + RESERVED +CVE-2021-45382 (A Remote Command Execution (RCE) vulnerability exists in all series H/ ...) + NOT-FOR-US: D-Link +CVE-2021-45381 + RESERVED +CVE-2021-45380 (AppCMS 2.0.101 has a XSS injection vulnerability in \templates\m\inc_h ...) + NOT-FOR-US: AppCMS +CVE-2021-45378 + RESERVED +CVE-2021-45377 + RESERVED +CVE-2021-45376 + RESERVED +CVE-2021-45375 + RESERVED +CVE-2021-45374 + RESERVED +CVE-2021-45373 + RESERVED +CVE-2021-45372 + RESERVED +CVE-2021-45371 + RESERVED +CVE-2021-45370 + RESERVED +CVE-2021-45369 + RESERVED +CVE-2021-45368 + RESERVED +CVE-2021-45367 + RESERVED +CVE-2021-45366 + RESERVED +CVE-2021-45365 + RESERVED +CVE-2021-45364 (** DISPUTED ** A Code Execution vulnerability exists in Statamic Versi ...) + NOT-FOR-US: Statamic +CVE-2021-45363 + RESERVED +CVE-2021-45362 + RESERVED +CVE-2021-45361 + RESERVED +CVE-2021-45360 + RESERVED +CVE-2021-45359 + RESERVED +CVE-2021-45358 + RESERVED +CVE-2021-45357 (Cross Site Scripting (XSS) vulnerability exists in Piwigo 12.x via the ...) + - piwigo <removed> +CVE-2021-45356 + RESERVED +CVE-2021-45355 + RESERVED +CVE-2021-45354 + RESERVED +CVE-2021-45353 + RESERVED +CVE-2021-45352 + RESERVED +CVE-2021-45351 + RESERVED +CVE-2021-45350 + RESERVED +CVE-2021-45349 + RESERVED +CVE-2021-45348 (An Arbitrary File Deletion vulnerability exists in SourceCodester Atte ...) + NOT-FOR-US: SourceCodester +CVE-2021-45347 (An Incorrect Access Control vulnerability exists in zzcms 8.2, which l ...) + NOT-FOR-US: zzcms +CVE-2021-45346 (A Memory Leak vulnerabilty exists in SQLite Project SQLite3 3.35.1 and ...) + - sqlite3 <unfixed> (bug #1005974) + NOTE: https://github.com/guyinatuxedo/sqlite3_record_leaking + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2054793 +CVE-2021-45345 + RESERVED +CVE-2021-45344 + RESERVED +CVE-2021-45343 (In LibreCAD 2.2.0, a NULL pointer dereference in the HATCH handling of ...) + {DSA-5077-1 DLA-2908-1} + - librecad 2.1.3-3 (bug #1004518) + NOTE: https://github.com/LibreCAD/LibreCAD/issues/1468 + NOTE: https://github.com/LibreCAD/LibreCAD/pull/1469 + NOTE: Fixed by: https://github.com/LibreCAD/LibreCAD/commit/5771425808bd16e78e1c6f28728c0712c47316f7 +CVE-2021-45342 (A buffer overflow vulnerability in CDataList of the jwwlib component o ...) + {DSA-5077-1 DLA-2908-1} + - librecad 2.1.3-3 (bug #1004518) + NOTE: https://github.com/LibreCAD/LibreCAD/issues/1464 + NOTE: https://github.com/LibreCAD/LibreCAD/pull/1465 + NOTE: Fixed by: https://github.com/LibreCAD/LibreCAD/commit/4edcbe72679f95cb60979c77a348c1522a20b0f4 +CVE-2021-45341 (A buffer overflow vulnerability in CDataMoji of the jwwlib component o ...) + {DSA-5077-1 DLA-2908-1} + - librecad 2.1.3-3 (bug #1004518) + NOTE: https://github.com/LibreCAD/LibreCAD/issues/1462 + NOTE: https://github.com/LibreCAD/LibreCAD/pull/1463 + NOTE: Fixed by: https://github.com/LibreCAD/LibreCAD/commit/f3502963eaf379a429bc9da73c1224c5db649997 +CVE-2021-45340 (In Libsixel prior to and including v1.10.3, a NULL pointer dereference ...) + - libsixel <unfixed> (bug #1004377) + [bullseye] - libsixel <no-dsa> (Minor issue) + [buster] - libsixel <no-dsa> (Minor issue) + [stretch] - libsixel <no-dsa> (Minor issue) + NOTE: https://github.com/libsixel/libsixel/issues/51 + NOTE: Fixed by: https://github.com/libsixel/libsixel/pull/52 +CVE-2021-45339 (Privilege escalation vulnerability in Avast Antivirus prior to 20.4 al ...) + NOT-FOR-US: Avast Antivirus +CVE-2021-45338 (Multiple privilege escalation vulnerabilities in Avast Antivirus prior ...) + NOT-FOR-US: Avast Antivirus +CVE-2021-45337 (Privilege escalation vulnerability in the Self-Defense driver of Avast ...) + NOT-FOR-US: Avast Antivirus +CVE-2021-45336 (Privilege escalation vulnerability in the Sandbox component of Avast A ...) + NOT-FOR-US: Avast Antivirus +CVE-2021-45335 (Sandbox component in Avast Antivirus prior to 20.4 has an insecure per ...) + NOT-FOR-US: Avast Antivirus +CVE-2021-45334 (Sourcecodester Online Thesis Archiving System 1.0 is vulnerable to SQL ...) + NOT-FOR-US: Sourcecodester Online Thesis Archiving System +CVE-2021-45333 + RESERVED +CVE-2021-45332 + RESERVED +CVE-2021-45331 (An Authentication Bypass vulnerability exists in Gitea before 1.5.0, w ...) + - gitea <removed> +CVE-2021-45330 (An issue exsits in Gitea through 1.15.7, which could let a malicious u ...) + - gitea <removed> +CVE-2021-45329 (Cross Site Scripting (XSS) vulnerability exists in Gitea before 1.5.1 ...) + - gitea <removed> +CVE-2021-45328 (Gitea before 1.4.3 is affected by URL Redirection to Untrusted Site (' ...) + - gitea <removed> +CVE-2021-45327 (Gitea before 1.11.2 is affected by Trusting HTTP Permission Methods on ...) + - gitea <removed> +CVE-2021-45326 (Cross Site Request Forgery (CSRF) vulnerability exists in Gitea before ...) + - gitea <removed> +CVE-2021-45325 (Server Side Request Forgery (SSRF) vulneraility exists in Gitea before ...) + - gitea <removed> +CVE-2021-45324 + RESERVED +CVE-2021-45323 + RESERVED +CVE-2021-45322 + RESERVED +CVE-2021-45321 + RESERVED +CVE-2021-45320 + RESERVED +CVE-2021-45319 + RESERVED +CVE-2021-45318 + RESERVED +CVE-2021-45317 + RESERVED +CVE-2021-45316 + RESERVED +CVE-2021-45315 + RESERVED +CVE-2021-45314 + RESERVED +CVE-2021-45313 + RESERVED +CVE-2021-45312 + RESERVED +CVE-2021-45311 + RESERVED +CVE-2021-45310 (Sangoma Technologies Corporation Switchvox Version 102409 is affected ...) + NOT-FOR-US: Sangoma Technologies Corporation Switchvox +CVE-2021-45309 + RESERVED +CVE-2021-45308 + RESERVED +CVE-2021-45307 + RESERVED +CVE-2021-45306 + RESERVED +CVE-2021-45305 + RESERVED +CVE-2021-45304 + RESERVED +CVE-2021-45303 + RESERVED +CVE-2021-45302 + RESERVED +CVE-2021-45301 + RESERVED +CVE-2021-45300 + RESERVED +CVE-2021-45299 + RESERVED +CVE-2021-45298 + RESERVED +CVE-2021-45297 (An infinite loop vulnerability exists in Gpac 1.0.1 in gf_get_bit_size ...) + - gpac <unfixed> + NOTE: https://github.com/gpac/gpac/issues/1973 + NOTE: https://github.com/gpac/gpac/commit/fb13af36286b9d898e332e8762a286eb83bd1770 +CVE-2021-45296 + RESERVED +CVE-2021-45295 + RESERVED +CVE-2021-45294 + RESERVED +CVE-2021-45293 (A Denial of Service vulnerability exists in Binaryen 103 due to an Inv ...) + - binaryen 104-1 (unimportant) + NOTE: https://github.com/WebAssembly/binaryen/issues/4384 + NOTE: https://github.com/WebAssembly/binaryen/pull/4388 + NOTE: https://github.com/WebAssembly/binaryen/commit/b1f6298ed8756bdc3336429c04b92ba58d000b49 (version_104) + NOTE: Crash in CLI tool, no security impact +CVE-2021-45292 (The gf_isom_hint_rtp_read function in GPAC 1.0.1 allows attackers to c ...) + - gpac <unfixed> + NOTE: https://github.com/gpac/gpac/issues/1958 + NOTE: https://github.com/gpac/gpac/commit/3dafcb5e71e9ffebb50238784dcad8b105da81f6 +CVE-2021-45291 (The gf_dump_setup function in GPAC 1.0.1 allows malicoius users to cau ...) + - gpac <unfixed> + NOTE: https://github.com/gpac/gpac/issues/1955 + NOTE: https://github.com/gpac/gpac/commit/a07c64979af592aad56bc175157b7397e43fa9cc +CVE-2021-45290 (A Denial of Service vulnerability exits in Binaryen 103 due to an asse ...) + - binaryen 104-1 (unimportant) + NOTE: https://github.com/WebAssembly/binaryen/issues/4383 + NOTE: https://github.com/WebAssembly/binaryen/pull/4389 + NOTE: https://github.com/WebAssembly/binaryen/commit/62d83d5fcad015ce52f0f3122eab9df1c629cafb (version_104) + NOTE: Crash in CLI tool, no security impact +CVE-2021-45289 (A vulnerability exists in GPAC 1.0.1 due to an omission of security-re ...) + - gpac <unfixed> + NOTE: https://github.com/gpac/gpac/issues/1972 + NOTE: https://github.com/gpac/gpac/commit/5e1f084e0c6ad2736c9913715c4abb57c554209d +CVE-2021-45288 (A Double Free vulnerability exists in filedump.c in GPAC 1.0.1, which ...) + - gpac <unfixed> + NOTE: https://github.com/gpac/gpac/issues/1956 + NOTE: https://github.com/gpac/gpac/commit/9bbce9634cba1128aa4b96d590be578ae3ce80b3 +CVE-2021-45287 + RESERVED +CVE-2021-45286 (Directory Traversal vulnerability exists in ZZCMS 2021 via the skin pa ...) + NOT-FOR-US: ZZCMS +CVE-2021-45285 + RESERVED +CVE-2021-45284 + RESERVED +CVE-2021-45283 + RESERVED +CVE-2021-45282 + RESERVED +CVE-2021-45281 (QuickBox Pro v2.4.8 contains a cross-site scripting (XSS) vulnerabilit ...) + NOT-FOR-US: QuickBox Pro +CVE-2021-45280 + RESERVED +CVE-2021-45279 + RESERVED +CVE-2021-45278 + RESERVED +CVE-2021-45277 + RESERVED +CVE-2021-45276 + RESERVED +CVE-2021-45275 + RESERVED +CVE-2021-45274 + RESERVED +CVE-2021-45273 + RESERVED +CVE-2021-45272 + RESERVED +CVE-2021-45271 + RESERVED +CVE-2021-45270 + RESERVED +CVE-2021-45269 + RESERVED +CVE-2021-45268 (** DISPUTED ** A Cross Site Request Forgery (CSRF) vulnerability exist ...) + NOT-FOR-US: Backdrop CMS +CVE-2021-45267 (An invalid memory address dereference vulnerability exists in gpac 1.1 ...) + - gpac <unfixed> + NOTE: https://github.com/gpac/gpac/issues/1965 + NOTE: https://github.com/gpac/gpac/commit/29f31f431b18278b94c659452562e8a027436487 +CVE-2021-45266 (A null pointer dereference vulnerability exists in gpac 1.1.0 via the ...) + - gpac <unfixed> + NOTE: https://github.com/gpac/gpac/issues/1985 + NOTE: https://github.com/gpac/gpac/commit/76b9e3f578a056fee07a4b317f5b36a83d01810e +CVE-2021-45265 + RESERVED +CVE-2021-45264 + RESERVED +CVE-2021-45263 (An invalid free vulnerability exists in gpac 1.1.0 via the gf_svg_dele ...) + - gpac <unfixed> + NOTE: https://github.com/gpac/gpac/issues/1975 + NOTE: https://github.com/gpac/gpac/commit/b232648da3b111a0efe500501ee8ca8f32b616e9 +CVE-2021-45262 (An invalid free vulnerability exists in gpac 1.1.0 via the gf_sg_comma ...) + - gpac <unfixed> + NOTE: https://github.com/gpac/gpac/issues/1980 + NOTE: https://github.com/gpac/gpac/commit/ef86a8eba3b166b885dec219066dd3a47501e03a +CVE-2021-45261 (An Invalid Pointer vulnerability exists in GNU patch 2.7 via the anoth ...) + - patch <unfixed> (unimportant) + NOTE: https://savannah.gnu.org/bugs/?61685 + NOTE: Negligible security impact +CVE-2021-45260 (A null pointer dereference vulnerability exists in gpac 1.1.0 in the l ...) + - gpac <unfixed> + [bullseye] - gpac <ignored> (Minor issue) + [buster] - gpac <ignored> (Minor issue) + NOTE: https://github.com/gpac/gpac/issues/1979 + NOTE: https://github.com/gpac/gpac/issues/1977 + NOTE: https://github.com/gpac/gpac/commit/5e5e9c48b1a61e3844e9fbe26292305ab4c06d04 + NOTE: Reported twice upstream, fix is in issue 1977 - identical report in issue 1979 +CVE-2021-45259 (An Invalid pointer reference vulnerability exists in gpac 1.1.0 via th ...) + - gpac <unfixed> + [bullseye] - gpac <ignored> (Minor issue) + [buster] - gpac <ignored> (Minor issue) + NOTE: https://github.com/gpac/gpac/issues/1986 + NOTE: https://github.com/gpac/gpac/commit/654c796482c2609aa736315f9273d6c5912e0a29 +CVE-2021-45258 (A stack overflow vulnerability exists in gpac 1.1.0 via the gf_bifs_de ...) + - gpac <unfixed> + [bullseye] - gpac <ignored> (Minor issue) + [buster] - gpac <ignored> (Minor issue) + NOTE: https://github.com/gpac/gpac/issues/1970 + NOTE: https://github.com/gpac/gpac/commit/47a26a32c9a2cd630c48517c3e6ab2fa5f6a26ad +CVE-2021-45257 (An infinite loop vulnerability exists in nasm 2.16rc0 via the gpaste_t ...) + - nasm <unfixed> (unimportant) + NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392790 + NOTE: Negligible security impact +CVE-2021-45256 (A Null Pointer Dereference vulnerability existfs in nasm 2.16rc0 via a ...) + - nasm <unfixed> (unimportant) + NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392789 + NOTE: Crash in CLI tool, no security impact +CVE-2021-45255 (The email parameter from ajax.php of Video Sharing Website 1.0 appears ...) + NOT-FOR-US: Video Sharing Website +CVE-2021-45254 + RESERVED +CVE-2021-45253 (The id parameter in view_storage.php from Simple Cold Storage Manageme ...) + NOT-FOR-US: Simple Cold Storage Management System +CVE-2021-45252 (Multiple SQL injection vulnerabilities are found on Simple Forum-Discu ...) + NOT-FOR-US: Simple Forum-Discussion System +CVE-2021-45251 + RESERVED +CVE-2021-45250 + RESERVED +CVE-2021-45249 + RESERVED +CVE-2021-45248 + RESERVED +CVE-2021-45247 + RESERVED +CVE-2021-45246 + RESERVED +CVE-2021-45245 + RESERVED +CVE-2021-45244 + RESERVED +CVE-2021-45243 + RESERVED +CVE-2021-45242 + RESERVED +CVE-2021-45241 + RESERVED +CVE-2021-45240 + RESERVED +CVE-2021-45239 + RESERVED +CVE-2021-45238 + RESERVED +CVE-2021-45237 + RESERVED +CVE-2021-45236 + RESERVED +CVE-2021-45235 + RESERVED +CVE-2021-45234 + RESERVED +CVE-2021-4142 + RESERVED + NOT-FOR-US: Red Hat Satellite / Candlepin +CVE-2021-4141 + RESERVED +CVE-2021-4140 + RESERVED + {DSA-5045-1 DSA-5044-1 DLA-2881-1 DLA-2880-1} + - firefox 96.0-1 + - firefox-esr 91.5.0esr-1 + - thunderbird 1:91.5.0-1 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-01/#CVE-2021-4140 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-02/#CVE-2021-4140 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-03/#CVE-2021-4140 +CVE-2021-4139 (pimcore is vulnerable to Improper Neutralization of Input During Web P ...) + NOT-FOR-US: Pimcore +CVE-2021-4138 + RESERVED + - geckodriver <itp> (bug #989456) +CVE-2021-45233 + RESERVED +CVE-2021-45232 (In Apache APISIX Dashboard before 2.10.1, the Manager API uses two fra ...) + NOT-FOR-US: Apache APISIX Dashboard +CVE-2021-45231 (A link following privilege escalation vulnerability in Trend Micro Ape ...) + NOT-FOR-US: Trend Micro +CVE-2021-45230 (In Apache Airflow prior to 2.2.0. This CVE applies to a specific case ...) + - airflow <itp> (bug #819700) +CVE-2021-45229 + RESERVED +CVE-2021-45228 + RESERVED +CVE-2021-45227 + RESERVED +CVE-2021-45226 (An issue was discovered in COINS Construction Cloud 11.12. Due to impr ...) + NOT-FOR-US: COINS Construction Cloud +CVE-2021-45225 (An issue was discovered in COINS Construction Cloud 11.12. Due to impr ...) + NOT-FOR-US: COINS Construction Cloud +CVE-2021-45224 (An issue was discovered in COINS Construction Cloud 11.12. In several ...) + NOT-FOR-US: COINS Construction Cloud +CVE-2021-45223 (An issue was discovered in COINS Construction Cloud 11.12. Due to insu ...) + NOT-FOR-US: COINS Construction Cloud +CVE-2021-45222 (An issue was discovered in COINS Construction Cloud 11.12. Due to logi ...) + NOT-FOR-US: COINS Construction Cloud +CVE-2021-45221 + RESERVED +CVE-2021-45220 + RESERVED +CVE-2021-45219 + RESERVED +CVE-2021-45218 + RESERVED +CVE-2021-45217 + RESERVED +CVE-2021-45216 + RESERVED +CVE-2021-45215 + RESERVED +CVE-2021-45214 + RESERVED +CVE-2021-45213 + RESERVED +CVE-2021-45212 + RESERVED +CVE-2021-45211 + RESERVED +CVE-2021-45210 + RESERVED +CVE-2021-45209 + RESERVED +CVE-2021-45208 + RESERVED +CVE-2021-45207 + RESERVED +CVE-2021-45206 + RESERVED +CVE-2021-45205 + RESERVED +CVE-2021-45204 + RESERVED +CVE-2021-45203 + RESERVED +CVE-2021-45202 + RESERVED +CVE-2021-45201 + RESERVED +CVE-2021-45200 + RESERVED +CVE-2021-45199 + RESERVED +CVE-2021-45198 + RESERVED +CVE-2021-45197 + RESERVED +CVE-2021-45196 + RESERVED +CVE-2021-45195 + RESERVED +CVE-2021-45194 + RESERVED +CVE-2021-45193 + RESERVED +CVE-2021-45192 + RESERVED +CVE-2021-45191 + RESERVED +CVE-2021-45190 + RESERVED +CVE-2021-45189 + RESERVED +CVE-2021-45188 + RESERVED +CVE-2021-45187 + RESERVED +CVE-2021-45186 + RESERVED +CVE-2021-45185 + RESERVED +CVE-2021-45184 + RESERVED +CVE-2021-45183 + RESERVED +CVE-2021-45182 + RESERVED +CVE-2021-45181 + RESERVED +CVE-2021-45180 + RESERVED +CVE-2021-45179 + RESERVED +CVE-2021-45178 + RESERVED +CVE-2021-45177 + RESERVED +CVE-2021-45176 + RESERVED +CVE-2021-45175 + RESERVED +CVE-2021-45174 + RESERVED +CVE-2021-45173 + RESERVED +CVE-2021-45172 + RESERVED +CVE-2021-45171 + RESERVED +CVE-2021-45170 + RESERVED +CVE-2021-45169 + RESERVED +CVE-2021-45168 + RESERVED +CVE-2021-45167 + RESERVED +CVE-2021-45166 + RESERVED +CVE-2021-45165 + RESERVED +CVE-2021-45164 + RESERVED +CVE-2021-45163 + RESERVED +CVE-2021-45162 + RESERVED +CVE-2021-45161 + RESERVED +CVE-2021-45160 + RESERVED +CVE-2021-45159 + RESERVED +CVE-2021-45158 + RESERVED +CVE-2021-45157 + RESERVED +CVE-2021-45156 + RESERVED +CVE-2021-45155 + RESERVED +CVE-2021-45154 + RESERVED +CVE-2021-45153 + RESERVED +CVE-2021-45152 + RESERVED +CVE-2021-45151 + RESERVED +CVE-2021-45150 + RESERVED +CVE-2021-45149 + RESERVED +CVE-2021-45148 + RESERVED +CVE-2021-45147 + RESERVED +CVE-2021-45146 + RESERVED +CVE-2021-45145 + RESERVED +CVE-2021-45144 + RESERVED +CVE-2021-45143 + RESERVED +CVE-2021-45142 + RESERVED +CVE-2021-45141 + RESERVED +CVE-2021-45140 + RESERVED +CVE-2021-45139 + RESERVED +CVE-2021-45138 + RESERVED +CVE-2021-45137 + RESERVED +CVE-2021-45136 + RESERVED +CVE-2021-45135 + RESERVED +CVE-2021-45134 + RESERVED +CVE-2021-45133 + RESERVED +CVE-2021-45132 + RESERVED +CVE-2021-45131 + RESERVED +CVE-2021-45130 + RESERVED +CVE-2021-45129 + RESERVED +CVE-2021-45128 + RESERVED +CVE-2021-45127 + RESERVED +CVE-2021-45126 + RESERVED +CVE-2021-45125 + RESERVED +CVE-2021-45124 + RESERVED +CVE-2021-45123 + RESERVED +CVE-2021-45122 + RESERVED +CVE-2021-45121 + RESERVED +CVE-2021-45120 + RESERVED +CVE-2021-45119 + RESERVED +CVE-2021-45118 + RESERVED +CVE-2021-45117 + RESERVED +CVE-2021-45116 (An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11 ...) + - python-django 2:3.2.11-1 (bug #1003113) + [bullseye] - python-django <postponed> (Minor issue; fix in next update) + [buster] - python-django <postponed> (Minor issue; fix in next update) + [stretch] - python-django <postponed> (Minor issue; fix in next update) + NOTE: https://www.djangoproject.com/weblog/2022/jan/04/security-releases/ + NOTE: https://github.com/django/django/commit/c7fe895bca06daf12cc1670b56eaf72a1ef27a16 (3.2.11) + NOTE: https://github.com/django/django/commit/c9f648ccfac5ab90fb2829a66da4f77e68c7f93a (2.2.26) +CVE-2021-45115 (An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11 ...) + - python-django 2:3.2.11-1 (bug #1003113) + [bullseye] - python-django <postponed> (Minor issue; fix in next update) + [buster] - python-django <postponed> (Minor issue; fix in next update) + [stretch] - python-django <postponed> (Minor issue; fix in next update) + NOTE: https://www.djangoproject.com/weblog/2022/jan/04/security-releases/ + NOTE: https://github.com/django/django/commit/a8b32fe13bcaed1c0b772fdc53de84abc224fb20 (3.2.11) + NOTE: https://github.com/django/django/commit/2135637fdd5ce994de110affef9e67dffdf77277 (2.2.26) +CVE-2021-45106 (A vulnerability has been identified in SICAM TOOLBOX II (All versions) ...) + NOT-FOR-US: Siemens +CVE-2021-44463 (Missing DLLs, if replaced by an insider, could allow an attacker to ac ...) + NOT-FOR-US: Emerson +CVE-2021-44462 + RESERVED +CVE-2021-4137 + RESERVED +CVE-2021-4136 (vim is vulnerable to Heap-based Buffer Overflow ...) + - vim 2:8.2.3995-1 (bug #1002534) + [bullseye] - vim <no-dsa> (Minor issue) + [buster] - vim <not-affected> (Vulnerable code introduced later) + [stretch] - vim <not-affected> (Vulnerable code introduced later) + NOTE: https://huntr.dev/bounties/5c6b93c1-2d27-4e98-a931-147877b8c938 + NOTE: Introduced by: https://github.com/vim/vim/commit/2949cfdbe4335b9abcfeda1be4dfc52090ee1df6 (v8.2.2257) + NOTE: Fixed by: https://github.com/vim/vim/commit/605ec91e5a7330d61be313637e495fa02a6dc264 (v8.2.3847) +CVE-2021-4135 + RESERVED + - linux 5.15.15-1 (unimportant) + [bullseye] - linux 5.10.92-1 + [stretch] - linux <not-affected> (Vulnerable code not present) + NOTE: https://git.kernel.org/linus/481221775d53d6215a6e5e9ce1cce6d2b4ab9a46 (5.16-rc6) + NOTE: CONFIG_NETDEVSIM is not set in Debian +CVE-2021-4134 (The Fancy Product Designer WordPress plugin is vulnerable to SQL Injec ...) + NOT-FOR-US: WordPress plugin +CVE-2021-4133 (A flaw was found in Keycloak in versions from 12.0.0 and before 15.1.1 ...) + NOT-FOR-US: Keycloak +CVE-2021-4132 (livehelperchat is vulnerable to Improper Neutralization of Input Durin ...) + NOT-FOR-US: livehelperchat +CVE-2021-4131 (livehelperchat is vulnerable to Cross-Site Request Forgery (CSRF) ...) + NOT-FOR-US: livehelperchat +CVE-2021-4130 (snipe-it is vulnerable to Cross-Site Request Forgery (CSRF) ...) + NOT-FOR-US: snipe-it +CVE-2021-4129 + RESERVED +CVE-2021-4128 + RESERVED +CVE-2021-4127 + RESERVED +CVE-2021-4126 + RESERVED + {DSA-5034-1 DLA-2874-1} + - thunderbird 1:91.4.1-1 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-55/#CVE-2021-4126 +CVE-2021-26264 (A specially crafted script could cause the DeltaV Distributed Control ...) + NOT-FOR-US: DeltaV Distributed Control System Controllers +CVE-2021-23173 (The affected product is vulnerable to an improper access control, whic ...) + NOT-FOR-US: Philips +CVE-2021-23157 (WECON LeviStudioU Versions 2019-09-21 and prior are vulnerable to a he ...) + NOT-FOR-US: WECON LeviStudioU +CVE-2021-23138 (WECON LeviStudioU Versions 2019-09-21 and prior are vulnerable to a st ...) + NOT-FOR-US: WECON LeviStudioU +CVE-2021-45379 (Glewlwyd 2.0.0, fixed in 2.6.1 is affected by an incorrect access cont ...) + - glewlwyd 2.6.1-1 + [bullseye] - glewlwyd <no-dsa> (Minor issue; can be fixed via point release) + [buster] - glewlwyd <not-affected> (Vulnerable code introduced later) + NOTE: https://github.com/babelouest/glewlwyd/commit/125281f1c0d4b6a8b49f7e55a757205a2ef01fbe (v2.6.1) +CVE-2021-45105 (Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and ...) + {DSA-5024-1 DLA-2852-1} + - apache-log4j2 2.17.0-1 (bug #1001891) + NOTE: https://logging.apache.org/log4j/2.x/security.html#CVE-2021-45105 + NOTE: https://issues.apache.org/jira/browse/LOG4J2-3230 +CVE-2021-31566 [symbolic links incorrectly followed when changing modes, times, ACL and flags of a file while extracting an archive] + RESERVED + - libarchive 3.5.2-1 (bug #1001990) + [bullseye] - libarchive <no-dsa> (Minor issue) + [buster] - libarchive <no-dsa> (Minor issue) + NOTE: https://github.com/libarchive/libarchive/issues/1566 + NOTE: https://github.com/libarchive/libarchive/commit/b41daecb5ccb4c8e3b2c53fd6147109fc12c3043 (v3.5.2) + NOTE: https://github.com/libarchive/libarchive/commit/e2ad1a2c3064fa9eba6274b3641c4c1beed25c0b (v3.5.2) +CVE-2021-23177 [extracting a symlink with ACLs modifies ACLs of target] + RESERVED + - libarchive 3.5.2-1 (bug #1001986) + [bullseye] - libarchive <no-dsa> (Minor issue) + [buster] - libarchive <no-dsa> (Minor issue) + NOTE: https://github.com/libarchive/libarchive/issues/1565 + NOTE: https://github.com/libarchive/libarchive/commit/fba4f123cc456d2b2538f811bb831483bf336bad (v3.5.2) +CVE-2021-45104 + RESERVED +CVE-2021-45103 + RESERVED +CVE-2021-45102 (An issue was discovered in HTCondor 9.0.x before 9.0.4 and 9.1.x befor ...) + - condor <not-affected> (Only affects 9.0.0 and above) + NOTE: https://research.cs.wisc.edu/htcondor/security/vulnerabilities/HTCONDOR-2021-0004/ +CVE-2021-45101 (An issue was discovered in HTCondor before 8.8.15, 9.0.x before 9.0.4, ...) + - condor <unfixed> (bug #1002540) + [stretch] - condor <ignored> (Patch is too destructive to backport it; Patch does not apply cleanly. Too many calls in patch, not existed in this version of the software) + NOTE: https://research.cs.wisc.edu/htcondor/security/vulnerabilities/HTCONDOR-2021-0003/ + NOTE: https://github.com/htcondor/htcondor/commit/8b311dee6dee6be518e65381e020fb74848b552b (V8_8_14) +CVE-2021-45099 (** DISPUTED ** The addon.stdin service in addon-ssh (aka Home Assistan ...) + NOT-FOR-US: Home Assistant Community Add-on: SSH & Web Terminal +CVE-2021-45098 (An issue was discovered in Suricata before 6.0.4. It is possible to by ...) + - suricata 1:6.0.4-1 + [bullseye] - suricata <no-dsa> (Minor issue) + [buster] - suricata <no-dsa> (Minor issue) + [stretch] - suricata <no-dsa> (Minor issue) + NOTE: https://forum.suricata.io/t/suricata-6-0-4-and-5-0-8-released/1942 + NOTE: https://github.com/OISF/suricata/commit/50e2b973eeec7172991bf8f544ab06fb782b97df + NOTE: https://redmine.openinfosecfoundation.org/issues/4710 +CVE-2021-45097 (KNIME Server before 4.12.6 and 4.13.x before 4.13.4 (when installed in ...) + NOT-FOR-US: NIME Server +CVE-2021-45096 (KNIME Analytics Platform before 4.5.0 is vulnerable to XXE (external X ...) + NOT-FOR-US: KNIME Analytics Platform +CVE-2021-45094 + RESERVED +CVE-2021-45093 + RESERVED +CVE-2021-45092 (Thinfinity VirtualUI before 3.0 has functionality in /lab.html reachab ...) + NOT-FOR-US: Thinfinity VirtualUI +CVE-2021-45091 (Stormshield Endpoint Security from 2.1.0 to 2.1.1 has Incorrect Access ...) + NOT-FOR-US: Stormshield Endpoint Security +CVE-2021-45090 (Stormshield Endpoint Security before 2.1.2 allows remote code executio ...) + NOT-FOR-US: Stormshield Endpoint Security +CVE-2021-45089 (Stormshield Endpoint Security 2.x before 2.1.2 has Incorrect Access Co ...) + NOT-FOR-US: Stormshield Endpoint Security +CVE-2021-45088 (XSS can occur in GNOME Web (aka Epiphany) before 40.4 and 41.x before ...) + {DSA-5042-1} + - epiphany-browser 41.2-1 + [stretch] - epiphany-browser <ignored> (WebKit browser, not covered by security support in stretch) + NOTE: https://gitlab.gnome.org/GNOME/epiphany/-/issues/1612 + NOTE: https://gitlab.gnome.org/GNOME/epiphany/-/merge_requests/1045 +CVE-2021-45087 (XSS can occur in GNOME Web (aka Epiphany) before 40.4 and 41.x before ...) + {DSA-5042-1} + - epiphany-browser 41.2-1 + [stretch] - epiphany-browser <ignored> (WebKit browser, not covered by security support in stretch) + NOTE: https://gitlab.gnome.org/GNOME/epiphany/-/issues/1612 + NOTE: https://gitlab.gnome.org/GNOME/epiphany/-/merge_requests/1045 +CVE-2021-45086 (XSS can occur in GNOME Web (aka Epiphany) before 40.4 and 41.x before ...) + {DSA-5042-1} + - epiphany-browser 41.2-1 + [stretch] - epiphany-browser <ignored> (WebKit browser, not covered by security support in stretch) + NOTE: https://gitlab.gnome.org/GNOME/epiphany/-/issues/1612 + NOTE: https://gitlab.gnome.org/GNOME/epiphany/-/merge_requests/1045 +CVE-2021-45085 (XSS can occur in GNOME Web (aka Epiphany) before 40.4 and 41.x before ...) + {DSA-5042-1} + - epiphany-browser 41.2-1 + [stretch] - epiphany-browser <ignored> (WebKit browser, not covered by security support in stretch) + NOTE: https://gitlab.gnome.org/GNOME/epiphany/-/issues/1612 + NOTE: https://gitlab.gnome.org/GNOME/epiphany/-/merge_requests/1045 +CVE-2021-45084 + RESERVED +CVE-2021-45083 (An issue was discovered in Cobbler before 3.3.1. Files in /etc/cobbler ...) + - cobbler <removed> +CVE-2021-45082 (An issue was discovered in Cobbler before 3.3.1. In the templar.py fil ...) + - cobbler <removed> +CVE-2021-45081 (An issue was discovered in Cobbler through 3.3.1. Routines in several ...) + - cobbler <removed> +CVE-2021-45080 + RESERVED +CVE-2021-45079 (In strongSwan before 5.9.5, a malicious responder can send an EAP-Succ ...) + {DSA-5056-1 DLA-2909-1} + - strongswan 5.9.5-1 + NOTE: https://www.strongswan.org/blog/2022/01/24/strongswan-vulnerability-(cve-2021-45079).html + NOTE: Patches: https://download.strongswan.org/security/CVE-2021-45079/ +CVE-2021-45078 (stab_xcoff_builtin_type in stabs.c in GNU Binutils through 2.37 allows ...) + - binutils 2.37.50.20220106-1 (unimportant) + NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=28694 + NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=161e87d12167b1e36193385485c1f6ce92f74f02 + NOTE: binutils not covered by security support +CVE-2021-4125 + RESERVED + NOT-FOR-US: OpenShift metering hive containers +CVE-2021-42550 (In logback version 1.2.7 and prior versions, an attacker with the requ ...) + - logback 1:1.2.8-1 + [bullseye] - logback <no-dsa> (Minor issue) + [buster] - logback <no-dsa> (Minor issue) + [stretch] - logback <no-dsa> (Minor issue) + NOTE: https://jira.qos.ch/browse/LOGBACK-1591 + NOTE: https://github.com/qos-ch/logback/commit/21d772f2bc2ed780b01b4fe108df7e29707763f1 (v_1.2.8) +CVE-2021-44771 + REJECTED +CVE-2021-4124 (janus-gateway is vulnerable to Improper Neutralization of Input During ...) + - janus <unfixed> (unimportant) + NOTE: https://huntr.dev/bounties/a6ca142e-60aa-4d6f-b231-5d1bcd1b7190 + NOTE: https://github.com/meetecho/janus-gateway/commit/f62bba6513ec840761f2434b93168106c7c65a3d + NOTE: Issues only in janus-demos built from src:janus +CVE-2021-4123 (livehelperchat is vulnerable to Cross-Site Request Forgery (CSRF) ...) + NOT-FOR-US: livehelperchat +CVE-2021-4122 [decryption through LUKS2 reencryption crash recovery] + RESERVED + {DSA-5070-1} + - cryptsetup 2:2.4.3-1 (bug #1003686) + [buster] - cryptsetup <not-affected> (Vulnerable code not present; does not support online LUKS2 reencryption) + [stretch] - cryptsetup <not-affected> (Vulnerable code not present; does not support LUKS2) + NOTE: https://www.openwall.com/lists/oss-security/2022/01/13/2 + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2032401 + NOTE: https://gitlab.com/cryptsetup/cryptsetup/-/commit/0113ac2d889c5322659ad0596d4cfc6da53e356c + NOTE: 2.4 branch: https://gitlab.com/cryptsetup/cryptsetup/-/commit/de98f011418c62e7b825a8ce3256e8fcdc84756e + NOTE: 2.3 branch: https://gitlab.com/cryptsetup/cryptsetup/-/commit/60addcffa6794c29dccf33d8db5347f24b75f2fc +CVE-2021-4121 (yetiforcecrm is vulnerable to Improper Neutralization of Input During ...) + NOT-FOR-US: yetiforcecrm +CVE-2021-23151 + REJECTED +CVE-2021-45100 (The ksmbd server through 3.4.2, as used in the Linux kernel through 5. ...) + - linux 5.15.15-1 (unimportant) + [bullseye] - linux <not-affected> (Vulnerable code not present) + [buster] - linux <not-affected> (Vulnerable code not present) + [stretch] - linux <not-affected> (Vulnerable code not present) + NOTE: https://github.com/cifsd-team/ksmbd/issues/550 + NOTE: https://github.com/cifsd-team/ksmbd/pull/551 + NOTE: https://marc.info/?l=linux-kernel&m=163961726017023&w=2 + NOTE: SMB_SERVER enabled only as module since 5.16~rc1-1~exp1. +CVE-2021-45095 (pep_sock_accept in net/phonet/pep.c in the Linux kernel through 5.15.8 ...) + {DSA-5050-1} + - linux 5.15.15-1 + NOTE: https://lore.kernel.org/all/20211209082839.33985-1-hbh25y@gmail.com/ +CVE-2021-45070 + RESERVED +CVE-2021-45069 + RESERVED +CVE-2021-45068 (Acrobat Reader DC version 21.007.20099 (and earlier), 20.004.30017 (an ...) + NOT-FOR-US: Adobe +CVE-2021-45067 (Acrobat Reader DC version 21.007.20099 (and earlier), 20.004.30017 (an ...) + NOT-FOR-US: Adobe +CVE-2021-45066 + RESERVED +CVE-2021-45065 + RESERVED +CVE-2021-45064 (Acrobat Reader DC version 21.007.20099 (and earlier), 20.004.30017 (an ...) + NOT-FOR-US: Adobe +CVE-2021-45063 (Acrobat Reader DC version 21.007.20099 (and earlier), 20.004.30017 (an ...) + NOT-FOR-US: Adobe +CVE-2021-45062 (Acrobat Reader DC version 21.007.20099 (and earlier), 20.004.30017 (an ...) + NOT-FOR-US: Adobe +CVE-2021-45061 (Acrobat Reader DC version 21.007.20099 (and earlier), 20.004.30017 (an ...) + NOT-FOR-US: Adobe +CVE-2021-45060 (Acrobat Reader DC version 21.007.20099 (and earlier), 20.004.30017 (an ...) + NOT-FOR-US: Adobe +CVE-2021-45059 (Adobe InDesign version 16.4 (and earlier) is affected by a use-after-f ...) + NOT-FOR-US: Adobe +CVE-2021-45058 (Adobe InDesign version 16.4 (and earlier) is affected by an out-of-bou ...) + NOT-FOR-US: Adobe +CVE-2021-45057 (Adobe InDesign version 16.4 (and earlier) is affected by an out-of-bou ...) + NOT-FOR-US: Adobe +CVE-2021-45056 (Adobe InCopy version 16.4 (and earlier) is affected by an out-of-bound ...) + NOT-FOR-US: Adobe +CVE-2021-45055 (Adobe InCopy version 16.4 (and earlier) is affected by an out-of-bound ...) + NOT-FOR-US: Adobe +CVE-2021-45054 (Adobe InCopy version 16.4 (and earlier) is affected by a use-after-fre ...) + NOT-FOR-US: Adobe +CVE-2021-45053 (Adobe InCopy version 16.4 (and earlier) is affected by an out-of-bound ...) + NOT-FOR-US: Adobe +CVE-2021-45052 (Adobe Bridge version 11.1.2 (and earlier) and version 12.0 (and earlie ...) + NOT-FOR-US: Adobe +CVE-2021-45051 (Adobe Bridge version 11.1.2 (and earlier) and version 12.0 (and earlie ...) + NOT-FOR-US: Adobe +CVE-2021-4120 (snapd 2.54.2 fails to perform sufficient validation of snap content in ...) + - snapd <unfixed> + [bullseye] - snapd 2.49-1+deb11u1 + NOTE: https://bugs.launchpad.net/snapd/+bug/1949368 + NOTE: https://www.openwall.com/lists/oss-security/2022/02/18/2 +CVE-2021-45050 + RESERVED +CVE-2021-45049 + RESERVED +CVE-2021-45048 + RESERVED +CVE-2021-45047 + RESERVED +CVE-2021-45046 (It was found that the fix to address CVE-2021-44228 in Apache Log4j 2. ...) + {DSA-5022-1} + - apache-log4j2 2.16.0-1 (bug #1001729) + [stretch] - apache-log4j2 <not-affected> (JndiLookup class has been removed) + NOTE: https://www.openwall.com/lists/oss-security/2021/12/14/4 + NOTE: https://logging.apache.org/log4j/2.x/security.html#CVE-2021-45046 + NOTE: https://issues.apache.org/jira/browse/LOG4J2-3221 + NOTE: https://www.lunasec.io/docs/blog/log4j-zero-day-update-on-cve-2021-45046/ +CVE-2021-45045 + RESERVED +CVE-2021-45044 + RESERVED +CVE-2021-44768 + RESERVED +CVE-2021-44544 (DIAEnergie Version 1.7.5 and prior is vulnerable to multiple cross-sit ...) + NOT-FOR-US: DIAEnergie +CVE-2021-44471 (DIAEnergie Version 1.7.5 and prior is vulnerable to stored cross-site ...) + NOT-FOR-US: DIAEnergie +CVE-2021-4119 (bookstack is vulnerable to Improper Access Control ...) + NOT-FOR-US: bookstack +CVE-2021-4118 (pytorch-lightning is vulnerable to Deserialization of Untrusted Data ...) + NOT-FOR-US: pytorch-lightning +CVE-2021-4117 (yetiforcecrm is vulnerable to Business Logic Errors ...) + NOT-FOR-US: yetiforcecrm +CVE-2021-4116 (yetiforcecrm is vulnerable to Improper Neutralization of Input During ...) + NOT-FOR-US: yetiforcecrm +CVE-2021-4115 (There is a flaw in polkit which can allow an unprivileged user to caus ...) + [experimental] - policykit-1 0.120-6 + - policykit-1 0.105-32 (bug #1005784) + [bullseye] - policykit-1 <no-dsa> (Minor issue) + [buster] - policykit-1 <not-affected> (Vulnerable code not present, patch introducing issue not backported) + [stretch] - policykit-1 <not-affected> (Vulnerable code not present, patch introducing issue not backported) + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2007534 + NOTE: https://securitylab.github.com/advisories/GHSL-2021-077-polkit/ + NOTE: Fixed by: https://gitlab.freedesktop.org/polkit/polkit/-/commit/41cb093f554da8772362654a128a84dd8a5542a7 + NOTE: https://gitlab.freedesktop.org/polkit/polkit/-/issues/141 + NOTE: Issue Upstream introduced in 0.113 with https://gitlab.freedesktop.org/polkit/polkit/-/commit/bfa5036bfb93582c5a87c44b847957479d911e38 + NOTE: Debian backported 0.113 commits in 0.105-26 +CVE-2021-4114 + REJECTED +CVE-2021-4113 + REJECTED +CVE-2021-4112 + RESERVED + NOT-FOR-US: Ansible Tower +CVE-2021-4111 (yetiforcecrm is vulnerable to Business Logic Errors ...) + NOT-FOR-US: yetiforcecrm +CVE-2021-31558 (DIAEnergie Version 1.7.5 and prior is vulnerable to stored cross-site ...) + NOT-FOR-US: DIAEnergie +CVE-2021-23228 (DIAEnergie Version 1.7.5 and prior is vulnerable to a reflected cross- ...) + NOT-FOR-US: DIAEnergie +CVE-2021-45043 (HD-Network Real-time Monitoring System 2.0 allows ../ directory traver ...) + NOT-FOR-US: HD-Network Real-time Monitoring System +CVE-2021-45042 (In HashiCorp Vault and Vault Enterprise before 1.7.7, 1.8.x before 1.8 ...) + NOT-FOR-US: HashiCorp Vault +CVE-2021-45041 (SuiteCRM before 7.12.2 and 8.x before 8.0.1 allows authenticated SQL i ...) + NOT-FOR-US: SuiteCRM +CVE-2021-4110 (mruby is vulnerable to NULL Pointer Dereference ...) + - mruby 3.0.0-2 (bug #1001768) + [bullseye] - mruby <no-dsa> (Minor issue) + [buster] - mruby <no-dsa> (Minor issue) + [stretch] - mruby <postponed> (revisit when/if fix is complete) + NOTE: https://huntr.dev/bounties/4ce5dc47-2512-4c87-8609-453adc8cad20 + NOTE: https://github.com/mruby/mruby/commit/f5e10c5a79a17939af763b1dcf5232ce47e24a34 +CVE-2021-4109 + RESERVED +CVE-2021-4108 (snipe-it is vulnerable to Improper Neutralization of Input During Web ...) + NOT-FOR-US: snipe-it +CVE-2021-45040 + RESERVED +CVE-2021-45039 + RESERVED +CVE-2021-45038 (An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36 ...) + {DSA-5021-1} + - mediawiki 1:1.35.5-1 + [buster] - mediawiki <not-affected> (Vulnerable code not present) + [stretch] - mediawiki <not-affected> (Vulnerable code not present) + NOTE: https://phabricator.wikimedia.org/T297574 + NOTE: https://lists.wikimedia.org/hyperkitty/list/wikitech-l@lists.wikimedia.org/thread/QEN3EK4JXAVJMJ5GF3GYOAKNJPEKFQYA/ +CVE-2021-45037 + RESERVED +CVE-2021-45036 + RESERVED +CVE-2021-45035 + RESERVED +CVE-2021-45034 (A vulnerability has been identified in CP-8000 MASTER MODULE WITH I/O ...) + NOT-FOR-US: Siemens +CVE-2021-45033 (A vulnerability has been identified in CP-8000 MASTER MODULE WITH I/O ...) + NOT-FOR-US: Siemens +CVE-2021-45032 + RESERVED +CVE-2021-45031 + RESERVED +CVE-2021-45030 + RESERVED +CVE-2021-45029 (Groovy Code Injection & SpEL Injection which lead to Remote Code E ...) + NOT-FOR-US: Apache ShenYu +CVE-2021-45028 + RESERVED +CVE-2021-45027 + RESERVED +CVE-2021-45026 + RESERVED +CVE-2021-45025 + RESERVED +CVE-2021-45024 + RESERVED +CVE-2021-45023 + RESERVED +CVE-2021-45022 + RESERVED +CVE-2021-45021 + RESERVED +CVE-2021-45020 + RESERVED +CVE-2021-45019 + RESERVED +CVE-2021-45018 (Cross Site Scripting (XSS) vulnerability exists in Catfish <=6.3.0 ...) + NOT-FOR-US: CatFish (not same as src:catfish) +CVE-2021-45017 (Cross Site Request Forgery (CSRF) vulnerability exits in Catfish <= ...) + NOT-FOR-US: CatFish (not same as src:catfish) +CVE-2021-45016 + RESERVED +CVE-2021-45015 (taocms 3.0.2 is vulnerable to arbitrary file deletion via taocms\inclu ...) + NOT-FOR-US: taocms +CVE-2021-45014 (There is an upload sql injection vulnerability in the background of ta ...) + NOT-FOR-US: taocms +CVE-2021-45013 + RESERVED +CVE-2021-45012 + RESERVED +CVE-2021-45011 + RESERVED +CVE-2021-45010 + RESERVED +CVE-2021-45009 + RESERVED +CVE-2021-45008 (Plesk CMS 18.0.37 is affected by an insecure permissions vulnerability ...) + NOT-FOR-US: Plesk CMS +CVE-2021-45007 (Plesk 18.0.37 is affected by a Cross Site Request Forgery (CSRF) vulne ...) + NOT-FOR-US: Plesk +CVE-2021-45006 + RESERVED +CVE-2021-45005 (Artifex MuJS v1.1.3 was discovered to contain a heap buffer overflow w ...) + - mujs <unfixed> + NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=704749 (not public) + NOTE: http://git.ghostscript.com/?p=mujs.git;h=df8559e7bdbc6065276e786217eeee70f28fce66 (1.2.0) +CVE-2021-45004 + RESERVED +CVE-2021-45003 (Laundry Booking Management System 1.0 (Latest) and previous versions a ...) + NOT-FOR-US: Laundry Booking Management System +CVE-2021-45002 + RESERVED +CVE-2021-45001 + RESERVED +CVE-2021-45000 + RESERVED +CVE-2021-44999 + RESERVED +CVE-2021-44998 + RESERVED +CVE-2021-44997 + RESERVED +CVE-2021-44996 + RESERVED +CVE-2021-44995 + RESERVED +CVE-2021-44994 (There is an Assertion ''JERRY_CONTEXT (jmem_heap_allocated_size) == 0' ...) + - iotjs <not-affected> (Vulnerable code introduced later) + NOTE: https://github.com/jerryscript-project/jerryscript/issues/4894 + NOTE: https://github.com/jerryscript-project/jerryscript/pull/4944 + NOTE: https://github.com/jerryscript-project/jerryscript/issues/4895 +CVE-2021-44993 (There is an Assertion ''ecma_is_value_boolean (base_value)'' failed at ...) + - iotjs <not-affected> (Vulnerable code introduced later) + NOTE: https://github.com/jerryscript-project/jerryscript/issues/4876 + NOTE: https://github.com/jerryscript-project/jerryscript/pull/4878 +CVE-2021-44992 (There is an Assertion ''ecma_object_is_typedarray (obj_p)'' failed at ...) + - iotjs <not-affected> (Vulnerable code introduced later) + NOTE: https://github.com/jerryscript-project/jerryscript/issues/4875 + NOTE: https://github.com/jerryscript-project/jerryscript/pull/4879 +CVE-2021-44991 + RESERVED +CVE-2021-44990 + RESERVED +CVE-2021-44989 + RESERVED +CVE-2021-44988 (Jerryscript v3.0.0 and below was discovered to contain a stack overflo ...) + - iotjs <not-affected> (Vulnerable code introduced later) + NOTE: https://github.com/jerryscript-project/jerryscript/issues/4891 + NOTE: https://github.com/jerryscript-project/jerryscript/issues/4890 + NOTE: https://github.com/jerryscript-project/jerryscript/pull/4899 +CVE-2021-44987 + RESERVED +CVE-2021-44986 + RESERVED +CVE-2021-44985 + RESERVED +CVE-2021-44984 + RESERVED +CVE-2021-44983 (In taocms 3.0.1 after logging in to the background, there is an Arbitr ...) + NOT-FOR-US: taocms +CVE-2021-44982 + RESERVED +CVE-2021-44981 (In QuickBox Pro v2.5.8 and below, the config.php file has a variable w ...) + NOT-FOR-US: QuickBox Pro +CVE-2021-44980 + RESERVED +CVE-2021-44979 + RESERVED +CVE-2021-44978 (iCMS <= 8.0.0 allows users to add and render a comtom template, whi ...) + NOT-FOR-US: iCMS +CVE-2021-44977 (In iCMS <=8.0.0, a directory traversal vulnerability allows an atta ...) + NOT-FOR-US: iCMS +CVE-2021-44976 + RESERVED +CVE-2021-44975 + RESERVED +CVE-2021-44974 + RESERVED +CVE-2021-44973 + RESERVED +CVE-2021-44972 + RESERVED +CVE-2021-44971 (Multiple Tenda devices are affected by authentication bypass, such as ...) + NOT-FOR-US: Tenda +CVE-2021-44970 (MiniCMS v1.11 was discovered to contain a cross-site scripting (XSS) v ...) + NOT-FOR-US: MiniCMS +CVE-2021-44969 (Taocms v3.0.2 was discovered to contain a cross-site scripting (XSS) v ...) + NOT-FOR-US: Taocms +CVE-2021-44968 (A Use after Free vulnerability exists in IOBit Advanced SystemCare 15 ...) + NOT-FOR-US: IOBit Advanced SystemCare +CVE-2021-44967 + RESERVED +CVE-2021-44966 (SQL injection bypass authentication vulnerability in PHPGURUKUL Employ ...) + NOT-FOR-US: PHPGURUKUL Employee Record Management System +CVE-2021-44965 (Directory traversal vulnerability in /admin/includes/* directory for P ...) + NOT-FOR-US: PHPGURUKUL Employee Record Management System +CVE-2021-44964 + RESERVED +CVE-2021-44963 + RESERVED +CVE-2021-44962 + RESERVED +CVE-2021-44961 + RESERVED +CVE-2021-44960 (In SVGPP SVG++ library 1.3.0, the XMLDocument::getRoot function in the ...) + - svgpp <unfixed> + [bullseye] - svgpp <no-dsa> (Minor issue) + [buster] - svgpp <no-dsa> (Minor issue) + NOTE: https://github.com/svgpp/svgpp/issues/101 +CVE-2021-44959 + RESERVED +CVE-2021-44958 + RESERVED +CVE-2021-44957 (Global buffer overflow vulnerability exist in ffjpeg through 01.01.202 ...) + NOT-FOR-US: ffjpeg +CVE-2021-44956 (Two Heap based buffer overflow vulnerabilities exist in ffjpeg through ...) + NOT-FOR-US: ffjpeg +CVE-2021-44955 + RESERVED +CVE-2021-44954 + RESERVED +CVE-2021-44953 + RESERVED +CVE-2021-44952 + RESERVED +CVE-2021-44951 + RESERVED +CVE-2021-44950 + RESERVED +CVE-2021-44949 (glFusion CMS 1.7.9 is affected by an access control vulnerability via ...) + NOT-FOR-US: glFusion CMS +CVE-2021-44948 + REJECTED +CVE-2021-44947 + RESERVED +CVE-2021-44946 + RESERVED +CVE-2021-44945 + RESERVED +CVE-2021-44944 + RESERVED +CVE-2021-44943 + RESERVED +CVE-2021-44942 (glFusion CMS 1.7.9 is affected by a Cross Site Request Forgery (CSRF) ...) + NOT-FOR-US: glFusion CMS +CVE-2021-44941 + RESERVED +CVE-2021-44940 + RESERVED +CVE-2021-44939 + RESERVED +CVE-2021-44938 + RESERVED +CVE-2021-44937 (glFusion CMS v1.7.9 is affected by an arbitrary user registration vuln ...) + NOT-FOR-US: glFusion CMS +CVE-2021-44936 + RESERVED +CVE-2021-44935 (glFusion CMS v1.7.9 is affected by an arbitrary user impersonation vul ...) + NOT-FOR-US: glFusion CMS +CVE-2021-44934 + RESERVED +CVE-2021-44933 + RESERVED +CVE-2021-44932 + RESERVED +CVE-2021-44931 + RESERVED +CVE-2021-44930 + RESERVED +CVE-2021-44929 + RESERVED +CVE-2021-44928 + RESERVED +CVE-2021-44927 (A null pointer dereference vulnerability exists in gpac 1.1.0 in the g ...) + - gpac <unfixed> + NOTE: https://github.com/gpac/gpac/issues/1960 + NOTE: https://github.com/gpac/gpac/commit/eaea647cc7dec7b452c17e72f4ce46be35348c92 +CVE-2021-44926 (A null pointer dereference vulnerability exists in gpac 1.1.0-DEV in t ...) + - gpac <unfixed> + NOTE: https://github.com/gpac/gpac/issues/1961 + NOTE: https://github.com/gpac/gpac/commit/f73da86bf32992f62b9ff2b9c9e853e3c97edf8e +CVE-2021-44925 (A null pointer dereference vulnerability exists in gpac 1.1.0 in the g ...) + - gpac <unfixed> + NOTE: https://github.com/gpac/gpac/issues/1967 + NOTE: https://github.com/gpac/gpac/commit/a5a8dbcdd95666f763fe59ab65154ae9271a18f2 +CVE-2021-44924 (An infinite loop vulnerability exists in gpac 1.1.0 in the gf_log func ...) + - gpac <unfixed> + NOTE: https://github.com/gpac/gpac/issues/1959 + NOTE: https://github.com/gpac/gpac/commit/e2acb1511d1e69115141ea3080afd1cce6a15497 +CVE-2021-44923 (A null pointer dereference vulnerability exists in gpac 1.1.0 in the g ...) + - gpac <unfixed> + NOTE: https://github.com/gpac/gpac/issues/1962 + NOTE: https://github.com/gpac/gpac/commit/8a3c021109d26894c3cb85c9d7cda5780a3a2229 +CVE-2021-44922 (A null pointer dereference vulnerability exists in gpac 1.1.0 in the B ...) + - gpac <unfixed> + NOTE: https://github.com/gpac/gpac/issues/1969 + NOTE: https://github.com/gpac/gpac/issues/1968 + NOTE: https://github.com/gpac/gpac/commit/75474199cf7187868fa4be4e76377db3c659ee9a +CVE-2021-44921 (A null pointer dereference vulnerability exists in gpac 1.1.0 in the g ...) + - gpac <unfixed> + NOTE: https://github.com/gpac/gpac/issues/1964 + NOTE: https://github.com/gpac/gpac/commit/5b4a6417a90223f1ef6c0b41b055716f7bfbbca2 +CVE-2021-44920 (An invalid memory address dereference vulnerability exists in gpac 1.1 ...) + - gpac <unfixed> + NOTE: https://github.com/gpac/gpac/issues/1957 + NOTE: https://github.com/gpac/gpac/commit/339fe399e7c8eab748bab76e9e6a9da7e117eeb4 +CVE-2021-44919 (A Null Pointer Dereference vulnerability exists in the gf_sg_vrml_mf_a ...) + - gpac <unfixed> + NOTE: https://github.com/gpac/gpac/issues/1963 + NOTE: https://github.com/gpac/gpac/issues/1962 + NOTE: https://github.com/gpac/gpac/commit/8a3c021109d26894c3cb85c9d7cda5780a3a2229 +CVE-2021-44918 (A Null Pointer Dereference vulnerability exists in gpac 1.1.0 in the g ...) + - gpac <unfixed> + NOTE: https://github.com/gpac/gpac/issues/1968 + NOTE: https://github.com/gpac/gpac/commit/75474199cf7187868fa4be4e76377db3c659ee9a +CVE-2021-44917 (A Divide by Zero vulnerability exists in gnuplot 5.4 in the boundary3d ...) + - gnuplot 5.4.2+dfsg2-2 (unimportant; bug #1002539) + NOTE: https://sourceforge.net/p/gnuplot/bugs/2474/ + NOTE: https://sourceforge.net/p/gnuplot/gnuplot-main/ci/8938dfc937348f1d4e7b3d6ef6d44209b1d89473/ (master) + NOTE: https://sourceforge.net/p/gnuplot/gnuplot-main/ci/acab14de21e323254507fca85f964e471258ac82/ (master) + NOTE: https://sourceforge.net/p/gnuplot/gnuplot-main/ci/4cc2a4c83bc95470caa525cda52fba683e95bbb9/ (master) + NOTE: https://sourceforge.net/p/gnuplot/gnuplot-main/ci/7285b0c578a067d8d9fe0566ccefaee131f62087/ (branch-5-4-stable) + NOTE: https://sourceforge.net/p/gnuplot/gnuplot-main/ci/bac7cf51333242999ecb66883fd6076168ec3441/ (branch-5-4-stable) + NOTE: Crash in CLI tool, negligible security impact +CVE-2021-44916 (Opmantek Open-AudIT Community 4.2.0 (Fixed in 4.3.0) is affected by a ...) + NOT-FOR-US: Open-AudIT +CVE-2021-44915 + RESERVED +CVE-2021-44914 + RESERVED +CVE-2021-44913 + RESERVED +CVE-2021-44912 (In XE 1.116, when uploading the Normal button, there is no restriction ...) + NOT-FOR-US: XE +CVE-2021-44911 (XE before 1.11.6 is vulnerable to Unrestricted file upload via modules ...) + NOT-FOR-US: XE +CVE-2021-44910 + RESERVED +CVE-2021-44909 + RESERVED +CVE-2021-44908 + RESERVED +CVE-2021-44907 + RESERVED +CVE-2021-44906 + RESERVED +CVE-2021-44905 + RESERVED +CVE-2021-44904 + RESERVED +CVE-2021-44903 (Micro-Star International (MSI) Center Pro <= 2.0.16.0 is vulnerable ...) + NOT-FOR-US: Micro-Star International (MSI) Center Pro +CVE-2021-44902 + RESERVED +CVE-2021-44901 (Micro-Star International (MSI) Dragon Center <= 2.0.116.0 is vulner ...) + NOT-FOR-US: Micro-Star International (MSI) Dragon Center +CVE-2021-44900 (Micro-Star International (MSI) App Player <= 4.280.1.6309 is vulner ...) + NOT-FOR-US: Micro-Star International (MSI) App Player +CVE-2021-44899 (Micro-Star International (MSI) Center <= 1.0.31.0 is vulnerable to ...) + NOT-FOR-US: Micro-Star International (MSI) Center +CVE-2021-44898 + RESERVED +CVE-2021-44897 + RESERVED +CVE-2021-44896 (DMP Roadmap before 3.0.4 allows XSS. ...) + NOT-FOR-US: DMP Roadmap +CVE-2021-44895 + RESERVED +CVE-2021-44894 + RESERVED +CVE-2021-44893 + RESERVED +CVE-2021-44892 (A Remote Code Execution (RCE) vulnerability exists in ThinkPHP 3.x.x v ...) + NOT-FOR-US: ThinkPHP +CVE-2021-44891 + RESERVED +CVE-2021-44890 + RESERVED +CVE-2021-44889 + RESERVED +CVE-2021-44888 + RESERVED +CVE-2021-44887 + RESERVED +CVE-2021-44886 (In Zammad 5.0.2, agents can configure "out of office" periods and subs ...) + - zammad <itp> (bug #841355) +CVE-2021-44885 + RESERVED +CVE-2021-44884 + RESERVED +CVE-2021-44883 + RESERVED +CVE-2021-44882 (D-Link device DIR_878_FW1.30B08_Hotfix_02 was discovered to contain a ...) + NOT-FOR-US: D-Link +CVE-2021-44881 (D-Link device DIR_882 DIR_882_FW1.30B06_Hotfix_02 was discovered to co ...) + NOT-FOR-US: D-Link +CVE-2021-44880 (D-Link devices DIR_878 DIR_878_FW1.30B08_Hotfix_02 and DIR_882 DIR_882 ...) + NOT-FOR-US: D-Link +CVE-2021-44879 (In gc_data_segment in fs/f2fs/gc.c in the Linux kernel before 5.16.3, ...) + - linux 5.16.7-1 + NOTE: https://www.openwall.com/lists/oss-security/2022/02/12/1 + NOTE: Fixed by: https://git.kernel.org/linus/9056d6489f5a41cfbb67f719d2c0ce61ead72d9f (5.17-rc1) +CVE-2021-44878 (Pac4j v5.1 and earlier allows (by default) clients to accept and succe ...) + NOT-FOR-US: Pac4j +CVE-2021-44877 (Dalmark Systems Systeam 2.22.8 build 1724 is vulnerable to Incorrect A ...) + NOT-FOR-US: Dalmark Systems Systeam +CVE-2021-44876 (Dalmark Systems Systeam 2.22.8 build 1724 is vulnerable to User enumer ...) + NOT-FOR-US: Dalmark Systems Systeam +CVE-2021-44875 (Dalmark Systems Systeam 2.22.8 build 1724 is vulnerable to User enumer ...) + NOT-FOR-US: Dalmark Systems Systeam +CVE-2021-44874 (Dalmark Systems Systeam 2.22.8 build 1724 is vulnerable to Insecure de ...) + NOT-FOR-US: Dalmark Systems Systeam +CVE-2021-44873 + RESERVED +CVE-2021-44872 + RESERVED +CVE-2021-44871 + RESERVED +CVE-2021-44870 + RESERVED +CVE-2021-44869 + RESERVED +CVE-2021-44868 (A problem was found in ming-soft MCMS v5.1. There is a sql injection v ...) + NOT-FOR-US: ming-soft MCMS +CVE-2021-44867 + RESERVED +CVE-2021-44866 (An issue was discovered in Online-Movie-Ticket-Booking-System 1.0. The ...) + NOT-FOR-US: Online-Movie-Ticket-Booking-System +CVE-2021-44865 + RESERVED +CVE-2021-44864 (TP-Link WR886N 3.0 1.0.1 Build 150127 Rel.34123n is vulnerable to Buff ...) + NOT-FOR-US: TP-Link +CVE-2021-44863 + RESERVED +CVE-2021-44862 + RESERVED +CVE-2021-44861 + RESERVED +CVE-2021-44860 (An out-of-bounds read vulnerability exists when reading a TIF file usi ...) + NOT-FOR-US: Open Design Alliance Drawings SDK +CVE-2021-44859 (An out-of-bounds read vulnerability exists when reading a TGA file usi ...) + NOT-FOR-US: Open Design Alliance Drawings SDK +CVE-2021-44858 (An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36 ...) + {DSA-5021-1 DLA-2847-1} + - mediawiki 1:1.35.5-1 + [buster] - mediawiki 1:1.31.16-1+deb10u2 + NOTE: https://phabricator.wikimedia.org/T297322 + NOTE: https://lists.wikimedia.org/hyperkitty/list/wikitech-l@lists.wikimedia.org/thread/QEN3EK4JXAVJMJ5GF3GYOAKNJPEKFQYA/ +CVE-2021-44857 (An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36 ...) + {DSA-5021-1} + - mediawiki 1:1.35.5-1 + [buster] - mediawiki <not-affected> (Vulnerable code not present) + [stretch] - mediawiki <not-affected> (Vulnerable code not present) + NOTE: https://phabricator.wikimedia.org/T297322 + NOTE: https://lists.wikimedia.org/hyperkitty/list/wikitech-l@lists.wikimedia.org/thread/QEN3EK4JXAVJMJ5GF3GYOAKNJPEKFQYA/ +CVE-2021-44856 [Title blocked in AbuseFilter can be created via Special:ChangeContentModel] + RESERVED + - mediawiki 1:1.35.5-1 + [bullseye] - mediawiki <postponed> (Minor issue) + [buster] - mediawiki <postponed> (Minor issue) + [stretch] - mediawiki <postponed> (Minor issue) + NOTE: https://phabricator.wikimedia.org/T271037 + NOTE: https://lists.wikimedia.org/hyperkitty/list/wikitech-l@lists.wikimedia.org/thread/QEN3EK4JXAVJMJ5GF3GYOAKNJPEKFQYA/ +CVE-2021-44855 [Blind Stored XSS in VisualEditor media dialog] + RESERVED + - mediawiki 1:1.35.5-1 + [bullseye] - mediawiki <postponed> (Minor issue) + [buster] - mediawiki <not-affected> (Vulnerable code not present) + [stretch] - mediawiki <not-affected> (Vulnerable code not present) + NOTE: https://phabricator.wikimedia.org/T293589 + NOTE: https://lists.wikimedia.org/hyperkitty/list/wikitech-l@lists.wikimedia.org/thread/QEN3EK4JXAVJMJ5GF3GYOAKNJPEKFQYA/ +CVE-2021-44854 [REST API incorrectly publicly caches autocomplete search results from private wikis] + RESERVED + - mediawiki 1:1.35.5-1 + [bullseye] - mediawiki <postponed> (Minor issue) + [buster] - mediawiki <not-affected> (Vulnerable code not present) + [stretch] - mediawiki <not-affected> (Vulnerable code not present) + NOTE: https://phabricator.wikimedia.org/T292763 + NOTE: https://lists.wikimedia.org/hyperkitty/list/wikitech-l@lists.wikimedia.org/thread/QEN3EK4JXAVJMJ5GF3GYOAKNJPEKFQYA/ +CVE-2021-44853 + RESERVED +CVE-2021-44852 (An issue was discovered in BS_RCIO64.sys in Biostar RACING GT Evo 2.1. ...) + NOT-FOR-US: Biostar RACING GT Evo +CVE-2021-44851 + RESERVED +CVE-2021-44850 (On Xilinx Zynq-7000 SoC devices, physical modification of an SD boot i ...) + NOT-FOR-US: Xilinx Zynq-7000 SoC device +CVE-2021-44849 + RESERVED +CVE-2021-44848 (In Cibele Thinfinity VirtualUI before 3.0, /changePassword returns dif ...) + NOT-FOR-US: Cibele Thinfinity VirtualUI +CVE-2021-44847 (A stack-based buffer overflow in handle_request function in DHT.c in t ...) + - libtoxcore 0.2.13-1 (bug #1001711) + [bullseye] - libtoxcore <no-dsa> (Minor issue) + [buster] - libtoxcore <no-dsa> (Minor issue) + NOTE: https://github.com/TokTok/c-toxcore/pull/1718 + NOTE: https://blog.tox.chat/2021/12/stack-based-buffer-overflow-vulnerability-in-udp-packet-handling-in-toxcore-cve-2021-44847/ + NOTE: Introduced by: https://github.com/TokTok/c-toxcore/commit/71260e38e8d12547b0e55916daf6cadd72f52e19 (v0.1.9) + NOTE: Fixed by: https://github.com/TokTok/c-toxcore/commit/1b02bad36864fdfc36694e3f96d2dc6c58a891e4 (v0.2.13) +CVE-2021-44846 + RESERVED +CVE-2021-44845 + RESERVED +CVE-2021-44844 + RESERVED +CVE-2021-44843 + RESERVED +CVE-2021-44842 + RESERVED +CVE-2021-44841 + RESERVED +CVE-2021-44840 (An issue was discovered in Delta RM 1.2. Using an privileged account, ...) + NOT-FOR-US: Delta RM +CVE-2021-44839 (An issue was discovered in Delta RM 1.2. It is possible to request a n ...) + NOT-FOR-US: Delta RM +CVE-2021-44838 (An issue was discovered in Delta RM 1.2. Using the /risque/risque/ajax ...) + NOT-FOR-US: Delta RM +CVE-2021-44837 (An issue was discovered in Delta RM 1.2. It is possible for an unprivi ...) + NOT-FOR-US: Delta RM +CVE-2021-44836 (An issue was discovered in Delta RM 1.2. The /risque/risque/workflow/r ...) + NOT-FOR-US: Delta RM +CVE-2021-44835 + RESERVED +CVE-2021-44834 + RESERVED +CVE-2021-4107 (yetiforcecrm is vulnerable to Improper Neutralization of Input During ...) + NOT-FOR-US: yetiforcecrm +CVE-2021-4106 (A vulnerability in Snow Inventory Java Scanner allows an attacker to r ...) + NOT-FOR-US: Snow Inventory Java Scanner +CVE-2021-4105 + RESERVED +CVE-2021-44833 (The CLI 1.0.0 for Amazon AWS OpenSearch has weak permissions for the c ...) + NOT-FOR-US: CLI for Amazon AWS OpenSearch +CVE-2021-4104 (JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted ...) + {DLA-2905-1} + - apache-log4j1.2 1.2.17-11 + [bullseye] - apache-log4j1.2 <no-dsa> (Minor issue; JMSAppender not configured to be used by default) + [buster] - apache-log4j1.2 <no-dsa> (Minor issue; JMSAppender not configured to be used by default) + NOTE: https://www.openwall.com/lists/oss-security/2021/12/13/1 + NOTE: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126 + NOTE: Issue for Log4j 1.2 when specifically configured to use JMSAppender (not the default) + NOTE: https://www.openwall.com/lists/oss-security/2021/12/13/2 +CVE-2021-4103 (Cross-site Scripting (XSS) - Stored in GitHub repository vanessa219/vd ...) + NOT-FOR-US: vditor +CVE-2021-44832 (Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fi ...) + {DLA-2870-1} + - apache-log4j2 2.17.1-1 (bug #1002813) + [bullseye] - apache-log4j2 <no-dsa> (Minor issue; requires attacker with permissions to modify the logging configuration file) + [buster] - apache-log4j2 <no-dsa> (Minor issue; requires attacker with permissions to modify the logging configuration file) + NOTE: https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44832 + NOTE: https://issues.apache.org/jira/browse/LOG4J2-3293 + NOTE: https://lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9shtq5143 + NOTE: https://github.com/apache/logging-log4j2/commit/05db5f9527254632b59aed2a1d78a32c5ab74f16 (log4j-2.17.1-rc1) + NOTE: Fixed in 2.17.1, 2.12.4 and 2.3.2 +CVE-2021-44831 + RESERVED +CVE-2021-44830 + RESERVED +CVE-2021-44829 (Cross Site Scripting (XSS) vulnerability exists in index.html in AFI W ...) + NOT-FOR-US: AFI WebACMS +CVE-2021-44828 (Arm Mali GPU Kernel Driver (Midgard r26p0 through r30p0, Bifrost r0p0 ...) + NOT-FOR-US: ARM +CVE-2021-44827 + RESERVED +CVE-2021-44826 + RESERVED +CVE-2021-44825 + RESERVED +CVE-2021-44824 + RESERVED +CVE-2021-44823 + RESERVED +CVE-2021-44822 + RESERVED +CVE-2021-44821 + RESERVED +CVE-2021-44820 + RESERVED +CVE-2021-44819 + RESERVED +CVE-2021-44818 + RESERVED +CVE-2021-44817 + RESERVED +CVE-2021-44816 + RESERVED +CVE-2021-44815 + RESERVED +CVE-2021-44814 + RESERVED +CVE-2021-44813 + RESERVED +CVE-2021-44812 + RESERVED +CVE-2021-44811 + RESERVED +CVE-2021-44810 + RESERVED +CVE-2021-44809 + RESERVED +CVE-2021-44808 + RESERVED +CVE-2021-44807 + RESERVED +CVE-2021-44806 + RESERVED +CVE-2021-44805 + RESERVED +CVE-2021-44804 + RESERVED +CVE-2021-44803 + RESERVED +CVE-2021-44802 + RESERVED +CVE-2021-44801 + RESERVED +CVE-2021-44800 + RESERVED +CVE-2021-44799 + RESERVED +CVE-2021-44798 + RESERVED +CVE-2021-44797 + RESERVED +CVE-2021-44796 + RESERVED +CVE-2021-4102 (Use after free in V8 in Google Chrome prior to 96.0.4664.110 allowed a ...) + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2021-4101 (Heap buffer overflow in Swiftshader in Google Chrome prior to 96.0.466 ...) + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2021-4100 (Object lifecycle issue in ANGLE in Google Chrome prior to 96.0.4664.11 ...) + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2021-4099 (Use after free in Swiftshader in Google Chrome prior to 96.0.4664.110 ...) + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2021-4098 (Insufficient data validation in Mojo in Google Chrome prior to 96.0.46 ...) + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2021-4097 (phpservermon is vulnerable to Improper Neutralization of CRLF Sequence ...) + NOT-FOR-US: phpservermon +CVE-2021-4096 + RESERVED +CVE-2021-44795 (Single Connect does not perform an authorization check when using the ...) + NOT-FOR-US: Single Connect +CVE-2021-44794 (Single Connect does not perform an authorization check when using the ...) + NOT-FOR-US: Single Connect +CVE-2021-44793 (Single Connect does not perform an authorization check when using the ...) + NOT-FOR-US: Single Connect +CVE-2021-44792 (Single Connect does not perform an authorization check when using the ...) + NOT-FOR-US: Kron Single Connect +CVE-2021-44791 + RESERVED +CVE-2021-44790 (A carefully crafted request body can cause a buffer overflow in the mo ...) + {DSA-5035-1 DLA-2907-1} + - apache2 2.4.52-1 + NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-44790 + NOTE: Fixed by: https://svn.apache.org/r1896039 +CVE-2021-4095 + RESERVED + - linux <unfixed> + NOTE: https://lore.kernel.org/kvm/CAFcO6XOmoS7EacN_n6v4Txk7xL7iqRa2gABg3F7E3Naf5uG94g@mail.gmail.com/ + NOTE: https://patchwork.kernel.org/project/kvm/patch/20211121125451.9489-12-dwmw2@infradead.org/ + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2031194 +CVE-2021-4094 + RESERVED +CVE-2021-4093 (A flaw was found in the KVM's AMD code for supporting the Secure Encry ...) + - linux 5.14.16-1 + [bullseye] - linux <not-affected> (Vulnerable code not present) + [buster] - linux <not-affected> (Vulnerable code not present) + [stretch] - linux <not-affected> (Vulnerable code not present) + NOTE: https://git.kernel.org/linus/95e16b4792b0429f1933872f743410f00e590c55 (5.15-rc7) + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2028584 +CVE-2021-4092 (yetiforcecrm is vulnerable to Cross-Site Request Forgery (CSRF) ...) + NOT-FOR-US: yetiforcecrm +CVE-2021-4091 (A double-free was found in the way 389-ds-base handles virtual attribu ...) + - 389-ds-base <unfixed> + [stretch] - 389-ds-base <not-affected> (Vulnerable code introduced later) + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2030307 + NOTE: Introduced by: https://github.com/389ds/389-ds-base/commit/74c666b83e3e1789c2ef3f7935c327bd7555193e (389-ds-base-1.3.6.4) +CVE-2021-4090 (An out-of-bounds (OOB) memory write flaw was found in the NFSD in the ...) + - linux 5.15.5-1 + [bullseye] - linux <not-affected> (Vulnerable code introduced later) + [buster] - linux <not-affected> (Vulnerable code introduced later) + [stretch] - linux <not-affected> (Vulnerable code introduced later) + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2025101 + NOTE: https://git.kernel.org/linus/c0019b7db1d7ac62c711cda6b357a659d46428fe (5.16-rc2) +CVE-2021-44789 + RESERVED +CVE-2021-44788 + RESERVED +CVE-2021-44787 + RESERVED +CVE-2021-44786 + RESERVED +CVE-2021-44785 + RESERVED +CVE-2021-44784 + RESERVED +CVE-2021-44783 + RESERVED +CVE-2021-44782 + RESERVED +CVE-2021-44781 + RESERVED +CVE-2021-44780 + RESERVED +CVE-2021-44764 + RESERVED +CVE-2021-4089 (snipe-it is vulnerable to Improper Access Control ...) + NOT-FOR-US: snipe-it +CVE-2021-37408 + RESERVED +CVE-2021-31565 + RESERVED +CVE-2021-26261 + RESERVED +CVE-2021-26255 + RESERVED +CVE-2021-23189 + RESERVED +CVE-2021-23175 (NVIDIA GeForce Experience contains a vulnerability in user authorizati ...) + NOT-FOR-US: NVIDIA GeForce Experience +CVE-2021-23171 + RESERVED +CVE-2021-23170 + RESERVED +CVE-2021-23148 + RESERVED +CVE-2021-44759 + RESERVED +CVE-2021-4088 (SQL injection vulnerability in Data Loss Protection (DLP) ePO extensio ...) + NOT-FOR-US: McAfee +CVE-2021-4087 + RESERVED +CVE-2021-4086 + RESERVED +CVE-2021-4085 + RESERVED +CVE-2021-4084 (pimcore is vulnerable to Improper Neutralization of Input During Web P ...) + NOT-FOR-US: Pimcore +CVE-2021-4083 (A read-after-free memory flaw was found in the Linux kernel's garbage ...) + - linux 5.15.5-2 + [bullseye] - linux 5.10.84-1 + NOTE: https://git.kernel.org/linus/054aa8d439b9185d4f5eb9a90282d1ce74772969 (5.16-rc4) +CVE-2021-4082 (pimcore is vulnerable to Cross-Site Request Forgery (CSRF) ...) + NOT-FOR-US: Pimcore +CVE-2021-4081 (pimcore is vulnerable to Improper Neutralization of Input During Web P ...) + NOT-FOR-US: Pimcore +CVE-2021-44758 + RESERVED +CVE-2021-44757 (Zoho ManageEngine Desktop Central before 10.1.2137.9 and Desktop Centr ...) + NOT-FOR-US: Zoho ManageEngine +CVE-2021-44756 + RESERVED +CVE-2021-44755 + RESERVED +CVE-2021-44754 + RESERVED +CVE-2021-44753 + RESERVED +CVE-2021-44752 + RESERVED +CVE-2021-44751 + RESERVED +CVE-2021-44750 + RESERVED +CVE-2021-44749 + RESERVED +CVE-2021-44748 + RESERVED +CVE-2021-44747 + RESERVED +CVE-2021-44746 (UNIVERGE DT 820 V3.2.7.0 and prior, UNIVERGE DT 830 V5.2.7.0 and prior ...) + NOT-FOR-US: UNIVERGE +CVE-2021-44745 + RESERVED +CVE-2021-44744 + RESERVED +CVE-2021-44743 (Adobe Bridge version 11.1.2 (and earlier) and version 12.0 (and earlie ...) + NOT-FOR-US: Adobe +CVE-2021-44742 (Acrobat Reader DC version 21.007.20099 (and earlier), 20.004.30017 (an ...) + NOT-FOR-US: Adobe +CVE-2021-44741 (Acrobat Reader DC version 21.007.20099 (and earlier), 20.004.30017 (an ...) + NOT-FOR-US: Adobe +CVE-2021-44740 (Acrobat Reader DC version 21.007.20099 (and earlier), 20.004.30017 (an ...) + NOT-FOR-US: Adobe +CVE-2021-44739 (Acrobat Reader DC ActiveX Control versions 21.007.20099 (and earlier), ...) + NOT-FOR-US: Adobe +CVE-2021-44545 + RESERVED +CVE-2021-44457 + RESERVED +CVE-2021-44454 (Improper input validation in a third-party component for Intel(R) Quar ...) + NOT-FOR-US: Intel +CVE-2021-43351 + RESERVED +CVE-2021-4080 (crater is vulnerable to Unrestricted Upload of File with Dangerous Typ ...) + NOT-FOR-US: Crater +CVE-2021-26946 + RESERVED +CVE-2021-26254 + RESERVED +CVE-2021-23188 + RESERVED +CVE-2021-23168 + RESERVED +CVE-2021-23152 (Improper access control in the Intel(R) Advisor software before versio ...) + NOT-FOR-US: Intel +CVE-2021-23145 + RESERVED +CVE-2021-XXXX [Rainloop stores passwords in cleartext in logfile] + - rainloop 1.14.0-1 (bug #962629) + [buster] - rainloop <no-dsa> (Minor issue) + NOTE: https://github.com/RainLoop/rainloop-webmail/issues/1872 +CVE-2021-44738 (Buffer overflow vulnerability has been identified in Lexmark devices t ...) + NOT-FOR-US: Lexmark +CVE-2021-44737 (PJL directory traversal vulnerability in Lexmark devices through 2021- ...) + NOT-FOR-US: Lexmark +CVE-2021-44736 (The initial admin account setup wizard on Lexmark devices allow unauth ...) + NOT-FOR-US: Lexmark +CVE-2021-44735 (Embedded web server command injection vulnerability in Lexmark devices ...) + NOT-FOR-US: Lexmark +CVE-2021-44734 (Embedded web server input sanitization vulnerability in Lexmark device ...) + NOT-FOR-US: Lexmark +CVE-2021-44733 (A use-after-free exists in drivers/tee/tee_shm.c in the TEE subsystem ...) + - linux 5.15.15-1 + [bullseye] - linux 5.10.92-1 + [stretch] - linux <not-affected> (Vulnerable code not present) + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2030747 +CVE-2021-44732 (Mbed TLS before 3.0.1 has a double free in certain out-of-memory condi ...) + [experimental] - mbedtls 2.28.0-0.1 + - mbedtls 2.28.0-0.3 (bug #1002631) + NOTE: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2021-12 + NOTE: https://github.com/ARMmbed/mbedtls/commit/eb490aabf6a9f47c074ec476d0d4997c2362cdbc (mbedtls-2.16.12) +CVE-2021-44731 (A race condition existed in the snapd 2.54.2 snap-confine binary when ...) + {DSA-5080-1} + - snapd <unfixed> + NOTE: https://www.openwall.com/lists/oss-security/2022/02/17/2 +CVE-2021-44730 (snapd 2.54.2 did not properly validate the location of the snap-confin ...) + {DSA-5080-1} + - snapd <unfixed> + NOTE: https://www.openwall.com/lists/oss-security/2022/02/17/2 +CVE-2021-44729 + RESERVED +CVE-2021-44728 + RESERVED +CVE-2021-44727 + RESERVED +CVE-2021-44726 (KNIME Server before 4.13.4 allows XSS via the old WebPortal login page ...) + NOT-FOR-US: KNIME Server +CVE-2021-44725 (KNIME Server before 4.13.4 allows directory traversal in a request for ...) + NOT-FOR-US: KNIME Server +CVE-2021-44724 + RESERVED +CVE-2021-44723 + RESERVED +CVE-2021-44722 + RESERVED +CVE-2021-44721 + RESERVED +CVE-2021-44720 + RESERVED +CVE-2021-44719 + RESERVED +CVE-2021-44718 + RESERVED +CVE-2021-44717 (Go before 1.16.12 and 1.17.x before 1.17.5 on UNIX allows write operat ...) + {DLA-2892-1 DLA-2891-1} + - golang-1.17 1.17.5-1 + - golang-1.15 1.15.15-5 + [bullseye] - golang-1.15 1.15.15-1~deb11u2 + - golang-1.11 <removed> + [buster] - golang-1.11 <no-dsa> (Minor issue) + - golang-1.8 <removed> + - golang-1.7 <removed> + NOTE: https://github.com/golang/go/issues/50057 + NOTE: https://groups.google.com/g/golang-announce/c/hcmEScgc00k/m/ZWnOjeY4CQAJ + NOTE: https://github.com/golang/go/commit/e46abcb816fb20663483f84fe52e370790a99bee (go1.17.5) + NOTE: https://github.com/golang/go/commit/44a3fb49d99cc8a4de4925b69650f97bb07faf1d (go1.16.12) +CVE-2021-44716 (net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontro ...) + {DLA-2892-1 DLA-2891-1} + - golang-1.17 1.17.5-1 + - golang-1.15 1.15.15-5 + [bullseye] - golang-1.15 1.15.15-1~deb11u2 + - golang-1.11 <removed> + - golang-1.8 <removed> + - golang-1.7 <removed> + - golang-golang-x-net 1:0.0+git20211209.491a49a+dfsg-1 + - golang-golang-x-net-dev <removed> + [stretch] - golang-golang-x-net-dev <postponed> (Limited support in stretch) + NOTE: https://github.com/golang/go/issues/50058 + NOTE: https://groups.google.com/g/golang-announce/c/hcmEScgc00k/m/ZWnOjeY4CQAJ + NOTE: https://github.com/golang/go/commit/48d948963c5ce7add72af5665a871caff6c1d35a (go1.17.5) + NOTE: https://github.com/golang/go/commit/d0aebe3e74fe14799f97ddd3f01129697c6a290a (go1.16.12) + NOTE: https://github.com/golang/net/commit/491a49abca63de5e07ef554052d180a1b5fe2d70 +CVE-2021-44715 (Acrobat Reader DC version 21.007.20099 (and earlier), 20.004.30017 (an ...) + NOT-FOR-US: Adobe +CVE-2021-44714 (Acrobat Reader DC version 21.007.20099 (and earlier), 20.004.30017 (an ...) + NOT-FOR-US: Adobe +CVE-2021-44713 (Acrobat Reader DC version 21.007.20099 (and earlier), 20.004.30017 (an ...) + NOT-FOR-US: Adobe +CVE-2021-44712 (Acrobat Reader DC version 21.007.20099 (and earlier), 20.004.30017 (an ...) + NOT-FOR-US: Adobe +CVE-2021-44711 (Acrobat Reader DC version 21.007.20099 (and earlier), 20.004.30017 (an ...) + NOT-FOR-US: Adobe +CVE-2021-44710 (Acrobat Reader DC version 21.007.20099 (and earlier), 20.004.30017 (an ...) + NOT-FOR-US: Adobe +CVE-2021-44709 (Acrobat Reader DC version 21.007.20099 (and earlier), 20.004.30017 (an ...) + NOT-FOR-US: Adobe +CVE-2021-44708 (Acrobat Reader DC version 21.007.20099 (and earlier), 20.004.30017 (an ...) + NOT-FOR-US: Adobe +CVE-2021-44707 (Acrobat Reader DC version 21.007.20099 (and earlier), 20.004.30017 (an ...) + NOT-FOR-US: Adobe +CVE-2021-44706 (Acrobat Reader DC version 21.007.20099 (and earlier), 20.004.30017 (an ...) + NOT-FOR-US: Adobe +CVE-2021-44705 (Acrobat Reader DC version 21.007.20099 (and earlier), 20.004.30017 (an ...) + NOT-FOR-US: Adobe +CVE-2021-44704 (Acrobat Reader DC version 21.007.20099 (and earlier), 20.004.30017 (an ...) + NOT-FOR-US: Adobe +CVE-2021-44703 (Acrobat Reader DC version 21.007.20099 (and earlier), 20.004.30017 (an ...) + NOT-FOR-US: Adobe +CVE-2021-44702 (Acrobat Reader DC ActiveX Control versions 21.007.20099 (and earlier), ...) + NOT-FOR-US: Adobe +CVE-2021-44701 (Acrobat Reader DC version 21.007.20099 (and earlier), 20.004.30017 (an ...) + NOT-FOR-US: Adobe +CVE-2021-44700 (Adobe Illustrator versions 25.4.2 (and earlier) and 26.0.1 (and earlie ...) + NOT-FOR-US: Adobe +CVE-2021-44699 (Adobe Audition versions 14.4 (and earlier), and 22.0 (and earlier)are ...) + NOT-FOR-US: Adobe +CVE-2021-44698 (Adobe Audition versions 14.4 (and earlier), and 22.0 (and earlier)are ...) + NOT-FOR-US: Adobe +CVE-2021-44697 (Adobe Audition versions 14.4 (and earlier), and 22.0 (and earlier)are ...) + NOT-FOR-US: Adobe +CVE-2021-44696 + RESERVED +CVE-2021-44695 + RESERVED +CVE-2021-44694 + RESERVED +CVE-2021-44693 + RESERVED +CVE-2021-4079 (Out of bounds write in WebRTC in Google Chrome prior to 96.0.4664.93 a ...) + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2021-4078 (Type confusion in V8 in Google Chrome prior to 96.0.4664.93 allowed a ...) + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2021-4077 + RESERVED +CVE-2021-4076 [keys: move signing part out of find_by_thp() and to find_jws()] + RESERVED + {DSA-5025-1} + - tang 11-1 + [buster] - tang <not-affected> (Vulnerable code introduced later) + NOTE: https://github.com/latchset/tang/pull/81 + NOTE: Introduced by: https://github.com/latchset/tang/commit/609050586e4863329d2db9b7cb73da5c09eeea2b (v8) + NOTE: Fixed by: https://github.com/latchset/tang/commit/e82459fda10f0630c3414ed2afbc6320bb9ea7c9 (v11) +CVE-2021-44692 (BuddyBoss Platform through 1.8.0 allows remote attackers to obtain the ...) + NOT-FOR-US: BuddyBoss Platform +CVE-2021-44691 + RESERVED +CVE-2021-44690 + RESERVED +CVE-2021-44689 + RESERVED +CVE-2021-44688 + RESERVED +CVE-2021-44687 + RESERVED +CVE-2021-44686 (calibre before 5.32.0 contains a regular expression that is vulnerable ...) + - calibre 5.33.0+dfsg-1 + [bullseye] - calibre <no-dsa> (Minor issue) + [buster] - calibre <no-dsa> (Minor issue) + [stretch] - calibre <no-dsa> (Minor issue) + NOTE: https://bugs.launchpad.net/calibre/+bug/1951979 + NOTE: https://github.com/kovidgoyal/calibre/commit/235b7e38c197ba4a3c17531e516610af8795e348 (v5.33.0) +CVE-2021-44685 (Git-it through 4.4.0 allows OS command injection at the Branches Aren' ...) + NOT-FOR-US: git-it +CVE-2021-44684 (naholyr github-todos 3.1.0 is vulnerable to command injection. The ran ...) + NOT-FOR-US: naholyr github-todos +CVE-2021-44683 + RESERVED +CVE-2021-44682 (An issue (6 of 6) was discovered in Veritas Enterprise Vault through 1 ...) + NOT-FOR-US: Veritas +CVE-2021-44681 (An issue (5 of 6) was discovered in Veritas Enterprise Vault through 1 ...) + NOT-FOR-US: Veritas +CVE-2021-44680 (An issue (4 of 6) was discovered in Veritas Enterprise Vault through 1 ...) + NOT-FOR-US: Veritas +CVE-2021-44679 (An issue (3 of 6) was discovered in Veritas Enterprise Vault through 1 ...) + NOT-FOR-US: Veritas +CVE-2021-44678 (An issue (2 of 6) was discovered in Veritas Enterprise Vault through 1 ...) + NOT-FOR-US: Veritas +CVE-2021-44677 (An issue (1 of 6) was discovered in Veritas Enterprise Vault through 1 ...) + NOT-FOR-US: Veritas +CVE-2021-44676 (Zoho ManageEngine Access Manager Plus before 4203 allows anyone to vie ...) + NOT-FOR-US: Zoho ManageEngine +CVE-2021-44675 (Zoho ManageEngine ServiceDesk Plus MSP before 10.5 Build 10534 is vuln ...) + NOT-FOR-US: Zoho ManageEngine +CVE-2021-4075 (snipe-it is vulnerable to Server-Side Request Forgery (SSRF) ...) + NOT-FOR-US: snipe-it +CVE-2021-4074 (The WHMCS Bridge WordPress plugin is vulnerable to Stored Cross-Site S ...) + NOT-FOR-US: WordPress plugin +CVE-2021-4073 (The RegistrationMagic WordPress plugin made it possible for unauthenti ...) + NOT-FOR-US: WordPress plugin +CVE-2021-4072 (elgg is vulnerable to Improper Neutralization of Input During Web Page ...) + NOT-FOR-US: elgg +CVE-2021-4071 + RESERVED +CVE-2021-44674 (An information exposure issue has been discovered in Opmantek Open-Aud ...) + NOT-FOR-US: Open-AudIT +CVE-2021-44673 + RESERVED +CVE-2021-44672 + RESERVED +CVE-2021-44671 + RESERVED +CVE-2021-44670 + RESERVED +CVE-2021-44669 + RESERVED +CVE-2021-44668 + RESERVED +CVE-2021-44667 + RESERVED +CVE-2021-44666 + RESERVED +CVE-2021-44665 + RESERVED +CVE-2021-44664 + RESERVED +CVE-2021-44663 + RESERVED +CVE-2021-44662 + RESERVED +CVE-2021-44661 + RESERVED +CVE-2021-44660 + RESERVED +CVE-2021-44659 (Adding a new pipeline in GoCD server version 21.3.0 has a functionalit ...) + NOT-FOR-US: GoCD server +CVE-2021-44658 + RESERVED +CVE-2021-44657 (In StackStorm versions prior to 3.6.0, the jinja interpreter was not r ...) + NOT-FOR-US: StackStorm +CVE-2021-44656 + RESERVED +CVE-2021-44655 (Online Pre-owned/Used Car Showroom Management System 1.0 contains a SQ ...) + NOT-FOR-US: Online Pre-owned/Used Car Showroom Management System +CVE-2021-44654 + RESERVED +CVE-2021-44653 (Online Magazine Management System 1.0 contains a SQL injection authent ...) + NOT-FOR-US: Online Magazine Management System +CVE-2021-44652 (Zoho ManageEngine O365 Manager Plus before Build 4416 allows remote co ...) + NOT-FOR-US: Zoho ManageEngine +CVE-2021-44651 (Zoho ManageEngine CloudSecurityPlus before Build 4117 allows remote co ...) + NOT-FOR-US: Zoho ManageEngine +CVE-2021-44650 (Zoho ManageEngine M365 Manager Plus before Build 4419 allows remote co ...) + NOT-FOR-US: Zoho ManageEngine +CVE-2021-44649 (Django CMS 3.7.3 does not validate the plugin_type parameter while gen ...) + - python-django-cms <itp> (bug #516183) +CVE-2021-44648 (GNOME gdk-pixbuf 2.42.6 is vulnerable to a heap-buffer overflow vulner ...) + - gdk-pixbuf <unfixed> + [buster] - gdk-pixbuf <not-affected> (Vulnerable code introduced later) + [stretch] - gdk-pixbuf <not-affected> (Vulnerable code introduced later) + NOTE: https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/136 + NOTE: https://sahildhar.github.io/blogpost/GdkPixbuf-Heap-Buffer-Overflow-in-lzw_decoder_new/ + NOTE: Introduced by: https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/b88f1ce91a610a4e491a4ad6352183791e78afac (2.39.2) +CVE-2021-44647 (Lua 5.4.4 and 5.4.2 are affected by SEGV by type confusion in funcname ...) + - lua5.4 5.4.4-1 (bug #1004189) + NOTE: http://lua-users.org/lists/lua-l/2021-11/msg00195.html + NOTE: http://lua-users.org/lists/lua-l/2021-11/msg00204.html + NOTE: Fixed by: https://github.com/lua/lua/commit/1de95e97ef65632a88e08b6184bd9d1ceba7ec2f + TODO: check older versions if issue is present, reproducer do not crash, but needs inspection of the code yet +CVE-2021-44646 + RESERVED +CVE-2021-44645 + RESERVED +CVE-2021-44644 + RESERVED +CVE-2021-44643 + RESERVED +CVE-2021-44642 + RESERVED +CVE-2021-44641 + RESERVED +CVE-2021-44640 + RESERVED +CVE-2021-44639 + RESERVED +CVE-2021-44638 + RESERVED +CVE-2021-44637 + RESERVED +CVE-2021-44636 + RESERVED +CVE-2021-44635 + RESERVED +CVE-2021-44634 + RESERVED +CVE-2021-44633 + RESERVED +CVE-2021-44632 + RESERVED +CVE-2021-44631 + RESERVED +CVE-2021-44630 + RESERVED +CVE-2021-44629 + RESERVED +CVE-2021-44628 + RESERVED +CVE-2021-44627 + RESERVED +CVE-2021-44626 + RESERVED +CVE-2021-44625 + RESERVED +CVE-2021-44624 + RESERVED +CVE-2021-44623 + RESERVED +CVE-2021-44622 + RESERVED +CVE-2021-44621 + RESERVED +CVE-2021-44620 RESERVED -CVE-2021-44228 +CVE-2021-44619 RESERVED -CVE-2021-4024 [podman: podman machine spawns gvproxy with port binded to all IPs] +CVE-2021-44618 RESERVED - - libpod <unfixed> +CVE-2021-44617 + RESERVED +CVE-2021-44616 + RESERVED +CVE-2021-44615 + RESERVED +CVE-2021-44614 + RESERVED +CVE-2021-44613 + RESERVED +CVE-2021-44612 + RESERVED +CVE-2021-44611 + RESERVED +CVE-2021-44610 + RESERVED +CVE-2021-44609 + RESERVED +CVE-2021-44608 + RESERVED +CVE-2021-44607 + RESERVED +CVE-2021-44606 + RESERVED +CVE-2021-44605 + RESERVED +CVE-2021-44604 + RESERVED +CVE-2021-44603 + RESERVED +CVE-2021-44602 + RESERVED +CVE-2021-44601 + RESERVED +CVE-2021-44600 (The password parameter on Simple Online Mens Salon Management System ( ...) + NOT-FOR-US: Simple Online Mens Salon Management System (MSMS) +CVE-2021-44599 (The id parameter from Online Enrollment Management System 1.0 system a ...) + NOT-FOR-US: Online Enrollment Management System +CVE-2021-44598 (Attendance Management System 1.0 is affected by a Cross Site Scripting ...) + NOT-FOR-US: Attendance Management System +CVE-2021-44597 + RESERVED +CVE-2021-44596 + RESERVED +CVE-2021-44595 + RESERVED +CVE-2021-44594 + RESERVED +CVE-2021-44593 (Simple College Website 1.0 is vulnerable to unauthenticated file uploa ...) + NOT-FOR-US: Simple College Website +CVE-2021-44592 + RESERVED +CVE-2021-44591 (In libming 0.4.8, the parseSWF_DEFINELOSSLESS2 function in util/parser ...) + - ming <removed> + NOTE: https://github.com/libming/libming/issues/235 +CVE-2021-44590 (In libming 0.4.8, a memory exhaustion vulnerability exist in the funct ...) + - ming <removed> + NOTE: https://github.com/libming/libming/issues/236 +CVE-2021-44589 + RESERVED +CVE-2021-44588 + RESERVED +CVE-2021-44587 + RESERVED +CVE-2021-44586 (An issue was discovered in dst-admin v1.3.0. The product has an unauth ...) + NOT-FOR-US: dst-admin +CVE-2021-44585 + RESERVED +CVE-2021-44584 (Cross-site scripting (XSS) vulnerability in index.php in emlog version ...) + NOT-FOR-US: emlog +CVE-2021-44583 + RESERVED +CVE-2021-44582 + RESERVED +CVE-2021-44581 + RESERVED +CVE-2021-44580 + RESERVED +CVE-2021-44579 + RESERVED +CVE-2021-44578 + RESERVED +CVE-2021-44577 (Two heap-overflow vulnerabilities exist in openSUSE libsolv through 13 ...) + - libsolv 0.7.17-1 (unimportant) + NOTE: https://github.com/openSUSE/libsolv/issues/428 + NOTE: https://github.com/openSUSE/libsolv/commit/0077ef29eb46d2e1df2f230fc95a1d9748d49dec (0.7.17) + NOTE: Issue is fixed in the testcase; negligible security impact +CVE-2021-44576 (Two memory vulnerabilities exists in openSUSE libsolv through 13 Dec 2 ...) + - libsolv 0.7.17-1 (unimportant) + NOTE: https://github.com/openSUSE/libsolv/issues/426 + NOTE: https://github.com/openSUSE/libsolv/commit/0077ef29eb46d2e1df2f230fc95a1d9748d49dec (0.7.17) + NOTE: Issue is fixed in the testcase; negligible security impact +CVE-2021-44575 (Two heap-overflow vulnerabilities exists in openSUSE libsolv through 1 ...) + - libsolv 0.7.17-1 (unimportant) + NOTE: https://github.com/openSUSE/libsolv/issues/427 + NOTE: https://github.com/openSUSE/libsolv/commit/0077ef29eb46d2e1df2f230fc95a1d9748d49dec (0.7.17) + NOTE: Issue is fixed in the testcase; negligible security impact +CVE-2021-44574 (A heap-overflow vulnerability exists in openSUSE libsolv through 13 De ...) + - libsolv 0.7.17-1 (unimportant) + NOTE: https://github.com/openSUSE/libsolv/issues/429 + NOTE: https://github.com/openSUSE/libsolv/commit/0077ef29eb46d2e1df2f230fc95a1d9748d49dec (0.7.17) + NOTE: Issue is fixed in the testcase; negligible security impact +CVE-2021-44573 (Two heap overflow vulnerabilities exist in oenSUSE libsolv through 13 ...) + - libsolv 0.7.17-1 (unimportant) + NOTE: https://github.com/openSUSE/libsolv/issues/430 + NOTE: https://github.com/openSUSE/libsolv/commit/0077ef29eb46d2e1df2f230fc95a1d9748d49dec (0.7.17) + NOTE: Issue is fixed in the testcase; negligible security impact +CVE-2021-44572 + RESERVED +CVE-2021-44571 (A heap overflow vulnerability exisfts in openSUSE libsolv through 13 D ...) + - libsolv 0.7.17-1 (unimportant) + NOTE: https://github.com/openSUSE/libsolv/issues/421 + NOTE: https://github.com/openSUSE/libsolv/commit/0077ef29eb46d2e1df2f230fc95a1d9748d49dec (0.7.17) + NOTE: Issue is fixed in the testcase; negligible security impact +CVE-2021-44570 (Two heap-overflow vulnerabilities exists in openSUSE/libsolv through 1 ...) + - libsolv 0.7.17-1 (unimportant) + NOTE: https://github.com/openSUSE/libsolv/issues/424 + NOTE: https://github.com/openSUSE/libsolv/commit/0077ef29eb46d2e1df2f230fc95a1d9748d49dec (0.7.17) + NOTE: Issue is fixed in the testcase; negligible security impact +CVE-2021-44569 (A heap-buffer openSUSE libsolv through 13 Dec 2020 exists in the solve ...) + - libsolv 0.7.17-1 (unimportant) + NOTE: https://github.com/openSUSE/libsolv/issues/423 + NOTE: https://github.com/openSUSE/libsolv/commit/0077ef29eb46d2e1df2f230fc95a1d9748d49dec (0.7.17) + NOTE: Issue is fixed in the testcase; negligible security impact +CVE-2021-44568 (Two heap-overflow vulnerabilities exist in openSUSE/libsolv libsolv th ...) + - libsolv 0.7.17-1 (unimportant) + NOTE: https://github.com/openSUSE/libsolv/issues/425 + NOTE: https://github.com/openSUSE/libsolv/commit/0077ef29eb46d2e1df2f230fc95a1d9748d49dec (0.7.17) + NOTE: Issue is fixed in the testcase; negligible security impact +CVE-2021-44567 + RESERVED +CVE-2021-44566 + RESERVED +CVE-2021-44565 + RESERVED +CVE-2021-44564 (A security vulnerability originally reported in the SYNC2101 product, ...) + NOT-FOR-US: SYNC2101 +CVE-2021-44563 + RESERVED +CVE-2021-44562 + RESERVED +CVE-2021-44561 + RESERVED +CVE-2021-44560 + RESERVED +CVE-2021-44559 + RESERVED +CVE-2021-44558 + RESERVED +CVE-2021-44557 (National Library of the Netherlands multiNER <= c0440948057afc6e3d6 ...) + NOT-FOR-US: National Library of the Netherlands multiNER +CVE-2021-44556 (National Library of the Netherlands digger < 6697d1269d981e35e11f24 ...) + NOT-FOR-US: National Library of the Netherlands digger +CVE-2021-44555 + RESERVED +CVE-2021-44554 (Thinfinity VirtualUI before 3.0 allows a malicious actor to enumerate ...) + NOT-FOR-US: Thinfinity VirtualUI +CVE-2021-44553 + RESERVED +CVE-2021-44552 + RESERVED +CVE-2021-44551 + RESERVED +CVE-2021-44550 + RESERVED +CVE-2021-4070 + RESERVED +CVE-2021-44549 (Apache Sling Commons Messaging Mail provides a simple layer on top of ...) + NOT-FOR-US: Apache Sling +CVE-2021-4069 (vim is vulnerable to Use After Free ...) + - vim 2:8.2.3995-1 + [bullseye] - vim <no-dsa> (Minor issue) + [buster] - vim <no-dsa> (Minor issue) + NOTE: https://huntr.dev/bounties/0efd6d23-2259-4081-9ff1-3ade26907d74/ + NOTE: https://github.com/vim/vim/commit/e031fe90cf2e375ce861ff5e5e281e4ad229ebb9 (v8.2.3741) +CVE-2021-44548 (An Improper Input Validation vulnerability in DataImportHandler of Apa ...) + - lucene-solr <not-affected> (Issue only affects Windows) + NOTE: https://issues.apache.org/jira/browse/SOLR-15826 +CVE-2021-4068 (Insufficient data validation in new tab page in Google Chrome prior to ...) + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2021-4067 (Use after free in window manager in Google Chrome on ChromeOS prior to ...) + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2021-4066 (Integer underflow in ANGLE in Google Chrome prior to 96.0.4664.93 allo ...) + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2021-4065 (Use after free in autofill in Google Chrome prior to 96.0.4664.93 allo ...) + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2021-4064 (Use after free in screen capture in Google Chrome on ChromeOS prior to ...) + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2021-4063 (Use after free in developer tools in Google Chrome prior to 96.0.4664. ...) + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2021-4062 (Heap buffer overflow in BFCache in Google Chrome prior to 96.0.4664.93 ...) + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2021-4061 (Type confusion in V8 in Google Chrome prior to 96.0.4664.93 allowed a ...) + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2021-4060 + RESERVED +CVE-2021-4059 (Insufficient data validation in loader in Google Chrome prior to 96.0. ...) + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2021-4058 (Heap buffer overflow in ANGLE in Google Chrome prior to 96.0.4664.93 a ...) + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2021-4057 (Use after free in file API in Google Chrome prior to 96.0.4664.93 allo ...) + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2021-4056 (Type confusion in loader in Google Chrome prior to 96.0.4664.93 allowe ...) + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2021-4055 (Heap buffer overflow in extensions in Google Chrome prior to 96.0.4664 ...) + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2021-4054 (Incorrect security UI in autofill in Google Chrome prior to 96.0.4664. ...) + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2021-4053 (Use after free in UI in Google Chrome on Linux prior to 96.0.4664.93 a ...) + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2021-4052 (Use after free in web apps in Google Chrome prior to 96.0.4664.93 allo ...) + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2021-4051 + RESERVED +CVE-2021-44543 (An XSS vulnerability was found in Privoxy which was fixed in cgi_error ...) + {DLA-2844-1} + - privoxy 3.0.33-1 + [bullseye] - privoxy 3.0.32-2+deb11u1 + [buster] - privoxy <no-dsa> (Minor issue) + NOTE: https://www.openwall.com/lists/oss-security/2021/12/09/1 + NOTE: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=0e668e9409cbf4ab8bf2d79be204bd4e81a00d85 (v_3_0_33) +CVE-2021-44542 (A memory leak vulnerability was found in Privoxy when handling errors. ...) + - privoxy 3.0.33-1 + [bullseye] - privoxy 3.0.32-2+deb11u1 + [buster] - privoxy <not-affected> (Vulnerable code introduced in 3.0.29) + [stretch] - privoxy <not-affected> (Vulnerable code introduced in 3.0.29) + NOTE: https://www.openwall.com/lists/oss-security/2021/12/09/1 + NOTE: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=c48d1d6d08996116cbcea55cd3fc6c2a558e499a (v_3_0_33) +CVE-2021-44541 (A vulnerability was found in Privoxy which was fixed in process_encryp ...) + - privoxy 3.0.33-1 + [bullseye] - privoxy 3.0.32-2+deb11u1 + [buster] - privoxy <not-affected> (Vulnerable code introduced in 3.0.29) + [stretch] - privoxy <not-affected> (Vulnerable code introduced in 3.0.29) + NOTE: https://www.openwall.com/lists/oss-security/2021/12/09/1 + NOTE: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=0509c58045b26463844188e07c5e87c74ea21044 (v_3_0_33) +CVE-2021-44540 (A vulnerability was found in Privoxy which was fixed in get_url_spec_p ...) + {DLA-2844-1} + - privoxy 3.0.33-1 + [bullseye] - privoxy 3.0.32-2+deb11u1 + [buster] - privoxy <no-dsa> (Minor issue) + NOTE: https://www.openwall.com/lists/oss-security/2021/12/09/1 + NOTE: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=652b4b7cb07592c0912cf938a50fcd009fa29a0a (v_3_0_33) +CVE-2021-43353 (The Crisp Live Chat WordPress plugin is vulnerable to Cross-Site Reque ...) + NOT-FOR-US: WordPress plugin +CVE-2021-41836 (The Fathom Analytics WordPress plugin is vulnerable to Stored Cross-Si ...) + NOT-FOR-US: WordPress plugin +CVE-2021-4050 (livehelperchat is vulnerable to Improper Neutralization of Input Durin ...) + NOT-FOR-US: livehelperchat +CVE-2021-4049 (livehelperchat is vulnerable to Cross-Site Request Forgery (CSRF) ...) + NOT-FOR-US: livehelperchat +CVE-2021-44539 + RESERVED +CVE-2021-44538 (The olm_session_describe function in Matrix libolm before 3.2.7 is vul ...) + {DSA-5034-1 DLA-2874-1} + - element-web <itp> (bug #866502) + - olm 3.2.8~dfsg-1 (bug #1001664) + [bullseye] - olm <no-dsa> (Minor issue) + [buster] - olm <not-affected> (Vulnerable code introduced later) + - thunderbird 1:91.4.1-1 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-55/#CVE-2021-44538 + NOTE: https://matrix.org/blog/2021/12/13/disclosure-buffer-overflow-in-libolm-and-matrix-js-sdk/ + NOTE: Introduced by: https://gitlab.matrix.org/matrix-org/olm/-/commit/39a1ee0b18f0fced6d7bc293cc9a46ea70ec9e96 (3.1.4) + NOTE: Fixed by: https://gitlab.matrix.org/matrix-org/olm/-/commit/c23ce70fc66c26db5839ddb5a3b46d4c3d3abed6 (3.2.8) +CVE-2021-44537 (ownCloud owncloud/client before 2.9.2 allows Resource Injection by a s ...) + - owncloud-client <unfixed> + NOTE: https://owncloud.com/security-advisories/cve-2021-44537/ +CVE-2021-44536 + RESERVED +CVE-2021-44535 + RESERVED +CVE-2021-44534 + RESERVED +CVE-2021-44533 [Incorrect handling of certificate subject and issuer fields] + RESERVED + - nodejs <unfixed> (bug #1004177) + [stretch] - nodejs <end-of-life> (Nodejs in stretch not covered by security support) + NOTE: https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/#incorrect-handling-of-certificate-subject-and-issuer-fields-medium-cve-2021-44533 + NOTE: https://github.com/nodejs/node/commit/8c2db2c86baff110a1d905ed1e0dd4e1c4fd2dd1 (v12.x) +CVE-2021-44532 [Certificate Verification Bypass via String Injection] + RESERVED + - nodejs <unfixed> (bug #1004177) + [stretch] - nodejs <end-of-life> (Nodejs in stretch not covered by security support) + NOTE: https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/#certificate-verification-bypass-via-string-injection-medium-cve-2021-44532 + NOTE: https://github.com/nodejs/node/commit/19873abfb24dce75ffff042efe76dc5633052677 (v12.x) +CVE-2021-44531 [Improper handling of URI Subject Alternative Names] + RESERVED + - nodejs <unfixed> (bug #1004177) + [stretch] - nodejs <end-of-life> (Nodejs in stretch not covered by security support) + NOTE: https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/#improper-handling-of-uri-subject-alternative-names-medium-cve-2021-44531 + NOTE: https://github.com/nodejs/node/commit/e0fe6a635e5929a364986a6c39dc3585b9ddcd85 (v12.x) + NOTE: https://github.com/nodejs/node/commit/a5c7843cab6fdb9c845edadc2a7b9b30e02c8bf2 (v12.x) +CVE-2021-44530 (An injection vulnerability exists in a third-party library used in Uni ...) + NOT-FOR-US: UniFi Network +CVE-2021-44529 (A code injection vulnerability in the Ivanti EPM Cloud Services Applia ...) + NOT-FOR-US: Ivanti +CVE-2021-44528 (A open redirect vulnerability exists in Action Pack >= 6.0.0 that c ...) + - rails <unfixed> (bug #1001817) + [buster] - rails <not-affected> (Vulnerable code introduced later) + [stretch] - rails <not-affected> (Vulnerable code introduced later) + NOTE: https://www.openwall.com/lists/oss-security/2021/12/14/5 + NOTE: https://github.com/rails/rails/commit/0fccfb9a3097a9c4260c791f1a40b128517e7815 (master) + NOTE: https://github.com/rails/rails/commit/aecba3c301b80e9d5a63c30ea1b287bceaf2c107 (v6.1.4.2) + NOTE: https://github.com/rails/rails/commit/fd6a64fef1d0f7f40a8d4b046da882e83163299c (v6.0.4.2) + NOTE: Introduced by: https://github.com/rails/rails/commit/07ec8062e605ba4e9bd153e1d264b02ac4ab8a0f (v6.0.0.beta1) +CVE-2021-44527 (A vulnerability found in UniFi Switch firmware Version 5.43.35 and ear ...) + NOT-FOR-US: UniFi Switch firmware +CVE-2021-44526 (Zoho ManageEngine ServiceDesk Plus before 12003 allows authentication ...) + NOT-FOR-US: Zoho ManageEngine +CVE-2021-44525 (Zoho ManageEngine PAM360 before build 5303 allows attackers to modify ...) + NOT-FOR-US: Zoho ManageEngine +CVE-2021-44524 (A vulnerability has been identified in SiPass integrated V2.76 (All ve ...) + NOT-FOR-US: SiPass +CVE-2021-44523 (A vulnerability has been identified in SiPass integrated V2.76 (All ve ...) + NOT-FOR-US: SiPass +CVE-2021-44522 (A vulnerability has been identified in SiPass integrated V2.76 (All ve ...) + NOT-FOR-US: SiPass +CVE-2021-44477 + RESERVED +CVE-2021-4048 (An out-of-bounds read flaw was found in the CLARRV, DLARRV, SLARRV, an ...) + - lapack 3.10.0-2 (bug #1001902) + [bullseye] - lapack <no-dsa> (Minor issue) + [buster] - lapack <no-dsa> (Minor issue) + [stretch] - lapack <no-dsa> (Minor issue) + - openblas 0.3.18+ds-1 + [bullseye] - openblas <no-dsa> (Minor issue) + [buster] - openblas <no-dsa> (Minor issue) + [stretch] - openblas <no-dsa> (Minor issue) + NOTE: https://github.com/Reference-LAPACK/lapack/pull/625 + NOTE: https://github.com/Reference-LAPACK/lapack/commit/38f3eeee3108b18158409ca2a100e6fe03754781 + NOTE: https://github.com/JuliaLang/julia/issues/42415 + NOTE: OpenBLAS: https://github.com/xianyi/OpenBLAS/commit/337b65133df174796794871b3988cd03426e6d41 (v0.3.18) + NOTE: OpenBLAS: https://github.com/xianyi/OpenBLAS/commit/2be5ee3cca97a597f2ee2118808a2d5eacea050c (v0.3.18) + NOTE: OpenBLAS: https://github.com/xianyi/OpenBLAS/commit/fe497efa0510466fd93578aaf9da1ad8ed4edbe7 (v0.3.18) + NOTE: OpenBLAS: https://github.com/xianyi/OpenBLAS/commit/ddb0ff5353637bb5f5ad060c9620e334c143e3d7 (v0.3.18) +CVE-2021-4047 + RESERVED + NOT-FOR-US: Red Hat OpenShift 4.9 incomplete fix for CVE-2021-39242 +CVE-2021-23198 (mySCADA myPRO: Versions 8.20.0 and prior has a feature where the passw ...) + NOT-FOR-US: mySCADA myPRO +CVE-2021-44521 (When running Apache Cassandra with the following configuration: enable ...) + - cassandra <itp> (bug #585905) +CVE-2021-4046 (The m_txtNom y m_txtCognoms parameters in TCMAN GIM v8.01 allow an att ...) + NOT-FOR-US: TCMAN GIM +CVE-2021-4045 + RESERVED +CVE-2021-4044 (Internally libssl in OpenSSL calls X509_verify_cert() on the client si ...) + [experimental] - openssl 3.0.1-1 + - openssl <not-affected> (Vulnerable code not present) + NOTE: https://www.openssl.org/news/secadv/20211214.txt +CVE-2021-4043 (NULL Pointer Dereference in GitHub repository gpac/gpac prior to 1.1.0 ...) + - gpac <unfixed> + [bullseye] - gpac <no-dsa> (Minor issue) + [buster] - gpac <no-dsa> (Minor issue) + NOTE: https://huntr.dev/bounties/d7a534cb-df7a-48ba-8ce3-46b1551a9c47 + NOTE: https://github.com/gpac/gpac/issues/2092 + NOTE: https://github.com/gpac/gpac/commit/64a2e1b799352ac7d7aad1989bc06e7b0f2b01db +CVE-2021-4042 + RESERVED +CVE-2021-4041 [Improper shell escaping in ansible-runner] + RESERVED + - ansible-runner 2.1.1-1 + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2028074 + NOTE: https://github.com/ansible/ansible-runner/commit/3533f265f4349a3f2a0283158cd01b59a6bbc7bd (2.1.0) +CVE-2021-4040 + RESERVED + NOT-FOR-US: Red Hat AMQ Broker +CVE-2021-4039 + RESERVED +CVE-2021-44520 + RESERVED +CVE-2021-44519 + RESERVED +CVE-2021-44518 (An issue was discovered in the eGeeTouch 3rd Generation Travel Padlock ...) + NOT-FOR-US: eGeeTouch 3rd Generation Travel Padlock application for Android +CVE-2021-44517 + RESERVED +CVE-2021-44516 + RESERVED +CVE-2021-44515 (Zoho ManageEngine Desktop Central is vulnerable to authentication bypa ...) + NOT-FOR-US: ManageEngine +CVE-2021-44514 (OpUtils in Zoho ManageEngine OpManager 12.5 before 125490 mishandles a ...) + NOT-FOR-US: ManageEngine +CVE-2021-44513 (Insecure creation of temporary directories in tmate-ssh-server 2.3.0 a ...) + - tmate-ssh-server <unfixed> (bug #1001225) + [bullseye] - tmate-ssh-server <no-dsa> (Minor issue) + NOTE: Fixed by: https://github.com/tmate-io/tmate-ssh-server/commit/1c020d1f5ca462f5b150b46a027aaa1bbe3c9596 + NOTE: https://www.openwall.com/lists/oss-security/2021/12/06/2 + NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1189388 +CVE-2021-44512 (World-writable permissions on the /tmp/tmate/sessions directory in tma ...) + - tmate-ssh-server <unfixed> (bug #1001225) + [bullseye] - tmate-ssh-server <no-dsa> (Minor issue) + NOTE: Fixed by: https://github.com/tmate-io/tmate-ssh-server/commit/1c020d1f5ca462f5b150b46a027aaa1bbe3c9596 + NOTE: https://www.openwall.com/lists/oss-security/2021/12/06/2 + NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1189388 +CVE-2021-44511 + RESERVED +CVE-2021-44510 + RESERVED +CVE-2021-44509 + RESERVED +CVE-2021-44508 + RESERVED +CVE-2021-44507 + RESERVED +CVE-2021-44506 + RESERVED +CVE-2021-44505 + RESERVED +CVE-2021-44504 + RESERVED +CVE-2021-44503 + RESERVED +CVE-2021-44502 + RESERVED +CVE-2021-44501 + RESERVED +CVE-2021-44500 + RESERVED +CVE-2021-44499 + RESERVED +CVE-2021-44498 + RESERVED +CVE-2021-44497 + RESERVED +CVE-2021-44496 + RESERVED +CVE-2021-44495 + RESERVED +CVE-2021-44494 + RESERVED +CVE-2021-44493 + RESERVED +CVE-2021-44492 + RESERVED +CVE-2021-44491 + RESERVED +CVE-2021-44490 + RESERVED +CVE-2021-44489 + RESERVED +CVE-2021-44488 + RESERVED +CVE-2021-44487 + RESERVED +CVE-2021-44486 + RESERVED +CVE-2021-44485 + RESERVED +CVE-2021-44484 + RESERVED +CVE-2021-44483 + RESERVED +CVE-2021-44482 + RESERVED +CVE-2021-44481 + RESERVED +CVE-2021-44480 (Wokka Lokka Q50 devices through 2021-11-30 allow remote attackers (who ...) + NOT-FOR-US: Wokka Lokka Q50 devices +CVE-2021-44479 (NXP Kinetis K82 devices have a buffer over-read via a crafted wlength ...) + NOT-FOR-US: NXP Kinetis K82 devices +CVE-2021-44478 + RESERVED +CVE-2021-4038 (Cross Site Scripting (XSS) vulnerability in McAfee Network Security Ma ...) + NOT-FOR-US: McAfee +CVE-2021-44470 + RESERVED +CVE-2021-4037 [security regression for CVE-2018-13405] + RESERVED + - linux 5.14.6-1 + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2027239 + NOTE: https://git.kernel.org/linus/01ea173e103edd5ec41acec65b9261b87e123fc2 (5.12-rc1) +CVE-2021-4036 + RESERVED +CVE-2021-37409 + RESERVED +CVE-2021-37405 + RESERVED +CVE-2021-33847 + RESERVED +CVE-2021-26950 + RESERVED +CVE-2021-26258 + RESERVED +CVE-2021-26257 + RESERVED +CVE-2021-26251 + RESERVED +CVE-2021-23223 + RESERVED +CVE-2021-23179 + RESERVED +CVE-2021-44464 (Vigilant Software Suite (Mastermed Dashboard) version 2.0.1.3 contains ...) + NOT-FOR-US: Vigilant Software Suite (Mastermed Dashboard) +CVE-2021-44453 (mySCADA myPRO: Versions 8.20.0 and prior has a vulnerable debug interf ...) + NOT-FOR-US: mySCADA myPRO +CVE-2021-44451 (Apache Superset up to and including 1.3.2 allowed for registered datab ...) + NOT-FOR-US: Apache Superset +CVE-2021-44450 (A vulnerability has been identified in JT Utilities (All versions < ...) + NOT-FOR-US: Siemens +CVE-2021-44449 (A vulnerability has been identified in JT Utilities (All versions < ...) + NOT-FOR-US: Siemens +CVE-2021-44448 (A vulnerability has been identified in JT Utilities (All versions < ...) + NOT-FOR-US: Siemens +CVE-2021-44447 (A vulnerability has been identified in JT Utilities (All versions < ...) + NOT-FOR-US: Siemens +CVE-2021-44446 (A vulnerability has been identified in JT Utilities (All versions < ...) + NOT-FOR-US: Siemens +CVE-2021-44445 (A vulnerability has been identified in JT Utilities (All versions < ...) + NOT-FOR-US: Siemens +CVE-2021-44444 (A vulnerability has been identified in JT Utilities (All versions < ...) + NOT-FOR-US: Siemens +CVE-2021-44443 (A vulnerability has been identified in JT Utilities (All versions < ...) + NOT-FOR-US: Siemens +CVE-2021-44442 (A vulnerability has been identified in JT Utilities (All versions < ...) + NOT-FOR-US: Siemens +CVE-2021-44441 (A vulnerability has been identified in JT Utilities (All versions < ...) + NOT-FOR-US: Siemens +CVE-2021-44440 (A vulnerability has been identified in JT Utilities (All versions < ...) + NOT-FOR-US: Siemens +CVE-2021-44439 (A vulnerability has been identified in JT Utilities (All versions < ...) + NOT-FOR-US: Siemens +CVE-2021-44438 (A vulnerability has been identified in JT Utilities (All versions < ...) + NOT-FOR-US: Siemens +CVE-2021-44437 (A vulnerability has been identified in JT Utilities (All versions < ...) + NOT-FOR-US: Siemens +CVE-2021-44436 (A vulnerability has been identified in JT Utilities (All versions < ...) + NOT-FOR-US: Siemens +CVE-2021-44435 (A vulnerability has been identified in JT Utilities (All versions < ...) + NOT-FOR-US: Siemens +CVE-2021-44434 (A vulnerability has been identified in JT Utilities (All versions < ...) + NOT-FOR-US: Siemens +CVE-2021-44433 (A vulnerability has been identified in JT Utilities (All versions < ...) + NOT-FOR-US: Siemens +CVE-2021-44432 (A vulnerability has been identified in JT Utilities (All versions < ...) + NOT-FOR-US: Siemens +CVE-2021-44431 (A vulnerability has been identified in JT Utilities (All versions < ...) + NOT-FOR-US: Siemens +CVE-2021-44430 (A vulnerability has been identified in JT Utilities (All versions < ...) + NOT-FOR-US: Siemens +CVE-2021-43355 (Fresenius Kabi Vigilant Software Suite (Mastermed Dashboard) version 2 ...) + NOT-FOR-US: Fresenius Kabi Vigilant Software Suite (Mastermed Dashboard) +CVE-2021-41835 (Fresenius Kabi Agilia Link + version 3.0 does not enforce transport la ...) + NOT-FOR-US: Fresenius Kabi Agilia Link +CVE-2021-4035 (A stored cross site scripting have been identified at the comments in ...) + NOT-FOR-US: Wocu Monitoring +CVE-2021-33848 (Fresenius Kabi Vigilant Software Suite (Mastermed Dashboard) version 2 ...) + NOT-FOR-US: Fresenius Kabi Vigilant Software Suite (Mastermed Dashboard) +CVE-2021-33846 (Fresenius Kabi Vigilant Software Suite (Mastermed Dashboard) version 2 ...) + NOT-FOR-US: Fresenius Kabi Vigilant Software Suite (Mastermed Dashboard) +CVE-2021-33843 (Fresenius Kabi Agilia SP MC WiFi vD25 and prior has a default configur ...) + NOT-FOR-US: Fresenius Kabi Agilia Link +CVE-2021-31562 (The SSL/TLS configuration of Fresenius Kabi Agilia Link + version 3.0 ...) + NOT-FOR-US: Fresenius Kabi Agilia Link +CVE-2021-23236 (Requests may be used to interrupt the normal operation of the device. ...) + NOT-FOR-US: Fresenius Kabi Agilia Link+ +CVE-2021-23233 (Sensitive endpoints in Fresenius Kabi Agilia Link+ v3.0 and prior can ...) + NOT-FOR-US: Fresenius Kabi Agilia Link +CVE-2021-23207 (An attacker with physical access to the host can extract the secrets f ...) + NOT-FOR-US: Fresenius Kabi Vigilant MasterMed +CVE-2021-23196 (The web application on Agilia Link+ version 3.0 implements authenticat ...) + NOT-FOR-US: Agilia Link+ +CVE-2021-23195 (Fresenius Kabi Vigilant Software Suite (Mastermed Dashboard) version 2 ...) + NOT-FOR-US: Fresenius Kabi Vigilant Software Suite (Mastermed Dashboard) +CVE-2021-44429 (Serva 4.4.0 allows remote attackers to cause a denial of service (daem ...) + NOT-FOR-US: Serva +CVE-2021-44428 (Pinkie 2.15 allows remote attackers to cause a denial of service (daem ...) + NOT-FOR-US: Pinkie +CVE-2021-44427 (An unauthenticated SQL Injection vulnerability in Rosario Student Info ...) + NOT-FOR-US: Rosario Student Information System +CVE-2021-44426 + RESERVED +CVE-2021-44425 + RESERVED +CVE-2021-44424 + RESERVED +CVE-2021-44423 (An out-of-bounds read vulnerability exists when reading a BMP file usi ...) + NOT-FOR-US: Open Design Alliance (ODA) Drawings Explorer +CVE-2021-44422 (An Improper Input Validation Vulnerability exists when reading a BMP f ...) + NOT-FOR-US: Open Design Alliance Drawings SDK +CVE-2021-44421 + RESERVED +CVE-2021-44420 (In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, ...) + - python-django 2:3.2.10-1 + [bullseye] - python-django 2:2.2.25-1~deb11u1 + [buster] - python-django <no-dsa> (Minor issue) + [stretch] - python-django <not-affected> (Vulnerable code not present; path converters added later) + NOTE: https://www.openwall.com/lists/oss-security/2021/12/07/1 + NOTE: https://www.djangoproject.com/weblog/2021/dec/07/security-releases/ + NOTE: https://github.com/django/django/commit/333c65603032c377e682cdbd7388657a5463a05a (3.2.10) + NOTE: https://github.com/django/django/commit/7cf7d74e8a754446eeb85cacf2fef1247e0cb6d7 (2.2.25) +CVE-2021-44419 (A denial of service vulnerability exists in the cgiserver.cgi JSON com ...) + NOT-FOR-US: Reolink +CVE-2021-44418 (A denial of service vulnerability exists in the cgiserver.cgi JSON com ...) + NOT-FOR-US: Reolink +CVE-2021-44417 (A denial of service vulnerability exists in the cgiserver.cgi JSON com ...) + NOT-FOR-US: Reolink +CVE-2021-44416 (A denial of service vulnerability exists in the cgiserver.cgi JSON com ...) + NOT-FOR-US: Reolink +CVE-2021-44415 (A denial of service vulnerability exists in the cgiserver.cgi JSON com ...) + NOT-FOR-US: Reolink +CVE-2021-44414 (A denial of service vulnerability exists in the cgiserver.cgi JSON com ...) + NOT-FOR-US: Reolink +CVE-2021-44413 (A denial of service vulnerability exists in the cgiserver.cgi JSON com ...) + NOT-FOR-US: Reolink +CVE-2021-44412 (A denial of service vulnerability exists in the cgiserver.cgi JSON com ...) + NOT-FOR-US: Reolink +CVE-2021-44411 (A denial of service vulnerability exists in the cgiserver.cgi JSON com ...) + NOT-FOR-US: Reolink +CVE-2021-44410 (A denial of service vulnerability exists in the cgiserver.cgi JSON com ...) + NOT-FOR-US: Reolink +CVE-2021-44409 (A denial of service vulnerability exists in the cgiserver.cgi JSON com ...) + NOT-FOR-US: Reolink +CVE-2021-44408 (A denial of service vulnerability exists in the cgiserver.cgi JSON com ...) + NOT-FOR-US: Reolink +CVE-2021-44407 (A denial of service vulnerability exists in the cgiserver.cgi JSON com ...) + NOT-FOR-US: Reolink +CVE-2021-44406 (A denial of service vulnerability exists in the cgiserver.cgi JSON com ...) + NOT-FOR-US: Reolink +CVE-2021-44405 (A denial of service vulnerability exists in the cgiserver.cgi JSON com ...) + NOT-FOR-US: Reolink +CVE-2021-44404 (A denial of service vulnerability exists in the cgiserver.cgi JSON com ...) + NOT-FOR-US: Reolink +CVE-2021-44403 (A denial of service vulnerability exists in the cgiserver.cgi JSON com ...) + NOT-FOR-US: Reolink +CVE-2021-44402 (A denial of service vulnerability exists in the cgiserver.cgi JSON com ...) + NOT-FOR-US: Reolink +CVE-2021-44401 (A denial of service vulnerability exists in the cgiserver.cgi JSON com ...) + NOT-FOR-US: Reolink +CVE-2021-44400 (A denial of service vulnerability exists in the cgiserver.cgi JSON com ...) + NOT-FOR-US: Reolink +CVE-2021-44399 (A denial of service vulnerability exists in the cgiserver.cgi JSON com ...) + NOT-FOR-US: Reolink +CVE-2021-44398 (A denial of service vulnerability exists in the cgiserver.cgi JSON com ...) + NOT-FOR-US: Reolink +CVE-2021-44397 (A denial of service vulnerability exists in the cgiserver.cgi JSON com ...) + NOT-FOR-US: Reolink +CVE-2021-44396 (A denial of service vulnerability exists in the cgiserver.cgi JSON com ...) + NOT-FOR-US: Reolink +CVE-2021-44395 (A denial of service vulnerability exists in the cgiserver.cgi JSON com ...) + NOT-FOR-US: Reolink +CVE-2021-44394 + RESERVED +CVE-2021-44393 (A denial of service vulnerability exists in the cgiserver.cgi JSON com ...) + NOT-FOR-US: Reolink +CVE-2021-44392 (A denial of service vulnerability exists in the cgiserver.cgi JSON com ...) + NOT-FOR-US: Reolink +CVE-2021-44391 (A denial of service vulnerability exists in the cgiserver.cgi JSON com ...) + NOT-FOR-US: Reolink +CVE-2021-44390 (A denial of service vulnerability exists in the cgiserver.cgi JSON com ...) + NOT-FOR-US: Reolink +CVE-2021-44389 (A denial of service vulnerability exists in the cgiserver.cgi JSON com ...) + NOT-FOR-US: Reolink +CVE-2021-44388 (A denial of service vulnerability exists in the cgiserver.cgi JSON com ...) + NOT-FOR-US: Reolink +CVE-2021-44387 (A denial of service vulnerability exists in the cgiserver.cgi JSON com ...) + NOT-FOR-US: Reolink +CVE-2021-44386 (A denial of service vulnerability exists in the cgiserver.cgi JSON com ...) + NOT-FOR-US: Reolink +CVE-2021-44385 (A denial of service vulnerability exists in the cgiserver.cgi JSON com ...) + NOT-FOR-US: Reolink +CVE-2021-44384 (A denial of service vulnerability exists in the cgiserver.cgi JSON com ...) + NOT-FOR-US: Reolink +CVE-2021-44383 (A denial of service vulnerability exists in the cgiserver.cgi JSON com ...) + NOT-FOR-US: Reolink +CVE-2021-44382 (A denial of service vulnerability exists in the cgiserver.cgi JSON com ...) + NOT-FOR-US: Reolink +CVE-2021-44381 (A denial of service vulnerability exists in the cgiserver.cgi JSON com ...) + NOT-FOR-US: Reolink +CVE-2021-44380 (A denial of service vulnerability exists in the cgiserver.cgi JSON com ...) + NOT-FOR-US: Reolink +CVE-2021-44379 (A denial of service vulnerability exists in the cgiserver.cgi JSON com ...) + NOT-FOR-US: Reolink +CVE-2021-44378 (A denial of service vulnerability exists in the cgiserver.cgi JSON com ...) + NOT-FOR-US: Reolink +CVE-2021-44377 (A denial of service vulnerability exists in the cgiserver.cgi JSON com ...) + NOT-FOR-US: Reolink +CVE-2021-44376 (A denial of service vulnerability exists in the cgiserver.cgi JSON com ...) + NOT-FOR-US: Reolink +CVE-2021-44375 + RESERVED +CVE-2021-44374 (A denial of service vulnerability exists in the cgiserver.cgi JSON com ...) + NOT-FOR-US: Reolink +CVE-2021-44373 (A denial of service vulnerability exists in the cgiserver.cgi JSON com ...) + NOT-FOR-US: Reolink +CVE-2021-44372 (A denial of service vulnerability exists in the cgiserver.cgi JSON com ...) + NOT-FOR-US: Reolink +CVE-2021-44371 (A denial of service vulnerability exists in the cgiserver.cgi JSON com ...) + NOT-FOR-US: Reolink +CVE-2021-44370 (A denial of service vulnerability exists in the cgiserver.cgi JSON com ...) + NOT-FOR-US: Reolink +CVE-2021-44369 (A denial of service vulnerability exists in the cgiserver.cgi JSON com ...) + NOT-FOR-US: Reolink +CVE-2021-44368 (A denial of service vulnerability exists in the cgiserver.cgi JSON com ...) + NOT-FOR-US: Reolink +CVE-2021-44367 (A denial of service vulnerability exists in the cgiserver.cgi JSON com ...) + NOT-FOR-US: Reolink +CVE-2021-44366 + RESERVED +CVE-2021-44365 (A denial of service vulnerability exists in the cgiserver.cgi JSON com ...) + NOT-FOR-US: Reolink +CVE-2021-44364 (A denial of service vulnerability exists in the cgiserver.cgi JSON com ...) + NOT-FOR-US: Reolink +CVE-2021-44363 (A denial of service vulnerability exists in the cgiserver.cgi JSON com ...) + NOT-FOR-US: Reolink +CVE-2021-44362 (A denial of service vulnerability exists in the cgiserver.cgi JSON com ...) + NOT-FOR-US: Reolink +CVE-2021-44361 (A denial of service vulnerability exists in the cgiserver.cgi JSON com ...) + NOT-FOR-US: Reolink +CVE-2021-44360 (A denial of service vulnerability exists in the cgiserver.cgi JSON com ...) + NOT-FOR-US: Reolink +CVE-2021-44359 (A denial of service vulnerability exists in the cgiserver.cgi JSON com ...) + NOT-FOR-US: Reolink +CVE-2021-44358 (A denial of service vulnerability exists in the cgiserver.cgi JSON com ...) + NOT-FOR-US: Reolink +CVE-2021-44357 + RESERVED +CVE-2021-44356 + RESERVED +CVE-2021-44355 + RESERVED +CVE-2021-44354 + RESERVED +CVE-2021-4034 (A local privilege escalation vulnerability was found on polkit's pkexe ...) + {DSA-5059-1 DLA-2899-1} + - policykit-1 0.105-31.1 + NOTE: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt + NOTE: https://gitlab.freedesktop.org/polkit/polkit/-/commit/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683 + NOTE: https://www.openwall.com/lists/oss-security/2022/01/25/11 +CVE-2021-4033 (kimai2 is vulnerable to Cross-Site Request Forgery (CSRF) ...) + NOT-FOR-US: kimai2 +CVE-2021-44353 + RESERVED +CVE-2021-44352 (A Stack-based Buffer Overflow vulnerability exists in the Tenda AC15 V ...) + NOT-FOR-US: Tenda +CVE-2021-44351 (An arbitrary file read vulnerability exists in NavigateCMS 2.9 via /na ...) + NOT-FOR-US: NavigateCMS +CVE-2021-44350 (SQL Injection vulnerability exists in ThinkPHP5 5.0.x <=5.1.22 via ...) + NOT-FOR-US: ThinkPHP5 +CVE-2021-44349 (SQL Injection vulnerability exists in TuziCMS v2.0.6 via the id parame ...) + NOT-FOR-US: TuziCMS +CVE-2021-44348 (SQL Injection vulnerability exists in TuziCMS v2.0.6 via the id parame ...) + NOT-FOR-US: TuziCMS +CVE-2021-44347 (SQL Injection vulnerability exists in TuziCMS v2.0.6 in App\Manage\Con ...) + NOT-FOR-US: TuziCMS +CVE-2021-44346 + RESERVED +CVE-2021-44345 + RESERVED +CVE-2021-44344 + RESERVED +CVE-2021-44343 + RESERVED +CVE-2021-44342 + RESERVED +CVE-2021-44341 + RESERVED +CVE-2021-44340 + RESERVED +CVE-2021-44339 + RESERVED +CVE-2021-44338 + RESERVED +CVE-2021-44337 + RESERVED +CVE-2021-44336 + RESERVED +CVE-2021-44335 + RESERVED +CVE-2021-44334 + RESERVED +CVE-2021-44333 + RESERVED +CVE-2021-44332 + RESERVED +CVE-2021-44331 + RESERVED +CVE-2021-44330 + RESERVED +CVE-2021-44329 + RESERVED +CVE-2021-44328 + RESERVED +CVE-2021-44327 + RESERVED +CVE-2021-44326 + RESERVED +CVE-2021-44325 + RESERVED +CVE-2021-44324 + RESERVED +CVE-2021-44323 + RESERVED +CVE-2021-44322 + RESERVED +CVE-2021-44321 + RESERVED +CVE-2021-44320 + RESERVED +CVE-2021-44319 + RESERVED +CVE-2021-44318 + RESERVED +CVE-2021-44317 (In Bus Pass Management System v1.0, parameters 'pagedes' and `About Us ...) + NOT-FOR-US: Bus Pass Management System +CVE-2021-44316 + RESERVED +CVE-2021-44315 (In Bus Pass Management System v1.0, Directory Listing/Browsing is enab ...) + NOT-FOR-US: Bus Pass Management System +CVE-2021-44314 + RESERVED +CVE-2021-44313 + RESERVED +CVE-2021-44312 + RESERVED +CVE-2021-44311 + RESERVED +CVE-2021-44310 + RESERVED +CVE-2021-44309 + RESERVED +CVE-2021-44308 + RESERVED +CVE-2021-44307 + RESERVED +CVE-2021-44306 + RESERVED +CVE-2021-44305 + RESERVED +CVE-2021-44304 + RESERVED +CVE-2021-44303 + RESERVED +CVE-2021-44302 (BaiCloud-cms v2.5.7 was discovered to contain multiple SQL injection v ...) + NOT-FOR-US: BaiCloud-cms +CVE-2021-44301 + RESERVED +CVE-2021-44300 + RESERVED +CVE-2021-44299 (A reflected cross-site scripting (XSS) vulnerability in \lib\packages\ ...) + NOT-FOR-US: Navigate CMS +CVE-2021-44298 + RESERVED +CVE-2021-44297 + RESERVED +CVE-2021-44296 + RESERVED +CVE-2021-44295 + RESERVED +CVE-2021-44294 + RESERVED +CVE-2021-44293 + RESERVED +CVE-2021-44292 + RESERVED +CVE-2021-44291 + RESERVED +CVE-2021-44290 + RESERVED +CVE-2021-44289 + RESERVED +CVE-2021-44288 + RESERVED +CVE-2021-44287 + RESERVED +CVE-2021-44286 + RESERVED +CVE-2021-44285 + RESERVED +CVE-2021-44284 + RESERVED +CVE-2021-44283 + RESERVED +CVE-2021-44282 + RESERVED +CVE-2021-44281 + RESERVED +CVE-2021-44280 (attendance management system 1.0 is affected by a SQL injection vulner ...) + NOT-FOR-US: attendance management system +CVE-2021-44279 (Librenms 21.11.0 is affected by a Cross Site Scripting (XSS) vulnerabi ...) + NOT-FOR-US: LibreNMS +CVE-2021-44278 (Librenms 21.11.0 is affected by a path manipulation vulnerability in i ...) + NOT-FOR-US: LibreNMS +CVE-2021-44277 (Librenms 21.11.0 is affected by a Cross Site Scripting (XSS) vulnerabi ...) + NOT-FOR-US: LibreNMS +CVE-2021-44276 + RESERVED +CVE-2021-44275 + RESERVED +CVE-2021-44274 + RESERVED +CVE-2021-44273 (e2guardian v5.4.x <= v5.4.3r is affected by missing SSL certificate ...) + - e2guardian 5.3.5-3 (bug #1003125) + [bullseye] - e2guardian <no-dsa> (Minor issue) + [buster] - e2guardian <no-dsa> (Minor issue) + [stretch] - e2guardian <no-dsa> (Minor issue; can be fixed later) + NOTE: https://www.openwall.com/lists/oss-security/2021/12/23/2 + NOTE: https://github.com/e2guardian/e2guardian/issues/707 + NOTE: Fixed by: https://github.com/e2guardian/e2guardian/commit/eae46a7e2a57103aadca903c4a24cca94dc502a2 +CVE-2021-44272 + RESERVED +CVE-2021-44271 + RESERVED +CVE-2021-44270 + RESERVED +CVE-2021-44269 + RESERVED +CVE-2021-44268 + RESERVED +CVE-2021-44267 + RESERVED +CVE-2021-44266 + RESERVED +CVE-2021-44265 + RESERVED +CVE-2021-44264 + RESERVED +CVE-2021-44263 (Gurock TestRail before 7.2.4 mishandles HTML escaping. ...) + NOT-FOR-US: Gurock TestRail +CVE-2021-44262 + RESERVED +CVE-2021-44261 + RESERVED +CVE-2021-44260 + RESERVED +CVE-2021-44259 + RESERVED +CVE-2021-44258 + RESERVED +CVE-2021-44257 + RESERVED +CVE-2021-44256 + RESERVED +CVE-2021-44255 (Authenticated remote code execution in MotionEye <= 0.42.1 and Moti ...) + NOT-FOR-US: MotionEye +CVE-2021-44254 + RESERVED +CVE-2021-44253 + RESERVED +CVE-2021-44252 + RESERVED +CVE-2021-44251 + RESERVED +CVE-2021-44250 + RESERVED +CVE-2021-44249 (Online Motorcycle (Bike) Rental System 1.0 is vulnerable to a Blind Ti ...) + NOT-FOR-US: Online Motorcycle (Bike) Rental System +CVE-2021-44248 + RESERVED +CVE-2021-44247 (Totolink devices A3100R v4.1.2cu.5050_B20200504, A830R v5.9c.4729_B201 ...) + NOT-FOR-US: Totolink +CVE-2021-44246 (Totolink devices A3100R v4.1.2cu.5050_B20200504, A830R v5.9c.4729_B201 ...) + NOT-FOR-US: Totolink +CVE-2021-44245 (An SQL Injection vulnerability exists in Courcecodester COVID 19 Testi ...) + NOT-FOR-US: Sourcecodester COVID 19 Testing Management System (CTMS) +CVE-2021-44244 (An SQL Injection vulnerabiity exists in Sourcecodester Logistic Hub Pa ...) + NOT-FOR-US: Sourcecodester Logistic Hub Parcel's Management System +CVE-2021-44243 + RESERVED +CVE-2021-44242 + RESERVED +CVE-2021-44241 + RESERVED +CVE-2021-44240 + RESERVED +CVE-2021-44239 + RESERVED +CVE-2021-44238 + RESERVED +CVE-2021-44237 + RESERVED +CVE-2021-44236 + RESERVED +CVE-2021-4032 (A vulnerability was found in the Linux kernel's KVM subsystem in arch/ ...) + - linux <not-affected> (Vulnerable code introduced in 5.15-rc1; fixed in 5.15-rc7) + NOTE: https://git.kernel.org/linus/f7d8a19f9a056a05c5c509fa65af472a322abfee (5.15-rc7) +CVE-2021-4031 + RESERVED +CVE-2021-4030 + RESERVED +CVE-2021-4029 + RESERVED +CVE-2021-4028 [use-after-free in RDMA listen()] + RESERVED + - linux 5.14.12-1 + [bullseye] - linux 5.10.84-1 + [buster] - linux <not-affected> (Vulnerable code not present) + [stretch] - linux <not-affected> (Vulnerable code not present) + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2027201 + NOTE: https://git.kernel.org/linus/bc0bdc5afaa740d782fbf936aaeebd65e5c2921d (5.15-rc4) +CVE-2021-4027 + RESERVED +CVE-2021-4026 (bookstack is vulnerable to Improper Access Control ...) + NOT-FOR-US: bookstack +CVE-2021-4025 + RESERVED +CVE-2021-44235 (Two methods of a utility class in SAP NetWeaver AS ABAP - versions 700 ...) + NOT-FOR-US: SAP +CVE-2021-44234 (SAP Business One - version 10.0, extended log stores information that ...) + NOT-FOR-US: SAP +CVE-2021-44233 (SAP GRC Access Control - versions V1100_700, V1100_731, V1200_750, doe ...) + NOT-FOR-US: SAP +CVE-2021-44232 (SAF-T Framework Transaction SAFTN_G allows an attacker to exploit insu ...) + NOT-FOR-US: SAP +CVE-2021-44231 (Internally used text extraction reports allow an attacker to inject co ...) + NOT-FOR-US: SAP +CVE-2021-44230 (PortSwigger Burp Suite Enterprise Edition before 2021.11 on Windows ha ...) + NOT-FOR-US: Burp Suite (different from src:burp) +CVE-2021-44229 + RESERVED +CVE-2021-44228 (Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2. ...) + {DSA-5020-1 DLA-2842-1} + - apache-log4j2 2.15.0-1 (bug #1001478) + - apache-log4j1.2 <not-affected> (Vulnerable code not present) + NOTE: https://github.com/advisories/GHSA-jfh8-c2jp-5v3q + NOTE: https://github.com/apache/logging-log4j2/pull/608 + NOTE: https://www.lunasec.io/docs/blog/log4j-zero-day/ + NOTE: https://issues.apache.org/jira/browse/LOG4J2-3198 + NOTE: https://github.com/apache/logging-log4j2/commit/c77b3cb39312b83b053d23a2158b99ac7de44dd3 + NOTE: The lookup is performed *after* formatting the message, which includes the user input. Hence + NOTE: the vulnerability can still be triggered using a ParametrizedMessage. +CVE-2021-4024 (A flaw was found in podman. The `podman machine` function (used to cre ...) + - libpod 3.4.3+ds1-1 (bug #1000844) + [bullseye] - libpod <not-affected> (Vulnerable code introduced later) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2026675 NOTE: https://twitter.com/discordianfish/status/1463462371675066371 -CVE-2021-44227 - RESERVED + NOTE: https://github.com/containers/podman/pull/12283 + NOTE: Introduced by: https://github.com/containers/podman/commit/7ef3981abe2412727840a2886489a08c03a05299 (v3.3.0-rc1) + NOTE: Fixed by: https://github.com/containers/podman/commit/295d87bb0b028e57dc2739791dee4820fe5fcc48 (main) + NOTE: Fixed by: https://github.com/containers/podman/commit/57c5e2246efeaf2fef820a482241f1cc43960c7a (v3.4.3) +CVE-2021-44227 (In GNU Mailman before 2.1.38, a list member or moderator can get a CSR ...) + - mailman <removed> + [buster] - mailman <no-dsa> (Minor issue) + [stretch] - mailman <no-dsa> (Minor issue; can be fixed with the next DLA) + NOTE: https://bugs.launchpad.net/mailman/+bug/1952384 + NOTE: Patch: https://launchpadlibrarian.net/570827498/patch.txt + NOTE: Regression: https://bugs.launchpad.net/mailman/+bug/1954694 + NOTE: Regression fixed by: https://launchpadlibrarian.net/573872803/patch.txt CVE-2021-44226 RESERVED CVE-2021-4023 @@ -35,13 +6580,17 @@ CVE-2021-4022 RESERVED CVE-2021-44225 (In Keepalived through 2.2.4, the D-Bus policy does not sufficiently re ...) - keepalived 1:2.2.4-0.2 - [bullseye] - keepalived <no-dsa> (Minor issue) + [bullseye] - keepalived 1:2.1.5-0.2+deb11u1 [buster] - keepalived <no-dsa> (Minor issue) [stretch] - keepalived <no-dsa> (Minor issue) NOTE: https://github.com/acassen/keepalived/pull/2063 NOTE: https://github.com/acassen/keepalived/commit/7977fec0be89ae6fe87405b3f8da2f0b5e415e3d -CVE-2021-44224 - RESERVED +CVE-2021-44224 (A crafted URI sent to httpd configured as a forward proxy (ProxyReques ...) + {DSA-5035-1 DLA-2907-1} + - apache2 2.4.52-1 + NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-44224 + NOTE: Fixed by: https://svn.apache.org/r1895955 + NOTE: Fixed by: https://svn.apache.org/r1896044 CVE-2021-44223 (WordPress before 5.8 lacks support for the Update URI plugin header. T ...) - wordpress 5.8.1+dfsg1-1 [bullseye] - wordpress <no-dsa> (Minor issue; workarounds/mitigation for older versions can be implemented) @@ -57,21 +6606,27 @@ CVE-2021-44221 RESERVED CVE-2021-4021 RESERVED + - radare2 <unfixed> + NOTE: https://github.com/radareorg/radare2/issues/19436 CVE-2021-4020 (janus-gateway is vulnerable to Improper Neutralization of Input During ...) - - janus <unfixed> + - janus 0.11.5-4 (unimportant; bug #1000831) NOTE: https://huntr.dev/bounties/9814baa8-7bdd-4e31-a132-d9d15653409e/ - NOTE: https://github.com/meetecho/janus-gateway/commit/d3fc00ec803d6c41d8f98908732f44e7f4911a1c - TODO: check, possibly to be marked unimportant -CVE-2021-4019 - RESERVED + NOTE: https://github.com/meetecho/janus-gateway/commit/ba166e9adebfe5343f826c6a9e02299d35414ffd + NOTE: Issues only in janus-demos built from src:janus +CVE-2021-4019 (vim is vulnerable to Heap-based Buffer Overflow ...) + - vim 2:8.2.3995-1 + [bullseye] - vim <no-dsa> (Minor issue) + [buster] - vim <no-dsa> (Minor issue) + NOTE: https://huntr.dev/bounties/d8798584-a6c9-4619-b18f-001b9a6fca92 + NOTE: https://github.com/vim/vim/commit/bd228fd097b41a798f90944b5d1245eddd484142 (v8.2.3669) CVE-2021-44220 RESERVED CVE-2021-44219 (Gin-Vue-Admin before 2.4.6 mishandles a SQL database. ...) NOT-FOR-US: Gin-Vue-Admin CVE-2021-44218 RESERVED -CVE-2021-44217 - RESERVED +CVE-2021-44217 (In Ericsson CodeChecker through 6.18.0, a Stored Cross-site scripting ...) + NOT-FOR-US: Ericsson CVE-2021-44216 RESERVED CVE-2021-44215 @@ -90,38 +6645,38 @@ CVE-2021-44209 RESERVED CVE-2021-44208 RESERVED -CVE-2021-44207 - RESERVED -CVE-2021-4018 - RESERVED -CVE-2021-4017 - RESERVED -CVE-2021-44206 - RESERVED -CVE-2021-44205 - RESERVED -CVE-2021-44204 - RESERVED -CVE-2021-44203 - RESERVED -CVE-2021-44202 - RESERVED -CVE-2021-44201 - RESERVED -CVE-2021-44200 - RESERVED -CVE-2021-44199 - RESERVED -CVE-2021-44198 - RESERVED +CVE-2021-44207 (Acclaim USAHERDS through 7.4.0.1 uses hard-coded credentials. ...) + NOT-FOR-US: Acclaim USAHERDS +CVE-2021-4018 (snipe-it is vulnerable to Improper Neutralization of Input During Web ...) + NOT-FOR-US: snipe-it +CVE-2021-4017 (showdoc is vulnerable to Cross-Site Request Forgery (CSRF) ...) + NOT-FOR-US: ShowDoc +CVE-2021-44206 (Local privilege escalation due to DLL hijacking vulnerability in Acron ...) + NOT-FOR-US: Acronis +CVE-2021-44205 (Local privilege escalation due to DLL hijacking vulnerability. The fol ...) + NOT-FOR-US: Acronis +CVE-2021-44204 (Local privilege escalation via named pipe due to improper access contr ...) + NOT-FOR-US: Acronis +CVE-2021-44203 (Stored cross-site scripting (XSS) was possible in protection plan deta ...) + NOT-FOR-US: Acronis +CVE-2021-44202 (Stored cross-site scripting (XSS) was possible in activity details. Th ...) + NOT-FOR-US: Acronis +CVE-2021-44201 (Cross-site scripting (XSS) was possible in notification pop-ups. The f ...) + NOT-FOR-US: Acronis +CVE-2021-44200 (Self cross-site scripting (XSS) was possible on devices page. The foll ...) + NOT-FOR-US: Acronis +CVE-2021-44199 (DLL hijacking could lead to denial of service. The following products ...) + NOT-FOR-US: Acronis +CVE-2021-44198 (DLL hijacking could lead to local privilege escalation. The following ...) + NOT-FOR-US: Acronis CVE-2021-44197 RESERVED CVE-2021-44196 RESERVED -CVE-2021-4016 - RESERVED -CVE-2021-4015 - RESERVED +CVE-2021-4016 (Rapid7 Insight Agent, versions prior to 3.1.3, suffer from an improper ...) + NOT-FOR-US: Rapid7 Insight Agent +CVE-2021-4015 (firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF) ...) + NOT-FOR-US: firefly-iii CVE-2021-4014 RESERVED CVE-2021-4013 @@ -144,30 +6699,30 @@ CVE-2021-44189 RESERVED CVE-2021-44188 RESERVED -CVE-2021-44187 - RESERVED -CVE-2021-44186 - RESERVED -CVE-2021-44185 - RESERVED +CVE-2021-44187 (Adobe Bridge version 11.1.2 (and earlier) and version 12.0 (and earlie ...) + NOT-FOR-US: Adobe +CVE-2021-44186 (Adobe Bridge version 11.1.2 (and earlier) and version 12.0 (and earlie ...) + NOT-FOR-US: Adobe +CVE-2021-44185 (Adobe Bridge version 11.1.2 (and earlier) and version 12.0 (and earlie ...) + NOT-FOR-US: Adobe CVE-2021-44184 RESERVED -CVE-2021-44183 - RESERVED -CVE-2021-44182 - RESERVED -CVE-2021-44181 - RESERVED -CVE-2021-44180 - RESERVED -CVE-2021-44179 - RESERVED -CVE-2021-44178 - RESERVED -CVE-2021-44177 - RESERVED -CVE-2021-44176 - RESERVED +CVE-2021-44183 (Adobe Dimension versions 3.4.3 (and earlier) are affected by an out-of ...) + NOT-FOR-US: Adobe +CVE-2021-44182 (Adobe Dimension versions 3.4.3 (and earlier) are affected by an out-of ...) + NOT-FOR-US: Adobe +CVE-2021-44181 (Adobe Dimension versions 3.4.3 (and earlier) are affected by an out-of ...) + NOT-FOR-US: Adobe +CVE-2021-44180 (Adobe Dimension versions 3.4.3 (and earlier) are affected by an out-of ...) + NOT-FOR-US: Adobe +CVE-2021-44179 (Adobe Dimension versions 3.4.3 (and earlier) is affected by a memory c ...) + NOT-FOR-US: Adobe +CVE-2021-44178 (AEM's Cloud Service offering, as well as version 6.5.10.0 (and below) ...) + NOT-FOR-US: Adobe +CVE-2021-44177 (AEM's Cloud Service offering, as well as version 6.5.10.0 (and below) ...) + NOT-FOR-US: Adobe +CVE-2021-44176 (AEM's Cloud Service offering, as well as version 6.5.10.0 (and below) ...) + NOT-FOR-US: Adobe CVE-2021-44175 RESERVED CVE-2021-44174 @@ -182,68 +6737,85 @@ CVE-2021-44170 RESERVED CVE-2021-44169 RESERVED -CVE-2021-44168 - RESERVED +CVE-2021-44168 (A download of code without integrity check vulnerability in the "execu ...) + NOT-FOR-US: FortiGuard CVE-2021-44167 RESERVED CVE-2021-44166 RESERVED -CVE-2021-44165 - RESERVED -CVE-2021-44164 - RESERVED -CVE-2021-44163 - RESERVED -CVE-2021-44162 - RESERVED -CVE-2021-44161 - RESERVED -CVE-2021-44160 - RESERVED -CVE-2021-44159 - RESERVED -CVE-2021-44158 - RESERVED -CVE-2021-4011 - RESERVED -CVE-2021-4010 - RESERVED -CVE-2021-4009 - RESERVED -CVE-2021-4008 - RESERVED -CVE-2021-4007 - RESERVED +CVE-2021-44165 (A vulnerability has been identified in POWER METER SICAM Q100 (All ver ...) + NOT-FOR-US: Siemens +CVE-2021-44164 (Chain Sea ai chatbot system’s file upload function has insuffici ...) + NOT-FOR-US: Chain Sea +CVE-2021-44163 (Chain Sea ai chatbot backend has improper filtering of special charact ...) + NOT-FOR-US: Chain Sea +CVE-2021-44162 (Chain Sea ai chatbot system’s specific file download function ha ...) + NOT-FOR-US: Chain Sea +CVE-2021-44161 (Changing MOTP (Mobile One Time Password) system’s specific funct ...) + NOT-FOR-US: MOTP (Mobile One Time Password) system& +CVE-2021-44160 (Carinal Tien Hospital Health Report System’s login page has impr ...) + NOT-FOR-US: Carinal Tien Hospital Health Report System& +CVE-2021-44159 (4MOSAn GCB Doctor’s file upload function has improper user privi ...) + NOT-FOR-US: 4MOSAn GCB Doctor +CVE-2021-44158 (ASUS RT-AX56U Wi-Fi Router is vulnerable to stack-based buffer overflo ...) + NOT-FOR-US: ASUS +CVE-2021-4011 (A flaw was found in xorg-x11-server in versions before 21.1.2 and befo ...) + {DSA-5027-1 DLA-2869-1} + - xorg-server 2:1.20.13-3 + - xwayland 2:21.1.4-1 + NOTE: https://lists.x.org/archives/xorg-announce/2021-December/003122.html + NOTE: https://gitlab.freedesktop.org/xorg/xserver/-/commit/e56f61c79fc3cee26d83cda0f84ae56d5979f768 +CVE-2021-4010 (A flaw was found in xorg-x11-server in versions before 21.1.2 and befo ...) + {DSA-5027-1} + - xorg-server 2:1.20.13-3 + [stretch] - xorg-server <not-affected> (Vulnerable code introduced later) + - xwayland 2:21.1.4-1 + NOTE: https://lists.x.org/archives/xorg-announce/2021-December/003122.html + NOTE: https://gitlab.freedesktop.org/xorg/xserver/-/commit/6c4c53010772e3cb4cb8acd54950c8eec9c00d21 +CVE-2021-4009 (A flaw was found in xorg-x11-server in versions before 21.1.2 and befo ...) + {DSA-5027-1 DLA-2869-1} + - xorg-server 2:1.20.13-3 + - xwayland 2:21.1.4-1 + NOTE: https://lists.x.org/archives/xorg-announce/2021-December/003122.html + NOTE: https://gitlab.freedesktop.org/xorg/xserver/-/commit/b5196750099ae6ae582e1f46bd0a6dad29550e02 +CVE-2021-4008 (A flaw was found in xorg-x11-server in versions before 21.1.2 and befo ...) + {DSA-5027-1 DLA-2869-1} + - xorg-server 2:1.20.13-3 + - xwayland 2:21.1.4-1 + NOTE: https://lists.x.org/archives/xorg-announce/2021-December/003122.html + NOTE: https://gitlab.freedesktop.org/xorg/xserver/-/commit/ebce7e2d80e7c80e1dda60f2f0bc886f1106ba60 +CVE-2021-4007 (Rapid7 Insight Agent, versions 3.0.1 to 3.1.2.34, suffer from a local ...) + NOT-FOR-US: Rapid7 Insight Agent CVE-2021-4006 RESERVED -CVE-2021-4005 - RESERVED +CVE-2021-4005 (firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF) ...) + NOT-FOR-US: firefly-iii CVE-2021-44157 RESERVED CVE-2021-44156 RESERVED -CVE-2021-44155 - RESERVED -CVE-2021-44154 - RESERVED -CVE-2021-44153 - RESERVED -CVE-2021-44152 - RESERVED -CVE-2021-44151 - RESERVED +CVE-2021-44155 (An issue was discovered in /goform/login_process in Reprise RLM 14.2. ...) + NOT-FOR-US: Reprise RLM +CVE-2021-44154 (An issue was discovered in Reprise RLM 14.2. By using an admin account ...) + NOT-FOR-US: Reprise RLM +CVE-2021-44153 (An issue was discovered in Reprise RLM 14.2. When editing the license ...) + NOT-FOR-US: Reprise RLM +CVE-2021-44152 (An issue was discovered in Reprise RLM 14.2. Because /goform/change_pa ...) + NOT-FOR-US: Reprise RLM +CVE-2021-44151 (An issue was discovered in Reprise RLM 14.2. As the session cookies ar ...) + NOT-FOR-US: Reprise RLM CVE-2021-44150 (The client in tusdotnet through 2.5.0 relies on SHA-1 to prevent spoof ...) NOT-FOR-US: tusdotnet -CVE-2021-44149 - RESERVED -CVE-2021-44148 - RESERVED +CVE-2021-44149 (An issue was discovered in Trusted Firmware OP-TEE Trusted OS through ...) + NOT-FOR-US: Linaro/OP-TEE OP-TEE +CVE-2021-44148 (GL.iNet GL-AR150 2.x before 3.x devices, configured as repeaters, allo ...) + NOT-FOR-US: GL.iNet CVE-2021-44147 (An XML External Entity issue in Claris FileMaker Pro and Server (inclu ...) NOT-FOR-US: Claris CVE-2021-44146 RESERVED -CVE-2021-44145 - RESERVED +CVE-2021-44145 (In the TransformXML processor of Apache NiFi before 1.15.1 an authenti ...) + NOT-FOR-US: Apache NiFi CVE-2021-44144 (Croatia Control Asterix 2.8.1 has a heap-based buffer over-read, with ...) NOT-FOR-US: Croatia Control Asterix CVE-2021-4004 @@ -253,15 +6825,29 @@ CVE-2021-4003 CVE-2021-4002 [hugetlbfs: flush TLBs correctly after huge_pmd_unshare] RESERVED - linux 5.15.5-1 + [bullseye] - linux 5.10.84-1 NOTE: https://www.openwall.com/lists/oss-security/2021/11/25/1 NOTE: https://git.kernel.org/linus/a4a118f2eead1d6c49e00765de89878288d4b890 CVE-2021-44143 (A flaw was found in mbsync in isync 1.4.0 through 1.4.3. Due to an unc ...) - - isync <unfixed> (bug #999804) - [stretch] - isync <postponed> (revisit when/if fixed upstream) -CVE-2021-44142 - RESERVED -CVE-2021-44141 - RESERVED + - isync 1.4.4-1 (bug #999804) + [bullseye] - isync <not-affected> (Vulnerable code introduced later) + [buster] - isync <not-affected> (Vulnerable code introduced later) + [stretch] - isync <not-affected> (Vulnerable code introduced later) + NOTE: https://www.openwall.com/lists/oss-security/2021/12/03/2 +CVE-2021-44142 (The Samba vfs_fruit module uses extended file attributes (EA, xattr) t ...) + {DSA-5071-1} + - samba <unfixed> (bug #1004693) + NOTE: https://www.samba.org/samba/security/CVE-2021-44142.html + NOTE: https://bugzilla.samba.org/show_bug.cgi?id=14914 + NOTE: https://www.zerodayinitiative.com/advisories/ZDI-22-244/ + NOTE: https://www.zerodayinitiative.com/advisories/ZDI-22-245/ + NOTE: https://www.zerodayinitiative.com/advisories/ZDI-22-246/ +CVE-2021-44141 (All versions of Samba prior to 4.15.5 are vulnerable to a malicious cl ...) + - samba <unfixed> (bug #1004692) + [bullseye] - samba <ignored> (Minor issue; no backport to older versions, mitigations exists) + [buster] - samba <ignored> (Minor issue; no backport to older versions, mitigations exists) + NOTE: https://www.samba.org/samba/security/CVE-2021-44141.html + NOTE: https://bugzilla.samba.org/show_bug.cgi?id=14911 CVE-2021-44140 (Remote attackers may delete arbitrary files in a system hosting a JSPW ...) - jspwiki <removed> CVE-2021-44139 @@ -296,32 +6882,49 @@ CVE-2021-44125 RESERVED CVE-2021-44124 RESERVED -CVE-2021-44123 - RESERVED -CVE-2021-44122 - RESERVED +CVE-2021-44123 (SPIP 4.0.0 is affected by a remote command execution vulnerability. To ...) + {DSA-5028-1 DLA-2867-1} + - spip 3.2.12-1 + NOTE: https://git.spip.net/spip/spip/commit/1cf91def15966406ddd0488cf9d1ecd1ae82d47a (master) + NOTE: https://git.spip.net/spip/spip/commit/97e2888e9c92ad4bd68e8f80079583249714fbfa (v4.0.1) + NOTE: https://blog.spip.net/SPIP-4-0-1_SPIP-3-1-12.html +CVE-2021-44122 (SPIP 4.0.0 is affected by a Cross Site Request Forgery (CSRF) vulnerab ...) + {DSA-5028-1 DLA-2867-1} + - spip 3.2.12-1 + NOTE: https://git.spip.net/spip/spip/commit/1b8e4f404c2441c15ca6540b9a6d8e50cff219db + NOTE: https://git.spip.net/spip/spip/commit/fea5b5b4507cc9c0b9e91bbfbf34fe40b0bea805 (v3.2.12) + NOTE: https://blog.spip.net/SPIP-4-0-1_SPIP-3-1-12.html CVE-2021-44121 - RESERVED -CVE-2021-44120 - RESERVED + REJECTED +CVE-2021-44120 (SPIP 4.0.0 is affected by a Cross Site Scripting (XSS) vulnerability i ...) + {DSA-5028-1 DLA-2867-1} + - spip 3.2.12-1 + NOTE: https://git.spip.net/spip/spip/commit/d548391d799387d1e93cf1a369d385c72f7d5c81 + NOTE: https://git.spip.net/spip/spip/commit/361cc26080d1377bc55d2cb80736e5cfaf5fd242 (v3.2.12) + NOTE: https://blog.spip.net/SPIP-4-0-1_SPIP-3-1-12.html CVE-2021-44119 RESERVED -CVE-2021-44118 - RESERVED +CVE-2021-44118 (SPIP 4.0.0 is affected by a Cross Site Scripting (XSS) vulnerability. ...) + {DSA-5028-1 DLA-2867-1} + - spip 3.2.12-1 + NOTE: https://git.spip.net/spip/medias/commit/13c293fabd35e2c152379522c29432423936cbba + NOTE: https://git.spip.net/spip/spip/commit/1cf91def15966406ddd0488cf9d1ecd1ae82d47a + NOTE: https://git.spip.net/spip/spip/commit/4ccf90a6912d7fab97e1bd5619770c9236cc7357 + NOTE: https://blog.spip.net/SPIP-4-0-1_SPIP-3-1-12.html CVE-2021-44117 RESERVED -CVE-2021-44116 - RESERVED +CVE-2021-44116 (Cross Site Scripting (XSS) vulnerability exits in Anchor CMS <=0.12 ...) + NOT-FOR-US: Anchor CMS CVE-2021-44115 RESERVED -CVE-2021-44114 - RESERVED +CVE-2021-44114 (Cross Site Scripting (XSS) vulnerability exists in Sourcecodester Stoc ...) + NOT-FOR-US: Sourcecodester CVE-2021-44113 RESERVED CVE-2021-44112 RESERVED -CVE-2021-44111 - RESERVED +CVE-2021-44111 (A Directory Traversal vulnerability exists in S-Cart 6.7 via download ...) + NOT-FOR-US: S-Cart CVE-2021-44110 RESERVED CVE-2021-44109 @@ -358,12 +6961,12 @@ CVE-2021-44094 (ZrLog 2.2.2 has a remote command execution vulnerability at plug NOT-FOR-US: zrlog CVE-2021-44093 (A Remote Command Execution vulnerability on the background in zrlog 2. ...) NOT-FOR-US: zrlog -CVE-2021-44092 - RESERVED -CVE-2021-44091 - RESERVED -CVE-2021-44090 - RESERVED +CVE-2021-44092 (An SQL Injection vulnerability exists in code-projects Pharmacy Manage ...) + NOT-FOR-US: code-projects Pharmacy Management +CVE-2021-44091 (A Cross-Site Scripting (XSS) vulnerability exists in Courcecodester Mu ...) + NOT-FOR-US: Sourcecodester Multi Restaurant Table Reservation System +CVE-2021-44090 (An SQL Injection vulnerability exists in Sourcecodester Online Reviewe ...) + NOT-FOR-US: Sourcecodester Online Reviewer System CVE-2021-44089 RESERVED CVE-2021-44088 @@ -384,42 +6987,87 @@ CVE-2021-44081 RESERVED CVE-2021-44080 RESERVED -CVE-2021-4001 [race condition when the EBPF map is frozen] - RESERVED +CVE-2021-4001 (A race condition was found in the Linux kernel's ebpf verifier between ...) - linux 5.15.5-1 + [bullseye] - linux 5.10.84-1 [buster] - linux <not-affected> (Vulnerable code introduced later) [stretch] - linux <not-affected> (Vulnerable code introduced later) NOTE: https://git.kernel.org/linus/353050be4c19e102178ccc05988101887c25ae53 -CVE-2021-4000 - RESERVED -CVE-2021-3999 - RESERVED -CVE-2021-3998 +CVE-2021-4000 (showdoc is vulnerable to URL Redirection to Untrusted Site ...) + NOT-FOR-US: ShowDoc +CVE-2021-3999 [Off-by-one buffer overflow/underflow in getcwd()] RESERVED -CVE-2021-3997 + - glibc 2.33-4 + [bullseye] - glibc <no-dsa> (Minor issue) + [buster] - glibc <no-dsa> (Minor issue) + [stretch] - glibc <no-dsa> (Minor issue) + NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=28769 + NOTE: https://www.openwall.com/lists/oss-security/2022/01/24/4 + NOTE: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=23e0e8f5f1fb5ed150253d986ecccdc90c2dcd5e + NOTE: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=472e799a5f2102bc0c3206dbd5a801765fceb39c +CVE-2021-3998 [Unexpected return value from realpath() for too long results] RESERVED -CVE-2021-44079 (In the wazuh-slack active response script in Wazuh before 4.2.5, untru ...) + - glibc 2.33-4 + [bullseye] - glibc <no-dsa> (Minor issue) + [buster] - glibc <no-dsa> (Minor issue) + [stretch] - glibc <no-dsa> (Minor issue) + NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=28770 + NOTE: https://patchwork.sourceware.org/project/glibc/patch/20220113055920.3155918-1-siddhesh@sourceware.org/ + NOTE: https://www.openwall.com/lists/oss-security/2022/01/24/4 + NOTE: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ee8d5e33adb284601c00c94687bc907e10aec9bb + NOTE: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=f7a79879c0b2bef0dadd6caaaeeb0d26423e04e5 +CVE-2021-3997 [Uncontrolled recursion in systemd's systemd-tmpfiles] + RESERVED + - systemd 250.2-1 (bug #1003467) + [bullseye] - systemd <no-dsa> (Minor issue; can be fixed via point release) + [buster] - systemd <ignored> (Minor issue; not exploitable before upstream commit e535840) + [stretch] - systemd <ignored> (Minor issue; utility segfault; not exploitable before upstream commit e535840, PoC doesn't segfault on stretch) + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2024639 + NOTE: https://github.com/systemd/systemd/pull/22070 + NOTE: https://www.openwall.com/lists/oss-security/2022/01/10/2 + NOTE: Exploitable after (but present before): https://github.com/systemd/systemd/commit/e5358401b5df8d395e99815b7a69b8424887472c (v242-rc1) + NOTE: PoC still crashes on jessie/215-17+deb8u14 + NOTE: Prerequisite/Preparation: https://github.com/systemd/systemd/commit/3bac86abfa1b1720180840ffb9d06b3d54841c11 + NOTE: Prerequisite/Preparation: https://github.com/systemd/systemd/commit/84ced330020c0bae57bd4628f1f44eec91304e69 + NOTE: Fixed by: https://github.com/systemd/systemd/commit/5b1cf7a9be37e20133c0208005274ce4a5b5c6a1 +CVE-2021-44079 (In the wazuh-slack active response script in Wazuh 4.2.x before 4.2.5, ...) NOT-FOR-US: Wazuh CVE-2021-3996 RESERVED + {DSA-5055-1} + - util-linux 2.37.3-1 + [buster] - util-linux <not-affected> (Vulnerable code introduced later) + [stretch] - util-linux <not-affected> (Vulnerable code introduced later) + NOTE: Introduced by: https://github.com/util-linux/util-linux/commit/5fea669e9ef0a08804f72bb40f859f239f68c30a (v2.34-rc1) + NOTE: Fixed by: https://github.com/util-linux/util-linux/commit/018a10907fa9885093f6d87401556932c2d8bd2b (v2.37.3) + NOTE: https://mirrors.edge.kernel.org/pub/linux/utils/util-linux/v2.37/v2.37.3-ReleaseNotes + NOTE: https://www.openwall.com/lists/oss-security/2022/01/24/2 CVE-2021-3995 RESERVED -CVE-2021-3994 - RESERVED -CVE-2021-3993 - RESERVED -CVE-2021-3992 - RESERVED -CVE-2021-44078 - RESERVED -CVE-2021-44077 (Zoho ManageEngine ServiceDesk Plus before 11306 is vulnerable to unaut ...) + {DSA-5055-1} + - util-linux 2.37.3-1 + [buster] - util-linux <not-affected> (Vulnerable code introduced later) + [stretch] - util-linux <not-affected> (Vulnerable code introduced later) + NOTE: Introduced by: https://github.com/util-linux/util-linux/commit/5fea669e9ef0a08804f72bb40f859f239f68c30a (v2.34-rc1) + NOTE: Fixed by: https://github.com/util-linux/util-linux/commit/f3db9bd609494099f0c1b95231c5dfe383346929 (v2.37.3) + NOTE: https://mirrors.edge.kernel.org/pub/linux/utils/util-linux/v2.37/v2.37.3-ReleaseNotes + NOTE: https://www.openwall.com/lists/oss-security/2022/01/24/2 +CVE-2021-3994 (django-helpdesk is vulnerable to Improper Neutralization of Input Duri ...) + NOT-FOR-US: django-helpdesk +CVE-2021-3993 (showdoc is vulnerable to Cross-Site Request Forgery (CSRF) ...) + NOT-FOR-US: ShowDoc +CVE-2021-3992 (kimai2 is vulnerable to Improper Access Control ...) + NOT-FOR-US: kimai2 +CVE-2021-44078 (An issue was discovered in split_region in uc.c in Unicorn Engine befo ...) + NOT-FOR-US: Unicorn Engine +CVE-2021-44077 (Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP ...) NOT-FOR-US: Zoho ManageEngine CVE-2021-3991 RESERVED -CVE-2021-3990 - RESERVED -CVE-2021-3989 - RESERVED +CVE-2021-3990 (showdoc is vulnerable to Use of Cryptographically Weak Pseudo-Random N ...) + NOT-FOR-US: ShowDoc +CVE-2021-3989 (showdoc is vulnerable to URL Redirection to Untrusted Site ...) + NOT-FOR-US: ShowDoc CVE-2021-3988 RESERVED CVE-2021-3987 @@ -478,38 +7126,44 @@ CVE-2021-44052 RESERVED CVE-2021-44051 RESERVED -CVE-2021-44050 - RESERVED -CVE-2021-44049 - RESERVED -CVE-2021-44048 - RESERVED -CVE-2021-44047 - RESERVED -CVE-2021-44046 - RESERVED -CVE-2021-44045 - RESERVED -CVE-2021-44044 - RESERVED -CVE-2021-44043 - RESERVED -CVE-2021-44042 - RESERVED -CVE-2021-44041 - RESERVED -CVE-2021-3985 - RESERVED -CVE-2021-3984 - RESERVED -CVE-2021-3983 - RESERVED +CVE-2021-44050 (CA Network Flow Analysis (NFA) 21.2.1 and earlier contain a SQL inject ...) + NOT-FOR-US: CA Network Flow Analysis (NFA) +CVE-2021-44049 (CyberArk Endpoint Privilege Manager (EPM) through 11.5.3.328 before 20 ...) + NOT-FOR-US: CyberArk Endpoint Privilege Manager (EPM) +CVE-2021-44048 (An out-of-bounds write vulnerability exists when reading a TIF file us ...) + NOT-FOR-US: Open Design Alliance (ODA) Drawings Explorer +CVE-2021-44047 (A use-after-free vulnerability exists when reading a DWF/DWFX file usi ...) + NOT-FOR-US: Open Design Alliance Drawings SDK +CVE-2021-44046 (An out-of-bounds write vulnerability exists when reading U3D files in ...) + NOT-FOR-US: Open Design Alliance Drawings SDK +CVE-2021-44045 (An out-of-bounds write vulnerability exists when reading a DGN file us ...) + NOT-FOR-US: Open Design Alliance Drawings SDK +CVE-2021-44044 (An out-of-bounds write vulnerability exists when reading a JPG file us ...) + NOT-FOR-US: Open Design Alliance Drawings SDK +CVE-2021-44043 (An issue was discovered in UiPath App Studio 21.4.4. There is a persis ...) + NOT-FOR-US: UiPath +CVE-2021-44042 (An issue was discovered in UiPath Assistant 21.4.4. User-controlled da ...) + NOT-FOR-US: UiPath +CVE-2021-44041 (UiPath Assistant 21.4.4 will load and execute attacker controlled data ...) + NOT-FOR-US: UiPath +CVE-2021-3985 (kimai2 is vulnerable to Improper Neutralization of Input During Web Pa ...) + NOT-FOR-US: kimai2 +CVE-2021-3984 (vim is vulnerable to Heap-based Buffer Overflow ...) + - vim 2:8.2.3995-1 (bug #1001896) + [bullseye] - vim <no-dsa> (Minor issue) + [buster] - vim <no-dsa> (Minor issue) + NOTE: https://huntr.dev/bounties/b114b5a2-18e2-49f0-b350-15994d71426a + NOTE: https://github.com/vim/vim/commit/2de9b7c7c8791da8853a9a7ca9c467867465b655 (v8.2.3625) +CVE-2021-3983 (kimai2 is vulnerable to Improper Neutralization of Input During Web Pa ...) + NOT-FOR-US: kimai2 CVE-2021-44040 RESERVED CVE-2021-44039 RESERVED CVE-2021-44038 (An issue was discovered in Quagga through 1.2.4. Unsafe chown/chmod op ...) - quagga <removed> + [buster] - quagga <no-dsa> (Minor issue) + [stretch] - quagga <postponed> (revisit when/if fixed upstream) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1191890 NOTE: Debian installed systemd unit files install the problematic redhat/*.service NOTE: files with the unsafe chmod/chown calls in the Debian packaging. @@ -517,91 +7171,106 @@ CVE-2021-44037 (Team Password Manager (aka TeamPasswordManager) before 10.135.23 NOT-FOR-US: Team Password Manager (aka TeamPasswordManager) CVE-2021-44036 (Team Password Manager (aka TeamPasswordManager) before 10.135.236 has ...) NOT-FOR-US: Team Password Manager (aka TeamPasswordManager) -CVE-2021-44035 - RESERVED +CVE-2021-44035 (Wolters Kluwer TeamMate AM 12.4 Update 1 mishandles attachment uploads ...) + NOT-FOR-US: Wolters Kluwer TeamMate AM CVE-2021-3982 [Distributions using CAP_SYS_NICE in gnome-shell may be exposed to privilege escalation] RESERVED - - gnome-shell <unfixed> + - gnome-shell <not-affected> (Debian packaging does not set cap_sys_nice+ep on gnome-shell binary) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2024174 - TODO: recheck classification when RH provides more information -CVE-2021-3981 - RESERVED -CVE-2021-3980 - RESERVED -CVE-2021-3979 - RESERVED + NOTE: https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/4711 + NOTE: https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/2284 +CVE-2021-3981 [Incorrect permission in grub.cfg allow unprivileged user to read the file content] + RESERVED + - grub2 <unfixed> (bug #1001414) + [bullseye] - grub2 <not-affected> (Vulnerable code introduced later) + [buster] - grub2 <not-affected> (Vulnerable code introduced later) + [stretch] - grub2 <not-affected> (Vulnerable code introduced later) + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2024170 + NOTE: Introduced by: https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=ab2e53c8a196a595e50f1c836bf756b9db1ae68d (grub-2.06-rc1) + NOTE: https://lists.gnu.org/archive/html/grub-devel/2021-12/msg00013.html +CVE-2021-3980 (elgg is vulnerable to Exposure of Private Personal Information to an U ...) + - elgg <itp> (bug #526197) +CVE-2021-3979 [ceph: Ceph volume does not honour osd_dmcrypt_key_size] + RESERVED + - ceph <unfixed> + [bullseye] - ceph <no-dsa> (Minor issue) + [buster] - ceph <no-dsa> (Minor issue) + [stretch] - ceph <no-dsa> (Minor issue) + NOTE: https://www.openwall.com/lists/oss-security/2022/01/11/5 CVE-2021-44034 RESERVED CVE-2021-44033 (In Ionic Identity Vault before 5.0.5, the protection mechanism for inv ...) NOT-FOR-US: Ionic Identity Vault CVE-2021-44032 RESERVED -CVE-2021-44031 - RESERVED -CVE-2021-44030 - RESERVED -CVE-2021-44029 - RESERVED -CVE-2021-44028 - RESERVED +CVE-2021-44031 (An issue was discovered in Quest KACE Desktop Authority before 11.2. / ...) + NOT-FOR-US: Quest KACE Desktop Authority +CVE-2021-44030 (Quest KACE Desktop Authority before 11.2 allows XSS because it does no ...) + NOT-FOR-US: Quest KACE Desktop Authority +CVE-2021-44029 (An issue was discovered in Quest KACE Desktop Authority before 11.2. T ...) + NOT-FOR-US: Quest KACE Desktop Authority +CVE-2021-44028 (XXE can occur in Quest KACE Desktop Authority before 11.2 because the ...) + NOT-FOR-US: Quest KACE Desktop Authority CVE-2021-44027 RESERVED -CVE-2021-44024 - RESERVED -CVE-2021-44023 - RESERVED -CVE-2021-44022 - RESERVED -CVE-2021-44021 - RESERVED -CVE-2021-44020 - RESERVED -CVE-2021-44019 - RESERVED +CVE-2021-44024 (A link following denial-of-service vulnerability in Trend Micro Apex O ...) + NOT-FOR-US: Trend Micro +CVE-2021-44023 (A link following denial-of-service (DoS) vulnerability in the Trend Mi ...) + NOT-FOR-US: Trend Micro +CVE-2021-44022 (A reachable assertion vulnerability in Trend Micro Apex One could allo ...) + NOT-FOR-US: Trend Micro +CVE-2021-44021 (An unnecessary privilege vulnerability in Trend Micro Worry-Free Busin ...) + NOT-FOR-US: Trend Micro +CVE-2021-44020 (An unnecessary privilege vulnerability in Trend Micro Worry-Free Busin ...) + NOT-FOR-US: Trend Micro +CVE-2021-44019 (An unnecessary privilege vulnerability in Trend Micro Worry-Free Busin ...) + NOT-FOR-US: Trend Micro CVE-2021-3978 RESERVED -CVE-2021-3977 - RESERVED -CVE-2021-44018 - RESERVED -CVE-2021-44017 - RESERVED -CVE-2021-44016 - RESERVED -CVE-2021-44015 - RESERVED -CVE-2021-44014 - RESERVED -CVE-2021-44013 - RESERVED -CVE-2021-44012 - RESERVED -CVE-2021-44011 - RESERVED -CVE-2021-44010 - RESERVED -CVE-2021-44009 - RESERVED -CVE-2021-44008 - RESERVED -CVE-2021-44007 - RESERVED -CVE-2021-44006 - RESERVED -CVE-2021-44005 - RESERVED -CVE-2021-44004 - RESERVED -CVE-2021-44003 - RESERVED -CVE-2021-44002 - RESERVED -CVE-2021-44001 - RESERVED -CVE-2021-44000 - RESERVED -CVE-2021-43999 - RESERVED +CVE-2021-3977 (invoiceninja is vulnerable to Improper Neutralization of Input During ...) + NOT-FOR-US: invoiceninja +CVE-2021-44018 (A vulnerability has been identified in JT2Go (All versions), Solid Edg ...) + NOT-FOR-US: JT2Go / Siemens +CVE-2021-44017 (A vulnerability has been identified in JT2Go (All versions < V13.2. ...) + NOT-FOR-US: Siemens +CVE-2021-44016 (A vulnerability has been identified in JT2Go (All versions), Solid Edg ...) + NOT-FOR-US: JT2Go / Siemens +CVE-2021-44015 (A vulnerability has been identified in JT2Go (All versions < V13.2. ...) + NOT-FOR-US: Siemens +CVE-2021-44014 (A vulnerability has been identified in JT2Go (All versions < V13.2. ...) + NOT-FOR-US: Siemens +CVE-2021-44013 (A vulnerability has been identified in JT2Go (All versions < V13.2. ...) + NOT-FOR-US: Siemens +CVE-2021-44012 (A vulnerability has been identified in JT2Go (All versions < V13.2. ...) + NOT-FOR-US: Siemens +CVE-2021-44011 (A vulnerability has been identified in JT2Go (All versions < V13.2. ...) + NOT-FOR-US: Siemens +CVE-2021-44010 (A vulnerability has been identified in JT2Go (All versions < V13.2. ...) + NOT-FOR-US: Siemens +CVE-2021-44009 (A vulnerability has been identified in JT2Go (All versions < V13.2. ...) + NOT-FOR-US: Siemens +CVE-2021-44008 (A vulnerability has been identified in JT2Go (All versions < V13.2. ...) + NOT-FOR-US: Siemens +CVE-2021-44007 (A vulnerability has been identified in JT2Go (All versions < V13.2. ...) + NOT-FOR-US: Siemens +CVE-2021-44006 (A vulnerability has been identified in JT2Go (All versions < V13.2. ...) + NOT-FOR-US: Siemens +CVE-2021-44005 (A vulnerability has been identified in JT2Go (All versions < V13.2. ...) + NOT-FOR-US: Siemens +CVE-2021-44004 (A vulnerability has been identified in JT2Go (All versions < V13.2. ...) + NOT-FOR-US: Siemens +CVE-2021-44003 (A vulnerability has been identified in JT2Go (All versions < V13.2. ...) + NOT-FOR-US: Siemens +CVE-2021-44002 (A vulnerability has been identified in JT2Go (All versions < V13.2. ...) + NOT-FOR-US: Siemens +CVE-2021-44001 (A vulnerability has been identified in JT2Go (All versions < V13.2. ...) + NOT-FOR-US: Siemens +CVE-2021-44000 (A vulnerability has been identified in JT2Go (All versions), Solid Edg ...) + NOT-FOR-US: JT2Go / Siemens +CVE-2021-43999 (Apache Guacamole 1.2.0 and 1.3.0 do not properly validate responses re ...) + - guacamole-client <unfixed> + [stretch] - guacamole-client <not-affected> (SAML is not supported) + NOTE: https://www.openwall.com/lists/oss-security/2022/01/11/7 CVE-2021-3976 (kimai2 is vulnerable to Cross-Site Request Forgery (CSRF) ...) NOT-FOR-US: kimai2 CVE-2021-3975 [segmentation fault during VM shutdown can lead to vdsm hung] @@ -613,22 +7282,22 @@ CVE-2021-3975 [segmentation fault during VM shutdown can lead to vdsm hung] NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2024326 NOTE: Fixed by: https://github.com/libvirt/libvirt/commit/1ac703a7d0789e46833f4013a3876c2e3af18ec7 (v7.1.0-rc2) CVE-2021-44025 (Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to XSS in han ...) - {DSA-5013-1} + {DSA-5013-1 DLA-2840-1} - roundcube 1.5.0+dfsg.1-1 (bug #1000156) NOTE: https://github.com/roundcube/roundcubemail/issues/8193 NOTE: https://github.com/roundcube/roundcubemail/commit/faf99bf8a2b7b7562206fa047e8de652861e624a (1.4.12) NOTE: https://github.com/roundcube/roundcubemail/commit/7d7b1dfeff795390b69905ceb63d6391b5b0dfe7 (1.3.17) CVE-2021-44026 (Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potentia ...) - {DSA-5013-1} + {DSA-5013-1 DLA-2840-1} - roundcube 1.5.0+dfsg.1-1 (bug #1000156) NOTE: https://github.com/roundcube/roundcubemail/commit/c8947ecb762d9e89c2091bda28d49002817263f1 (1.4.12) NOTE: https://github.com/roundcube/roundcubemail/commit/ee809bde2dcaa04857a919397808a7296681dcfa (1.3.17) -CVE-2021-43998 - RESERVED +CVE-2021-43998 (HashiCorp Vault and Vault Enterprise 0.11.0 up to 1.7.5 and 1.8.4 temp ...) + NOT-FOR-US: HashiCorp Vault CVE-2021-43997 (Amazon FreeRTOS 10.2.0 through 10.4.5 on the ARMv7-M and ARMv8-M MPU p ...) NOT-FOR-US: Amazon FreeRTOS CVE-2021-43996 (The Ignition component before 1.16.15, and 2.0.x before 2.0.6, for Lar ...) - NOT-FOR-US: Laravel component + NOT-FOR-US: Laravel Ignition component CVE-2021-43995 RESERVED CVE-2021-43994 @@ -637,50 +7306,51 @@ CVE-2021-43993 RESERVED CVE-2021-43992 RESERVED -CVE-2021-43991 - RESERVED +CVE-2021-43991 (The Kentico Xperience CMS version 13.0 – 13.0.43 is vulnerable t ...) + NOT-FOR-US: Kentico Xperience CMS CVE-2021-43990 RESERVED -CVE-2021-43989 - RESERVED +CVE-2021-43989 (mySCADA myPRO Versions 8.20.0 and prior stores passwords using MD5, wh ...) + NOT-FOR-US: mySCADA myPRO CVE-2021-43988 RESERVED -CVE-2021-43987 - RESERVED +CVE-2021-43987 (An additional, nondocumented administrative account exists in mySCADA ...) + NOT-FOR-US: mySCADA myPRO CVE-2021-43986 RESERVED -CVE-2021-43985 - RESERVED -CVE-2021-43984 - RESERVED -CVE-2021-43983 - RESERVED -CVE-2021-43982 - RESERVED -CVE-2021-43981 - RESERVED +CVE-2021-43985 (An unauthenticated remote attacker can access mySCADA myPRO Versions 8 ...) + NOT-FOR-US: mySCADA myPRO +CVE-2021-43984 (mySCADA myPRO: Versions 8.20.0 and prior has a feature where the firmw ...) + NOT-FOR-US: mySCADA myPRO +CVE-2021-43983 (WECON LeviStudioU Versions 2019-09-21 and prior are vulnerable to mult ...) + NOT-FOR-US: WECON LeviStudioU +CVE-2021-43982 (Delta Electronics CNCSoft Versions 1.01.30 and prior are vulnerable to ...) + NOT-FOR-US: Delta +CVE-2021-43981 (mySCADA myPRO: Versions 8.20.0 and prior has a feature to send emails, ...) + NOT-FOR-US: mySCADA myPRO CVE-2021-43980 RESERVED CVE-2021-43979 (** DISPUTED ** Styra Open Policy Agent (OPA) Gatekeeper through 3.7.0 ...) NOT-FOR-US: Styra Open Policy Agent (OPA) Gatekeeper -CVE-2021-43978 - RESERVED +CVE-2021-43978 (Allegro WIndows 3.3.4152.0, embeds software administrator database cre ...) + NOT-FOR-US: Allegro WIndows CVE-2021-43977 (SmarterTools SmarterMail 16.x through 100.x before 100.0.7803 allows X ...) NOT-FOR-US: SmarterTools CVE-2021-43976 (In the Linux kernel through 5.15.2, mwifiex_usb_recv in drivers/net/wi ...) - - linux <unfixed> + - linux 5.15.15-2 NOTE: https://patchwork.kernel.org/project/linux-wireless/patch/YX4CqjfRcTa6bVL+@Zekuns-MBP-16.fios-router.home/ CVE-2021-43975 (In the Linux kernel through 5.15.2, hw_atl_utils_fw_rpc_wait in driver ...) - - linux <unfixed> + - linux 5.15.5-2 + [bullseye] - linux 5.10.84-1 NOTE: https://lore.kernel.org/netdev/163698540868.13805.17800408021782408762.git-patchwork-notify@kernel.org/T/ -CVE-2021-43974 - RESERVED -CVE-2021-43973 - RESERVED -CVE-2021-43972 - RESERVED -CVE-2021-43971 - RESERVED +CVE-2021-43974 (An issue was discovered in SysAid ITIL 20.4.74 b10. The /enduserreg en ...) + NOT-FOR-US: SysAid ITIL +CVE-2021-43973 (An unrestricted file upload vulnerability in /UploadPsIcon.jsp in SysA ...) + NOT-FOR-US: SysAid ITIL +CVE-2021-43972 (An unrestricted file copy vulnerability in /UserSelfServiceSettings.js ...) + NOT-FOR-US: SysAid ITIL +CVE-2021-43971 (A SQL injection vulnerability in /mobile/SelectUsers.jsp in SysAid ITI ...) + NOT-FOR-US: SysAid ITIL CVE-2021-43970 RESERVED CVE-2021-43969 @@ -695,23 +7365,23 @@ CVE-2021-43965 RESERVED CVE-2021-43964 RESERVED -CVE-2021-43963 - RESERVED +CVE-2021-43963 (An issue was discovered in Couchbase Sync Gateway 2.7.0 through 2.8.2. ...) + NOT-FOR-US: Couchbase Sync Gateway CVE-2021-43962 RESERVED CVE-2021-43961 RESERVED -CVE-2021-43960 - RESERVED +CVE-2021-43960 (** DISPUTED ** Lorensbergs Connect2 3.13.7647.20190 is affected by an ...) + NOT-FOR-US: Lorensbergs Connect2 CVE-2021-3974 (vim is vulnerable to Use After Free ...) - - vim <unfixed> + - vim 2:8.2.3995-1 (bug #1001897) [bullseye] - vim <no-dsa> (Minor issue) [buster] - vim <no-dsa> (Minor issue) [stretch] - vim <no-dsa> (Minor issue) NOTE: https://huntr.dev/bounties/e402cb2c-8ec4-4828-a692-c95f8e0de6d4 NOTE: https://github.com/vim/vim/commit/64066b9acd9f8cffdf4840f797748f938a13f2d6 (v8.2.3612) CVE-2021-3973 (vim is vulnerable to Heap-based Buffer Overflow ...) - - vim <unfixed> + - vim 2:8.2.3995-1 (bug #1001899) [bullseye] - vim <no-dsa> (Minor issue) [buster] - vim <no-dsa> (Minor issue) [stretch] - vim <no-dsa> (Minor issue) @@ -726,7 +7396,9 @@ CVE-2021-3970 CVE-2021-3969 RESERVED CVE-2021-3968 (vim is vulnerable to Heap-based Buffer Overflow ...) - - vim <unfixed> + - vim 2:8.2.3995-1 (bug #1001900) + [bullseye] - vim <no-dsa> (Minor issue) + [buster] - vim <no-dsa> (Minor issue) [stretch] - vim <not-affected> (Vulnerable code not present) NOTE: https://huntr.dev/bounties/00d62924-a7b4-4a61-ba29-acab2eaa1528/ NOTE: https://github.com/vim/vim/commit/a062006b9de0b2947ab5fb376c6e67ef92a8cd69 (v8.2.3610) @@ -742,64 +7414,64 @@ CVE-2021-43955 RESERVED CVE-2021-43954 RESERVED -CVE-2021-43953 - RESERVED -CVE-2021-43952 - RESERVED -CVE-2021-43951 - RESERVED -CVE-2021-43950 - RESERVED -CVE-2021-43949 - RESERVED -CVE-2021-43948 - RESERVED -CVE-2021-43947 - RESERVED -CVE-2021-43946 - RESERVED +CVE-2021-43953 (Affected versions of Atlassian Jira Server and Data Center allow unaut ...) + NOT-FOR-US: Atlassian +CVE-2021-43952 (Affected versions of Atlassian Jira Server and Data Center allow unaut ...) + NOT-FOR-US: Atlassian +CVE-2021-43951 (Affected versions of Atlassian Jira Service Management Server and Data ...) + NOT-FOR-US: Atlassian +CVE-2021-43950 (Affected versions of Atlassian Jira Service Management Server and Data ...) + NOT-FOR-US: Atlassian +CVE-2021-43949 (Affected versions of Atlassian Jira Service Management Server and Data ...) + NOT-FOR-US: Atlassian +CVE-2021-43948 (Affected versions of Atlassian Jira Service Management Server and Data ...) + NOT-FOR-US: Atlassian +CVE-2021-43947 (Affected versions of Atlassian Jira Server and Data Center allow remot ...) + NOT-FOR-US: Atlassian +CVE-2021-43946 (Affected versions of Atlassian Jira Server and Data Center allow authe ...) + NOT-FOR-US: Atlassian CVE-2021-43945 RESERVED CVE-2021-43944 RESERVED CVE-2021-43943 RESERVED -CVE-2021-43942 - RESERVED -CVE-2021-43941 - RESERVED -CVE-2021-43940 - RESERVED +CVE-2021-43942 (Affected versions of Atlassian Jira Server and Data Center allow remot ...) + NOT-FOR-US: Atlassian +CVE-2021-43941 (Affected versions of Atlassian Jira Server and Data Center allow remot ...) + NOT-FOR-US: Atlassian +CVE-2021-43940 (Affected versions of Atlassian Confluence Server and Data Center allow ...) + NOT-FOR-US: Atlassian Confluence CVE-2021-43939 RESERVED CVE-2021-43938 RESERVED CVE-2021-43937 RESERVED -CVE-2021-43936 - RESERVED -CVE-2021-43935 - RESERVED +CVE-2021-43936 (The software allows the attacker to upload or transfer files of danger ...) + NOT-FOR-US: Distributed Data Systems +CVE-2021-43935 (The impacted products, when configured to use SSO, are affected by an ...) + NOT-FOR-US: Hillrom CVE-2021-43934 RESERVED CVE-2021-43933 RESERVED CVE-2021-43932 RESERVED -CVE-2021-43931 - RESERVED +CVE-2021-43931 (The authentication algorithm of the WebHMI portal is sound, but the im ...) + NOT-FOR-US: Distributed Data Systems CVE-2021-43930 RESERVED -CVE-2021-43929 - RESERVED -CVE-2021-43928 - RESERVED -CVE-2021-43927 - RESERVED -CVE-2021-43926 - RESERVED -CVE-2021-43925 - RESERVED +CVE-2021-43929 (Improper neutralization of special elements in output used by a downst ...) + NOT-FOR-US: Synology +CVE-2021-43928 (Improper neutralization of special elements used in an OS command ('OS ...) + NOT-FOR-US: Synology +CVE-2021-43927 (Improper neutralization of special elements used in an SQL command ('S ...) + NOT-FOR-US: Synology +CVE-2021-43926 (Improper neutralization of special elements used in an SQL command ('S ...) + NOT-FOR-US: Synology +CVE-2021-43925 (Improper neutralization of special elements used in an SQL command ('S ...) + NOT-FOR-US: Synology CVE-2021-43924 RESERVED CVE-2021-43923 @@ -832,14 +7504,14 @@ CVE-2021-43910 RESERVED CVE-2021-43909 RESERVED -CVE-2021-43908 - RESERVED -CVE-2021-43907 - RESERVED +CVE-2021-43908 (Visual Studio Code Spoofing Vulnerability ...) + NOT-FOR-US: Microsoft +CVE-2021-43907 (Visual Studio Code WSL Extension Remote Code Execution Vulnerability ...) + NOT-FOR-US: Microsoft CVE-2021-43906 RESERVED -CVE-2021-43905 - RESERVED +CVE-2021-43905 (Microsoft Office app Remote Code Execution Vulnerability ...) + NOT-FOR-US: Microsoft CVE-2021-43904 RESERVED CVE-2021-43903 @@ -850,30 +7522,30 @@ CVE-2021-43901 RESERVED CVE-2021-43900 RESERVED -CVE-2021-43899 - RESERVED +CVE-2021-43899 (Microsoft 4K Wireless Display Adapter Remote Code Execution Vulnerabil ...) + NOT-FOR-US: Microsoft CVE-2021-43898 RESERVED CVE-2021-43897 RESERVED -CVE-2021-43896 - RESERVED +CVE-2021-43896 (Microsoft PowerShell Spoofing Vulnerability ...) + NOT-FOR-US: Microsoft CVE-2021-43895 RESERVED CVE-2021-43894 RESERVED -CVE-2021-43893 - RESERVED -CVE-2021-43892 - RESERVED -CVE-2021-43891 - RESERVED -CVE-2021-43890 - RESERVED -CVE-2021-43889 - RESERVED -CVE-2021-43888 - RESERVED +CVE-2021-43893 (Windows Encrypting File System (EFS) Elevation of Privilege Vulnerabil ...) + NOT-FOR-US: Microsoft +CVE-2021-43892 (Microsoft BizTalk ESB Toolkit Spoofing Vulnerability ...) + NOT-FOR-US: Microsoft +CVE-2021-43891 (Visual Studio Code Remote Code Execution Vulnerability ...) + NOT-FOR-US: Microsoft +CVE-2021-43890 (Windows AppX Installer Spoofing Vulnerability ...) + NOT-FOR-US: Microsoft +CVE-2021-43889 (Microsoft Defender for IoT Remote Code Execution Vulnerability This CV ...) + NOT-FOR-US: Microsoft +CVE-2021-43888 (Microsoft Defender for IoT Information Disclosure Vulnerability ...) + NOT-FOR-US: Microsoft CVE-2021-43887 RESERVED CVE-2021-43886 @@ -882,24 +7554,24 @@ CVE-2021-43885 RESERVED CVE-2021-43884 RESERVED -CVE-2021-43883 - RESERVED -CVE-2021-43882 - RESERVED +CVE-2021-43883 (Windows Installer Elevation of Privilege Vulnerability ...) + NOT-FOR-US: Microsoft +CVE-2021-43882 (Microsoft Defender for IoT Remote Code Execution Vulnerability This CV ...) + NOT-FOR-US: Microsoft CVE-2021-43881 RESERVED -CVE-2021-43880 - RESERVED +CVE-2021-43880 (Windows Mobile Device Management Elevation of Privilege Vulnerability ...) + NOT-FOR-US: Microsoft CVE-2021-43879 RESERVED CVE-2021-43878 RESERVED -CVE-2021-43877 - RESERVED -CVE-2021-43876 - RESERVED -CVE-2021-43875 - RESERVED +CVE-2021-43877 (ASP.NET Core and Visual Studio Elevation of Privilege Vulnerability ...) + NOT-FOR-US: .NET core +CVE-2021-43876 (Microsoft SharePoint Elevation of Privilege Vulnerability. ...) + NOT-FOR-US: Microsoft +CVE-2021-43875 (Microsoft Office Graphics Remote Code Execution Vulnerability ...) + NOT-FOR-US: Microsoft CVE-2021-43874 RESERVED CVE-2021-43873 @@ -922,176 +7594,238 @@ CVE-2021-43865 RESERVED CVE-2021-43864 RESERVED -CVE-2021-43863 - RESERVED -CVE-2021-43862 - RESERVED -CVE-2021-43861 - RESERVED -CVE-2021-43860 - RESERVED -CVE-2021-43859 - RESERVED -CVE-2021-43858 - RESERVED -CVE-2021-43857 - RESERVED -CVE-2021-43856 - RESERVED -CVE-2021-43855 - RESERVED -CVE-2021-43854 - RESERVED -CVE-2021-43853 - RESERVED -CVE-2021-43852 - RESERVED -CVE-2021-43851 - RESERVED -CVE-2021-43850 - RESERVED -CVE-2021-43849 - RESERVED -CVE-2021-43848 - RESERVED -CVE-2021-43847 - RESERVED -CVE-2021-43846 - RESERVED -CVE-2021-43845 - RESERVED -CVE-2021-43844 - RESERVED -CVE-2021-43843 - RESERVED -CVE-2021-43842 - RESERVED -CVE-2021-43841 - RESERVED -CVE-2021-43840 - RESERVED -CVE-2021-43839 - RESERVED -CVE-2021-43838 - RESERVED -CVE-2021-43837 - RESERVED -CVE-2021-43836 - RESERVED -CVE-2021-43835 - RESERVED -CVE-2021-43834 - RESERVED -CVE-2021-43833 - RESERVED -CVE-2021-43832 - RESERVED -CVE-2021-43831 - RESERVED -CVE-2021-43830 - RESERVED -CVE-2021-43829 - RESERVED -CVE-2021-43828 - RESERVED -CVE-2021-43827 - RESERVED +CVE-2021-43863 (The Nextcloud Android app is the Android client for Nextcloud, a self- ...) + NOT-FOR-US: Nextcloud Android app +CVE-2021-43862 (jQuery Terminal Emulator is a plugin for creating command line interpr ...) + NOT-FOR-US: jQuery Terminal Emulator +CVE-2021-43861 (Mermaid is a Javascript based diagramming and charting tool that uses ...) + - node-mermaid 8.13.8+~cs10.4.16-1 + [bullseye] - node-mermaid <no-dsa> (Minor issue) + NOTE: https://github.com/mermaid-js/mermaid/security/advisories/GHSA-p3rp-vmj9-gv6v + NOTE: https://github.com/mermaid-js/mermaid/commit/066b7a0d0bda274d94a2f2d21e4323dab5776d83 +CVE-2021-43860 (Flatpak is a Linux application sandboxing and distribution framework. ...) + {DSA-5049-1} + - flatpak 1.12.3-1 + [buster] - flatpak <ignored> (Intrusive and risky to backport) + [stretch] - flatpak <ignored> (Intrusive and risky to backport) + NOTE: https://github.com/flatpak/flatpak/security/advisories/GHSA-qpjc-vq3c-572j + NOTE: https://github.com/flatpak/flatpak/commit/ba818f504c926baaf6e362be8159cfacf994310e + NOTE: https://github.com/flatpak/flatpak/commit/d9a8f9d8ccc0b7c1135d0ecde006a75d25f66aee + NOTE: https://github.com/flatpak/flatpak/commit/93357d357119093804df05acc32ff335839c6451 + NOTE: https://github.com/flatpak/flatpak/commit/65cbfac982cb1c83993a9e19aa424daee8e9f042 +CVE-2021-43859 (XStream is an open source java library to serialize objects to XML and ...) + {DLA-2924-1} + - libxstream-java <unfixed> + NOTE: https://github.com/x-stream/xstream/security/advisories/GHSA-rmr5-cpv2-vgjf + NOTE: https://x-stream.github.io/CVE-2021-43859.html + NOTE: https://github.com/x-stream/xstream/commit/e8e88621ba1c85ac3b8620337dd672e0c0c3a846 +CVE-2021-43858 (MinIO is a Kubernetes native application for cloud storage. Prior to v ...) + NOT-FOR-US: MinIO +CVE-2021-43857 (Gerapy is a distributed crawler management framework. Gerapy prior to ...) + NOT-FOR-US: Gerapy +CVE-2021-43856 (Wiki.js is a wiki app built on Node.js. Wiki.js 2.5.263 and earlier is ...) + NOT-FOR-US: Wiki.js +CVE-2021-43855 (Wiki.js is a wiki app built on node.js. Wiki.js 2.5.263 and earlier is ...) + NOT-FOR-US: Wiki.js +CVE-2021-43854 (NLTK (Natural Language Toolkit) is a suite of open source Python modul ...) + - nltk 3.6.7-1 (bug #1002623) + [bullseye] - nltk <no-dsa> (Minor issue) + [buster] - nltk <no-dsa> (Minor issue) + [stretch] - nltk <no-dsa> (Minor issue) + NOTE: https://github.com/nltk/nltk/security/advisories/GHSA-f8m6-h2c7-8h9x + NOTE: https://github.com/nltk/nltk/issues/2866 + NOTE: https://github.com/nltk/nltk/pull/2869 + NOTE: https://github.com/nltk/nltk/commit/1405aad979c6b8080dbbc8e0858f89b2e3690341 (3.6.6) +CVE-2021-43853 (Ajax.NET Professional (AjaxPro) is an AJAX framework available for Mic ...) + NOT-FOR-US: Ajax.NET Professional +CVE-2021-43852 (OroPlatform is a PHP Business Application Platform. In affected versio ...) + NOT-FOR-US: OroPlatform +CVE-2021-43851 (Anuko Time Tracker is an open source, web-based time tracking applicat ...) + NOT-FOR-US: Anuko Time Tracker +CVE-2021-43850 (Discourse is an open source platform for community discussion. In affe ...) + NOT-FOR-US: Discourse +CVE-2021-43849 (cordova-plugin-fingerprint-aio is a plugin provides a single and simpl ...) + NOT-FOR-US: cordova-plugin-fingerprint-aio +CVE-2021-43848 (h2o is an open source http server. In code prior to the `8c0eca3` comm ...) + - h2o <not-affected> (Vulnerable code not yet uploaded) + NOTE: https://github.com/h2o/h2o/security/advisories/GHSA-f9xw-j925-m4m4 + NOTE: Introduced by: https://github.com/h2o/h2o/commit/93af1383b248e9284ba5f63211b4fbb4c828d060 + NOTE: Fixed by: https://github.com/h2o/h2o/commit/8c0eca3d9bc1f08e7c6bdf57645f3d54aed7d844 +CVE-2021-43847 (HumHub is an open-source social network kit written in PHP. Prior to H ...) + NOT-FOR-US: HumHub Social Network Kit Enterprise +CVE-2021-43846 (`solidus_frontend` is the cart and storefront for the Solidus e-commer ...) + NOT-FOR-US: solidus_frontend +CVE-2021-43845 (PJSIP is a free and open source multimedia communication library. In v ...) + - asterisk <unfixed> + - pjproject <removed> + - ring <unfixed> + NOTE: https://github.com/pjsip/pjproject/security/advisories/GHSA-r374-qrwv-86hh + NOTE: https://github.com/pjsip/pjproject/commit/f74c1fc22b760d2a24369aa72c74c4a9ab985859 + NOTE: https://github.com/pjsip/pjproject/pull/2924 +CVE-2021-43844 (MSEdgeRedirect is a tool to redirect news, search, widgets, weather, a ...) + NOT-FOR-US: MSEdgeRedirect +CVE-2021-43843 (jsx-slack is a package for building JSON objects for Slack block kit s ...) + NOT-FOR-US: jsx-slack +CVE-2021-43842 (Wiki.js is a wiki app built on Node.js. Wiki.js versions 2.5.257 and e ...) + NOT-FOR-US: Wiki.js +CVE-2021-43841 (XWiki is a generic wiki platform offering runtime services for applica ...) + NOT-FOR-US: XWiki +CVE-2021-43840 (message_bus is a messaging bus for Ruby processes and web clients. In ...) + NOT-FOR-US: Discourse Message Bus middleware +CVE-2021-43839 (Cronos is a commercial implementation of a blockchain. In Cronos nodes ...) + NOT-FOR-US: Cronos +CVE-2021-43838 (jsx-slack is a library for building JSON objects for Slack Block Kit s ...) + NOT-FOR-US: jsx-slack +CVE-2021-43837 (vault-cli is a configurable command-line interface tool (and python li ...) + NOT-FOR-US: Hashicorp vault-cli +CVE-2021-43836 (Sulu is an open-source PHP content management system based on the Symf ...) + NOT-FOR-US: Sulu +CVE-2021-43835 (Sulu is an open-source PHP content management system based on the Symf ...) + NOT-FOR-US: Sulu +CVE-2021-43834 (eLabFTW is an electronic lab notebook manager for research teams. In v ...) + NOT-FOR-US: eLabFTW +CVE-2021-43833 (eLabFTW is an electronic lab notebook manager for research teams. In v ...) + NOT-FOR-US: eLabFTW +CVE-2021-43832 (Spinnaker is an open source, multi-cloud continuous delivery platform. ...) + NOT-FOR-US: Spinnaker +CVE-2021-43831 (Gradio is an open source framework for building interactive machine le ...) + NOT-FOR-US: gradio +CVE-2021-43830 (OpenProject is a web-based project management software. OpenProject ve ...) + NOT-FOR-US: OpenProject +CVE-2021-43829 (PatrOwl is a free and open-source solution for orchestrating Security ...) + NOT-FOR-US: PatrOwl +CVE-2021-43828 (PatrOwl is a free and open-source solution for orchestrating Security ...) + NOT-FOR-US: PatrOwl +CVE-2021-43827 (discourse-footnote is a library providing footnotes for posts in Disco ...) + NOT-FOR-US: discourse-footnote CVE-2021-43826 RESERVED CVE-2021-43825 RESERVED CVE-2021-43824 RESERVED -CVE-2021-43823 - RESERVED -CVE-2021-43822 - RESERVED -CVE-2021-43821 - RESERVED -CVE-2021-43820 - RESERVED +CVE-2021-43823 (Sourcegraph is a code search and navigation engine. Sourcegraph prior ...) + NOT-FOR-US: Sourcegraph +CVE-2021-43822 (Jackalope Doctrine-DBAL is an implementation of the PHP Content Reposi ...) + NOT-FOR-US: Jackalope Doctrine-DBAL +CVE-2021-43821 (Opencast is an Open Source Lecture Capture & Video Management for ...) + NOT-FOR-US: Opencast +CVE-2021-43820 (Seafile is an open source cloud storage system. A sync token is used i ...) + - seafile-server <itp> (bug #865830) + NOTE: https://github.com/haiwen/seafile-server/security/advisories/GHSA-m3wc-jv6r-hvv8 + NOTE: https://github.com/haiwen/seafile-server/pull/520 CVE-2021-43819 RESERVED -CVE-2021-43818 - RESERVED -CVE-2021-43817 - RESERVED -CVE-2021-43816 - RESERVED -CVE-2021-43815 - RESERVED -CVE-2021-43814 - RESERVED -CVE-2021-43813 - RESERVED -CVE-2021-43812 - RESERVED -CVE-2021-43811 - RESERVED -CVE-2021-43810 - RESERVED -CVE-2021-43809 - RESERVED -CVE-2021-43808 - RESERVED -CVE-2021-43807 - RESERVED -CVE-2021-43806 - RESERVED -CVE-2021-43805 - RESERVED -CVE-2021-43804 - RESERVED -CVE-2021-43803 - RESERVED -CVE-2021-43802 - RESERVED -CVE-2021-43801 - RESERVED -CVE-2021-43800 - RESERVED -CVE-2021-43799 - RESERVED -CVE-2021-43798 - RESERVED -CVE-2021-43797 - RESERVED +CVE-2021-43818 (lxml is a library for processing XML and HTML in the Python language. ...) + {DSA-5043-1 DLA-2871-1} + - lxml 4.7.1-1 (bug #1001885) + NOTE: https://github.com/lxml/lxml/security/advisories/GHSA-55x5-fj6c-h6m8 + NOTE: https://github.com/lxml/lxml/commit/12fa9669007180a7bb87d990c375cf91ca5b664a (lxml-4.6.5) + NOTE: https://github.com/lxml/lxml/commit/f2330237440df7e8f39c3ad1b1aa8852be3b27c0 (lxml-4.6.5) +CVE-2021-43817 (Collabora Online is a collaborative online office suite based on Libre ...) + NOT-FOR-US: Collabora Online +CVE-2021-43816 (containerd is an open source container runtime. On installations using ...) + - containerd 1.5.9~ds1-1 + [bullseye] - containerd <not-affected> (Vulnerable code introduced in 1.5.0) + NOTE: https://github.com/containerd/containerd/security/advisories/GHSA-mvff-h3cj-wj9c + NOTE: Fixed by: https://github.com/containerd/containerd/commit/1407cab509ff0d96baa4f0eb6ff9980270e6e620 +CVE-2021-43815 (Grafana is an open-source platform for monitoring and observability. G ...) + - grafana <removed> +CVE-2021-43814 (Rizin is a UNIX-like reverse engineering framework and command-line to ...) + NOT-FOR-US: Rizin +CVE-2021-43813 (Grafana is an open-source platform for monitoring and observability. G ...) + - grafana <removed> +CVE-2021-43812 (The Auth0 Next.js SDK is a library for implementing user authenticatio ...) + NOT-FOR-US: Auth0 Next.js SDK +CVE-2021-43811 (Sockeye is an open-source sequence-to-sequence framework for Neural Ma ...) + NOT-FOR-US: Sockeye +CVE-2021-43810 (Admidio is a free open source user management system for websites of o ...) + NOT-FOR-US: Admidio +CVE-2021-43809 (`Bundler` is a package for managing application dependencies in Ruby. ...) + - rubygems 3.3.5-1 + NOTE: https://github.com/rubygems/rubygems/security/advisories/GHSA-fj7f-vq84-fh43 + NOTE: https://github.com/rubygems/rubygems/commit/90b1ed8b9f8b636aa8c913f7b5a764a2e03d179c (v3.3.0) + NOTE: https://github.com/rubygems/rubygems/pull/5142 +CVE-2021-43808 (Laravel is a web application framework. Laravel prior to versions 8.75 ...) + - php-laravel-framework 6.20.14+dfsg-3 (bug #1001333) + [bullseye] - php-laravel-framework <no-dsa> (Minor issue; can be fixed via point release) + NOTE: https://github.com/laravel/framework/security/advisories/GHSA-66hf-2p6w-jqfw + NOTE: https://github.com/laravel/framework/commit/b8174169b1807f36de1837751599e2828ceddb9b (v6.20.42) +CVE-2021-43807 (Opencast is an Open Source Lecture Capture & Video Management for ...) + NOT-FOR-US: Opencast +CVE-2021-43806 (Tuleap is a Libre and Open Source tool for end to end traceability of ...) + NOT-FOR-US: Tuleap +CVE-2021-43805 (Solidus is a free, open-source ecommerce platform built on Rails. Vers ...) + NOT-FOR-US: Solidus +CVE-2021-43804 (PJSIP is a free and open source multimedia communication library writt ...) + - asterisk <unfixed> + - pjproject <removed> + - ring <unfixed> + NOTE: https://github.com/pjsip/pjproject/security/advisories/GHSA-3qx3-cg72-wrh9 + NOTE: https://github.com/pjsip/pjproject/commit/8b621f192cae14456ee0b0ade52ce6c6f258af1e +CVE-2021-43803 (Next.js is a React framework. In versions of Next.js prior to 12.0.5 o ...) + NOT-FOR-US: next.js +CVE-2021-43802 (Etherpad is a real-time collaborative editor. In versions prior to 1.8 ...) + - etherpad-lite <itp> (bug #576998) +CVE-2021-43801 (Mercurius is a GraphQL adapter for Fastify. Any users from Mercurius@8 ...) + NOT-FOR-US: Mercurius +CVE-2021-43800 (Wiki.js is a wiki app built on Node.js. Prior to version 2.5.254, dire ...) + NOT-FOR-US: Wiki.js +CVE-2021-43799 (Zulip is an open-source team collaboration tool. Zulip Server installs ...) + - zulip-server <itp> (bug #800052) +CVE-2021-43798 (Grafana is an open-source platform for monitoring and observability. G ...) + - grafana <removed> +CVE-2021-43797 (Netty is an asynchronous event-driven network application framework fo ...) + - netty <unfixed> (bug #1001437) + [bullseye] - netty <no-dsa> (Minor issue) + [buster] - netty <no-dsa> (Minor issue) + [stretch] - netty <no-dsa> (Minor issue) + NOTE: https://github.com/netty/netty/security/advisories/GHSA-wx5j-54mm-rqqq + NOTE: https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323 (netty-4.1.71.Final) CVE-2021-43796 RESERVED -CVE-2021-43795 - RESERVED -CVE-2021-43794 - RESERVED -CVE-2021-43793 - RESERVED -CVE-2021-43792 - RESERVED -CVE-2021-43791 - RESERVED -CVE-2021-43790 - RESERVED -CVE-2021-43789 - RESERVED -CVE-2021-43788 - RESERVED -CVE-2021-43787 - RESERVED -CVE-2021-43786 - RESERVED +CVE-2021-43795 (Armeria is an open source microservice framework. In affected versions ...) + NOT-FOR-US: Armeria +CVE-2021-43794 (Discourse is an open source discussion platform. In affected versions ...) + NOT-FOR-US: Discourse +CVE-2021-43793 (Discourse is an open source discussion platform. In affected versions ...) + NOT-FOR-US: Discourse +CVE-2021-43792 (Discourse is an open source discussion platform. In affected versions ...) + NOT-FOR-US: Discourse +CVE-2021-43791 (Zulip is an open source group chat application that combines real-time ...) + - zulip-server <itp> (bug #800052) +CVE-2021-43790 (Lucet is a native WebAssembly compiler and runtime. There is a bug in ...) + NOT-FOR-US: Lucet +CVE-2021-43789 (PrestaShop is an Open Source e-commerce web application. Versions of P ...) + NOT-FOR-US: PrestaShop +CVE-2021-43788 (Nodebb is an open source Node.js based forum software. Prior to v1.18. ...) + NOT-FOR-US: Nodebb +CVE-2021-43787 (Nodebb is an open source Node.js based forum software. In affected ver ...) + NOT-FOR-US: Nodebb +CVE-2021-43786 (Nodebb is an open source Node.js based forum software. In affected ver ...) + NOT-FOR-US: Nodebb CVE-2021-43785 (@joeattardi/emoji-button is a Vanilla JavaScript emoji picker componen ...) - TODO: check -CVE-2021-43784 - RESERVED -CVE-2021-43783 - RESERVED -CVE-2021-43782 - RESERVED -CVE-2021-43781 - RESERVED + NOT-FOR-US: @joeattardi/emoji-button +CVE-2021-43784 (runc is a CLI tool for spawning and running containers on Linux accord ...) + {DLA-2841-1} + - runc 1.0.3+ds1-1 + [bullseye] - runc <ignored> (Minor issue; not exploitable in 1.0.0) + [buster] - runc <ignored> (Minor issue; not exploitable in 1.0.0) + NOTE: https://github.com/opencontainers/runc/security/advisories/GHSA-v95c-p5hm-xq8f + NOTE: https://www.openwall.com/lists/oss-security/2021/12/06/1 + NOTE: Fixed by: https://github.com/opencontainers/runc/commit/d72d057ba794164c3cce9451a00b72a78b25e1ae +CVE-2021-43783 (@backstage/plugin-scaffolder-backend is the backend for the default Ba ...) + NOT-FOR-US: @backstage/plugin-scaffolder-backend +CVE-2021-43782 (Tuleap is a Libre and Open Source tool for end to end traceability of ...) + NOT-FOR-US: Tuleap +CVE-2021-43781 (Invenio-Drafts-Resources is a submission/deposit module for Invenio, a ...) + NOT-FOR-US: Invenio-Drafts-Resources CVE-2021-43780 (Redash is a package for data visualization and sharing. In versions 10 ...) NOT-FOR-US: Redash -CVE-2021-43779 - RESERVED +CVE-2021-43779 (GLPI is an open source IT Asset Management, issue tracking system and ...) + - glpi <removed> (unimportant) + NOTE: https://github.com/pluginsGLPI/addressing/security/advisories/GHSA-q5fp-xpr8-77jh + NOTE: Only supported behind an authenticated HTTP zone CVE-2021-43778 (Barcode is a GLPI plugin for printing barcodes and QR codes. GLPI inst ...) NOT-FOR-US: GLPI plugin CVE-2021-43777 (Redash is a package for data visualization and sharing. In Redash vers ...) @@ -1104,18 +7838,18 @@ CVE-2021-3967 RESERVED CVE-2021-3966 RESERVED -CVE-2021-3965 - RESERVED +CVE-2021-3965 (Certain HP DesignJet products may be vulnerable to unauthenticated HTT ...) + NOT-FOR-US: HP CVE-2021-43774 RESERVED CVE-2021-43773 RESERVED -CVE-2021-43772 - RESERVED -CVE-2021-43771 - RESERVED -CVE-2021-3964 - RESERVED +CVE-2021-43772 (Trend Micro Security 2021 v17.0 (Consumer) contains a vulnerability th ...) + NOT-FOR-US: Trend Micro +CVE-2021-43771 (Trend Micro Antivirus for Mac 2021 v11 (Consumer) is vulnerable to an ...) + NOT-FOR-US: Trend Micro +CVE-2021-3964 (elgg is vulnerable to Authorization Bypass Through User-Controlled Key ...) + - elgg <itp> (bug #526197) CVE-2021-3963 (kimai2 is vulnerable to Cross-Site Request Forgery (CSRF) ...) NOT-FOR-US: kimai2 CVE-2021-3962 (A flaw was found in ImageMagick where it did not properly sanitize cer ...) @@ -1132,16 +7866,16 @@ CVE-2021-43767 RESERVED CVE-2021-43766 RESERVED -CVE-2021-43765 - RESERVED -CVE-2021-43764 - RESERVED -CVE-2021-43763 - RESERVED -CVE-2021-43762 - RESERVED -CVE-2021-43761 - RESERVED +CVE-2021-43765 (AEM's Cloud Service offering, as well as version 6.5.10.0 (and below) ...) + NOT-FOR-US: Adobe +CVE-2021-43764 (AEM's Cloud Service offering, as well as version 6.5.10.0 (and below) ...) + NOT-FOR-US: Adobe +CVE-2021-43763 (Adobe Dimension versions 3.4.3 (and earlier) are affected by an out-of ...) + NOT-FOR-US: Adobe +CVE-2021-43762 (AEM's Cloud Service offering, as well as version 6.5.10.0 (and below) ...) + NOT-FOR-US: Adobe +CVE-2021-43761 (AEM's Cloud Service offering, as well as versions 6.5.7.0 (and below), ...) + NOT-FOR-US: Adobe CVE-2021-43760 RESERVED CVE-2021-43759 @@ -1158,26 +7892,26 @@ CVE-2021-43754 RESERVED CVE-2021-43753 RESERVED -CVE-2021-43752 - RESERVED +CVE-2021-43752 (Adobe Illustrator versions 25.4.2 (and earlier) and 26.0.1 (and earlie ...) + NOT-FOR-US: Adobe CVE-2021-43751 RESERVED -CVE-2021-43750 - RESERVED -CVE-2021-43749 - RESERVED -CVE-2021-43748 - RESERVED -CVE-2021-43747 - RESERVED -CVE-2021-43746 - RESERVED +CVE-2021-43750 (Adobe Premiere Rush versions 1.5.16 (and earlier) are affected by a Nu ...) + NOT-FOR-US: Adobe +CVE-2021-43749 (Adobe Premiere Rush versions 1.5.16 (and earlier) are affected by a Nu ...) + NOT-FOR-US: Adobe +CVE-2021-43748 (Adobe Premiere Rush versions 1.5.16 (and earlier) are affected by a Nu ...) + NOT-FOR-US: Adobe +CVE-2021-43747 (Adobe Premiere Rush version 1.5.16 (and earlier) is affected by a memo ...) + NOT-FOR-US: Adobe +CVE-2021-43746 (Adobe Premiere Rush versions 1.5.16 (and earlier) allows access to an ...) + NOT-FOR-US: Adobe CVE-2021-3961 (snipe-it is vulnerable to Improper Neutralization of Input During Web ...) NOT-FOR-US: snipe-it -CVE-2021-3960 - RESERVED -CVE-2021-3959 - RESERVED +CVE-2021-3960 (Improper Limitation of a Pathname to a Restricted Directory ('Path Tra ...) + NOT-FOR-US: Bitdefender +CVE-2021-3959 (A Server-Side Request Forgery (SSRF) vulnerability in the EPPUpdateSer ...) + NOT-FOR-US: Bitdefender CVE-2021-3958 (Due to improper sanitization iPack SCADA Automation software suffers f ...) NOT-FOR-US: iPack SCADA Automation CVE-2021-43745 @@ -1202,8 +7936,8 @@ CVE-2021-43736 RESERVED CVE-2021-43735 RESERVED -CVE-2021-43734 - RESERVED +CVE-2021-43734 (kkFileview v4.0.0 has arbitrary file read through a directory traversa ...) + NOT-FOR-US: kkFileview CVE-2021-43733 RESERVED CVE-2021-43732 @@ -1248,8 +7982,8 @@ CVE-2021-43713 RESERVED CVE-2021-43712 RESERVED -CVE-2021-43711 - RESERVED +CVE-2021-43711 (The downloadFlile.cgi binary file in TOTOLINK EX200 V4.0.3c.7646_B2020 ...) + NOT-FOR-US: TOTOLINK CVE-2021-43710 RESERVED CVE-2021-43709 @@ -1264,8 +7998,8 @@ CVE-2021-43705 RESERVED CVE-2021-43704 RESERVED -CVE-2021-43703 - RESERVED +CVE-2021-43703 (An Incorrect Access Control vulnerability exists in zzcms less than or ...) + NOT-FOR-US: zzcms CVE-2021-43702 RESERVED CVE-2021-43701 @@ -1274,58 +8008,58 @@ CVE-2021-43700 RESERVED CVE-2021-43699 RESERVED -CVE-2021-43698 - RESERVED -CVE-2021-43697 - RESERVED -CVE-2021-43696 - RESERVED -CVE-2021-43695 - RESERVED +CVE-2021-43698 (phpWhois (last update Jun 30 2021) is affected by a Cross Site Scripti ...) + NOT-FOR-US: phpWhois +CVE-2021-43697 (Workerman-ThinkPHP-Redis (last update Mar 16, 2018) is affected by a C ...) + NOT-FOR-US: Workerman-ThinkPHP-Redis +CVE-2021-43696 (twmap v2.91_v4.33 is affected by a Cross Site Scripting (XSS) vulnerab ...) + NOT-FOR-US: twmap +CVE-2021-43695 (issabelPBX version 2.11 is affected by a Cross Site Scripting (XSS) vu ...) + NOT-FOR-US: issabelPBX CVE-2021-43694 RESERVED -CVE-2021-43693 - RESERVED -CVE-2021-43692 - RESERVED -CVE-2021-43691 - RESERVED -CVE-2021-43690 - RESERVED -CVE-2021-43689 - RESERVED +CVE-2021-43693 (vesta 0.9.8-24 is affected by a file inclusion vulnerability in file w ...) + NOT-FOR-US: Vesta Control Panel +CVE-2021-43692 (youtube-php-mirroring (last update Jun 9, 2017) is affected by a Cross ...) + NOT-FOR-US: youtube-php-mirroring +CVE-2021-43691 (tripexpress v1.1 is affected by a path manipulation vulnerability in f ...) + NOT-FOR-US: tripexpress +CVE-2021-43690 (YurunProxy v0.01 is affected by a Cross Site Scripting (XSS) vulnerabi ...) + NOT-FOR-US: YurunProxy +CVE-2021-43689 (manage (last update Oct 24, 2017) is affected by a Cross Site Scriptin ...) + NOT-FOR-US: thinkphp manage CVE-2021-43688 RESERVED -CVE-2021-43687 - RESERVED -CVE-2021-43686 - RESERVED -CVE-2021-43685 - RESERVED +CVE-2021-43687 (chamilo-lms v1.11.14 is affected by a Cross Site Scripting (XSS) vulne ...) + NOT-FOR-US: Chamilo LMS +CVE-2021-43686 (nZEDb v0.4.20 is affected by a Cross Site Scripting (XSS) vulnerabilit ...) + NOT-FOR-US: nZEDb +CVE-2021-43685 (libretime hv3.0.0-alpha.10 is affected by a path manipulation vulnerab ...) + - libretime <itp> (bug #888687) CVE-2021-43684 RESERVED -CVE-2021-43683 - RESERVED -CVE-2021-43682 - RESERVED -CVE-2021-43681 - RESERVED +CVE-2021-43683 (pictshare v1.5 is affected by a Cross Site Scripting (XSS) vulnerabili ...) + NOT-FOR-US: pictshare +CVE-2021-43682 (thinkphp-bjyblog (last update Jun 4 2021) is affected by a Cross Site ...) + NOT-FOR-US: ThinkPHP BJY Blog +CVE-2021-43681 (SakuraPanel v1.0.1.1 is affected by a Cross Site Scripting (XSS) vulne ...) + NOT-FOR-US: SakuraPanel CVE-2021-43680 RESERVED -CVE-2021-43679 - RESERVED -CVE-2021-43678 - RESERVED -CVE-2021-43677 - RESERVED -CVE-2021-43676 - RESERVED -CVE-2021-43675 - RESERVED -CVE-2021-43674 - RESERVED -CVE-2021-43673 - RESERVED +CVE-2021-43679 (ecshop v2.7.3 is affected by a SQL injection vulnerability in shopex\e ...) + NOT-FOR-US: ecshop +CVE-2021-43678 (Wechat-php-sdk v1.10.2 is affected by a Cross Site Scripting (XSS) vul ...) + NOT-FOR-US: Wechat-php-sdk +CVE-2021-43677 (Fluxbb v1.4.12 is affected by a Cross Site Scripting (XSS) vulnerabili ...) + NOT-FOR-US: Fluxbb +CVE-2021-43676 (matyhtf framework v3.0.5 is affected by a path manipulation vulnerabil ...) + NOT-FOR-US: matyhtf framework +CVE-2021-43675 (Lychee-v3 3.2.16 is affected by a Cross Site Scripting (XSS) vulnerabi ...) + NOT-FOR-US: Lychee-v3 +CVE-2021-43674 (** UNSUPPORTED WHEN ASSIGNED ** ThinkUp 2.0-beta.10 is affected by a p ...) + NOT-FOR-US: ThinkUp +CVE-2021-43673 (dzzoffice 2.02.1_SC_UTF8 is affected by a Cross Site Scripting (XSS) v ...) + NOT-FOR-US: dzzoffice CVE-2021-43672 RESERVED CVE-2021-43671 @@ -1395,28 +8129,28 @@ CVE-2021-43640 RESERVED CVE-2021-43639 RESERVED -CVE-2021-43638 - RESERVED -CVE-2021-43637 - RESERVED +CVE-2021-43638 (Amazon Amazon WorkSpaces agent is affected by Integer Overflow. IOCTL ...) + NOT-FOR-US: Amazon +CVE-2021-43637 (Amazon WorkSpaces agent is affected by Buffer Overflow. IOCTL Handler ...) + NOT-FOR-US: Amazon CVE-2021-43636 RESERVED -CVE-2021-43635 - RESERVED +CVE-2021-43635 (A Cross Site Scripting (XSS) vulnerability exists in Codex before 1.4. ...) + NOT-FOR-US: Codex CVE-2021-43634 RESERVED CVE-2021-43633 RESERVED CVE-2021-43632 RESERVED -CVE-2021-43631 - RESERVED -CVE-2021-43630 - RESERVED -CVE-2021-43629 - RESERVED -CVE-2021-43628 - RESERVED +CVE-2021-43631 (Projectworlds Hospital Management System v1.0 is vulnerable to SQL inj ...) + NOT-FOR-US: Projectworlds Hospital Management System +CVE-2021-43630 (Projectworlds Hospital Management System v1.0 is vulnerable to SQL inj ...) + NOT-FOR-US: Projectworlds Hospital Management System +CVE-2021-43629 (Projectworlds Hospital Management System v1.0 is vulnerable to SQL inj ...) + NOT-FOR-US: Projectworlds Hospital Management System +CVE-2021-43628 (Projectworlds Hospital Management System v1.0 is vulnerable to SQL inj ...) + NOT-FOR-US: Projectworlds Hospital Management System CVE-2021-43627 RESERVED CVE-2021-43626 @@ -1436,13 +8170,15 @@ CVE-2021-43620 (An issue was discovered in the fruity crate through 0.2.0 for Ru CVE-2021-43619 RESERVED CVE-2021-43618 (GNU Multiple Precision Arithmetic Library (GMP) through 6.2.1 has an m ...) + {DLA-2837-1} - gmp 2:6.2.1+dfsg-3 (bug #994405) - [bullseye] - gmp <no-dsa> (Minor issue) + [bullseye] - gmp 2:6.2.1+dfsg-1+deb11u1 [buster] - gmp <no-dsa> (Minor issue) NOTE: https://gmplib.org/list-archives/gmp-bugs/2021-September/005077.html NOTE: https://gmplib.org/repo/gmp-6.2/rev/561a9c25298e CVE-2021-43617 (Laravel Framework through 8.70.2 does not sufficiently block the uploa ...) - - php-laravel-framework <unfixed> + - php-laravel-framework 6.20.14+dfsg-3 (bug #1002728) + [bullseye] - php-laravel-framework <no-dsa> (Can be fixed via point release) NOTE: https://hosein-vita.medium.com/laravel-8-x-image-upload-bypass-zero-day-852bd806019b CVE-2021-3957 (kimai2 is vulnerable to Cross-Site Request Forgery (CSRF) ...) NOT-FOR-US: kimai2 @@ -1451,8 +8187,8 @@ CVE-2021-43616 (The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds wit [bullseye] - npm <no-dsa> (Minor issue) [buster] - npm <no-dsa> (Minor issue) NOTE: https://github.com/npm/cli/issues/2701 -CVE-2021-43615 - RESERVED +CVE-2021-43615 (An issue was discovered in HddPassword in Insyde InsydeH2O with kernel ...) + NOT-FOR-US: Insyde CVE-2021-43614 RESERVED CVE-2021-43613 @@ -1460,7 +8196,7 @@ CVE-2021-43613 CVE-2021-43612 [crash in SONMP decoder] RESERVED - lldpd 1.0.13-1 - [bullseye] - lldpd <no-dsa> (Minor issue) + [bullseye] - lldpd 1.0.11-1+deb11u1 [buster] - lldpd <no-dsa> (Minor issue) [stretch] - lldpd <no-dsa> (Minor issue) NOTE: https://github.com/lldpd/lldpd/commit/73d42680fce8598324364dbb31b9bc3b8320adf7 (1.0.13) @@ -1470,8 +8206,7 @@ CVE-2021-43610 (Belledonne Belle-sip before 5.0.20 can crash applications such a NOT-FOR-US: Belledonne Belle-sip CVE-2021-43609 RESERVED -CVE-2021-43608 [SQL Injection Security Vulnerability] - RESERVED +CVE-2021-43608 (Doctrine DBAL 3.x before 3.1.4 allows SQL Injection. The escaping of o ...) - php-doctrine-dbal <not-affected> (Vulnerable code introduced in 3.0.0) NOTE: Bug was introduced in 3.0.0, and fixed in experimental in 3.1.4+dfsg-1 and NOTE: only present in experimental suite. @@ -1512,12 +8247,12 @@ CVE-2021-43591 RESERVED CVE-2021-43590 RESERVED -CVE-2021-43589 - RESERVED -CVE-2021-43588 - RESERVED -CVE-2021-43587 - RESERVED +CVE-2021-43589 (Dell EMC Unity, Dell EMC UnityVSA and Dell EMC Unity XT versions prior ...) + NOT-FOR-US: EMC +CVE-2021-43588 (Dell EMC Data Protection Central version 19.5 contains an Improper Inp ...) + NOT-FOR-US: EMC +CVE-2021-43587 (Dell PowerPath Management Appliance, versions 3.2, 3.1, 3.0 P01, 3.0, ...) + NOT-FOR-US: Dell CVE-2021-43586 RESERVED CVE-2021-43585 @@ -1544,8 +8279,9 @@ CVE-2021-43581 (An Out-of-Bounds Read vulnerability exists when reading a U3D fi NOT-FOR-US: Open Design Alliance PRC SDK CVE-2021-43580 RESERVED -CVE-2021-43579 (A stack-based buffer overflow in image_load_bmp() in HTMLDOC before 1. ...) +CVE-2021-43579 (A stack-based buffer overflow in image_load_bmp() in HTMLDOC <= 1.9 ...) - htmldoc 1.9.13-1 (unimportant) + [bullseye] - htmldoc 1.9.11-4+deb11u1 NOTE: https://github.com/michaelrsweet/htmldoc/commit/27d08989a5a567155d506ac870ae7d8cc88fa58b (v1.9.13) NOTE: https://github.com/michaelrsweet/htmldoc/issues/453 NOTE: Crash in CLI tool, no security impact @@ -1565,24 +8301,23 @@ CVE-2021-26248 (Philips MRI 1.5T and MRI 3T Version 5.x.x assigns an owner who i NOT-FOR-US: Philips CVE-2021-3949 RESERVED -CVE-2021-3948 - RESERVED +CVE-2021-3948 (An incorrect default permissions vulnerability was found in the mig-co ...) NOT-FOR-US: Migration Toolkit for Containers -CVE-2021-3947 [NVME: Arbitrary Memory Read] - RESERVED - - qemu <unfixed> +CVE-2021-3947 (A stack-buffer-overflow was found in QEMU in the NVME component. The f ...) + - qemu 1:6.2+dfsg-1 [bullseye] - qemu <not-affected> (Vulnerable code introduced later) [buster] - qemu <not-affected> (Vulnerable code introduced later) [stretch] - qemu <not-affected> (Vulnerable code introduced later) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2021869 NOTE: Introduced by: https://gitlab.com/qemu-project/qemu/-/commit/f432fdfa1215bc3a00468b2e711176be279b0fd2 (v6.0.0-rc0) NOTE: https://lore.kernel.org/qemu-devel/20211111153125.2258176-1-philmd@redhat.com/ + NOTE: Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/e2c57529c9306e4c9aac75d9879f6e7699584a22 (v6.2.0-rc3) CVE-2021-3946 RESERVED CVE-2021-3945 (django-helpdesk is vulnerable to Improper Neutralization of Input Duri ...) NOT-FOR-US: django-helpdesk -CVE-2021-3944 - RESERVED +CVE-2021-3944 (bookstack is vulnerable to Cross-Site Request Forgery (CSRF) ...) + NOT-FOR-US: bookstack CVE-2021-3943 (A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, ...) - moodle <removed> CVE-2021-43575 (** DISPUTED ** KNX ETS6 through 6.0.0 uses the hard-coded password ETS ...) @@ -1591,7 +8326,7 @@ CVE-2021-43574 (** UNSUPPORTED WHEN ASSIGNED ** WebAdmin Control Panel in Atmail - atmailopen <removed> CVE-2021-43573 (A buffer overflow was discovered on Realtek RTL8195AM devices before 2 ...) NOT-FOR-US: Realtek -CVE-2021-43572 (The verify function in the Stark Bank Python ECDSA library (ecdsa-pyth ...) +CVE-2021-43572 (The verify function in the Stark Bank Python ECDSA library (aka starkb ...) NOT-FOR-US: Stark bank libraries CVE-2021-43571 (The verify function in the Stark Bank Node.js ECDSA library (ecdsa-nod ...) NOT-FOR-US: Stark bank libraries @@ -1603,10 +8338,18 @@ CVE-2021-43568 (The verify function in the Stark Bank Elixir ECDSA library (ecds NOT-FOR-US: Stark bank libraries CVE-2021-43567 RESERVED -CVE-2021-43566 - RESERVED -CVE-2021-43565 - RESERVED +CVE-2021-43566 (All versions of Samba prior to 4.13.16 are vulnerable to a malicious c ...) + - samba <unfixed> (bug #1004691) + [bullseye] - samba <ignored> (Minor issue; no backport to older versions, mitigations exists) + [buster] - samba <ignored> (Minor issue; no backport to older versions, mitigations exists) + NOTE: https://www.samba.org/samba/security/CVE-2021-43566.html + NOTE: https://bugzilla.samba.org/show_bug.cgi?id=13979 +CVE-2021-43565 [x/crypto/ssh: empty plaintext packet causes panic] + RESERVED + - golang-go.crypto 1:0.0~git20211202.5770296-1 + [stretch] - golang-go.crypto <postponed> (Limited support in stretch) + NOTE: https://github.com/golang/crypto/commit/5770296d904e90f15f38f77dfc2e43fdf5efc083 + NOTE: https://github.com/golang/go/issues/49932 CVE-2021-43564 (An issue was discovered in the jobfair (aka Job Fair) extension before ...) NOT-FOR-US: TYPO3 extension CVE-2021-43563 (An issue was discovered in the pixxio (aka pixx.io integration or DAM) ...) @@ -1635,66 +8378,152 @@ CVE-2021-3941 NOTE: Fixed by: https://github.com/AcademySoftwareFoundation/openexr/commit/a0cfa81153b2464b864c5fe39a53cb03339092ed CVE-2021-3940 RESERVED -CVE-2021-43556 - RESERVED +CVE-2021-43556 (FATEK WinProladder Versions 3.30_24518 and prior are vulnerable to a s ...) + NOT-FOR-US: FATEK WinProladder CVE-2021-43555 (mySCADA myDESIGNER Versions 8.20.0 and prior fails to properly validat ...) NOT-FOR-US: mySCADA myDESIGNER -CVE-2021-43554 - RESERVED +CVE-2021-43554 (FATEK WinProladder Versions 3.30_24518 and prior are vulnerable to an ...) + NOT-FOR-US: FATEK WinProladder CVE-2021-43553 (PI Vision could disclose information to a user with insufficient privi ...) NOT-FOR-US: OSIsoft -CVE-2021-43552 - RESERVED +CVE-2021-43552 (The use of a hard-coded cryptographic key significantly increases the ...) + NOT-FOR-US: Philips CVE-2021-43551 (A remote attacker with write access to PI Vision could inject code int ...) NOT-FOR-US: OSIsoft -CVE-2021-43550 - RESERVED +CVE-2021-43550 (The use of a broken or risky cryptographic algorithm is an unnecessary ...) + NOT-FOR-US: Philips CVE-2021-43549 (A remote authenticated attacker with write access to a PI Server could ...) NOT-FOR-US: OSIsoft -CVE-2021-43548 - RESERVED +CVE-2021-43548 (Patient Information Center iX (PIC iX) Versions C.02 and C.03 receives ...) + NOT-FOR-US: Philips CVE-2021-43547 RESERVED -CVE-2021-43546 - RESERVED -CVE-2021-43545 - RESERVED -CVE-2021-43544 - RESERVED -CVE-2021-43543 - RESERVED -CVE-2021-43542 - RESERVED -CVE-2021-43541 - RESERVED -CVE-2021-43540 - RESERVED -CVE-2021-43539 - RESERVED -CVE-2021-43538 - RESERVED -CVE-2021-43537 - RESERVED -CVE-2021-43536 - RESERVED -CVE-2021-43535 - RESERVED -CVE-2021-43534 - RESERVED -CVE-2021-43533 - RESERVED -CVE-2021-43532 - RESERVED -CVE-2021-43531 - RESERVED -CVE-2021-43530 - RESERVED +CVE-2021-43546 (It was possible to recreate previous cursor spoofing attacks against u ...) + {DSA-5034-1 DSA-5026-1 DLA-2874-1 DLA-2863-1} + - firefox 95.0-1 + - firefox-esr 91.4.0esr-1 + - thunderbird 1:91.4.0-1 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-52/#CVE-2021-43546 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-53/#CVE-2021-43546 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-54/#CVE-2021-43546 +CVE-2021-43545 (Using the Location API in a loop could have caused severe application ...) + {DSA-5034-1 DSA-5026-1 DLA-2874-1 DLA-2863-1} + - firefox 95.0-1 + - firefox-esr 91.4.0esr-1 + - thunderbird 1:91.4.0-1 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-52/#CVE-2021-43545 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-53/#CVE-2021-43545 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-54/#CVE-2021-43545 +CVE-2021-43544 (When receiving a URL through a SEND intent, Firefox would have searche ...) + - firefox <not-affected> (Only affects Android) + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-52/#CVE-2021-43544 +CVE-2021-43543 (Documents loaded with the CSP sandbox directive could have escaped the ...) + {DSA-5034-1 DSA-5026-1 DLA-2874-1 DLA-2863-1} + - firefox 95.0-1 + - firefox-esr 91.4.0esr-1 + - thunderbird 1:91.4.0-1 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-52/#CVE-2021-43543 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-53/#CVE-2021-43543 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-54/#CVE-2021-43543 +CVE-2021-43542 (Using XMLHttpRequest, an attacker could have identified installed appl ...) + {DSA-5034-1 DSA-5026-1 DLA-2874-1 DLA-2863-1} + - firefox 95.0-1 + - firefox-esr 91.4.0esr-1 + - thunderbird 1:91.4.0-1 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-52/#CVE-2021-43542 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-53/#CVE-2021-43542 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-54/#CVE-2021-43542 +CVE-2021-43541 (When invoking protocol handlers for external protocols, a supplied par ...) + {DSA-5034-1 DSA-5026-1 DLA-2874-1 DLA-2863-1} + - firefox 95.0-1 + - firefox-esr 91.4.0esr-1 + - thunderbird 1:91.4.0-1 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-52/#CVE-2021-43541 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-53/#CVE-2021-43541 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-54/#CVE-2021-43541 +CVE-2021-43540 (WebExtensions with the correct permissions were able to create and ins ...) + - firefox 95.0-1 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-52/#CVE-2021-43540 +CVE-2021-43539 (Failure to correctly record the location of live pointers across wasm ...) + {DSA-5034-1 DSA-5026-1 DLA-2874-1 DLA-2863-1} + - firefox 95.0-1 + - firefox-esr 91.4.0esr-1 + - thunderbird 1:91.4.0-1 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-52/#CVE-2021-43539 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-53/#CVE-2021-43539 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-54/#CVE-2021-43539 +CVE-2021-43538 (By misusing a race in our notification code, an attacker could have fo ...) + {DSA-5034-1 DSA-5026-1 DLA-2874-1 DLA-2863-1} + - firefox 95.0-1 + - firefox-esr 91.4.0esr-1 + - thunderbird 1:91.4.0-1 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-52/#CVE-2021-43538 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-53/#CVE-2021-43538 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-54/#CVE-2021-43538 +CVE-2021-43537 (An incorrect type conversion of sizes from 64bit to 32bit integers all ...) + {DSA-5034-1 DSA-5026-1 DLA-2874-1 DLA-2863-1} + - firefox 95.0-1 + - firefox-esr 91.4.0esr-1 + - thunderbird 1:91.4.0-1 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-52/#CVE-2021-43537 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-53/#CVE-2021-43537 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-54/#CVE-2021-43537 +CVE-2021-43536 (Under certain circumstances, asynchronous functions could have caused ...) + {DSA-5034-1 DSA-5026-1 DLA-2874-1 DLA-2863-1} + - firefox 95.0-1 + - firefox-esr 91.4.0esr-1 + - thunderbird 1:91.4.0-1 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-52/#CVE-2021-43536 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-53/#CVE-2021-43536 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-54/#CVE-2021-43536 +CVE-2021-43535 (A use-after-free could have occured when an HTTP2 session object was r ...) + {DSA-5034-1 DSA-5026-1 DLA-2874-1 DLA-2863-1} + - firefox 93.0-1 + - firefox-esr 91.3.0esr-1 + - thunderbird 1:91.3.0-1 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-43/#CVE-2021-43535 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-49/#CVE-2021-43535 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-50/#CVE-2021-43535 +CVE-2021-43534 (Mozilla developers and community members reported memory safety bugs p ...) + {DSA-5034-1 DSA-5026-1 DLA-2874-1 DLA-2863-1} + - firefox 94.0-1 + - firefox-esr 91.3.0esr-1 + - thunderbird 1:91.3.0-1 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-48/#CVE-2021-43534 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-49/#CVE-2021-43534 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-50/#CVE-2021-43534 +CVE-2021-43533 (When parsing internationalized domain names, high bits of the characte ...) + - firefox 94.0-1 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-48/#CVE-2021-43533 +CVE-2021-43532 (The 'Copy Image Link' context menu action would copy the final image U ...) + - firefox 94.0-1 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-48/#CVE-2021-43532 +CVE-2021-43531 (When a user loaded a Web Extensions context menu, the Web Extension co ...) + - firefox 94.0-1 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-48/#CVE-2021-43531 +CVE-2021-43530 (A Universal XSS vulnerability was present in Firefox for Android resul ...) + - firefox 94.0-1 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-48/#CVE-2021-43530 CVE-2021-43529 RESERVED -CVE-2021-43528 - RESERVED -CVE-2021-43527 - RESERVED + {DSA-5034-1 DLA-2874-1} + - thunderbird 1:91.3.0-1 + NOTE: https://www.openwall.com/lists/oss-security/2021/12/01/6 + NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1738501 +CVE-2021-43528 (Thunderbird unexpectedly enabled JavaScript in the composition area. T ...) + {DSA-5034-1 DLA-2874-1} + - thunderbird 1:91.4.0-1 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-54/#CVE-2021-43528 +CVE-2021-43527 (NSS (Network Security Services) versions prior to 3.73 or 3.68.1 ESR a ...) + {DSA-5016-1 DLA-2836-1} + - nss 2:3.73-1 + NOTE: https://www.openwall.com/lists/oss-security/2021/12/01/4 + NOTE: https://hg.mozilla.org/projects/nss/rev/6b3dc97a8767d9dc5c4c181597d1341d0899aa58 (NSS_3_73_BRANCH) + NOTE: https://hg.mozilla.org/projects/nss/rev/dea71cbef9e03636f37c6cb120f8deccce6e17dd (NSS_3_68_1_BRANCH) + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-51/#CVE-2021-43527 + NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1737470 (not yet public) + NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=2237 + NOTE: https://googleprojectzero.blogspot.com/2021/12/this-shouldnt-have-happened.html CVE-2021-43526 RESERVED CVE-2021-43525 @@ -1706,8 +8535,8 @@ CVE-2021-43523 (In uClibc and uClibc-ng before 1.0.39, incorrect handling of spe - uclibc-ng <itp> (bug #811275) NOTE: https://www.openwall.com/lists/oss-security/2021/11/09/1 NOTE: https://github.com/wbx-github/uclibc-ng/commit/0f822af0445e5348ce7b7bd8ce1204244f31d174 -CVE-2021-43522 - RESERVED +CVE-2021-43522 (An issue was discovered in Insyde InsydeH2O with kernel 5.1 through 20 ...) + NOT-FOR-US: Insyde CVE-2021-3939 (Ubuntu-specific modifications to accountsservice (in patch file debian ...) - accountsservice <not-affected> (Ubuntu specific patch) NOTE: https://ubuntu.com/security/CVE-2021-3939 @@ -1718,6 +8547,7 @@ CVE-2021-3937 CVE-2021-3936 RESERVED CVE-2021-3935 (When PgBouncer is configured to use "cert" authentication, a man-in-th ...) + {DLA-2922-1} - pgbouncer 1.16.1-1 [bullseye] - pgbouncer <no-dsa> (Minor issue; can be fixed via point release) [buster] - pgbouncer <no-dsa> (Minor issue; can be fixed via point release) @@ -1738,7 +8568,8 @@ CVE-2021-43521 CVE-2021-43520 RESERVED CVE-2021-43519 (Stack overflow in lua_resume of ldo.c in Lua Interpreter 5.1.0~5.4.4 a ...) - - lua5.4 <unfixed> (bug #1000228) + - lua5.4 5.4.4-1 (bug #1000228) + [bullseye] - lua5.4 <no-dsa> (Minor issue) - lua5.3 <unfixed> [bullseye] - lua5.3 <no-dsa> (Minor issue) [buster] - lua5.3 <no-dsa> (Minor issue) @@ -1755,8 +8586,14 @@ CVE-2021-43519 (Stack overflow in lua_resume of ldo.c in Lua Interpreter 5.1.0~5 NOTE: http://lua-users.org/lists/lua-l/2021-10/msg00123.html NOTE: http://lua-users.org/lists/lua-l/2021-11/msg00015.html NOTE: Fixed by: https://github.com/lua/lua/commit/74d99057a5146755e737c479850f87fd0e3b6868 -CVE-2021-43518 - RESERVED +CVE-2021-43518 (Teeworlds up to and including 0.7.5 is vulnerable to Buffer Overflow. ...) + - teeworlds <unfixed> + [bullseye] - teeworlds <no-dsa> (Minor issue) + [buster] - teeworlds <no-dsa> (Minor issue) + NOTE: https://github.com/teeworlds/teeworlds/issues/2981 + NOTE: https://github.com/teeworlds/teeworlds/pull/3018 + NOTE: https://github.com/teeworlds/teeworlds/commit/91e5492d4c210f82f1ca6b43a73417fef5463368 + NOTE: https://mmmds.pl/fuzzing-map-parser-part-1-teeworlds/ CVE-2021-43517 RESERVED CVE-2021-43516 @@ -1771,10 +8608,10 @@ CVE-2021-43512 RESERVED CVE-2021-43511 RESERVED -CVE-2021-43510 - RESERVED -CVE-2021-43509 - RESERVED +CVE-2021-43510 (SQL Injection vulnerability exists in Sourcecodester Simple Client Man ...) + NOT-FOR-US: Sourcecodester +CVE-2021-43509 (SQL Injection vulnerability exists in Sourcecodester Simple Client Man ...) + NOT-FOR-US: Sourcecodester CVE-2021-43508 RESERVED CVE-2021-43507 @@ -1849,12 +8686,12 @@ CVE-2021-43473 RESERVED CVE-2021-43472 RESERVED -CVE-2021-43471 - RESERVED +CVE-2021-43471 (In Canon LBP223 printers, the System Manager Mode login does not requi ...) + NOT-FOR-US: Canon CVE-2021-43470 RESERVED -CVE-2021-43469 - RESERVED +CVE-2021-43469 (VINGA WR-N300U 77.102.1.4853 is affected by a command execution vulner ...) + NOT-FOR-US: VINGA CVE-2021-43468 RESERVED CVE-2021-43467 @@ -1889,8 +8726,8 @@ CVE-2021-43453 RESERVED CVE-2021-43452 RESERVED -CVE-2021-43451 - RESERVED +CVE-2021-43451 (SQL Injection vulnerability exists in PHPGURUKUL Employee Record Manag ...) + NOT-FOR-US: PHPGURUKUL CVE-2021-43450 RESERVED CVE-2021-43449 @@ -1909,18 +8746,18 @@ CVE-2021-43443 RESERVED CVE-2021-43442 RESERVED -CVE-2021-43441 - RESERVED -CVE-2021-43440 - RESERVED -CVE-2021-43439 - RESERVED -CVE-2021-43438 - RESERVED -CVE-2021-43437 - RESERVED -CVE-2021-43436 - RESERVED +CVE-2021-43441 (An HTML Injection Vulnerability in iOrder 1.0 allows the remote attack ...) + NOT-FOR-US: iOrder +CVE-2021-43440 (Multiple Stored XSS Vulnerabilities in the Source Code of iOrder 1.0 a ...) + NOT-FOR-US: iOrder +CVE-2021-43439 (RCE in Add Review Function in iResturant 1.0 Allows remote attacker to ...) + NOT-FOR-US: iResturant +CVE-2021-43438 (Stored XSS in Signup Form in iResturant 1.0 Allows Remote Attacker to ...) + NOT-FOR-US: iResturant +CVE-2021-43437 (In sourcecodetester Engineers Online Portal as of 10-21-21, an attacke ...) + NOT-FOR-US: sourcecodetester Engineers Online Portal +CVE-2021-43436 (MartDevelopers Inc iResturant v1.0 allows Stored XSS by placing a payl ...) + NOT-FOR-US: MartDevelopers Inc iResturant CVE-2021-43435 RESERVED CVE-2021-43434 @@ -1951,8 +8788,8 @@ CVE-2021-43422 RESERVED CVE-2021-43421 RESERVED -CVE-2021-43420 - RESERVED +CVE-2021-43420 (SQL injection vulnerability in Login.php in Sourcecodester Online Paym ...) + NOT-FOR-US: Sourcecodester CVE-2021-43419 RESERVED CVE-2021-43418 @@ -1961,8 +8798,10 @@ CVE-2021-43417 RESERVED CVE-2021-43416 RESERVED -CVE-2021-43415 - RESERVED +CVE-2021-43415 (HashiCorp Nomad and Nomad Enterprise up to 1.0.13, 1.1.7, and 1.2.0, w ...) + - nomad <undetermined> + NOTE: https://discuss.hashicorp.com/t/hcsec-2021-31-nomad-qemu-task-driver-allowed-paths-bypass-with-job-args/32288 + TODO: check CVE-2021-43414 (An issue was discovered in GNU Hurd before 0.9 20210404-9. The use of ...) - hurd 1:0.9.git20210404-9 CVE-2021-43413 (An issue was discovered in GNU Hurd before 0.9 20210404-9. A single pa ...) @@ -1971,8 +8810,8 @@ CVE-2021-43412 (An issue was discovered in GNU Hurd before 0.9 20210404-9. libpo - hurd 1:0.9.git20210404-9 CVE-2021-43411 (An issue was discovered in GNU Hurd before 0.9 20210404-9. When trying ...) - hurd 1:0.9.git20210404-9 -CVE-2021-43410 - RESERVED +CVE-2021-43410 (Apache Airavata Django Portal allows CRLF log injection because of lac ...) + NOT-FOR-US: Apache Airavata CVE-2021-3932 (twill is vulnerable to Cross-Site Request Forgery (CSRF) ...) NOT-FOR-US: twill CVE-2021-43409 (The “WPO365 | LOGIN” WordPress plugin (up to and including ...) @@ -1995,55 +8834,66 @@ CVE-2021-43401 RESERVED CVE-2021-3931 (snipe-it is vulnerable to Cross-Site Request Forgery (CSRF) ...) NOT-FOR-US: snipe-it -CVE-2021-3930 [off-by-one error in mode_sense_page() in hw/scsi/scsi-disk.c] - RESERVED - - qemu <unfixed> +CVE-2021-3930 (An off-by-one error was found in the SCSI device emulation in QEMU. It ...) + - qemu 1:6.2+dfsg-1 + [bullseye] - qemu <postponed> (Minor issue) + [buster] - qemu <postponed> (Minor issue) [stretch] - qemu <postponed> (Fix along with a future DLA) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2020588 NOTE: https://gitlab.com/qemu-project/qemu/-/issues/546 - NOTE: Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/b3af7fdf9cc537f8f0dd3e2423d83f5c99a457e8 -CVE-2021-3929 + NOTE: Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/b3af7fdf9cc537f8f0dd3e2423d83f5c99a457e8 (v6.2.0-rc0) +CVE-2021-3929 [nvme: DMA reentrancy issue leads to use-after-free] RESERVED + - qemu <unfixed> + [stretch] - qemu <postponed> (Fix along with a future DLA) + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2020298 + NOTE: https://gitlab.com/qemu-project/qemu/-/issues/556 + NOTE: Proposed patchset: https://lists.nongnu.org/archive/html/qemu-devel/2021-08/msg03692.html + NOTE: No upstream patch as of 2022-01-28 CVE-2021-43400 (An issue was discovered in gatt-database.c in BlueZ 5.61. A use-after- ...) - - bluez <unfixed> (bug #998626) + - bluez 5.62-1 (bug #998626) + [bullseye] - bluez <no-dsa> (Minor issue; can be fixed in point release) + [buster] - bluez <no-dsa> (Minor issue; can be fixed in point release) [stretch] - bluez <ignored> (invasive patch, requires post-stretch revamps) NOTE: Introduced by: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=93b64d9ca8a2bb663e37904d4b2c702c58a36e4f (5.40) NOTE: Fixed by: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=838c0dc7641e1c991c0f3027bf94bee4606012f8 (5.62) -CVE-2021-43399 - RESERVED -CVE-2021-43398 (Crypto++ (aka Cryptopp) 8.6.0 and earlier contains a timing leakage in ...) - - libcrypto++ <unfixed> (bug #1000227) - [bullseye] - libcrypto++ <no-dsa> (Minor issue) - [buster] - libcrypto++ <no-dsa> (Minor issue) - [stretch] - libcrypto++ <no-dsa> (Minor issue) +CVE-2021-43399 (The Yubico YubiHSM YubiHSM2 library 2021.08, included in the yubihsm-s ...) + NOT-FOR-US: yubihsm-shell +CVE-2021-43398 (** DISPUTED ** Crypto++ (aka Cryptopp) 8.6.0 and earlier contains a ti ...) + - libcrypto++ <unfixed> (unimportant; bug #1000227) NOTE: https://github.com/weidai11/cryptopp/issues/1080 + NOTE: As per upstream believed to be the expected behaviour: + NOTE: https://github.com/weidai11/cryptopp/issues/1080#issuecomment-996492222 CVE-2021-43397 (LiquidFiles before 3.6.3 allows remote attackers to elevate their priv ...) NOT-FOR-US: LiquidFiles CVE-2021-43395 RESERVED -CVE-2021-43394 - RESERVED +CVE-2021-43394 (Unisys OS 2200 Messaging Integration Services (NTSI) 7R3B IC3 and IC4, ...) + NOT-FOR-US: Unisys CVE-2021-43393 RESERVED CVE-2021-43392 RESERVED CVE-2021-43396 (** DISPUTED ** In iconvdata/iso-2022-jp-3.c in the GNU C Library (aka ...) - - glibc <unfixed> (bug #998622) + - glibc 2.32-5 (unimportant; bug #998622) [buster] - glibc <not-affected> (Vulnerable code not present) [stretch] - glibc <not-affected> (Vulnerable code not present) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=28524 NOTE: Fixed by: https://sourceware.org/git/?p=glibc.git;a=commit;h=ff012870b2c02a62598c04daa1e54632e020fd7d NOTE: Introduced by the fix for CVE-2021-3326 / BZ#27256: https://sourceware.org/git/?p=glibc.git;a=commit;h=7d88c6142c6efc160c0ee5e4f85cde382c072888 + NOTE: No security impact per upstream assessment CVE-2021-43391 (An Out-of-Bounds Read vulnerability exists when reading a DXF file usi ...) NOT-FOR-US: Open Design Alliance Drawings SDK CVE-2021-43390 (An Out-of-Bounds Write vulnerability exists when reading a DGN file us ...) NOT-FOR-US: Open Design Alliance Drawings SDK CVE-2021-43389 (An issue was discovered in the Linux kernel before 5.14.15. There is a ...) + {DLA-2843-1} - linux 5.14.16-1 + [bullseye] - linux 5.10.84-1 NOTE: https://www.openwall.com/lists/oss-security/2021/10/19/1 NOTE: https://git.kernel.org/linus/1f3e2e97c003f80c4b087092b225c8787ff91e4d -CVE-2021-43388 - RESERVED +CVE-2021-43388 (Unisys Cargo Mobile Application before 1.2.29 uses cleartext to store ...) + NOT-FOR-US: Unisys Cargo Mobile Application CVE-2021-43387 RESERVED CVE-2021-43386 @@ -2098,19 +8948,23 @@ CVE-2021-43362 RESERVED CVE-2021-43361 RESERVED -CVE-2021-43360 - RESERVED -CVE-2021-43359 - RESERVED -CVE-2021-43358 - RESERVED -CVE-2021-3928 (vim is vulnerable to Stack-based Buffer Overflow ...) - - vim <unfixed> +CVE-2021-43360 (Sunnet eHRD e-mail delivery task schedule’s serialization functi ...) + NOT-FOR-US: Sunnet eHRD +CVE-2021-43359 (Sunnet eHRD has broken access control vulnerability, which allows a re ...) + NOT-FOR-US: Sunnet eHRD +CVE-2021-43358 (Sunnet eHRD has inadequate filtering for special characters in URLs, w ...) + NOT-FOR-US: Sunnet eHRD +CVE-2021-3928 (vim is vulnerable to Use of Uninitialized Variable ...) + - vim 2:8.2.3995-1 + [bullseye] - vim <no-dsa> (Minor issue) + [buster] - vim <no-dsa> (Minor issue) [stretch] - vim <no-dsa> (Minor issue) NOTE: https://huntr.dev/bounties/29c3ebd2-d601-481c-bf96-76975369d0cd NOTE: Fixed by: https://github.com/vim/vim/commit/15d9890eee53afc61eb0a03b878a19cb5672f732 (v8.2.3582) CVE-2021-3927 (vim is vulnerable to Heap-based Buffer Overflow ...) - - vim <unfixed> + - vim 2:8.2.3995-1 + [bullseye] - vim <no-dsa> (Minor issue) + [buster] - vim <no-dsa> (Minor issue) [stretch] - vim <no-dsa> (Minor issue) NOTE: https://huntr.dev/bounties/9c2b2c82-48bb-4be9-ab8f-a48ea252d1b0 NOTE: Fixed by: https://github.com/vim/vim/commit/0b5b06cb4777d1401fdf83e7d48d287662236e7e (v8.2.3581) @@ -2142,7 +8996,6 @@ CVE-2021-43339 (In Ericsson Network Location before 2021-07-31, it is possible f NOT-FOR-US: Ericsson CVE-2021-43338 REJECTED - NOT-FOR-US: Ericsson CVE-2021-43337 (SchedMD Slurm 21.08.* before 21.08.4 has Incorrect Access Control. On ...) - slurm-wlm <not-affected> (Affects only 21.08 series; vulnerable code introduced later) NOTE: https://lists.schedmd.com/pipermail/slurm-announce/2021/000068.html @@ -2163,10 +9016,10 @@ CVE-2021-43336 (An Out-of-Bounds Write vulnerability exists when reading a DXF f NOT-FOR-US: Open Design Alliance Drawings SDK CVE-2021-43335 RESERVED -CVE-2021-43334 - RESERVED -CVE-2021-43333 - RESERVED +CVE-2021-43334 (BuddyBoss Platform through 1.8.0 allows XSS via the Group Name or Grou ...) + NOT-FOR-US: BuddyBoss +CVE-2021-43333 (The Datalogic DXU service on (for example) DL-Axist devices does not r ...) + NOT-FOR-US: Datalogic CVE-2021-43332 (In GNU Mailman before 2.1.36, the CSRF token for the Cgi/admindb.py ad ...) - mailman <removed> (bug #1000367) [buster] - mailman <no-dsa> (Minor issue) @@ -2185,24 +9038,24 @@ CVE-2021-43329 RESERVED CVE-2021-43328 RESERVED -CVE-2021-43327 - RESERVED -CVE-2021-43326 - RESERVED -CVE-2021-43325 - RESERVED +CVE-2021-43327 (An issue was discovered on Renesas RX65 and RX65N devices. With a VCC ...) + NOT-FOR-US: Renesas +CVE-2021-43326 (Automox Agent before 32 on Windows incorrectly sets permissions on a t ...) + NOT-FOR-US: Automox Agent +CVE-2021-43325 (Automox Agent 33 on Windows incorrectly sets permissions on a temporar ...) + NOT-FOR-US: Automox Agent CVE-2021-43324 (LibreNMS through 21.10.2 allows XSS via a widget title. ...) NOT-FOR-US: LibreNMS -CVE-2021-43323 - RESERVED +CVE-2021-43323 (An issue was discovered in UsbCoreDxe in Insyde InsydeH2O with kernel ...) + NOT-FOR-US: Insyde CVE-2021-43322 RESERVED CVE-2021-43321 RESERVED CVE-2021-43320 - RESERVED -CVE-2021-43319 - RESERVED + REJECTED +CVE-2021-43319 (Zoho ManageEngine Network Configuration Manager before 125488 is vulne ...) + NOT-FOR-US: Zoho ManageEngine CVE-2021-43318 RESERVED CVE-2021-43317 @@ -2233,20 +9086,40 @@ CVE-2021-43305 RESERVED CVE-2021-43304 RESERVED -CVE-2021-43303 - RESERVED -CVE-2021-43302 - RESERVED -CVE-2021-43301 - RESERVED -CVE-2021-43300 - RESERVED -CVE-2021-43299 - RESERVED -CVE-2021-43298 - RESERVED -CVE-2021-43297 - RESERVED +CVE-2021-43303 (Buffer overflow in PJSUA API when calling pjsua_call_dump. An attacker ...) + - asterisk <unfixed> + - pjproject <removed> + - ring <unfixed> + NOTE: https://github.com/pjsip/pjproject/security/advisories/GHSA-qcvw-h34v-c7r9 + NOTE: https://github.com/pjsip/pjproject/commit/d979253c924a686fa511d705be1f3ad0c5b20337 +CVE-2021-43302 (Read out-of-bounds in PJSUA API when calling pjsua_recorder_create. An ...) + - asterisk <unfixed> + - pjproject <removed> + - ring <unfixed> + NOTE: https://github.com/pjsip/pjproject/security/advisories/GHSA-qcvw-h34v-c7r9 + NOTE: https://github.com/pjsip/pjproject/commit/d979253c924a686fa511d705be1f3ad0c5b20337 +CVE-2021-43301 (Stack overflow in PJSUA API when calling pjsua_playlist_create. An att ...) + - asterisk <unfixed> + - pjproject <removed> + - ring <unfixed> + NOTE: https://github.com/pjsip/pjproject/security/advisories/GHSA-qcvw-h34v-c7r9 + NOTE: https://github.com/pjsip/pjproject/commit/d979253c924a686fa511d705be1f3ad0c5b20337 +CVE-2021-43300 (Stack overflow in PJSUA API when calling pjsua_recorder_create. An att ...) + - asterisk <unfixed> + - pjproject <removed> + - ring <unfixed> + NOTE: https://github.com/pjsip/pjproject/security/advisories/GHSA-qcvw-h34v-c7r9 + NOTE: https://github.com/pjsip/pjproject/commit/d979253c924a686fa511d705be1f3ad0c5b20337 +CVE-2021-43299 (Stack overflow in PJSUA API when calling pjsua_player_create. An attac ...) + - asterisk <unfixed> + - pjproject <removed> + - ring <unfixed> + NOTE: https://github.com/pjsip/pjproject/security/advisories/GHSA-qcvw-h34v-c7r9 + NOTE: https://github.com/pjsip/pjproject/commit/d979253c924a686fa511d705be1f3ad0c5b20337 +CVE-2021-43298 (The code that performs password matching when using 'Basic' HTTP authe ...) + NOT-FOR-US: GoAhead Web Server +CVE-2021-43297 (A deserialization vulnerability existed in dubbo hessian-lite 3.2.11 a ...) + NOT-FOR-US: Apache Dubbo CVE-2021-3924 (grav is vulnerable to Improper Limitation of a Pathname to a Restricte ...) NOT-FOR-US: Grav CMS CVE-2021-23222 @@ -2267,12 +9140,12 @@ CVE-2021-23214 - postgresql-9.6 <removed> NOTE: https://www.postgresql.org/about/news/postgresql-141-135-129-1114-1019-and-9624-released-2349/ NOTE: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=046c2c846b741a12e7fd61d8d86bf324a20e3dfc (REL9_6_24) -CVE-2021-43296 - RESERVED -CVE-2021-43295 - RESERVED -CVE-2021-43294 - RESERVED +CVE-2021-43296 (Zoho ManageEngine SupportCenter Plus before 11016 is vulnerable to an ...) + NOT-FOR-US: Zoho ManageEngine +CVE-2021-43295 (Zoho ManageEngine SupportCenter Plus before 11016 is vulnerable to Ref ...) + NOT-FOR-US: Zoho ManageEngine +CVE-2021-43294 (Zoho ManageEngine SupportCenter Plus before 11016 is vulnerable to Ref ...) + NOT-FOR-US: Zoho ManageEngine CVE-2021-43293 (Sonatype Nexus Repository Manager 3.x before 3.36.0 allows a remote au ...) NOT-FOR-US: Sonatype CVE-2021-43292 @@ -2291,12 +9164,12 @@ CVE-2021-43286 RESERVED CVE-2021-43285 RESERVED -CVE-2021-43284 - RESERVED -CVE-2021-43283 - RESERVED -CVE-2021-43282 - RESERVED +CVE-2021-43284 (An issue was discovered on Victure WR1200 devices through 1.0.3. The r ...) + NOT-FOR-US: Victure WR1200 devices +CVE-2021-43283 (An issue was discovered on Victure WR1200 devices through 1.0.3. A com ...) + NOT-FOR-US: Victure WR1200 devices +CVE-2021-43282 (An issue was discovered on Victure WR1200 devices through 1.0.3. The d ...) + NOT-FOR-US: Victure WR1200 devices CVE-2021-43281 (MyBB before 1.8.29 allows Remote Code Injection by an admin with the " ...) NOT-FOR-US: MyBB CVE-2021-43280 (A stack-based buffer overflow vulnerability exists in the DWF file rea ...) @@ -2321,8 +9194,8 @@ CVE-2021-43271 RESERVED CVE-2021-43270 (Datalust Seq.App.EmailPlus (aka seq-app-htmlemail) 3.1.0-dev-00148, 3. ...) NOT-FOR-US: Datalust Seq.App.HtmlEmail (aka Seq.App.EmailPlus) -CVE-2021-43269 - RESERVED +CVE-2021-43269 (In Code42 app before 8.8.0, eval injection allows an attacker to chang ...) + NOT-FOR-US: Code42 app CVE-2021-43268 (An issue was discovered in VxWorks 6.9 through 7. In the IKE component ...) NOT-FOR-US: Wind River VxWorks CVE-2021-43266 (In Mahara before 20.04.5, 20.10.3, 21.04.2, and 21.10.0, exporting col ...) @@ -2351,13 +9224,14 @@ CVE-2021-3922 RESERVED CVE-2021-43267 (An issue was discovered in net/tipc/crypto.c in the Linux kernel befor ...) - linux 5.14.16-1 + [bullseye] - linux 5.10.84-1 [buster] - linux <not-affected> (Vulnerable code introduced later) [stretch] - linux <not-affected> (Vulnerable code introduced later) NOTE: https://git.kernel.org/linus/fa40d9734a57bcbfa79a280189799f76c88f7bb0 (5.15) -CVE-2021-43256 - RESERVED -CVE-2021-43255 - RESERVED +CVE-2021-43256 (Microsoft Excel Remote Code Execution Vulnerability ...) + NOT-FOR-US: Microsoft +CVE-2021-43255 (Microsoft Office Trust Center Spoofing Vulnerability ...) + NOT-FOR-US: Microsoft CVE-2021-43254 RESERVED CVE-2021-43253 @@ -2370,76 +9244,76 @@ CVE-2021-43250 RESERVED CVE-2021-43249 RESERVED -CVE-2021-43248 - RESERVED -CVE-2021-43247 - RESERVED -CVE-2021-43246 - RESERVED -CVE-2021-43245 - RESERVED -CVE-2021-43244 - RESERVED -CVE-2021-43243 - RESERVED -CVE-2021-43242 - RESERVED +CVE-2021-43248 (Windows Digital Media Receiver Elevation of Privilege Vulnerability ...) + NOT-FOR-US: Microsoft +CVE-2021-43247 (Windows TCP/IP Driver Elevation of Privilege Vulnerability ...) + NOT-FOR-US: Microsoft +CVE-2021-43246 (Windows Hyper-V Denial of Service Vulnerability ...) + NOT-FOR-US: Microsoft +CVE-2021-43245 (Windows Digital TV Tuner Elevation of Privilege Vulnerability ...) + NOT-FOR-US: Microsoft +CVE-2021-43244 (Windows Kernel Information Disclosure Vulnerability ...) + NOT-FOR-US: Microsoft +CVE-2021-43243 (VP9 Video Extensions Information Disclosure Vulnerability ...) + NOT-FOR-US: Microsoft +CVE-2021-43242 (Microsoft SharePoint Server Spoofing Vulnerability This CVE ID is uniq ...) + NOT-FOR-US: Microsoft CVE-2021-43241 RESERVED -CVE-2021-43240 - RESERVED -CVE-2021-43239 - RESERVED -CVE-2021-43238 - RESERVED -CVE-2021-43237 - RESERVED -CVE-2021-43236 - RESERVED -CVE-2021-43235 - RESERVED -CVE-2021-43234 - RESERVED -CVE-2021-43233 - RESERVED -CVE-2021-43232 - RESERVED -CVE-2021-43231 - RESERVED -CVE-2021-43230 - RESERVED -CVE-2021-43229 - RESERVED -CVE-2021-43228 - RESERVED -CVE-2021-43227 - RESERVED -CVE-2021-43226 - RESERVED -CVE-2021-43225 - RESERVED -CVE-2021-43224 - RESERVED -CVE-2021-43223 - RESERVED -CVE-2021-43222 - RESERVED +CVE-2021-43240 (NTFS Set Short Name Elevation of Privilege Vulnerability ...) + NOT-FOR-US: Microsoft +CVE-2021-43239 (Windows Recovery Environment Agent Elevation of Privilege Vulnerabilit ...) + NOT-FOR-US: Microsoft +CVE-2021-43238 (Windows Remote Access Elevation of Privilege Vulnerability ...) + NOT-FOR-US: Microsoft +CVE-2021-43237 (Windows Setup Elevation of Privilege Vulnerability ...) + NOT-FOR-US: Microsoft +CVE-2021-43236 (Microsoft Message Queuing Information Disclosure Vulnerability This CV ...) + NOT-FOR-US: Microsoft +CVE-2021-43235 (Storage Spaces Controller Information Disclosure Vulnerability This CV ...) + NOT-FOR-US: Microsoft +CVE-2021-43234 (Windows Fax Service Remote Code Execution Vulnerability ...) + NOT-FOR-US: Microsoft +CVE-2021-43233 (Remote Desktop Client Remote Code Execution Vulnerability ...) + NOT-FOR-US: Microsoft +CVE-2021-43232 (Windows Event Tracing Remote Code Execution Vulnerability ...) + NOT-FOR-US: Microsoft +CVE-2021-43231 (Windows NTFS Elevation of Privilege Vulnerability This CVE ID is uniqu ...) + NOT-FOR-US: Microsoft +CVE-2021-43230 (Windows NTFS Elevation of Privilege Vulnerability This CVE ID is uniqu ...) + NOT-FOR-US: Microsoft +CVE-2021-43229 (Windows NTFS Elevation of Privilege Vulnerability This CVE ID is uniqu ...) + NOT-FOR-US: Microsoft +CVE-2021-43228 (SymCrypt Denial of Service Vulnerability ...) + NOT-FOR-US: Microsoft +CVE-2021-43227 (Storage Spaces Controller Information Disclosure Vulnerability This CV ...) + NOT-FOR-US: Microsoft +CVE-2021-43226 (Windows Common Log File System Driver Elevation of Privilege Vulnerabi ...) + NOT-FOR-US: Microsoft +CVE-2021-43225 (Bot Framework SDK Remote Code Execution Vulnerability ...) + NOT-FOR-US: Microsoft +CVE-2021-43224 (Windows Common Log File System Driver Information Disclosure Vulnerabi ...) + NOT-FOR-US: Microsoft +CVE-2021-43223 (Windows Remote Access Connection Manager Elevation of Privilege Vulner ...) + NOT-FOR-US: Microsoft +CVE-2021-43222 (Microsoft Message Queuing Information Disclosure Vulnerability This CV ...) + NOT-FOR-US: Microsoft CVE-2021-43221 (Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability ...) NOT-FOR-US: Microsoft CVE-2021-43220 (Microsoft Edge for iOS Spoofing Vulnerability ...) NOT-FOR-US: Microsoft -CVE-2021-43219 - RESERVED +CVE-2021-43219 (DirectX Graphics Kernel File Denial of Service Vulnerability ...) + NOT-FOR-US: Microsoft CVE-2021-43218 RESERVED -CVE-2021-43217 - RESERVED -CVE-2021-43216 - RESERVED -CVE-2021-43215 - RESERVED -CVE-2021-43214 - RESERVED +CVE-2021-43217 (Windows Encrypting File System (EFS) Remote Code Execution Vulnerabili ...) + NOT-FOR-US: Microsoft +CVE-2021-43216 (Microsoft Local Security Authority Server (lsasrv) Information Disclos ...) + NOT-FOR-US: Microsoft +CVE-2021-43215 (iSNS Server Memory Corruption Vulnerability Can Lead to Remote Code Ex ...) + NOT-FOR-US: Microsoft +CVE-2021-43214 (Web Media Extensions Remote Code Execution Vulnerability ...) + NOT-FOR-US: Microsoft CVE-2021-43213 RESERVED CVE-2021-43212 @@ -2452,14 +9326,14 @@ CVE-2021-43209 (3D Viewer Remote Code Execution Vulnerability This CVE ID is uni NOT-FOR-US: Microsoft CVE-2021-43208 (3D Viewer Remote Code Execution Vulnerability This CVE ID is unique fr ...) NOT-FOR-US: Microsoft -CVE-2021-43207 - RESERVED +CVE-2021-43207 (Windows Common Log File System Driver Elevation of Privilege Vulnerabi ...) + NOT-FOR-US: Microsoft CVE-2021-43206 RESERVED CVE-2021-43205 RESERVED -CVE-2021-43204 - RESERVED +CVE-2021-43204 (A improper control of a resource through its lifetime in Fortinet Fort ...) + NOT-FOR-US: FortiGuard CVE-2021-3921 (firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF) ...) NOT-FOR-US: firefly-iii CVE-2021-3920 (grav-plugin-admin is vulnerable to Improper Neutralization of Input Du ...) @@ -2468,8 +9342,8 @@ CVE-2021-3919 RESERVED CVE-2021-43203 (In JetBrains Ktor before 1.6.4, nonce verification during the OAuth2 a ...) NOT-FOR-US: JetBrains Ktor -CVE-2021-43202 - RESERVED +CVE-2021-43202 (In JetBrains TeamCity before 2021.1.3, the X-Frame-Options header is m ...) + NOT-FOR-US: JetBrains TeamCity CVE-2021-43201 (In JetBrains TeamCity before 2021.1.3, a newly created project could t ...) NOT-FOR-US: JetBrains TeamCity CVE-2021-43200 (In JetBrains TeamCity before 2021.1.2, permission checks in the Agent ...) @@ -2520,24 +9394,39 @@ CVE-2021-43178 RESERVED CVE-2021-43177 RESERVED -CVE-2021-43176 - RESERVED -CVE-2021-43175 - RESERVED +CVE-2021-43176 (The GOautodial API prior to commit 3c3a979 made on October 13th, 2021 ...) + NOT-FOR-US: GOautodial API +CVE-2021-43175 (The GOautodial API prior to commit 3c3a979 made on October 13th, 2021 ...) + NOT-FOR-US: GOautodial API CVE-2021-3918 (json-schema is vulnerable to Improperly Controlled Modification of Obj ...) - node-json-schema 0.4.0+~7.0.9-1 (bug #999765) - [bullseye] - node-json-schema <no-dsa> (Minor issue) + [bullseye] - node-json-schema 0.3.0+~7.0.6-1+deb11u1 [buster] - node-json-schema <no-dsa> (Minor issue) NOTE: https://github.com/kriszyp/json-schema/commit/22f146111f541d9737e832823699ad3528ca7741 (v0.4.0) CVE-2021-43174 (NLnet Labs Routinator versions 0.9.0 up to and including 0.10.1, suppo ...) + {DSA-5041-1} - routinator <itp> (bug #929024) + - cfrpki 1.4.0-1 NOTE: https://www.nlnetlabs.nl/downloads/routinator/CVE-2021-43172_CVE-2021-43173_CVE-2021-43174.txt + NOTE: https://github.com/NLnetLabs/routinator/pull/667 CVE-2021-43173 (In NLnet Labs Routinator prior to 0.10.2, a validation run can be dela ...) + {DSA-5041-1 DSA-5033-1} - routinator <itp> (bug #929024) + - cfrpki 1.4.0-1 + - fort-validator 1.5.3-1 + - rpki-client 7.5-1 NOTE: https://www.nlnetlabs.nl/downloads/routinator/CVE-2021-43172_CVE-2021-43173_CVE-2021-43174.txt + NOTE: https://github.com/NLnetLabs/routinator/pull/666 + NOTE: https://github.com/NLnetLabs/routinator/pull/612 CVE-2021-43172 (NLnet Labs Routinator prior to 0.10.2 happily processes a chain of RRD ...) - routinator <itp> (bug #929024) + - fort-validator <unfixed> + [bullseye] - fort-validator <postponed> (Minor issue, revisit when fixed upstream) + - cfrpki <unfixed> + [bullseye] - cfrpki <postponed> (Minor issue, revisit when fixed upstream) + - rpki-client 7.5-1 NOTE: https://www.nlnetlabs.nl/downloads/routinator/CVE-2021-43172_CVE-2021-43173_CVE-2021-43174.txt + NOTE: https://github.com/NLnetLabs/routinator/pull/665 CVE-2021-3917 RESERVED NOT-FOR-US: coreos-installer @@ -2567,14 +9456,14 @@ CVE-2021-43160 RESERVED CVE-2021-43159 RESERVED -CVE-2021-43158 - RESERVED -CVE-2021-43157 - RESERVED -CVE-2021-43156 - RESERVED -CVE-2021-43155 - RESERVED +CVE-2021-43158 (In ProjectWorlds Online Shopping System PHP 1.0, a CSRF vulnerability ...) + NOT-FOR-US: ProjectWorlds Online Shopping System PHP +CVE-2021-43157 (Projectsworlds Online Shopping System PHP 1.0 is vulnerable to SQL inj ...) + NOT-FOR-US: ProjectWorlds Online Shopping System PHP +CVE-2021-43156 (In ProjectWorlds Online Book Store PHP 1.0 a CSRF vulnerability in adm ...) + NOT-FOR-US: ProjectWorlds Online Book Store PHP +CVE-2021-43155 (Projectsworlds Online Book Store PHP v1.0 is vulnerable to SQL injecti ...) + NOT-FOR-US: ProjectWorlds Online Book Store PHP CVE-2021-43154 RESERVED CVE-2021-43153 @@ -2593,8 +9482,8 @@ CVE-2021-43147 RESERVED CVE-2021-43146 RESERVED -CVE-2021-43145 - RESERVED +CVE-2021-43145 (With certain LDAP configurations, Zammad 5.0.1 was found to be vulnera ...) + - zammad <itp> (bug #841355) CVE-2021-43144 RESERVED CVE-2021-43143 @@ -2609,8 +9498,8 @@ CVE-2021-43139 RESERVED CVE-2021-43138 RESERVED -CVE-2021-43137 - RESERVED +CVE-2021-43137 (Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) vulne ...) + NOT-FOR-US: hostel management system CVE-2021-43136 (An authentication bypass issue in FormaLMS <= 2.4.4 allows an attac ...) NOT-FOR-US: FormaLMS CVE-2021-43135 @@ -2649,16 +9538,17 @@ CVE-2021-43119 RESERVED CVE-2021-43118 RESERVED -CVE-2021-43117 - RESERVED +CVE-2021-43117 (fastadmin v1.2.1 is affected by a file upload vulnerability which allo ...) + NOT-FOR-US: fastadmin CVE-2021-43116 RESERVED CVE-2021-43115 RESERVED CVE-2021-43114 (FORT Validator versions prior to 1.5.2 will crash if an RPKI CA publis ...) + {DSA-5033-1} - fort-validator 1.5.2-1 -CVE-2021-43113 - RESERVED +CVE-2021-43113 (iTextPDF in iText 7 and up to 7.1.17 allows command injection via a Co ...) + NOT-FOR-US: iText CVE-2021-43112 RESERVED CVE-2021-43111 @@ -2671,8 +9561,8 @@ CVE-2021-43108 RESERVED CVE-2021-43107 RESERVED -CVE-2021-43106 - RESERVED +CVE-2021-43106 (A Header Injection vulnerability exists in Compass Plus TranzWare Onli ...) + NOT-FOR-US: Compass Plus TranzWare CVE-2021-43105 RESERVED CVE-2021-43104 @@ -2719,8 +9609,8 @@ CVE-2021-43084 RESERVED CVE-2021-3916 (bookstack is vulnerable to Improper Limitation of a Pathname to a Rest ...) NOT-FOR-US: bookstack -CVE-2021-43083 - RESERVED +CVE-2021-43083 (Apache PLC4X - PLC4C (Only the C language implementation was effected) ...) + NOT-FOR-US: Apache PLC4X CVE-2021-43082 (Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') ...) - trafficserver 9.1.1+ds-1 [bullseye] - trafficserver <not-affected> (Vulnerable code not present, introduced in 9.x) @@ -2748,30 +9638,30 @@ CVE-2021-43075 RESERVED CVE-2021-43074 RESERVED -CVE-2021-43073 - RESERVED +CVE-2021-43073 (A improper neutralization of special elements used in an os command (' ...) + NOT-FOR-US: FortiGuard CVE-2021-43072 RESERVED -CVE-2021-43071 - RESERVED +CVE-2021-43071 (A heap-based buffer overflow in Fortinet FortiWeb version 6.4.1 and 6. ...) + NOT-FOR-US: FortiGuard CVE-2021-43070 RESERVED CVE-2021-43069 RESERVED -CVE-2021-43068 - RESERVED -CVE-2021-43067 - RESERVED +CVE-2021-43068 (A improper authentication in Fortinet FortiAuthenticator version 6.4.0 ...) + NOT-FOR-US: FortiGuard +CVE-2021-43067 (A exposure of sensitive information to an unauthorized actor in Fortin ...) + NOT-FOR-US: FortiGuard CVE-2021-43066 RESERVED -CVE-2021-43065 - RESERVED -CVE-2021-43064 - RESERVED -CVE-2021-43063 - RESERVED -CVE-2021-43062 - RESERVED +CVE-2021-43065 (A incorrect permission assignment for critical resource in Fortinet Fo ...) + NOT-FOR-US: FortiGuard +CVE-2021-43064 (A url redirection to untrusted site ('open redirect') in Fortinet Fort ...) + NOT-FOR-US: FortiGuard +CVE-2021-43063 (A improper neutralization of input during web page generation ('cross- ...) + NOT-FOR-US: FortiGuard +CVE-2021-43062 (A improper neutralization of input during web page generation ('cross- ...) + NOT-FOR-US: FortiGuard CVE-2021-43061 RESERVED CVE-2021-43060 @@ -2789,20 +9679,20 @@ CVE-2021-43057 (An issue was discovered in the Linux kernel before 5.14.8. A use [stretch] - linux <not-affected> (Vulnerable code introduced later) NOTE: https://git.kernel.org/linus/a3727a8bac0a9e77c70820655fd8715523ba3db7 (5.15-rc3) NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=2229 -CVE-2021-43055 - RESERVED -CVE-2021-43054 - RESERVED -CVE-2021-43053 - RESERVED -CVE-2021-43052 - RESERVED -CVE-2021-43051 - RESERVED -CVE-2021-43050 - RESERVED -CVE-2021-43049 - RESERVED +CVE-2021-43055 (The eFTL Server component of TIBCO Software Inc.'s TIBCO eFTL - Commun ...) + NOT-FOR-US: TIBCO +CVE-2021-43054 (The eFTL Server component of TIBCO Software Inc.'s TIBCO eFTL - Commun ...) + NOT-FOR-US: TIBCO +CVE-2021-43053 (The Realm Server component of TIBCO Software Inc.'s TIBCO FTL - Commun ...) + NOT-FOR-US: TIBCO +CVE-2021-43052 (The Realm Server component of TIBCO Software Inc.'s TIBCO FTL - Commun ...) + NOT-FOR-US: TIBCO +CVE-2021-43051 (The Spotfire Server component of TIBCO Software Inc.'s TIBCO Spotfire ...) + NOT-FOR-US: Spotfire Server component of TIBCO +CVE-2021-43050 (The Auth Server component of TIBCO Software Inc.'s TIBCO BusinessConne ...) + NOT-FOR-US: TIBCO +CVE-2021-43049 (The Database component of TIBCO Software Inc.'s TIBCO BusinessConnect ...) + NOT-FOR-US: TIBCO CVE-2021-43048 (The Interior Server and Gateway Server components of TIBCO Software In ...) NOT-FOR-US: TIBCO CVE-2021-43047 (The Interior Server and Gateway Server components of TIBCO Software In ...) @@ -2811,87 +9701,94 @@ CVE-2021-43046 (The Interior Server and Gateway Server components of TIBCO Softw NOT-FOR-US: TIBCO CVE-2021-43056 (An issue was discovered in the Linux kernel for powerpc before 5.14.15 ...) - linux 5.14.16-1 + [bullseye] - linux 5.10.84-1 [buster] - linux <not-affected> (Vulnerable code introduced later) [stretch] - linux <not-affected> (Vulnerable code introduced later) NOTE: https://git.kernel.org/linus/cdeb5d7d890e14f3b70e8087e745c4a6a7d9f337 (5.15-rc6) -CVE-2021-43045 - RESERVED +CVE-2021-43045 (A vulnerability in the .NET SDK of Apache Avro allows an attacker to a ...) + NOT-FOR-US: Apache Avro CVE-2021-3913 RESERVED -CVE-2021-43044 - RESERVED -CVE-2021-43043 - RESERVED -CVE-2021-43042 - RESERVED -CVE-2021-43041 - RESERVED -CVE-2021-43040 - RESERVED -CVE-2021-43039 - RESERVED -CVE-2021-43038 - RESERVED -CVE-2021-43037 - RESERVED -CVE-2021-43036 - RESERVED -CVE-2021-43035 - RESERVED -CVE-2021-43034 - RESERVED -CVE-2021-43033 - RESERVED +CVE-2021-43044 (An issue was discovered in Kaseya Unitrends Backup Appliance before 10 ...) + NOT-FOR-US: Kaseya +CVE-2021-43043 (An issue was discovered in Kaseya Unitrends Backup Appliance before 10 ...) + NOT-FOR-US: Kaseya +CVE-2021-43042 (An issue was discovered in Kaseya Unitrends Backup Appliance before 10 ...) + NOT-FOR-US: Kaseya +CVE-2021-43041 (An issue was discovered in Kaseya Unitrends Backup Appliance before 10 ...) + NOT-FOR-US: Kaseya +CVE-2021-43040 (An issue was discovered in Kaseya Unitrends Backup Appliance before 10 ...) + NOT-FOR-US: Kaseya +CVE-2021-43039 (An issue was discovered in Kaseya Unitrends Backup Appliance before 10 ...) + NOT-FOR-US: Kaseya +CVE-2021-43038 (An issue was discovered in Kaseya Unitrends Backup Appliance before 10 ...) + NOT-FOR-US: Kaseya +CVE-2021-43037 (An issue was discovered in Kaseya Unitrends Backup Appliance before 10 ...) + NOT-FOR-US: Kaseya +CVE-2021-43036 (An issue was discovered in Kaseya Unitrends Backup Appliance before 10 ...) + NOT-FOR-US: Kaseya +CVE-2021-43035 (An issue was discovered in Kaseya Unitrends Backup Appliance before 10 ...) + NOT-FOR-US: Kaseya +CVE-2021-43034 (An issue was discovered in Kaseya Unitrends Backup Appliance before 10 ...) + NOT-FOR-US: Kaseya +CVE-2021-43033 (An issue was discovered in Kaseya Unitrends Backup Appliance before 10 ...) + NOT-FOR-US: Kaseya CVE-2021-3912 (OctoRPKI tries to load the entire contents of a repository in memory, ...) + {DSA-5041-1} + - routinator <itp> (bug #929024) - cfrpki 1.4.0-1 NOTE: https://github.com/cloudflare/cfrpki/security/advisories/GHSA-g9wh-3vrx-r7hg - TODO: check correctness, there is distinction on github.com/cloudflare/cfrpki/cmd/octorpki and github.com/cloudflare/cfrpki/pki CVE-2021-3911 (If the ROA that a repository returns contains too many bits for the IP ...) + {DSA-5041-1} - cfrpki 1.4.0-1 NOTE: https://github.com/cloudflare/cfrpki/security/advisories/GHSA-w6ww-fmfx-2x22 - TODO: check correctness, there is distinction on github.com/cloudflare/cfrpki/cmd/octorpki and github.com/cloudflare/cfrpki/pki CVE-2021-3910 (OctoRPKI crashes when encountering a repository that returns an invali ...) + {DSA-5041-1} - cfrpki 1.4.0-1 NOTE: https://github.com/cloudflare/cfrpki/security/advisories/GHSA-5mxh-2qfv-4g7j - TODO: check correctness, there is distinction on github.com/cloudflare/cfrpki/cmd/octorpki and github.com/cloudflare/cfrpki/pki CVE-2021-3909 (OctoRPKI does not limit the length of a connection, allowing for a slo ...) + {DSA-5041-1 DSA-5033-1} + - routinator <itp> (bug #929024) - cfrpki 1.4.0-1 + - fort-validator 1.5.3-1 + - rpki-client 7.5-1 NOTE: https://github.com/cloudflare/cfrpki/security/advisories/GHSA-8cvr-4rrf-f244 - TODO: check correctness, there is distinction on github.com/cloudflare/cfrpki/cmd/octorpki and github.com/cloudflare/cfrpki/pki CVE-2021-3908 (OctoRPKI does not limit the depth of a certificate chain, allowing for ...) + {DSA-5041-1} - cfrpki 1.4.0-1 + - routinator <itp> (bug #929024) NOTE: https://github.com/cloudflare/cfrpki/security/advisories/GHSA-g5gj-9ggf-9vmq - TODO: check correctness, there is distinction on github.com/cloudflare/cfrpki/cmd/octorpki and github.com/cloudflare/cfrpki/pki CVE-2021-3907 (OctoRPKI does not escape a URI with a filename containing "..", this a ...) + {DSA-5041-1 DSA-5033-1} - cfrpki 1.4.0-1 + - fort-validator 1.5.3-1 NOTE: https://github.com/cloudflare/cfrpki/security/advisories/GHSA-cqh2-vc2f-q4fh - TODO: check correctness, there is distinction on github.com/cloudflare/cfrpki/cmd/octorpki and github.com/cloudflare/cfrpki/pki CVE-2021-3906 (bookstack is vulnerable to Unrestricted Upload of File with Dangerous ...) NOT-FOR-US: bookstack CVE-2021-43032 (In XenForo through 2.2.7, a threat actor with access to the admin pane ...) NOT-FOR-US: XenForo CVE-2021-43031 RESERVED -CVE-2021-43030 - RESERVED -CVE-2021-43029 - RESERVED -CVE-2021-43028 - RESERVED +CVE-2021-43030 (Adobe Premiere Rush versions 1.5.16 (and earlier) allows access to an ...) + NOT-FOR-US: Adobe +CVE-2021-43029 (Adobe Premiere Rush version 1.5.16 (and earlier) is affected by a memo ...) + NOT-FOR-US: Adobe +CVE-2021-43028 (Adobe Premiere Rush version 1.5.16 (and earlier) is affected by a memo ...) + NOT-FOR-US: Adobe CVE-2021-43027 RESERVED -CVE-2021-43026 - RESERVED -CVE-2021-43025 - RESERVED -CVE-2021-43024 - RESERVED -CVE-2021-43023 - RESERVED -CVE-2021-43022 - RESERVED -CVE-2021-43021 - RESERVED +CVE-2021-43026 (Adobe Premiere Rush version 1.5.16 (and earlier) is affected by a memo ...) + NOT-FOR-US: Adobe +CVE-2021-43025 (Adobe Premiere Rush version 1.5.16 (and earlier) is affected by a memo ...) + NOT-FOR-US: Adobe +CVE-2021-43024 (Adobe Premiere Rush version 1.5.16 (and earlier) is affected by a memo ...) + NOT-FOR-US: Adobe +CVE-2021-43023 (Adobe Premiere Rush version 1.5.16 (and earlier) is affected by a memo ...) + NOT-FOR-US: Adobe +CVE-2021-43022 (Adobe Premiere Rush version 1.5.16 (and earlier) is affected by a memo ...) + NOT-FOR-US: Adobe +CVE-2021-43021 (Adobe Premiere Rush version 1.5.16 (and earlier) is affected by a memo ...) + NOT-FOR-US: Adobe CVE-2021-43020 RESERVED CVE-2021-43019 (Adobe Creative Cloud version 5.5 (and earlier) are affected by a privi ...) @@ -2922,6 +9819,8 @@ CVE-2021-3904 (grav is vulnerable to Improper Neutralization of Input During Web NOT-FOR-US: Grav CMS CVE-2021-3903 (vim is vulnerable to Heap-based Buffer Overflow ...) - vim 2:8.2.3565-1 + [bullseye] - vim <no-dsa> (Minor issue) + [buster] - vim <no-dsa> (Minor issue) [stretch] - vim <no-dsa> (Minor issue) NOTE: https://huntr.dev/bounties/35738a4f-55ce-446c-b836-2fb0b39625f8 NOTE: https://github.com/vim/vim/commit/777e7c21b7627be80961848ac560cb0a9978ff43 @@ -2934,76 +9833,76 @@ CVE-2021-43008 RESERVED CVE-2021-43007 RESERVED -CVE-2021-43006 - RESERVED +CVE-2021-43006 (AmZetta Amzetta zPortal DVM Tools is affected by Integer Overflow. IOC ...) + NOT-FOR-US: AmZetta Amzetta zPortal DVM Tools CVE-2021-43005 RESERVED CVE-2021-43004 RESERVED -CVE-2021-43003 - RESERVED -CVE-2021-43002 - RESERVED +CVE-2021-43003 (Amzetta zPortal Windows zClient is affected by Integer Overflow. IOCTL ...) + NOT-FOR-US: Amzetta +CVE-2021-43002 (Amzetta zPortal DVM Tools is affected by Buffer Overflow. IOCTL Handle ...) + NOT-FOR-US: Amzetta CVE-2021-43001 RESERVED -CVE-2021-43000 - RESERVED +CVE-2021-43000 (Amzetta zPortal Windows zClient is affected by Buffer Overflow. IOCTL ...) + NOT-FOR-US: Amzetta CVE-2021-42999 RESERVED CVE-2021-42998 RESERVED CVE-2021-42997 RESERVED -CVE-2021-42996 - RESERVED +CVE-2021-42996 (Donglify is affected by Integer Overflow. IOCTL Handler 0x22001B in th ...) + NOT-FOR-US: Donglify CVE-2021-42995 RESERVED -CVE-2021-42994 - RESERVED -CVE-2021-42993 - RESERVED +CVE-2021-42994 (Donglify is affected by Buffer Overflow. IOCTL Handler 0x22001B in the ...) + NOT-FOR-US: Donglify +CVE-2021-42993 (FlexiHub For Windows is affected by Integer Overflow. IOCTL Handler 0x ...) + NOT-FOR-US: FlexiHub For Windows CVE-2021-42992 RESERVED CVE-2021-42991 RESERVED -CVE-2021-42990 - RESERVED +CVE-2021-42990 (FlexiHub For Windows is affected by Buffer Overflow. IOCTL Handler 0x2 ...) + NOT-FOR-US: FlexiHub For Windows CVE-2021-42989 RESERVED -CVE-2021-42988 - RESERVED -CVE-2021-42987 - RESERVED -CVE-2021-42986 - RESERVED +CVE-2021-42988 (Eltima USB Network Gate is affected by Buffer Overflow. IOCTL Handler ...) + NOT-FOR-US: Eltima USB Network Gate +CVE-2021-42987 (Eltima USB Network Gate is affected by Integer Overflow. IOCTL Handler ...) + NOT-FOR-US: Eltima USB Network Gate +CVE-2021-42986 (NoMachine Enterprise Client is affected by Integer Overflow. IOCTL Han ...) + NOT-FOR-US: NoMachine CVE-2021-42985 RESERVED CVE-2021-42984 RESERVED -CVE-2021-42983 - RESERVED +CVE-2021-42983 (NoMachine Enterprise Client is affected by Buffer Overflow. IOCTL Hand ...) + NOT-FOR-US: NoMachine CVE-2021-42982 RESERVED CVE-2021-42981 RESERVED -CVE-2021-42980 - RESERVED -CVE-2021-42979 - RESERVED +CVE-2021-42980 (NoMachine Cloud Server is affected by Buffer Overflow. IOCTL Handler 0 ...) + NOT-FOR-US: NoMachine +CVE-2021-42979 (NoMachine Cloud Server is affected by Integer Overflow. IOCTL Handler ...) + NOT-FOR-US: NoMachine CVE-2021-42978 RESERVED -CVE-2021-42977 - RESERVED -CVE-2021-42976 - RESERVED +CVE-2021-42977 (NoMachine Enterprise Desktop is affected by Integer Overflow. IOCTL Ha ...) + NOT-FOR-US: NoMachine +CVE-2021-42976 (NoMachine Enterprise Desktop is affected by Buffer Overflow. IOCTL Han ...) + NOT-FOR-US: NoMachine CVE-2021-42975 RESERVED CVE-2021-42974 RESERVED -CVE-2021-42973 - RESERVED -CVE-2021-42972 - RESERVED +CVE-2021-42973 (NoMachine Server is affected by Integer Overflow. IOCTL Handler 0x2200 ...) + NOT-FOR-US: NoMachine +CVE-2021-42972 (NoMachine Server is affected by Buffer Overflow. IOCTL Handler 0x22001 ...) + NOT-FOR-US: NoMachine CVE-2021-42971 RESERVED CVE-2021-42970 @@ -3056,8 +9955,8 @@ CVE-2021-42947 RESERVED CVE-2021-42946 RESERVED -CVE-2021-42945 - RESERVED +CVE-2021-42945 (A SQL Injection vulnerability exists in ZZCMS 2021 via the askbigclass ...) + NOT-FOR-US: ZZCMS CVE-2021-42944 RESERVED CVE-2021-42943 @@ -3066,8 +9965,8 @@ CVE-2021-42942 RESERVED CVE-2021-42941 RESERVED -CVE-2021-42940 - RESERVED +CVE-2021-42940 (A Cross Site Scripting (XSS) vulnerability exists in Projeqtor 9.3.1 v ...) + NOT-FOR-US: Projeqtor CVE-2021-42939 RESERVED CVE-2021-42938 @@ -3114,7 +10013,7 @@ CVE-2021-42918 RESERVED CVE-2021-42917 (Buffer overflow vulnerability in Kodi xbmc up to 19.0, allows attacker ...) - kodi 2:19.3+dfsg1-1 (bug #998419) - [bullseye] - kodi <no-dsa> (Minor issue) + [bullseye] - kodi 2:19.1+dfsg2-2+deb11u1 [buster] - kodi <no-dsa> (Minor issue) [stretch] - kodi <postponed> (no point in fixing this when the more severe CVE-2017-5982 is ignored) - xbmc <removed> @@ -3127,10 +10026,10 @@ CVE-2021-42915 RESERVED CVE-2021-42914 RESERVED -CVE-2021-42913 - RESERVED -CVE-2021-42912 - RESERVED +CVE-2021-42913 (The SyncThru Web Service on Samsung SCX-6x55X printers allows an attac ...) + NOT-FOR-US: SyncThru Web Service on Samsung SCX-6x55X printers +CVE-2021-42912 (FiberHome ONU GPON AN5506-04-F RP2617 is affected by an OS command inj ...) + NOT-FOR-US: FiberHome ONU GPON AN5506-04-F RP2617 CVE-2021-42911 RESERVED CVE-2021-42910 @@ -3283,8 +10182,8 @@ CVE-2021-42843 RESERVED CVE-2021-42842 RESERVED -CVE-2021-42841 - RESERVED +CVE-2021-42841 (Insta HMS before 12.4.10 is vulnerable to XSS because of improper vali ...) + NOT-FOR-US: Insta HMS CVE-2021-42840 (SuiteCRM before 7.11.19 allows remote code execution via the system se ...) NOT-FOR-US: SuiteCRM CVE-2021-42839 (Grand Vice info Co. webopac7 file upload function fails to filter spec ...) @@ -3299,12 +10198,12 @@ CVE-2021-42836 (GJSON before 1.9.3 allows a ReDoS (regular expression denial of NOTE: https://github.com/tidwall/gjson/commit/77a57fda87dca6d0d7d4627d512a630f89a91c96 NOTE: https://github.com/tidwall/gjson/issues/236 NOTE: https://github.com/tidwall/gjson/issues/237 -CVE-2021-42835 - RESERVED +CVE-2021-42835 (An issue was discovered in Plex Media Server through 1.24.4.5081-e362d ...) + NOT-FOR-US: Plex Media Server CVE-2021-42834 RESERVED -CVE-2021-42833 - RESERVED +CVE-2021-42833 (A Use of Hardcoded Credentials vulnerability exists in AquaView versio ...) + NOT-FOR-US: AquaView CVE-2021-42832 RESERVED CVE-2021-42831 @@ -3351,12 +10250,12 @@ CVE-2021-42812 RESERVED CVE-2021-42811 RESERVED -CVE-2021-42810 - RESERVED -CVE-2021-42809 - RESERVED -CVE-2021-42808 - RESERVED +CVE-2021-42810 (A flaw in the previous versions of the product may allow an authentica ...) + NOT-FOR-US: Thales SafeNet Agent +CVE-2021-42809 (Improper Access Control of Dynamically-Managed Code Resources (DLL) in ...) + NOT-FOR-US: ThalesThales Sentinel Protection Installer +CVE-2021-42808 (Improper Access Control in Thales Sentinel Protection Installer could ...) + NOT-FOR-US: Thales Sentinel Protection Installer CVE-2021-42807 RESERVED CVE-2021-42806 @@ -3389,8 +10288,8 @@ CVE-2021-42793 RESERVED CVE-2021-42792 RESERVED -CVE-2021-42791 - RESERVED +CVE-2021-42791 (An issue was discovered in VeridiumID VeridiumAD 2.5.3.0. The HTTP req ...) + NOT-FOR-US: VeridiumID CVE-2021-42790 RESERVED CVE-2021-42789 @@ -3402,7 +10301,7 @@ CVE-2021-42787 CVE-2021-42786 RESERVED CVE-2021-42785 (Buffer Overflow vulnerability in tvnviewer.exe of TightVNC Viewer allo ...) - TODO: check + NOT-FOR-US: TightVNC Viewer CVE-2021-42784 (OS Command Injection vulnerability in debug_fcgi of D-Link DWR-932C E1 ...) NOT-FOR-US: D-Link CVE-2021-42783 (Missing Authentication for Critical Function vulnerability in debug_po ...) @@ -3419,8 +10318,8 @@ CVE-2021-42778 RESERVED CVE-2021-42777 RESERVED -CVE-2021-42776 - RESERVED +CVE-2021-42776 (CloverDX Server before 5.11.2 and and 5.12.x before 5.12.1 allows XXE ...) + NOT-FOR-US: CloverDX Server CVE-2021-42775 (Broadcom Emulex HBA Manager/One Command Manager versions before 11.4.4 ...) NOT-FOR-US: Broadcom Emulex HBA Manager/One Command Manager CVE-2021-42774 (Broadcom Emulex HBA Manager/One Command Manager versions before 11.4.4 ...) @@ -3430,7 +10329,7 @@ CVE-2021-42773 (Broadcom Emulex HBA Manager/One Command Manager versions before CVE-2021-42772 (Broadcom Emulex HBA Manager/One Command Manager versions before 11.4.4 ...) NOT-FOR-US: Broadcom Emulex HBA Manager/One Command Manager CVE-2021-42771 (Babel.Locale in Babel before 2.9.1 allows attackers to load arbitrary ...) - {DLA-2790-1} + {DSA-5018-1 DLA-2790-1} - python-babel 2.8.0+dfsg.1-7 (bug #987824) NOTE: https://www.tenable.com/security/research/tra-2021-14 NOTE: https://github.com/python-babel/babel/pull/782 @@ -3459,32 +10358,32 @@ CVE-2021-42762 (BubblewrapLauncher.cpp in WebKitGTK and WPE WebKit before 2.34.1 NOTE: https://github.com/flatpak/flatpak/security/advisories/GHSA-67h7-w3jq-vh4q CVE-2021-42761 RESERVED -CVE-2021-42760 - RESERVED -CVE-2021-42759 - RESERVED -CVE-2021-42758 - RESERVED -CVE-2021-42757 - RESERVED +CVE-2021-42760 (A improper neutralization of special elements used in an sql command ( ...) + NOT-FOR-US: FortiGuard +CVE-2021-42759 (A violation of secure design principles in Fortinet Meru AP version 8. ...) + NOT-FOR-US: FortiGuard +CVE-2021-42758 (An improper access control vulnerability [CWE-284] in FortiWLC 8.6.1 a ...) + NOT-FOR-US: FortiGuard +CVE-2021-42757 (A buffer overflow [CWE-121] in the TFTP client library of FortiOS befo ...) + NOT-FOR-US: FortiGuard CVE-2021-42756 RESERVED CVE-2021-42755 RESERVED CVE-2021-42754 (An improper control of generation of code vulnerability [CWE-94] in Fo ...) NOT-FOR-US: Fortiguard -CVE-2021-42753 - RESERVED -CVE-2021-42752 - RESERVED +CVE-2021-42753 (An improper limitation of a pathname to a restricted directory ('Path ...) + NOT-FOR-US: FortiGuard +CVE-2021-42752 (A improper neutralization of input during web page generation ('cross- ...) + NOT-FOR-US: FortiGuard CVE-2021-42751 RESERVED CVE-2021-42750 RESERVED -CVE-2021-42749 - RESERVED -CVE-2021-42748 - RESERVED +CVE-2021-42749 (In Beaver Themer, attackers can bypass conditional logic controls (for ...) + NOT-FOR-US: Beaver +CVE-2021-42748 (In Beaver Builder through 2.5.0.3, attackers can bypass the visibility ...) + NOT-FOR-US: Beaver CVE-2021-42747 RESERVED CVE-2021-42745 @@ -3510,10 +10409,12 @@ CVE-2021-42742 CVE-2021-42741 RESERVED CVE-2021-42740 (The shell-quote package before 1.7.3 for Node.js allows command inject ...) - - node-shell-quote <unfixed> (bug #998418) + - node-shell-quote 1.7.3+~1.7.1-1 (bug #998418) NOTE: https://github.com/substack/node-shell-quote/commit/5799416ed454aa4ec9afafc895b4e31760ea1abe (1.7.3) CVE-2021-42739 (The firewire subsystem in the Linux kernel through 5.14.13 has a buffe ...) + {DLA-2843-1} - linux 5.14.16-1 + [bullseye] - linux 5.10.84-1 NOTE: https://seclists.org/oss-sec/2021/q2/46 NOTE: https://lore.kernel.org/linux-media/YHaulytonFcW+lyZ@mwanda/ CVE-2021-42738 (Adobe Prelude version 10.1 (and earlier) is affected by a memory corru ...) @@ -3558,15 +10459,22 @@ CVE-2021-42719 RESERVED CVE-2021-42718 RESERVED -CVE-2021-3894 - RESERVED -CVE-2021-42717 [ModSecurity DoS Vulnerability in JSON Parsing] +CVE-2021-3894 [sctp: local DoS: unprivileged user can cause BUG()] RESERVED + - linux 5.14.16-1 + [bullseye] - linux 5.10.84-1 + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2014970 +CVE-2021-42717 (ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON objec ...) + {DSA-5023-1} - modsecurity 3.0.6-1 + [bullseye] - modsecurity <no-dsa> (Minor issue; does not have connector packages in Debian) + [buster] - modsecurity <no-dsa> (Minor issue; does not have connector packages in Debian) - modsecurity-apache 2.9.5-1 [stretch] - modsecurity-apache <postponed> (revisit when/if fixed upstream) NOTE: https://github.com/SpiderLabs/ModSecurity/issues/2647 NOTE: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/modsecurity-dos-vulnerability-in-json-parsing-cve-2021-42717/ + NOTE: Fixed by: https://github.com/SpiderLabs/ModSecurity/commit/41918335fa4c74fba46a986771a5a6cb457070c4 (v2.9.5) + NOTE: Fixed by: https://github.com/SpiderLabs/ModSecurity/commit/ac79c1c29b7e6323e26cc984ad4f76ef62c731cd (v3.0.6) CVE-2021-42716 (An issue was discovered in stb stb_image.h 2.27. The PNM loader incorr ...) - libstb <unfixed> [bullseye] - libstb <no-dsa> (Minor issue) @@ -3580,14 +10488,14 @@ CVE-2021-42715 (An issue was discovered in stb stb_image.h 1.33 through 2.27. Th [buster] - libstb <no-dsa> (Minor issue) NOTE: https://github.com/nothings/stb/issues/1224 NOTE: https://github.com/nothings/stb/pull/1223 -CVE-2021-42714 - RESERVED -CVE-2021-42713 - RESERVED -CVE-2021-42712 - RESERVED -CVE-2021-42711 - RESERVED +CVE-2021-42714 (Splashtop Remote Client (Business Edition) through 3.4.8.3 creates a T ...) + NOT-FOR-US: Splashtop Remote Client +CVE-2021-42713 (Splashtop Remote Client (Personal Edition) through 3.4.6.1 creates a T ...) + NOT-FOR-US: Splashtop Remote Client +CVE-2021-42712 (Splashtop Streamer through 3.4.8.3 creates a Temporary File in a Direc ...) + NOT-FOR-US: Splashtop Streamer +CVE-2021-42711 (Barracuda Network Access Client before 5.2.2 creates a Temporary File ...) + NOT-FOR-US: Barracuda Network Access Client CVE-2021-42710 RESERVED CVE-2021-42709 @@ -3632,22 +10540,22 @@ CVE-2021-42690 RESERVED CVE-2021-42689 RESERVED -CVE-2021-42688 - RESERVED -CVE-2021-42687 - RESERVED -CVE-2021-42686 - RESERVED -CVE-2021-42685 - RESERVED +CVE-2021-42688 (An Integer Overflow vulnerability exists in Accops HyWorks Windows Cli ...) + NOT-FOR-US: Accops HyWorks Windows Client +CVE-2021-42687 (A Buffer Overflow vulnerability exists in Accops HyWorks Windows Clien ...) + NOT-FOR-US: Accops HyWorks Windows Client +CVE-2021-42686 (An Integer Overflow exists in Accops HyWorks Windows Client prior to v ...) + NOT-FOR-US: Accops HyWorks Windows Client +CVE-2021-42685 (An Integer Overflow vulnerability exists in Accops HyWorks DVM Tools p ...) + NOT-FOR-US: Accops HyWorks DVM Tools CVE-2021-42684 RESERVED -CVE-2021-42683 - RESERVED -CVE-2021-42682 - RESERVED -CVE-2021-42681 - RESERVED +CVE-2021-42683 (A Buffer Overflow vulnerability exists in Accops HyWorks Windows Clien ...) + NOT-FOR-US: Accops HyWorks Windows Client +CVE-2021-42682 (An Integer Overflow vulnerability exists in Accops HyWorks DVM Tools p ...) + NOT-FOR-US: Accops HyWorks DVM Tools +CVE-2021-42681 (A Buffer Overflow vulnerability exists in Accops HyWorks DVM Tools pri ...) + NOT-FOR-US: Accops HyWorks DVM Tools CVE-2021-42680 RESERVED CVE-2021-42679 @@ -3724,30 +10632,30 @@ CVE-2021-42644 RESERVED CVE-2021-42643 RESERVED -CVE-2021-42642 - RESERVED -CVE-2021-42641 - RESERVED -CVE-2021-42640 - RESERVED -CVE-2021-42639 - RESERVED -CVE-2021-42638 - RESERVED -CVE-2021-42637 - RESERVED +CVE-2021-42642 (PrinterLogic Web Stack versions 19.1.1.13 SP9 and below are vulnerable ...) + NOT-FOR-US: PrinterLogic Web Stack +CVE-2021-42641 (PrinterLogic Web Stack versions 19.1.1.13 SP9 and below are vulnerable ...) + NOT-FOR-US: PrinterLogic Web Stack +CVE-2021-42640 (PrinterLogic Web Stack versions 19.1.1.13 SP9 and below are vulnerable ...) + NOT-FOR-US: PrinterLogic Web Stack +CVE-2021-42639 (PrinterLogic Web Stack versions 19.1.1.13 SP9 and below are vulnerable ...) + NOT-FOR-US: PrinterLogic Web Stack +CVE-2021-42638 (PrinterLogic Web Stack versions 19.1.1.13 SP9 and below do not sanitiz ...) + NOT-FOR-US: PrinterLogic Web Stack +CVE-2021-42637 (PrinterLogic Web Stack versions 19.1.1.13 SP9 and below use user-contr ...) + NOT-FOR-US: PrinterLogic Web Stack CVE-2021-42636 RESERVED -CVE-2021-42635 - RESERVED +CVE-2021-42635 (PrinterLogic Web Stack versions 19.1.1.13 SP9 and below use a hardcode ...) + NOT-FOR-US: PrinterLogic Web Stack CVE-2021-42634 RESERVED -CVE-2021-42633 - RESERVED +CVE-2021-42633 (PrinterLogic Web Stack versions 19.1.1.13 SP9 and below are vulnerable ...) + NOT-FOR-US: PrinterLogic Web Stack CVE-2021-42632 RESERVED -CVE-2021-42631 - RESERVED +CVE-2021-42631 (PrinterLogic Web Stack versions 19.1.1.13 SP9 and below deserializes a ...) + NOT-FOR-US: PrinterLogic Web Stack CVE-2021-42630 RESERVED CVE-2021-42629 @@ -3840,10 +10748,10 @@ CVE-2021-42586 RESERVED CVE-2021-42585 RESERVED -CVE-2021-42584 - RESERVED -CVE-2021-42583 - RESERVED +CVE-2021-42584 (A Stored Cross Site Scripting (XSS) issue exists in Convos-Chat before ...) + NOT-FOR-US: Convos-Chat +CVE-2021-42583 (A Broken or Risky Cryptographic Algorithm exists in Max Mazurov Maddy ...) + NOT-FOR-US: Max Mazurov Maddy CVE-2021-42582 RESERVED CVE-2021-42581 @@ -3857,13 +10765,16 @@ CVE-2021-42578 CVE-2021-42577 RESERVED CVE-2021-42576 (The bluemonday sanitizer before 1.0.16 for Go, and before 0.0.8 for Py ...) - NOT-FOR-US: bluemonday sanitizer + - golang-github-microcosm-cc-bluemonday 1.0.16-1 + [bullseye] - golang-github-microcosm-cc-bluemonday <no-dsa> (Minor issue) + NOTE: https://docs.google.com/document/d/11SoX296sMS0XoQiQbpxc5pNxSdbJKDJkm5BDv0zrX50/ CVE-2021-42575 (The OWASP Java HTML Sanitizer before 20211018.1 does not properly enfo ...) NOT-FOR-US: OWASP HTML Sanitizer CVE-2021-42574 (An issue was discovered in the Bidirectional Algorithm in the Unicode ...) - rustc <unfixed> [bullseye] - rustc <no-dsa> (Minor issue) [buster] - rustc <no-dsa> (Minor issue) + [stretch] - rustc <no-dsa> (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2021/11/01/1 NOTE: https://github.com/rust-lang/rust/commit/dd61274930ec0cd17711fab52d2bc9ad3e9053de (1.56.1) CVE-2021-42573 @@ -3878,64 +10789,66 @@ CVE-2021-42569 RESERVED CVE-2021-42568 (Sonatype Nexus Repository Manager 3.x through 3.35.0 allows attackers ...) NOT-FOR-US: Sonatype -CVE-2021-42567 - RESERVED +CVE-2021-42567 (Apereo CAS through 6.4.1 allows XSS via POST requests sent to the REST ...) + NOT-FOR-US: Apereo CAS CVE-2021-42566 (myfactory.FMS before 7.1-912 allows XSS via the Error parameter. ...) NOT-FOR-US: myfactory.FMS CVE-2021-42565 (myfactory.FMS before 7.1-912 allows XSS via the UID parameter. ...) NOT-FOR-US: myfactory.FMS -CVE-2021-42564 - RESERVED +CVE-2021-42564 (An open redirect through HTML injection in confidential messages in Cr ...) + NOT-FOR-US: Cryptshare Server CVE-2021-42563 (There is an Unquoted Service Path in NI Service Locator (nisvcloc.exe) ...) NOT-FOR-US: NI Service Locator CVE-2021-3893 RESERVED -CVE-2021-42562 - RESERVED -CVE-2021-42561 - RESERVED -CVE-2021-42560 - RESERVED -CVE-2021-42559 - RESERVED -CVE-2021-42558 - RESERVED +CVE-2021-42562 (An issue was discovered in CALDERA 2.8.1. It does not properly segrega ...) + NOT-FOR-US: CALDERA +CVE-2021-42561 (An issue was discovered in CALDERA 2.8.1. When activated, the Human pl ...) + NOT-FOR-US: CALDERA +CVE-2021-42560 (An issue was discovered in CALDERA 2.9.0. The Debrief plugin receives ...) + NOT-FOR-US: CALDERA +CVE-2021-42559 (An issue was discovered in CALDERA 2.8.1. It contains multiple startup ...) + NOT-FOR-US: CALDERA +CVE-2021-42558 (An issue was discovered in CALDERA 2.8.1. It contains multiple reflect ...) + NOT-FOR-US: CALDERA CVE-2021-42557 (In Jeedom through 4.1.19, a bug allows a remote attacker to bypass API ...) NOT-FOR-US: Jeedom CVE-2021-42556 (Rasa X before 0.42.4 allows Directory Traversal during archive extract ...) NOT-FOR-US: Rasa X -CVE-2021-42555 - RESERVED -CVE-2021-42554 - RESERVED -CVE-2021-3892 [memory leak in fib6_rule_suppress could result in DoS] - RESERVED - - linux <unfixed> - NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2014623 -CVE-2021-26247 - RESERVED -CVE-2021-23225 - RESERVED +CVE-2021-42555 (Pexip Infinity before 26.2 allows temporary remote Denial of Service ( ...) + NOT-FOR-US: Pexip Infinity +CVE-2021-42554 (An issue was discovered in Insyde InsydeH2O with Kernel 5.0 before 05. ...) + NOT-FOR-US: Insyde +CVE-2021-3892 + REJECTED +CVE-2021-26247 (As an unauthenticated remote user, visit "http://<CACTI_SERVER>/ ...) + - cacti 0.8.7i-1 + NOTE: Fixed by: https://github.com/Cacti/cacti/commit/d94dbd985054ef1ba14278a932c67e3145ebb14b (0.8.7h) + NOTE: Addressed again as a side-note in the same issue and fix for CVE-2021-3816 + NOTE: https://github.com/Cacti/cacti/issues/1882 + NOTE: Fixed by: https://github.com/Cacti/cacti/commit/2b8097c06030ab72c5b3bdadb23dceb5332f0e94 (1.2.0-beta1) +CVE-2021-23225 (Cacti 1.1.38 allows authenticated users with User Management permissio ...) + - cacti 1.2.1+ds1-1 + [stretch] - cacti <postponed> (Minor issue; stored XSS requires prior admin access) + NOTE: https://github.com/Cacti/cacti/issues/1882 CVE-2021-42553 RESERVED CVE-2021-42552 RESERVED -CVE-2021-42551 - RESERVED -CVE-2021-42550 - RESERVED -CVE-2021-42549 - RESERVED -CVE-2021-42548 - RESERVED -CVE-2021-42547 - RESERVED -CVE-2021-42546 - RESERVED -CVE-2021-42545 - RESERVED -CVE-2021-42544 - RESERVED +CVE-2021-42551 (Cross-site Scripting (XSS) vulnerability in the search functionality o ...) + NOT-FOR-US: AlCoda NetBiblio WebOPAC +CVE-2021-42549 (Insufficient Input Validation in the search functionality of Wordpress ...) + NOT-FOR-US: Wordpress plugin +CVE-2021-42548 (Insufficient Input Validation in the search functionality of Wordpress ...) + NOT-FOR-US: Wordpress plugin +CVE-2021-42547 (Insufficient Input Validation in the search functionality of Wordpress ...) + NOT-FOR-US: Wordpress plugin +CVE-2021-42546 (Insufficient Input Validation in the search functionality of Wordpress ...) + NOT-FOR-US: Wordpress plugin +CVE-2021-42545 (An insufficient session expiration vulnerability exists in Business-DN ...) + NOT-FOR-US: Business-DNA Solutions +CVE-2021-42544 (Missing Rate Limiting in Web Applications operating on Business-DNA So ...) + NOT-FOR-US: Business-DNA Solutions CVE-2021-42543 (The affected application uses specific functions that could be abused ...) NOT-FOR-US: AzeoTech CVE-2021-42542 (The affected product is vulnerable to directory traversal due to misha ...) @@ -3981,9 +10894,13 @@ CVE-2021-3891 CVE-2021-3890 RESERVED CVE-2021-3889 (libmobi is vulnerable to Use of Out-of-range Pointer Offset ...) - - libmobi <itp> (bug #966677) + - libmobi <not-affected> (Fixed before initial upload to Debian) + NOTE: https://huntr.dev/bounties/efb3e261-3f7d-4a45-8114-e0ace6b21516/ + NOTE: https://github.com/bfabiszewski/libmobi/commit/bec783e6212439a335ba6e8df7ab8ed610ca9a21 (v0.8) CVE-2021-3888 (libmobi is vulnerable to Use of Out-of-range Pointer Offset ...) - - libmobi <itp> (bug #966677) + - libmobi <not-affected> (Fixed before initial upload to Debian) + NOTE: https://huntr.dev/bounties/722b3acb-792b-4429-a98d-bb80efb8938d/ + NOTE: https://github.com/bfabiszewski/libmobi/commit/c78e186739b50d156cb3da5d08d70294f0490853 (v0.8) CVE-2021-3887 RESERVED CVE-2021-42523 @@ -4248,8 +11165,13 @@ CVE-2021-42394 RESERVED CVE-2021-42393 RESERVED -CVE-2021-42392 - RESERVED +CVE-2021-42392 (The org.h2.util.JdbcUtils.getConnection method of the H2 database take ...) + {DSA-5076-1 DLA-2923-1} + - h2database 2.1.210-1 (bug #1003894) + NOTE: https://github.com/h2database/h2database/security/advisories/GHSA-h376-j262-vhq6 + NOTE: https://jfrog.com/blog/the-jndi-strikes-back-unauthenticated-rce-in-h2-database-console/ + NOTE: Fixed by https://github.com/h2database/h2database/commit/41dd2a4cf89da9dd18239debbf73f88da6184ec7 + NOTE: https://github.com/h2database/h2database/commit/956c6241868332c5b440f5d55ea8fdc1e51ae4fd CVE-2021-42391 RESERVED CVE-2021-42390 @@ -4350,14 +11272,14 @@ CVE-2021-42369 (Imagicle Application Suite (for Cisco UC) before 2021.Summer.2 a NOT-FOR-US: Imagicle Application Suite CVE-2021-42368 RESERVED -CVE-2021-42367 - RESERVED +CVE-2021-42367 (The Variation Swatches for WooCommerce WordPress plugin is vulnerable ...) + NOT-FOR-US: WordPress plugin CVE-2021-42366 RESERVED -CVE-2021-42365 - RESERVED -CVE-2021-42364 - RESERVED +CVE-2021-42365 (The Asgaros Forums WordPress plugin is vulnerable to Stored Cross-Site ...) + NOT-FOR-US: WordPress plugin +CVE-2021-42364 (The Stetic WordPress plugin is vulnerable to Cross-Site Request Forger ...) + NOT-FOR-US: WordPress plugin CVE-2021-42363 (The Preview E-Mails for WooCommerce WordPress plugin is vulnerable to ...) NOT-FOR-US: WordPress plugin CVE-2021-42362 (The WordPress Popular Posts WordPress plugin is vulnerable to arbitrar ...) @@ -4368,10 +11290,10 @@ CVE-2021-42360 (On sites that also had the Elementor plugin for WordPress instal NOT-FOR-US: Elementor plugin for WordPress CVE-2021-42359 (WP DSGVO Tools (GDPR) <= 3.1.23 had an AJAX action, ‘admin-di ...) NOT-FOR-US: WP DSGVO Tools (GDPR) -CVE-2021-42358 - RESERVED -CVE-2021-42357 - RESERVED +CVE-2021-42358 (The Contact Form With Captcha WordPress plugin is vulnerable to Cross- ...) + NOT-FOR-US: WordPress plugin +CVE-2021-42357 (When using Apache Knox SSO prior to 1.6.1, a request could be crafted ...) + NOT-FOR-US: Apache Knox CVE-2021-42356 RESERVED CVE-2021-42355 @@ -4455,6 +11377,7 @@ CVE-2021-42328 RESERVED CVE-2021-42327 (dp_link_settings_write in drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu ...) - linux 5.14.16-1 + [bullseye] - linux 5.10.84-1 [buster] - linux <not-affected> (Vulnerability introduced later) [stretch] - linux <not-affected> (Vulnerability introduced later) NOTE: https://lists.freedesktop.org/archives/amd-gfx/2021-October/070170.html @@ -4475,8 +11398,8 @@ CVE-2021-42322 (Visual Studio Code Elevation of Privilege Vulnerability ...) NOT-FOR-US: Microsoft CVE-2021-42321 (Microsoft Exchange Server Remote Code Execution Vulnerability ...) NOT-FOR-US: Microsoft -CVE-2021-42320 - RESERVED +CVE-2021-42320 (Microsoft SharePoint Server Spoofing Vulnerability This CVE ID is uniq ...) + NOT-FOR-US: Microsoft CVE-2021-42319 (Visual Studio Elevation of Privilege Vulnerability ...) NOT-FOR-US: Microsoft CVE-2021-42318 @@ -4485,20 +11408,20 @@ CVE-2021-42317 RESERVED CVE-2021-42316 (Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerabili ...) NOT-FOR-US: Microsoft -CVE-2021-42315 - RESERVED -CVE-2021-42314 - RESERVED -CVE-2021-42313 - RESERVED -CVE-2021-42312 - RESERVED -CVE-2021-42311 - RESERVED -CVE-2021-42310 - RESERVED -CVE-2021-42309 - RESERVED +CVE-2021-42315 (Microsoft Defender for IoT Remote Code Execution Vulnerability This CV ...) + NOT-FOR-US: Microsoft +CVE-2021-42314 (Microsoft Defender for IoT Remote Code Execution Vulnerability This CV ...) + NOT-FOR-US: Microsoft +CVE-2021-42313 (Microsoft Defender for IoT Remote Code Execution Vulnerability This CV ...) + NOT-FOR-US: Microsoft +CVE-2021-42312 (Microsoft Defender for IOT Elevation of Privilege Vulnerability ...) + NOT-FOR-US: Microsoft +CVE-2021-42311 (Microsoft Defender for IoT Remote Code Execution Vulnerability This CV ...) + NOT-FOR-US: Microsoft +CVE-2021-42310 (Microsoft Defender for IoT Remote Code Execution Vulnerability This CV ...) + NOT-FOR-US: Microsoft +CVE-2021-42309 (Microsoft SharePoint Server Remote Code Execution Vulnerability This C ...) + NOT-FOR-US: Microsoft CVE-2021-42308 (Microsoft Edge (Chromium-based) Spoofing Vulnerability ...) NOT-FOR-US: Microsoft CVE-2021-42307 @@ -4525,12 +11448,12 @@ CVE-2021-42297 (Windows 10 Update Assistant Elevation of Privilege Vulnerability NOT-FOR-US: Microsoft CVE-2021-42296 (Microsoft Word Remote Code Execution Vulnerability ...) NOT-FOR-US: Microsoft -CVE-2021-42295 - RESERVED -CVE-2021-42294 - RESERVED -CVE-2021-42293 - RESERVED +CVE-2021-42295 (Visual Basic for Applications Information Disclosure Vulnerability ...) + NOT-FOR-US: Microsoft +CVE-2021-42294 (Microsoft SharePoint Server Remote Code Execution Vulnerability This C ...) + NOT-FOR-US: Microsoft +CVE-2021-42293 (Microsoft Jet Red Database Engine and Access Connectivity Engine Eleva ...) + NOT-FOR-US: Microsoft CVE-2021-42292 (Microsoft Excel Security Feature Bypass Vulnerability ...) NOT-FOR-US: Microsoft CVE-2021-42291 (Active Directory Domain Services Elevation of Privilege Vulnerability ...) @@ -4596,7 +11519,9 @@ CVE-2021-3882 (LedgerSMB does not set the 'Secure' attribute on the session auth NOTE: https://huntr.dev/bounties/7061d97a-98a5-495a-8ba0-3a4c66091e9d/ NOTE: https://ledgersmb.org/content/security-advisory-cve-2021-3882-non-secure-session-cookie CVE-2021-3881 (libmobi is vulnerable to Out-of-bounds Read ...) - - libmobi <itp> (bug #966677) + - libmobi <not-affected> (Fixed before initial upload to Debian) + NOTE: https://huntr.dev/bounties/540fd115-7de4-4e19-a918-5ee61f5157c1/ + NOTE: https://github.com/bfabiszewski/libmobi/commit/bec783e6212439a335ba6e8df7ab8ed610ca9a21 (v0.8) CVE-2021-3880 RESERVED CVE-2021-3879 (snipe-it is vulnerable to Improper Neutralization of Input During Web ...) @@ -4606,7 +11531,10 @@ CVE-2021-42262 CVE-2021-42261 (Revisor Video Management System (VMS) before 2.0.0 has a directory tra ...) NOT-FOR-US: Revisor Video Management System (VMS) CVE-2021-42260 (TinyXML through 2.6.2 has an infinite loop in TiXmlParsingData::Stamp ...) - - tinyxml <unfixed> + - tinyxml 2.6.2-6 + [bullseye] - tinyxml <no-dsa> (Minor issue) + [buster] - tinyxml <no-dsa> (Minor issue) + [stretch] - tinyxml <no-dsa> (Minor issue; can be fixed with the next DLA) NOTE: https://sourceforge.net/p/tinyxml/bugs/141/ NOTE: https://sourceforge.net/p/tinyxml/git/merge-requests/1/ CVE-2021-42259 @@ -4694,16 +11622,16 @@ CVE-2021-42222 RESERVED CVE-2021-42221 RESERVED -CVE-2021-42220 - RESERVED +CVE-2021-42220 (A Cross Site Scripting (XSS) vulnerability exists in Dolibarr before 1 ...) + - dolibarr <removed> CVE-2021-42219 RESERVED CVE-2021-42218 RESERVED CVE-2021-42217 RESERVED -CVE-2021-42216 - RESERVED +CVE-2021-42216 (A Broken or Risky Cryptographic Algorithm exists in AnonAddy 0.8.5 via ...) + NOT-FOR-US: AnonAddy CVE-2021-42215 RESERVED CVE-2021-42214 @@ -4798,8 +11726,8 @@ CVE-2021-42170 RESERVED CVE-2021-42169 (The Simple Payroll System with Dynamic Tax Bracket in PHP using SQLite ...) NOT-FOR-US: Dynamic Tax Bracket in PHP using SQLite Free Source Code -CVE-2021-42168 - RESERVED +CVE-2021-42168 (Cross Site Scripting (XSS) in Sourcecodester Try My Recipe (Recipe Sha ...) + NOT-FOR-US: Sourcecodester CVE-2021-42167 RESERVED CVE-2021-42166 @@ -4860,8 +11788,8 @@ CVE-2021-42140 RESERVED CVE-2021-42139 (Deno Standard Modules before 0.107.0 allows Code Injection via an untr ...) NOT-FOR-US: Deno -CVE-2021-42138 - RESERVED +CVE-2021-42138 (A user of a machine protected by SafeNet Agent for Windows Logon may l ...) + NOT-FOR-US: SafeNet CVE-2021-42137 (An issue was discovered in Zammad before 5.0.1. In some cases, there i ...) - zammad <itp> (bug #841355) CVE-2021-42136 @@ -4880,56 +11808,56 @@ CVE-2021-3875 (vim is vulnerable to Heap-based Buffer Overflow ...) NOTE: https://huntr.dev/bounties/5cdbc168-6ba1-4bc2-ba6c-28be12166a53/ NOTE: Search from cursor position introduced in: https://github.com/vim/vim/commit/04db26b36000a4677b95403ec94bd11f6cc73975 (v8.2.3110) NOTE: Fixed by: https://github.com/vim/vim/commit/35a319b77f897744eec1155b736e9372c9c5575f (v8.2.3489) -CVE-2021-42133 - RESERVED -CVE-2021-42132 - RESERVED -CVE-2021-42131 - RESERVED -CVE-2021-42130 - RESERVED -CVE-2021-42129 - RESERVED -CVE-2021-42128 - RESERVED -CVE-2021-42127 - RESERVED -CVE-2021-42126 - RESERVED -CVE-2021-42125 - RESERVED -CVE-2021-42124 - RESERVED -CVE-2021-42123 - RESERVED -CVE-2021-42122 - RESERVED -CVE-2021-42121 - RESERVED -CVE-2021-42120 - RESERVED -CVE-2021-42119 - RESERVED -CVE-2021-42118 - RESERVED -CVE-2021-42117 - RESERVED -CVE-2021-42116 - RESERVED -CVE-2021-42115 - RESERVED +CVE-2021-42133 (An exposed dangerous function vulnerability exists in Ivanti Avalanche ...) + NOT-FOR-US: Ivanti +CVE-2021-42132 (A command Injection vulnerability exists in Ivanti Avalanche before 6. ...) + NOT-FOR-US: Ivanti +CVE-2021-42131 (A SQL Injection vulnerability exists in Ivanti Avalance before 6.3.3 a ...) + NOT-FOR-US: Ivanti +CVE-2021-42130 (A deserialization of untrusted data vulnerability exists in Ivanti Ava ...) + NOT-FOR-US: Ivanti +CVE-2021-42129 (A command injection vulnerability exists in Ivanti Avalanche before 6. ...) + NOT-FOR-US: Ivanti +CVE-2021-42128 (An exposed dangerous function vulnerability exists in Ivanti Avalanche ...) + NOT-FOR-US: Ivanti +CVE-2021-42127 (A deserialization of untrusted data vulnerability exists in Ivanti Ava ...) + NOT-FOR-US: Ivanti +CVE-2021-42126 (An improper authorization control vulnerability exists in Ivanti Avala ...) + NOT-FOR-US: Ivanti +CVE-2021-42125 (An unrestricted file upload vulnerability exists in Ivanti Avalanche b ...) + NOT-FOR-US: Ivanti +CVE-2021-42124 (An improper access control vulnerability exists in Ivanti Avalanche be ...) + NOT-FOR-US: Ivanti +CVE-2021-42123 (Unrestricted File Upload in Web Applications operating on Business-DNA ...) + NOT-FOR-US: Business-DNA Solutions +CVE-2021-42122 (Insufficient Input Validation in Web Applications operating on Busines ...) + NOT-FOR-US: Business-DNA Solutions +CVE-2021-42121 (Insufficient Input Validation in Web Applications operating on Busines ...) + NOT-FOR-US: Business-DNA Solutions +CVE-2021-42120 (Insufficient Input Validation in Web Applications operating on Busines ...) + NOT-FOR-US: Business-DNA Solutions +CVE-2021-42119 (Persistent Cross Site Scripting in Web Applications operating on Busin ...) + NOT-FOR-US: Business-DNA Solutions +CVE-2021-42118 (Persistent Cross Site Scripting in Web Applications operating on Busin ...) + NOT-FOR-US: Business-DNA Solutions +CVE-2021-42117 (Insufficient Input Validation in Web Applications operating on Busines ...) + NOT-FOR-US: Business-DNA Solutions +CVE-2021-42116 (Incorrect Access Control in Web Applications operating on Business-DNA ...) + NOT-FOR-US: Business-DNA Solutions +CVE-2021-42115 (Missing HTTPOnly flag in Web Applications operating on Business-DNA So ...) + NOT-FOR-US: Business-DNA Solutions CVE-2021-42114 (Modern DRAM devices (PC-DDR4, LPDDR4X) are affected by a vulnerability ...) NOT-FOR-US: hardware vulnerability in DRAM devices (Blacksmith) NOTE: https://comsec.ethz.ch/wp-content/files/blacksmith_sp22.pdf NOTE: https://comsec.ethz.ch/research/dram/blacksmith/ -CVE-2021-42113 - RESERVED +CVE-2021-42113 (An issue was discovered in StorageSecurityCommandDxe in Insyde InsydeH ...) + NOT-FOR-US: Insyde CVE-2021-42112 (The "File upload question" functionality in LimeSurvey 3.x-LTS through ...) - limesurvey <itp> (bug #472802) CVE-2021-42111 (An issue was discovered in the RCDevs OpenOTP app 1.4.13 and 1.4.14 fo ...) NOT-FOR-US: RCDevs OpenOTP app -CVE-2021-42110 - RESERVED +CVE-2021-42110 (An issue was discovered in Allegro Windows (formerly Popsy Windows) be ...) + NOT-FOR-US: Allegro Windows CVE-2021-3874 (bookstack is vulnerable to Improper Limitation of a Pathname to a Rest ...) NOT-FOR-US: bookstack CVE-2021-3873 @@ -4984,8 +11912,8 @@ CVE-2021-41133 (Flatpak is a system for building, distributing, and running sand NOTE: https://github.com/flatpak/flatpak/commit/3fc8c672676ae016f8e7cc90481b2feecbad9861 CVE-2021-42100 RESERVED -CVE-2021-42099 - RESERVED +CVE-2021-42099 (Zoho ManageEngine M365 Manager Plus before 4421 is vulnerable to file- ...) + NOT-FOR-US: Zoho ManageEngine CVE-2021-42098 (An incomplete permission check on entries in Devolutions Remote Deskto ...) NOT-FOR-US: Devolutions CVE-2021-42097 (GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A csr ...) @@ -4995,6 +11923,8 @@ CVE-2021-42097 (GNU Mailman before 2.1.35 may allow remote Privilege Escalation. NOTE: https://bugs.launchpad.net/mailman/+bug/1947640 NOTE: https://mail.python.org/archives/list/mailman-announce@python.org/thread/IKCO6JU755AP5G5TKMBJL6IEZQTTNPDQ/ NOTE: https://www.openwall.com/lists/oss-security/2021/10/21/4 + NOTE: Regression: https://bugs.launchpad.net/mailman/+bug/1954694 + NOTE: Regression fixed by: https://launchpadlibrarian.net/573872803/patch.txt CVE-2021-42096 (GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A cer ...) {DSA-4991-1 DLA-2791-1} - mailman <removed> @@ -5054,36 +11984,37 @@ CVE-2021-42072 (An issue was discovered in Barrier before 2.4.0. The barriers co NOT-FOR-US: Barrier CVE-2021-42071 (In Visual Tools DVR VX16 4.2.28.0, an unauthenticated attacker can ach ...) NOT-FOR-US: Visual Tools DVR VX16 -CVE-2021-42070 - RESERVED -CVE-2021-42069 - RESERVED -CVE-2021-42068 - RESERVED -CVE-2021-42067 - RESERVED -CVE-2021-42066 - RESERVED +CVE-2021-42070 (When a user opens manipulated Jupiter Tessellation (.jt) file received ...) + NOT-FOR-US: SAP +CVE-2021-42069 (When a user opens manipulated Tagged Image File Format (.tif) file rec ...) + NOT-FOR-US: SAP +CVE-2021-42068 (When a user opens a manipulated GIF (.gif) file received from untruste ...) + NOT-FOR-US: SAP +CVE-2021-42067 (In SAP NetWeaver AS for ABAP and ABAP Platform - versions 701, 702, 71 ...) + NOT-FOR-US: SAP +CVE-2021-42066 (SAP Business One - version 10.0, allows an admin user to view DB passw ...) + NOT-FOR-US: SAP CVE-2021-42065 RESERVED -CVE-2021-42064 - RESERVED -CVE-2021-42063 - RESERVED +CVE-2021-42064 (If configured to use an Oracle database and if a query is created usin ...) + NOT-FOR-US: SAP +CVE-2021-42063 (A security vulnerability has been discovered in the SAP Knowledge Ware ...) + NOT-FOR-US: SAP CVE-2021-42062 (SAP ERP HCM Portugal does not perform necessary authorization checks f ...) NOT-FOR-US: SAP -CVE-2021-42061 - RESERVED +CVE-2021-42061 (SAP BusinessObjects Business Intelligence Platform (Web Intelligence) ...) + NOT-FOR-US: SAP CVE-2021-3868 RESERVED CVE-2021-3867 RESERVED -CVE-2021-3866 - RESERVED -CVE-2021-42060 - RESERVED -CVE-2021-42059 - RESERVED +CVE-2021-3866 (Cross-site Scripting (XSS) - Stored in GitHub repository zulip/zulip m ...) + - zulip-server <itp> (bug #800052) + NOTE: https://github.com/zulip/zulip/commit/3eb2791c3e9695f7d37ffe84e0c2184fae665cb6 +CVE-2021-42060 (An issue was discovered in Insyde InsydeH2O Kernel 5.0 through 05.08.4 ...) + NOT-FOR-US: Insyde +CVE-2021-42059 (An issue was discovered in Insyde InsydeH2O Kernel 5.0 before 05.08.41 ...) + NOT-FOR-US: Insyde CVE-2021-42058 RESERVED CVE-2021-42057 (Obsidian Dataview through 0.4.12-hotfix1 allows eval injection. The ev ...) @@ -5098,10 +12029,10 @@ CVE-2021-42053 (The Unicorn framework through 0.35.3 for Django allows XSS via c NOT-FOR-US: Django Unicorn, different from src:unicorn CVE-2021-42052 RESERVED -CVE-2021-42051 - RESERVED -CVE-2021-42050 - RESERVED +CVE-2021-42051 (An issue was discovered in AbanteCart before 1.3.2. Any low-privileged ...) + NOT-FOR-US: AbanteCart +CVE-2021-42050 (An issue was discovered in AbanteCart before 1.3.2. It allows DOM Base ...) + NOT-FOR-US: AbanteCart CVE-2021-42049 (An issue was discovered in the Translate extension in MediaWiki throug ...) NOT-FOR-US: Translate MediaWiki extension CVE-2021-42048 (An issue was discovered in the Growth extension in MediaWiki through 1 ...) @@ -5148,18 +12079,18 @@ CVE-2021-42029 RESERVED CVE-2021-42028 RESERVED -CVE-2021-42027 - RESERVED +CVE-2021-42027 (A vulnerability has been identified in SINUMERIK Edge (All versions &l ...) + NOT-FOR-US: Siemens CVE-2021-42026 (A vulnerability has been identified in Mendix Applications using Mendi ...) NOT-FOR-US: Siemens CVE-2021-42025 (A vulnerability has been identified in Mendix Applications using Mendi ...) NOT-FOR-US: Siemens -CVE-2021-42024 - RESERVED -CVE-2021-42023 - RESERVED -CVE-2021-42022 - RESERVED +CVE-2021-42024 (A vulnerability has been identified in Simcenter STAR-CCM+ Viewer (All ...) + NOT-FOR-US: Siemens +CVE-2021-42023 (A vulnerability has been identified in ModelSim Simulation (All versio ...) + NOT-FOR-US: Siemens +CVE-2021-42022 (A vulnerability has been identified in SIMATIC eaSie PCS 7 Skill Packa ...) + NOT-FOR-US: Siemens CVE-2021-42021 (A vulnerability has been identified in Siveillance Video DLNA Server ( ...) NOT-FOR-US: Siemens CVE-2021-42020 @@ -5184,8 +12115,10 @@ CVE-2021-42013 (It was found that the fix for CVE-2021-41773 in Apache HTTP Serv NOTE: https://www.openwall.com/lists/oss-security/2021/10/07/6 NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-42013 NOTE: https://www.openwall.com/lists/oss-security/2021/10/08/1 -CVE-2021-3864 +CVE-2021-3864 [descendant's dumpable setting with certain SUID binaries] RESERVED + - linux <unfixed> + NOTE: https://www.openwall.com/lists/oss-security/2021/10/20/2 CVE-2021-42012 (A stack-based buffer overflow vulnerability in Trend Micro Apex One, A ...) NOT-FOR-US: Trend Micro CVE-2021-42011 (An incorrect permission assignment vulnerability in Trend Micro Apex O ...) @@ -5196,16 +12129,19 @@ CVE-2021-42010 RESERVED CVE-2021-42009 (An authenticated Apache Traffic Control Traffic Ops user with Portal-l ...) NOT-FOR-US: Apache Traffic Control -CVE-2021-3862 - RESERVED -CVE-2021-3861 - RESERVED -CVE-2021-3860 - RESERVED +CVE-2021-3862 (icecoder is vulnerable to Improper Neutralization of Input During Web ...) + NOT-FOR-US: icecoder +CVE-2021-3861 (The RNDIS USB device class includes a buffer overflow vulnerability. Z ...) + NOT-FOR-US: zephyr-rtos +CVE-2021-3860 (JFrog Artifactory before 7.25.4 (Enterprise+ deployments only), is vul ...) + NOT-FOR-US: JFrog Artifactory CVE-2021-3859 RESERVED + - undertow <undetermined> + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2010378 + TODO: check details CVE-2021-42008 (The decode_data function in drivers/net/hamradio/6pack.c in the Linux ...) - {DLA-2785-1} + {DLA-2843-1 DLA-2785-1} - linux 5.14.6-1 [bullseye] - linux 5.10.70-1 [buster] - linux 4.19.208-1 @@ -5214,6 +12150,7 @@ CVE-2021-42007 RESERVED CVE-2021-42006 (An out-of-bounds access in GffLine::GffLine in gff.cpp in GCLib 0.12.7 ...) - libgclib 0.12.7+ds-2 (bug #996591) + [bullseye] - libgclib <no-dsa> (Minor issue) NOTE: https://github.com/gpertea/gclib/issues/11 CVE-2021-42005 RESERVED @@ -5225,8 +12162,8 @@ CVE-2021-42002 (Zoho ManageEngine ADManager Plus before 7115 is vulnerable to a NOT-FOR-US: Zoho ManageEngine CVE-2021-42001 RESERVED -CVE-2021-42000 - RESERVED +CVE-2021-42000 (When a password reset or password change flow with an authentication p ...) + NOT-FOR-US: pingidentity CVE-2021-41999 RESERVED CVE-2021-41998 @@ -5286,8 +12223,8 @@ CVE-2021-41974 (Tad Book3 editing book page does not perform identity verificati NOT-FOR-US: Tad Book3 CVE-2021-3858 (snipe-it is vulnerable to Cross-Site Request Forgery (CSRF) ...) NOT-FOR-US: snipe-it -CVE-2021-3857 - RESERVED +CVE-2021-3857 (chaskiq is vulnerable to Improper Neutralization of Input During Web P ...) + NOT-FOR-US: chaskiq CVE-2021-41973 (In Apache MINA, a specifically crafted, malformed HTTP request may cau ...) NOT-FOR-US: Apache MINA CVE-2021-41972 (Apache Superset up to and including 1.3.1 allowed for database connect ...) @@ -5323,8 +12260,8 @@ CVE-2021-41964 RESERVED CVE-2021-41963 RESERVED -CVE-2021-41962 - RESERVED +CVE-2021-41962 (Cross Site Scripting (XSS) vulnerability exists in Sourcecodester Vehi ...) + NOT-FOR-US: Sourcecodester CVE-2021-41961 RESERVED CVE-2021-41960 @@ -5387,12 +12324,12 @@ CVE-2021-41932 RESERVED CVE-2021-41931 (The Company's Recruitment Management System in id=2 of the parameter f ...) NOT-FOR-US: Company's Recruitment Management System -CVE-2021-41930 - RESERVED -CVE-2021-41929 - RESERVED -CVE-2021-41928 - RESERVED +CVE-2021-41930 (Cross site scripting (XSS) vulnerability in Sourcecodester Online Covi ...) + NOT-FOR-US: Sourcecodester +CVE-2021-41929 (Cross Site Scripting (XSS) in Sourcecodester The Electric Billing Mana ...) + NOT-FOR-US: Sourcecodester +CVE-2021-41928 (SQL injection in Sourcecodester Try My Recipe (Recipe Sharing Website ...) + NOT-FOR-US: Sourcecodester CVE-2021-41927 RESERVED CVE-2021-41926 @@ -5505,10 +12442,10 @@ CVE-2021-41873 (Penguin Aurora TV Box 41502 is a high-end network HD set-top box NOT-FOR-US: Penguin Aurora TV Box 41502 CVE-2021-41872 (Skyworth Digital Technology Penguin Aurora Box 41502 has a denial of s ...) NOT-FOR-US: Skyworth Digital Technology Penguin Aurora Box 41502 -CVE-2021-41871 - RESERVED -CVE-2021-41870 - RESERVED +CVE-2021-41871 (An issue was discovered in Socomec REMOTE VIEW PRO 2.0.41.4. Improper ...) + NOT-FOR-US: Socomec +CVE-2021-41870 (An issue was discovered in the firmware update form in Socomec REMOTE ...) + NOT-FOR-US: Socomec CVE-2021-41869 (SuiteCRM 7.10.x before 7.10.33 and 7.11.x before 7.11.22 is vulnerable ...) NOT-FOR-US: SuiteCRM CVE-2021-41868 (OnionShare 2.3 before 2.4 allows remote unauthenticated attackers to u ...) @@ -5519,17 +12456,19 @@ CVE-2021-41867 (An information disclosure vulnerability in OnionShare 2.3 before TODO: check details, exact fixing commits unclear CVE-2021-41866 (MyBB before 1.8.28 allows stored XSS because the displayed Template Na ...) NOT-FOR-US: MyBB -CVE-2021-3853 - RESERVED -CVE-2021-3852 - RESERVED +CVE-2021-3853 (chaskiq is vulnerable to Improper Neutralization of Input During Web P ...) + NOT-FOR-US: chaskiq +CVE-2021-3852 (growi is vulnerable to Authorization Bypass Through User-Controlled Ke ...) + NOT-FOR-US: GROWI CVE-2021-41865 (HashiCorp Nomad and Nomad Enterprise 1.1.1 through 1.1.5 allowed authe ...) - nomad <not-affected> (Only affects 1.1.x) NOTE: https://discuss.hashicorp.com/t/hcsec-2021-26-nomad-denial-of-service-via-submission-of-incomplete-job-specification-using-consul-mesh-gateway-host-network/30311 NOTE: https://github.com/hashicorp/nomad/issues/11243 NOTE: https://github.com/hashicorp/nomad/pull/11257 CVE-2021-41864 (prealloc_elems_and_freelist in kernel/bpf/stackmap.c in the Linux kern ...) + {DLA-2843-1} - linux 5.14.12-1 + [bullseye] - linux 5.10.84-1 NOTE: https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/commit/?id=30e29a9a2bc6a4888335a6ede968b75cd329657a CVE-2021-41863 RESERVED @@ -5559,8 +12498,11 @@ CVE-2021-41851 RESERVED CVE-2021-3851 (firefly-iii is vulnerable to URL Redirection to Untrusted Site ...) NOT-FOR-US: firefly-iii -CVE-2021-3850 - RESERVED +CVE-2021-3850 (Authentication Bypass by Primary Weakness in GitHub repository adodb/a ...) + {DLA-2912-1} + - libphp-adodb <unfixed> (bug #1004376) + NOTE: https://github.com/adodb/adodb/commit/952de6c4273d9b1e91c2b838044f8c2111150c29 + NOTE: https://github.com/ADOdb/ADOdb/issues/793 CVE-2021-3849 RESERVED CVE-2021-41850 @@ -5575,22 +12517,22 @@ CVE-2021-41846 RESERVED CVE-2021-41845 (A SQL injection issue was discovered in ThycoticCentrify Secret Server ...) NOT-FOR-US: ThycoticCentrify Secret Server -CVE-2021-41844 - RESERVED -CVE-2021-41843 - RESERVED -CVE-2021-41842 - RESERVED -CVE-2021-41841 - RESERVED -CVE-2021-41840 - RESERVED -CVE-2021-41839 - RESERVED -CVE-2021-41838 - RESERVED -CVE-2021-41837 - RESERVED +CVE-2021-41844 (Crocoblock JetEngine before 2.9.1 does not properly validate and sanit ...) + NOT-FOR-US: Crocoblock JetEngine +CVE-2021-41843 (An authenticated SQL injection issue in the calendar search function o ...) + NOT-FOR-US: OpenEMR +CVE-2021-41842 (An issue was discovered in AtaLegacySmm in the kernel 5.0 before 05.08 ...) + NOT-FOR-US: Insyde +CVE-2021-41841 (An issue was discovered in AhciBusDxe in the kernel 5.0 through 5.5 in ...) + NOT-FOR-US: Insyde +CVE-2021-41840 (An issue was discovered in NvmExpressDxe in the kernel 5.0 through 5.5 ...) + NOT-FOR-US: Insyde +CVE-2021-41839 (An issue was discovered in NvmExpressDxe in the kernel 5.0 through 5.5 ...) + NOT-FOR-US: Insyde +CVE-2021-41838 (An issue was discovered in SdHostDriver in the kernel 5.0 through 5.5 ...) + NOT-FOR-US: Insyde +CVE-2021-41837 (An issue was discovered in AhciBusDxe in the kernel 5.0 through 5.5 in ...) + NOT-FOR-US: Insyde CVE-2021-41833 (Zoho ManageEngine Patch Connect Plus before 90099 is vulnerable to una ...) NOT-FOR-US: Zoho ManageEngine CVE-2021-3848 (An arbitrary file creation by privilege escalation vulnerability in Tr ...) @@ -5604,8 +12546,8 @@ CVE-2021-3846 (firefly-iii is vulnerable to Unrestricted Upload of File with Dan NOT-FOR-US: firefly-iii CVE-2021-23139 (A null pointer vulnerability in Trend Micro Apex One and Worry-Free Bu ...) NOT-FOR-US: Trend Micro -CVE-2021-3845 - RESERVED +CVE-2021-3845 (ws-scrcpy is vulnerable to External Control of File Name or Path ...) + NOT-FOR-US: ws-scrcpy CVE-2021-41832 (It is possible for an attacker to manipulate documents to appear to be ...) NOT-FOR-US: Apache OpenOffice CVE-2021-41831 (It is possible for an attacker to manipulate the timestamp of signed d ...) @@ -5616,8 +12558,13 @@ CVE-2021-3844 RESERVED CVE-2021-3843 (A potential vulnerability in the SMI function to access EEPROM in some ...) NOT-FOR-US: Lenovo -CVE-2021-3842 - RESERVED +CVE-2021-3842 (nltk is vulnerable to Inefficient Regular Expression Complexity ...) + - nltk 3.6.7-1 (bug #1003142) + [bullseye] - nltk <no-dsa> (Minor issue) + [buster] - nltk <no-dsa> (Minor issue) + [stretch] - nltk <no-dsa> (Minor issue) + NOTE: https://huntr.dev/bounties/761a761e-2be2-430a-8d92-6f74ffe9866a/ + NOTE: https://github.com/nltk/nltk/commit/2a50a3edc9d35f57ae42a921c621edc160877f4d (3.6.6) CVE-2021-3841 RESERVED CVE-2021-41829 (Zoho ManageEngine Remote Access Plus before 10.1.2121.1 relies on the ...) @@ -5640,14 +12587,39 @@ CVE-2021-41821 (Wazuh Manager in Wazuh through 4.1.5 is affected by a remote Int NOT-FOR-US: Wazuh CVE-2021-41820 RESERVED -CVE-2021-41819 - RESERVED +CVE-2021-41819 (CGI::Cookie.parse in Ruby through 2.6.8 mishandles security prefixes i ...) + {DSA-5067-1 DSA-5066-1 DLA-2853-1} + - ruby3.0 <unfixed> (bug #1002995) + - ruby2.7 2.7.5-1 + - ruby2.5 <removed> + - ruby2.3 <removed> + NOTE: Fixed in Ruby 3.0.3, 2.7.5, 2.6.9 + NOTE: https://www.ruby-lang.org/en/news/2021/11/24/cookie-prefix-spoofing-in-cgi-cookie-parse-cve-2021-41819/ + NOTE: Fixed by: https://github.com/ruby/cgi/commit/052eb3a828b0f99bca39cfd800f6c2b91307dbd5 (v0.3.1) CVE-2021-41818 RESERVED -CVE-2021-41817 - RESERVED -CVE-2021-41816 - RESERVED +CVE-2021-41817 (Date.parse in the date gem through 3.2.0 for Ruby allows ReDoS (regula ...) + {DSA-5067-1 DSA-5066-1 DLA-2853-1} + - ruby3.0 <unfixed> (bug #1002995) + - ruby2.7 2.7.5-1 + - ruby2.5 <removed> + - ruby2.3 <removed> + NOTE: Fixed in Ruby 3.0.3, 2.7.5, 2.6.9 + NOTE: https://www.ruby-lang.org/en/news/2021/11/15/date-parsing-method-regexp-dos-cve-2021-41817/ + NOTE: Fixed by: https://github.com/ruby/date/commit/3959accef8da5c128f8a8e2fd54e932a4fb253b0 (v3.2.2) + NOTE: Followups to mimic previous behaviour: + NOTE: https://github.com/ruby/date/commit/8f2d7a0c7e52cea8333824bd527822e5449ed83d (v3.2.2) + NOTE: https://github.com/ruby/date/commit/376c65942bd1d81803f14d37351737df60ec4664 (v3.2.2) +CVE-2021-41816 (CGI.escape_html in Ruby before 2.7.5 and 3.x before 3.0.3 has an integ ...) + {DSA-5067-1} + - ruby3.0 <unfixed> (bug #1002995) + - ruby2.7 2.7.5-1 + - ruby2.5 <not-affected> (Vulnerable code introduced later) + - ruby2.3 <not-affected> (Vulnerable code introduced later) + NOTE: Fixed in Ruby 3.0.3, 2.7.5 + NOTE: https://www.ruby-lang.org/en/news/2021/11/24/buffer-overrun-in-cgi-escape_html-cve-2021-41816/ + NOTE: Introduced by: https://github.com/ruby/cgi/commit/3a62e20f76ea42ff0b4d45f2952479eab266ae1c (v0.1.0) + NOTE: Fixed by: https://github.com/ruby/cgi/commit/c728632c1c09d46cfd4ecbff9caaa3651dd1002a (v0.3.1) CVE-2021-41815 RESERVED CVE-2021-41814 @@ -5660,16 +12632,17 @@ CVE-2021-41811 RESERVED CVE-2021-41810 RESERVED -CVE-2021-41809 - RESERVED -CVE-2021-41808 - RESERVED -CVE-2021-41807 - RESERVED +CVE-2021-41809 (SSRF vulnerability in M-Files Server products with versions before 22. ...) + NOT-FOR-US: M-Files Server +CVE-2021-41808 (In M-Files Server product with versions before 21.11.10775.0, enabling ...) + NOT-FOR-US: M-Files Server +CVE-2021-41807 (Lack of rate limiting in M-Files Server and M-Files Web products with ...) + NOT-FOR-US: M-Files Server CVE-2021-41806 RESERVED -CVE-2021-41805 - RESERVED +CVE-2021-41805 (HashiCorp Consul Enterprise before 1.8.17, 1.9.x before 1.9.11, and 1. ...) + - consul <not-affected> (Only affects Consul Enterprise) + NOTE: https://discuss.hashicorp.com/t/hcsec-2021-29-consul-enterprise-namespace-default-acls-allow-privilege-escalation/31871 CVE-2021-41804 RESERVED CVE-2021-41803 @@ -5715,10 +12688,10 @@ CVE-2021-41791 (An issue was discovered in Hyland org.alfresco:share through 7.0 NOT-FOR-US: Hyland org.alfresco:share and Hyland org.alfresco:community-share CVE-2021-41790 (An issue was discovered in Hyland org.alfresco:alfresco-content-servic ...) NOT-FOR-US: Hyland org.alfresco:alfresco-content-services -CVE-2021-41789 - RESERVED -CVE-2021-41788 - RESERVED +CVE-2021-41789 (In wifi driver, there is a possible system crash due to a missing vali ...) + NOT-FOR-US: Mediatek devices +CVE-2021-41788 (MediaTek microchips, as used in NETGEAR devices through 2021-12-13 and ...) + NOT-FOR-US: Netgear CVE-2021-3840 (A dependency confusion vulnerability was reported in the Antilles open ...) NOT-FOR-US: Antilles CVE-2021-41787 @@ -5763,19 +12736,23 @@ CVE-2021-3839 CVE-2021-41772 (Go before 1.16.10 and 1.17.x before 1.17.3 allows an archive/zip Reade ...) - golang-1.17 1.17.3-1 - golang-1.16 1.16.10-1 - - golang-1.15 <unfixed> - - golang-1.11 <removed> - - golang-1.8 <removed> - - golang-1.7 <removed> + - golang-1.15 <not-affected> (Vulnerable code introduced later in go1.16beta1) + - golang-1.11 <not-affected> (Vulnerable code introduced later in go1.16beta1) + - golang-1.8 <not-affected> (Vulnerable code introduced later in go1.16beta1) + - golang-1.7 <not-affected> (Vulnerable code introduced later in go1.16beta1) NOTE: https://github.com/golang/go/issues/48085 NOTE: https://groups.google.com/g/golang-announce/c/0fM21h43arc + NOTE: Introduced in: https://github.com/golang/go/commit/1296ee6b4f9058be75c799513ccb488d2f2dd085 (go1.16beta1) NOTE: https://github.com/golang/go/commit/b212ba68296b503b395e7d1838ca72a19030a6bf (go1.17.3) NOTE: https://github.com/golang/go/commit/88407a8dd98411f1730907dc8a69b99488af0052 (go1.16.10) CVE-2021-41771 (ImportedSymbols in debug/macho (for Open or OpenFat) in Go before 1.16 ...) + {DLA-2892-1 DLA-2891-1} - golang-1.17 1.17.3-1 - golang-1.16 1.16.10-1 - - golang-1.15 <unfixed> + - golang-1.15 1.15.15-5 + [bullseye] - golang-1.15 1.15.15-1~deb11u2 - golang-1.11 <removed> + [buster] - golang-1.11 <no-dsa> (Minor issue) - golang-1.8 <removed> - golang-1.7 <removed> NOTE: https://github.com/golang/go/issues/48990 @@ -5786,28 +12763,31 @@ CVE-2021-41770 (Ping Identity PingFederate before 10.3.1 mishandles pre-parsing NOT-FOR-US: Ping Identity PingFederate CVE-2021-3838 RESERVED -CVE-2021-41769 - RESERVED +CVE-2021-41769 (A vulnerability has been identified in SIPROTEC 5 6MD85 devices (CPU v ...) + NOT-FOR-US: Siemens CVE-2021-41768 RESERVED -CVE-2021-41767 - RESERVED -CVE-2021-3837 - RESERVED -CVE-2021-41766 - RESERVED -CVE-2021-3836 - RESERVED -CVE-2021-3835 - RESERVED +CVE-2021-41767 (Apache Guacamole 1.3.0 and older may incorrectly include a private tun ...) + - guacamole-client <unfixed> + [stretch] - guacamole-client <end-of-life> (unmaintained stretch-only package) + NOTE: https://www.openwall.com/lists/oss-security/2022/01/11/6 +CVE-2021-3837 (openwhyd is vulnerable to Improper Authorization ...) + NOT-FOR-US: openwhyd +CVE-2021-41766 (Apache Karaf allows monitoring of applications and the Java runtime by ...) + - apache-karaf <itp> (bug #881297) +CVE-2021-3836 (dbeaver is vulnerable to Improper Restriction of XML External Entity R ...) + - dbeaver <itp> (bug #680987) + NOTE: https://github.com/dbeaver/dbeaver/commit/4debf8f25184b7283681ed3fb5e9e887d9d4fe22 +CVE-2021-3835 (Buffer overflow in usb device class. Zephyr versions >= v2.6.0 cont ...) + NOT-FOR-US: zephyr-rtos CVE-2021-3834 (Integria IMS in its 5.0.92 version does not filter correctly some fiel ...) NOT-FOR-US: Integria IMS CVE-2021-3833 (Integria IMS login check uses a loose comparator ("==") to compare the ...) NOT-FOR-US: Integria IMS CVE-2021-3832 (Integria IMS in its 5.0.92 version is vulnerable to a Remote Code Exec ...) NOT-FOR-US: Integria IMS -CVE-2021-3831 - RESERVED +CVE-2021-3831 (gnuboard5 is vulnerable to Improper Neutralization of Input During Web ...) + NOT-FOR-US: gnuboard5 CVE-2021-41765 (A SQL injection issue in pages/edit_fields/9_ajax/add_keyword.php of R ...) NOT-FOR-US: ResourceSpace CVE-2021-41764 (A cross-site request forgery (CSRF) vulnerability exists in Streama up ...) @@ -5842,8 +12822,8 @@ CVE-2021-41750 RESERVED CVE-2021-41749 RESERVED -CVE-2021-41748 (An Incorrect Access Control issue exists in all versions of Portainer. ...) - NOT-FOR-US: Portainer +CVE-2021-41748 + REJECTED CVE-2021-41747 (Cross-Site Scripting (XSS) vulnerability exists in Csdn APP 4.10.0, wh ...) NOT-FOR-US: Csdn APP CVE-2021-41746 (SQL Injection vulnerability exists in all versions of Yonyou TurboCRM. ...) @@ -5900,18 +12880,16 @@ CVE-2021-41722 RESERVED CVE-2021-41721 RESERVED -CVE-2021-41720 (** DISPUTED ** A command injection vulnerability in Lodash 4.17.21 all ...) - - node-lodash <unfixed> (unimportant) - NOTE: https://github.com/lodash/lodash/issues/5261 - NOTE: Disputed security impact and validitity of the issue +CVE-2021-41720 + REJECTED CVE-2021-41719 RESERVED CVE-2021-41718 RESERVED CVE-2021-41717 RESERVED -CVE-2021-41716 - RESERVED +CVE-2021-41716 (Maharashtra State Electricity Board Mahavitara Android Application 8.2 ...) + NOT-FOR-US: Maharashtra State Electricity Board Mahavitara Android Application CVE-2021-41715 RESERVED CVE-2021-41714 @@ -5948,14 +12926,14 @@ CVE-2021-41699 RESERVED CVE-2021-41698 RESERVED -CVE-2021-41697 - RESERVED -CVE-2021-41696 - RESERVED -CVE-2021-41695 - RESERVED -CVE-2021-41694 - RESERVED +CVE-2021-41697 (A reflected Cross Site Scripting (XSS) vulnerability exists in Premium ...) + NOT-FOR-US: Premiumdatingscript +CVE-2021-41696 (An authentication bypass (account takeover) vulnerability exists in Pr ...) + NOT-FOR-US: Premiumdatingscript +CVE-2021-41695 (An SQL Injection vulnerability exists in Premiumdatingscript 4.2.7.7 v ...) + NOT-FOR-US: Premiumdatingscript +CVE-2021-41694 (An Incorrect Access Control vulnerability exists in Premiumdatingscrip ...) + NOT-FOR-US: Premiumdatingscript CVE-2021-41693 RESERVED CVE-2021-41692 @@ -5984,12 +12962,12 @@ CVE-2021-41681 RESERVED CVE-2021-41680 RESERVED -CVE-2021-41679 - RESERVED -CVE-2021-41678 - RESERVED -CVE-2021-41677 - RESERVED +CVE-2021-41679 (A SQL injection vulnerability exists in version 8.0 of openSIS when My ...) + NOT-FOR-US: openSIS +CVE-2021-41678 (A SQL injection vulnerability exists in version 8.0 of openSIS when My ...) + NOT-FOR-US: openSIS +CVE-2021-41677 (A SQL injection vulnerability exists in version 8.0 of openSIS when My ...) + NOT-FOR-US: openSIS CVE-2021-41676 (An SQL Injection vulnerabilty exists in the oretnom23 Pharmacy Point o ...) NOT-FOR-US: oretnom23 Pharmacy Point of Sale System CVE-2021-41675 (A Remote Code Execution (RCE) vulnerabilty exists in Sourcecodester E- ...) @@ -6022,12 +13000,12 @@ CVE-2021-41662 RESERVED CVE-2021-41661 RESERVED -CVE-2021-41660 - RESERVED -CVE-2021-41659 - RESERVED -CVE-2021-41658 - RESERVED +CVE-2021-41660 (SQL injection vulnerability in Sourcecodester Patient Appointment Sche ...) + NOT-FOR-US: Sourcecodester +CVE-2021-41659 (SQL injection vulnerability in Sourcecodester Banking System v1 by ore ...) + NOT-FOR-US: Sourcecodester +CVE-2021-41658 (Cross Site Scripting (XSS) in Sourcecodester Student Quarterly Grading ...) + NOT-FOR-US: Sourcecodester CVE-2021-41657 RESERVED CVE-2021-41656 @@ -6134,14 +13112,14 @@ CVE-2021-41611 (An issue was discovered in Squid 5.0.6 through 5.1.x before 5.2. [buster] - squid <not-affected> (Vulnerable code introduced later) NOTE: https://github.com/squid-cache/squid/security/advisories/GHSA-47m4-g3mv-9q5r NOTE: Fixed by: http://www.squid-cache.org/Versions/v5/changesets/squid-5-533b4359f16cf9ed15a6d709a57a4b06e4222cfe.patch -CVE-2021-3829 - RESERVED +CVE-2021-3829 (openwhyd is vulnerable to URL Redirection to Untrusted Site ...) + NOT-FOR-US: openwhyd CVE-2021-41610 - RESERVED -CVE-2021-41609 - RESERVED -CVE-2021-41608 - RESERVED + REJECTED +CVE-2021-41609 (SQL injection in the ID parameter of the UploadedImageDisplay.aspx end ...) + NOT-FOR-US: SelectSurvey.NET +CVE-2021-41608 (A file disclosure vulnerability in the UploadedImageDisplay.aspx endpo ...) + NOT-FOR-US: SelectSurvey.NET CVE-2021-41607 RESERVED CVE-2021-41606 @@ -6158,12 +13136,12 @@ CVE-2021-41601 RESERVED CVE-2021-41600 RESERVED -CVE-2021-41599 - RESERVED -CVE-2021-41598 - RESERVED -CVE-2021-41597 - RESERVED +CVE-2021-41599 (A remote code execution vulnerability was identified in GitHub Enterpr ...) + NOT-FOR-US: GitHub Enterprise Server +CVE-2021-41598 (A UI misrepresentation vulnerability was identified in GitHub Enterpri ...) + NOT-FOR-US: GitHub Enterprise Server +CVE-2021-41597 (SuiteCRM through 7.11.21 is vulnerable to CSRF, with resultant remote ...) + NOT-FOR-US: SuiteCRM CVE-2021-41596 (SuiteCRM before 7.10.33 and 7.11.22 allows information disclosure via ...) NOT-FOR-US: SuiteCRM CVE-2021-41595 (SuiteCRM before 7.10.33 and 7.11.22 allows information disclosure via ...) @@ -6229,8 +13207,8 @@ CVE-2021-3827 NOT-FOR-US: Keycloak CVE-2021-41572 RESERVED -CVE-2021-41571 - RESERVED +CVE-2021-41571 (In Apache Pulsar it is possible to access data from BookKeeper that do ...) + NOT-FOR-US: Apache Pulsar CVE-2021-41570 RESERVED CVE-2021-41569 (SAS/Intrnet 9.4 build 1520 and earlier allows Local File Inclusion. Th ...) @@ -6251,8 +13229,8 @@ CVE-2021-41563 (Tad Book3 editing book function does not filter special characte NOT-FOR-US: Tad Book3 CVE-2021-41562 (A vulnerability in Snow Snow Agent for Windows allows a non-admin user ...) NOT-FOR-US: Snow Snow Agent for Windows -CVE-2021-41561 - RESERVED +CVE-2021-41561 (Improper Input Validation vulnerability in Parquet-MR of Apache Parque ...) + NOT-FOR-US: Apache Parquet CVE-2021-3825 (On 2.1.15 version and below of Lider module in LiderAhenk software is ...) NOT-FOR-US: LiderAhenk CVE-2021-3824 (OpenVPN Access Server 2.9.0 through 2.9.4 allow remote attackers to in ...) @@ -6261,14 +13239,14 @@ CVE-2021-3823 (Improper Limitation of a Pathname to a Restricted Directory ('Pat NOT-FOR-US: Bitdefender CVE-2021-3822 (jsoneditor is vulnerable to Inefficient Regular Expression Complexity ...) NOT-FOR-US: jsoneditor -CVE-2021-41560 - RESERVED +CVE-2021-41560 (OpenCATS through 0.9.6 allows remote attackers to execute arbitrary co ...) + NOT-FOR-US: OpenCATS CVE-2021-41559 RESERVED CVE-2021-41558 (The set_user extension module before 3.0.0 for PostgreSQL allows Proce ...) NOT-FOR-US: set_user extension for Postgres -CVE-2021-41557 - RESERVED +CVE-2021-41557 (Sofico Miles RIA 2020.2 Build 127964T is affected by Stored Cross Site ...) + NOT-FOR-US: Sofico CVE-2021-41556 RESERVED CVE-2021-41555 (** UNSUPPORTED WHEN ASSIGNED ** In ARCHIBUS Web Central 21.3.3.815 (a ...) @@ -6277,18 +13255,18 @@ CVE-2021-41554 (** UNSUPPORTED WHEN ASSIGNED ** ARCHIBUS Web Central 21.3.3.815 NOT-FOR-US: ARCHIBUS Web Central CVE-2021-41553 (** UNSUPPORTED WHEN ASSIGNED ** In ARCHIBUS Web Central 21.3.3.815 (a ...) NOT-FOR-US: ARCHIBUS Web Central -CVE-2021-41552 - RESERVED -CVE-2021-41551 - RESERVED -CVE-2021-41550 - RESERVED +CVE-2021-41552 (CommScope SURFboard SBG6950AC2 9.1.103AA23 devices allow Command Injec ...) + NOT-FOR-US: CommScope +CVE-2021-41551 (Leostream Connection Broker 9.0.40.17 allows administrators to conduct ...) + NOT-FOR-US: Leostream Connection Broker +CVE-2021-41550 (Leostream Connection Broker 9.0.40.17 allows administrator to upload a ...) + NOT-FOR-US: Leostream Connection Broker CVE-2021-41549 RESERVED CVE-2021-41548 RESERVED -CVE-2021-41547 - RESERVED +CVE-2021-41547 (A vulnerability has been identified in Teamcenter Active Workspace V4. ...) + NOT-FOR-US: Siemens CVE-2021-41546 (A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versi ...) NOT-FOR-US: Siemens CVE-2021-41545 @@ -6351,8 +13329,8 @@ CVE-2021-3819 (firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF) .. NOT-FOR-US: firefly-iii CVE-2021-3818 (grav is vulnerable to Reliance on Cookies without Validation and Integ ...) NOT-FOR-US: Grav CMS -CVE-2021-3817 - RESERVED +CVE-2021-3817 (wbce_cms is vulnerable to Improper Neutralization of Special Elements ...) + NOT-FOR-US: wbce_cms CVE-2021-41523 RESERVED CVE-2021-41522 @@ -6399,18 +13377,35 @@ CVE-2021-41502 RESERVED CVE-2021-41501 RESERVED -CVE-2021-41500 - RESERVED -CVE-2021-41499 - RESERVED -CVE-2021-41498 - RESERVED -CVE-2021-41497 - RESERVED -CVE-2021-41496 - RESERVED -CVE-2021-41495 - RESERVED +CVE-2021-41500 (Incomplete string comparison vulnerability exits in cvxopt.org cvxop & ...) + - cvxopt 1.2.7+dfsg-1 + [bullseye] - cvxopt <no-dsa> (Minor issue) + [buster] - cvxopt <no-dsa> (Minor issue) + [stretch] - cvxopt <no-dsa> (Minor issue) + NOTE: https://github.com/cvxopt/cvxopt/issues/193 +CVE-2021-41499 (Buffer Overflow Vulnerability exists in ajaxsoundstudio.com n Pyo < ...) + - python-pyo 1.0.4-1 + [stretch] - python-pyo <no-dsa> (Minor issue) + NOTE: https://github.com/belangeo/pyo/issues/222 + NOTE: https://github.com/belangeo/pyo/commit/e7e6d2880469b523e4c41f0da2087a6a3eec4a45 (1.0.4) +CVE-2021-41498 (Buffer overflow in ajaxsoundstudio.com Pyo &lt and 1.03 in the Ser ...) + - python-pyo 1.0.4-1 + [stretch] - python-pyo <no-dsa> (Minor issue) + NOTE: https://github.com/belangeo/pyo/issues/221 + NOTE: https://github.com/belangeo/pyo/commit/017702c73332a8560c8554a36250a6da587a2418 (1.0.4) +CVE-2021-41497 (Null pointer reference in CMS_Conservative_increment_obj in RaRe-Techn ...) + NOT-FOR-US: RaRe-Technologies bounter +CVE-2021-41496 (** DISPUTED ** Buffer overflow in the array_from_pyobj function of for ...) + - numpy <unfixed> + [bullseye] - numpy <no-dsa> (Minor issue) + NOTE: https://github.com/numpy/numpy/issues/19000 + NOTE: https://github.com/numpy/numpy/pull/20630 + NOTE: https://github.com/numpy/numpy/commit/271010f1037150e95017f803f4214b8861e528f2 +CVE-2021-41495 (** DISPUTED ** Null Pointer Dereference vulnerability exists in numpy. ...) + - numpy <unfixed> + [bullseye] - numpy <no-dsa> (Minor issue) + NOTE: https://github.com/numpy/numpy/issues/19038 + TODO: check for classification/severity CVE-2021-41494 RESERVED CVE-2021-41493 @@ -6455,10 +13450,10 @@ CVE-2021-41474 RESERVED CVE-2021-41473 RESERVED -CVE-2021-41472 - RESERVED -CVE-2021-41471 - RESERVED +CVE-2021-41472 (SQL injection vulnerability in Sourcecodester Simple Membership System ...) + NOT-FOR-US: Sourcecodester +CVE-2021-41471 (SQL injection vulnerability in Sourcecodester South Gate Inn Online Re ...) + NOT-FOR-US: Sourcecodester CVE-2021-41470 RESERVED CVE-2021-41469 @@ -6509,28 +13504,28 @@ CVE-2021-41453 RESERVED CVE-2021-41452 RESERVED -CVE-2021-41451 - RESERVED -CVE-2021-41450 - RESERVED -CVE-2021-41449 - RESERVED +CVE-2021-41451 (A misconfiguration in HTTP/1.0 and HTTP/1.1 of the web interface in TP ...) + NOT-FOR-US: TP-Link +CVE-2021-41450 (An HTTP request smuggling attack in TP-Link AX10v1 before v1_211117 al ...) + NOT-FOR-US: TP-Link +CVE-2021-41449 (A path traversal attack in web interfaces of Netgear RAX35, RAX38, and ...) + NOT-FOR-US: Netgear CVE-2021-41448 RESERVED CVE-2021-41447 RESERVED CVE-2021-41446 RESERVED -CVE-2021-41445 - RESERVED +CVE-2021-41445 (A reflected cross-site-scripting attack in web application of D-Link D ...) + NOT-FOR-US: D-Link CVE-2021-41444 RESERVED CVE-2021-41443 RESERVED -CVE-2021-41442 - RESERVED -CVE-2021-41441 - RESERVED +CVE-2021-41442 (An HTTP smuggling attack in the web application of D-Link DIR-X1860 be ...) + NOT-FOR-US: D-Link +CVE-2021-41441 (A DoS attack in the web application of D-Link DIR-X1860 before v1.10WW ...) + NOT-FOR-US: D-Link CVE-2021-41440 RESERVED CVE-2021-41439 @@ -6635,8 +13630,8 @@ CVE-2021-41390 (In Ericsson ECM before 18.0, it was observed that Security Provi NOT-FOR-US: Ericsson ECM CVE-2021-41389 RESERVED -CVE-2021-41388 - RESERVED +CVE-2021-41388 (Netskope client prior to 89.x on macOS is impacted by a local privileg ...) + NOT-FOR-US: Netskope CVE-2021-41387 (seatd-launch in seatd 0.6.x before 0.6.2 allows privilege escalation b ...) - seatd <not-affected> (Vulnerable code introduced later) NOTE: https://lists.sr.ht/~kennylevinsen/seatd-announce/%3CGJ2IZQ.HCKS1J0LSI803%40kl.wtf%3E @@ -6652,8 +13647,11 @@ CVE-2021-41382 (Plastic SCM before 10.0.16.5622 mishandles the WebAdmin server m NOT-FOR-US: Plastic SCM CVE-2021-41381 (Payara Micro Community 5.2021.6 and below allows Directory Traversal. ...) NOT-FOR-US: Payara Micro Community -CVE-2021-3816 - RESERVED +CVE-2021-3816 (Cacti 1.1.38 allows authenticated users with User Management permissio ...) + - cacti 1.2.1+ds1-1 + [stretch] - cacti <not-affected> (user_group_admin.php not present, added in 1.0) + NOTE: https://github.com/Cacti/cacti/issues/1882 + NOTE: Fixed by: https://github.com/Cacti/cacti/commit/2b8097c06030ab72c5b3bdadb23dceb5332f0e94 (1.2.0-beta1) CVE-2021-41380 (** DISPUTED ** RealVNC Viewer 6.21.406 allows remote VNC servers to ca ...) NOT-FOR-US: RealVNC CVE-2021-41379 (Windows Installer Elevation of Privilege Vulnerability ...) @@ -6684,8 +13682,8 @@ CVE-2021-41367 (NTFS Elevation of Privilege Vulnerability This CVE ID is unique NOT-FOR-US: Microsoft CVE-2021-41366 (Credential Security Support Provider Protocol (CredSSP) Elevation of P ...) NOT-FOR-US: Microsoft -CVE-2021-41365 - RESERVED +CVE-2021-41365 (Microsoft Defender for IoT Remote Code Execution Vulnerability This CV ...) + NOT-FOR-US: Microsoft CVE-2021-41364 RESERVED CVE-2021-41363 (Intune Management Extension Security Feature Bypass Vulnerability ...) @@ -6694,8 +13692,8 @@ CVE-2021-41362 RESERVED CVE-2021-41361 (Active Directory Federation Server Spoofing Vulnerability ...) NOT-FOR-US: Microsoft -CVE-2021-41360 - RESERVED +CVE-2021-41360 (HEVC Video Extensions Remote Code Execution Vulnerability This CVE ID ...) + NOT-FOR-US: Microsoft CVE-2021-41359 RESERVED CVE-2021-41358 @@ -6748,8 +13746,8 @@ CVE-2021-41335 (Windows Kernel Elevation of Privilege Vulnerability ...) NOT-FOR-US: Microsoft CVE-2021-41334 (Windows Desktop Bridge Elevation of Privilege Vulnerability ...) NOT-FOR-US: Microsoft -CVE-2021-41333 - RESERVED +CVE-2021-41333 (Windows Print Spooler Elevation of Privilege Vulnerability ...) + NOT-FOR-US: Microsoft CVE-2021-41332 (Windows Print Spooler Information Disclosure Vulnerability ...) NOT-FOR-US: Microsoft CVE-2021-41331 (Windows Media Audio Decoder Remote Code Execution Vulnerability ...) @@ -6786,24 +13784,24 @@ CVE-2021-41316 (The Device42 Main Appliance before 17.05.01 does not sanitize us NOT-FOR-US: Device42 Main Appliance CVE-2021-41315 (The Device42 Remote Collector before 17.05.01 does not sanitize user i ...) NOT-FOR-US: Device42 Remote Collector -CVE-2021-3815 - RESERVED +CVE-2021-3815 (utils.js is vulnerable to Improperly Controlled Modification of Object ...) + NOT-FOR-US: fabiocaccamo/utils.js CVE-2021-3814 RESERVED -CVE-2021-3813 - RESERVED +CVE-2021-3813 (Improper Privilege Management in GitHub repository chatwoot/chatwoot p ...) + NOT-FOR-US: chatwoot CVE-2021-41314 (Certain NETGEAR smart switches are affected by a \n injection in the w ...) NOT-FOR-US: NETGEAR CVE-2021-41313 (Affected versions of Atlassian Jira Server and Data Center allow authe ...) NOT-FOR-US: Atlassian CVE-2021-41312 (Affected versions of Atlassian Jira Server and Data Center allow a rem ...) NOT-FOR-US: Atlassian -CVE-2021-41311 - RESERVED +CVE-2021-41311 (Affected versions of Atlassian Jira Server and Data Center allow attac ...) + NOT-FOR-US: Atlassian CVE-2021-41310 (Affected versions of Atlassian Jira Server and Data Center allow anony ...) NOT-FOR-US: Atlassian -CVE-2021-41309 - RESERVED +CVE-2021-41309 (Affected versions of Atlassian Jira Server and Data Center allow a use ...) + NOT-FOR-US: Atlassian CVE-2021-41308 (Affected versions of Atlassian Jira Server and Data Center allow authe ...) NOT-FOR-US: Atlassian CVE-2021-41307 (Affected versions of Atlassian Jira Server and Data Center allow unaut ...) @@ -6837,7 +13835,7 @@ CVE-2021-3805 (object-path is vulnerable to Improperly Controlled Modification o - node-object-path 0.11.8-1 [bullseye] - node-object-path 0.11.5-3+deb11u1 [buster] - node-object-path <no-dsa> (Minor issue) - [stretch] - node-object-path <no-dsa> (Minor issue) + [stretch] - node-object-path <end-of-life> (Nodejs in stretch not covered by security support) NOTE: https://huntr.dev/bounties/571e3baf-7c46-46e3-9003-ba7e4e623053 NOTE: https://github.com/mariocasciaro/object-path/commit/e6bb638ffdd431176701b3e9024f80050d0ef0a6 CVE-2021-41303 (Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a ...) @@ -6902,16 +13900,16 @@ CVE-2021-41278 (Functions SDK for EdgeX is meant to provide all the plumbing nec NOT-FOR-US: EdgeX CVE-2021-41277 (Metabase is an open source data analytics platform. In affected versio ...) NOT-FOR-US: Metabase -CVE-2021-41276 - RESERVED +CVE-2021-41276 (Tuleap is a Libre and Open Source tool for end to end traceability of ...) + NOT-FOR-US: Tuleap CVE-2021-41275 (spree_auth_devise is an open source library which provides authenticat ...) NOT-FOR-US: spree_auth_devise CVE-2021-41274 (solidus_auth_devise provides authentication services for the Solidus w ...) NOT-FOR-US: solidus_auth_devise CVE-2021-41273 (Pterodactyl is an open-source game server management panel built with ...) NOT-FOR-US: Pterodactyl -CVE-2021-41272 - RESERVED +CVE-2021-41272 (Besu is an Ethereum client written in Java. Starting in version 21.10. ...) + NOT-FOR-US: Hyperledger Besu CVE-2021-41271 (Discourse is a platform for community discussion. In affected versions ...) NOT-FOR-US: Discourse CVE-2021-41270 (Symfony/Serializer handles serializing and deserializing data structur ...) @@ -6934,18 +13932,21 @@ CVE-2021-41267 (Symfony/Http-Kernel is the HTTP kernel component for Symfony, a NOTE: https://github.com/symfony/symfony/commit/95dcf51682029e89450aee86267e3d553aa7c487 (v5.3.12) CVE-2021-41266 (Minio console is a graphical user interface for the for MinIO operator ...) NOT-FOR-US: Minio console -CVE-2021-41265 - RESERVED +CVE-2021-41265 (Flask-AppBuilder is a development framework built on top of Flask. Ver ...) + - flask-appbuilder <itp> (bug #998029) + NOTE: https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-m3rf-7m4w-r66q + NOTE: https://github.com/dpgaspar/Flask-AppBuilder/releases/tag/v3.3.4 + NOTE: https://github.com/dpgaspar/Flask-AppBuilder/commit/eba517aab121afa3f3f2edb011ec6bc4efd61fbc (3.3.4) CVE-2021-41264 (OpenZeppelin Contracts is a library for smart contract development. In ...) NOT-FOR-US: OpenZeppelin Contracts CVE-2021-41263 (rails_multisite provides multi-db support for Rails applications. In a ...) NOT-FOR-US: rails_multisite -CVE-2021-41262 - RESERVED -CVE-2021-41261 - RESERVED -CVE-2021-41260 - RESERVED +CVE-2021-41262 (Galette is a membership management web application built for non profi ...) + - galette <removed> +CVE-2021-41261 (Galette is a membership management web application built for non profi ...) + - galette <removed> +CVE-2021-41260 (Galette is a membership management web application built for non profi ...) + - galette <removed> CVE-2021-41259 (Nim is a systems programming language with a focus on efficiency, expr ...) - nim <unfixed> [bullseye] - nim <no-dsa> (Minor issue) @@ -6956,8 +13957,8 @@ CVE-2021-41258 (Kirby is an open source file structured CMS. In affected version NOT-FOR-US: Kirby CVE-2021-41257 RESERVED -CVE-2021-41256 - RESERVED +CVE-2021-41256 (nextcloud news-android is an Android client for the Nextcloud news/fee ...) + NOT-FOR-US: nextcloud news-android App CVE-2021-41255 RESERVED CVE-2021-41254 (kustomize-controller is a Kubernetes operator, specialized in running ...) @@ -6978,19 +13979,19 @@ CVE-2021-41249 (GraphQL Playground is a GraphQL IDE for development of graphQL f CVE-2021-41248 (GraphiQL is the reference implementation of this monorepo, GraphQL IDE ...) NOT-FOR-US: GraphiQL CVE-2021-41247 (JupyterHub is an open source multi-user server for Jupyter notebooks. ...) - - jupyterhub <unfixed> + - jupyterhub 2.0.0+ds1-1 NOTE: https://github.com/jupyterhub/jupyterhub/security/advisories/GHSA-cw7p-q79f-m2v7 NOTE: https://github.com/jupyterhub/jupyterhub/commit/5ac9e7f73a6e1020ffddc40321fc53336829fe27 -CVE-2021-41246 - RESERVED +CVE-2021-41246 (Express OpenID Connect is express JS middleware implementing sign on f ...) + NOT-FOR-US: Express OpenID Connect CVE-2021-41245 RESERVED CVE-2021-41244 (Grafana is an open-source platform for monitoring and observability. I ...) - grafana <removed> CVE-2021-41243 (There is a Potential Zip Slip Vulnerability and OS Command Injection V ...) NOT-FOR-US: baserCMS -CVE-2021-41242 - RESERVED +CVE-2021-41242 (OpenOlat is a web-basedlearning management system. A path traversal vu ...) + NOT-FOR-US: OpenOlat CVE-2021-41241 RESERVED CVE-2021-41240 @@ -7001,8 +14002,8 @@ CVE-2021-41238 (Hangfire is an open source system to perform background job proc NOT-FOR-US: Hangfire CVE-2021-41237 RESERVED -CVE-2021-41236 - RESERVED +CVE-2021-41236 (OroPlatform is a PHP Business Application Platform. In affected versio ...) + NOT-FOR-US: OroPlatform CVE-2021-41235 RESERVED CVE-2021-41234 @@ -7017,7 +14018,7 @@ CVE-2021-41230 (Pomerium is an open source identity-aware access proxy. In affec NOT-FOR-US: Pomerium CVE-2021-41229 (BlueZ is a Bluetooth protocol stack for Linux. In affected versions a ...) {DLA-2827-1} - - bluez <unfixed> (bug #1000262) + - bluez 5.62-2 (bug #1000262) [bullseye] - bluez <no-dsa> (Minor issue) [buster] - bluez <no-dsa> (Minor issue) NOTE: https://github.com/bluez/bluez/security/advisories/GHSA-3fqg-r8j5-f5xq @@ -7118,20 +14119,29 @@ CVE-2021-41185 (Mycodo is an environmental monitoring and regulation system. An NOT-FOR-US: Mycodo CVE-2021-41184 (jQuery-UI is the official jQuery user interface library. Prior to vers ...) - jqueryui 1.13.0+dfsg-1 + [bullseye] - jqueryui 1.12.1+dfsg-8+deb11u1 [stretch] - jqueryui <no-dsa> (Minor issue) NOTE: https://github.com/jquery/jquery-ui/security/advisories/GHSA-gpqq-952q-5327 NOTE: https://github.com/jquery/jquery-ui/commit/effa323f1505f2ce7a324e4f429fa9032c72f280 CVE-2021-41183 (jQuery-UI is the official jQuery user interface library. Prior to vers ...) + {DLA-2889-1} + - drupal7 <removed> - jqueryui 1.13.0+dfsg-1 + [bullseye] - jqueryui 1.12.1+dfsg-8+deb11u1 [stretch] - jqueryui <no-dsa> (Minor issue) NOTE: https://github.com/jquery/jquery-ui/security/advisories/GHSA-j7qv-pgf6-hvh4 NOTE: https://bugs.jqueryui.com/ticket/15284 NOTE: https://github.com/jquery/jquery-ui/pull/1953 + NOTE: https://www.drupal.org/sa-core-2022-001 CVE-2021-41182 (jQuery-UI is the official jQuery user interface library. Prior to vers ...) + {DLA-2889-1} + - drupal7 <removed> - jqueryui 1.13.0+dfsg-1 + [bullseye] - jqueryui 1.12.1+dfsg-8+deb11u1 [stretch] - jqueryui <no-dsa> (Minor issue) NOTE: https://github.com/jquery/jquery-ui/security/advisories/GHSA-9gj3-hwp5-pmwc NOTE: https://github.com/jquery/jquery-ui/commit/32850869d308d5e7c9bf3e3b4d483ea886d373ce + NOTE: https://www.drupal.org/sa-core-2022-002 CVE-2021-41181 RESERVED CVE-2021-41180 @@ -7162,14 +14172,18 @@ CVE-2021-41168 (Snudown is a reddit-specific fork of the Sundown Markdown parser NOT-FOR-US: Snudown CVE-2021-41167 (modern-async is an open source JavaScript tooling library for asynchro ...) NOT-FOR-US: modern-async -CVE-2021-41166 - RESERVED +CVE-2021-41166 (The Nextcloud Android app is the Android client for Nextcloud, a self- ...) + NOT-FOR-US: Nextcloud Android app CVE-2021-41165 (CKEditor4 is an open source WYSIWYG HTML editor. In affected version a ...) - ckeditor <unfixed> (bug #999909) + [bullseye] - ckeditor <no-dsa> (Minor issue) + [buster] - ckeditor <no-dsa> (Minor issue) [stretch] - ckeditor <no-dsa> (Minor issue) NOTE: https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7h26-63m7-qhf2 (v4.17.0) CVE-2021-41164 (CKEditor4 is an open source WYSIWYG HTML editor. In affected versions ...) - ckeditor <unfixed> (bug #999909) + [bullseye] - ckeditor <no-dsa> (Minor issue) + [buster] - ckeditor <no-dsa> (Minor issue) [stretch] - ckeditor <no-dsa> (Minor issue) NOTE: https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-pvmx-g8h5-cprj (v4.17.0) CVE-2021-41163 (Discourse is an open source platform for community discussion. In affe ...) @@ -7179,19 +14193,23 @@ CVE-2021-41162 CVE-2021-41161 RESERVED CVE-2021-41160 (FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), ...) - - freerdp2 <unfixed> + - freerdp2 2.4.1+dfsg1-1 (bug #1001062) [bullseye] - freerdp2 <no-dsa> (Minor issue) [buster] - freerdp2 <no-dsa> (Minor issue) - freerdp <removed> [stretch] - freerdp <no-dsa> (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-7c9r-6r2q-93qg + NOTE: https://github.com/FreeRDP/FreeRDP/pull/7349 + NOTE: https://github.com/FreeRDP/FreeRDP/commit/217e0caa181fc1690cf84dd6a3ba1a4f90c02692 CVE-2021-41159 (FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), ...) - - freerdp2 <unfixed> + - freerdp2 2.4.1+dfsg1-1 (bug #1001061) [bullseye] - freerdp2 <no-dsa> (Minor issue) [buster] - freerdp2 <no-dsa> (Minor issue) - freerdp <removed> [stretch] - freerdp <no-dsa> (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-vh34-m9h7-95xq + NOTE: https://github.com/FreeRDP/FreeRDP/commit/d39a7ba5c38e3ba3b99b1558dc2ab0970cbfb0c5 (Stable 2.0 backports) + NOTE: https://github.com/FreeRDP/FreeRDP/commit/f0b44da67c09488178000725ff9f2729ccfdf9fe CVE-2021-41158 (FreeSWITCH is a Software Defined Telecom Stack enabling the digital tr ...) - freeswitch <itp> (bug #389591) NOTE: https://github.com/signalwire/freeswitch/security/advisories/GHSA-3v3f-99mv-qvj4 @@ -7233,8 +14251,10 @@ CVE-2021-41143 RESERVED CVE-2021-41142 (Tuleap Open ALM is a libre and open source tool for end to end traceab ...) NOT-FOR-US: Tuleap -CVE-2021-41141 - RESERVED +CVE-2021-41141 (PJSIP is a free and open source multimedia communication library writt ...) + - pjproject <removed> + NOTE: https://github.com/pjsip/pjproject/security/advisories/GHSA-8fmx-hqw7-6gmc + NOTE: https://github.com/pjsip/pjproject/commit/1aa2c0e0fb60a1b0bf793e0d834073ffe50fb196 CVE-2021-41140 (Discourse-reactions is a plugin for the Discourse platform that allows ...) NOT-FOR-US: Discourse plugin CVE-2021-41139 (Anuko Time Tracker is an open source, web-based time tracking applicat ...) @@ -7268,6 +14288,9 @@ CVE-2021-41126 (October is a Content Management System (CMS) and web platform bu NOT-FOR-US: October CMS CVE-2021-41125 (Scrapy is a high-level web crawling and scraping framework for Python. ...) - python-scrapy 2.5.1-1 + [bullseye] - python-scrapy <no-dsa> (Minor issue) + [buster] - python-scrapy <no-dsa> (Minor issue) + [stretch] - python-scrapy <no-dsa> (Minor issue) NOTE: https://github.com/scrapy/scrapy/security/advisories/GHSA-jwqp-28gf-p498 CVE-2021-41124 (Scrapy-splash is a library which provides Scrapy and JavaScript integr ...) NOT-FOR-US: Scrapy-splash @@ -7347,21 +14370,21 @@ CVE-2021-41093 (Wire is an open source secure messenger. In affected versions if NOT-FOR-US: Wire iOS CVE-2021-41092 (Docker CLI is the command line interface for the docker container runt ...) - docker.io 20.10.10+dfsg1-1 (bug #998292) - [bullseye] - docker.io <no-dsa> (Minor issue) + [bullseye] - docker.io 20.10.5+dfsg1-1+deb11u1 [buster] - docker.io <no-dsa> (Minor issue) NOTE: https://github.com/docker/cli/security/advisories/GHSA-99pg-grm5-qq3v NOTE: https://github.com/docker/cli/commit/893e52cf4ba4b048d72e99748e0f86b2767c6c6b CVE-2021-41091 (Moby is an open-source project created by Docker to enable software co ...) - docker.io 20.10.10+dfsg1-1 - [bullseye] - docker.io <no-dsa> (Minor issue) + [bullseye] - docker.io 20.10.5+dfsg1-1+deb11u1 [buster] - docker.io <no-dsa> (Minor issue) NOTE: https://github.com/moby/moby/security/advisories/GHSA-3fwx-pjgw-3558 NOTE: https://github.com/moby/moby/commit/f0ab919f518c47240ea0e72d0999576bb8008e64 -CVE-2021-41090 - RESERVED +CVE-2021-41090 (Grafana Agent is a telemetry collector for sending metrics, logs, and ...) + NOT-FOR-US: Grafana Agent CVE-2021-41089 (Moby is an open-source project created by Docker to enable software co ...) - docker.io 20.10.10+dfsg1-1 - [bullseye] - docker.io <no-dsa> (Minor issue) + [bullseye] - docker.io 20.10.5+dfsg1-1+deb11u1 [buster] - docker.io <no-dsa> (Minor issue) NOTE: https://github.com/moby/moby/security/advisories/GHSA-v994-f8vw-g7j4 CVE-2021-41088 (Elvish is a programming language and interactive shell, combined into ...) @@ -7393,12 +14416,17 @@ CVE-2021-41079 (Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1 NOTE: https://github.com/apache/tomcat/commit/d4b340fa8feaf55831f9a59350578f7b6ca048b8 (9.0.44) NOTE: https://github.com/apache/tomcat/commit/b90d4fc1ff44f30e4b3aba622ba6677e3f003822 (8.5.64) CVE-2021-3803 (nth-check is vulnerable to Inefficient Regular Expression Complexity ...) - NOT-FOR-US: nth-check -CVE-2021-3802 - RESERVED + - node-nth-check 2.0.1-1 + [bullseye] - node-nth-check <no-dsa> (Minor issue) + [buster] - node-nth-check <no-dsa> (Minor issue) + [stretch] - node-nth-check <end-of-life> (Nodejs in stretch not covered by security support) + NOTE: https://github.com/fb55/nth-check/commit/9894c1d2010870c351f66c6f6efcf656e26bb726 (v2.0.1) + NOTE: https://huntr.dev/bounties/8cf8cc06-d2cf-4b4e-b42c-99fafb0b04d0/ + NOTE: https://github.com/advisories/GHSA-rp65-9cf3-cjxr +CVE-2021-3802 (A vulnerability found in udisks2. This flaw allows an attacker to inpu ...) {DLA-2809-1} - udisks2 2.9.4-1 - [bullseye] - udisks2 <no-dsa> (Minor issue) + [bullseye] - udisks2 2.9.2-2+deb11u1 [buster] - udisks2 <no-dsa> (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2003649 NOTE: https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-045.txt @@ -7441,16 +14469,16 @@ CVE-2021-41069 RESERVED CVE-2021-41068 RESERVED -CVE-2021-41067 - RESERVED -CVE-2021-41066 - RESERVED -CVE-2021-41065 - RESERVED +CVE-2021-41067 (An issue was discovered in Listary through 6. Improper implementation ...) + NOT-FOR-US: Listary +CVE-2021-41066 (An issue was discovered in Listary through 6. When Listary is configur ...) + NOT-FOR-US: Listary +CVE-2021-41065 (An issue was discovered in Listary through 6. An attacker can create a ...) + NOT-FOR-US: Listary CVE-2021-41064 RESERVED -CVE-2021-41063 - RESERVED +CVE-2021-41063 (SQL injection vulnerability was discovered in Aanderaa GeoView Webserv ...) + NOT-FOR-US: Aanderaa GeoView Webservice CVE-2021-41062 RESERVED CVE-2021-41061 (In RIOT-OS 2021.01, nonce reuse in 802.15.4 encryption in the ieee8201 ...) @@ -7466,11 +14494,13 @@ CVE-2021-41057 (In WIBU CodeMeter Runtime before 7.30a, creating a crafted CmDon CVE-2021-41056 RESERVED CVE-2021-41055 (Gajim 1.2.x and 1.3.x before 1.3.3 allows remote attackers to cause a ...) + {DSA-5064-1} - python-nbxmpp 2.0.4-1 + [buster] - python-nbxmpp <not-affected> (Vulnerable code not present) + [stretch] - python-nbxmpp <not-affected> (Vulnerable code introduced later (modules added in v1.0.0)) NOTE: https://dev.gajim.org/gajim/gajim/-/issues/10638 NOTE: https://dev.gajim.org/gajim/python-nbxmpp/-/commit/8a626829d7c4b14077f764e61b1d1e867d21413f NOTE: Fix in python-nbxmpp, and gajim 1.3.3 bumps depends on required nbxmpp version. - TODO: double-check correctness for tracking of source package, underlying issue is fixed in python-nbxmpp CVE-2021-41053 RESERVED CVE-2021-41052 @@ -7491,16 +14521,25 @@ CVE-2021-41045 RESERVED CVE-2021-41044 RESERVED -CVE-2021-41043 - RESERVED +CVE-2021-41043 (Use after free in tcpslice triggers AddressSanitizer, no other confirm ...) + - tcpslice <unfixed> (bug #1003190) + [bullseye] - tcpslice <no-dsa> (Minor issue) + [buster] - tcpslice <no-dsa> (Minor issue) + [stretch] - tcpslice <no-dsa> (Minor issue) + NOTE: https://github.com/the-tcpdump-group/tcpslice/issues/11 + NOTE: https://github.com/the-tcpdump-group/tcpslice/commit/030859fce9c77417de657b9bb29c0f78c2d68f4a (tcpslice-1.5) CVE-2021-41042 RESERVED CVE-2021-41041 RESERVED -CVE-2021-41040 - RESERVED -CVE-2021-41039 - RESERVED +CVE-2021-41040 (In Eclipse Wakaama, ever since its inception until 2021-01-14, the CoA ...) + NOT-FOR-US: Eclipse Wakaama +CVE-2021-41039 (In versions 1.6 to 2.0.11 of Eclipse Mosquitto, an MQTT v5 client conn ...) + - mosquitto <unfixed> (bug #1001028) + [buster] - mosquitto <not-affected> (Vulnerable code introduced later) + [stretch] - mosquitto <not-affected> (Vulnerable code introduced later) + NOTE: https://bugs.eclipse.org/bugs/show_bug.cgi?id=575314 + NOTE: Fixed by: https://github.com/eclipse/mosquitto/commit/9d6a73f9f72005c2f19a262f15d28327eedea91f (v2.0.12) CVE-2021-41038 (In versions of the @theia/plugin-ext component of Eclipse Theia prior ...) NOT-FOR-US: Eclipse Theia CVE-2021-41037 @@ -7518,42 +14557,42 @@ CVE-2021-41032 RESERVED CVE-2021-41031 RESERVED -CVE-2021-41030 - RESERVED -CVE-2021-41029 - RESERVED -CVE-2021-41028 - RESERVED -CVE-2021-41027 - RESERVED +CVE-2021-41030 (An authentication bypass by capture-replay vulnerability [CWE-294] in ...) + NOT-FOR-US: FortiGuard +CVE-2021-41029 (A improper neutralization of input during web page generation ('cross- ...) + NOT-FOR-US: FortiGuard +CVE-2021-41028 (A combination of a use of hard-coded cryptographic key vulnerability [ ...) + NOT-FOR-US: FortiGuard +CVE-2021-41027 (A stack-based buffer overflow in Fortinet FortiWeb version 6.4.1 and 6 ...) + NOT-FOR-US: FortiGuard CVE-2021-41026 RESERVED -CVE-2021-41025 - RESERVED -CVE-2021-41024 - RESERVED +CVE-2021-41025 (Multiple vulnerabilities in the authentication mechanism of confd in F ...) + NOT-FOR-US: FortiGuard +CVE-2021-41024 (A relative path traversal [CWE-23] vulnerabiltiy in FortiOS versions 7 ...) + NOT-FOR-US: FortiGuard CVE-2021-41023 (A unprotected storage of credentials in Fortinet FortiSIEM Windows Age ...) NOT-FOR-US: Fortiguard CVE-2021-41022 (A improper privilege management in Fortinet FortiSIEM Windows Agent ve ...) NOT-FOR-US: Fortiguard -CVE-2021-41021 - RESERVED +CVE-2021-41021 (A privilege escalation vulnerability in FortiNAC versions 8.8.8 and be ...) + NOT-FOR-US: FortiGuard CVE-2021-41020 RESERVED CVE-2021-41019 (An improper validation of certificate with host mismatch [CWE-297] vul ...) NOT-FOR-US: Fortiguard -CVE-2021-41018 - RESERVED -CVE-2021-41017 - RESERVED -CVE-2021-41016 - RESERVED -CVE-2021-41015 - RESERVED -CVE-2021-41014 - RESERVED -CVE-2021-41013 - RESERVED +CVE-2021-41018 (A improper neutralization of special elements used in an os command (' ...) + NOT-FOR-US: FortiGuard +CVE-2021-41017 (Multiple heap-based buffer overflow vulnerabilities in some web API co ...) + NOT-FOR-US: FortiGuard +CVE-2021-41016 (A improper neutralization of special elements used in a command ('comm ...) + NOT-FOR-US: FortiGuard +CVE-2021-41015 (A improper neutralization of input during web page generation ('cross- ...) + NOT-FOR-US: FortiGuard +CVE-2021-41014 (A uncontrolled resource consumption in Fortinet FortiWeb version 6.4.1 ...) + NOT-FOR-US: FortiGuard +CVE-2021-41013 (An improper access control vulnerability [CWE-284] in FortiWeb version ...) + NOT-FOR-US: FortiGuard CVE-2021-41012 RESERVED CVE-2021-41011 (LINE client for iOS before 11.15.0 might expose authentication informa ...) @@ -7612,6 +14651,7 @@ CVE-2021-3800 RESERVED CVE-2021-40985 (Buffer overflow vulnerability in htmldoc before 1.9.12, allows attacke ...) - htmldoc 1.9.13-1 (unimportant) + [bullseye] - htmldoc 1.9.11-4+deb11u1 NOTE: https://github.com/michaelrsweet/htmldoc/issues/444 NOTE: https://github.com/michaelrsweet/htmldoc/commit/f12b9666e582a8e7b70f11b28e5ffc49ad625d43 (v1.9.13) NOTE: Crash in CLI tool, no security impact @@ -7781,12 +14821,12 @@ CVE-2021-40911 RESERVED CVE-2021-40910 RESERVED -CVE-2021-40909 - RESERVED -CVE-2021-40908 - RESERVED -CVE-2021-40907 - RESERVED +CVE-2021-40909 (Cross site scripting (XSS) vulnerability in sourcecodester PHP CRUD wi ...) + NOT-FOR-US: Sourcecodester +CVE-2021-40908 (SQL injection vulnerability in Login.php in Sourcecodester Purchase Or ...) + NOT-FOR-US: Sourcecodester +CVE-2021-40907 (SQL injection vulnerability in Sourcecodester Storage Unit Rental Mana ...) + NOT-FOR-US: Sourcecodester CVE-2021-40906 RESERVED CVE-2021-40905 @@ -7833,10 +14873,10 @@ CVE-2021-40885 RESERVED CVE-2021-40884 (Projectsend version r1295 is affected by sensitive information disclos ...) NOT-FOR-US: Projectsend -CVE-2021-40883 - RESERVED -CVE-2021-40882 - RESERVED +CVE-2021-40883 (A Remote Code Execution (RCE) vulnerability exists in emlog 5.3.1 via ...) + NOT-FOR-US: emlog +CVE-2021-40882 (A Cross Site Scripting (XSS) vulnerability exists in Piwigo 11.5.0 via ...) + - piwigo <removed> CVE-2021-40881 (An issue in the BAT file parameters of PublicCMS v4.0 allows attackers ...) NOT-FOR-US: PublicCMS CVE-2021-40880 @@ -7851,8 +14891,15 @@ CVE-2021-40876 RESERVED CVE-2021-40875 (Improper Access Control in Gurock TestRail versions < 7.2.0.3014 re ...) NOT-FOR-US: Gurock TestRail -CVE-2021-40874 - RESERVED +CVE-2021-40874 [RESTServer pwdConfirm always returns true with Combination + Kerberos] + RESERVED + [experimental] - lemonldap-ng 2.0.14~exp+ds-1 + - lemonldap-ng <unfixed> (bug #1005302) + [bullseye] - lemonldap-ng <no-dsa> (Minor issue) + [buster] - lemonldap-ng <no-dsa> (Minor issue) + [stretch] - lemonldap-ng <no-dsa> (Minor issue) + NOTE: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2612 + NOTE: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/66946e8f754812b375768c2124937137c856fe0c CVE-2021-40873 (An issue was discovered in Softing Industrial Automation OPC UA C++ SD ...) NOT-FOR-US: Softing Industrial Automation CVE-2021-40872 (An issue was discovered in Softing Industrial Automation uaToolkit Emb ...) @@ -7888,10 +14935,10 @@ CVE-2021-40865 (An Unsafe Deserialization vulnerability exists in the worker ser CVE-2021-3797 (hestiacp is vulnerable to Use of Wrong Operator in String Comparison ...) NOT-FOR-US: Hestia Control Panel CVE-2021-3796 (vim is vulnerable to Use After Free ...) + {DLA-2876-1} - vim 2:8.2.3455-1 (bug #994497) - [bullseye] - vim <no-dsa> (Minor issue) + [bullseye] - vim 2:8.2.2434-3+deb11u1 [buster] - vim <no-dsa> (Minor issue) - [stretch] - vim <no-dsa> (Minor issue) NOTE: https://huntr.dev/bounties/ab60b7f3-6fb1-4ac2-a4fa-4d592e08008d/ NOTE: https://github.com/vim/vim/commit/35a9a00afcb20897d462a766793ff45534810dc3 (v8.2.3428) NOTE: https://www.openwall.com/lists/oss-security/2021/10/01/1 @@ -7905,30 +14952,30 @@ CVE-2021-40863 RESERVED CVE-2021-40862 (HashiCorp Terraform Enterprise up to v202108-1 contained an API endpoi ...) NOT-FOR-US: HashiCorp Terraform Enterprise -CVE-2021-40861 - RESERVED -CVE-2021-40860 - RESERVED -CVE-2021-40859 - RESERVED -CVE-2021-40858 - RESERVED -CVE-2021-40857 - RESERVED -CVE-2021-40856 - RESERVED -CVE-2021-40855 - RESERVED +CVE-2021-40861 (A SQL Injection in the custom filter query component in Genesys intell ...) + NOT-FOR-US: Genesys +CVE-2021-40860 (A SQL Injection in the custom filter query component in Genesys intell ...) + NOT-FOR-US: Genesys +CVE-2021-40859 (Backdoors were discovered in Auerswald COMpact 5500R 7.8A and 8.0B dev ...) + NOT-FOR-US: Auerswald +CVE-2021-40858 (Auerswald COMpact 5500R devices before 8.2B allow Arbitrary File Discl ...) + NOT-FOR-US: Auerswald COMpact 5500R devices +CVE-2021-40857 (Auerswald COMpact 5500R devices before 8.2B allow Privilege Escalation ...) + NOT-FOR-US: Auerswald COMpact 5500R devices +CVE-2021-40856 (Auerswald COMfortel 1400 IP and 2600 IP before 2.8G devices allow Auth ...) + NOT-FOR-US: Auerswald +CVE-2021-40855 (The EU Technical Specifications for Digital COVID Certificates before ...) + NOT-FOR-US: EU Technical Specifications for Digital COVID Certificates CVE-2021-40854 (AnyDesk before 6.2.6 and 6.3.x before 6.3.3 allows a local user to obt ...) NOT-FOR-US: AnyDesk -CVE-2021-40853 - RESERVED -CVE-2021-40852 - RESERVED -CVE-2021-40851 - RESERVED -CVE-2021-40850 - RESERVED +CVE-2021-40853 (TCMAN GIM does not perform an authorization check when trying to acces ...) + NOT-FOR-US: TCMAN GIM +CVE-2021-40852 (TCMAN GIM is affected by an open redirect vulnerability. This vulnerab ...) + NOT-FOR-US: TCMAN GIM +CVE-2021-40851 (TCMAN GIM is vulnerable to a lack of authorization in all available we ...) + NOT-FOR-US: TCMAN GIM +CVE-2021-40850 (TCMAN GIM is vulnerable to a SQL injection vulnerability inside severa ...) + NOT-FOR-US: TCMAN GIM CVE-2021-40849 (In Mahara before 20.04.5, 20.10.3, 21.04.2, and 21.10.0, the account a ...) - mahara <removed> CVE-2021-40848 (In Mahara before 20.04.5, 20.10.3, 21.04.2, and 21.10.0, exported CSV ...) @@ -7945,10 +14992,10 @@ CVE-2021-40843 (Proofpoint Insider Threat Management Server contains an unsafe d NOT-FOR-US: Proofpoint CVE-2021-40842 (Proofpoint Insider Threat Management Server contains a SQL injection v ...) NOT-FOR-US: Proofpoint -CVE-2021-40841 - RESERVED -CVE-2021-40840 - RESERVED +CVE-2021-40841 (A Path Traversal vulnerability for a log file in LiveConfig 2.12.2 all ...) + NOT-FOR-US: LiveConfig +CVE-2021-40840 (A Stored XSS issue exists in the admin/users user administration form ...) + NOT-FOR-US: LiveConfig CVE-2021-40839 (The rencode package through 1.0.6 for Python allows an infinite loop i ...) - python-rencode 1.0.6-2 [bullseye] - python-rencode <no-dsa> (Minor issue) @@ -7958,14 +15005,14 @@ CVE-2021-40839 (The rencode package through 1.0.6 for Python allows an infinite NOTE: https://github.com/aresch/rencode/pull/29 CVE-2021-40838 RESERVED -CVE-2021-40837 - RESERVED -CVE-2021-40836 - RESERVED -CVE-2021-40835 - RESERVED -CVE-2021-40834 - RESERVED +CVE-2021-40837 (A vulnerability affecting F-Secure antivirus engine before Capricorn u ...) + NOT-FOR-US: F-Secure +CVE-2021-40836 (A vulnerability affecting F-Secure antivirus engine was discovered whe ...) + NOT-FOR-US: F-Secure +CVE-2021-40835 (An URL Address bar spoofing vulnerability was discovered in Safe Brows ...) + NOT-FOR-US: Safe Browser for iOS +CVE-2021-40834 (A user interface overlay vulnerability was discovered in F-secure SAFE ...) + NOT-FOR-US: F-secure CVE-2021-40833 (A vulnerability affecting F-Secure antivirus engine was discovered whe ...) NOT-FOR-US: F-Secure CVE-2021-40832 (A Denial-of-Service (DoS) vulnerability was discovered in F-Secure Atl ...) @@ -7978,10 +15025,16 @@ CVE-2021-40829 (Connections initialized by the AWS IoT Device SDK v2 for Java (v NOT-FOR-US: AWS IoT Device SDK CVE-2021-40828 (Connections initialized by the AWS IoT Device SDK v2 for Java (version ...) NOT-FOR-US: AWS IoT Device SDK -CVE-2021-40827 - RESERVED -CVE-2021-40826 - RESERVED +CVE-2021-40827 (Clementine Music Player through 1.3.1 (when a GLib 2.0.0 DLL is used) ...) + - clementine <unfixed> (unimportant) + NOTE: https://voidsec.com/advisories/cve-2021-40827/ + NOTE: Bogus report with hardly useful details whether affects clementine/gstreamer, but + NOTE: regardless just a crash in a CLI tool +CVE-2021-40826 (Clementine Music Player through 1.3.1 is vulnerable to a User Mode Wri ...) + - clementine <unfixed> (unimportant) + NOTE: https://voidsec.com/advisories/cve-2021-40826/ + NOTE: Bogus report with hardly useful details whether affects clementine/gstreamer, but + NOTE: regardless just a crash in a CLI tool CVE-2021-40825 (nLight ECLYPSE (nECY) system Controllers running software prior to 1.1 ...) NOT-FOR-US: nLight ECLYPSE (nECY) system Controllers CVE-2021-40824 (A logic error in the room key sharing functionality of Element Android ...) @@ -8025,8 +15078,7 @@ CVE-2021-3783 (yourls is vulnerable to Improper Neutralization of Input During W NOT-FOR-US: yourls CVE-2021-3782 RESERVED -CVE-2021-3781 [Include device specifier strings in access validation] - RESERVED +CVE-2021-3781 (A trivial sandbox (enabled with the `-dSAFER` option) escape flaw was ...) {DSA-4972-1} - ghostscript 9.53.3~dfsg-8 (bug #994011) [buster] - ghostscript <not-affected> (Vulnerable code introduced later) @@ -8043,8 +15095,8 @@ CVE-2021-40815 RESERVED CVE-2021-40814 (The Customer Photo Gallery addon before 2.9.4 for PrestaShop is vulner ...) NOT-FOR-US: PrestaShop addon -CVE-2021-40813 - RESERVED +CVE-2021-40813 (A cross-site scripting (XSS) vulnerability in the "Zip content" featur ...) + NOT-FOR-US: Element-IT HTTP Commander CVE-2021-40812 (The GD Graphics Library (aka LibGD) through 2.3.2 has an out-of-bounds ...) - libgd2 <unfixed> [bullseye] - libgd2 <no-dsa> (Minor issue) @@ -8056,8 +15108,8 @@ CVE-2021-40811 RESERVED CVE-2021-40810 RESERVED -CVE-2021-40809 - RESERVED +CVE-2021-40809 (An issue was discovered in Jamf Pro before 10.32.0, aka PI-009921. An ...) + NOT-FOR-US: Jamf Pro CVE-2021-40808 RESERVED CVE-2021-40807 @@ -8111,10 +15163,10 @@ CVE-2021-40786 RESERVED CVE-2021-40785 RESERVED -CVE-2021-40784 - RESERVED -CVE-2021-40783 - RESERVED +CVE-2021-40784 (Adobe Premiere Rush version 1.5.16 (and earlier) is affected by a memo ...) + NOT-FOR-US: Adobe +CVE-2021-40783 (Adobe Premiere Rush version 1.5.16 (and earlier) is affected by a memo ...) + NOT-FOR-US: Adobe CVE-2021-40782 RESERVED CVE-2021-40781 @@ -8235,8 +15287,8 @@ CVE-2021-40724 (Acrobat Reader for Android versions 21.8.0 (and earlier) are aff NOT-FOR-US: Adobe CVE-2021-40723 RESERVED -CVE-2021-40722 - RESERVED +CVE-2021-40722 (AEM Forms Cloud Service offering, as well as version 6.5.10.0 (and bel ...) + NOT-FOR-US: Adobe CVE-2021-40721 (Adobe Connect version 11.2.3 (and earlier) is affected by a reflected ...) NOT-FOR-US: Adobe CVE-2021-40720 (Ops CLI version 2.0.4 (and earlier) is affected by a Deserialization o ...) @@ -8288,17 +15340,17 @@ CVE-2021-40698 CVE-2021-40697 (Adobe Framemaker versions 2019 Update 8 (and earlier) and 2020 Release ...) NOT-FOR-US: Adobe CVE-2021-40696 - RESERVED -CVE-2021-40695 - RESERVED -CVE-2021-40694 - RESERVED -CVE-2021-40693 - RESERVED -CVE-2021-40692 - RESERVED -CVE-2021-40691 - RESERVED + REJECTED +CVE-2021-40695 (It was possible for a student to view their quiz grade before it had b ...) + - moodle <removed> +CVE-2021-40694 (Insufficient escaping of the LaTeX preamble made it possible for site ...) + - moodle <removed> +CVE-2021-40693 (An authentication bypass risk was identified in the external database ...) + - moodle <removed> +CVE-2021-40692 (Insufficient capability checks made it possible for teachers to downlo ...) + - moodle <removed> +CVE-2021-40691 (A session hijack risk was identified in the Shibboleth authentication ...) + - moodle <removed> CVE-2021-40690 (All versions of Apache Santuario - XML Security for Java prior to 2.2. ...) {DSA-5010-1 DLA-2767-1} - libxml-security-java 2.1.7-1 (bug #994569) @@ -8337,10 +15389,10 @@ CVE-2021-40682 CVE-2021-3779 RESERVED CVE-2021-3778 (vim is vulnerable to Heap-based Buffer Overflow ...) + {DLA-2876-1} - vim 2:8.2.3455-1 (bug #994498) - [bullseye] - vim <no-dsa> (Minor issue) + [bullseye] - vim 2:8.2.2434-3+deb11u1 [buster] - vim <no-dsa> (Minor issue) - [stretch] - vim <no-dsa> (Minor issue) NOTE: https://huntr.dev/bounties/d9c17308-2c99-4f9f-a706-f7f72c24c273 NOTE: https://github.com/vim/vim/commit/65b605665997fad54ef39a93199e305af2fe4d7f (v8.2.3409) NOTE: https://www.openwall.com/lists/oss-security/2021/10/01/1 @@ -8484,8 +15536,8 @@ CVE-2021-40614 RESERVED CVE-2021-40613 RESERVED -CVE-2021-40612 - RESERVED +CVE-2021-40612 (An issue was discovered in Opmantek Open-AudIT after 3.5.0. Without au ...) + NOT-FOR-US: Opmantek Open-AudIT CVE-2021-40611 RESERVED CVE-2021-40610 @@ -8516,10 +15568,10 @@ CVE-2021-40598 RESERVED CVE-2021-40597 RESERVED -CVE-2021-40596 - RESERVED -CVE-2021-40595 - RESERVED +CVE-2021-40596 (SQL injection vulnerability in Login.php in sourcecodester Online Lear ...) + NOT-FOR-US: Sourcecodester +CVE-2021-40595 (SQL injection vulnerability in Sourcecodester Online Leave Management ...) + NOT-FOR-US: Sourcecodester CVE-2021-40594 RESERVED CVE-2021-40593 @@ -8550,48 +15602,80 @@ CVE-2021-40581 RESERVED CVE-2021-40580 RESERVED -CVE-2021-40579 - RESERVED -CVE-2021-40578 - RESERVED +CVE-2021-40579 (https://www.sourcecodester.com/ Online Enrollment Management System in ...) + NOT-FOR-US: Online Enrollment Management System in PHP and PayPal Free Source Code +CVE-2021-40578 (Authenticated Blind & Error-based SQL injection vulnerability was ...) + NOT-FOR-US: Online Enrollment Management System in PHP and PayPal Free Source Code CVE-2021-40577 (A Stored Cross Site Scripting (XSS) vulnerability exists in Sourcecode ...) NOT-FOR-US: Sourcecodester -CVE-2021-40576 - RESERVED -CVE-2021-40575 - RESERVED -CVE-2021-40574 - RESERVED -CVE-2021-40573 - RESERVED -CVE-2021-40572 - RESERVED -CVE-2021-40571 - RESERVED -CVE-2021-40570 - RESERVED -CVE-2021-40569 - RESERVED -CVE-2021-40568 - RESERVED -CVE-2021-40567 - RESERVED -CVE-2021-40566 - RESERVED -CVE-2021-40565 - RESERVED -CVE-2021-40564 - RESERVED -CVE-2021-40563 - RESERVED -CVE-2021-40562 - RESERVED +CVE-2021-40576 (The binary MP4Box in Gpac 1.0.1 has a null pointer dereference vulnera ...) + - gpac <unfixed> + NOTE: https://github.com/gpac/gpac/issues/1904 + NOTE: https://github.com/gpac/gpac/commit/ad18ece95fa064efc0995c4ab2c985f77fb166ec +CVE-2021-40575 (The binary MP4Box in Gpac 1.0.1 has a null pointer dereference vulnera ...) + - gpac <unfixed> + NOTE: https://github.com/gpac/gpac/issues/1905 + NOTE: https://github.com/gpac/gpac/commit/5f2c2a16d30229b6241f02fa28e3d6b810d64858 +CVE-2021-40574 (The binary MP4Box in Gpac 1.0.1 has a double-free vulnerability in the ...) + - gpac <unfixed> + NOTE: https://github.com/gpac/gpac/issues/1897 + NOTE: https://github.com/gpac/gpac/commit/30ac5e5236b790accd1f25347eebf2dc8c6c1bcb +CVE-2021-40573 (The binary MP4Box in Gpac 1.0.1 has a double-free vulnerability in the ...) + - gpac <unfixed> + NOTE: https://github.com/gpac/gpac/issues/1891 + NOTE: https://github.com/gpac/gpac/commit/b03c9f252526bb42fbd1b87b9f5e339c3cf2390a +CVE-2021-40572 (The binary MP4Box in Gpac 1.0.1 has a double-free bug in the av1dmx_fi ...) + - gpac <unfixed> + NOTE: https://github.com/gpac/gpac/issues/1893 + NOTE: https://github.com/gpac/gpac/commit/7bb1b4a4dd23c885f9db9f577dfe79ecc5433109 +CVE-2021-40571 (The binary MP4Box in Gpac 1.0.1 has a double-free vulnerability in the ...) + - gpac <unfixed> + NOTE: https://github.com/gpac/gpac/issues/1895 + NOTE: https://github.com/gpac/gpac/commit/a69b567b8c95c72f9560c873c5ab348be058f340 +CVE-2021-40570 (The binary MP4Box in Gpac 1.0.1 has a double-free vulnerability in the ...) + - gpac <unfixed> + NOTE: https://github.com/gpac/gpac/issues/1899 + NOTE: https://github.com/gpac/gpac/commit/04dbf08bff4d61948bab80c3f9096ecc60c7f302 +CVE-2021-40569 (The binary MP4Box in Gpac through 1.0.1 has a double-free vulnerabilit ...) + - gpac <unfixed> + NOTE: https://github.com/gpac/gpac/issues/1890 + NOTE: https://github.com/gpac/gpac/commit/b03c9f252526bb42fbd1b87b9f5e339c3cf2390a +CVE-2021-40568 (A buffer overflow vulnerability exists in Gpac through 1.0.1 via a mal ...) + - gpac <unfixed> + NOTE: https://github.com/gpac/gpac/issues/1900 + NOTE: https://github.com/gpac/gpac/commit/f1ae01d745200a258cdf62622f71754c37cb6c30 +CVE-2021-40567 (Segmentation fault vulnerability exists in Gpac through 1.0.1 via the ...) + - gpac <unfixed> + NOTE: https://github.com/gpac/gpac/issues/1889 + NOTE: https://github.com/gpac/gpac/commit/f5a038e6893019ee471b6a57490cf7a495673816 +CVE-2021-40566 (A Segmentation fault casued by heap use after free vulnerability exist ...) + - gpac <unfixed> + NOTE: https://github.com/gpac/gpac/issues/1887 + NOTE: https://github.com/gpac/gpac/commit/96047e0e6166407c40cc19f4e94fb35cd7624391 +CVE-2021-40565 (A Segmentation fault caused by a null pointer dereference vulnerabilit ...) + - gpac <unfixed> + NOTE: https://github.com/gpac/gpac/issues/1902 + NOTE: https://github.com/gpac/gpac/commit/893fb99b606eebfae46cde151846a980e689039b +CVE-2021-40564 (A Segmentation fault caused by null pointer dereference vulnerability ...) + - gpac <unfixed> + NOTE: https://github.com/gpac/gpac/issues/1898 + NOTE: https://github.com/gpac/gpac/commit/cf6771c857eb9a290e2c19ddacfdd3ed98b27618 +CVE-2021-40563 (A Segmentation fault exists casued by null pointer dereference exists ...) + - gpac <unfixed> + NOTE: https://github.com/gpac/gpac/issues/1892 + NOTE: https://github.com/gpac/gpac/commit/5ce0c906ed8599d218036b18b78e8126a496f137 +CVE-2021-40562 (A Segmentation fault caused by a floating point exception exists in Gp ...) + - gpac <unfixed> + NOTE: https://github.com/gpac/gpac/issues/1901 + NOTE: https://github.com/gpac/gpac/commit/5dd71c7201a3e5cf40732d585bfb21c906c171d3 CVE-2021-40561 RESERVED CVE-2021-40560 RESERVED -CVE-2021-40559 - RESERVED +CVE-2021-40559 (A null pointer deference vulnerability exists in gpac through 1.0.1 vi ...) + - gpac <unfixed> + NOTE: https://github.com/gpac/gpac/issues/1886 + NOTE: https://github.com/gpac/gpac/commit/70607fc71a671cf48a05e013a4e411429373dce7 CVE-2021-40558 RESERVED CVE-2021-40557 @@ -8650,7 +15734,7 @@ CVE-2021-40533 CVE-2021-40532 (Telegram Web K Alpha before 0.7.2 mishandles the characters in a docum ...) NOT-FOR-US: tweb NOTE: https://github.com/morethanwords/tweb -CVE-2021-40531 (An issue discovered in sketch before version 75,that allows for librar ...) +CVE-2021-40531 (Sketch before 75 allows library feeds to be used to bypass file quaran ...) NOT-FOR-US: Sketch collaborative design (Mac or Web app) NOTE: sketch.com, not the sketch package in Debian. CVE-2021-40530 (The ElGamal implementation in Crypto++ through 8.5 allows plaintext re ...) @@ -8665,6 +15749,8 @@ CVE-2021-40530 (The ElGamal implementation in Crypto++ through 8.5 allows plaint NOTE: https://github.com/weidai11/cryptopp/commit/bee8e8ca6658 (CRYPTOPP_8_6_0) CVE-2021-40529 (The ElGamal implementation in Botan through 2.18.1, as used in Thunder ...) - botan 2.18.1+dfsg-3 (bug #993840) + [bullseye] - botan <no-dsa> (Minor issue) + [buster] - botan <no-dsa> (Minor issue) - botan1.10 <removed> [stretch] - botan1.10 <ignored> (Affected function encrypt(...) has changed drastically. Backport is too instrusive to backport) NOTE: https://eprint.iacr.org/2021/923 @@ -8689,27 +15775,27 @@ CVE-2021-40527 (Exposure of senstive information to an unauthorised actor in the NOT-FOR-US: "com.onepeloton.erlich" mobile application CVE-2021-40526 (Incorrect calculation of buffer size vulnerability in Peleton TTR01 up ...) NOT-FOR-US: Peleton -CVE-2021-40525 - RESERVED +CVE-2021-40525 (Apache James ManagedSieve implementation alongside with the file stora ...) + NOT-FOR-US: Apache James CVE-2021-3776 (showdoc is vulnerable to Cross-Site Request Forgery (CSRF) ...) - NOT-FOR-US: showdoc + NOT-FOR-US: ShowDoc CVE-2021-3775 (showdoc is vulnerable to Cross-Site Request Forgery (CSRF) ...) - NOT-FOR-US: showdoc + NOT-FOR-US: ShowDoc CVE-2021-3774 (Meross Smart Wi-Fi 2 Way Wall Switch (MSS550X), on its 3.1.3 version a ...) NOT-FOR-US: Meross Smart Wi-Fi 2 Way Wall Switch -CVE-2021-3773 - RESERVED +CVE-2021-3773 (A flaw in netfilter could allow a network-connected attacker to infer ...) NOTE: https://www.openwall.com/lists/oss-security/2021/09/08/3 NOTE: https://breakpointingbad.com/2021/09/08/Port-Shadows-via-Network-Alchemy.html TODO: fill in tracking details CVE-2021-3772 [Invalid chunks may be used to remotely remove existing associations] RESERVED - linux 5.14.16-1 + [bullseye] - linux 5.10.84-1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2000694 CVE-2021-3771 RESERVED CVE-2021-40524 (In Pure-FTPd before 1.0.50, an incorrect max_filesize quota mechanism ...) - - pure-ftpd <unfixed> (bug #993810) + - pure-ftpd 1.0.50-1 (bug #993810) [bullseye] - pure-ftpd <no-dsa> (Minor issue) [buster] - pure-ftpd <no-dsa> (Minor issue) [stretch] - pure-ftpd <no-dsa> (Minor issue) @@ -8738,15 +15824,15 @@ CVE-2021-40515 RESERVED CVE-2021-3770 (vim is vulnerable to Heap-based Buffer Overflow ...) - vim 2:8.2.3455-1 (bug #994076) - [bullseye] - vim <no-dsa> (Minor issue) + [bullseye] - vim 2:8.2.2434-3+deb11u1 [buster] - vim <no-dsa> (Minor issue) - [stretch] - vim <no-dsa> (Minor issue) + [stretch] - vim <not-affected> (Vulnerable code not present) NOTE: https://huntr.dev/bounties/016ad2f2-07c1-4d14-a8ce-6eed10729365/ NOTE: Fixed by: https://github.com/vim/vim/commit/b7081e135a16091c93f6f5f7525a5c58fb7ca9f9 (v8.2.3402) NOTE: Followup fix for introduced memory leak: https://github.com/vim/vim/commit/2ddb89f8a94425cda1e5491efc80c1ccccb6e08e (v8.2.3403) NOTE: https://www.openwall.com/lists/oss-security/2021/10/01/1 -CVE-2021-3769 - RESERVED +CVE-2021-3769 (# Vulnerability in `pygmalion`, `pygmalion-virtualenv` and `refined` t ...) + NOT-FOR-US: ohmyzsh CVE-2021-40514 RESERVED CVE-2021-40513 @@ -8876,10 +15962,10 @@ CVE-2021-40455 (Windows Installer Spoofing Vulnerability ...) NOT-FOR-US: Microsoft CVE-2021-40454 (Rich Text Edit Control Information Disclosure Vulnerability ...) NOT-FOR-US: Microsoft -CVE-2021-40453 - RESERVED -CVE-2021-40452 - RESERVED +CVE-2021-40453 (HEVC Video Extensions Remote Code Execution Vulnerability This CVE ID ...) + NOT-FOR-US: Microsoft +CVE-2021-40452 (HEVC Video Extensions Remote Code Execution Vulnerability This CVE ID ...) + NOT-FOR-US: Microsoft CVE-2021-40451 RESERVED CVE-2021-40450 (Win32k Elevation of Privilege Vulnerability This CVE ID is unique from ...) @@ -8900,13 +15986,14 @@ CVE-2021-40443 (Windows Common Log File System Driver Elevation of Privilege Vul NOT-FOR-US: Microsoft CVE-2021-40442 (Microsoft Excel Remote Code Execution Vulnerability ...) NOT-FOR-US: Microsoft -CVE-2021-40441 - RESERVED +CVE-2021-40441 (Windows Media Center Elevation of Privilege Vulnerability ...) + NOT-FOR-US: Microsoft CVE-2021-40440 (Microsoft Dynamics Business Central Cross-site Scripting Vulnerability ...) NOT-FOR-US: Microsoft CVE-2021-3764 [DoS in ccp_run_aes_gcm_cmd() function] RESERVED - linux 5.14.12-1 + [bullseye] - linux 5.10.84-1 [stretch] - linux <not-affected> (Vulnerability introduced later) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1997467 NOTE: https://git.kernel.org/linus/505d9dcb0f7ddf9d075e729523a33d38642ae680 (5.15-rc4) @@ -8934,7 +16021,7 @@ CVE-2021-40491 (The ftp client in GNU Inetutils before 2.2 does not validate add NOTE: https://lists.gnu.org/archive/html/bug-inetutils/2021-06/msg00002.html NOTE: https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=58cb043b190fd04effdaea7c9403416b436e50dd CVE-2021-40490 (A race condition was discovered in ext4_write_inline_data_end in fs/ex ...) - {DSA-4978-1 DLA-2785-1} + {DSA-4978-1 DLA-2843-1 DLA-2785-1} - linux 5.14.6-1 [buster] - linux 4.19.208-1 NOTE: https://lore.kernel.org/linux-ext4/000000000000e5080305c9e51453@google.com/ @@ -8966,83 +16053,108 @@ CVE-2021-40425 RESERVED CVE-2021-40424 RESERVED -CVE-2021-40423 - RESERVED +CVE-2021-40423 (A denial of service vulnerability exists in the cgiserver.cgi API comm ...) + NOT-FOR-US: Reolink CVE-2021-40422 RESERVED CVE-2021-40421 RESERVED -CVE-2021-40420 - RESERVED -CVE-2021-40419 - RESERVED -CVE-2021-40418 - RESERVED -CVE-2021-40417 - RESERVED -CVE-2021-40416 - RESERVED -CVE-2021-40415 - RESERVED -CVE-2021-40414 - RESERVED -CVE-2021-40413 - RESERVED -CVE-2021-40412 - RESERVED -CVE-2021-40411 - RESERVED -CVE-2021-40410 - RESERVED -CVE-2021-40409 - RESERVED -CVE-2021-40408 - RESERVED -CVE-2021-40407 - RESERVED -CVE-2021-40406 - RESERVED +CVE-2021-40420 (A use-after-free vulnerability exists in the JavaScript engine of Foxi ...) + NOT-FOR-US: Foxit +CVE-2021-40419 (A firmware update vulnerability exists in the 'factory' binary of reol ...) + NOT-FOR-US: Reolink +CVE-2021-40418 (When parsing a file that is submitted to the DPDecoder service as a jo ...) + NOT-FOR-US: DaVinci Resolve +CVE-2021-40417 (When parsing a file that is submitted to the DPDecoder service as a jo ...) + NOT-FOR-US: DaVinci Resolve +CVE-2021-40416 (An incorrect default permission vulnerability exists in the cgiserver. ...) + NOT-FOR-US: Reolink +CVE-2021-40415 (An incorrect default permission vulnerability exists in the cgiserver. ...) + NOT-FOR-US: Reolink +CVE-2021-40414 (An incorrect default permission vulnerability exists in the cgiserver. ...) + NOT-FOR-US: Reolink +CVE-2021-40413 (An incorrect default permission vulnerability exists in the cgiserver. ...) + NOT-FOR-US: Reolink +CVE-2021-40412 (An OScommand injection vulnerability exists in the device network sett ...) + NOT-FOR-US: Reolink +CVE-2021-40411 (An OS command injection vulnerability exists in the device network set ...) + NOT-FOR-US: Reolink +CVE-2021-40410 (An OS command injection vulnerability exists in the device network set ...) + NOT-FOR-US: Reolink +CVE-2021-40409 (An OS command injection vulnerability exists in the device network set ...) + NOT-FOR-US: Reolink +CVE-2021-40408 (An OS command injection vulnerability exists in the device network set ...) + NOT-FOR-US: Reolink +CVE-2021-40407 (An OS command injection vulnerability exists in the device network set ...) + NOT-FOR-US: Reolink +CVE-2021-40406 (A denial of service vulnerability exists in the cgiserver.cgi session ...) + NOT-FOR-US: Reolink CVE-2021-40405 RESERVED -CVE-2021-40404 - RESERVED -CVE-2021-40403 - RESERVED +CVE-2021-40404 (An authentication bypass vulnerability exists in the cgiserver.cgi Log ...) + NOT-FOR-US: Reolink +CVE-2021-40403 (An information disclosure vulnerability exists in the pick-and-place r ...) + - gerbv <unfixed> + NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2021-1417 + NOTE: https://github.com/gerbv/gerbv/issues/82 + NOTE: Proposed patch: https://github.com/gerbv/gerbv/commit/387f07b163cc30cd95e9bedf53bc07e7b38cc318 CVE-2021-40402 RESERVED -CVE-2021-40401 - RESERVED + - gerbv <unfixed> + NOTE: https://github.com/gerbv/gerbv/issues/80 + NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2021-1416 +CVE-2021-40401 (A use-after-free vulnerability exists in the RS-274X aperture definiti ...) + - gerbv <unfixed> + NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2021-1415 + NOTE: https://github.com/gerbv/gerbv/commit/68ee18945bcf68ff964c42f12af79c5c0e2f4069 + NOTE: https://github.com/gerbv/gerbv/issues/81 CVE-2021-40400 RESERVED + - gerbv <unfixed> + NOTE: https://github.com/gerbv/gerbv/issues/79 + NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2021-1413 CVE-2021-40399 RESERVED CVE-2021-40398 RESERVED -CVE-2021-40397 - RESERVED -CVE-2021-40396 - RESERVED +CVE-2021-40397 (A privilege escalation vulnerability exists in the installation of Adv ...) + NOT-FOR-US: Advantech +CVE-2021-40396 (A privilege escalation vulnerability exists in the installation of Adv ...) + NOT-FOR-US: Advantech CVE-2021-40395 - RESERVED -CVE-2021-40394 - RESERVED -CVE-2021-40393 - RESERVED + REJECTED +CVE-2021-40394 (An out-of-bounds write vulnerability exists in the RS-274X aperture ma ...) + - gerbv 2.8.1-1 + [bullseye] - gerbv <no-dsa> (Minor issue) + [buster] - gerbv <no-dsa> (Minor issue) + [stretch] - gerbv <no-dsa> (Minor issue) + NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2021-1405 + NOTE: https://github.com/advisories/GHSA-936x-jwpc-5p28 + NOTE: https://github.com/gerbv/gerbv/commit/8d7e005f8783d92de74192af21303619bef7541f (v2.8.1-rc.1) +CVE-2021-40393 (An out-of-bounds write vulnerability exists in the RS-274X aperture ma ...) + - gerbv 2.8.2-1 + [bullseye] - gerbv <no-dsa> (Minor issue) + [buster] - gerbv <no-dsa> (Minor issue) + [stretch] - gerbv <no-dsa> (Minor issue) + NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2021-1404 + NOTE: https://github.com/advisories/GHSA-w67q-2hr6-7cjf + NOTE: https://github.com/gerbv/gerbv/commit/4d12b696aed19fbcc115fe83aa7597b7c42ba8d6 (v2.8.2-rc.1) CVE-2021-40392 RESERVED CVE-2021-40391 (An out-of-bounds write vulnerability exists in the drill format T-code ...) + {DLA-2839-1} - gerbv 2.7.1-1 - [bullseye] - gerbv <no-dsa> (Minor issue) + [bullseye] - gerbv 2.7.0-2+deb11u1 [buster] - gerbv <no-dsa> (Minor issue) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2021-1402 NOTE: https://github.com/gerbv/gerbv/commit/9f83950b772b37b49ee188300e444546e6aab17e NOTE: https://github.com/gerbv/gerbv/issues/30 CVE-2021-40390 RESERVED -CVE-2021-40389 - RESERVED -CVE-2021-40388 - RESERVED +CVE-2021-40389 (A privilege escalation vulnerability exists in the installation of Adv ...) + NOT-FOR-US: Advantech +CVE-2021-40388 (A privilege escalation vulnerability exists in Advantech SQ Manager Se ...) + NOT-FOR-US: Advantech CVE-2021-40387 (An issue was discovered in the server software in Kaseya Unitrends Bac ...) NOT-FOR-US: Kaseya Unitrends Backup Software CVE-2021-40386 @@ -9091,14 +16203,14 @@ CVE-2021-40365 RESERVED CVE-2021-40364 (A vulnerability has been identified in SIMATIC PCS 7 V8.2 and earlier ...) NOT-FOR-US: Siemens -CVE-2021-40363 - RESERVED +CVE-2021-40363 (A vulnerability has been identified in SIMATIC PCS 7 V8.2 and earlier ...) + NOT-FOR-US: Siemens CVE-2021-40362 RESERVED CVE-2021-40361 RESERVED -CVE-2021-40360 - RESERVED +CVE-2021-40360 (A vulnerability has been identified in SIMATIC PCS 7 V8.2 and earlier ...) + NOT-FOR-US: Siemens CVE-2021-40359 (A vulnerability has been identified in SIMATIC PCS 7 V8.2 and earlier ...) NOT-FOR-US: Siemens CVE-2021-40358 (A vulnerability has been identified in SIMATIC PCS 7 V8.2 and earlier ...) @@ -9112,12 +16224,14 @@ CVE-2021-40355 (A vulnerability has been identified in Teamcenter V12.4 (All ver CVE-2021-40354 (A vulnerability has been identified in Teamcenter V12.4 (All versions ...) NOT-FOR-US: Siemens CVE-2021-3761 (Any CA issuer in the RPKI can trick OctoRPKI prior to 1.3.0 into emitt ...) + {DSA-5041-1} - cfrpki 1.3.0-1 (bug #994572) NOTE: https://github.com/cloudflare/cfrpki/security/advisories/GHSA-c8xp-8mf3-62h9 NOTE: https://github.com/cloudflare/cfrpki/commit/a8db4e009ef217484598ba1fd1c595b54e0f6422 -CVE-2021-3760 - RESERVED +CVE-2021-3760 (A flaw was found in the Linux kernel. A use-after-free vulnerability i ...) + {DLA-2843-1} - linux 5.14.16-1 (unimportant) + [bullseye] - linux 5.10.84-1 NOTE: https://www.openwall.com/lists/oss-security/2021/10/26/2 NOTE: https://git.kernel.org/linus/1b1499a817c90fd1ce9453a2c98d2a01cca0e775 (5.15-rc6) NOTE: CONFIG_NFC_NCI is not set in Debian @@ -9155,22 +16269,22 @@ CVE-2021-40342 RESERVED CVE-2021-40341 RESERVED -CVE-2021-40340 - RESERVED -CVE-2021-40339 - RESERVED -CVE-2021-40338 - RESERVED -CVE-2021-40337 - RESERVED +CVE-2021-40340 (Information Exposure vulnerability in Hitachi Energy LinkOne applicati ...) + NOT-FOR-US: Hitachi +CVE-2021-40339 (Configuration vulnerability in Hitachi Energy LinkOne application due ...) + NOT-FOR-US: Hitachi +CVE-2021-40338 (Hitachi Energy LinkOne product, has a vulnerability due to a web serve ...) + NOT-FOR-US: Hitachi +CVE-2021-40337 (Cross-site Scripting (XSS) vulnerability in Hitachi Energy LinkOne all ...) + NOT-FOR-US: Hitachi CVE-2021-40336 RESERVED CVE-2021-40335 RESERVED -CVE-2021-40334 - RESERVED -CVE-2021-40333 - RESERVED +CVE-2021-40334 (Missing Handler vulnerability in the proprietary management protocol ( ...) + NOT-FOR-US: Hitachi +CVE-2021-40333 (Weak Password Requirements vulnerability in Hitachi Energy FOX61x, XCM ...) + NOT-FOR-US: Hitachi CVE-2021-40332 RESERVED CVE-2021-3759 [unaccounted ipc objects in Linux kernel lead to breaking memcg limits and DoS attacks] @@ -9186,21 +16300,22 @@ CVE-2021-40331 RESERVED CVE-2021-3756 (libmysofa is vulnerable to Heap-based Buffer Overflow ...) - libmysofa 1.2.1~dfsg0-1 + [bullseye] - libmysofa <no-dsa> (Minor issue) + [buster] - libmysofa <no-dsa> (Minor issue) NOTE: https://huntr.dev/bounties/7ca8d9ea-e2a6-4294-af28-70260bb53bc1/ NOTE: https://github.com/hoene/libmysofa/commit/890400ebd092c574707d0c132124f8ff047e20e1 (v1.2.1) CVE-2021-3755 REJECTED CVE-2021-3754 RESERVED -CVE-2021-3753 - RESERVED - {DSA-4978-1 DLA-2785-1} +CVE-2021-3753 (A race problem was seen in the vt_k_ioctl in drivers/tty/vt/vt_ioctl.c ...) + {DSA-4978-1 DLA-2843-1 DLA-2785-1} - linux 5.14.6-1 [buster] - linux 4.19.208-1 NOTE: https://git.kernel.org/linus/2287a51ba822384834dafc1c798453375d1107c7 -CVE-2021-3752 - RESERVED - - linux <unfixed> +CVE-2021-3752 (A use-after-free flaw was found in the Linux kernel’s Bluetooth ...) + - linux 5.15.3-1 + [bullseye] - linux 5.10.84-1 NOTE: https://www.openwall.com/lists/oss-security/2021/09/15/4 CVE-2021-40330 (git_connect_git in connect.c in Git before 2.30.1 allows a repository ...) - git 1:2.30.1-1 @@ -9211,11 +16326,13 @@ CVE-2021-40330 (git_connect_git in connect.c in Git before 2.30.1 allows a repos CVE-2021-40329 (The Authentication API in Ping Identity PingFederate before 10.3 misha ...) NOT-FOR-US: Ping Identity PingFederate CVE-2021-3751 (libmobi is vulnerable to Out-of-bounds Write ...) - - libmobi <itp> (bug #966677) + - libmobi <not-affected> (Fixed before initial upload to Debian) + NOTE: https://huntr.dev/bounties/fcb4383c-bc27-4b89-bfce-6b041f0cb769/ + NOTE: https://github.com/bfabiszewski/libmobi/commit/ab5bf0e37e540eac682a14e628853b918626e72b (v0.7) CVE-2021-40328 RESERVED -CVE-2021-40327 - RESERVED +CVE-2021-40327 (Trusted Firmware-M (TF-M) 1.4.0, when Profile Small is used, has incor ...) + NOT-FOR-US: Trusted Firmware-M (TF-M) CVE-2021-40326 RESERVED CVE-2021-40325 (Cobbler before 3.3.0 allows authorization bypass for modification of s ...) @@ -9239,6 +16356,7 @@ CVE-2021-3750 [hcd-ehci: DMA reentrancy issue leads to use-after-free] NOTE: https://gitlab.com/qemu-project/qemu/-/issues/541 NOTE: Fix for whole class of DMA MMIO reentrancy issues: https://gitlab.com/qemu-project/qemu/-/issues/556 NOTE: Patchset: https://lists.nongnu.org/archive/html/qemu-devel/2021-08/msg03692.html + NOTE: No upstream patch as of 2022-01-28 CVE-2021-3749 (axios is vulnerable to Inefficient Regular Expression Complexity ...) - node-axios 0.21.3+dfsg-1 [bullseye] - node-axios 0.21.1+dfsg-1+deb11u1 @@ -9264,8 +16382,8 @@ CVE-2021-40315 RESERVED CVE-2021-40314 RESERVED -CVE-2021-40313 - RESERVED +CVE-2021-40313 (Piwigo v11.5 was discovered to contain a SQL injection vulnerability v ...) + - piwigo <removed> CVE-2021-40312 RESERVED CVE-2021-40311 @@ -9314,8 +16432,8 @@ CVE-2021-40290 RESERVED CVE-2021-40289 RESERVED -CVE-2021-40288 - RESERVED +CVE-2021-40288 (A denial-of-service attack in WPA2, and WPA3-SAE authentication method ...) + NOT-FOR-US: TP-Link CVE-2021-40287 RESERVED CVE-2021-40286 @@ -9326,14 +16444,14 @@ CVE-2021-40284 (D-Link DSL-3782 EU v1.01:EU v1.03 is affected by a buffer overfl NOT-FOR-US: D-Link CVE-2021-40283 RESERVED -CVE-2021-40282 - RESERVED -CVE-2021-40281 - RESERVED -CVE-2021-40280 - RESERVED -CVE-2021-40279 - RESERVED +CVE-2021-40282 (An SQL Injection vulnerability exists in zzcms 8.2, 8.3, 2020, abd 202 ...) + NOT-FOR-US: zzcms +CVE-2021-40281 (An SQL Injection vulnerability exists in zzcms 8.2, 8.3, 2020, and 202 ...) + NOT-FOR-US: zzcms +CVE-2021-40280 (An SQL Injection vulnerablitly exits in zzcms 8.2, 8.3, 2020, and 2021 ...) + NOT-FOR-US: zzcms +CVE-2021-40279 (An SQL Injection vulnerability exists in zzcms 8.2, 8.3, 2020, and 202 ...) + NOT-FOR-US: zzcms CVE-2021-40278 RESERVED CVE-2021-40277 @@ -9396,8 +16514,8 @@ CVE-2021-40249 RESERVED CVE-2021-40248 RESERVED -CVE-2021-40247 - RESERVED +CVE-2021-40247 (SQL injection vulnerability in Sourcecodester Budget and Expense Track ...) + NOT-FOR-US: Sourcecodester CVE-2021-40246 RESERVED CVE-2021-40245 @@ -9548,16 +16666,16 @@ CVE-2021-40173 (Zoho ManageEngine Cloud Security Plus before Build 4117 allows a NOT-FOR-US: Zoho ManageEngine CVE-2021-40172 (Zoho ManageEngine Log360 before Build 5219 allows a CSRF attack on pro ...) NOT-FOR-US: Zoho ManageEngine -CVE-2021-40171 - RESERVED -CVE-2021-40170 - RESERVED +CVE-2021-40171 (The absence of notifications regarding an ongoing RF jamming attack in ...) + NOT-FOR-US: SecuritasHome home alarm system +CVE-2021-40170 (An RF replay attack vulnerability in the SecuritasHome home alarm syst ...) + NOT-FOR-US: SecuritasHome home alarm system CVE-2021-40169 RESERVED CVE-2021-40168 RESERVED -CVE-2021-40167 - RESERVED +CVE-2021-40167 (A Memory Corruption Vulnerability in Autodesk Design Review 2018, 2017 ...) + NOT-FOR-US: Autodesk CVE-2021-40166 RESERVED CVE-2021-40165 @@ -9568,14 +16686,14 @@ CVE-2021-40163 RESERVED CVE-2021-40162 RESERVED -CVE-2021-40161 - RESERVED -CVE-2021-40160 - RESERVED -CVE-2021-40159 - RESERVED -CVE-2021-40158 - RESERVED +CVE-2021-40161 (A Memory Corruption vulnerability may lead to code execution through m ...) + NOT-FOR-US: Autodesk +CVE-2021-40160 (A maliciously crafted PDF file prior to 9.0.7 may be forced to read be ...) + NOT-FOR-US: Autodesk +CVE-2021-40159 (An Information Disclosure vulnerability for JT files in Autodesk Inven ...) + NOT-FOR-US: Autodesk +CVE-2021-40158 (A maliciously crafted JT file in Autodesk Inventor 2022, 2021, 2020, 2 ...) + NOT-FOR-US: Autodesk CVE-2021-40157 (A user may be tricked into opening a malicious FBX file which may expl ...) NOT-FOR-US: Autodesk CVE-2021-40156 (A maliciously crafted DWG file in Autodesk Navisworks 2019, 2020, 2021 ...) @@ -9584,22 +16702,26 @@ CVE-2021-40155 (A maliciously crafted DWG file in Autodesk Navisworks 2019, 2020 NOT-FOR-US: Autodesk CVE-2021-3747 (The MacOS version of Multipass, version 1.7.0, fixed in 1.7.2, acciden ...) NOT-FOR-US: Multipass -CVE-2021-40154 - RESERVED +CVE-2021-40154 (NXP LPC55S69 devices before A3 have a buffer over-read via a crafted w ...) + NOT-FOR-US: NXP LPC55S69 devices CVE-2021-40152 RESERVED CVE-2021-40151 RESERVED CVE-2021-3746 (A flaw was found in the libtpms code that may cause access beyond the ...) - - libtpms <unfixed> + - libtpms 0.9.1-1 NOTE: https://github.com/stefanberger/libtpms/commit/1fb6cd9b8df05b5d6e381b31215193d6ada969df (v0.6.6) NOTE: https://github.com/stefanberger/libtpms/commit/ea62fd9679f8c6fc5e79471b33cfbd8227bfed72 (v0.6.6) - TODO: check, might only affect the upstream stable-0.6 branch and not an issue in src:libtpms in any released version in Debian + NOTE: https://github.com/stefanberger/libtpms/commit/aaef222e8682cc2e0f9ea7124220c5fe44fab62b (v0.8.5) + NOTE: https://github.com/stefanberger/libtpms/commit/33a03986e0a09dde439985e0312d1c8fb3743aab (v0.8.5) + NOTE: https://github.com/stefanberger/libtpms/commit/034a5c02488cf7f0048e130177fc71c9e626e135 (v0.9.0) + NOTE: https://github.com/stefanberger/libtpms/commit/17255da54cf8354d02369f1323dc50cfb87e2bf4 (v0.9.0) CVE-2021-3745 (flatcore-cms is vulnerable to Unrestricted Upload of File with Dangero ...) NOT-FOR-US: flatcore-cms CVE-2021-3744 [crypto: ccp - fix resource leaks in ccp_run_aes_gcm_cmd()] RESERVED - linux 5.14.12-1 + [bullseye] - linux 5.10.84-1 [stretch] - linux <not-affected> (Vulnerability introduced later) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2000627 NOTE: https://git.kernel.org/linus/505d9dcb0f7ddf9d075e729523a33d38642ae680 (5.15-rc4) @@ -9614,8 +16736,8 @@ CVE-2021-40150 RESERVED CVE-2021-40149 RESERVED -CVE-2021-40148 - RESERVED +CVE-2021-40148 (In Modem EMM, there is a possible information disclosure due to a miss ...) + NOT-FOR-US: Mediatek components for Android CVE-2021-3743 RESERVED {DSA-4978-1 DLA-2785-1} @@ -9732,7 +16854,7 @@ CVE-2021-40120 (A vulnerability in the web-based management interface of certain NOT-FOR-US: Cisco CVE-2021-40119 (A vulnerability in the key-based SSH authentication mechanism of Cisco ...) NOT-FOR-US: Cisco -CVE-2021-40118 (Multiple vulnerabilities in the web services interface of Cisco Adapti ...) +CVE-2021-40118 (A vulnerability in the web services interface of Cisco Adaptive Securi ...) NOT-FOR-US: Cisco CVE-2021-40117 (A vulnerability in SSL/TLS message handler for Cisco Adaptive Security ...) NOT-FOR-US: Cisco @@ -9746,10 +16868,10 @@ CVE-2021-40113 (Multiple vulnerabilities in the web-based management interface o NOT-FOR-US: Cisco CVE-2021-40112 (Multiple vulnerabilities in the web-based management interface of the ...) NOT-FOR-US: Cisco -CVE-2021-40111 - RESERVED -CVE-2021-40110 - RESERVED +CVE-2021-40111 (In Apache James, while fuzzing with Jazzer the IMAP parsing stack, we ...) + NOT-FOR-US: Apache James +CVE-2021-40110 (In Apache James, using Jazzer fuzzer, we identified that an IMAP user ...) + NOT-FOR-US: Apache James CVE-2021-40109 (A SSRF issue was discovered in Concrete CMS through 8.5.5. Users can a ...) NOT-FOR-US: Concrete CMS CVE-2021-40108 (An issue was discovered in Concrete CMS through 8.5.5. The Calendar is ...) @@ -9766,8 +16888,8 @@ CVE-2021-40103 (An issue was discovered in Concrete CMS through 8.5.5. Path Trav NOT-FOR-US: Concrete CMS CVE-2021-40102 (An issue was discovered in Concrete CMS through 8.5.5. Arbitrary File ...) NOT-FOR-US: Concrete CMS -CVE-2021-40101 - RESERVED +CVE-2021-40101 (An issue was discovered in Concrete CMS before 8.5.7. The Dashboard al ...) + NOT-FOR-US: Concrete CMS CVE-2021-40100 (An issue was discovered in Concrete CMS through 8.5.5. Stored XSS can ...) NOT-FOR-US: Concrete CMS CVE-2021-40099 (An issue was discovered in Concrete CMS through 8.5.5. Fetching the up ...) @@ -9776,18 +16898,18 @@ CVE-2021-40098 (An issue was discovered in Concrete CMS through 8.5.5. Path Trav NOT-FOR-US: Concrete CMS CVE-2021-40097 (An issue was discovered in Concrete CMS through 8.5.5. Authenticated p ...) NOT-FOR-US: Concrete CMS -CVE-2021-40096 - RESERVED -CVE-2021-40095 - RESERVED -CVE-2021-40094 - RESERVED -CVE-2021-40093 - RESERVED -CVE-2021-40092 - RESERVED -CVE-2021-40091 - RESERVED +CVE-2021-40096 (A cross-site scripting (XSS) vulnerability in integration configuratio ...) + NOT-FOR-US: SquaredUp for SCOM +CVE-2021-40095 (An issue was discovered in SquaredUp for SCOM 5.2.1.6654. The Download ...) + NOT-FOR-US: SquaredUp for SCOM +CVE-2021-40094 (A DOM-based XSS vulnerability affects SquaredUp for SCOM 5.2.1.6654. I ...) + NOT-FOR-US: SquaredUp for SCOM +CVE-2021-40093 (A cross-site scripting (XSS) vulnerability in integration configuratio ...) + NOT-FOR-US: SquaredUp for SCOM +CVE-2021-40092 (A cross-site scripting (XSS) vulnerability in Image Tile in SquaredUp ...) + NOT-FOR-US: SquaredUp for SCOM +CVE-2021-40091 (An SSRF issue was discovered in SquaredUp for SCOM 5.2.1.6654. ...) + NOT-FOR-US: SquaredUp for SCOM CVE-2021-40090 RESERVED CVE-2021-40089 (An issue was discovered in PrimeKey EJBCA before 7.6.0. The General Pu ...) @@ -9821,6 +16943,7 @@ CVE-2021-3735 [ahci: deadlock issue leads to denial of service] [buster] - qemu <no-dsa> (Minor issue) [stretch] - qemu <postponed> (Fix along with a future DLA) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1997184 + NOTE: No upstream patch as of 2022-01-28 CVE-2021-40083 (Knot Resolver before 5.3.2 is prone to an assertion failure, triggerab ...) [experimental] - knot-resolver 5.4.1-1 - knot-resolver 5.4.1-2 (bug #991463) @@ -9900,166 +17023,166 @@ CVE-2021-40047 RESERVED CVE-2021-40046 RESERVED -CVE-2021-40045 - RESERVED -CVE-2021-40044 - RESERVED +CVE-2021-40045 (There is a vulnerability of signature verification mechanism failure i ...) + NOT-FOR-US: Huawei +CVE-2021-40044 (There is a permission verification vulnerability in the Bluetooth modu ...) + NOT-FOR-US: Huawei CVE-2021-40043 RESERVED -CVE-2021-40042 - RESERVED -CVE-2021-40041 - RESERVED +CVE-2021-40042 (There is a release of invalid pointer vulnerability in some Huawei pro ...) + NOT-FOR-US: Huawei +CVE-2021-40041 (There is a Cross-Site Scripting(XSS) vulnerability in HUAWEI WS318n pr ...) + NOT-FOR-US: Huawei CVE-2021-40040 RESERVED -CVE-2021-40039 - RESERVED -CVE-2021-40038 - RESERVED -CVE-2021-40037 - RESERVED +CVE-2021-40039 (There is a Null pointer dereference vulnerability in the camera module ...) + NOT-FOR-US: Huawei +CVE-2021-40038 (There is a Double free vulnerability in the AOD module in smartphones. ...) + NOT-FOR-US: Huawei +CVE-2021-40037 (There is a Vulnerability of accessing resources using an incompatible ...) + NOT-FOR-US: Huawei CVE-2021-40036 RESERVED -CVE-2021-40035 - RESERVED +CVE-2021-40035 (There is a Buffer overflow vulnerability due to a boundary error with ...) + NOT-FOR-US: Huawei CVE-2021-40034 RESERVED -CVE-2021-40033 - RESERVED -CVE-2021-40032 - RESERVED -CVE-2021-40031 - RESERVED +CVE-2021-40033 (There is an information exposure vulnerability on several Huawei Produ ...) + NOT-FOR-US: Huawei +CVE-2021-40032 (The bone voice ID TA has a vulnerability in information management,Suc ...) + NOT-FOR-US: Huawei +CVE-2021-40031 (There is a Null pointer dereference vulnerability in the camera module ...) + NOT-FOR-US: Huawei CVE-2021-40030 RESERVED -CVE-2021-40029 - RESERVED -CVE-2021-40028 - RESERVED -CVE-2021-40027 - RESERVED -CVE-2021-40026 - RESERVED -CVE-2021-40025 - RESERVED +CVE-2021-40029 (There is a Buffer overflow vulnerability due to a boundary error with ...) + NOT-FOR-US: Huawei +CVE-2021-40028 (The eID module has an out-of-bounds memory write vulnerability,Success ...) + NOT-FOR-US: Huawei +CVE-2021-40027 (The bone voice ID TA has a vulnerability in calculating the buffer len ...) + NOT-FOR-US: Huawei +CVE-2021-40026 (There is a Heap-based buffer overflow vulnerability in the AOD module ...) + NOT-FOR-US: Huawei +CVE-2021-40025 (The eID module has a vulnerability that causes the memory to be used w ...) + NOT-FOR-US: Huawei CVE-2021-40024 RESERVED CVE-2021-40023 RESERVED -CVE-2021-40022 - RESERVED -CVE-2021-40021 - RESERVED -CVE-2021-40020 - RESERVED +CVE-2021-40022 (The weaver module has a vulnerability in parameter type verification,S ...) + NOT-FOR-US: Huawei +CVE-2021-40021 (The eID module has an out-of-bounds memory write vulnerability,Success ...) + NOT-FOR-US: Huawei +CVE-2021-40020 (There is an Out-of-bounds array read vulnerability in the security sto ...) + NOT-FOR-US: Huawei CVE-2021-40019 RESERVED -CVE-2021-40018 - RESERVED +CVE-2021-40018 (The eID module has a null pointer reference vulnerability. Successful ...) + NOT-FOR-US: Huawei CVE-2021-40017 RESERVED CVE-2021-40016 RESERVED -CVE-2021-40015 - RESERVED -CVE-2021-40014 - RESERVED +CVE-2021-40015 (There is a race condition vulnerability in the binder driver subsystem ...) + NOT-FOR-US: Huawei +CVE-2021-40014 (The bone voice ID trusted application (TA) has a heap overflow vulnera ...) + NOT-FOR-US: Huawei CVE-2021-40013 RESERVED CVE-2021-40012 RESERVED -CVE-2021-40011 - RESERVED -CVE-2021-40010 - RESERVED -CVE-2021-40009 - RESERVED -CVE-2021-40008 - RESERVED -CVE-2021-40007 - RESERVED -CVE-2021-40006 - RESERVED -CVE-2021-40005 - RESERVED -CVE-2021-40004 - RESERVED -CVE-2021-40003 - RESERVED -CVE-2021-40002 - RESERVED -CVE-2021-40001 - RESERVED -CVE-2021-40000 - RESERVED +CVE-2021-40011 (There is an Uncontrolled resource consumption vulnerability in the dis ...) + NOT-FOR-US: Huawei +CVE-2021-40010 (The bone voice ID trusted application (TA) has a heap overflow vulnera ...) + NOT-FOR-US: Huawei +CVE-2021-40009 (There is an Out-of-bounds write vulnerability in the AOD module in sma ...) + NOT-FOR-US: Huawei +CVE-2021-40008 (There is a memory leak vulnerability in CloudEngine 12800 V200R019C00S ...) + NOT-FOR-US: Huawei +CVE-2021-40007 (There is an information leak vulnerability in eCNS280_TD V100R005C10SP ...) + NOT-FOR-US: Huawei +CVE-2021-40006 (The fingerprint module has a security risk of brute force cracking. Su ...) + NOT-FOR-US: Huawei +CVE-2021-40005 (The distributed data service component has a vulnerability in data acc ...) + NOT-FOR-US: Huawei +CVE-2021-40004 (The cellular module has a vulnerability in permission management. Succ ...) + NOT-FOR-US: Huawei +CVE-2021-40003 (HwPCAssistant has a path traversal vulnerability. Successful exploitat ...) + NOT-FOR-US: Huawei +CVE-2021-40002 (The Bluetooth module has an out-of-bounds write vulnerability. Success ...) + NOT-FOR-US: Huawei +CVE-2021-40001 (The CaasKit module has a path traversal vulnerability. Successful expl ...) + NOT-FOR-US: Huawei +CVE-2021-40000 (The Bluetooth module has an out-of-bounds write vulnerability. Success ...) + NOT-FOR-US: Huawei CVE-2021-39999 RESERVED -CVE-2021-39998 - RESERVED -CVE-2021-39997 - RESERVED -CVE-2021-39996 - RESERVED -CVE-2021-39995 - RESERVED -CVE-2021-39994 - RESERVED -CVE-2021-39993 - RESERVED -CVE-2021-39992 - RESERVED -CVE-2021-39991 - RESERVED -CVE-2021-39990 - RESERVED -CVE-2021-39989 - RESERVED -CVE-2021-39988 - RESERVED -CVE-2021-39987 - RESERVED -CVE-2021-39986 - RESERVED -CVE-2021-39985 - RESERVED -CVE-2021-39984 - RESERVED -CVE-2021-39983 - RESERVED -CVE-2021-39982 - RESERVED -CVE-2021-39981 - RESERVED -CVE-2021-39980 - RESERVED -CVE-2021-39979 - RESERVED -CVE-2021-39978 - RESERVED -CVE-2021-39977 - RESERVED +CVE-2021-39998 (There is Vulnerability of APIs being concurrently called for multiple ...) + NOT-FOR-US: Huawei +CVE-2021-39997 (There is a vulnerability of unstrict input parameter verification in t ...) + NOT-FOR-US: Huawei +CVE-2021-39996 (There is a Heap-based buffer overflow vulnerability with the NFC modul ...) + NOT-FOR-US: Huawei +CVE-2021-39995 (Some Huawei products use the OpenHpi software for hardware management. ...) + NOT-FOR-US: Huawei +CVE-2021-39994 (There is an arbitrary address access vulnerability with the product li ...) + NOT-FOR-US: Huawei +CVE-2021-39993 (There is an Integer overflow vulnerability with ACPU in smartphones. S ...) + NOT-FOR-US: Huawei +CVE-2021-39992 (There is an improper security permission configuration vulnerability o ...) + NOT-FOR-US: Huawei +CVE-2021-39991 (There is an unauthorized rewriting vulnerability with the memory acces ...) + NOT-FOR-US: Huawei +CVE-2021-39990 (The screen lock module has a Stack-based Buffer Overflow vulnerability ...) + NOT-FOR-US: Huawei +CVE-2021-39989 (The HwNearbyMain module has a Exposure of Sensitive Information to an ...) + NOT-FOR-US: Huawei +CVE-2021-39988 (The HwNearbyMain module has a NULL Pointer Dereference vulnerability.S ...) + NOT-FOR-US: Huawei +CVE-2021-39987 (The HwNearbyMain module has a Data Processing Errors vulnerability.Suc ...) + NOT-FOR-US: Huawei +CVE-2021-39986 (There is an unauthorized rewriting vulnerability with the memory acces ...) + NOT-FOR-US: Huawei +CVE-2021-39985 (The HwNearbyMain module has a Improper Validation of Array Index vulne ...) + NOT-FOR-US: Huawei +CVE-2021-39984 (Huawei idap module has a Out-of-bounds Read vulnerability.Successful e ...) + NOT-FOR-US: Huawei +CVE-2021-39983 (The HwNearbyMain module has a Data Processing Errors vulnerability.Suc ...) + NOT-FOR-US: Huawei +CVE-2021-39982 (Phone Manager application has a Improper Privilege Management vulnerab ...) + NOT-FOR-US: Huawei +CVE-2021-39981 (Chang Lian application has a vulnerability which can be maliciously ex ...) + NOT-FOR-US: Huawei +CVE-2021-39980 (Telephony application has a Exposure of Sensitive Information to an Un ...) + NOT-FOR-US: Huawei +CVE-2021-39979 (HHEE system has a Code Injection vulnerability.Successful exploitation ...) + NOT-FOR-US: Huawei +CVE-2021-39978 (Telephony application has a SQL Injection vulnerability.Successful exp ...) + NOT-FOR-US: Huawei +CVE-2021-39977 (The HwNearbyMain module has a NULL Pointer Dereference vulnerability.S ...) + NOT-FOR-US: Huawei CVE-2021-39976 (There is a privilege escalation vulnerability in CloudEngine 5800 V200 ...) NOT-FOR-US: Huawei -CVE-2021-39975 - RESERVED -CVE-2021-39974 - RESERVED -CVE-2021-39973 - RESERVED -CVE-2021-39972 - RESERVED -CVE-2021-39971 - RESERVED -CVE-2021-39970 - RESERVED -CVE-2021-39969 - RESERVED -CVE-2021-39968 - RESERVED -CVE-2021-39967 - RESERVED -CVE-2021-39966 - RESERVED +CVE-2021-39975 (Hilinksvc has a Data Processing Errors vulnerability.Successful exploi ...) + NOT-FOR-US: Huawei +CVE-2021-39974 (There is an Out-of-bounds read in Smartphones.Successful exploitation ...) + NOT-FOR-US: Huawei +CVE-2021-39973 (There is a Null pointer dereference in Smartphones.Successful exploita ...) + NOT-FOR-US: Huawei +CVE-2021-39972 (MyHuawei-App has a Exposure of Sensitive Information to an Unauthorize ...) + NOT-FOR-US: Huawei +CVE-2021-39971 (Password vault has a External Control of System or Configuration Setti ...) + NOT-FOR-US: Huawei +CVE-2021-39970 (HwPCAssistant has a Improper Input Validation vulnerability.Successful ...) + NOT-FOR-US: Huawei +CVE-2021-39969 (There is an Unauthorized file access vulnerability in Smartphones.Succ ...) + NOT-FOR-US: Huawei +CVE-2021-39968 (Changlian Blocklist has a Business Logic Errors vulnerability .Success ...) + NOT-FOR-US: Huawei +CVE-2021-39967 (There is a Vulnerability of obtaining broadcast information improperly ...) + NOT-FOR-US: Huawei +CVE-2021-39966 (There is an Uninitialized AOD driver structure in Smartphones.Successf ...) + NOT-FOR-US: Huawei CVE-2021-39965 RESERVED CVE-2021-39964 @@ -10098,88 +17221,111 @@ CVE-2021-39948 RESERVED CVE-2021-39947 RESERVED -CVE-2021-39946 - RESERVED -CVE-2021-39945 - RESERVED -CVE-2021-39944 - RESERVED -CVE-2021-39943 - RESERVED -CVE-2021-39942 - RESERVED -CVE-2021-39941 - RESERVED -CVE-2021-39940 - RESERVED -CVE-2021-39939 - RESERVED -CVE-2021-39938 - RESERVED -CVE-2021-39937 - RESERVED -CVE-2021-39936 - RESERVED -CVE-2021-39935 - RESERVED -CVE-2021-39934 - RESERVED -CVE-2021-39933 - RESERVED -CVE-2021-39932 - RESERVED -CVE-2021-39931 - RESERVED -CVE-2021-39930 - RESERVED +CVE-2021-39946 (Improper neutralization of user input in GitLab CE/EE versions 14.3 to ...) + - gitlab <unfixed> +CVE-2021-39945 (Improper access control in the GitLab CE/EE API affecting all versions ...) + - gitlab <unfixed> +CVE-2021-39944 (An issue has been discovered in GitLab CE/EE affecting all versions st ...) + - gitlab <unfixed> +CVE-2021-39943 (An authorization logic error in the External Status Check API in GitLa ...) + - gitlab <unfixed> + TODO: reach out for details +CVE-2021-39942 (A denial of service vulnerability in GitLab CE/EE affecting all versio ...) + - gitlab <unfixed> +CVE-2021-39941 (An information disclosure vulnerability in GitLab CE/EE versions 12.0 ...) + - gitlab <unfixed> +CVE-2021-39940 (An issue has been discovered in GitLab CE/EE affecting all versions st ...) + - gitlab <unfixed> +CVE-2021-39939 (An uncontrolled resource consumption vulnerability in GitLab Runner af ...) + - gitlab-ci-multi-runner <not-affected> (Vulnerable code introduced later) + NOTE: https://gitlab.com/gitlab-org/gitlab-runner/-/issues/28630 + NOTE: https://about.gitlab.com/releases/2021/12/10/security-release-gitlab-runner-14-5-2-released/ +CVE-2021-39938 (A vulnerable regular expression pattern in GitLab CE/EE since version ...) + - gitlab <unfixed> +CVE-2021-39937 (A collision in access memoization logic in all versions of GitLab CE/E ...) + - gitlab <unfixed> +CVE-2021-39936 (Improper access control in GitLab CE/EE affecting all versions startin ...) + - gitlab <unfixed> +CVE-2021-39935 (An issue has been discovered in GitLab CE/EE affecting all versions st ...) + - gitlab <unfixed> +CVE-2021-39934 (Improper access control allows any project member to retrieve the serv ...) + - gitlab <unfixed> +CVE-2021-39933 (An issue has been discovered in GitLab CE/EE affecting all versions st ...) + - gitlab <unfixed> +CVE-2021-39932 (An issue has been discovered in GitLab CE/EE affecting all versions st ...) + - gitlab <unfixed> +CVE-2021-39931 (An issue has been discovered in GitLab CE/EE affecting all versions st ...) + - gitlab <unfixed> +CVE-2021-39930 (Missing authorization in GitLab EE versions between 12.4 and 14.3.6, b ...) + - gitlab <unfixed> CVE-2021-39929 (Uncontrolled Recursion in the Bluetooth DHT dissector in Wireshark 3.4 ...) + {DSA-5019-1 DLA-2849-1} - wireshark 3.6.0-1 + [buster] - wireshark <no-dsa> (Minor issue) NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17651 NOTE: https://www.wireshark.org/security/wnpa-sec-2021-07.html CVE-2021-39928 (NULL pointer exception in the IEEE 802.11 dissector in Wireshark 3.4.0 ...) + {DSA-5019-1 DLA-2849-1} - wireshark 3.6.0-1 + [buster] - wireshark <no-dsa> (Minor issue) NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17704 NOTE: https://www.wireshark.org/security/wnpa-sec-2021-13.html -CVE-2021-39927 - RESERVED +CVE-2021-39927 (Server side request forgery protections in GitLab CE/EE versions betwe ...) + - gitlab <unfixed> CVE-2021-39926 (Buffer overflow in the Bluetooth HCI_ISO dissector in Wireshark 3.4.0 ...) + {DSA-5019-1} - wireshark 3.6.0-1 + [buster] - wireshark <not-affected> (Vulnerable code not present) + [stretch] - wireshark <not-affected> (Vulnerable code not present) NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17649 NOTE: https://www.wireshark.org/security/wnpa-sec-2021-08.html CVE-2021-39925 (Buffer overflow in the Bluetooth SDP dissector in Wireshark 3.4.0 to 3 ...) + {DSA-5019-1 DLA-2849-1} - wireshark 3.6.0-1 + [buster] - wireshark 2.6.20-0+deb10u2 NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17635 NOTE: https://www.wireshark.org/security/wnpa-sec-2021-09.html CVE-2021-39924 (Large loop in the Bluetooth DHT dissector in Wireshark 3.4.0 to 3.4.9 ...) + {DSA-5019-1 DLA-2849-1} - wireshark 3.6.0-1 + [buster] - wireshark <no-dsa> (Minor issue) NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17677 NOTE: https://www.wireshark.org/security/wnpa-sec-2021-10.html -CVE-2021-39923 (NULL pointer exception in the IPPUSB dissector in Wireshark 3.4.0 to 3 ...) +CVE-2021-39923 (Large loop in the PNRP dissector in Wireshark 3.4.0 to 3.4.9 and 3.2.0 ...) + {DSA-5019-1 DLA-2849-1} - wireshark 3.6.0-1 - NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17705 - NOTE: https://www.wireshark.org/security/wnpa-sec-2021-15.html + [buster] - wireshark <no-dsa> (Minor issue) + NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17684 + NOTE: https://www.wireshark.org/security/wnpa-sec-2021-11.html CVE-2021-39922 (Buffer overflow in the C12.22 dissector in Wireshark 3.4.0 to 3.4.9 an ...) + {DSA-5019-1 DLA-2849-1} - wireshark 3.6.0-1 + [buster] - wireshark <no-dsa> (Minor issue) NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17636 NOTE: https://www.wireshark.org/security/wnpa-sec-2021-12.html CVE-2021-39921 (NULL pointer exception in the Modbus dissector in Wireshark 3.4.0 to 3 ...) + {DSA-5019-1 DLA-2849-1} - wireshark 3.6.0-1 + [buster] - wireshark <no-dsa> (Minor issue) NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17703 NOTE: https://www.wireshark.org/security/wnpa-sec-2021-14.html CVE-2021-39920 (NULL pointer exception in the IPPUSB dissector in Wireshark 3.4.0 to 3 ...) + {DSA-5019-1} - wireshark 3.6.0-1 + [buster] - wireshark <not-affected> (IPPUSB dissector added in 3.4) + [stretch] - wireshark <not-affected> (IPPUSB dissector added in 3.4) NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17705 NOTE: https://www.wireshark.org/security/wnpa-sec-2021-15.html -CVE-2021-39919 - RESERVED -CVE-2021-39918 - RESERVED -CVE-2021-39917 - RESERVED -CVE-2021-39916 - RESERVED -CVE-2021-39915 - RESERVED +CVE-2021-39919 (In all versions of GitLab CE/EE starting version 14.0 before 14.3.6, a ...) + - gitlab <unfixed> +CVE-2021-39918 (Incorrect Authorization in GitLab EE affecting all versions starting f ...) + - gitlab <unfixed> +CVE-2021-39917 (An issue has been discovered in GitLab CE/EE affecting all versions st ...) + - gitlab <unfixed> +CVE-2021-39916 (Lack of an access control check in the External Status Check feature a ...) + - gitlab <unfixed> +CVE-2021-39915 (Improper access control in the GraphQL API in GitLab CE/EE affecting a ...) + - gitlab <unfixed> CVE-2021-39914 (A regular expression denial of service issue in GitLab versions 8.13 t ...) - gitlab <unfixed> CVE-2021-39913 (Accidental logging of system root password in the migration log in all ...) @@ -10188,8 +17334,8 @@ CVE-2021-39912 (A potential DoS vulnerability was discovered in GitLab CE/EE sta - gitlab <unfixed> CVE-2021-39911 (An improper access control flaw in GitLab CE/EE since version 13.9 exp ...) - gitlab <unfixed> -CVE-2021-39910 - RESERVED +CVE-2021-39910 (An issue has been discovered in GitLab CE/EE affecting all versions st ...) + - gitlab <unfixed> CVE-2021-39909 (Lack of email address ownership verification in the CODEOWNERS feature ...) - gitlab <not-affected> (Specific to EE) CVE-2021-39908 @@ -10224,12 +17370,14 @@ CVE-2021-39894 (In all versions of GitLab CE/EE since version 8.0, a DNS rebindi - gitlab <unfixed> CVE-2021-39893 (A potential DOS vulnerability was discovered in GitLab starting with v ...) - gitlab <unfixed> -CVE-2021-39892 - RESERVED +CVE-2021-39892 (In all versions of GitLab CE/EE since version 12.0, a lower privileged ...) + [experimental] - gitlab 14.6.4+ds1-1 + - gitlab <unfixed> + NOTE: https://gitlab.com/gitlab-org/gitlab/-/issues/28440 CVE-2021-39891 (In all versions of GitLab CE/EE since version 8.0, access tokens creat ...) - gitlab <unfixed> -CVE-2021-39890 - RESERVED +CVE-2021-39890 (It was possible to bypass 2FA for LDAP users and access some specific ...) + - gitlab <unfixed> CVE-2021-39889 (In all versions of GitLab EE since version 14.1, due to an insecure di ...) - gitlab <not-affected> (Specific to Enterprise Edition) CVE-2021-39888 (In all versions of GitLab EE since version 13.10, a specific API endpo ...) @@ -10634,152 +17782,177 @@ CVE-2021-39690 RESERVED CVE-2021-39689 RESERVED -CVE-2021-39688 - RESERVED -CVE-2021-39687 - RESERVED +CVE-2021-39688 (In TBD of TBD, there is a possible out of bounds read due to TBD. This ...) + NOT-FOR-US: Pixel +CVE-2021-39687 (In HandleTransactionIoEvent of actuator_driver.cc, there is a possible ...) + NOT-FOR-US: Android CVE-2021-39686 RESERVED CVE-2021-39685 RESERVED -CVE-2021-39684 - RESERVED -CVE-2021-39683 - RESERVED -CVE-2021-39682 - RESERVED -CVE-2021-39681 - RESERVED -CVE-2021-39680 - RESERVED -CVE-2021-39679 - RESERVED -CVE-2021-39678 - RESERVED -CVE-2021-39677 - RESERVED -CVE-2021-39676 - RESERVED -CVE-2021-39675 - RESERVED -CVE-2021-39674 - RESERVED + {DSA-5050-1} + - linux 5.15.5-2 + NOTE: https://www.openwall.com/lists/oss-security/2021/12/15/4 +CVE-2021-39684 (In target_init of gs101/abl/target/slider/target.c, there is a possibl ...) + NOT-FOR-US: Pixel +CVE-2021-39683 (In copy_from_mbox of sss_ice_util.c, there is a possible out of bounds ...) + NOT-FOR-US: Pixel +CVE-2021-39682 (In mgm_alloc_page of memory_group_manager.c, there is a possible out o ...) + NOT-FOR-US: Pixel +CVE-2021-39681 (In delete_protocol of main.c, there is a possible arbitrary code execu ...) + NOT-FOR-US: Pixel +CVE-2021-39680 (In sec_SHA256_Transform of sha256_core.c, there is a possible way to r ...) + NOT-FOR-US: Pixel +CVE-2021-39679 (In init of vendor_graphicbuffer_meta.cpp, there is a possible use afte ...) + NOT-FOR-US: Pixel +CVE-2021-39678 (In <TBD> of <TBD>, there is a possible bypass of Factory R ...) + NOT-FOR-US: Pixel +CVE-2021-39677 (In startVideoStream() there is a possibility of an OOB Read in the hea ...) + NOT-FOR-US: Android +CVE-2021-39676 (In writeThrowable of AndroidFuture.java, there is a possible parcel se ...) + NOT-FOR-US: Android +CVE-2021-39675 (In GKI_getbuf of gki_buffer.cc, there is a possible out of bounds writ ...) + NOT-FOR-US: Android +CVE-2021-39674 (In btm_sec_connected and btm_sec_disconnected of btm_sec.cc file , the ...) + NOT-FOR-US: Android CVE-2021-39673 RESERVED -CVE-2021-39672 - RESERVED -CVE-2021-39671 - RESERVED +CVE-2021-39672 (In fastboot, there is a possible secure boot bypass due to a configura ...) + NOT-FOR-US: Android +CVE-2021-39671 (In code generated by aidl_const_expressions.cpp, there is a possible o ...) + NOT-FOR-US: Android CVE-2021-39670 RESERVED -CVE-2021-39669 - RESERVED -CVE-2021-39668 - RESERVED +CVE-2021-39669 (In onCreate of InstallCaCertificateWarning.java, there is a possible w ...) + NOT-FOR-US: Android +CVE-2021-39668 (In onActivityViewReady of DetailDialog.kt, there is a possible Intent ...) + NOT-FOR-US: Android CVE-2021-39667 RESERVED -CVE-2021-39666 - RESERVED -CVE-2021-39665 - RESERVED -CVE-2021-39664 - RESERVED -CVE-2021-39663 - RESERVED -CVE-2021-39662 - RESERVED +CVE-2021-39666 (In extract of MediaMetricsItem.h, there is a possible out of bounds re ...) + NOT-FOR-US: Android +CVE-2021-39665 (In checkSpsUpdated of AAVCAssembler.cpp, there is a possible out of bo ...) + NOT-FOR-US: Android +CVE-2021-39664 (In LoadedPackage::Load of LoadedArsc.cpp, there is a possible out of b ...) + NOT-FOR-US: Android +CVE-2021-39663 (In openFileAndEnforcePathPermissionsHelper of MediaProvider.java, ther ...) + NOT-FOR-US: Android +CVE-2021-39662 (In checkUriPermission of MediaProvider.java , there is a possible way ...) + NOT-FOR-US: Android CVE-2021-39661 RESERVED CVE-2021-39660 RESERVED -CVE-2021-39659 - RESERVED -CVE-2021-39658 - RESERVED -CVE-2021-39657 - RESERVED -CVE-2021-39656 - RESERVED -CVE-2021-39655 - RESERVED +CVE-2021-39659 (In sortSimPhoneAccountsForEmergency of CreateConnectionProcessor.java, ...) + NOT-FOR-US: Android +CVE-2021-39658 (ismsEx service is a vendor service in unisoc equipment。ismsEx s ...) + NOT-FOR-US: Android +CVE-2021-39657 (In ufshcd_eh_device_reset_handler of ufshcd.c, there is a possible out ...) + - linux 5.10.12-1 + [buster] - linux 4.19.171-1 + [stretch] - linux 4.9.258-1 + NOTE: https://source.android.com/security/bulletin/pixel/2021-12-01 + NOTE: https://git.kernel.org/linus/35fc4cd34426c242ab015ef280853b7bff101f48 (5.11-rc4) +CVE-2021-39656 (In __configfs_open_file of file.c, there is a possible use-after-free ...) + - linux 5.10.24-1 + [buster] - linux 4.19.181-1 + [stretch] - linux 4.9.272-1 + NOTE: https://source.android.com/security/bulletin/pixel/2021-12-01 + NOTE: https://git.kernel.org/linus/14fbbc8297728e880070f7b077b3301a8c698ef9 (5.12-rc3) +CVE-2021-39655 (Product: AndroidVersions: Android kernelAndroid ID: A-192641593Referen ...) + NOT-FOR-US: Google Pixel components CVE-2021-39654 RESERVED -CVE-2021-39653 - RESERVED -CVE-2021-39652 - RESERVED -CVE-2021-39651 - RESERVED -CVE-2021-39650 - RESERVED -CVE-2021-39649 - RESERVED -CVE-2021-39648 - RESERVED -CVE-2021-39647 - RESERVED -CVE-2021-39646 - RESERVED -CVE-2021-39645 - RESERVED -CVE-2021-39644 - RESERVED -CVE-2021-39643 - RESERVED -CVE-2021-39642 - RESERVED -CVE-2021-39641 - RESERVED -CVE-2021-39640 - RESERVED -CVE-2021-39639 - RESERVED -CVE-2021-39638 - RESERVED -CVE-2021-39637 - RESERVED -CVE-2021-39636 - RESERVED -CVE-2021-39635 - RESERVED -CVE-2021-39634 - RESERVED -CVE-2021-39633 - RESERVED -CVE-2021-39632 - RESERVED -CVE-2021-39631 - RESERVED -CVE-2021-39630 - RESERVED -CVE-2021-39629 - RESERVED -CVE-2021-39628 - RESERVED -CVE-2021-39627 - RESERVED -CVE-2021-39626 - RESERVED -CVE-2021-39625 - RESERVED +CVE-2021-39653 (In (TBD) of (TBD), there is a possible way to boot with a hidden debug ...) + NOT-FOR-US: Google Pixel components +CVE-2021-39652 (In sec_ts_parsing_cmds of (TBD), there is a possible out of bounds wri ...) + NOT-FOR-US: Google Pixel components +CVE-2021-39651 (In TBD of TBD, there is a possible way to access PIN protected setting ...) + NOT-FOR-US: Google Pixel components +CVE-2021-39650 (In (TBD) of (TBD), there is a possible out of bounds write due to a mi ...) + NOT-FOR-US: Google Pixel components +CVE-2021-39649 (In regmap_exit of regmap.c, there is a possible use-after-free due to ...) + NOT-FOR-US: Google Pixel components +CVE-2021-39648 (In gadget_dev_desc_UDC_show of configfs.c, there is a possible disclos ...) + - linux 5.10.9-1 + [buster] - linux 4.19.171-1 + [stretch] - linux 4.9.258-1 + NOTE: https://git.kernel.org/linus/64e6bbfff52db4bf6785fab9cffab850b2de6870 + NOTE: https://source.android.com/security/bulletin/pixel/2021-12-01 +CVE-2021-39647 (In mon_smc_load_sp of gs101-sc/plat/samsung/exynos/soc/exynos9845/smc_ ...) + NOT-FOR-US: Google Pixel components +CVE-2021-39646 (Product: AndroidVersions: Android kernelAndroid ID: A-201537251Referen ...) + NOT-FOR-US: Google Pixel components +CVE-2021-39645 (Product: AndroidVersions: Android kernelAndroid ID: A-199805112Referen ...) + NOT-FOR-US: Google Pixel components +CVE-2021-39644 (Product: AndroidVersions: Android kernelAndroid ID: A-199809304Referen ...) + NOT-FOR-US: Google Pixel components +CVE-2021-39643 (In ic_startRetrieveEntryValue of acropora/app/identity/ic.c, there is ...) + NOT-FOR-US: Google Pixel components +CVE-2021-39642 (In synchronous_process_io_entries of lwis_ioctl.c, there is a possible ...) + NOT-FOR-US: Google Pixel components +CVE-2021-39641 (Product: AndroidVersions: Android kernelAndroid ID: A-126949257Referen ...) + NOT-FOR-US: Google Pixel components +CVE-2021-39640 (In __dwc3_gadget_ep0_queue of ep0.c, there is a possible out of bounds ...) + NOT-FOR-US: Google Pixel components +CVE-2021-39639 (In TBD of fvp.c, there is a possible way to glitch CPU behavior due to ...) + NOT-FOR-US: Google Pixel components +CVE-2021-39638 (In periodic_io_work_func of lwis_periodic_io.c, there is a possible ou ...) + NOT-FOR-US: Google Pixel components +CVE-2021-39637 (In CreateDeviceInfo of trusty_remote_provisioning_context.cpp, there i ...) + NOT-FOR-US: Google Pixel components +CVE-2021-39636 (In do_ipt_get_ctl and do_ipt_set_ctl of ip_tables.c, there is a possib ...) + - linux 4.16.5-1 + NOTE: https://source.android.com/security/bulletin/pixel/2021-12-01 +CVE-2021-39635 (ims_ex is a vendor system service used to manage VoLTE in unisoc devic ...) + NOT-FOR-US: Android +CVE-2021-39634 (In fs/eventpoll.c, there is a possible use after free. This could lead ...) + - linux 5.8.14-1 + [buster] - linux 4.19.152-1 + [stretch] - linux 4.9.240-1 + NOTE: https://source.android.com/security/bulletin/2022-01-01 + NOTE: https://git.kernel.org/linus/f8d4f44df056c5b504b0d49683fb7279218fd207 (5.9-rc8) +CVE-2021-39633 (In gre_handle_offloads of ip_gre.c, there is a possible page fault due ...) + - linux 5.14.6-1 + [bullseye] - linux 5.10.70-1 + [buster] - linux 4.19.208-1 + [stretch] - linux 4.9.290-1 + NOTE: https://source.android.com/security/bulletin/2022-01-01 + NOTE: https://git.kernel.org/linus/1d011c4803c72f3907eccfc1ec63caefb852fcbf (5.14) +CVE-2021-39632 (In inotify_cb of events.cpp, there is a possible out of bounds write d ...) + NOT-FOR-US: Android +CVE-2021-39631 (In clear_data_dlg_text of strings.xml, there is a possible situation w ...) + NOT-FOR-US: Android +CVE-2021-39630 (In executeRequest of OverlayManagerService.java, there is a possible w ...) + NOT-FOR-US: Android +CVE-2021-39629 (In phTmlNfc_Init and phTmlNfc_CleanUp of phTmlNfc.cc, there is a possi ...) + NOT-FOR-US: Android +CVE-2021-39628 (In StatusBar.java, there is a possible disclosure of notification cont ...) + NOT-FOR-US: Android +CVE-2021-39627 (In sendLegacyVoicemailNotification of LegacyModeSmsHandler.java, there ...) + NOT-FOR-US: Android +CVE-2021-39626 (In onAttach of ConnectedDeviceDashboardFragment.java, there is a possi ...) + NOT-FOR-US: Android +CVE-2021-39625 (In showCarrierAppInstallationNotification of EuiccNotificationManager. ...) + NOT-FOR-US: Android CVE-2021-39624 RESERVED -CVE-2021-39623 - RESERVED -CVE-2021-39622 - RESERVED -CVE-2021-39621 - RESERVED -CVE-2021-39620 - RESERVED -CVE-2021-39619 - RESERVED -CVE-2021-39618 - RESERVED +CVE-2021-39623 (In doRead of SimpleDecodingSource.cpp, there is a possible out of boun ...) + NOT-FOR-US: Android +CVE-2021-39622 (In GBoard, there is a possible way to bypass Factory Reset Protection ...) + NOT-FOR-US: Android +CVE-2021-39621 (In sendLegacyVoicemailNotification of LegacyModeSmsHandler.java, there ...) + NOT-FOR-US: Android +CVE-2021-39620 (In ipcSetDataReference of Parcel.cpp, there is a possible way to corru ...) + NOT-FOR-US: Android +CVE-2021-39619 (In updatePackageMappingsData of UsageStatsService.java, there is a pos ...) + NOT-FOR-US: Android +CVE-2021-39618 (In multiple methods of EuiccNotificationManager.java, there is a possi ...) + NOT-FOR-US: Android CVE-2021-39617 RESERVED -CVE-2021-39616 - RESERVED +CVE-2021-39616 (Summary:Product: AndroidVersions: Android SoCAndroid ID: A-204686438 ...) + NOT-FOR-US: Android CVE-2021-3733 [Denial of service when identifying crafted invalid RFCs] RESERVED {DLA-2808-1} @@ -10797,7 +17970,7 @@ CVE-2021-3733 [Denial of service when identifying crafted invalid RFCs] NOTE: https://github.com/python/cpython/commit/3fbe96123aeb66664fa547a8f6022efa2dc8788f (3.6.14) CVE-2021-3732 [overlayfs: Mounting overlayfs inside an unprivileged user namespace can reveal files] RESERVED - {DSA-4978-1 DLA-2785-1} + {DSA-4978-1 DLA-2843-1 DLA-2785-1} - linux 5.14.6-1 [buster] - linux 4.19.208-1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1995249 @@ -11150,8 +18323,8 @@ CVE-2021-39482 RESERVED CVE-2021-39481 RESERVED -CVE-2021-39480 - RESERVED +CVE-2021-39480 (Bingrep v0.8.5 was discovered to contain a memory allocation failure w ...) + NOT-FOR-US: bingrep CVE-2021-39479 RESERVED CVE-2021-39478 @@ -11484,7 +18657,6 @@ CVE-2021-39331 RESERVED CVE-2021-39330 REJECTED - NOT-FOR-US: WordPress plugin CVE-2021-39329 (The JobBoardWP WordPress plugin is vulnerable to Stored Cross-Site Scr ...) NOT-FOR-US: WordPress plugin CVE-2021-39328 (The Simple Job Board WordPress plugin is vulnerable to Stored Cross-Si ...) @@ -11505,34 +18677,34 @@ CVE-2021-39321 (Version 3.3.23 of the Sassy Social Share WordPress plugin is vul NOT-FOR-US: WordPress plugin CVE-2021-39320 (The underConstruction plugin <= 1.18 for WordPress echoes out the r ...) NOT-FOR-US: WordPress plugin -CVE-2021-39319 - RESERVED -CVE-2021-39318 - RESERVED -CVE-2021-39317 (Versions up to, and including, 1.0.6, of the Access Demo Importer Word ...) +CVE-2021-39319 (The duoFAQ - Responsive, Flat, Simple FAQ WordPess plugin is vulnerabl ...) + NOT-FOR-US: WordPess plugin +CVE-2021-39318 (The H5P CSS Editor WordPress plugin is vulnerable to Reflected Cross-S ...) + NOT-FOR-US: WordPess plugin +CVE-2021-39317 (A WordPress plugin and several WordPress themes developed by AccessPre ...) NOT-FOR-US: WordPress plugin CVE-2021-39316 (The Zoomsounds plugin <= 6.45 for WordPress allows arbitrary files, ...) NOT-FOR-US: WordPress plugin -CVE-2021-39315 - RESERVED -CVE-2021-39314 - RESERVED -CVE-2021-39313 - RESERVED -CVE-2021-39312 - RESERVED -CVE-2021-39311 - RESERVED -CVE-2021-39310 - RESERVED -CVE-2021-39309 - RESERVED -CVE-2021-39308 - RESERVED +CVE-2021-39315 (The Magic Post Voice WordPress plugin is vulnerable to Reflected Cross ...) + NOT-FOR-US: WordPess plugin +CVE-2021-39314 (The WooCommerce EnvioPack WordPress plugin is vulnerable to Reflected ...) + NOT-FOR-US: WordPess plugin +CVE-2021-39313 (The Simple Image Gallery WordPress plugin is vulnerable to Reflected C ...) + NOT-FOR-US: WordPess plugin +CVE-2021-39312 (The True Ranker plugin <= 2.2.2 for WordPress allows arbitrary file ...) + NOT-FOR-US: WordPess plugin +CVE-2021-39311 (The link-list-manager WordPress plugin is vulnerable to Reflected Cros ...) + NOT-FOR-US: WordPess plugin +CVE-2021-39310 (The Real WYSIWYG WordPress plugin is vulnerable to Reflected Cross-Sit ...) + NOT-FOR-US: WordPess plugin +CVE-2021-39309 (The Parsian Bank Gateway for Woocommerce WordPress plugin is vulnerabl ...) + NOT-FOR-US: WordPess plugin +CVE-2021-39308 (The WooCommerce myghpay Payment Gateway WordPess plugin is vulnerable ...) + NOT-FOR-US: WordPess plugin CVE-2021-39307 (PDFTron's WebViewer UI 8.0 or below renders dangerous URLs as hyperlin ...) NOT-FOR-US: PDFTron WebViewer UI -CVE-2021-39306 - RESERVED +CVE-2021-39306 (A stack buffer overflow was discovered on Realtek RTL8195AM device bef ...) + NOT-FOR-US: Realtek CVE-2021-39305 RESERVED CVE-2021-39304 (Proofpoint Enterprise Protection before 8.12.0-2108090000 allows secur ...) @@ -11543,30 +18715,30 @@ CVE-2021-3729 (firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF) .. NOT-FOR-US: firefly-iii CVE-2021-3728 (firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF) ...) NOT-FOR-US: firefly-iii -CVE-2021-39303 (The server in Jamf Pro before 10.32.0 has a vulnerability affecting in ...) +CVE-2021-39303 (The server in Jamf Pro before 10.32.0 has an SSRF vulnerability, aka P ...) NOT-FOR-US: Jamf Pro CVE-2021-39302 (MISP 2.4.148, in certain configurations, allows SQL injection via the ...) NOT-FOR-US: MISP -CVE-2021-39301 - RESERVED -CVE-2021-39300 - RESERVED -CVE-2021-39299 - RESERVED -CVE-2021-39298 - RESERVED -CVE-2021-39297 - RESERVED +CVE-2021-39301 (Potential vulnerabilities have been identified in UEFI firmware (BIOS) ...) + NOT-FOR-US: HP +CVE-2021-39300 (Potential vulnerabilities have been identified in UEFI firmware (BIOS) ...) + NOT-FOR-US: HP +CVE-2021-39299 (Potential vulnerabilities have been identified in UEFI firmware (BIOS) ...) + NOT-FOR-US: HP +CVE-2021-39298 (Potential vulnerabilities have been identified in UEFI firmware (BIOS) ...) + NOT-FOR-US: HP +CVE-2021-39297 (Potential vulnerabilities have been identified in UEFI firmware (BIOS) ...) + NOT-FOR-US: HP CVE-2021-39296 (In OpenBMC 2.9, crafted IPMI messages allow an attacker to bypass auth ...) NOT-FOR-US: OpenBMC CVE-2021-39295 RESERVED -CVE-2021-3727 - RESERVED -CVE-2021-3726 - RESERVED -CVE-2021-3725 - RESERVED +CVE-2021-3727 (# Vulnerability in `rand-quote` and `hitokoto` plugins **Description** ...) + NOT-FOR-US: ohmyzsh +CVE-2021-3726 (# Vulnerability in `title` function **Description**: the `title` funct ...) + NOT-FOR-US: ohmyzsh +CVE-2021-3725 (Vulnerability in dirhistory plugin Description: the widgets that go ba ...) + NOT-FOR-US: ohmyzsh CVE-2021-3724 RESERVED NOT-FOR-US: Red Hat Serverless @@ -11578,11 +18750,12 @@ CVE-2021-23156 NOT-FOR-US: Red Hat Serverless CVE-2021-39294 RESERVED -CVE-2021-39293 - RESERVED +CVE-2021-39293 (In archive/zip in Go before 1.16.8 and 1.17.x before 1.17.1, a crafted ...) + {DLA-2892-1 DLA-2891-1} - golang-1.17 1.17.1-1 - golang-1.16 1.16.8-1 - golang-1.15 1.15.15-2 + [bullseye] - golang-1.15 1.15.15-1~deb11u1 - golang-1.11 <removed> [buster] - golang-1.11 <no-dsa> (Minor issue) - golang-1.8 <removed> @@ -11632,8 +18805,8 @@ CVE-2021-39282 (Live555 through 1.08 has a memory leak in AC3AudioStreamParser f NOTE: http://lists.live555.com/pipermail/live-devel/2021-August/021970.html CVE-2021-39281 RESERVED -CVE-2021-39280 - RESERVED +CVE-2021-39280 (Certain Korenix JetWave devices allow authenticated users to execute a ...) + NOT-FOR-US: Korenix JetWave devices CVE-2021-39279 (Certain MOXA devices allow Authenticated Command Injection via /forms/ ...) NOT-FOR-US: MOXA CVE-2021-39278 (Certain MOXA devices allow reflected XSS via the Config Import menu. T ...) @@ -11839,6 +19012,7 @@ CVE-2021-3713 (An out-of-bounds write flaw was found in the UAS (USB Attached SC - qemu 1:6.1+dfsg-2 (bug #992727) [buster] - qemu <no-dsa> (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1994640 + NOTE: https://gitlab.com/qemu-project/qemu/-/commit/13b250b12ad3c59114a6a17d59caf073ce45b33a CVE-2021-39230 (Butter is a system usability utility. Due to a kernel error the JPNS k ...) NOT-FOR-US: Butter CVE-2021-39229 (Apprise is an open source library which allows you to send a notificat ...) @@ -11966,8 +19140,8 @@ CVE-2021-39185 (Http4s is a minimal, idiomatic Scala interface for HTTP services NOT-FOR-US: Https4s CVE-2021-39184 (Electron is a framework for writing cross-platform desktop application ...) - electron <itp> (bug #842420) -CVE-2021-39183 - RESERVED +CVE-2021-39183 (Owncast is an open source, self-hosted live video streaming and chat s ...) + NOT-FOR-US: Owncast CVE-2021-39182 (EnroCrypt is a Python module for encryption and hashing. Prior to vers ...) NOT-FOR-US: EnroCrypt CVE-2021-39181 (OpenOlat is a web-based learning management system (LMS). Prior to ver ...) @@ -12084,8 +19258,8 @@ CVE-2021-39144 (XStream is a simple library to serialize objects to XML and back - libxstream-java 1.4.18-1 (bug #998054) NOTE: https://github.com/x-stream/xstream/security/advisories/GHSA-j9h8-phrw-h4fh NOTE: https://x-stream.github.io/CVE-2021-39144.html -CVE-2021-39143 - RESERVED +CVE-2021-39143 (Spinnaker is an open source, multi-cloud continuous delivery platform. ...) + NOT-FOR-US: Spinnaker CVE-2021-39142 RESERVED CVE-2021-39141 (XStream is a simple library to serialize objects to XML and back again ...) @@ -12227,10 +19401,10 @@ CVE-2021-39082 RESERVED CVE-2021-39081 RESERVED -CVE-2021-39080 - RESERVED -CVE-2021-39079 - RESERVED +CVE-2021-39080 (Due to weak obfuscation, IBM Cognos Analytics Mobile for Android appli ...) + NOT-FOR-US: IBM +CVE-2021-39079 (IBM Cognos Analytics Mobile for Android applications prior to version ...) + NOT-FOR-US: IBM CVE-2021-39078 RESERVED CVE-2021-39077 @@ -12247,22 +19421,22 @@ CVE-2021-39072 RESERVED CVE-2021-39071 RESERVED -CVE-2021-39070 - RESERVED +CVE-2021-39070 (IBM Security Verify Access 10.0.0.0, 10.0.1.0 and 10.0.2.0 with the ad ...) + NOT-FOR-US: IBM CVE-2021-39069 RESERVED CVE-2021-39068 RESERVED CVE-2021-39067 RESERVED -CVE-2021-39066 - RESERVED -CVE-2021-39065 - RESERVED -CVE-2021-39064 - RESERVED -CVE-2021-39063 - RESERVED +CVE-2021-39066 (IBM Financial Transaction Manager 3.2.4 does not invalidate session an ...) + NOT-FOR-US: IBM +CVE-2021-39065 (IBM Spectrum Copy Data Management 2.2.13 and earlier could allow a rem ...) + NOT-FOR-US: IBM +CVE-2021-39064 (IBM Spectrum Copy Data Management 2.2.13 and earlier has weak authenti ...) + NOT-FOR-US: IBM +CVE-2021-39063 (IBM Spectrum Protect Plus 10.1.0.0 through 10.1.8.x uses Cross-Origin ...) + NOT-FOR-US: IBM CVE-2021-39062 RESERVED CVE-2021-39061 @@ -12271,36 +19445,36 @@ CVE-2021-39060 RESERVED CVE-2021-39059 RESERVED -CVE-2021-39058 - RESERVED -CVE-2021-39057 - RESERVED -CVE-2021-39056 - RESERVED +CVE-2021-39058 (IBM Spectrum Copy Data Management 2.2.13 and earlier uses weaker than ...) + NOT-FOR-US: IBM +CVE-2021-39057 (IBM Spectrum Protect Plus 10.1.0.0 through 10.1.8.x is vulnerable to s ...) + NOT-FOR-US: IBM +CVE-2021-39056 (The IBM i 7.1, 7.2, 7.3, and 7.4 Extended Dynamic Remote SQL server (E ...) + NOT-FOR-US: IBM CVE-2021-39055 RESERVED -CVE-2021-39054 - RESERVED -CVE-2021-39053 - RESERVED -CVE-2021-39052 - RESERVED +CVE-2021-39054 (IBM Spectrum Copy Data Management 2.2.13 and earlier could allow a rem ...) + NOT-FOR-US: IBM +CVE-2021-39053 (IBM Spectrum Copy Data Management 2.2.13 and earlier could allow a rem ...) + NOT-FOR-US: IBM +CVE-2021-39052 (IBM Spectrum Copy Data Management 2.2.13 and earlier could allow a rem ...) + NOT-FOR-US: IBM CVE-2021-39051 RESERVED -CVE-2021-39050 - RESERVED -CVE-2021-39049 - RESERVED -CVE-2021-39048 - RESERVED +CVE-2021-39050 (IBM i2 Analyst's Notebook 9.2.0, 9.2.1, and 9.2.2 is vulnerable to a s ...) + NOT-FOR-US: IBM +CVE-2021-39049 (IBM i2 Analyst's Notebook 9.2.0, 9.2.1, and 9.2.2 is vulnerable to a s ...) + NOT-FOR-US: IBM +CVE-2021-39048 (IBM Spectrum Protect Client 7.1 and 8.1 is vulnerable to a stack based ...) + NOT-FOR-US: IBM CVE-2021-39047 RESERVED CVE-2021-39046 RESERVED CVE-2021-39045 RESERVED -CVE-2021-39044 - RESERVED +CVE-2021-39044 (IBM Financial Transaction Manager 3.2.4 is vulnerable to cross-site re ...) + NOT-FOR-US: IBM CVE-2021-39043 RESERVED CVE-2021-39042 @@ -12319,14 +19493,14 @@ CVE-2021-39036 RESERVED CVE-2021-39035 RESERVED -CVE-2021-39034 - RESERVED +CVE-2021-39034 (IBM MQ 9.1 LTS is vulnerable to a denial of service attack caused by a ...) + NOT-FOR-US: IBM CVE-2021-39033 RESERVED -CVE-2021-39032 - RESERVED -CVE-2021-39031 - RESERVED +CVE-2021-39032 (IBM Sterling Gentran:Server for Microsoft Windows 5.3 stores potential ...) + NOT-FOR-US: IBM +CVE-2021-39031 (IBM WebSphere Application Server - Liberty 17.0.0.3 through 22.0.0.1 c ...) + NOT-FOR-US: IBM CVE-2021-39030 RESERVED CVE-2021-39029 @@ -12335,8 +19509,8 @@ CVE-2021-39028 RESERVED CVE-2021-39027 RESERVED -CVE-2021-39026 - RESERVED +CVE-2021-39026 (IBM Guardium Data Encryption (GDE) 5.0.0.2 and 5.0.0.3 could allow a r ...) + NOT-FOR-US: IBM CVE-2021-39025 RESERVED CVE-2021-39024 @@ -12345,8 +19519,8 @@ CVE-2021-39023 RESERVED CVE-2021-39022 RESERVED -CVE-2021-39021 - RESERVED +CVE-2021-39021 (IBM Guardium Data Encryption (GDE) 5.0.0.2 behaves differently or send ...) + NOT-FOR-US: IBM CVE-2021-39020 RESERVED CVE-2021-39019 @@ -12361,8 +19535,8 @@ CVE-2021-39015 RESERVED CVE-2021-39014 RESERVED -CVE-2021-39013 - RESERVED +CVE-2021-39013 (IBM Cloud Pak for Security (CP4S) 1.7.2.0, 1.7.1.0, and 1.7.0.0 could ...) + NOT-FOR-US: IBM CVE-2021-39012 RESERVED CVE-2021-39011 @@ -12383,14 +19557,14 @@ CVE-2021-39004 RESERVED CVE-2021-39003 RESERVED -CVE-2021-39002 - RESERVED +CVE-2021-39002 (IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, ...) + NOT-FOR-US: IBM CVE-2021-39001 RESERVED -CVE-2021-39000 - RESERVED -CVE-2021-38999 - RESERVED +CVE-2021-39000 (IBM MQ Appliance 9.2 CD and 9.2 LTS could allow a local attacker to ob ...) + NOT-FOR-US: IBM +CVE-2021-38999 (IBM MQ Appliance could allow a local attacker to obtain sensitive info ...) + NOT-FOR-US: IBM CVE-2021-38998 RESERVED CVE-2021-38997 @@ -12405,10 +19579,10 @@ CVE-2021-38993 RESERVED CVE-2021-38992 RESERVED -CVE-2021-38991 - RESERVED -CVE-2021-38990 - RESERVED +CVE-2021-38991 (IBM AIX 7.0, 7.1, 7.2, and VIOS 3.1 could allow a non-privileged local ...) + NOT-FOR-US: IBM +CVE-2021-38990 (IBM AIX 7.1, 7.2, and VIOS 3.1 could allow a non-privileged local user ...) + NOT-FOR-US: IBM CVE-2021-38989 RESERVED CVE-2021-38988 @@ -12453,30 +19627,30 @@ CVE-2021-38969 RESERVED CVE-2021-38968 RESERVED -CVE-2021-38967 - RESERVED -CVE-2021-38966 - RESERVED -CVE-2021-38965 - RESERVED +CVE-2021-38967 (IBM MQ Appliance 9.2 CD and 9.2 LTS could allow a local privileged use ...) + NOT-FOR-US: IBM +CVE-2021-38966 (IBM Cloud Pak for Automation 21.0.2 is vulnerable to cross-site script ...) + NOT-FOR-US: IBM +CVE-2021-38965 (IBM FileNet Content Manager 5.5.4, 5.5.6, and 5.5.7 could allow a remo ...) + NOT-FOR-US: IBM CVE-2021-38964 RESERVED CVE-2021-38963 RESERVED CVE-2021-38962 RESERVED -CVE-2021-38961 - RESERVED -CVE-2021-38960 - RESERVED +CVE-2021-38961 (IBM OPENBMC OP910 is vulnerable to cross-site scripting. This vulnerab ...) + NOT-FOR-US: IBM +CVE-2021-38960 (IBM OPENBMC OP920, OP930, and OP940 could allow an unauthenticated use ...) + NOT-FOR-US: IBM CVE-2021-38959 (IBM SPSS Statistics for Windows 24.0, 25.0, 26.0, 27.0, 27.0.1, and 28 ...) NOT-FOR-US: IBM -CVE-2021-38958 - RESERVED -CVE-2021-38957 - RESERVED -CVE-2021-38956 - RESERVED +CVE-2021-38958 (IBM MQ Appliance 9.2 CD and 9.2 LTS is affected by a denial of service ...) + NOT-FOR-US: IBM +CVE-2021-38957 (IBM Security Verify 10.0.0, 10.0.1.0, and 10.0.2.0 could disclose sens ...) + NOT-FOR-US: IBM +CVE-2021-38956 (IBM Security Verify 10.0.0, 10.0.1.0, and 10.0.2.0 could disclose sens ...) + NOT-FOR-US: IBM CVE-2021-38955 RESERVED CVE-2021-38954 @@ -12485,16 +19659,16 @@ CVE-2021-38953 RESERVED CVE-2021-38952 RESERVED -CVE-2021-38951 - RESERVED -CVE-2021-38950 - RESERVED +CVE-2021-38951 (IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable ...) + NOT-FOR-US: IBM +CVE-2021-38950 (IBM MQ on HPE NonStop 8.0.4 and 8.1.0 is vulnerable to a privilege esc ...) + NOT-FOR-US: IBM CVE-2021-38949 (IBM MQ 7.5, 8.0, 9.0 LTS, 9.1 CD, and 9.1 LTS stores user credentials ...) NOT-FOR-US: IBM CVE-2021-38948 (IBM InfoSphere Information Server 11.7 is vulnerable to an XML Externa ...) NOT-FOR-US: IBM -CVE-2021-38947 - RESERVED +CVE-2021-38947 (IBM Spectrum Copy Data Management 2.2.13 and earlier uses weaker than ...) + NOT-FOR-US: IBM CVE-2021-38946 RESERVED CVE-2021-38945 @@ -12513,20 +19687,20 @@ CVE-2021-38939 RESERVED CVE-2021-38938 RESERVED -CVE-2021-38937 - RESERVED +CVE-2021-38937 (IBM PowerVM Hypervisor FW940, FW950, and FW1010 could allow an authent ...) + NOT-FOR-US: IBM CVE-2021-38936 RESERVED -CVE-2021-38935 - RESERVED +CVE-2021-38935 (IBM Maximo Asset Management 7.6.1.2 does not require that users should ...) + NOT-FOR-US: IBM CVE-2021-38934 RESERVED CVE-2021-38933 RESERVED CVE-2021-38932 RESERVED -CVE-2021-38931 - RESERVED +CVE-2021-38931 (IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.1 ...) + NOT-FOR-US: IBM CVE-2021-38930 RESERVED CVE-2021-38929 @@ -12535,8 +19709,8 @@ CVE-2021-38928 RESERVED CVE-2021-38927 RESERVED -CVE-2021-38926 - RESERVED +CVE-2021-38926 (IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 9.7, ...) + NOT-FOR-US: IBM CVE-2021-38925 (IBM Sterling B2B Integrator Standard Edition 5.2.0. 0 through 6.1.1.0 ...) NOT-FOR-US: IBM CVE-2021-38924 @@ -12545,16 +19719,16 @@ CVE-2021-38923 (IBM PowerVM Hypervisor FW1010 could allow a privileged user to g NOT-FOR-US: IBM CVE-2021-38922 RESERVED -CVE-2021-38921 - RESERVED +CVE-2021-38921 (IBM Security Verify 10.0.0, 10.0.1.0, and 10.0.2.0 uses weaker than ex ...) + NOT-FOR-US: IBM CVE-2021-38920 RESERVED CVE-2021-38919 RESERVED -CVE-2021-38918 - RESERVED -CVE-2021-38917 - RESERVED +CVE-2021-38918 (IBM PowerVM Hypervisor FW860, FW940, FW950, and FW1010, through a spec ...) + NOT-FOR-US: IBM +CVE-2021-38917 (IBM PowerVM Hypervisor FW860, FW940, and FW950 could allow an attacker ...) + NOT-FOR-US: IBM CVE-2021-38916 RESERVED CVE-2021-38915 (IBM Data Risk Manager 2.0.6 stores user credentials in plain clear tex ...) @@ -12569,8 +19743,8 @@ CVE-2021-38911 (IBM Security Risk Manager on CP4S 1.7.0.0 stores user credential NOT-FOR-US: IBM CVE-2021-38910 RESERVED -CVE-2021-38909 - RESERVED +CVE-2021-38909 (IBM Cognos Analytics 11.1.7 and 11.2.0 is vulnerable to cross-site scr ...) + NOT-FOR-US: IBM CVE-2021-38908 RESERVED CVE-2021-38907 @@ -12585,10 +19759,10 @@ CVE-2021-38903 RESERVED CVE-2021-38902 RESERVED -CVE-2021-38901 - RESERVED -CVE-2021-38900 - RESERVED +CVE-2021-38901 (IBM Spectrum Protect Operations Center 7.1, under special configuratio ...) + NOT-FOR-US: IBM +CVE-2021-38900 (IBM Business Process Manager 8.5 and 8.6 and IBM Business Automation W ...) + NOT-FOR-US: IBM CVE-2021-38899 (IBM Cloud Pak for Data 2.5 could allow a local user with special privi ...) NOT-FOR-US: IBM CVE-2021-38898 @@ -12597,14 +19771,15 @@ CVE-2021-38897 RESERVED CVE-2021-38896 (IBM QRadar Advisor 2.5 through 2.6.1 is vulnerable to cross-site scrip ...) NOT-FOR-US: IBM -CVE-2021-38895 - RESERVED -CVE-2021-38894 - RESERVED -CVE-2021-38893 - RESERVED +CVE-2021-38895 (IBM Security Verify 10.0.0, 10.0.1.0, and 10.0.2.0 is vulnerable to cr ...) + NOT-FOR-US: IBM +CVE-2021-38894 (IBM Security Verify 10.0.0, 10.0.1.0, and 10.0.2.0 could allow a remot ...) + NOT-FOR-US: IBM +CVE-2021-38893 (IBM Business Process Manager 8.5 and 8.6 and IBM Business Automation W ...) + NOT-FOR-US: IBM CVE-2021-38892 - RESERVED + REJECTED + NOT-FOR-US: IBM CVE-2021-38891 (IBM Sterling Connect:Direct Web Services 1.0 and 6.0 uses weaker than ...) NOT-FOR-US: IBM CVE-2021-38890 (IBM Sterling Connect:Direct Web Services 1.0 and 6.0 uses an inadequat ...) @@ -12621,8 +19796,8 @@ CVE-2021-38885 RESERVED CVE-2021-38884 RESERVED -CVE-2021-38883 - RESERVED +CVE-2021-38883 (IBM Business Automation Workflow 18.0, 19.0, 20,0 and 21.0 and IBM Bus ...) + NOT-FOR-US: IBM CVE-2021-38882 (IBM Spectrum Scale 5.1.0 through 5.1.1.1 could allow a privileged admi ...) NOT-FOR-US: IBM CVE-2021-38881 @@ -12635,8 +19810,8 @@ CVE-2021-38878 RESERVED CVE-2021-38877 (IBM Jazz for Service Management 1.1.3.10 is vulnerable to stored cross ...) NOT-FOR-US: IBM -CVE-2021-38876 - RESERVED +CVE-2021-38876 (IBM i 7.2, 7.3, and 7.4 is vulnerable to cross-site scripting. This vu ...) + NOT-FOR-US: IBM CVE-2021-38875 (IBM MQ 8.0, 9.0 LTS, 9.1 LTS, 9.2 LTS, 9.1 CD, and 9.2 CD is vulnerabl ...) NOT-FOR-US: IBM CVE-2021-38874 @@ -12833,20 +20008,20 @@ CVE-2021-38791 RESERVED CVE-2021-38790 RESERVED -CVE-2021-38789 - RESERVED -CVE-2021-38788 - RESERVED -CVE-2021-38787 - RESERVED -CVE-2021-38786 - RESERVED -CVE-2021-38785 - RESERVED -CVE-2021-38784 - RESERVED -CVE-2021-38783 - RESERVED +CVE-2021-38789 (Allwinner R818 SoC Android Q SDK V1.0 is affected by an incorrect acce ...) + NOT-FOR-US: Allwinner Android Q SDK +CVE-2021-38788 (The Background service in Allwinner R818 SoC Android Q SDK V1.0 is use ...) + NOT-FOR-US: Allwinner Android Q SDK +CVE-2021-38787 (There is an integer overflow in the ION driver "/dev/ion" of Allwinner ...) + NOT-FOR-US: Allwinner Android Q SDK +CVE-2021-38786 (There is a NULL pointer dereference in media/libcedarc/vdecoder of All ...) + NOT-FOR-US: Allwinner Android Q SDK +CVE-2021-38785 (There is a NULL pointer deference in the Allwinner R818 SoC Android Q ...) + NOT-FOR-US: Allwinner Android Q SDK +CVE-2021-38784 (There is a NULL pointer dereference in the syscall open_exec function ...) + NOT-FOR-US: Allwinner Android Q SDK +CVE-2021-38783 (There is a Out-of-Bound Write in the Allwinner R818 SoC Android Q SDK ...) + NOT-FOR-US: Allwinner Android Q SDK CVE-2021-38782 RESERVED CVE-2021-38781 @@ -12893,8 +20068,8 @@ CVE-2021-38761 RESERVED CVE-2021-38760 RESERVED -CVE-2021-38759 - RESERVED +CVE-2021-38759 (Raspberry Pi OS through 5.10 has the raspberry default password for th ...) + NOT-FOR-US: Raspberry Pi OS CVE-2021-38758 (Directory traversal vulnerability in Online Catering Reservation Syste ...) NOT-FOR-US: Directory traversal in Online Catering Reservation System CVE-2021-38757 (Persistent cross-site scripting (XSS) in Hospital Management System ta ...) @@ -12986,7 +20161,7 @@ CVE-2021-38715 CVE-2021-38714 (In Plib through 1.85, there is an integer overflow vulnerability that ...) {DLA-2775-1} - plib 1.8.5-10 (bug #992973) - [bullseye] - plib <no-dsa> (Minor issue) + [bullseye] - plib 1.8.5-8+deb11u1 [buster] - plib <no-dsa> (Minor issue) NOTE: https://sourceforge.net/p/plib/bugs/55/ CVE-2021-38713 (imgURL 2.31 allows XSS via an X-Forwarded-For HTTP header. ...) @@ -13025,38 +20200,40 @@ CVE-2021-3707 (D-Link router DSL-2750U with firmware vME1.16 or prior versions i NOT-FOR-US: D-Link CVE-2021-38702 (Cyberoam NetGenie C0101B1-20141120-NG11VO devices through 2021-08-14 a ...) NOT-FOR-US: Cyberoam NetGenie C0101B1-20141120-NG11VO devices -CVE-2021-38701 - RESERVED +CVE-2021-38701 (Certain Motorola Solutions Avigilon devices allow XSS in the administr ...) + NOT-FOR-US: Motorola Solutions Avigilon devices CVE-2021-38700 RESERVED CVE-2021-38699 (TastyIgniter 3.0.7 allows XSS via /account, /reservation, /admin/dashb ...) NOT-FOR-US: TastyIgniter CVE-2021-38698 (HashiCorp Consul and Consul Enterprise 1.10.1 Txn.Apply endpoint allow ...) - consul <unfixed> + [bullseye] - consul <no-dsa> (Minor issue) + [buster] - consul <no-dsa> (Minor issue) NOTE: https://discuss.hashicorp.com/t/hcsec-2021-24-consul-missing-authorization-check-on-txn-apply-endpoint/29026 NOTE: https://github.com/hashicorp/consul/commit/747844bad6410091f2c6e961216c0c5fc285a44d (v1.8.15) -CVE-2021-38697 - RESERVED -CVE-2021-38696 - RESERVED -CVE-2021-38695 - RESERVED -CVE-2021-38694 - RESERVED +CVE-2021-38697 (SoftVibe SARABAN for INFOMA 1.1 allows Unauthenticated unrestricted Fi ...) + NOT-FOR-US: SoftVibe SARABAN for INFOMA +CVE-2021-38696 (SoftVibe SARABAN for INFOMA 1.1 has Incorrect Access Control vulnerabi ...) + NOT-FOR-US: SoftVibe SARABAN for INFOMA +CVE-2021-38695 (SoftVibe SARABAN for INFOMA 1.1 is vulnerable to stored cross-site scr ...) + NOT-FOR-US: SoftVibe SARABAN for INFOMA +CVE-2021-38694 (SoftVibe SARABAN for INFOMA 1.1 allows SQL Injection. ...) + NOT-FOR-US: SoftVibe SARABAN for INFOMA CVE-2021-38693 RESERVED -CVE-2021-38692 - RESERVED -CVE-2021-38691 - RESERVED -CVE-2021-38690 - RESERVED -CVE-2021-38689 - RESERVED -CVE-2021-38688 - RESERVED -CVE-2021-38687 - RESERVED +CVE-2021-38692 (A stack buffer overflow vulnerability has been reported to affect QNAP ...) + NOT-FOR-US: QNAP +CVE-2021-38691 (A stack buffer overflow vulnerability has been reported to affect QNAP ...) + NOT-FOR-US: QNAP +CVE-2021-38690 (A stack buffer overflow vulnerability has been reported to affect QNAP ...) + NOT-FOR-US: QNAP +CVE-2021-38689 (A stack buffer overflow vulnerability has been reported to affect QNAP ...) + NOT-FOR-US: QNAP +CVE-2021-38688 (An improper authentication vulnerability has been reported to affect A ...) + NOT-FOR-US: QNAP +CVE-2021-38687 (A stack buffer overflow vulnerability has been reported to affect QNAP ...) + NOT-FOR-US: QNAP CVE-2021-38686 (An improper authentication vulnerability has been reported to affect Q ...) NOT-FOR-US: QNAP CVE-2021-38685 (A command injection vulnerability has been reported to affect QNAP dev ...) @@ -13065,24 +20242,24 @@ CVE-2021-38684 (A stack buffer overflow vulnerability has been reported to affec NOT-FOR-US: QNAP CVE-2021-38683 RESERVED -CVE-2021-38682 - RESERVED +CVE-2021-38682 (A stack buffer overflow vulnerability has been reported to affect QNAP ...) + NOT-FOR-US: QNAP CVE-2021-38681 (A reflected cross-site scripting (XSS) vulnerability has been reported ...) NOT-FOR-US: QNAP -CVE-2021-38680 - RESERVED -CVE-2021-38679 - RESERVED -CVE-2021-38678 - RESERVED -CVE-2021-38677 - RESERVED +CVE-2021-38680 (A cross-site scripting (XSS) vulnerability has been reported to affect ...) + NOT-FOR-US: QNAP +CVE-2021-38679 (An improper authentication vulnerability has been reported to affect Q ...) + NOT-FOR-US: QNAP +CVE-2021-38678 (An open redirect vulnerability has been reported to affect QNAP device ...) + NOT-FOR-US: QNAP +CVE-2021-38677 (A cross-site scripting (XSS) vulnerability has been reported to affect ...) + NOT-FOR-US: QNAP CVE-2021-38676 RESERVED CVE-2021-38675 (A cross-site scripting (XSS) vulnerability has been reported to affect ...) NOT-FOR-US: QNAP -CVE-2021-38674 - RESERVED +CVE-2021-38674 (A cross-site scripting (XSS) vulnerability has been reported to affect ...) + NOT-FOR-US: QNAP CVE-2021-3706 (adminlte is vulnerable to Sensitive Cookie Without 'HttpOnly' Flag ...) NOT-FOR-US: adminlte CVE-2021-38673 @@ -13237,9 +20414,11 @@ CVE-2021-38604 (In librt in the GNU C Library (aka glibc) through 2.34, sysdeps/ NOTE: https://sourceware.org/git/?p=glibc.git;a=commit;h=b805aebd42364fe696e417808a700fdb9800c9e8 CVE-2021-38603 (PluXML 5.8.7 allows core/admin/profil.php stored XSS via the Informati ...) - pluxml <unfixed> + [buster] - pluxml <ignored> (Minor issue) [stretch] - pluxml <no-dsa> (Minor issue) CVE-2021-38602 (PluXML 5.8.7 allows Article Editing stored XSS via Headline or Content ...) - pluxml <unfixed> + [buster] - pluxml <ignored> (Minor issue) [stretch] - pluxml <no-dsa> (Minor issue) CVE-2021-38601 RESERVED @@ -13256,7 +20435,7 @@ CVE-2021-38598 (OpenStack Neutron before 16.4.1, 17.x before 17.1.3, and 18.0.0 NOTE: https://launchpad.net/bugs/1938670 NOTE: https://review.opendev.org/c/openstack/neutron/+/785917/ CVE-2021-38597 (wolfSSL before 4.8.1 incorrectly skips OCSP verification in certain si ...) - - wolfssl <unfixed> (bug #992174) + - wolfssl 5.0.0-1 (bug #992174) [bullseye] - wolfssl <no-dsa> (Minor issue) NOTE: https://github.com/wolfSSL/wolfssl/commit/f93083be72a3b3d956b52a7ec13f307a27b6e093 CVE-2021-38596 @@ -13306,10 +20485,10 @@ CVE-2021-38578 RESERVED CVE-2021-38577 RESERVED -CVE-2021-38576 - RESERVED -CVE-2021-38575 [edk2: remote buffer overflow in IScsiHexToBin function in NetworkPkg/IScsiDxe] - RESERVED +CVE-2021-38576 (A BIOS bug in firmware for a particular PC model leaves the Platform a ...) + - edk2 <undetermined> + NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=3499 (private) +CVE-2021-38575 (NetworkPkg/IScsiDxe has remotely exploitable buffer overflows. ...) - edk2 2021.08-1 [bullseye] - edk2 <no-dsa> (Minor issue) [buster] - edk2 <no-dsa> (Minor issue) @@ -13356,6 +20535,10 @@ CVE-2021-3701 NOTE: https://github.com/ansible/ansible-runner/pull/742/commits/60b059f00409224acae1e417153a241c8591ad89 CVE-2021-3700 RESERVED + - usbredir 0.11.0-1 + [bullseye] - usbredir <no-dsa> (Minor issue) + [buster] - usbredir <no-dsa> (Minor issue) + NOTE: https://gitlab.freedesktop.org/spice/usbredir/-/commit/03c519ff5831ba75120e00ebebbf1d5a1f7220ab (usbredir-0.11.0) CVE-2021-38562 (Best Practical Request Tracker (RT) 4.2 before 4.2.17, 4.4 before 4.4. ...) - request-tracker5 <unfixed> (bug #995167) - request-tracker4 4.4.4+dfsg-3 (bug #995175) @@ -13367,8 +20550,8 @@ CVE-2021-38562 (Best Practical Request Tracker (RT) 4.2 before 4.2.17, 4.4 befor NOTE: https://github.com/bestpractical/rt/commit/d16f8cf13c2af517ee55a85e7b91a0267477189f (rt-4.2.17) CVE-2021-38561 RESERVED -CVE-2021-38560 - RESERVED +CVE-2021-38560 (Ivanti Service Manager 2021.1 allows reflected XSS via the appName par ...) + NOT-FOR-US: Ivanti CVE-2021-38559 (DigitalDruid HotelDruid 3.0.2 has an XSS vulnerability in prenota.php ...) - hoteldruid 3.0.3-1 [bullseye] - hoteldruid <no-dsa> (Minor issue) @@ -13406,8 +20589,8 @@ CVE-2021-38544 (Sony SRS-XB33 and SRS-XB43 devices through 2021-08-09 allow remo NOT-FOR-US: Sony SRS-XB33 and SRS-XB43 devices CVE-2021-38543 (TP-Link UE330 USB splitter devices through 2021-08-09, in certain spec ...) NOT-FOR-US: TP-Link -CVE-2021-38542 - RESERVED +CVE-2021-38542 (Apache James prior to release 3.6.1 is vulnerable to a buffering attac ...) + NOT-FOR-US: Apache James CVE-2021-38541 RESERVED CVE-2021-3699 @@ -13476,64 +20659,62 @@ CVE-2021-38513 (Certain NETGEAR devices are affected by authentication bypass. T NOT-FOR-US: Netgear CVE-2021-38512 (An issue was discovered in the actix-http crate before 3.0.0-beta.9 fo ...) NOT-FOR-US: Rust crate actix-http -CVE-2021-38510 - RESERVED +CVE-2021-38510 (The executable file warning was not presented when downloading .inetlo ...) - firefox <not-affected> (Only affects Mac OSX) - firefox-esr <not-affected> (Only affects Mac OSX) - thunderbird <not-affected> (Only affects Mac OSX) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-48/#CVE-2021-38510 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-49/#CVE-2021-38510 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-50/#CVE-2021-38510 -CVE-2021-38509 - RESERVED +CVE-2021-38509 (Due to an unusual sequence of attacker-controlled events, a Javascript ...) + {DSA-5034-1 DSA-5026-1 DLA-2874-1 DLA-2863-1} - firefox 94.0-1 - firefox-esr 91.3.0esr-1 - thunderbird 1:91.3.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-48/#CVE-2021-38509 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-49/#CVE-2021-38509 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-50/#CVE-2021-38509 -CVE-2021-38508 - RESERVED +CVE-2021-38508 (By displaying a form validity message in the correct location at the s ...) + {DSA-5034-1 DSA-5026-1 DLA-2874-1 DLA-2863-1} - firefox 94.0-1 - firefox-esr 91.3.0esr-1 - thunderbird 1:91.3.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-48/#CVE-2021-38508 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-49/#CVE-2021-38508 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-50/#CVE-2021-38508 -CVE-2021-38507 - RESERVED +CVE-2021-38507 (The Opportunistic Encryption feature of HTTP2 (RFC 8164) allows a conn ...) + {DSA-5034-1 DSA-5026-1 DLA-2874-1 DLA-2863-1} - firefox 94.0-1 - firefox-esr 91.3.0esr-1 - thunderbird 1:91.3.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-48/#CVE-2021-38507 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-49/#CVE-2021-38507 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-50/#CVE-2021-38507 -CVE-2021-38506 - RESERVED +CVE-2021-38506 (Through a series of navigations, Firefox could have entered fullscreen ...) + {DSA-5034-1 DSA-5026-1 DLA-2874-1 DLA-2863-1} - firefox 94.0-1 - firefox-esr 91.3.0esr-1 - thunderbird 1:91.3.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-48/#CVE-2021-38506 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-49/#CVE-2021-38506 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-50/#CVE-2021-38506 -CVE-2021-38505 - RESERVED +CVE-2021-38505 (Microsoft introduced a new feature in Windows 10 known as Cloud Clipbo ...) - firefox <not-affected> (Only affects Windows) - firefox-esr <not-affected> (Only affects Windows) - thunderbird <not-affected> (Only affects Windows) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-48/#CVE-2021-38505 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-49/#CVE-2021-38505 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-50/#CVE-2021-38505 -CVE-2021-38504 - RESERVED +CVE-2021-38504 (When interacting with an HTML input element's file picker dialog with ...) + {DSA-5034-1 DSA-5026-1 DLA-2874-1 DLA-2863-1} - firefox 94.0-1 - firefox-esr 91.3.0esr-1 - thunderbird 1:91.3.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-48/#CVE-2021-38504 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-49/#CVE-2021-38504 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-50/#CVE-2021-38504 -CVE-2021-38503 - RESERVED +CVE-2021-38503 (The iframe sandbox rules were not correctly applied to XSLT stylesheet ...) + {DSA-5034-1 DSA-5026-1 DLA-2874-1 DLA-2863-1} - firefox 94.0-1 - firefox-esr 91.3.0esr-1 - thunderbird 1:91.3.0-1 @@ -13541,6 +20722,7 @@ CVE-2021-38503 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-49/#CVE-2021-38503 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-50/#CVE-2021-38503 CVE-2021-38502 (Thunderbird ignored the configuration to require STARTTLS security for ...) + {DSA-5034-1 DLA-2874-1} [experimental] - thunderbird 1:91.2.0-1 - thunderbird 1:91.2.1-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-47/#CVE-2021-38502 @@ -13552,7 +20734,7 @@ CVE-2021-38501 (Mozilla developers reported memory safety bugs present in Firefo NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-45/#CVE-2021-38501 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-47/#CVE-2021-38501 CVE-2021-38500 (Mozilla developers reported memory safety bugs present in Firefox 92 a ...) - {DSA-4981-1 DLA-2782-1} + {DSA-5034-1 DSA-4981-1 DLA-2874-1 DLA-2782-1} - firefox 93.0-1 - firefox-esr 91.2.0esr-1 [experimental] - thunderbird 1:91.2.0-1 @@ -13580,7 +20762,7 @@ CVE-2021-38497 (Through use of reportValidity() and window.open(), a plain-text NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-45/#CVE-2021-38497 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-47/#CVE-2021-38497 CVE-2021-38496 (During operations on MessageTasks, a task may have been removed while ...) - {DSA-4981-1 DLA-2782-1} + {DSA-5034-1 DSA-4981-1 DLA-2874-1 DLA-2782-1} - firefox 93.0-1 - firefox-esr 91.2.0esr-1 [experimental] - thunderbird 1:91.2.0-1 @@ -13752,32 +20934,32 @@ CVE-2021-38423 RESERVED CVE-2021-38422 (Delta Electronics DIALink versions 1.2.4.0 and prior stores sensitive ...) NOT-FOR-US: Delta Electronics DIALink -CVE-2021-38421 - RESERVED +CVE-2021-38421 (Fuji Electric V-Server Lite and Tellus Lite V-Simulator prior to v4.0. ...) + NOT-FOR-US: Fuji Electric CVE-2021-38420 (Delta Electronics DIALink versions 1.2.4.0 and prior default permissio ...) NOT-FOR-US: Delta Electronics DIALink -CVE-2021-38419 - RESERVED +CVE-2021-38419 (Fuji Electric V-Server Lite and Tellus Lite V-Simulator prior to v4.0. ...) + NOT-FOR-US: Fuji Electric CVE-2021-38418 (Delta Electronics DIALink versions 1.2.4.0 and prior runs by default o ...) NOT-FOR-US: Delta Electronics DIALink CVE-2021-38417 RESERVED CVE-2021-38416 (Delta Electronics DIALink versions 1.2.4.0 and prior insecurely loads ...) NOT-FOR-US: Delta Electronics DIALink -CVE-2021-38415 - RESERVED +CVE-2021-38415 (Fuji Electric V-Server Lite and Tellus Lite V-Simulator prior to v4.0. ...) + NOT-FOR-US: Fuji Electric CVE-2021-38414 RESERVED -CVE-2021-38413 - RESERVED +CVE-2021-38413 (Fuji Electric V-Server Lite and Tellus Lite V-Simulator prior to v4.0. ...) + NOT-FOR-US: Fuji Electric CVE-2021-38412 (Properly formatted POST requests to multiple resources on the HTTP and ...) NOT-FOR-US: Digi PortServer TS CVE-2021-38411 (Delta Electronics DIALink versions 1.2.4.0 and prior is vulnerable to ...) NOT-FOR-US: Delta Electronics DIALink CVE-2021-38410 RESERVED -CVE-2021-38409 - RESERVED +CVE-2021-38409 (Fuji Electric V-Server Lite and Tellus Lite V-Simulator prior to v4.0. ...) + NOT-FOR-US: Fuji Electric CVE-2021-38408 (A stack-based buffer overflow vulnerability in Advantech WebAccess Ver ...) NOT-FOR-US: Advantech WebAccess CVE-2021-38407 (Delta Electronics DIALink versions 1.2.4.0 and prior is vulnerable to ...) @@ -13792,8 +20974,8 @@ CVE-2021-38403 (Delta Electronics DIALink versions 1.2.4.0 and prior is vulnerab NOT-FOR-US: Delta Electronics DIALink CVE-2021-38402 (Delta Electronic DOPSoft 2 (Version 2.00.07 and prior) lacks proper va ...) NOT-FOR-US: Delta Electronic -CVE-2021-38401 - RESERVED +CVE-2021-38401 (Fuji Electric V-Server Lite and Tellus Lite V-Simulator prior to v4.0. ...) + NOT-FOR-US: Fuji Electric CVE-2021-38400 (An attacker with physical access to Boston Scientific Zoom Latitude Mo ...) NOT-FOR-US: Boston Scientific Zoom Latitude Model 3120 CVE-2021-38399 @@ -13897,10 +21079,12 @@ CVE-2021-38365 (Winner (aka ToneWinner) desktop speakers through 2021-08-09 allo NOT-FOR-US: Winner (aka ToneWinner) desktop speakers CVE-2021-3698 [authenticates with revoked certificates] RESERVED - - cockpit <unfixed> + - cockpit 260-1 [bullseye] - cockpit <no-dsa> (Minor issue) [buster] - cockpit <not-affected> (Vulnerable code not present, introduced in 208) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1992149 + NOTE: Needs sssd 2.6.1 + NOTE: https://cockpit-project.org/blog/cockpit-260.html CVE-2021-3697 RESERVED CVE-2021-3696 @@ -13916,8 +21100,8 @@ CVE-2021-38363 RESERVED CVE-2021-38362 RESERVED -CVE-2021-38361 - RESERVED +CVE-2021-38361 (The .htaccess Redirect WordPress plugin is vulnerable to Reflected Cro ...) + NOT-FOR-US: WordPess plugin CVE-2021-38360 (The wp-publications WordPress plugin is vulnerable to restrictive loca ...) NOT-FOR-US: WordPress plugin CVE-2021-38359 (The WordPress InviteBox Plugin for viral Refer-a-Friend Promotions Wor ...) @@ -14051,6 +21235,8 @@ CVE-2021-38298 (Zoho ManageEngine ADManager Plus before 7110 is vulnerable to bl CVE-2021-38297 (Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow via la ...) - golang-1.17 1.17.2-1 - golang-1.16 1.16.9-1 + - golang-1.15 1.15.15-5 + [bullseye] - golang-1.15 1.15.15-1~deb11u2 - golang-1.11 <removed> [buster] - golang-1.11 <no-dsa> (Minor issue) - golang-1.8 <not-affected> (Vulnerable code not present) @@ -14098,8 +21284,8 @@ CVE-2021-38285 RESERVED CVE-2021-38284 RESERVED -CVE-2021-38283 - RESERVED +CVE-2021-38283 (Wipro Holmes Orchestrator 20.4.1 (20.4.1_02_11_2020) allows remote att ...) + NOT-FOR-US: Wipro Holmes Orchestrator CVE-2021-38282 RESERVED CVE-2021-38281 @@ -14176,8 +21362,8 @@ CVE-2021-38246 RESERVED CVE-2021-38245 RESERVED -CVE-2021-38244 - RESERVED +CVE-2021-38244 (A regular expression denial of service (ReDoS) vulnerability exits in ...) + NOT-FOR-US: cbioportal CVE-2021-38243 RESERVED CVE-2021-38242 @@ -14273,13 +21459,13 @@ CVE-2021-38206 (The mac80211 subsystem in the Linux kernel before 5.12.13, when [stretch] - linux <not-affected> (Vulnerable code introduced later) NOTE: https://git.kernel.org/linus/bddc0c411a45d3718ac535a070f349be8eca8d48 CVE-2021-38205 (drivers/net/ethernet/xilinx/xilinx_emaclite.c in the Linux kernel befo ...) - {DLA-2785-1} + {DLA-2843-1 DLA-2785-1} - linux 5.14.6-1 [bullseye] - linux 5.10.70-1 [buster] - linux 4.19.208-1 NOTE: https://git.kernel.org/linus/d0d62baa7f505bd4c59cd169692ff07ec49dde37 CVE-2021-38204 (drivers/usb/host/max3421-hcd.c in the Linux kernel before 5.13.6 allow ...) - {DLA-2785-1} + {DLA-2843-1 DLA-2785-1} - linux 5.14.6-1 (unimportant) [bullseye] - linux 5.10.70-1 [buster] - linux 4.19.208-1 @@ -14300,12 +21486,12 @@ CVE-2021-38200 (arch/powerpc/perf/core-book3s.c in the Linux kernel before 5.12. - linux <not-affected> (Vulnerable code introduced later) NOTE: https://git.kernel.org/linus/60b7ed54a41b550d50caf7f2418db4a7e75b5bdc CVE-2021-38199 (fs/nfs/nfs4client.c in the Linux kernel before 5.13.4 has incorrect co ...) - {DSA-4978-1 DLA-2785-1} + {DSA-4978-1 DLA-2843-1 DLA-2785-1} - linux 5.14.6-1 [buster] - linux 4.19.208-1 NOTE: https://git.kernel.org/linus/dd99e9f98fbf423ff6d365b37a98e8879170f17c CVE-2021-38198 (arch/x86/kvm/mmu/paging_tmpl.h in the Linux kernel before 5.12.11 inco ...) - {DLA-2785-1} + {DLA-2843-1 DLA-2785-1} - linux 5.10.46-1 [buster] - linux 4.19.208-1 NOTE: https://git.kernel.org/linus/b1bd5cba3306691c771d558e94baa73e8b0b96b7 @@ -14348,8 +21534,8 @@ CVE-2021-38184 RESERVED CVE-2021-38183 (SAP NetWeaver - versions 700, 701, 702, 730, does not sufficiently enc ...) NOT-FOR-US: SAP -CVE-2021-38182 - RESERVED +CVE-2021-38182 (Due to insufficient input validation of Kyma, authenticated users can ...) + NOT-FOR-US: Kyma CVE-2021-38181 (SAP NetWeaver AS ABAP and ABAP Platform - versions 700, 701, 702, 730, ...) NOT-FOR-US: SAP CVE-2021-38180 (SAP Business One - version 10.0, allows an attacker to inject formulas ...) @@ -14375,8 +21561,8 @@ CVE-2021-38173 (Btrbk before 0.31.2 allows command execution because of the mish [buster] - btrbk 0.27.1-1+deb10u1 NOTE: Fixed by: https://github.com/digint/btrbk/commit/58212de771c381cd4fa05625927080bf264e9584 (v0.31.2) NOTE: Introduced by: https://github.com/digint/btrbk/commit/ccb5ed5e7191a083da52998df4c880f693451144 (v0.23.0-rc1) -CVE-2021-38172 - RESERVED +CVE-2021-38172 (perM 0.4.0 has a Buffer Overflow related to strncpy. (Debian initially ...) + NOT-FOR-US: perM CVE-2021-38171 (adts_decode_extradata in libavformat/adtsenc.c in FFmpeg 4.4 does not ...) {DSA-4998-1 DSA-4990-1 DLA-2818-1} - ffmpeg 7:4.4.1-1 @@ -14417,7 +21603,7 @@ CVE-2021-38156 (In Nagios XI before 5.8.6, XSS exists in the dashboard page (/da NOT-FOR-US: Nagios XI CVE-2021-38155 (OpenStack Keystone 10.x through 16.x before 16.0.2, 17.x before 17.0.1 ...) - keystone 2:19.0.0-3 (bug #992070) - [bullseye] - keystone <no-dsa> (Minor issue) + [bullseye] - keystone 2:18.0.0-3+deb11u1 [buster] - keystone <no-dsa> (Minor issue) [stretch] - keystone <end-of-life> (Keystone not supported in stretch) NOTE: https://launchpad.net/bugs/1688137 @@ -14430,7 +21616,7 @@ CVE-2021-38165 (Lynx through 2.8.9 mishandles the userinfo subcomponent of a URI NOTE: https://lynx.invisible-island.net/current/CHANGES.html#v2.9.0dev.9 NOTE: https://invisible-mirror.net/archives/lynx/patches/lynx2.9.0dev.9.patch.gz CVE-2021-38160 (** DISPUTED ** In drivers/char/virtio_console.c in the Linux kernel be ...) - {DSA-4978-1 DLA-2785-1} + {DSA-4978-1 DLA-2843-1 DLA-2785-1} - linux 5.14.6-1 [buster] - linux 4.19.208-1 NOTE: https://git.kernel.org/linus/d00d8da5869a2608e97cfede094dfc5e11462a46 @@ -14448,8 +21634,8 @@ CVE-2021-38149 (index.php/admin/add_user in Chikitsa Patient Management System 2 NOT-FOR-US: Chikitsa Patient Management System CVE-2021-38148 (Obsidian before 0.12.12 does not require user confirmation for non-htt ...) NOT-FOR-US: Obsidian -CVE-2021-38147 - RESERVED +CVE-2021-38147 (Wipro Holmes Orchestrator 20.4.1 (20.4.1_02_11_2020) allows remote att ...) + NOT-FOR-US: Wipro Holmes Orchestrator CVE-2021-38146 (The File Download API in Wipro Holmes Orchestrator 20.4.1 (20.4.1_02_1 ...) NOT-FOR-US: Wipro Holmes Orchestrator CVE-2021-38145 (An issue was discovered in Form Tools through 3.0.20. SQL Injection ca ...) @@ -14485,16 +21671,16 @@ CVE-2021-38132 RESERVED CVE-2021-38131 RESERVED -CVE-2021-38130 - RESERVED -CVE-2021-38129 - RESERVED +CVE-2021-38130 (A potential Information leakage vulnerability has been identified in v ...) + NOT-FOR-US: Micro Focus +CVE-2021-38129 (Escalation of privileges vulnerability in Micro Focus in Micro Focus O ...) + NOT-FOR-US: Micro Focus CVE-2021-38128 RESERVED -CVE-2021-38127 - RESERVED -CVE-2021-38126 - RESERVED +CVE-2021-38127 (Potential vulnerabilities have been identified in Micro Focus ArcSight ...) + NOT-FOR-US: Micro Focus +CVE-2021-38126 (Potential vulnerabilities have been identified in Micro Focus ArcSight ...) + NOT-FOR-US: Micro Focus CVE-2021-38125 RESERVED CVE-2021-38124 (Remote Code Execution vulnerability in Micro Focus ArcSight Enterprise ...) @@ -14535,7 +21721,7 @@ CVE-2021-3685 CVE-2021-3684 RESERVED CVE-2021-3683 (showdoc is vulnerable to Cross-Site Request Forgery (CSRF) ...) - NOT-FOR-US: showdoc + NOT-FOR-US: ShowDoc CVE-2021-38113 (In addBouquet in js/bqe.js in OpenWebif (aka e2openplugin-OpenWebif) t ...) NOT-FOR-US: OpenWebif (aka e2openplugin-OpenWebif) CVE-2021-38112 (In the Amazon AWS WorkSpaces client 3.0.10 through 3.1.8 on Windows, a ...) @@ -14747,187 +21933,337 @@ CVE-2021-38024 RESERVED CVE-2021-38023 RESERVED -CVE-2021-38022 - RESERVED -CVE-2021-38021 - RESERVED -CVE-2021-38020 - RESERVED -CVE-2021-38019 - RESERVED -CVE-2021-38018 - RESERVED -CVE-2021-38017 - RESERVED -CVE-2021-38016 - RESERVED -CVE-2021-38015 - RESERVED -CVE-2021-38014 - RESERVED -CVE-2021-38013 - RESERVED -CVE-2021-38012 - RESERVED -CVE-2021-38011 - RESERVED -CVE-2021-38010 - RESERVED -CVE-2021-38009 - RESERVED -CVE-2021-38008 - RESERVED -CVE-2021-38007 - RESERVED -CVE-2021-38006 - RESERVED -CVE-2021-38005 - RESERVED +CVE-2021-38022 (Inappropriate implementation in WebAuthentication in Google Chrome pri ...) + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2021-38021 (Inappropriate implementation in referrer in Google Chrome prior to 96. ...) + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2021-38020 (Insufficient policy enforcement in contacts picker in Google Chrome on ...) + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2021-38019 (Insufficient policy enforcement in CORS in Google Chrome prior to 96.0 ...) + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2021-38018 (Inappropriate implementation in navigation in Google Chrome prior to 9 ...) + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2021-38017 (Insufficient policy enforcement in iframe sandbox in Google Chrome pri ...) + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2021-38016 (Insufficient policy enforcement in background fetch in Google Chrome p ...) + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2021-38015 (Inappropriate implementation in input in Google Chrome prior to 96.0.4 ...) + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2021-38014 (Out of bounds write in Swiftshader in Google Chrome prior to 96.0.4664 ...) + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2021-38013 (Heap buffer overflow in fingerprint recognition in Google Chrome on Ch ...) + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2021-38012 (Type confusion in V8 in Google Chrome prior to 96.0.4664.45 allowed a ...) + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2021-38011 (Use after free in storage foundation in Google Chrome prior to 96.0.46 ...) + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2021-38010 (Inappropriate implementation in service workers in Google Chrome prior ...) + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2021-38009 (Inappropriate implementation in cache in Google Chrome prior to 96.0.4 ...) + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2021-38008 (Use after free in media in Google Chrome prior to 96.0.4664.45 allowed ...) + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2021-38007 (Type confusion in V8 in Google Chrome prior to 96.0.4664.45 allowed a ...) + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2021-38006 (Use after free in storage foundation in Google Chrome prior to 96.0.46 ...) + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2021-38005 (Use after free in loader in Google Chrome prior to 96.0.4664.45 allowe ...) + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-38004 (Insufficient policy enforcement in Autofill in Google Chrome prior to ...) - - chromium <unfixed> + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-38003 (Inappropriate implementation in V8 in Google Chrome prior to 95.0.4638 ...) - - chromium <unfixed> + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-38002 (Use after free in Web Transport in Google Chrome prior to 95.0.4638.69 ...) - - chromium <unfixed> + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-38001 (Type confusion in V8 in Google Chrome prior to 95.0.4638.69 allowed a ...) - - chromium <unfixed> + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-38000 (Insufficient validation of untrusted input in Intents in Google Chrome ...) - - chromium <unfixed> + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-37999 (Insufficient data validation in New Tab Page in Google Chrome prior to ...) - - chromium <unfixed> + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-37998 (Use after free in Garbage Collection in Google Chrome prior to 95.0.46 ...) - - chromium <unfixed> + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-37997 (Use after free in Sign-In in Google Chrome prior to 95.0.4638.69 allow ...) - - chromium <unfixed> + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-37996 (Insufficient validation of untrusted input Downloads in Google Chrome ...) - - chromium <unfixed> + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-37995 (Inappropriate implementation in WebApp Installer in Google Chrome prio ...) - - chromium <unfixed> + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-37994 (Inappropriate implementation in iFrame Sandbox in Google Chrome prior ...) - - chromium <unfixed> + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-37993 (Use after free in PDF Accessibility in Google Chrome prior to 95.0.463 ...) - - chromium <unfixed> + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-37992 (Out of bounds read in WebAudio in Google Chrome prior to 95.0.4638.54 ...) - - chromium <unfixed> + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-37991 (Race in V8 in Google Chrome prior to 95.0.4638.54 allowed a remote att ...) - - chromium <unfixed> + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-37990 (Inappropriate implementation in WebView in Google Chrome on Android pr ...) - - chromium <unfixed> + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-37989 (Inappropriate implementation in Blink in Google Chrome prior to 95.0.4 ...) - - chromium <unfixed> + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-37988 (Use after free in Profiles in Google Chrome prior to 95.0.4638.54 allo ...) - - chromium <unfixed> + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-37987 (Use after free in Network APIs in Google Chrome prior to 95.0.4638.54 ...) - - chromium <unfixed> + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-37986 (Heap buffer overflow in Settings in Google Chrome prior to 95.0.4638.5 ...) - - chromium <unfixed> + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-37985 (Use after free in V8 in Google Chrome prior to 95.0.4638.54 allowed a ...) - - chromium <unfixed> + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-37984 (Heap buffer overflow in PDFium in Google Chrome prior to 95.0.4638.54 ...) - - chromium <unfixed> + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-37983 (Use after free in Dev Tools in Google Chrome prior to 95.0.4638.54 all ...) - - chromium <unfixed> + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-37982 (Use after free in Incognito in Google Chrome prior to 95.0.4638.54 all ...) - - chromium <unfixed> + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-37981 (Heap buffer overflow in Skia in Google Chrome prior to 95.0.4638.54 al ...) - - chromium <unfixed> + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-37980 (Inappropriate implementation in Sandbox in Google Chrome prior to 94.0 ...) - - chromium <unfixed> + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-37979 (heap buffer overflow in WebRTC in Google Chrome prior to 94.0.4606.81 ...) - - chromium <unfixed> + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-37978 (Heap buffer overflow in Blink in Google Chrome prior to 94.0.4606.81 a ...) - - chromium <unfixed> + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-37977 (Use after free in Garbage Collection in Google Chrome prior to 94.0.46 ...) - - chromium <unfixed> + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-37976 (Inappropriate implementation in Memory in Google Chrome prior to 94.0. ...) - - chromium <unfixed> + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-37975 (Use after free in V8 in Google Chrome prior to 94.0.4606.71 allowed a ...) - - chromium <unfixed> + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-37974 (Use after free in Safebrowsing in Google Chrome prior to 94.0.4606.71 ...) - - chromium <unfixed> + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-37973 (Use after free in Portals in Google Chrome prior to 94.0.4606.61 allow ...) - - chromium <unfixed> + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-37972 (Out of bounds read in libjpeg-turbo in Google Chrome prior to 94.0.460 ...) - - chromium <unfixed> + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-37971 (Incorrect security UI in Web Browser UI in Google Chrome prior to 94.0 ...) - - chromium <unfixed> + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-37970 (Use after free in File System API in Google Chrome prior to 94.0.4606. ...) - - chromium <unfixed> + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-37969 (Inappropriate implementation in Google Updater in Google Chrome on Win ...) - - chromium <unfixed> + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-37968 (Inappropriate implementation in Background Fetch API in Google Chrome ...) - - chromium <unfixed> + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-37967 (Inappropriate implementation in Background Fetch API in Google Chrome ...) - - chromium <unfixed> + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-37966 (Inappropriate implementation in Compositing in Google Chrome on Androi ...) - - chromium <unfixed> + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-37965 (Inappropriate implementation in Background Fetch API in Google Chrome ...) - - chromium <unfixed> + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-37964 (Inappropriate implementation in ChromeOS Networking in Google Chrome o ...) - - chromium <unfixed> + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-37963 (Side-channel information leakage in DevTools in Google Chrome prior to ...) - - chromium <unfixed> + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-37962 (Use after free in Performance Manager in Google Chrome prior to 94.0.4 ...) - - chromium <unfixed> + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-37961 (Use after free in Tab Strip in Google Chrome prior to 94.0.4606.54 all ...) - - chromium <unfixed> + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-37960 REJECTED CVE-2021-37959 (Use after free in Task Manager in Google Chrome prior to 94.0.4606.54 ...) - - chromium <unfixed> + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-37958 (Inappropriate implementation in Navigation in Google Chrome on Windows ...) - - chromium <unfixed> + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-37957 (Use after free in WebGPU in Google Chrome prior to 94.0.4606.54 allowe ...) - - chromium <unfixed> + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-37956 (Use after free in Offline use in Google Chrome on Android prior to 94. ...) - - chromium <unfixed> + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-37955 RESERVED @@ -14957,10 +22293,10 @@ CVE-2021-37943 RESERVED CVE-2021-37942 RESERVED -CVE-2021-37941 - RESERVED -CVE-2021-37940 - RESERVED +CVE-2021-37941 (A local privilege escalation issue was found with the APM Java agent, ...) + NOT-FOR-US: Elastic APM Java agent +CVE-2021-37940 (An information disclosure via GET request server-side request forgery ...) + NOT-FOR-US: Workplace Search GHES integration CVE-2021-37939 (It was discovered that Kibana’s JIRA connector & IBM Resilie ...) NOT-FOR-US: IBM CVE-2021-37938 (It was discovered that on Windows operating systems specifically, Kiba ...) @@ -14969,10 +22305,10 @@ CVE-2021-37937 RESERVED CVE-2021-37936 RESERVED -CVE-2021-37935 - RESERVED -CVE-2021-37934 - RESERVED +CVE-2021-37935 (An information disclosure vulnerability in the login page of Huntflow ...) + NOT-FOR-US: Huntflow Enterprise +CVE-2021-37934 (Due to insufficient server-side login-attempt limit enforcement, a vul ...) + NOT-FOR-US: Huntflow Enterprise CVE-2021-37933 (An LDAP injection vulnerability in /account/login in Huntflow Enterpri ...) NOT-FOR-US: Huntflow Enterprise CVE-2021-37932 @@ -14982,14 +22318,14 @@ CVE-2021-3681 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1989407 TODO: check, needs verifying the affected ansible/ansible-base components CVE-2021-3680 (showdoc is vulnerable to Missing Cryptographic Step ...) - NOT-FOR-US: showdoc + NOT-FOR-US: ShowDoc CVE-2021-3679 (A lack of CPU resource in the Linux kernel tracing module functionalit ...) - {DSA-4978-1 DLA-2785-1} + {DSA-4978-1 DLA-2843-1 DLA-2785-1} - linux 5.14.6-1 [buster] - linux 4.19.208-1 NOTE: https://git.kernel.org/linus/67f0d6d9883c13174669f88adac4f0ee656cc16a CVE-2021-3678 (showdoc is vulnerable to Use of Cryptographically Weak Pseudo-Random N ...) - NOT-FOR-US: showdoc + NOT-FOR-US: ShowDoc CVE-2021-37931 (Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestr ...) NOT-FOR-US: Zoho ManageEngine CVE-2021-37930 (Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestr ...) @@ -15118,38 +22454,42 @@ CVE-2021-37869 RESERVED CVE-2021-37868 RESERVED -CVE-2021-37867 - RESERVED -CVE-2021-37866 - RESERVED -CVE-2021-37865 - RESERVED -CVE-2021-37864 - RESERVED -CVE-2021-37863 - RESERVED -CVE-2021-37862 - RESERVED -CVE-2021-37861 - RESERVED +CVE-2021-37867 (Mattermost Boards plugin v0.10.0 and earlier fails to protect email ad ...) + NOT-FOR-US: Mattermost Boards plugin +CVE-2021-37866 (Mattermost Boards plugin v0.10.0 and earlier fails to invalidate a ses ...) + NOT-FOR-US: Mattermost Boards plugin +CVE-2021-37865 (Mattermost 6.2 and earlier fails to sufficiently process a specificall ...) + - mattermost-server <itp> (bug #823556) + NOTE: https://cve.report/CVE-2021-37865 (MMSA-2021-0081) +CVE-2021-37864 (Mattermost 6.1 and earlier fails to sufficiently validate permissions ...) + - mattermost-server <itp> (bug #823556) + NOTE: https://cve.report/CVE-2021-37864 (MMSA-2021-0076) +CVE-2021-37863 (Mattermost 6.0 and earlier fails to sufficiently validate parameters d ...) + - mattermost-server <itp> (bug #823556) + NOTE: https://cve.report/CVE-2021-37863 (MMSA-2021-0075) +CVE-2021-37862 (Mattermost 6.0 and earlier fails to sufficiently validate the email ad ...) + - mattermost-server <itp> (bug #823556) + NOTE: https://cve.report/CVE-2021-37862 (MMSA-2021-0074) +CVE-2021-37861 (Mattermost 6.0.2 and earlier fails to sufficiently sanitize user's pas ...) + - mattermost-server <itp> (bug #823556) CVE-2021-37860 (Mattermost 5.38 and earlier fails to sufficiently sanitize clipboard c ...) - mattermost-server <itp> (bug #823556) CVE-2021-37859 (Fixed a bypass for a reflected cross-site scripting vulnerability affe ...) - mattermost-server <itp> (bug #823556) CVE-2021-37858 - RESERVED + REJECTED CVE-2021-37857 - RESERVED + REJECTED CVE-2021-37856 - RESERVED + REJECTED CVE-2021-37855 - RESERVED + REJECTED CVE-2021-37854 - RESERVED + REJECTED CVE-2021-37853 - RESERVED -CVE-2021-37852 - RESERVED + REJECTED +CVE-2021-37852 (ESET products for Windows allows untrusted process to impersonate the ...) + NOT-FOR-US: ESET CVE-2021-37851 RESERVED CVE-2021-37850 (ESET was made aware of a vulnerability in its consumer and business pr ...) @@ -15164,7 +22504,7 @@ CVE-2021-37846 RESERVED CVE-2021-37845 RESERVED - - citadel <unfixed> + - citadel <removed> [buster] - citadel <ignored> (Minor issue) [stretch] - citadel <postponed> (Minor issue, revisit when fixed upstream) NOTE: https://uncensored.citadel.org/readfwd?go=Citadel Security?view=0?start_reading_at=2099264259#2099264259 @@ -15196,7 +22536,7 @@ CVE-2021-37839 CVE-2021-3674 RESERVED CVE-2021-3673 (A vulnerability was found in Radare2 in version 5.3.1. Improper input ...) - - radare2 <unfixed> + - radare2 5.5.0+dfsg-1 NOTE: https://github.com/radareorg/radare2/issues/18923 NOTE: https://github.com/radareorg/radare2/commit/d7ea20fb2e1433ebece9f004d87ad8f2377af23d CVE-2021-37838 @@ -15515,8 +22855,12 @@ CVE-2021-37708 (Shopware is an open source eCommerce platform. Versions prior to NOT-FOR-US: Shopware CVE-2021-37707 (Shopware is an open source eCommerce platform. Versions prior to 6.4.3 ...) NOT-FOR-US: Shopware -CVE-2021-37706 - RESERVED +CVE-2021-37706 (PJSIP is a free and open source multimedia communication library writt ...) + - asterisk <unfixed> + - pjproject <removed> + - ring <unfixed> + NOTE: https://github.com/pjsip/pjproject/security/advisories/GHSA-2qpg-f6wf-w984 + NOTE: https://github.com/pjsip/pjproject/commit/15663e3f37091069b8c98a7fce680dc04bc8e865 CVE-2021-37705 (OneFuzz is an open source self-hosted Fuzzing-As-A-Service platform. S ...) NOT-FOR-US: OneFuzz CVE-2021-37704 (PhpFastCache is a high-performance backend cache system (packagist pac ...) @@ -15537,6 +22881,8 @@ CVE-2021-37699 (Next.js is an open source website development framework to be us CVE-2021-37698 (Icinga is a monitoring system which checks the availability of network ...) {DLA-2816-1} - icinga2 2.13.1-1 + [bullseye] - icinga2 <no-dsa> (Minor issue) + [buster] - icinga2 <no-dsa> (Minor issue) NOTE: https://github.com/Icinga/icinga2/security/advisories/GHSA-cxfm-8j5v-5qr2 NOTE: https://icinga.com/blog/2021/08/19/icinga-2-13-1-security-release/ NOTE: https://github.com/Icinga/icinga2/commit/8910abc5882774c067dfc22cdf8bf8b830257608 (v2.12.6) @@ -15699,42 +23045,42 @@ CVE-2021-37624 (FreeSWITCH is a Software Defined Telecom Stack enabling the digi - freeswitch <itp> (bug #389591) NOTE: https://github.com/signalwire/freeswitch/security/advisories/GHSA-mjcm-q9h8-9xv3 CVE-2021-37623 (Exiv2 is a command-line utility and C++ library for reading, writing, ...) - - exiv2 <unfixed> + - exiv2 0.27.5-1 [bullseye] - exiv2 <ignored> (Minor issue) [buster] - exiv2 <ignored> (Minor issue) [stretch] - exiv2 <no-dsa> (Minor issue) NOTE: https://github.com/Exiv2/exiv2/security/advisories/GHSA-mvc4-g5pv-4qqq NOTE: https://github.com/Exiv2/exiv2/pull/1790 CVE-2021-37622 (Exiv2 is a command-line utility and C++ library for reading, writing, ...) - - exiv2 <unfixed> + - exiv2 0.27.5-1 [bullseye] - exiv2 <ignored> (Minor issue) [buster] - exiv2 <ignored> (Minor issue) [stretch] - exiv2 <no-dsa> (Minor issue) NOTE: https://github.com/Exiv2/exiv2/security/advisories/GHSA-9jh3-fcc3-g6hv NOTE: https://github.com/Exiv2/exiv2/pull/1788 CVE-2021-37621 (Exiv2 is a command-line utility and C++ library for reading, writing, ...) - - exiv2 <unfixed> + - exiv2 0.27.5-1 [bullseye] - exiv2 <ignored> (Minor issue) [buster] - exiv2 <ignored> (Minor issue) [stretch] - exiv2 <no-dsa> (Minor issue) NOTE: https://github.com/Exiv2/exiv2/security/advisories/GHSA-m479-7frc-gqqg NOTE: https://github.com/Exiv2/exiv2/pull/1778 CVE-2021-37620 (Exiv2 is a command-line utility and C++ library for reading, writing, ...) - - exiv2 <unfixed> + - exiv2 0.27.5-1 [bullseye] - exiv2 <ignored> (Minor issue) [buster] - exiv2 <ignored> (Minor issue) [stretch] - exiv2 <ignored> (Minor issue) NOTE: https://github.com/Exiv2/exiv2/security/advisories/GHSA-v5g7-46xf-h728 NOTE: https://github.com/Exiv2/exiv2/pull/1769 CVE-2021-37619 (Exiv2 is a command-line utility and C++ library for reading, writing, ...) - - exiv2 <unfixed> + - exiv2 0.27.5-1 [bullseye] - exiv2 <ignored> (Minor issue) [buster] - exiv2 <ignored> (Minor issue) [stretch] - exiv2 <no-dsa> (Minor issue) NOTE: https://github.com/Exiv2/exiv2/security/advisories/GHSA-mxw9-qx4c-6m8v NOTE: https://github.com/Exiv2/exiv2/pull/1752 CVE-2021-37618 (Exiv2 is a command-line utility and C++ library for reading, writing, ...) - - exiv2 <unfixed> + - exiv2 0.27.5-1 [bullseye] - exiv2 <ignored> (Minor issue) [buster] - exiv2 <ignored> (Minor issue) [stretch] - exiv2 <no-dsa> (Minor issue) @@ -15744,14 +23090,14 @@ CVE-2021-37617 (The Nextcloud Desktop Client is a tool to synchronize files from - nextcloud-desktop <not-affected> (Doesn't affect Nextcloud client as shipped in Debian) NOTE: https://github.com/nextcloud/security-advisories/security/advisories/GHSA-6q2w-v879-q24v CVE-2021-37616 (Exiv2 is a command-line utility and C++ library for reading, writing, ...) - - exiv2 <unfixed> + - exiv2 0.27.5-1 [bullseye] - exiv2 <ignored> (Minor issue) [buster] - exiv2 <ignored> (Minor issue) [stretch] - exiv2 <no-dsa> (Minor issue) NOTE: https://github.com/Exiv2/exiv2/security/advisories/GHSA-54f7-vvj7-545w NOTE: https://github.com/Exiv2/exiv2/pull/1758 CVE-2021-37615 (Exiv2 is a command-line utility and C++ library for reading, writing, ...) - - exiv2 <unfixed> + - exiv2 0.27.5-1 [bullseye] - exiv2 <ignored> (Minor issue) [buster] - exiv2 <ignored> (Minor issue) [stretch] - exiv2 <no-dsa> (Minor issue) @@ -15759,8 +23105,8 @@ CVE-2021-37615 (Exiv2 is a command-line utility and C++ library for reading, wri NOTE: https://github.com/Exiv2/exiv2/pull/1758 CVE-2021-37614 (In certain Progress MOVEit Transfer versions before 2021.0.3 (aka 13.0 ...) NOT-FOR-US: MOVEit Transfer -CVE-2021-37613 - RESERVED +CVE-2021-37613 (Stormshield Network Security (SNS) 1.0.0 through 4.2.3 allows a Denial ...) + NOT-FOR-US: Stormshield Network Security (SNS) CVE-2021-37612 RESERVED CVE-2021-37611 @@ -15779,9 +23125,9 @@ CVE-2021-3669 [reading /proc/sysvipc/shm does not scale with large shared memory NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1986473 CVE-2021-37606 (Meow hash 0.5/calico does not sufficiently thwart key recovery by an a ...) NOT-FOR-US: Meow hash -CVE-2021-37605 (In the Microchip MiWi v6.5 software stack, there is a possibility of f ...) +CVE-2021-37605 (In version 6.5 Microchip MiWi software and all previous versions inclu ...) NOT-FOR-US: Microchip MiWi -CVE-2021-37604 (In the Microchip MiWi v6.5 software stack, there is a possibility of f ...) +CVE-2021-37604 (In version 6.5 of Microchip MiWi software and all previous versions in ...) NOT-FOR-US: Microchip MiWi CVE-2021-37603 RESERVED @@ -15832,10 +23178,10 @@ CVE-2021-37586 (The PowerPlay Web component of Mitel Interaction Recording Multi NOT-FOR-US: Mitel CVE-2021-37585 RESERVED -CVE-2021-37584 - RESERVED -CVE-2021-37583 - RESERVED +CVE-2021-37584 (MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and ...) + NOT-FOR-US: Netgear +CVE-2021-37583 (MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and ...) + NOT-FOR-US: Netgear CVE-2021-37582 RESERVED CVE-2021-37581 @@ -15862,32 +23208,32 @@ CVE-2021-37574 RESERVED CVE-2021-37573 (A reflected cross-site scripting (XSS) vulnerability in the web server ...) NOT-FOR-US: TTiny Java Web Server and Servlet Container (TJWS) -CVE-2021-37572 - RESERVED -CVE-2021-37571 - RESERVED -CVE-2021-37570 - RESERVED -CVE-2021-37569 - RESERVED -CVE-2021-37568 - RESERVED -CVE-2021-37567 - RESERVED -CVE-2021-37566 - RESERVED -CVE-2021-37565 - RESERVED -CVE-2021-37564 - RESERVED -CVE-2021-37563 - RESERVED -CVE-2021-37562 - RESERVED -CVE-2021-37561 - RESERVED -CVE-2021-37560 - RESERVED +CVE-2021-37572 (MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and ...) + NOT-FOR-US: Netgear +CVE-2021-37571 (MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and ...) + NOT-FOR-US: Netgear +CVE-2021-37570 (MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and ...) + NOT-FOR-US: Netgear +CVE-2021-37569 (MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and ...) + NOT-FOR-US: Netgear +CVE-2021-37568 (MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and ...) + NOT-FOR-US: Netgear +CVE-2021-37567 (MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and ...) + NOT-FOR-US: Netgear +CVE-2021-37566 (MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and ...) + NOT-FOR-US: Netgear +CVE-2021-37565 (MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and ...) + NOT-FOR-US: Netgear +CVE-2021-37564 (MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and ...) + NOT-FOR-US: Netgear +CVE-2021-37563 (MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and ...) + NOT-FOR-US: Netgear +CVE-2021-37562 (MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and ...) + NOT-FOR-US: Netgear +CVE-2021-37561 (MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and ...) + NOT-FOR-US: Netgear +CVE-2021-37560 (MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and ...) + NOT-FOR-US: Netgear CVE-2021-37559 RESERVED CVE-2021-37558 (A SQL injection vulnerability in a MediaWiki script in Centreon before ...) @@ -15954,10 +23300,22 @@ CVE-2021-37532 (SAP Business One version - 10, due to improper input validation, NOT-FOR-US: SAP CVE-2021-37531 (SAP NetWeaver Knowledge Management XML Forms versions - 7.10, 7.11, 7. ...) NOT-FOR-US: SAP -CVE-2021-37530 - RESERVED -CVE-2021-37529 - RESERVED +CVE-2021-37530 (A denial of service vulnerabiity exists in fig2dev through 3.28a due t ...) + - fig2dev 1:3.2.8b-1 + [bullseye] - fig2dev <no-dsa> (Minor issue) + [buster] - fig2dev <no-dsa> (Minor issue) + [stretch] - fig2dev <no-dsa> (Minor issue) + - transfig <removed> + NOTE: https://sourceforge.net/p/mcj/tickets/126/ + NOTE: https://sourceforge.net/p/mcj/fig2dev/ci/ff103511e49c44c83fc58e2092aa37e9019a3a9f/ +CVE-2021-37529 (A double-free vulnerability exists in fig2dev through 3.28a is affecte ...) + - fig2dev 1:3.2.8b-1 + [bullseye] - fig2dev <no-dsa> (Minor issue) + [buster] - fig2dev <no-dsa> (Minor issue) + [stretch] - fig2dev <no-dsa> (Minor issue) + - transfig <removed> + NOTE: https://sourceforge.net/p/mcj/tickets/125/ + NOTE: https://sourceforge.net/p/mcj/fig2dev/ci/899ea1277387ca9e9853bf61d29b7419d5692691/ CVE-2021-37528 RESERVED CVE-2021-37527 @@ -16174,9 +23532,9 @@ CVE-2021-37422 (Zoho ManageEngine ADSelfService Plus 6111 and prior is vulnerabl NOT-FOR-US: Zoho ManageEngine CVE-2021-37421 (Zoho ManageEngine ADSelfService Plus 6103 and prior is vulnerable to a ...) NOT-FOR-US: Zoho ManageEngine -CVE-2021-37420 (ManageEngine ADSelfService Plus before 6112 is vulnerable to mail spoo ...) +CVE-2021-37420 (Zoho ManageEngine ADSelfService Plus before 6112 is vulnerable to mail ...) NOT-FOR-US: ManageEngine -CVE-2021-37419 (ManageEngine ADSelfService Plus before 6112 is vulnerable to SSRF. ...) +CVE-2021-37419 (Zoho ManageEngine ADSelfService Plus before 6112 is vulnerable to SSRF ...) NOT-FOR-US: ManageEngine CVE-2021-37418 REJECTED @@ -16231,10 +23589,10 @@ CVE-2021-3660 [bullseye] - cockpit <ignored> (Minor issue) [buster] - cockpit <ignored> (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1980688 -CVE-2021-37401 - RESERVED -CVE-2021-37400 - RESERVED +CVE-2021-37401 (An attacker may obtain the user credentials from file servers, backup ...) + NOT-FOR-US: IDEC +CVE-2021-37400 (An attacker may obtain the user credentials from the communication bet ...) + NOT-FOR-US: IDEC CVE-2021-37399 RESERVED CVE-2021-37398 @@ -16325,8 +23683,8 @@ CVE-2021-37356 RESERVED CVE-2021-37355 RESERVED -CVE-2021-37354 - RESERVED +CVE-2021-37354 (Xerox Phaser 4622 v35.013.01.000 was discovered to contain a buffer ov ...) + NOT-FOR-US: Xerox CVE-2021-37353 (Nagios XI Docker Wizard before version 1.1.3 is vulnerable to SSRF due ...) NOT-FOR-US: Nagios XI CVE-2021-37352 (An open redirect vulnerability exists in Nagios XI before version 5.8. ...) @@ -16390,7 +23748,7 @@ CVE-2021-37324 CVE-2021-37323 RESERVED CVE-2021-37322 (GCC c++filt v2.26 was discovered to contain a use-after-free vulnerabi ...) - - binutils <unfixed> (unimportant) + - binutils 2.27.51.20161102-1 (unimportant) NOTE: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99188 NOTE: binutils not covered by security support CVE-2021-37321 @@ -16439,8 +23797,10 @@ CVE-2021-37300 RESERVED CVE-2021-37299 RESERVED -CVE-2021-37298 - RESERVED +CVE-2021-37298 (Laravel v5.1 was discovered to contain a deserialization vulnerability ...) + - php-laravel-framework <undetermined> + NOTE: https://github.com/Stakcery/happywd/issues/1 + TODO: check, unclear status of report to upstream CVE-2021-37297 RESERVED CVE-2021-37296 @@ -16511,8 +23871,8 @@ CVE-2021-37264 RESERVED CVE-2021-37263 RESERVED -CVE-2021-37262 - RESERVED +CVE-2021-37262 (JFinal_cms 5.1.0 is vulnerable to regex injection that may lead to Den ...) + NOT-FOR-US: JFinal_cms CVE-2021-37261 RESERVED CVE-2021-37260 @@ -16529,8 +23889,8 @@ CVE-2021-37255 RESERVED CVE-2021-37254 (In M-Files Web product with versions before 20.10.9524.1 and 20.10.944 ...) NOT-FOR-US: M-Files -CVE-2021-37253 - RESERVED +CVE-2021-37253 (** DISPUTED ** M-Files Web before 20.10.9524.1 allows a denial of serv ...) + NOT-FOR-US: M-Files Web CVE-2021-37252 RESERVED CVE-2021-37251 @@ -16573,6 +23933,8 @@ CVE-2021-37233 RESERVED CVE-2021-37232 (A stack overflow vulnerability occurs in Atomicparsley 20210124.204813 ...) - atomicparsley 20210715.151551.e7ad03a-1 (bug #993366) + [bullseye] - atomicparsley <no-dsa> (Minor issue) + [buster] - atomicparsley <no-dsa> (Minor issue) [stretch] - atomicparsley <no-dsa> (Minor issue) - gtkpod <unfixed> (bug #993376) [bullseye] - gtkpod <ignored> (Minor issue) @@ -16582,6 +23944,8 @@ CVE-2021-37232 (A stack overflow vulnerability occurs in Atomicparsley 20210124. NOTE: https://github.com/wez/atomicparsley/issues/32 CVE-2021-37231 (A stack-buffer-overflow occurs in Atomicparsley 20210124.204813.840499 ...) - atomicparsley 20210715.151551.e7ad03a-1 (bug #993372) + [bullseye] - atomicparsley <no-dsa> (Minor issue) + [buster] - atomicparsley <no-dsa> (Minor issue) [stretch] - atomicparsley <no-dsa> (Minor issue) - gtkpod <unfixed> (bug #993375) [bullseye] - gtkpod <ignored> (Minor issue) @@ -16621,6 +23985,7 @@ CVE-2021-37219 (HashiCorp Consul and Consul Enterprise 1.10.1 Raft RPC layer all NOTE: https://discuss.hashicorp.com/t/hcsec-2021-22-consul-raft-rpc-privilege-escalation/29024 CVE-2021-37218 (HashiCorp Nomad and Nomad Enterprise Raft RPC layer allows non-server ...) - nomad <unfixed> + [bullseye] - nomad <no-dsa> (Minor issue) NOTE: https://discuss.hashicorp.com/t/hcsec-2021-21-nomad-raft-rpc-privilege-escalation/29023 NOTE: https://github.com/hashicorp/nomad/pull/11089 (main) NOTE: https://github.com/hashicorp/nomad/commit/768d7c72a77e9c0415d92900753fc83e8822145a (release-1.1.4) @@ -16663,10 +24028,10 @@ CVE-2021-37207 (A vulnerability has been identified in SENTRON powermanager V3 ( NOT-FOR-US: Siemens CVE-2021-37206 (A vulnerability has been identified in SIPROTEC 5 relays with CPU vari ...) NOT-FOR-US: Siemens -CVE-2021-37205 - RESERVED -CVE-2021-37204 - RESERVED +CVE-2021-37205 (A vulnerability has been identified in SIMATIC Drive Controller family ...) + NOT-FOR-US: Siemens +CVE-2021-37204 (A vulnerability has been identified in SIMATIC Drive Controller family ...) + NOT-FOR-US: Siemens CVE-2021-37203 (A vulnerability has been identified in NX 1980 Series (All versions &l ...) NOT-FOR-US: Siemens CVE-2021-37202 (A vulnerability has been identified in NX 1980 Series (All versions &l ...) @@ -16677,16 +24042,16 @@ CVE-2021-37200 (A vulnerability has been identified in SINEC NMS (All versions & NOT-FOR-US: Siemens CVE-2021-37199 (A vulnerability has been identified in SINUMERIK 808D (All versions), ...) NOT-FOR-US: Siemens -CVE-2021-37198 - RESERVED -CVE-2021-37197 - RESERVED -CVE-2021-37196 - RESERVED -CVE-2021-37195 - RESERVED -CVE-2021-37194 - RESERVED +CVE-2021-37198 (A vulnerability has been identified in COMOS V10.2 (All versions only ...) + NOT-FOR-US: Siemens +CVE-2021-37197 (A vulnerability has been identified in COMOS V10.2 (All versions only ...) + NOT-FOR-US: Siemens +CVE-2021-37196 (A vulnerability has been identified in COMOS V10.2 (All versions only ...) + NOT-FOR-US: Siemens +CVE-2021-37195 (A vulnerability has been identified in COMOS V10.2 (All versions only ...) + NOT-FOR-US: Siemens +CVE-2021-37194 (A vulnerability has been identified in COMOS V10.2 (All versions only ...) + NOT-FOR-US: Siemens CVE-2021-37193 (A vulnerability has been identified in SINEMA Remote Connect Server (A ...) NOT-FOR-US: Siemens CVE-2021-37192 (A vulnerability has been identified in SINEMA Remote Connect Server (A ...) @@ -16695,16 +24060,16 @@ CVE-2021-37191 (A vulnerability has been identified in SINEMA Remote Connect Ser NOT-FOR-US: Siemens CVE-2021-37190 (A vulnerability has been identified in SINEMA Remote Connect Server (A ...) NOT-FOR-US: Siemens -CVE-2021-37189 - RESERVED -CVE-2021-37188 - RESERVED -CVE-2021-37187 - RESERVED +CVE-2021-37189 (An issue was discovered on Digi TransPort Gateway devices through 5.2. ...) + NOT-FOR-US: Digi TransPort Gateway devices +CVE-2021-37188 (An issue was discovered on Digi TransPort devices through 2021-07-21. ...) + NOT-FOR-US: Digi TransPort devices +CVE-2021-37187 (An issue was discovered on Digi TransPort devices through 2021-07-21. ...) + NOT-FOR-US: Digi TransPort devices CVE-2021-37186 (A vulnerability has been identified in LOGO! CMR2020 (All versions < ...) NOT-FOR-US: Siemens -CVE-2021-37185 - RESERVED +CVE-2021-37185 (A vulnerability has been identified in SIMATIC Drive Controller family ...) + NOT-FOR-US: Siemens CVE-2021-37184 (A vulnerability has been identified in Industrial Edge Management (All ...) NOT-FOR-US: Siemens CVE-2021-37183 (A vulnerability has been identified in SINEMA Remote Connect Server (A ...) @@ -16764,7 +24129,7 @@ CVE-2021-37156 (Redmine 4.2.0 and 4.2.1 allow existing user sessions to continue NOTE: https://www.redmine.org/projects/redmine/wiki/Security_Advisories NOTE: https://github.com/redmine/redmine/commit/ee0d822517154878a2ad33be66b820c6b68d077b CVE-2021-37155 (wolfSSL 4.6.x through 4.7.x before 4.8.0 does not produce a failure ou ...) - - wolfssl <unfixed> (bug #991443) + - wolfssl 5.0.0-1 (bug #991443) [bullseye] - wolfssl <no-dsa> (Minor issue) NOTE: https://github.com/wolfSSL/wolfssl/pull/3990 NOTE: https://github.com/wolfSSL/wolfssl/releases/tag/v4.8.0-stable @@ -16776,10 +24141,14 @@ CVE-2021-37152 (Multiple XSS issues exist in Sonatype Nexus Repository Manager 3 NOT-FOR-US: Sonatype CVE-2021-37151 (CyberArk Identity 21.5.131, when handling an invalid authentication at ...) NOT-FOR-US: CyberArk Identity -CVE-2021-3657 - RESERVED +CVE-2021-3657 (A flaw was found in mbsync versions prior to 1.4.4. Due to inadequate ...) + - isync 1.4.4-1 + [bullseye] - isync 1.3.0-2.2+deb11u1 + [buster] - isync <no-dsa> (Minor issue) + [stretch] - isync <no-dsa> (Minor issue) + NOTE: https://www.openwall.com/lists/oss-security/2021/12/03/1 CVE-2021-37159 (hso_free_net_device in drivers/net/usb/hso.c in the Linux kernel throu ...) - {DLA-2785-1} + {DLA-2843-1 DLA-2785-1} - linux 5.14.6-1 [bullseye] - linux 5.10.70-1 [buster] - linux 4.19.208-1 @@ -16807,7 +24176,7 @@ CVE-2021-37147 (Improper input validation vulnerability in header parsing of Apa CVE-2021-37146 (An infinite loop in Open Robotics ros_comm XMLRPC server in ROS Melodi ...) [experimental] - ros-ros-comm 1.15.13+ds1-1 - ros-ros-comm 1.15.13+ds1-2 - [bullseye] - ros-ros-comm <no-dsa> (Minor issue) + [bullseye] - ros-ros-comm 1.15.9+ds1-7+deb11u1 [buster] - ros-ros-comm <no-dsa> (Minor issue) [stretch] - ros-ros-comm <no-dsa> (Minor issue) NOTE: https://discourse.ros.org/t/new-packages-for-melodic-2021-09-27/22446 @@ -16855,62 +24224,62 @@ CVE-2021-37136 (The Bzip2 decompression decoder function doesn't allow setting s NOTE: Fixed by: https://github.com/netty/netty/commit/41d3d61a61608f2223bb364955ab2045dd5e4020 (netty-4.1.68.Final) CVE-2021-37135 RESERVED -CVE-2021-37134 - RESERVED -CVE-2021-37133 - RESERVED -CVE-2021-37132 - RESERVED +CVE-2021-37134 (Location-related APIs exists a Race Condition vulnerability.Successful ...) + NOT-FOR-US: Huawei +CVE-2021-37133 (There is an Unauthorized file access vulnerability in Smartphones.Succ ...) + NOT-FOR-US: Huawei +CVE-2021-37132 (PackageManagerService has a Permissions, Privileges, and Access Contro ...) + NOT-FOR-US: Huawei CVE-2021-37131 (There is a CSV injection vulnerability in ManageOne, iManager NetEco a ...) NOT-FOR-US: Huawei CVE-2021-37130 (There is a path traversal vulnerability in Huawei FusionCube 6.0.2.The ...) NOT-FOR-US: Huawei CVE-2021-37129 (There is an out of bounds write vulnerability in some Huawei products. ...) NOT-FOR-US: Huawei -CVE-2021-37128 - RESERVED +CVE-2021-37128 (HwPCAssistant has a Path Traversal vulnerability .Successful exploitat ...) + NOT-FOR-US: Huawei CVE-2021-37127 (There is a signature management vulnerability in some huawei products. ...) NOT-FOR-US: Huawei -CVE-2021-37126 - RESERVED -CVE-2021-37125 - RESERVED +CVE-2021-37126 (Arbitrary file has a Exposure of Sensitive Information to an Unauthori ...) + NOT-FOR-US: Huawei +CVE-2021-37125 (Arbitrary file has a Exposure of Sensitive Information to an Unauthori ...) + NOT-FOR-US: Huawei CVE-2021-37124 (There is a path traversal vulnerability in Huawei PC product. Because ...) NOT-FOR-US: Huawei CVE-2021-37123 (There is an improper authentication vulnerability in Hero-CT060 before ...) NOT-FOR-US: Hero-CT060 CVE-2021-37122 (There is a use-after-free (UAF) vulnerability in Huawei products. An a ...) NOT-FOR-US: Huawei -CVE-2021-37121 - RESERVED -CVE-2021-37120 - RESERVED -CVE-2021-37119 - RESERVED -CVE-2021-37118 - RESERVED -CVE-2021-37117 - RESERVED -CVE-2021-37116 - RESERVED -CVE-2021-37115 - RESERVED -CVE-2021-37114 - RESERVED -CVE-2021-37113 - RESERVED -CVE-2021-37112 - RESERVED -CVE-2021-37111 - RESERVED -CVE-2021-37110 - RESERVED -CVE-2021-37109 - RESERVED +CVE-2021-37121 (There is a Configuration defects in Smartphone.Successful exploitation ...) + NOT-FOR-US: Huawei +CVE-2021-37120 (There is a Double free vulnerability in Smartphone.Successful exploita ...) + NOT-FOR-US: Huawei +CVE-2021-37119 (There is a Service logic vulnerability in Smartphone.Successful exploi ...) + NOT-FOR-US: Huawei +CVE-2021-37118 (The HwNearbyMain module has a Improper Handling of Exceptional Conditi ...) + NOT-FOR-US: Huawei +CVE-2021-37117 (There is a Service logic vulnerability in Smartphone.Successful exploi ...) + NOT-FOR-US: Huawei +CVE-2021-37116 (PCManager has a Weaknesses Introduced During Design vulnerability .Suc ...) + NOT-FOR-US: Huawei +CVE-2021-37115 (There is an unauthorized rewriting vulnerability with the memory acces ...) + NOT-FOR-US: Huawei +CVE-2021-37114 (There is an Out-of-bounds read vulnerability in Smartphone.Successful ...) + NOT-FOR-US: Huawei +CVE-2021-37113 (There is a Privilege escalation vulnerability with the file system com ...) + NOT-FOR-US: Huawei +CVE-2021-37112 (Hisuite module has a External Control of System or Configuration Setti ...) + NOT-FOR-US: Huawei +CVE-2021-37111 (There is a Memory leakage vulnerability in Smartphone.Successful explo ...) + NOT-FOR-US: Huawei +CVE-2021-37110 (There is a Timing design defects in Smartphone.Successful exploitation ...) + NOT-FOR-US: Huawei +CVE-2021-37109 (There is a security protection bypass vulnerability with the modem.Suc ...) + NOT-FOR-US: Huawei CVE-2021-37108 RESERVED -CVE-2021-37107 - RESERVED +CVE-2021-37107 (There is an improper memory access permission configuration on ACPU.Su ...) + NOT-FOR-US: Huawei CVE-2021-37106 (There is a command injection vulnerability in CMA service module of Fu ...) NOT-FOR-US: FusionCompute (Huawei) CVE-2021-37105 (There is an improper file upload control vulnerability in FusionComput ...) @@ -16923,134 +24292,134 @@ CVE-2021-37102 (There is a command injection vulnerability in CMA service module NOT-FOR-US: Huawei CVE-2021-37101 (There is an improper authorization vulnerability in AIS-BW50-00 9.0.6. ...) NOT-FOR-US: Huawei -CVE-2021-37100 - RESERVED -CVE-2021-37099 - RESERVED -CVE-2021-37098 - RESERVED -CVE-2021-37097 - RESERVED -CVE-2021-37096 - RESERVED -CVE-2021-37095 - RESERVED -CVE-2021-37094 - RESERVED -CVE-2021-37093 - RESERVED -CVE-2021-37092 - RESERVED -CVE-2021-37091 - RESERVED -CVE-2021-37090 - RESERVED -CVE-2021-37089 - RESERVED -CVE-2021-37088 - RESERVED -CVE-2021-37087 - RESERVED -CVE-2021-37086 - RESERVED -CVE-2021-37085 - RESERVED -CVE-2021-37084 - RESERVED -CVE-2021-37083 - RESERVED -CVE-2021-37082 - RESERVED -CVE-2021-37081 - RESERVED -CVE-2021-37080 - RESERVED -CVE-2021-37079 - RESERVED -CVE-2021-37078 - RESERVED -CVE-2021-37077 - RESERVED -CVE-2021-37076 - RESERVED -CVE-2021-37075 - RESERVED -CVE-2021-37074 - RESERVED -CVE-2021-37073 - RESERVED -CVE-2021-37072 - RESERVED -CVE-2021-37071 - RESERVED -CVE-2021-37070 - RESERVED -CVE-2021-37069 - RESERVED -CVE-2021-37068 - RESERVED -CVE-2021-37067 - RESERVED -CVE-2021-37066 - RESERVED -CVE-2021-37065 - RESERVED -CVE-2021-37064 - RESERVED -CVE-2021-37063 - RESERVED -CVE-2021-37062 - RESERVED -CVE-2021-37061 - RESERVED -CVE-2021-37060 - RESERVED -CVE-2021-37059 - RESERVED -CVE-2021-37058 - RESERVED -CVE-2021-37057 - RESERVED -CVE-2021-37056 - RESERVED -CVE-2021-37055 - RESERVED -CVE-2021-37054 - RESERVED -CVE-2021-37053 - RESERVED -CVE-2021-37052 - RESERVED -CVE-2021-37051 - RESERVED -CVE-2021-37050 - RESERVED -CVE-2021-37049 - RESERVED -CVE-2021-37048 - RESERVED -CVE-2021-37047 - RESERVED -CVE-2021-37046 - RESERVED -CVE-2021-37045 - RESERVED -CVE-2021-37044 - RESERVED -CVE-2021-37043 - RESERVED -CVE-2021-37042 - RESERVED -CVE-2021-37041 - RESERVED -CVE-2021-37040 - RESERVED -CVE-2021-37039 - RESERVED -CVE-2021-37038 - RESERVED -CVE-2021-37037 - RESERVED +CVE-2021-37100 (There is a Improper Authentication vulnerability in Huawei Smartphone. ...) + NOT-FOR-US: Huawei +CVE-2021-37099 (There is a Path Traversal vulnerability in Huawei Smartphone.Successfu ...) + NOT-FOR-US: Huawei +CVE-2021-37098 (Hilinksvc service exists a Data Processing Errors vulnerability .Succe ...) + NOT-FOR-US: Huawei +CVE-2021-37097 (There is a Code Injection vulnerability in Huawei Smartphone.Successfu ...) + NOT-FOR-US: Huawei +CVE-2021-37096 (There is a Improper Input Validation vulnerability in Huawei Smartphon ...) + NOT-FOR-US: Huawei +CVE-2021-37095 (There is a Integer Overflow or Wraparound vulnerability in Huawei Smar ...) + NOT-FOR-US: Huawei +CVE-2021-37094 (There is a Improper Input Validation vulnerability in Huawei Smartphon ...) + NOT-FOR-US: Huawei +CVE-2021-37093 (There is a Improper Access Control vulnerability in Huawei Smartphone. ...) + NOT-FOR-US: Huawei +CVE-2021-37092 (There is a Incomplete Cleanup vulnerability in Huawei Smartphone.Succe ...) + NOT-FOR-US: Huawei +CVE-2021-37091 (There is a Permissions,Privileges,and Access Controls vulnerability in ...) + NOT-FOR-US: Huawei +CVE-2021-37090 (There is a Out-of-bounds Read vulnerability in Huawei Smartphone.Succe ...) + NOT-FOR-US: Huawei +CVE-2021-37089 (There is a Incomplete Cleanup vulnerability in Huawei Smartphone.Succe ...) + NOT-FOR-US: Huawei +CVE-2021-37088 (There is a Path Traversal vulnerability in Huawei Smartphone.Successfu ...) + NOT-FOR-US: Huawei +CVE-2021-37087 (There is a Path Traversal vulnerability in Huawei Smartphone.Successfu ...) + NOT-FOR-US: Huawei +CVE-2021-37086 (There is a Improper Preservation of Permissions vulnerability in Huawe ...) + NOT-FOR-US: Huawei +CVE-2021-37085 (There is a Encoding timing vulnerability in Huawei Smartphone.Successf ...) + NOT-FOR-US: Huawei +CVE-2021-37084 (There is a Improper Input Validation vulnerability in Huawei Smartphon ...) + NOT-FOR-US: Huawei +CVE-2021-37083 (There is a NULL Pointer Dereference vulnerability in Huawei Smartphone ...) + NOT-FOR-US: Huawei +CVE-2021-37082 (There is a Race Condition vulnerability in Huawei Smartphone.Successfu ...) + NOT-FOR-US: Huawei +CVE-2021-37081 (There is a Improper Input Validation vulnerability in Huawei Smartphon ...) + NOT-FOR-US: Huawei +CVE-2021-37080 (There is a Incomplete Cleanup vulnerability in Huawei Smartphone.Succe ...) + NOT-FOR-US: Huawei +CVE-2021-37079 (There is a Improper Input Validation vulnerability in Huawei Smartphon ...) + NOT-FOR-US: Huawei +CVE-2021-37078 (There is a Uncaught Exception vulnerability in Huawei Smartphone.Succe ...) + NOT-FOR-US: Huawei +CVE-2021-37077 (There is a NULL Pointer Dereference vulnerability in Huawei Smartphone ...) + NOT-FOR-US: Huawei +CVE-2021-37076 (There is a Out-of-bounds Read vulnerability in Huawei Smartphone.Succe ...) + NOT-FOR-US: Huawei +CVE-2021-37075 (There is a Credentials Management Errors vulnerability in Huawei Smart ...) + NOT-FOR-US: Huawei +CVE-2021-37074 (There is a Race Condition vulnerability in Huawei Smartphone.Successfu ...) + NOT-FOR-US: Huawei +CVE-2021-37073 (There is a Race Condition vulnerability in Huawei Smartphone.Successfu ...) + NOT-FOR-US: Huawei +CVE-2021-37072 (There is a Incorrect Calculation of Buffer Size vulnerability in Huawe ...) + NOT-FOR-US: Huawei +CVE-2021-37071 (There is a Business Logic Errors vulnerability in Huawei Smartphone.Su ...) + NOT-FOR-US: Huawei +CVE-2021-37070 (There is a Out-of-bounds Read vulnerability in Huawei Smartphone.Succe ...) + NOT-FOR-US: Huawei +CVE-2021-37069 (There is a Race Condition vulnerability in Huawei Smartphone.Successfu ...) + NOT-FOR-US: Huawei +CVE-2021-37068 (There is a Resource Management Errors vulnerability in Huawei Smartpho ...) + NOT-FOR-US: Huawei +CVE-2021-37067 (There is a Exposure of Sensitive Information to an Unauthorized Actor ...) + NOT-FOR-US: Huawei +CVE-2021-37066 (There is a Out-of-bounds Read vulnerability in Huawei Smartphone.Succe ...) + NOT-FOR-US: Huawei +CVE-2021-37065 (There is a Integer Overflow or Wraparound vulnerability in Huawei Smar ...) + NOT-FOR-US: Huawei +CVE-2021-37064 (There is a Improper Limitation of a Pathname to a Restricted Directory ...) + NOT-FOR-US: Huawei +CVE-2021-37063 (There is a Cryptographic Issues vulnerability in Huawei Smartphone.Suc ...) + NOT-FOR-US: Huawei +CVE-2021-37062 (There is a Improper Validation of Array Index vulnerability in Huawei ...) + NOT-FOR-US: Huawei +CVE-2021-37061 (There is a Uncontrolled Resource Consumption vulnerability in Huawei S ...) + NOT-FOR-US: Huawei +CVE-2021-37060 (There is a Improper Input Validation vulnerability in Huawei Smartphon ...) + NOT-FOR-US: Huawei +CVE-2021-37059 (There is a Weaknesses Introduced During Design ...) + NOT-FOR-US: HarmonyOS +CVE-2021-37058 (There is a Permissions,Privileges,and Access Controls vulnerability in ...) + NOT-FOR-US: Huawei +CVE-2021-37057 (There is a Improper Validation of Array Index vulnerability in Huawei ...) + NOT-FOR-US: Huawei +CVE-2021-37056 (There is an Improper permission control vulnerability in Huawei Smartp ...) + NOT-FOR-US: Huawei +CVE-2021-37055 (There is a Logic bypass vulnerability in Huawei Smartphone.Successful ...) + NOT-FOR-US: Huawei +CVE-2021-37054 (There is an Identity spoofing and authentication bypass vulnerability ...) + NOT-FOR-US: Huawei +CVE-2021-37053 (There is a Service logic vulnerability in Huawei Smartphone.Successful ...) + NOT-FOR-US: Huawei +CVE-2021-37052 (There is an Exception log vulnerability in Huawei Smartphone.Successfu ...) + NOT-FOR-US: Huawei +CVE-2021-37051 (There is an Out-of-bounds read vulnerability in Huawei Smartphone.Succ ...) + NOT-FOR-US: Huawei +CVE-2021-37050 (There is a Missing sensitive data encryption vulnerability in Huawei S ...) + NOT-FOR-US: Huawei +CVE-2021-37049 (There is a Heap-based buffer overflow vulnerability in Huawei Smartpho ...) + NOT-FOR-US: Huawei +CVE-2021-37048 (There is a Improper Input Validation vulnerability in Huawei Smartphon ...) + NOT-FOR-US: Huawei +CVE-2021-37047 (There is an Input verification vulnerability in Huawei Smartphone.Succ ...) + NOT-FOR-US: Huawei +CVE-2021-37046 (There is a Memory leak vulnerability with the codec detection module i ...) + NOT-FOR-US: Huawei +CVE-2021-37045 (There is an UAF vulnerability in Huawei Smartphone.Successful exploita ...) + NOT-FOR-US: Huawei +CVE-2021-37044 (There is a Permission control vulnerability in Huawei Smartphone.Succe ...) + NOT-FOR-US: Huawei +CVE-2021-37043 (There is a Stack-based Buffer Overflow vulnerability in Huawei Smartph ...) + NOT-FOR-US: Huawei +CVE-2021-37042 (There is an Improper verification vulnerability in Huawei Smartphone.S ...) + NOT-FOR-US: Huawei +CVE-2021-37041 (There is an Improper verification vulnerability in Huawei Smartphone.S ...) + NOT-FOR-US: Huawei +CVE-2021-37040 (There is a Parameter injection vulnerability in Huawei Smartphone.Succ ...) + NOT-FOR-US: Huawei +CVE-2021-37039 (There is an Input verification vulnerability in Huawei Smartphone.Succ ...) + NOT-FOR-US: Huawei +CVE-2021-37038 (There is an Improper access control vulnerability in Huawei Smartphone ...) + NOT-FOR-US: Huawei +CVE-2021-37037 (There is an Invalid address access vulnerability in Huawei Smartphone. ...) + NOT-FOR-US: Huawei CVE-2021-37036 (There is an information leakage vulnerability in FusionCompute 6.5.1, ...) NOT-FOR-US: Huawei CVE-2021-37035 (There is a Remote DoS vulnerability in Huawei Smartphone.Successful ex ...) @@ -17081,10 +24450,10 @@ CVE-2021-37023 (There is a Improper Access Control vulnerability in Huawei Smart NOT-FOR-US: Huawei CVE-2021-37022 (There is a Heap-based Buffer Overflow vulnerability in Huawei Smartpho ...) NOT-FOR-US: Huawei -CVE-2021-37021 - RESERVED -CVE-2021-37020 - RESERVED +CVE-2021-37021 (There is a Stack-based Buffer Overflow vulnerability in Huawei Smartph ...) + NOT-FOR-US: Huawei +CVE-2021-37020 (There is a Stack-based Buffer Overflow vulnerability in Huawei Smartph ...) + NOT-FOR-US: Huawei CVE-2021-37019 (There is a Improper Input Validation vulnerability in Huawei Smartphon ...) NOT-FOR-US: Huawei CVE-2021-37018 (There is a Data Processing Errors vulnerability in Huawei Smartphone.S ...) @@ -17095,14 +24464,14 @@ CVE-2021-37016 (There is a Out-of-bounds Read vulnerability in Huawei Smartphone NOT-FOR-US: Huawei CVE-2021-37015 (There is a Out-of-bounds Read vulnerability in Huawei Smartphone.Succe ...) NOT-FOR-US: Huawei -CVE-2021-37014 - RESERVED +CVE-2021-37014 (There is a Stack-based Buffer Overflow vulnerability in Huawei Smartph ...) + NOT-FOR-US: Huawei CVE-2021-37013 (There is a Improper Input Validation vulnerability in Huawei Smartphon ...) NOT-FOR-US: Huawei CVE-2021-37012 (There is a Data Processing Errors vulnerability in Huawei Smartphone.S ...) NOT-FOR-US: Huawei -CVE-2021-37011 - RESERVED +CVE-2021-37011 (There is a Stack-based Buffer Overflow vulnerability in Huawei Smartph ...) + NOT-FOR-US: Huawei CVE-2021-37010 (There is a Exposure of Sensitive Information to an Unauthorized Actor ...) NOT-FOR-US: Huawei CVE-2021-37009 (There is a Configuration vulnerability in Huawei Smartphone.Successful ...) @@ -17164,7 +24533,7 @@ CVE-2021-36982 (AIMANAGER before B115 on MONITORAPP Application Insight Web Appl CVE-2021-36981 (In the server in SerNet verinice before 1.22.2, insecure Java deserial ...) NOT-FOR-US: SerNet verinice CVE-2021-3655 (A vulnerability was found in the Linux kernel in versions prior to v5. ...) - {DLA-2785-1} + {DLA-2843-1 DLA-2785-1} - linux 5.10.46-3 [buster] - linux 4.19.208-1 CVE-2021-3654 [novnc allows open redirection] @@ -17182,7 +24551,7 @@ CVE-2021-23203 CVE-2021-23184 RESERVED CVE-2021-36980 (Open vSwitch (aka openvswitch) 2.11.0 through 2.15.0 has a use-after-f ...) - - openvswitch <unfixed> (bug #991308) + - openvswitch 2.15.0+ds1-10 (bug #991308) [bullseye] - openvswitch <no-dsa> (Minor issue) [buster] - openvswitch <not-affected> (Vulnerable code not present, introduced in 2.11) [stretch] - openvswitch <not-affected> (Vulnerable code not present, introduced in 2.11) @@ -17325,8 +24694,8 @@ CVE-2021-36922 (RtsUpx.sys in Realtek RtsUpx USB Utility Driver for Camera/Hub/A NOT-FOR-US: Realtek RtsUpx USB Utility Driver for Camera/Hub/Audio CVE-2021-36921 (AIMANAGER before B115 on MONITORAPP Application Insight Web Applicatio ...) NOT-FOR-US: MONITORAPP Application Insight Web Application Firewall (AIWAF) devices -CVE-2021-36920 - RESERVED +CVE-2021-36920 (Authenticated Reflected Cross-Site Scripting (XSS) vulnerability disco ...) + NOT-FOR-US: WordPress plugin CVE-2021-36919 (Multiple Authenticated Reflected Cross-Site Scripting (XSS) vulnerabil ...) NOT-FOR-US: WordPress plugin CVE-2021-36918 @@ -17343,8 +24712,8 @@ CVE-2021-36913 RESERVED CVE-2021-36912 RESERVED -CVE-2021-36911 - RESERVED +CVE-2021-36911 (Stored Cross-Site Scripting (XSS) vulnerability discovered in WordPres ...) + NOT-FOR-US: WordPress plugin CVE-2021-36910 RESERVED CVE-2021-36909 (Authenticated Database Reset vulnerability in WordPress WP Reset PRO P ...) @@ -17387,16 +24756,16 @@ CVE-2021-36891 RESERVED CVE-2021-36890 RESERVED -CVE-2021-36889 - RESERVED -CVE-2021-36888 - RESERVED -CVE-2021-36887 - RESERVED -CVE-2021-36886 - RESERVED -CVE-2021-36885 - RESERVED +CVE-2021-36889 (Multiple Stored Authenticated Cross-Site Scripting (XSS) vulnerabiliti ...) + NOT-FOR-US: WordPress plugin +CVE-2021-36888 (Unauthenticated Arbitrary Options Update vulnerability leading to full ...) + NOT-FOR-US: WordPress plugin +CVE-2021-36887 (Cross-Site Request Forgery (CSRF) vulnerability leading to Cross-Site ...) + NOT-FOR-US: WordPress plugin +CVE-2021-36886 (Cross-Site Request Forgery (CSRF) vulnerability discovered in Contact ...) + NOT-FOR-US: WordPress plugin +CVE-2021-36885 (Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability discov ...) + NOT-FOR-US: WordPress plugin CVE-2021-36884 (Authenticated Persistent Cross-Site Scripting (XSS) vulnerability disc ...) NOT-FOR-US: WordPress plugin CVE-2021-36883 @@ -17603,12 +24972,12 @@ CVE-2021-36783 RESERVED CVE-2021-36782 RESERVED -CVE-2021-36781 - RESERVED -CVE-2021-36780 - RESERVED -CVE-2021-36779 - RESERVED +CVE-2021-36781 (A Incorrect Default Permissions vulnerability in the parsec package of ...) + NOT-FOR-US: Parsec +CVE-2021-36780 (A Improper Access Control vulnerability in longhorn of SUSE Longhorn a ...) + NOT-FOR-US: Longhorn +CVE-2021-36779 (A Improper Access Control vulnerability inf SUSE Longhorn allows any w ...) + NOT-FOR-US: Longhorn CVE-2021-36778 RESERVED CVE-2021-36777 @@ -17618,12 +24987,12 @@ CVE-2021-36776 CVE-2021-36775 RESERVED CVE-2021-3653 (A flaw was found in the KVM's AMD code for supporting SVM nested virtu ...) - {DSA-4978-1 DLA-2785-1} + {DSA-4978-1 DLA-2843-1 DLA-2785-1} - linux 5.14.6-1 [buster] - linux 4.19.208-1 NOTE: https://www.openwall.com/lists/oss-security/2021/08/16/1 -CVE-2021-36774 - RESERVED +CVE-2021-36774 (Apache Kylin allows users to read data from other database systems usi ...) + NOT-FOR-US: Apache Kylin (different from Kylin desktop environment) CVE-2021-36773 (uBlock Origin before 1.36.2 and nMatrix before 4.4.9 support an arbitr ...) - ublock-origin 1.37.0+dfsg-1 (bug #991386) [bullseye] - ublock-origin 1.37.0+dfsg-1~deb11u1 @@ -17666,7 +25035,7 @@ CVE-2021-3652 [CRYPT password hash with asterisk allows any bind attempt to succ NOTE: https://github.com/389ds/389-ds-base/issues/4817 NOTE: https://github.com/389ds/389-ds-base/commit/aeb90eb0c41fc48541d983f323c627b2e6c328c7 (master) NOTE: https://github.com/389ds/389-ds-base/commit/c1926dfc6591b55c4d33f9944de4d7ebe077e964 (1.4.4.x) -CVE-2021-36767 (In Digi RealPort through 4.8.488.0, authentication relies on a challen ...) +CVE-2021-36767 (In Digi RealPort through 4.10.490, authentication relies on a challeng ...) NOT-FOR-US: Digi RealPort CVE-2021-36766 (Concrete5 through 8.5.5 deserializes Untrusted Data. The vulnerable co ...) NOT-FOR-US: Concrete5 @@ -17680,8 +25049,8 @@ CVE-2021-36762 (An issue was discovered in HCC Embedded InterNiche NicheStack th NOT-FOR-US: HCC Embedded InterNiche NicheStack CVE-2021-36761 RESERVED -CVE-2021-36760 - RESERVED +CVE-2021-36760 (In accountrecoveryendpoint/recoverpassword.do in WSO2 Identity Server ...) + NOT-FOR-US: WSO2 CVE-2021-36759 RESERVED CVE-2021-3651 @@ -17701,10 +25070,10 @@ CVE-2021-36753 (sharkdp BAT before 0.18.2 executes less.exe from the current wor NOT-FOR-US: sharkdp BAT CVE-2021-36752 RESERVED -CVE-2021-36751 - RESERVED -CVE-2021-36750 - RESERVED +CVE-2021-36751 (ENC DataVault 7.1.1W uses an inappropriate encryption algorithm, such ...) + NOT-FOR-US: ENC DataVault +CVE-2021-36750 (ENC DataVault before 7.2 and VaultAPI v67 mishandle key derivation, ma ...) + NOT-FOR-US: ENC CVE-2021-36749 (In the Druid ingestion system, the InputSource is used for reading dat ...) - druid <itp> (bug #825797) NOTE: https://www.openwall.com/lists/oss-security/2021/09/24/1 @@ -17729,11 +25098,7 @@ CVE-2021-36742 (A improper input validation vulnerability in Trend Micro Apex On CVE-2021-36741 (An improper input validation vulnerability in Trend Micro Apex One, Ap ...) NOT-FOR-US: Trend Micro CVE-2021-3648 - RESERVED - - binutils <unfixed> (unimportant) - NOTE: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=100968 - NOTE: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99935 - NOTE: binutils not covered by security support + REJECTED CVE-2021-3647 (URI.js is vulnerable to URL Redirection to Untrusted Site ...) NOT-FOR-US: URI.js CVE-2021-3646 (btcpayserver is vulnerable to Improper Neutralization of Input During ...) @@ -17743,18 +25108,18 @@ CVE-2021-3645 (merge is vulnerable to Improperly Controlled Modification of Obje CVE-2021-3644 RESERVED - wildfly <itp> (bug #752018) -CVE-2021-36739 - RESERVED -CVE-2021-36738 - RESERVED -CVE-2021-36737 - RESERVED +CVE-2021-36739 (The "first name" and "last name" fields of the Apache Pluto 3.1.0 MVCB ...) + NOT-FOR-US: Apache Pluto MVCBean JSP portlet +CVE-2021-36738 (The input fields in the JSP version of the Apache Pluto Applicant MVCB ...) + NOT-FOR-US: Apache Pluto Applicant MVCBean CDI portlet +CVE-2021-36737 (The input fields of the Apache Pluto UrlTestPortlet are vulnerable to ...) + NOT-FOR-US: Apache Pluto UrlTestPortlet CVE-2021-36736 - RESERVED + REJECTED CVE-2021-36735 - RESERVED + REJECTED CVE-2021-36734 - RESERVED + REJECTED CVE-2021-36733 RESERVED CVE-2021-36732 @@ -17779,20 +25144,20 @@ CVE-2021-36726 RESERVED CVE-2021-36725 RESERVED -CVE-2021-36724 - RESERVED -CVE-2021-36723 - RESERVED -CVE-2021-36722 - RESERVED -CVE-2021-36721 - RESERVED -CVE-2021-36720 - RESERVED -CVE-2021-36719 - RESERVED -CVE-2021-36718 - RESERVED +CVE-2021-36724 (ForeScout - SecureConnector Local Service DoS - A low privilaged user ...) + NOT-FOR-US: ForeScout - SecureConnector +CVE-2021-36723 (Emuse - eServices / eNvoice Exposure Of Private Personal Information d ...) + NOT-FOR-US: Emuse - eServices / eNvoice +CVE-2021-36722 (Emuse - eServices / eNvoice SQL injection can be used in various ways ...) + NOT-FOR-US: Emuse - eServices / eNvoice +CVE-2021-36721 (Sysaid API User Enumeration - Attacker sending requests to specific ap ...) + NOT-FOR-US: Sysaid API +CVE-2021-36720 (PineApp - Mail Secure - Attacker sending a request to :/blocking.php?u ...) + NOT-FOR-US: PineApp - Mail Secure +CVE-2021-36719 (PineApp - Mail Secure - The attacker must be logged in as a user to th ...) + NOT-FOR-US: PineApp - Mail Secure +CVE-2021-36718 (SYNEL - eharmonynew / Synel Reports - The attacker can log in to the s ...) + NOT-FOR-US: SYNEL - eharmonynew / Synel Reports CVE-2021-36717 (Synerion TimeNet version 9.21 contains a directory traversal vulnerabi ...) NOT-FOR-US: Synerion TimeNet CVE-2021-36716 (A ReDoS (regular expression denial of service) flaw was found in the S ...) @@ -17856,9 +25221,14 @@ CVE-2021-36694 CVE-2021-36693 RESERVED CVE-2021-36692 (libjxl v0.3.7 is affected by a Divide By Zero in issue in lib/extras/c ...) - NOT-FOR-US: libjxl + - jpeg-xl <not-affected> (Fixed before initial upload to Debian) + NOTE: https://github.com/libjxl/libjxl/issues/308 + NOTE: https://github.com/libjxl/libjxl/pull/313 + NOTE: https://github.com/libjxl/libjxl/commit/7dfa400ded53919d986c5d3d23446a09e0cf481b (v0.5) CVE-2021-36691 (libjxl v0.5.0 is affected by a Assertion failed issue in lib/jxl/image ...) - NOT-FOR-US: libjxl + - jpeg-xl <unfixed> + NOTE: https://github.com/libjxl/libjxl/issues/422 + NOTE: Special case of https://github.com/libjxl/libjxl/issues/762 CVE-2021-36690 (** DISPUTED ** A segmentation fault can occur in the sqlite3.exe comma ...) - sqlite3 3.36.0-2 (unimportant) [stretch] - sqlite3 <not-affected> (vulnerable code is not present) @@ -18112,14 +25482,14 @@ CVE-2021-36569 RESERVED CVE-2021-36568 RESERVED -CVE-2021-36567 - RESERVED +CVE-2021-36567 (ThinkPHP v6.0.8 was discovered to contain a deserialization vulnerabil ...) + NOT-FOR-US: ThinkPHP CVE-2021-36566 RESERVED CVE-2021-36565 RESERVED -CVE-2021-36564 - RESERVED +CVE-2021-36564 (ThinkPHP v6.0.8 was discovered to contain a deserialization vulnerabil ...) + NOT-FOR-US: ThinkPHP CVE-2021-36563 (The CheckMK management web console (versions 1.5.0 to 2.0.0) does not ...) - check-mk <removed> CVE-2021-36562 @@ -18346,8 +25716,8 @@ CVE-2021-36452 RESERVED CVE-2021-36451 RESERVED -CVE-2021-36450 - RESERVED +CVE-2021-36450 (Verint Workforce Optimization (WFO) 15.2.8.10048 allows XSS via the co ...) + NOT-FOR-US: Verint CVE-2021-36449 RESERVED CVE-2021-36448 @@ -18414,28 +25784,50 @@ CVE-2021-36419 RESERVED CVE-2021-36418 RESERVED -CVE-2021-36417 - RESERVED +CVE-2021-36417 (A heap-based buffer overflow vulnerability exists in GPAC v1.0.1 in th ...) + - gpac <unfixed> + NOTE: https://github.com/gpac/gpac/issues/1846 + NOTE: https://github.com/gpac/gpac/commit/737e1f39da80e02912953269966d89afd196ad30 CVE-2021-36416 RESERVED CVE-2021-36415 RESERVED -CVE-2021-36414 - RESERVED +CVE-2021-36414 (A heab-based buffer overflow vulnerability exists in MP4Box in GPAC 1. ...) + - gpac <unfixed> + NOTE: https://github.com/gpac/gpac/issues/1840 + NOTE: https://github.com/gpac/gpac/commit/6007c7145eb0fcd29fe05b6e5983a065b42c6b21 CVE-2021-36413 RESERVED -CVE-2021-36412 - RESERVED -CVE-2021-36411 - RESERVED -CVE-2021-36410 - RESERVED +CVE-2021-36412 (A heap-based buffer overflow vulnerability exists in MP4Box in GPAC 1. ...) + - gpac <unfixed> + NOTE: https://github.com/gpac/gpac/issues/1838 + NOTE: https://github.com/gpac/gpac/commit/828188475084db87cebc34208b6bd2509709845e +CVE-2021-36411 (An issue has been found in libde265 v1.0.8 due to incorrect access con ...) + - libde265 <unfixed> + [bullseye] - libde265 <no-dsa> (Minor issue) + [buster] - libde265 <no-dsa> (Minor issue) + [stretch] - libde265 <no-dsa> (Minor issue) + NOTE: https://github.com/strukturag/libde265/issues/302 +CVE-2021-36410 (A stack-buffer-overflow exists in libde265 v1.0.8 via fallback-motion. ...) + - libde265 <unfixed> + [bullseye] - libde265 <no-dsa> (Minor issue) + [buster] - libde265 <no-dsa> (Minor issue) + [stretch] - libde265 <no-dsa> (Minor issue) + NOTE: https://github.com/strukturag/libde265/issues/301 CVE-2021-3641 (Improper Link Resolution Before File Access ('Link Following') vulnera ...) NOT-FOR-US: Bitdefender -CVE-2021-36409 - RESERVED -CVE-2021-36408 - RESERVED +CVE-2021-36409 (There is an Assertion `scaling_list_pred_matrix_id_delta==1' failed at ...) + - libde265 <unfixed> + [bullseye] - libde265 <no-dsa> (Minor issue) + [buster] - libde265 <no-dsa> (Minor issue) + [stretch] - libde265 <no-dsa> (Minor issue) + NOTE: https://github.com/strukturag/libde265/issues/300 +CVE-2021-36408 (An issue was discovered in libde265 v1.0.8.There is a Heap-use-after-f ...) + - libde265 <unfixed> + [bullseye] - libde265 <no-dsa> (Minor issue) + [buster] - libde265 <no-dsa> (Minor issue) + [stretch] - libde265 <no-dsa> (Minor issue) + NOTE: https://github.com/strukturag/libde265/issues/299 CVE-2021-36407 RESERVED CVE-2021-36406 @@ -18572,6 +25964,7 @@ CVE-2021-36351 (SQL Injection Vulnerability in Care2x Open Source Hospital Infor CVE-2021-3640 [Linux kernel: UAF in sco_send_frame function] RESERVED - linux 5.15.3-1 + [bullseye] - linux 5.10.84-1 NOTE: https://www.openwall.com/lists/oss-security/2021/07/22/1 CVE-2021-3639 [Prevent redirect to URLs that begin with '///'] RESERVED @@ -18580,36 +25973,36 @@ CVE-2021-3639 [Prevent redirect to URLs that begin with '///'] [buster] - libapache2-mod-auth-mellon <no-dsa> (Minor issue) [stretch] - libapache2-mod-auth-mellon <no-dsa> (Minor issue) NOTE: https://github.com/latchset/mod_auth_mellon/commit/42a11261b9dad2e48d70bdff7c53dd57a12db6f5 -CVE-2021-36350 - RESERVED -CVE-2021-36349 - RESERVED -CVE-2021-36348 - RESERVED -CVE-2021-36347 - RESERVED -CVE-2021-36346 - RESERVED +CVE-2021-36350 (Dell PowerScale OneFS, versions 8.2.2-9.3.0.x, contain an authenticati ...) + NOT-FOR-US: Dell +CVE-2021-36349 (Dell EMC Data Protection Central versions 19.5 and prior contain a Ser ...) + NOT-FOR-US: EMC +CVE-2021-36348 (iDRAC9 versions prior to 5.00.20.00 contain an input injection vulnera ...) + NOT-FOR-US: Dell +CVE-2021-36347 (iDRAC9 versions prior to 5.00.20.00 and iDRAC8 versions prior to 2.82. ...) + NOT-FOR-US: Dell +CVE-2021-36346 (Dell iDRAC 8 prior to version 2.82.82.82 contain a denial of service v ...) + NOT-FOR-US: Dell CVE-2021-36345 RESERVED CVE-2021-36344 RESERVED -CVE-2021-36343 - RESERVED -CVE-2021-36342 - RESERVED -CVE-2021-36341 - RESERVED +CVE-2021-36343 (Dell BIOS contains an improper input validation vulnerability. A local ...) + NOT-FOR-US: Dell +CVE-2021-36342 (Dell BIOS contains an improper input validation vulnerability. A local ...) + NOT-FOR-US: Dell +CVE-2021-36341 (Dell Wyse Device Agent version 14.5.4.1 and below contain a sensitive ...) + NOT-FOR-US: Dell CVE-2021-36340 (Dell EMC SCG 5.00.00.10 and earlier, contain a sensitive information d ...) NOT-FOR-US: EMC -CVE-2021-36339 - RESERVED -CVE-2021-36338 - RESERVED -CVE-2021-36337 - RESERVED -CVE-2021-36336 - RESERVED +CVE-2021-36339 (The Dell EMC Virtual Appliances before 9.2.2.2 contain undocumented us ...) + NOT-FOR-US: EMC +CVE-2021-36338 (Unisphere for PowerMax versions prior to 9.2.2.2 contains a privilege ...) + NOT-FOR-US: Unisphere for PowerMax +CVE-2021-36337 (Dell Wyse Management Suite version 3.3.1 and prior support insecure Tr ...) + NOT-FOR-US: Dell +CVE-2021-36336 (Wyse Management Suite 3.3.1 and below versions contain a deserializati ...) + NOT-FOR-US: Dell CVE-2021-36335 (Dell EMC CloudLink 7.1 and all prior versions contain an Improper Inpu ...) NOT-FOR-US: EMC CVE-2021-36334 (Dell EMC CloudLink 7.1 and all prior versions contain a CSV formula In ...) @@ -18620,16 +26013,16 @@ CVE-2021-36332 (Dell EMC CloudLink 7.1 and all prior versions contain a HTML and NOT-FOR-US: EMC CVE-2021-36331 RESERVED -CVE-2021-36330 - RESERVED -CVE-2021-36329 - RESERVED -CVE-2021-36328 - RESERVED -CVE-2021-36327 - RESERVED -CVE-2021-36326 - RESERVED +CVE-2021-36330 (Dell EMC Streaming Data Platform versions before 1.3 contain an Insuff ...) + NOT-FOR-US: Dell EMC Streaming Data Platform +CVE-2021-36329 (Dell EMC Streaming Data Platform versions before 1.3 contain an Indire ...) + NOT-FOR-US: Dell EMC Streaming Data Platform +CVE-2021-36328 (Dell EMC Streaming Data Platform versions before 1.3 contain a SQL Inj ...) + NOT-FOR-US: Dell EMC Streaming Data Platform +CVE-2021-36327 (Dell EMC Streaming Data Platform versions before 1.3 contain a Server ...) + NOT-FOR-US: Dell EMC Streaming Data Platform +CVE-2021-36326 (Dell EMC Streaming Data Platform, versions prior to 1.3 contain an SSL ...) + NOT-FOR-US: Dell EMC Streaming Data Platform CVE-2021-36325 (Dell BIOS contains an improper input validation vulnerability. A local ...) NOT-FOR-US: Dell CVE-2021-36324 (Dell BIOS contains an improper input validation vulnerability. A local ...) @@ -18644,12 +26037,12 @@ CVE-2021-36320 (Dell Networking X-Series firmware versions prior to 3.0.1.8 cont NOT-FOR-US: Dell CVE-2021-36319 (Dell Networking OS10 versions 10.4.3.x, 10.5.0.x and 10.5.1.x contain ...) NOT-FOR-US: Dell -CVE-2021-36318 - RESERVED -CVE-2021-36317 - RESERVED -CVE-2021-36316 - RESERVED +CVE-2021-36318 (Dell EMC Avamar versions 18.2,19.1,19.2,19.3,19.4 contain a plain-text ...) + NOT-FOR-US: EMC +CVE-2021-36317 (Dell EMC Avamar Server version 19.4 contains a plain-text password sto ...) + NOT-FOR-US: EMC +CVE-2021-36316 (Dell EMC Avamar Server versions 18.2, 19.1, 19.2, 19.3, and 19.4 conta ...) + NOT-FOR-US: EMC CVE-2021-36315 (Dell EMC PowerScale Nodes contain a hardware design flaw. This may all ...) NOT-FOR-US: EMC CVE-2021-36314 (Dell EMC CloudLink 7.1 and all prior versions contain an Arbitrary Fil ...) @@ -18676,8 +26069,8 @@ CVE-2021-36304 RESERVED CVE-2021-36303 RESERVED -CVE-2021-36302 - RESERVED +CVE-2021-36302 (All Dell EMC Integrated System for Microsoft Azure Stack Hub versions ...) + NOT-FOR-US: EMC CVE-2021-36301 (Dell iDRAC 9 prior to version 4.40.40.00 and iDRAC 8 prior to version ...) NOT-FOR-US: Dell CVE-2021-36300 (iDRAC9 versions prior to 5.00.00.00 contain an improper input validati ...) @@ -18688,12 +26081,12 @@ CVE-2021-36298 (Dell EMC InsightIQ, versions prior to 4.1.4, contain risky crypt NOT-FOR-US: EMC CVE-2021-36297 (SupportAssist Client version 3.8 and 3.9 contains an Untrusted search ...) NOT-FOR-US: SupportAssist Client (Dell) -CVE-2021-36296 - RESERVED -CVE-2021-36295 - RESERVED -CVE-2021-36294 - RESERVED +CVE-2021-36296 (Dell VNX2 OE for File versions 8.1.21.266 and earlier, contain an auth ...) + NOT-FOR-US: Dell +CVE-2021-36295 (Dell VNX2 OE for File versions 8.1.21.266 and earlier, contain an auth ...) + NOT-FOR-US: Dell +CVE-2021-36294 (Dell VNX2 OE for File versions 8.1.21.266 and earlier, contain an auth ...) + NOT-FOR-US: Dell CVE-2021-36293 RESERVED CVE-2021-36292 @@ -18702,8 +26095,8 @@ CVE-2021-36291 RESERVED CVE-2021-36290 RESERVED -CVE-2021-36289 - RESERVED +CVE-2021-36289 (Dell VNX2 OE for File versions 8.1.21.266 and earlier, contain a sensi ...) + NOT-FOR-US: Dell CVE-2021-36288 RESERVED CVE-2021-36287 @@ -18851,9 +26244,10 @@ CVE-2021-36222 (ec_verify in kdc/kdc_preauth_ec.c in the Key Distribution Center NOTE: https://github.com/krb5/krb5/commit/fc98f520caefff2e5ee9a0026fdf5109944b3562 NOTE: http://krbdev.mit.edu/rt/Ticket/Display.html?id=9007 CVE-2021-36221 (Go before 1.15.15 and 1.16.x before 1.16.7 has a race condition that c ...) + {DLA-2892-1 DLA-2891-1} - golang-1.16 1.16.7-1 - golang-1.15 1.15.15-1 (bug #991961) - [bullseye] - golang-1.15 <no-dsa> (Minor issue) + [bullseye] - golang-1.15 1.15.15-1~deb11u1 - golang-1.11 <removed> [buster] - golang-1.11 <no-dsa> (Minor issue) - golang-1.8 <removed> @@ -18908,30 +26302,30 @@ CVE-2021-36201 RESERVED CVE-2021-36200 RESERVED -CVE-2021-36199 - RESERVED -CVE-2021-36198 - RESERVED +CVE-2021-36199 (Running a vulnerability scanner against VideoEdge NVRs can cause some ...) + NOT-FOR-US: Sensormatic Electronics, LLC, a subsidiary of Johnson Controls, Inc. +CVE-2021-36198 (Successful exploitation of this vulnerability could allow an unauthori ...) + NOT-FOR-US: Sensormatic Electronics, LLC CVE-2021-36197 RESERVED CVE-2021-36196 RESERVED -CVE-2021-36195 - RESERVED -CVE-2021-36194 - RESERVED -CVE-2021-36193 - RESERVED +CVE-2021-36195 (Multiple command injection vulnerabilities in the command line interpr ...) + NOT-FOR-US: FortiGuard +CVE-2021-36194 (Multiple stack-based buffer overflows in the API controllers of FortiW ...) + NOT-FOR-US: FortiGuard +CVE-2021-36193 (Multiple stack-based buffer overflows in the command line interpreter ...) + NOT-FOR-US: FortiGuard CVE-2021-36192 (An exposure of sensitive information to an unauthorized actor [CWE-200 ...) NOT-FOR-US: Fortiguard -CVE-2021-36191 - RESERVED -CVE-2021-36190 - RESERVED -CVE-2021-36189 - RESERVED -CVE-2021-36188 - RESERVED +CVE-2021-36191 (A url redirection to untrusted site ('open redirect') in Fortinet Fort ...) + NOT-FOR-US: FortiGuard +CVE-2021-36190 (A unintended proxy or intermediary ('confused deputy') in Fortinet For ...) + NOT-FOR-US: FortiGuard +CVE-2021-36189 (A missing encryption of sensitive data in Fortinet FortiClientEMS vers ...) + NOT-FOR-US: FortiGuard +CVE-2021-36188 (A improper neutralization of input during web page generation ('cross- ...) + NOT-FOR-US: FortiGuard CVE-2021-36187 (A uncontrolled resource consumption in Fortinet FortiWeb version 6.4.0 ...) NOT-FOR-US: Fortiguard CVE-2021-36186 (A stack-based buffer overflow in Fortinet FortiWeb version 6.4.0, vers ...) @@ -18946,34 +26340,34 @@ CVE-2021-36182 (A Improper neutralization of special elements used in a command NOT-FOR-US: FortiGuard CVE-2021-36181 (A concurrent execution using shared resource with improper Synchroniza ...) NOT-FOR-US: Fortiguard -CVE-2021-36180 - RESERVED +CVE-2021-36180 (Multiple improper neutralization of special elements used in a command ...) + NOT-FOR-US: FortiGuard CVE-2021-36179 (A stack-based buffer overflow in Fortinet FortiWeb version 6.3.14 and ...) NOT-FOR-US: FortiGuard CVE-2021-36178 (A insufficiently protected credentials in Fortinet FortiSDNConnector v ...) NOT-FOR-US: Fortiguard -CVE-2021-36177 - RESERVED +CVE-2021-36177 (An improper access control vulnerability [CWE-284] in FortiAuthenticat ...) + NOT-FOR-US: FortiGuard CVE-2021-36176 (Multiple uncontrolled resource consumption vulnerabilities in the web ...) NOT-FOR-US: Fortiguard CVE-2021-36175 (An improper neutralization of input vulnerability [CWE-79] in FortiWeb ...) NOT-FOR-US: Fortiguard CVE-2021-36174 (A memory allocation with excessive size value vulnerability in the lic ...) NOT-FOR-US: Fortiguard -CVE-2021-36173 - RESERVED +CVE-2021-36173 (A heap-based buffer overflow in the firmware signature verification fu ...) + NOT-FOR-US: FortiGuard CVE-2021-36172 (An improper restriction of XML external entity reference vulnerability ...) NOT-FOR-US: Fortiguard CVE-2021-36171 RESERVED CVE-2021-36170 (An information disclosure vulnerability [CWE-200] in FortiAnalyzerVM a ...) NOT-FOR-US: Fortiguard -CVE-2021-36169 - RESERVED +CVE-2021-36169 (A Hidden Functionality in Fortinet FortiOS 7.x before 7.0.1, FortiOS 6 ...) + NOT-FOR-US: FortiGuard CVE-2021-36168 (A Improper Limitation of a Pathname to a Restricted Directory ('Path T ...) NOT-FOR-US: Fortinet -CVE-2021-36167 - RESERVED +CVE-2021-36167 (An improper authorization vulnerabiltiy [CWE-285] in FortiClient Windo ...) + NOT-FOR-US: FortiGuard CVE-2021-36166 RESERVED CVE-2021-36165 (RICON Industrial Cellular Router S9922L 16.10.3(3794) is affected by c ...) @@ -18996,6 +26390,7 @@ CVE-2021-36160 (A carefully crafted request uri-path can cause mod_proxy_uwsgi t NOTE: uwsgi since 2.0.15-11 drops building the libapache2-mod-proxy-uwsgi{,-dbg} NOTE: packages which are provided by src:apache2 itself. NOTE: Regression report: https://bz.apache.org/bugzilla/show_bug.cgi?id=65616 + NOTE: Regression patch: https://github.com/apache/httpd/commit/8966e290a6e947fad0289bf4e243b0b552e13726 (2.4.x) CVE-2021-36159 (libfetch before 2021-07-26, as used in apk-tools, xbps, and other prod ...) NOT-FOR-US: libfetch CVE-2021-36158 (In the xrdp package (in branches through 3.14) for Alpine Linux, RDP s ...) @@ -19010,10 +26405,10 @@ CVE-2021-36154 (HTTP2ToRawGRPCServerCodec in gRPC Swift 1.1.1 and earlier allows NOT-FOR-US: gRPC Swift CVE-2021-36153 (Mismanaged state in GRPCWebToHTTP2ServerCodec.swift in gRPC Swift 1.1. ...) NOT-FOR-US: gRPC Swift -CVE-2021-36152 - RESERVED -CVE-2021-36151 - RESERVED +CVE-2021-36152 (Apache Gobblin trusts all certificates used for LDAP connections in Go ...) + NOT-FOR-US: Apache Gobblin +CVE-2021-36151 (In Apache Gobblin, the Hadoop token is written to a temp file that is ...) + NOT-FOR-US: Apache Gobblin CVE-2021-3636 (It was found in OpenShift, before version 4.8, that the generated cert ...) NOT-FOR-US: OpenShift CVE-2021-3635 (A flaw was found in the Linux kernel netfilter implementation in versi ...) @@ -19063,8 +26458,8 @@ CVE-2021-36135 RESERVED CVE-2021-36134 (Out of bounds write vulnerability in the JPEG parsing code of Netop Vi ...) NOT-FOR-US: McAfee -CVE-2021-36133 - RESERVED +CVE-2021-36133 (The OPTEE-OS CSU driver for NXP i.MX SoC devices lacks security access ...) + NOT-FOR-US: OP-TEE CVE-2021-36132 (An issue was discovered in the FileImporter extension in MediaWiki thr ...) NOT-FOR-US: FileImport MediaWiki extension NOTE: https://lists.wikimedia.org/hyperkitty/list/wikitech-l@lists.wikimedia.org/thread/M7MVMBYMLNIVLHCWL2KKZGH36HYN4YON/ @@ -19471,8 +26866,8 @@ CVE-2021-35980 RESERVED CVE-2021-35979 (An issue was discovered in Digi RealPort through 4.8.488.0. The 'encry ...) NOT-FOR-US: Digi RealPort -CVE-2021-35978 - RESERVED +CVE-2021-35978 (An issue was discovered in Digi TransPort DR64, SR44 VC74, and WR. The ...) + NOT-FOR-US: Digi TransPort devices CVE-2021-35977 (An issue was discovered in Digi RealPort for Windows through 4.8.488.0 ...) NOT-FOR-US: Digi RealPort CVE-2021-35976 (The feature to preview a website in Plesk Obsidian 18.0.0 through 18.0 ...) @@ -19489,8 +26884,8 @@ CVE-2021-35971 (Veeam Backup and Replication 10 before 10.0.1.4854 P20210609 and NOT-FOR-US: Veeam CVE-2021-35970 (Talk 4 in Coral before 4.12.1 allows remote attackers to discover e-ma ...) NOT-FOR-US: Coral -CVE-2021-35969 - RESERVED +CVE-2021-35969 (Pexip Infinity before 26 allows temporary remote Denial of Service (ab ...) + NOT-FOR-US: Pexip Infinity CVE-2021-35968 (The directory list page parameter of the Orca HCM digital learning pla ...) NOT-FOR-US: Orca HCM digital learning platform CVE-2021-35967 (The directory page parameter of the Orca HCM digital learning platform ...) @@ -19552,7 +26947,7 @@ CVE-2021-35942 (The wordexp function in the GNU C Library (aka glibc) through 2. CVE-2021-35941 (Western Digital WD My Book Live (2.x and later) and WD My Book Live Du ...) NOT-FOR-US: Western Digital CVE-2021-3630 (An out-of-bounds write vulnerability was found in DjVuLibre in DJVU::D ...) - {DLA-2702-1} + {DSA-5032-1 DLA-2702-1} - djvulibre 3.5.27.1-12 NOTE: https://sourceforge.net/p/djvu/bugs/302/ NOTE: https://sourceforge.net/p/djvu/djvulibre-git/ci/7b0ef20690e08f1fe124aebbf42f6310e2f40f81/ @@ -20098,16 +27493,16 @@ CVE-2021-35689 RESERVED CVE-2021-35688 RESERVED -CVE-2021-35687 - RESERVED -CVE-2021-35686 - RESERVED +CVE-2021-35687 (Vulnerability in the Oracle Financial Services Analytical Applications ...) + NOT-FOR-US: Oracle +CVE-2021-35686 (Vulnerability in the Oracle Financial Services Analytical Applications ...) + NOT-FOR-US: Oracle CVE-2021-35685 RESERVED CVE-2021-35684 RESERVED -CVE-2021-35683 - RESERVED +CVE-2021-35683 (Vulnerability in the Oracle Essbase Administration Services product of ...) + NOT-FOR-US: Oracle CVE-2021-35682 RESERVED CVE-2021-35681 @@ -20266,16 +27661,15 @@ CVE-2021-35606 (Vulnerability in the PeopleSoft Enterprise CS Campus Community p CVE-2021-35605 RESERVED CVE-2021-35604 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - - mariadb-10.5 <unfixed> + - mariadb-10.5 <removed> [bullseye] - mariadb-10.5 <no-dsa> (Minor issue) - mariadb-10.3 <removed> [buster] - mariadb-10.3 <no-dsa> (Minor issue) - mysql-8.0 <unfixed> - mysql-5.7 <removed> NOTE: Fixed in MariaDB: 10.5.13, 10.3.32 - TODO: clarify MariaDB 10.6 status CVE-2021-35603 (Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition produc ...) - {DSA-5012-1 DSA-5000-1 DLA-2814-1} + {DSA-5000-2 DSA-5012-1 DSA-5000-1 DLA-2814-1} - openjdk-17 17.0.1+12-1 - openjdk-11 11.0.13+8-1 - openjdk-8 8u312-b07-1 @@ -20310,10 +27704,10 @@ CVE-2021-35589 (Vulnerability in the Oracle Solaris product of Oracle Systems (c CVE-2021-35588 (Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition produc ...) {DLA-2814-1} - openjdk-8 8u312-b07-1 -CVE-2021-35587 - RESERVED +CVE-2021-35587 (Vulnerability in the Oracle Access Manager product of Oracle Fusion Mi ...) + NOT-FOR-US: Oracle CVE-2021-35586 (Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition produc ...) - {DSA-5012-1 DSA-5000-1 DLA-2814-1} + {DSA-5000-2 DSA-5012-1 DSA-5000-1 DLA-2814-1} - openjdk-17 17.0.1+12-1 - openjdk-11 11.0.13+8-1 - openjdk-8 8u312-b07-1 @@ -20332,7 +27726,7 @@ CVE-2021-35580 (Vulnerability in the Oracle Applications Manager product of Orac CVE-2021-35579 RESERVED CVE-2021-35578 (Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition produc ...) - {DSA-5012-1 DSA-5000-1 DLA-2814-1} + {DSA-5000-2 DSA-5012-1 DSA-5000-1 DLA-2814-1} - openjdk-17 17.0.1+12-1 - openjdk-11 11.0.13+8-1 - openjdk-8 8u312-b07-1 @@ -20357,18 +27751,18 @@ CVE-2021-35569 (Vulnerability in the Oracle Applications Manager product of Orac CVE-2021-35568 (Vulnerability in the PeopleSoft Enterprise PeopleTools product of Orac ...) NOT-FOR-US: Oracle CVE-2021-35567 (Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition produc ...) - {DSA-5012-1 DSA-5000-1 DLA-2814-1} + {DSA-5000-2 DSA-5012-1 DSA-5000-1 DLA-2814-1} - openjdk-17 17.0.1+12-1 - openjdk-11 11.0.13+8-1 - openjdk-8 8u312-b07-1 CVE-2021-35566 (Vulnerability in the Oracle Applications Manager product of Oracle E-B ...) NOT-FOR-US: Oracle CVE-2021-35565 (Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition produc ...) - {DSA-5000-1 DLA-2814-1} + {DSA-5000-2 DSA-5000-1 DLA-2814-1} - openjdk-11 11.0.13+8-1 - openjdk-8 8u312-b07-1 CVE-2021-35564 (Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition produc ...) - {DSA-5012-1 DSA-5000-1 DLA-2814-1} + {DSA-5000-2 DSA-5012-1 DSA-5000-1 DLA-2814-1} - openjdk-17 17.0.1+12-1 - openjdk-11 11.0.13+8-1 - openjdk-8 8u312-b07-1 @@ -20377,14 +27771,14 @@ CVE-2021-35563 (Vulnerability in the Oracle Shipping Execution product of Oracle CVE-2021-35562 (Vulnerability in the Oracle Universal Work Queue product of Oracle E-B ...) NOT-FOR-US: Oracle CVE-2021-35561 (Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition produc ...) - {DSA-5012-1 DSA-5000-1 DLA-2814-1} + {DSA-5000-2 DSA-5012-1 DSA-5000-1 DLA-2814-1} - openjdk-17 17.0.1+12-1 - openjdk-11 11.0.13+8-1 - openjdk-8 8u312-b07-1 CVE-2021-35560 (Vulnerability in the Java SE product of Oracle Java SE (component: Dep ...) - openjdk-8 <not-affected> (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2021-35559 (Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition produc ...) - {DSA-5012-1 DSA-5000-1 DLA-2814-1} + {DSA-5000-2 DSA-5012-1 DSA-5000-1 DLA-2814-1} - openjdk-17 17.0.1+12-1 - openjdk-11 11.0.13+8-1 - openjdk-8 8u312-b07-1 @@ -20393,7 +27787,7 @@ CVE-2021-35558 (Vulnerability in the Core RDBMS component of Oracle Database Ser CVE-2021-35557 (Vulnerability in the Core RDBMS component of Oracle Database Server. S ...) NOT-FOR-US: Oracle CVE-2021-35556 (Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition produc ...) - {DSA-5012-1 DSA-5000-1 DLA-2814-1} + {DSA-5000-2 DSA-5012-1 DSA-5000-1 DLA-2814-1} - openjdk-17 17.0.1+12-1 - openjdk-11 11.0.13+8-1 - openjdk-8 8u312-b07-1 @@ -20408,7 +27802,7 @@ CVE-2021-35552 (Vulnerability in the Oracle WebLogic Server product of Oracle Fu CVE-2021-35551 (Vulnerability in the RDBMS Security component of Oracle Database Serve ...) NOT-FOR-US: Oracle CVE-2021-35550 (Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition produc ...) - {DSA-5000-1 DLA-2814-1} + {DSA-5000-2 DSA-5000-1 DLA-2814-1} - openjdk-11 11.0.13+8-1 - openjdk-8 8u312-b07-1 CVE-2021-35549 (Vulnerability in the Oracle Solaris product of Oracle Systems (compone ...) @@ -20444,7 +27838,7 @@ CVE-2021-35535 (Insecure Boot Image vulnerability in Hitachi Energy Relion Relio CVE-2021-35534 (Insufficient security control vulnerability in internal database acces ...) NOT-FOR-US: Hitachi CVE-2021-35533 (Improper Input Validation vulnerability in the APDU parser in the Bidi ...) - TODO: check + NOT-FOR-US: Hitachi CVE-2021-35532 RESERVED CVE-2021-35531 @@ -20467,7 +27861,7 @@ CVE-2021-3624 [buffer-overflow caused by integer-overflow in foveon_load_camf()] [stretch] - dcraw <no-dsa> (Minor issue) CVE-2021-3623 [out-of-bounds access when trying to resume the state of the vTPM] RESERVED - - libtpms <unfixed> (bug #990522) + - libtpms 0.9.1-1 (bug #990522) NOTE: https://github.com/stefanberger/libtpms/pull/223 NOTE: https://github.com/stefanberger/libtpms/commit/2f30d620d3c053f20d38b54bf76ac0907821d263 NOTE: https://github.com/stefanberger/libtpms/commit/7981d9ad90a5043a05004e4ca7b46beab8ca7809 @@ -20549,8 +27943,7 @@ CVE-2021-35503 (Afian FileRun 2021.03.26 allows stored XSS via an HTTP X-Forward NOT-FOR-US: Afian FileRun CVE-2021-35502 (app/View/Elements/genericElements/IndexTable/Fields/generic_field.ctp ...) NOT-FOR-US: MISP -CVE-2021-3622 - RESERVED +CVE-2021-3622 (A flaw was found in the hivex library. This flaw allows an attacker to ...) - hivex 1.3.21-1 (bug #991860) [bullseye] - hivex <no-dsa> (Minor issue) [buster] - hivex <no-dsa> (Minor issue) @@ -20559,8 +27952,7 @@ CVE-2021-3622 NOTE: https://github.com/libguestfs/hivex/commit/771728218dac2fbf6997a7e53225e75a4c6b7255 CVE-2021-35501 (PandoraFMS <=7.54 allows Stored XSS by placing a payload in the nam ...) NOT-FOR-US: PandoraFMS -CVE-2021-3621 [shell command injection in sssctl] - RESERVED +CVE-2021-3621 (A flaw was found in SSSD, where the sssctl command was vulnerable to s ...) {DLA-2758-1} - sssd 2.5.2-1 (bug #992710) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1975142 @@ -20571,10 +27963,10 @@ CVE-2021-3620 - ansible <unfixed> [bullseye] - ansible <postponed> (Minor issue, revisit when/if fixed upstream) [buster] - ansible <postponed> (Minor issue, revisit when/if fixed upstream) - - ansible-base <unfixed> + - ansible-base <removed> NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1975767 -CVE-2021-35500 - RESERVED +CVE-2021-35500 (The Data Virtualization Server component of TIBCO Software Inc.'s TIBC ...) + NOT-FOR-US: TIBCO CVE-2021-35499 (The Web Reporting component of TIBCO Software Inc.'s TIBCO Nimbus cont ...) NOT-FOR-US: TIBCO CVE-2021-35498 (The TIBCO EBX Web Server component of TIBCO Software Inc.'s TIBCO EBX, ...) @@ -20595,8 +27987,8 @@ CVE-2021-35492 (Wowza Streaming Engine through 4.8.11+5 could allow an authentic NOT-FOR-US: Wowza Streaming Engine CVE-2021-35491 (A Cross-Site Request Forgery (CSRF) vulnerability in Wowza Streaming E ...) NOT-FOR-US: Wowza Streaming Engine -CVE-2021-35490 - RESERVED +CVE-2021-35490 (Thruk before 2.44 allows XSS for a quick command. ...) + NOT-FOR-US: Thruk CVE-2021-35489 (Thruk 2.40-2 allows /thruk/#cgi-bin/extinfo.cgi?type=2&host={HOSTN ...) NOT-FOR-US: Thruk CVE-2021-35488 (Thruk 2.40-2 allows /thruk/#cgi-bin/status.cgi?style=combined&titl ...) @@ -20719,8 +28111,9 @@ CVE-2021-35454 RESERVED CVE-2021-35453 RESERVED -CVE-2021-35452 - RESERVED +CVE-2021-35452 (An Incorrect Access Control vulnerability exists in libde265 v1.0.8 du ...) + - libde265 <unfixed> + NOTE: https://github.com/strukturag/libde265/issues/298 CVE-2021-35451 (In Teradici PCoIP Management Console-Enterprise 20.07.0, an unauthenti ...) NOT-FOR-US: Teradici PCoIP Management Console-Enterprise CVE-2021-35450 (A Server Side Template Injection in the Entando Admin Console 6.3.9 an ...) @@ -20794,12 +28187,12 @@ CVE-2021-35417 RESERVED CVE-2021-35416 RESERVED -CVE-2021-35415 - RESERVED -CVE-2021-35414 - RESERVED -CVE-2021-35413 - RESERVED +CVE-2021-35415 (A stored cross-site scripting (XSS) vulnerability allows attackers to ...) + NOT-FOR-US: Chamilo LMS +CVE-2021-35414 (Chamilo LMS v1.11.x was discovered to contain a SQL injection via the ...) + NOT-FOR-US: Chamilo LMS +CVE-2021-35413 (A remote code execution (RCE) vulnerability in course_intro_pdf_import ...) + NOT-FOR-US: Chamilo LMS CVE-2021-35412 RESERVED CVE-2021-35411 @@ -20864,8 +28257,8 @@ CVE-2021-35382 RESERVED CVE-2021-35381 RESERVED -CVE-2021-35380 - RESERVED +CVE-2021-35380 (A Directory Traversal vulnerability exists in Solari di Udine TermTalk ...) + NOT-FOR-US: Solari di Udine TermTalk Server (TTServer) CVE-2021-35379 RESERVED CVE-2021-35378 @@ -20939,12 +28332,12 @@ CVE-2021-35348 RESERVED CVE-2021-35347 RESERVED -CVE-2021-35346 - RESERVED +CVE-2021-35346 (tsMuxer v2.6.16 was discovered to contain a heap-based buffer overflow ...) + NOT-FOR-US: tsMuxer CVE-2021-35345 RESERVED -CVE-2021-35344 - RESERVED +CVE-2021-35344 (tsMuxer v2.6.16 was discovered to contain a heap-based buffer overflow ...) + NOT-FOR-US: tsMuxer CVE-2021-35343 (Cross-Site Request Forgery (CSRF) vulnerability in the /op/op.Ajax.php ...) NOT-FOR-US: SeedDMS CVE-2021-35342 (The useradm service 1.14.0 (in Northern.tech Mender Enterprise 2.7.x b ...) @@ -21157,20 +28550,20 @@ CVE-2021-35250 RESERVED CVE-2021-35249 RESERVED -CVE-2021-35248 - RESERVED -CVE-2021-35247 - RESERVED +CVE-2021-35248 (It has been reported that any Orion user, e.g. guest accounts can quer ...) + NOT-FOR-US: SolarWinds +CVE-2021-35247 (Serv-U web login screen to LDAP authentication was allowing characters ...) + NOT-FOR-US: SolarWinds CVE-2021-35246 RESERVED -CVE-2021-35245 - RESERVED -CVE-2021-35244 - RESERVED -CVE-2021-35243 - RESERVED -CVE-2021-35242 - RESERVED +CVE-2021-35245 (When a user has admin rights in Serv-U Console, the user can move, cre ...) + NOT-FOR-US: SolarWinds +CVE-2021-35244 (The "Log alert to a file" action within action management enables any ...) + NOT-FOR-US: SolarWinds +CVE-2021-35243 (The HTTP PUT and DELETE methods were enabled in the Web Help Desk web ...) + NOT-FOR-US: SolarWinds +CVE-2021-35242 (Serv-U server responds with valid CSRFToken when the request contains ...) + NOT-FOR-US: SolarWinds CVE-2021-35241 RESERVED CVE-2021-35240 (A security researcher stored XSS via a Help Server setting. This affec ...) @@ -21185,12 +28578,12 @@ CVE-2021-35236 (The Secure flag is not set in the SSL Cookie of Kiwi Syslog Serv NOT-FOR-US: SolarWinds CVE-2021-35235 (The ASP.NET debug feature is enabled by default in Kiwi Syslog Server ...) NOT-FOR-US: Kiwi Syslog Server -CVE-2021-35234 - RESERVED +CVE-2021-35234 (Numerous exposed dangerous functions within Orion Core has allows for ...) + NOT-FOR-US: SolarWinds CVE-2021-35233 (The HTTP TRACK & TRACE methods were enabled in Kiwi Syslog Server ...) NOT-FOR-US: Kiwi Syslog Server -CVE-2021-35232 - RESERVED +CVE-2021-35232 (Hard coded credentials discovered in SolarWinds Web Help Desk product. ...) + NOT-FOR-US: SolarWinds CVE-2021-35231 (As a result of an unquoted service path vulnerability present in the K ...) NOT-FOR-US: Kiwi Syslog Server Installation Wizard CVE-2021-35230 (As a result of an unquoted service path vulnerability present in the K ...) @@ -21475,8 +28868,8 @@ CVE-2021-35095 RESERVED CVE-2021-35094 RESERVED -CVE-2021-35093 - RESERVED +CVE-2021-35093 (Possible memory corruption in BT controller when it receives an oversi ...) + NOT-FOR-US: Qualcomm CVE-2021-35092 RESERVED CVE-2021-35091 @@ -21507,14 +28900,14 @@ CVE-2021-35079 RESERVED CVE-2021-35078 RESERVED -CVE-2021-35077 - RESERVED +CVE-2021-35077 (Possible use after free scenario in compute offloads to DSP while mult ...) + NOT-FOR-US: Qualcomm CVE-2021-35076 RESERVED -CVE-2021-35075 - RESERVED -CVE-2021-35074 - RESERVED +CVE-2021-35075 (Possible null pointer dereference due to lack of WDOG structure valida ...) + NOT-FOR-US: Qualcomm +CVE-2021-35074 (Possible integer overflow due to improper fragment datatype while calc ...) + NOT-FOR-US: Qualcomm CVE-2021-35073 RESERVED CVE-2021-35072 @@ -21523,14 +28916,14 @@ CVE-2021-35071 RESERVED CVE-2021-35070 RESERVED -CVE-2021-35069 - RESERVED -CVE-2021-35068 - RESERVED +CVE-2021-35069 (Improper validation of data length received from DMA buffer can lead t ...) + NOT-FOR-US: Qualcomm +CVE-2021-35068 (Lack of null check while freeing the device information buffer in the ...) + NOT-FOR-US: Qualcomm CVE-2021-35067 (Meross MSG100 devices before 3.2.3 allow an attacker to replay the sam ...) NOT-FOR-US: Meross MSG100 devices CVE-2021-3612 (An out-of-bounds memory write flaw was found in the Linux kernel's joy ...) - {DLA-2785-1} + {DLA-2843-1 DLA-2785-1} - linux 5.10.46-3 [buster] - linux 4.19.208-1 NOTE: Introduced by: https://lore.kernel.org/linux-input/20210219083215.GS2087@kadam/ @@ -21560,8 +28953,8 @@ CVE-2021-35057 RESERVED CVE-2021-35056 (Unisys Stealth 5.1 before 5.1.025.0 and 6.0 before 6.0.055.0 has an un ...) NOT-FOR-US: Unisys -CVE-2021-35055 - RESERVED +CVE-2021-35055 (MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and ...) + NOT-FOR-US: Netgear CVE-2021-35054 (Minecraft before 1.17.1, when online-mode=false is configured, allows ...) NOT-FOR-US: Minecraft CVE-2021-3611 [QEMU: intel-hda: segmentation fault due to stack overflow] @@ -21573,6 +28966,7 @@ CVE-2021-3611 [QEMU: intel-hda: segmentation fault due to stack overflow] NOTE: https://bugs.launchpad.net/qemu/+bug/1907497 NOTE: https://gitlab.com/qemu-project/qemu/-/issues/542 NOTE: Introduced by: https://git.qemu.org/?p=qemu.git;a=commit;h=a9d8ba2be58e067bdfbff830eb9ff438d8db7f10 (v5.0.0-rc0) + NOTE: Proposed fix: https://lore.kernel.org/qemu-devel/20211218160912.1591633-1-philmd@redhat.com/ CVE-2021-3610 [heap-based buffer overflow in ReadTIFFImage() in coders/tiff.c] RESERVED - imagemagick <not-affected> (Specific to Imagemagick 7) @@ -21626,16 +29020,16 @@ CVE-2021-35037 (Jamf Pro before 10.30.1 allows for an unvalidated URL redirect v NOT-FOR-US: Jamf Pro CVE-2021-35036 RESERVED -CVE-2021-35035 - RESERVED -CVE-2021-35034 - RESERVED +CVE-2021-35035 (A cleartext storage of sensitive information vulnerability in the Zyxe ...) + NOT-FOR-US: Zyxel +CVE-2021-35034 (An insufficient session expiration vulnerability in the CGI program of ...) + NOT-FOR-US: Zyxel CVE-2021-35033 (A vulnerability in specific versions of Zyxel NBG6818, NBG7815, WSQ20, ...) NOT-FOR-US: Zyxel -CVE-2021-35032 - RESERVED -CVE-2021-35031 - RESERVED +CVE-2021-35032 (A vulnerability in the 'libsal.so' of the Zyxel GS1900 series firmware ...) + NOT-FOR-US: Zyxel +CVE-2021-35031 (A vulnerability in the TFTP client of Zyxel GS1900 series firmware, XG ...) + NOT-FOR-US: Zyxel CVE-2021-35030 (A vulnerability was found in the CGI program in Zyxel GS1900-8 firmwar ...) NOT-FOR-US: Zyxel CVE-2021-35029 (An authentication bypasss vulnerability in the web-based management in ...) @@ -21686,12 +29080,12 @@ CVE-2021-35007 RESERVED CVE-2021-35006 RESERVED -CVE-2021-35005 - RESERVED -CVE-2021-35004 - RESERVED -CVE-2021-35003 - RESERVED +CVE-2021-35005 (This vulnerability allows local attackers to disclose sensitive inform ...) + NOT-FOR-US: TeamViewer +CVE-2021-35004 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: TP-Link +CVE-2021-35003 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: TP-Link CVE-2021-35002 RESERVED CVE-2021-35001 @@ -21700,18 +29094,18 @@ CVE-2021-35000 RESERVED CVE-2021-34999 RESERVED -CVE-2021-34998 - RESERVED -CVE-2021-34997 - RESERVED -CVE-2021-34996 - RESERVED -CVE-2021-34995 - RESERVED -CVE-2021-34994 - RESERVED -CVE-2021-34993 - RESERVED +CVE-2021-34998 (This vulnerability allows local attackers to escalate privileges on af ...) + NOT-FOR-US: Panda Security Free Antivirus +CVE-2021-34997 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Commvault CommCell +CVE-2021-34996 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Commvault CommCell +CVE-2021-34995 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Commvault CommCell +CVE-2021-34994 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Commvault CommCell +CVE-2021-34993 (This vulnerability allows remote attackers to bypass authentication on ...) + NOT-FOR-US: Commvault CommCell CVE-2021-34992 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Orckestra C1 CMS CVE-2021-34991 (This vulnerability allows network-adjacent attackers to execute arbitr ...) @@ -21726,10 +29120,10 @@ CVE-2021-34987 RESERVED CVE-2021-34986 RESERVED -CVE-2021-34985 - RESERVED -CVE-2021-34984 - RESERVED +CVE-2021-34985 (This vulnerability allows remote attackers to disclose sensitive infor ...) + NOT-FOR-US: Bentley ContextCapture +CVE-2021-34984 (This vulnerability allows remote attackers to disclose sensitive infor ...) + NOT-FOR-US: Bentley ContextCapture CVE-2021-34983 RESERVED CVE-2021-34982 @@ -21741,14 +29135,14 @@ CVE-2021-34981 [Bluetooth CMTP Module Double Free Privilege Escalation Vulnerabi [stretch] - linux 4.9.272-1 NOTE: https://www.zerodayinitiative.com/advisories/ZDI-21-1223/ NOTE: https://git.kernel.org/linus/3cfdf8fcaafa62a4123f92eb0f4a72650da3a479 (5.14-rc1) -CVE-2021-34980 - RESERVED -CVE-2021-34979 - RESERVED -CVE-2021-34978 - RESERVED -CVE-2021-34977 - RESERVED +CVE-2021-34980 (This vulnerability allows network-adjacent attackers to execute arbitr ...) + NOT-FOR-US: Netgear +CVE-2021-34979 (This vulnerability allows network-adjacent attackers to execute arbitr ...) + NOT-FOR-US: Netgear +CVE-2021-34978 (This vulnerability allows network-adjacent attackers to execute arbitr ...) + NOT-FOR-US: Netgear +CVE-2021-34977 (This vulnerability allows network-adjacent attackers to bypass authent ...) + NOT-FOR-US: Netgear CVE-2021-34976 RESERVED CVE-2021-34975 @@ -21809,175 +29203,174 @@ CVE-2021-34948 RESERVED CVE-2021-34947 RESERVED -CVE-2021-34946 - RESERVED -CVE-2021-34945 - RESERVED -CVE-2021-34944 - RESERVED -CVE-2021-34943 - RESERVED -CVE-2021-34942 - RESERVED -CVE-2021-34941 - RESERVED -CVE-2021-34940 - RESERVED -CVE-2021-34939 - RESERVED -CVE-2021-34938 - RESERVED -CVE-2021-34937 - RESERVED -CVE-2021-34936 - RESERVED -CVE-2021-34935 - RESERVED -CVE-2021-34934 - RESERVED -CVE-2021-34933 - RESERVED -CVE-2021-34932 - RESERVED -CVE-2021-34931 - RESERVED -CVE-2021-34930 - RESERVED -CVE-2021-34929 - RESERVED -CVE-2021-34928 - RESERVED -CVE-2021-34927 - RESERVED -CVE-2021-34926 - RESERVED -CVE-2021-34925 - RESERVED -CVE-2021-34924 - RESERVED -CVE-2021-34923 - RESERVED -CVE-2021-34922 - RESERVED -CVE-2021-34921 - RESERVED -CVE-2021-34920 - RESERVED -CVE-2021-34919 - RESERVED -CVE-2021-34918 - RESERVED -CVE-2021-34917 - RESERVED -CVE-2021-34916 - RESERVED -CVE-2021-34915 - RESERVED -CVE-2021-34914 - RESERVED -CVE-2021-34913 - RESERVED -CVE-2021-34912 - RESERVED -CVE-2021-34911 - RESERVED -CVE-2021-34910 - RESERVED -CVE-2021-34909 - RESERVED -CVE-2021-34908 - RESERVED -CVE-2021-34907 - RESERVED -CVE-2021-34906 - RESERVED -CVE-2021-34905 - RESERVED -CVE-2021-34904 - RESERVED -CVE-2021-34903 - RESERVED -CVE-2021-34902 - RESERVED -CVE-2021-34901 - RESERVED -CVE-2021-34900 - RESERVED -CVE-2021-34899 - RESERVED -CVE-2021-34898 - RESERVED -CVE-2021-34897 - RESERVED -CVE-2021-34896 - RESERVED -CVE-2021-34895 - RESERVED -CVE-2021-34894 - RESERVED -CVE-2021-34893 - RESERVED -CVE-2021-34892 - RESERVED -CVE-2021-34891 - RESERVED -CVE-2021-34890 - RESERVED -CVE-2021-34889 - RESERVED -CVE-2021-34888 - RESERVED -CVE-2021-34887 - RESERVED -CVE-2021-34886 - RESERVED -CVE-2021-34885 - RESERVED -CVE-2021-34884 - RESERVED -CVE-2021-34883 - RESERVED -CVE-2021-34882 - RESERVED -CVE-2021-34881 - RESERVED -CVE-2021-34880 - RESERVED -CVE-2021-34879 - RESERVED -CVE-2021-34878 - RESERVED -CVE-2021-34877 - RESERVED -CVE-2021-34876 - RESERVED -CVE-2021-34875 - RESERVED -CVE-2021-34874 - RESERVED -CVE-2021-34873 - RESERVED -CVE-2021-34872 - RESERVED -CVE-2021-34871 - RESERVED -CVE-2021-34870 - RESERVED -CVE-2021-34869 - RESERVED -CVE-2021-34868 - RESERVED -CVE-2021-34867 - RESERVED -CVE-2021-34866 - RESERVED +CVE-2021-34946 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley View +CVE-2021-34945 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley View +CVE-2021-34944 (This vulnerability allows remote attackers to disclose sensitive infor ...) + NOT-FOR-US: Bentley View +CVE-2021-34943 (This vulnerability allows remote attackers to disclose sensitive infor ...) + NOT-FOR-US: Bentley View +CVE-2021-34942 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley View +CVE-2021-34941 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley View +CVE-2021-34940 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley View +CVE-2021-34939 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley View +CVE-2021-34938 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley View +CVE-2021-34937 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley View +CVE-2021-34936 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley View +CVE-2021-34935 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley View +CVE-2021-34934 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley View +CVE-2021-34933 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley View +CVE-2021-34932 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley View +CVE-2021-34931 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley View +CVE-2021-34930 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley View +CVE-2021-34929 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley View +CVE-2021-34928 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley View +CVE-2021-34927 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley View +CVE-2021-34926 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley View +CVE-2021-34925 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley View +CVE-2021-34924 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley View +CVE-2021-34923 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley View +CVE-2021-34922 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley View +CVE-2021-34921 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley View +CVE-2021-34920 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley View +CVE-2021-34919 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley View +CVE-2021-34918 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley View +CVE-2021-34917 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley View +CVE-2021-34916 (This vulnerability allows remote attackers to disclose sensitive infor ...) + NOT-FOR-US: Bentley View +CVE-2021-34915 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley View +CVE-2021-34914 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley View +CVE-2021-34913 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley View +CVE-2021-34912 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley View +CVE-2021-34911 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley View +CVE-2021-34910 (This vulnerability allows remote attackers to disclose sensitive infor ...) + NOT-FOR-US: Bentley View +CVE-2021-34909 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley View +CVE-2021-34908 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley View +CVE-2021-34907 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley View +CVE-2021-34906 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley View +CVE-2021-34905 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley View +CVE-2021-34904 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley View +CVE-2021-34903 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley View +CVE-2021-34902 (This vulnerability allows remote attackers to disclose sensitive infor ...) + NOT-FOR-US: Bentley View +CVE-2021-34901 (This vulnerability allows remote attackers to disclose sensitive infor ...) + NOT-FOR-US: Bentley View +CVE-2021-34900 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley View +CVE-2021-34899 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley View +CVE-2021-34898 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley View +CVE-2021-34897 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley View +CVE-2021-34896 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley View +CVE-2021-34895 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley View +CVE-2021-34894 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley View +CVE-2021-34893 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley View +CVE-2021-34892 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley View +CVE-2021-34891 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley View +CVE-2021-34890 (This vulnerability allows remote attackers to disclose sensitive infor ...) + NOT-FOR-US: Bentley View +CVE-2021-34889 (This vulnerability allows remote attackers to disclose sensitive infor ...) + NOT-FOR-US: Bentley View +CVE-2021-34888 (This vulnerability allows remote attackers to disclose sensitive infor ...) + NOT-FOR-US: Bentley View +CVE-2021-34887 (This vulnerability allows remote attackers to disclose sensitive infor ...) + NOT-FOR-US: Bentley View +CVE-2021-34886 (This vulnerability allows remote attackers to disclose sensitive infor ...) + NOT-FOR-US: Bentley View +CVE-2021-34885 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley View +CVE-2021-34884 (This vulnerability allows remote attackers to disclose sensitive infor ...) + NOT-FOR-US: Bentley View +CVE-2021-34883 (This vulnerability allows remote attackers to disclose sensitive infor ...) + NOT-FOR-US: Bentley View +CVE-2021-34882 (This vulnerability allows remote attackers to disclose sensitive infor ...) + NOT-FOR-US: Bentley View +CVE-2021-34881 (This vulnerability allows remote attackers to disclose sensitive infor ...) + NOT-FOR-US: Bentley View +CVE-2021-34880 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley View +CVE-2021-34879 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley View +CVE-2021-34878 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley View +CVE-2021-34877 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley View +CVE-2021-34876 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley View +CVE-2021-34875 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley View +CVE-2021-34874 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley View +CVE-2021-34873 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley View +CVE-2021-34872 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley View +CVE-2021-34871 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Bentley View +CVE-2021-34870 (This vulnerability allows network-adjacent attackers to disclose sensi ...) + NOT-FOR-US: Netgear +CVE-2021-34869 (This vulnerability allows local attackers to escalate privileges on af ...) + NOT-FOR-US: Parallels Desktop +CVE-2021-34868 (This vulnerability allows local attackers to escalate privileges on af ...) + NOT-FOR-US: Parallels Desktop +CVE-2021-34867 (This vulnerability allows local attackers to escalate privileges on af ...) + NOT-FOR-US: Parallels Desktop +CVE-2021-34866 (This vulnerability allows local attackers to escalate privileges on af ...) - linux 5.14.6-1 [bullseye] - linux 5.10.70-1 [buster] - linux <not-affected> (Vulnerable code introduced later) [stretch] - linux <not-affected> (Vulnerable code introduced later) NOTE: Fixed by: https://git.kernel.org/linus/5b029a32cfe4600f5e10e36b41778506b90fd4de (5.14) -CVE-2021-34865 - RESERVED +CVE-2021-34865 (This vulnerability allows network-adjacent attackers to bypass authent ...) + NOT-FOR-US: Netgear CVE-2021-34864 (This vulnerability allows local attackers to escalate privileges on af ...) NOT-FOR-US: Parallels Desktop CVE-2021-34863 (This vulnerability allows network-adjacent attackers to execute arbitr ...) @@ -21990,8 +29383,8 @@ CVE-2021-34860 (This vulnerability allows network-adjacent attackers to disclose NOT-FOR-US: D-Link CVE-2021-34859 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: TeamViewer -CVE-2021-34858 - RESERVED +CVE-2021-34858 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: TeamViewer CVE-2021-34857 (This vulnerability allows local attackers to escalate privileges on af ...) NOT-FOR-US: Parallels Desktop CVE-2021-34856 (This vulnerability allows local attackers to escalate privileges on af ...) @@ -22060,6 +29453,7 @@ CVE-2021-3608 [pvrdma: uninitialized memory unmap in pvrdma_ring_init()] [buster] - qemu <no-dsa> (Minor issue) [stretch] - qemu <not-affected> (Vulnerable code introduced later) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1973383 + NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=66ae37d8cc313f89272e711174a846a229bcdbd3 CVE-2021-3607 [pvrdma: unchecked malloc size due to integer overflow in init_dev_ring()] RESERVED - qemu 1:5.2+dfsg-11 (bug #990564) @@ -22071,7 +29465,7 @@ CVE-2021-3606 (OpenVPN before version 2.5.3 on Windows allows local users to loa CVE-2021-34826 RESERVED CVE-2021-34825 (Quassel through 0.13.1, when --require-ssl is enabled, launches withou ...) - - quassel <unfixed> (bug #990567) + - quassel 1:0.14.0-1 (bug #990567) [bullseye] - quassel <no-dsa> (Minor issue) [buster] - quassel <no-dsa> (Minor issue) [stretch] - quassel <no-dsa> (Minor issue) @@ -22102,7 +29496,7 @@ CVE-2021-34814 (Proofpoint Spam Engine before 8.12.0-2106240000 has a Security C NOT-FOR-US: Proofpoint CVE-2021-34813 (Matrix libolm before 3.2.3 allows a malicious Matrix homeserver to cra ...) [experimental] - olm 3.2.3~dfsg-1 - - olm <unfixed> (bug #989997) + - olm 3.2.3~dfsg-3 (bug #989997) [bullseye] - olm <no-dsa> (Minor issue) [buster] - olm <no-dsa> (Minor issue) NOTE: https://gitlab.matrix.org/matrix-org/olm/-/commit/ccc0d122ee1b4d5e5ca4ec1432086be17d5f901b @@ -22122,8 +29516,8 @@ CVE-2021-34807 (An open redirect vulnerability exists in the /preauth Servlet in NOT-FOR-US: Zimbra CVE-2021-34806 RESERVED -CVE-2021-34805 - RESERVED +CVE-2021-34805 (An issue was discovered in FAUST iServer before 9.0.019.019.7. For eac ...) + NOT-FOR-US: FAUST iServer CVE-2021-34804 RESERVED CVE-2021-34803 (TeamViewer before 14.7.48644 on Windows loads untrusted DLLs in certai ...) @@ -22132,8 +29526,8 @@ CVE-2021-34802 (A failure in resetting the security context in some transaction NOT-FOR-US: Neo4j CVE-2021-34801 (Valine 1.4.14 allows remote attackers to cause a denial of service (ap ...) NOT-FOR-US: Valine -CVE-2021-34800 - RESERVED +CVE-2021-34800 (Sensitive information could be logged. The following products are affe ...) + NOT-FOR-US: Acronis CVE-2021-34799 RESERVED CVE-2021-34798 (Malformed requests may cause the server to dereference a NULL pointer. ...) @@ -22143,8 +29537,8 @@ CVE-2021-34798 (Malformed requests may cause the server to dereference a NULL po NOTE: https://github.com/apache/httpd/commit/fa7b2a5250e54363b3a6c8ac3aaa7de4e8da9b2e (candidate-2.4.49-rc1) CVE-2021-3604 (Secure 8 (Evalos) does not validate user input data correctly, allowin ...) NOT-FOR-US: Secure 8 (Evalos) -CVE-2021-34797 - RESERVED +CVE-2021-34797 (Apache Geode versions up to 1.12.4 and 1.13.4 are vulnerable to a log ...) + NOT-FOR-US: Apache Geode CVE-2021-34796 RESERVED CVE-2021-34795 (Multiple vulnerabilities in the web-based management interface of the ...) @@ -22329,8 +29723,8 @@ CVE-2021-34706 (A vulnerability in the web-based management interface of Cisco I NOT-FOR-US: Cisco CVE-2021-34705 (A vulnerability in the Voice Telephony Service Provider (VTSP) service ...) NOT-FOR-US: Cisco -CVE-2021-34704 - RESERVED +CVE-2021-34704 (A vulnerability in the web services interface of Cisco Adaptive Securi ...) + NOT-FOR-US: Cisco CVE-2021-34703 (A vulnerability in the Link Layer Discovery Protocol (LLDP) message pa ...) NOT-FOR-US: Cisco CVE-2021-34702 (A vulnerability in the web-based management interface of Cisco Identit ...) @@ -22594,10 +29988,10 @@ CVE-2021-34602 RESERVED CVE-2021-34601 RESERVED -CVE-2021-34600 - RESERVED -CVE-2021-34599 - RESERVED +CVE-2021-34600 (Telenot CompasX versions prior to 32.0 use a weak seed for random numb ...) + NOT-FOR-US: Telenot CompasX +CVE-2021-34599 (Affected versions of CODESYS Git in Versions prior to V1.1.0.0 lack ce ...) + NOT-FOR-US: CODESYS CVE-2021-34598 (In Phoenix Contact FL MGUARD 1102 and 1105 in Versions 1.4.0, 1.4.1 an ...) NOT-FOR-US: Phoenix CVE-2021-34597 (Improper Input Validation vulnerability in PC Worx Automation Suite of ...) @@ -22678,8 +30072,12 @@ CVE-2021-34560 (In PEPPERL+FUCHS WirelessHART-Gateway <= 3.0.9 a form contain NOT-FOR-US: PEPPERL+FUCHS WirelessHART-Gateway CVE-2021-34559 (In PEPPERL+FUCHS WirelessHART-Gateway <= 3.0.8 a vulnerability may ...) NOT-FOR-US: PEPPERL+FUCHS WirelessHART-Gateway -CVE-2021-3596 +CVE-2021-3596 [NULL pointer dereference in ReadSVGImage() in coders/svg.c] RESERVED + - imagemagick 8:6.9.11.57+dfsg-1 + NOTE: https://github.com/ImageMagick/ImageMagick/issues/2624 + NOTE: https://github.com/ImageMagick/ImageMagick/commit/43dfb1894761c4929d5d5c98dc80ba4e59a0d114 + NOTE: https://github.com/ImageMagick/ImageMagick6/commit/27f314e2e6eb44b661e65008ce1ce46b85a5628b CVE-2021-3595 (An invalid pointer initialization issue was found in the SLiRP network ...) {DLA-2753-1} - libslirp 4.6.1-1 (bug #989996) @@ -22776,10 +30174,10 @@ CVE-2021-34546 (An unauthenticated attacker with physical access to a computer w NOT-FOR-US: NetSetMan Pro CVE-2021-34545 RESERVED -CVE-2021-34544 - RESERVED -CVE-2021-34543 - RESERVED +CVE-2021-34544 (An issue was discovered in Solar-Log 500 before 2.8.2 Build 52 23.04.2 ...) + NOT-FOR-US: Solar-Log +CVE-2021-34543 (The web administration server in Solar-Log 500 before 2.8.2 Build 52 d ...) + NOT-FOR-US: Solar-Log CVE-2021-34542 RESERVED CVE-2021-34541 @@ -23019,6 +30417,7 @@ CVE-2021-34432 (In Eclipse Mosquitto versions 2.07 and earlier, the server will NOTE: https://bugs.eclipse.org/bugs/show_bug.cgi?id=574141 CVE-2021-34431 (In Eclipse Mosquitto version 1.6 to 2.0.10, if an authenticated client ...) - mosquitto 2.0.11-1 + [bullseye] - mosquitto <no-dsa> (Minor issue) [buster] - mosquitto <not-affected> (Vulnerable code introduced later) [stretch] - mosquitto <not-affected> (Vulnerable code introduced later) NOTE: https://mosquitto.org/blog/2021/06/version-2-0-11-released/ @@ -23042,10 +30441,10 @@ CVE-2021-34428 (For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11. NOTE: https://github.com/eclipse/jetty.project/commit/087f486b4461746b4ded45833887b3ccb136ee85 (jetty-9.4.x) CVE-2021-34427 (In Eclipse BIRT versions 4.8.0 and earlier, an attacker can use query ...) NOT-FOR-US: Eclipse BIRT -CVE-2021-34426 - RESERVED -CVE-2021-34425 - RESERVED +CVE-2021-34426 (A vulnerability was discovered in the Keybase Client for Windows befor ...) + NOT-FOR-US: Keybase Client for Windows +CVE-2021-34425 (The Zoom Client for Meetings before version 5.7.3 (for Android, iOS, L ...) + NOT-FOR-US: Zoom CVE-2021-34424 (A vulnerability was discovered in the Zoom Client for Meetings (for An ...) NOT-FOR-US: Zoom CVE-2021-34423 (A buffer overflow vulnerability was discovered in Zoom Client for Meet ...) @@ -23076,24 +30475,24 @@ CVE-2021-34411 (During the installation process forZoom Rooms for Conference Roo NOT-FOR-US: Zoom CVE-2021-34410 (A user-writable application bundle unpacked during the install for all ...) NOT-FOR-US: Zoom Plugin for Microsoft Outlook for Mac -CVE-2021-34409 (User-writable pre and post-install scripts unpacked during the Zoom Cl ...) +CVE-2021-34409 (It was discovered that the installation packages of the Zoom Client fo ...) NOT-FOR-US: Zoom Plugin for Microsoft Outlook for Mac CVE-2021-34408 (The Zoom Client for Meetings for Windows in all versions before versio ...) NOT-FOR-US: Zoom Client for Meetings for Windows CVE-2021-34407 REJECTED -CVE-2021-34406 - RESERVED -CVE-2021-34405 - RESERVED -CVE-2021-34404 - RESERVED -CVE-2021-34403 - RESERVED -CVE-2021-34402 - RESERVED -CVE-2021-34401 - RESERVED +CVE-2021-34406 (NVIDIA Tegra kernel driver contains a vulnerability in NVHost, where a ...) + NOT-FOR-US: NVIDIA +CVE-2021-34405 (NVIDIA Linux distributions contain a vulnerability in TrustZone’ ...) + NOT-FOR-US: NVIDIA +CVE-2021-34404 (Android images for T210 provided by NVIDIA contain a vulnerability in ...) + NOT-FOR-US: NVIDIA +CVE-2021-34403 (NVIDIA Linux distributions contain a vulnerability in nvmap ioctl, whi ...) + NOT-FOR-US: NVIDIA +CVE-2021-34402 (NVIDIA Tegra kernel driver contains a vulnerability in NVIDIA NVDEC, w ...) + NOT-FOR-US: NVIDIA +CVE-2021-34401 (NVIDIA Linux kernel distributions contain a vulnerability in nvmap NVG ...) + NOT-FOR-US: NVIDIA CVE-2021-34400 (NVIDIA GPU and Tegra hardware contain a vulnerability in the internal ...) NOT-FOR-US: NVIDIA CVE-2021-34399 (NVIDIA GPU and Tegra hardware contain a vulnerability in the internal ...) @@ -23241,17 +30640,25 @@ CVE-2021-34338 RESERVED - ming <removed> NOTE: https://github.com/libming/libming/issues/201 -CVE-2021-34337 +CVE-2021-34337 [password checking timing attack in administrative REST API] RESERVED + - mailman3 <unfixed> (bug #1004934) + [bullseye] - mailman3 <no-dsa> (Minor issue) + [buster] - mailman3 <no-dsa> (Minor issue; will be fixed via point release) + NOTE: Fixed by: https://gitlab.com/mailman/mailman/-/commit/e4a39488c4510fcad8851217f10e7337a196bb51 (3.3.5b1) CVE-2021-34336 RESERVED CVE-2021-34335 (Exiv2 is a command-line utility and C++ library for reading, writing, ...) - - exiv2 <unfixed> (bug #992707) + - exiv2 0.27.5-1 (bug #992707) + [bullseye] - exiv2 <ignored> (Minor issue) + [buster] - exiv2 <ignored> (Minor issue) [stretch] - exiv2 <no-dsa> (Minor issue) NOTE: https://github.com/Exiv2/exiv2/security/advisories/GHSA-pvjp-m4f6-q984 NOTE: https://github.com/Exiv2/exiv2/pull/1750 CVE-2021-34334 (Exiv2 is a command-line utility and C++ library for reading, writing, ...) - - exiv2 <unfixed> (bug #992706) + - exiv2 0.27.5-1 (bug #992706) + [bullseye] - exiv2 <ignored> (Minor issue) + [buster] - exiv2 <ignored> (Minor issue) [stretch] - exiv2 <no-dsa> (Minor issue) NOTE: https://github.com/Exiv2/exiv2/security/advisories/GHSA-hqjh-hpv8-8r9p NOTE: https://github.com/Exiv2/exiv2/pull/1766 @@ -23348,14 +30755,13 @@ CVE-2021-3585 RESERVED - tripleo-heat-templates <removed> NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1968247 -CVE-2021-3584 - RESERVED +CVE-2021-3584 (A server side remote code execution vulnerability was found in Foreman ...) - foreman <itp> (bug #663101) CVE-2021-3583 (A flaw was found in Ansible, where a user's controller is vulnerable t ...) - ansible <unfixed> [bullseye] - ansible <no-dsa> (Minor issue) [buster] - ansible <no-dsa> (Minor issue) - - ansible-base <unfixed> + - ansible-base <removed> NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1968412 NOTE: https://github.com/ansible/ansible/commit/4c8c40fd3d4a58defdc80e7d22aa8d26b731353e.patch CVE-2021-34290 @@ -23468,8 +30874,8 @@ CVE-2021-34237 RESERVED CVE-2021-34236 RESERVED -CVE-2021-34235 - RESERVED +CVE-2021-34235 (Tokheim Profleet DiaLOG 11.005.02 is affected by SQL Injection. The co ...) + NOT-FOR-US: Tokheim Profleet DiaLOG CVE-2021-34234 RESERVED CVE-2021-34233 @@ -23572,9 +30978,8 @@ CVE-2021-34185 (Miniaudio 0.10.35 has an integer-based buffer overflow caused by NOT-FOR-US: Miniaudio CVE-2021-34184 (Miniaudio 0.10.35 has a Double free vulnerability that could cause a b ...) NOT-FOR-US: Miniaudio -CVE-2021-34183 (ImageMagick 7.0.11-14 has a memory leak in AcquireSemaphoreMemory in s ...) - - imagemagick <unfixed> (unimportant) - NOTE: https://github.com/ImageMagick/ImageMagick/issues/3767 +CVE-2021-34183 + REJECTED CVE-2021-34182 RESERVED CVE-2021-34181 @@ -23657,8 +31062,11 @@ CVE-2021-34143 (The Bluetooth Classic implementation in the Zhuhai Jieli AC6366C NOT-FOR-US: Zhuhai Jieli CVE-2021-34142 RESERVED -CVE-2021-34141 - RESERVED +CVE-2021-34141 (An incomplete string comparison in the numpy.core component in NumPy b ...) + - numpy <unfixed> + [bullseye] - numpy <no-dsa> (Minor issue) + NOTE: https://github.com/numpy/numpy/issues/18993 + NOTE: https://github.com/numpy/numpy/commit/eeef9d4646103c3b1afd3085f1393f2b3f9575b2 (v1.23.0.dev0) CVE-2021-34140 RESERVED CVE-2021-34139 @@ -23765,10 +31173,10 @@ CVE-2021-34089 RESERVED CVE-2021-34088 RESERVED -CVE-2021-34087 - RESERVED -CVE-2021-34086 - RESERVED +CVE-2021-34087 (In Ultimaker S3 3D printer, Ultimaker S5 3D printer, Ultimaker 3 3D pr ...) + NOT-FOR-US: Ultimaker +CVE-2021-34086 (In Ultimaker S3 3D printer, Ultimaker S5 3D printer, Ultimaker 3 3D pr ...) + NOT-FOR-US: Ultimaker CVE-2021-34085 RESERVED CVE-2021-34084 @@ -23793,8 +31201,8 @@ CVE-2021-34075 (In Artica Pandora FMS <=754 in the File Manager component, th NOT-FOR-US: Artica Pandora FMS CVE-2021-34074 (PandoraFMS <=7.54 allows arbitrary file upload, it leading to remot ...) NOT-FOR-US: PandoraFMS -CVE-2021-34073 - RESERVED +CVE-2021-34073 (A Cross Site Scripting (XSS) vulnerabilty exists in Sourcecodester Gad ...) + NOT-FOR-US: Sourcecodester CVE-2021-34072 RESERVED CVE-2021-34071 (Heap based buffer overflow in tsMuxer 2.6.16 allows attackers to cause ...) @@ -24007,16 +31415,19 @@ CVE-2021-33968 RESERVED CVE-2021-33967 RESERVED -CVE-2021-33966 - RESERVED -CVE-2021-33965 - RESERVED -CVE-2021-33964 - RESERVED -CVE-2021-33963 - RESERVED -CVE-2021-33962 - RESERVED +CVE-2021-33966 (Cross site scripting (XSS) vulnerability in spotweb 1.4.9, allows auth ...) + - spotweb <removed> + [buster] - spotweb <no-dsa> (Minor issue) + [stretch] - spotweb <postponed> (Minor issue; possible reflected XSS with unconclusive PoC "proof") + NOTE: https://packetstormsecurity.com/files/162731/Spotweb-Develop-1.4.9-Cross-Site-Scripting.html +CVE-2021-33965 (China Mobile An Lianbao WF-1 V1.0.1 router provides a web interface /a ...) + NOT-FOR-US: China Mobile An Lianbao WF-1 router +CVE-2021-33964 (China Mobile An Lianbao WF-1 V1.0.1 router provides a web interface /a ...) + NOT-FOR-US: China Mobile An Lianbao WF-1 router +CVE-2021-33963 (China Mobile An Lianbao WF-1 v1.0.1 router web interface through /api/ ...) + NOT-FOR-US: China Mobile An Lianbao WF-1 router web interface +CVE-2021-33962 (China Mobile An Lianbao WF-1 router v1.0.1 is affected by an OS comman ...) + NOT-FOR-US: China Mobile An Lianbao WF-1 router CVE-2021-33961 RESERVED CVE-2021-33960 @@ -24049,8 +31460,8 @@ CVE-2021-33947 RESERVED CVE-2021-33946 RESERVED -CVE-2021-33945 - RESERVED +CVE-2021-33945 (RICOH Printer series SP products 320DN, SP 325DNw, SP 320SN, SP 320SFN ...) + NOT-FOR-US: RICOH CVE-2021-33944 RESERVED CVE-2021-33943 @@ -24129,10 +31540,22 @@ CVE-2021-33915 RESERVED CVE-2021-33914 RESERVED -CVE-2021-33913 - RESERVED -CVE-2021-33912 - RESERVED +CVE-2021-33913 (libspf2 before 1.2.11 has a heap-based buffer overflow that might allo ...) + {DLA-2890-1} + - libspf2 1.2.10-7.1 + [bullseye] - libspf2 1.2.10-7.1~deb11u1 + [buster] - libspf2 1.2.10-7.1~deb10u1 + NOTE: https://nathanielbennett.com/blog/libspf2-cve-jan-2022-disclosure + NOTE: https://github.com/shevek/libspf2/pull/35 + NOTE: https://github.com/shevek/libspf2/commit/f06fef6cede4c4cb42f2c617496e6041782d7070 +CVE-2021-33912 (libspf2 before 1.2.11 has a four-byte heap-based buffer overflow that ...) + {DLA-2890-1} + - libspf2 1.2.10-7.1 + [bullseye] - libspf2 1.2.10-7.1~deb11u1 + [buster] - libspf2 1.2.10-7.1~deb10u1 + NOTE: https://nathanielbennett.com/blog/libspf2-cve-jan-2022-disclosure + NOTE: https://github.com/shevek/libspf2/pull/35 + NOTE: https://github.com/shevek/libspf2/commit/28faf4624a6a371b11afdb9820078d3b0ee3803d CVE-2021-33911 (Zoho ManageEngine ADManager Plus before 7110 allows remote code execut ...) NOT-FOR-US: Zoho CVE-2021-33910 (basic/unit-name.c in systemd prior to 246.15, 247.8, 248.5, and 249.1 ...) @@ -24320,9 +31743,9 @@ CVE-2021-33835 CVE-2021-33834 RESERVED CVE-2021-33833 (ConnMan (aka Connection Manager) 1.30 through 1.39 has a stack-based b ...) + {DLA-2915-1} - connman 1.36-2.2 (bug #989662) [buster] - connman 1.36-2.1~deb10u2 - [stretch] - connman <no-dsa> (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2021/06/09/1 NOTE: https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=eceb2e8d2341c041df55a5e2f047d9a8c491463c CVE-2021-33832 @@ -24337,10 +31760,10 @@ CVE-2021-33829 (A cross-site scripting (XSS) vulnerability in the HTML Data Proc [buster] - ckeditor <no-dsa> (Minor issue) NOTE: https://ckeditor.com/blog/ckeditor-4.16.1-with-accessibility-enhancements/#improvements-for-comments-in-html-parser NOTE: https://github.com/ckeditor/ckeditor4/commit/3e426ce34f7fc7bf784624358831ef9e189bb6ed -CVE-2021-33828 - RESERVED -CVE-2021-33827 - RESERVED +CVE-2021-33828 (The files_antivirus component before 1.0.0 for ownCloud mishandles the ...) + - owncloud <removed> +CVE-2021-33827 (The files_antivirus component before 1.0.0 for ownCloud allows OS Comm ...) + - owncloud <removed> CVE-2021-33826 RESERVED CVE-2021-33825 @@ -24398,8 +31821,7 @@ CVE-2021-33807 (Cartadis Gespage through 8.2.1 allows Directory Traversal in ges NOT-FOR-US: Cartadis Gespage CVE-2021-3579 (Incorrect Default Permissions vulnerability in the bdservicehost.exe a ...) NOT-FOR-US: Bitdefender -CVE-2021-3578 [possible remote code execution in isync/mbsync] - RESERVED +CVE-2021-3578 (A flaw was found in mbsync before v1.3.6 and v1.4.2, where an unchecke ...) - isync 1.3.0-2.2 (bug #989564) [buster] - isync 1.3.0-2.2~deb10u1 [stretch] - isync <no-dsa> (Minor issue) @@ -24816,20 +32238,25 @@ CVE-2021-33629 (isula-build before 0.9.5-6 can cause a program crash, when build NOT-FOR-US: isula-build CVE-2021-33628 RESERVED -CVE-2021-33627 - RESERVED -CVE-2021-33626 (In the kernel in Insyde InsydeH2O 5.x, certain SMM drivers did not cor ...) +CVE-2021-33627 (An issue was discovered in Insyde InsydeH2O 5.x, affecting FwBlockServ ...) + NOT-FOR-US: Insyde +CVE-2021-33626 (A vulnerability exists in SMM (System Management Mode) branch that reg ...) + NOT-FOR-US: Insyde +CVE-2021-33625 (An issue was discovered in Kernel 5.x in Insyde InsydeH2O, affecting H ...) NOT-FOR-US: Insyde -CVE-2021-33625 - RESERVED CVE-2021-33624 (In kernel/bpf/verifier.c in the Linux kernel before 5.12.13, a branch ...) {DLA-2785-1} - linux 5.10.46-1 [buster] - linux 4.19.208-1 NOTE: https://www.openwall.com/lists/oss-security/2021/06/21/1 CVE-2021-33623 (The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.j ...) - NOT-FOR-US: Node.js trim-newlines package + - node-trim-newlines 3.0.0+~3.0.0-1 + [bullseye] - node-trim-newlines <no-dsa> (Minor issue) + [buster] - node-trim-newlines <no-dsa> (Minor issue) + [stretch] - node-trim-newlines <end-of-life> (Nodejs in stretch not covered by security support) + NOTE: https://github.com/advisories/GHSA-7p7h-4mm5-852v CVE-2021-33622 (Sylabs Singularity 3.5.x and 3.6.x, and SingularityPRO before 3.5-8, h ...) + [experimental] - singularity-container 3.9.4+ds2-1 - singularity-container <unfixed> (bug #990201) NOTE: https://support.sylabs.io/support/solutions/articles/42000087130-3-5-8-security-release-cve-2021-33622- CVE-2021-33621 @@ -24973,6 +32400,7 @@ CVE-2021-33572 (A Denial-of-Service (DoS) vulnerability was discovered in F-Secu CVE-2021-33571 (In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, ...) {DLA-2676-1} - python-django 2:2.2.24-1 (bug #989394) + [buster] - python-django <no-dsa> (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2021/06/02/1 NOTE: https://github.com/django/django/commit/e1d787f1b36d13b95187f8f425425ae1b98da188 (main) NOTE: https://github.com/django/django/commit/f27c38ab5d90f68c9dd60cabef248a570c0be8fc (2.2.24) @@ -25157,10 +32585,10 @@ CVE-2021-33501 (Overwolf Client 0.169.0.22 allows XSS, with resultant Remote Cod NOT-FOR-US: Overwolf CVE-2021-33500 (PuTTY before 0.75 on Windows allows remote servers to cause a denial o ...) - putty <not-affected> (Windows-specific) -CVE-2021-33499 - RESERVED -CVE-2021-33498 - RESERVED +CVE-2021-33499 (Pexip Infinity before 26 allows remote denial of service because of mi ...) + NOT-FOR-US: Pexip Infinity +CVE-2021-33498 (Pexip Infinity before 26 allows remote denial of service because of mi ...) + NOT-FOR-US: Pexip Infinity CVE-2021-3563 RESERVED - keystone <unfixed> (bug #989998) @@ -25213,8 +32641,7 @@ CVE-2021-3561 (An Out of Bounds flaw was found fig2dev version 3.2.8a. A flawed NOTE: https://sourceforge.net/p/mcj/tickets/116/ NOTE: https://sourceforge.net/p/mcj/fig2dev/ci/6827c09d2d6491cb2ae3ac7196439ff3aa791fd9/ NOTE: Depends on CVE-2019-19797 fix -CVE-2021-3560 [local privilege escalation using polkit_system_bus_name_get_creds_sync()] - RESERVED +CVE-2021-3560 (It was found that polkit could be tricked into bypassing the credentia ...) - policykit-1 0.105-31 (bug #989429) [buster] - policykit-1 <not-affected> (Vulnerable code introduced later) [stretch] - policykit-1 <not-affected> (Vulnerable code introduced later) @@ -25317,8 +32744,12 @@ CVE-2021-33432 RESERVED CVE-2021-33431 RESERVED -CVE-2021-33430 - RESERVED +CVE-2021-33430 (** DISPUTED ** A Buffer Overflow vulnerability exists in NumPy 1.9.x i ...) + - numpy 1:1.21.4-2 + [bullseye] - numpy <no-dsa> (Minor issue) + NOTE: https://github.com/numpy/numpy/issues/18939 + NOTE: https://github.com/numpy/numpy/pull/18989 + NOTE: https://github.com/numpy/numpy/commit/16f7824b4d935b6aee98298ca4123d57174a6f2e (v1.22.0.dev0) CVE-2021-33429 RESERVED CVE-2021-33428 @@ -25676,26 +33107,26 @@ CVE-2021-33276 RESERVED CVE-2021-33275 RESERVED -CVE-2021-33274 - RESERVED +CVE-2021-33274 (D-Link DIR-809 devices with firmware through DIR-809Ax_FW1.12WWB03_201 ...) + NOT-FOR-US: D-Link CVE-2021-33273 RESERVED CVE-2021-33272 RESERVED -CVE-2021-33271 - RESERVED -CVE-2021-33270 - RESERVED -CVE-2021-33269 - RESERVED -CVE-2021-33268 - RESERVED -CVE-2021-33267 - RESERVED -CVE-2021-33266 - RESERVED -CVE-2021-33265 - RESERVED +CVE-2021-33271 (D-Link DIR-809 devices with firmware through DIR-809Ax_FW1.12WWB03_201 ...) + NOT-FOR-US: D-Link +CVE-2021-33270 (D-Link DIR-809 devices with firmware through DIR-809Ax_FW1.12WWB03_201 ...) + NOT-FOR-US: D-Link +CVE-2021-33269 (D-Link DIR-809 devices with firmware through DIR-809Ax_FW1.12WWB03_201 ...) + NOT-FOR-US: D-Link +CVE-2021-33268 (D-Link DIR-809 devices with firmware through DIR-809Ax_FW1.12WWB03_201 ...) + NOT-FOR-US: D-Link +CVE-2021-33267 (D-Link DIR-809 devices with firmware through DIR-809Ax_FW1.12WWB03_201 ...) + NOT-FOR-US: D-Link +CVE-2021-33266 (D-Link DIR-809 devices with firmware through DIR-809Ax_FW1.12WWB03_201 ...) + NOT-FOR-US: D-Link +CVE-2021-33265 (D-Link DIR-809 devices with firmware through DIR-809Ax_FW1.12WWB03_201 ...) + NOT-FOR-US: D-Link CVE-2021-33264 RESERVED CVE-2021-33263 @@ -25823,8 +33254,7 @@ CVE-2021-3559 (A flaw was found in libvirt in the virConnectListAllNodeDevices A CVE-2021-3558 RESERVED - moodle <removed> -CVE-2021-3557 - RESERVED +CVE-2021-3557 (A flaw was found in argocd. Any unprivileged user is able to deploy ar ...) NOT-FOR-US: Argo CD CVE-2021-3556 REJECTED @@ -25836,6 +33266,7 @@ CVE-2021-33204 (In the pg_partman (aka PG Partition Manager) extension before 4. CVE-2021-33203 (Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a ...) {DLA-2676-1} - python-django 2:2.2.24-1 (bug #989394) + [buster] - python-django <no-dsa> (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2021/06/02/1 NOTE: https://github.com/django/django/commit/46572de2e92fdeaf047f80c44d52269e54ad68db (main) NOTE: https://github.com/django/django/commit/053cc9534d174dc89daba36724ed2dcb36755b90 (2.2.24) @@ -25875,14 +33306,13 @@ CVE-2021-33197 (In Go before 1.15.13 and 1.16.x before 1.16.5, some configuratio NOTE: https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI NOTE: https://github.com/golang/go/commit/cbd1ca84453fecf3825a6bb9f985823e8bc32b76 (1.15) CVE-2021-33196 (In archive/zip in Go before 1.15.13 and 1.16.x before 1.16.5, a crafte ...) + {DLA-2892-1 DLA-2891-1} - golang-1.16 1.16.5-1 (bug #989492) - golang-1.15 1.15.9-4 - golang-1.11 <removed> [buster] - golang-1.11 <no-dsa> (Minor issue) - golang-1.8 <removed> - [stretch] - golang-1.8 <postponed> (Minor issue, OOM, requires rebuilding reverse-dependencies) - golang-1.7 <removed> - [stretch] - golang-1.7 <postponed> (Minor issue, OOM, requires rebuilding reverse-dependencies) NOTE: https://github.com/golang/go/issues/46242 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33912 NOTE: https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI @@ -25891,6 +33321,7 @@ CVE-2021-33196 (In archive/zip in Go before 1.15.13 and 1.16.x before 1.16.5, a CVE-2021-33195 (Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS looku ...) - golang-1.16 1.16.5-1 - golang-1.15 1.15.9-5 + [bullseye] - golang-1.15 <no-dsa> (Minor issue; will be fixed via point release) - golang-1.11 <removed> [buster] - golang-1.11 <no-dsa> (Minor issue) - golang-1.8 <removed> @@ -25970,8 +33401,11 @@ CVE-2021-33180 (Improper neutralization of special elements used in an SQL comma NOT-FOR-US: Synology CVE-2021-33179 (The general user interface in Nagios XI versions prior to 5.8.4 is vul ...) NOT-FOR-US: Nagios XI -CVE-2021-33178 (The Manage Backgrounds functionality within Nagvis versions prior to 2 ...) - - nagvis <undetermined> +CVE-2021-33178 (The Manage Backgrounds functionality within NagVis versions prior to 1 ...) + - nagvis 1:1.9.29-1 + [bullseye] - nagvis <no-dsa> (Minor issue) + [buster] - nagvis <no-dsa> (Minor issue) + [stretch] - nagvis <no-dsa> (Minor issue) TODO: check, affects nagvis plugin used in Nagios XI and should be fixed in 2.0.9, https://www.synopsys.com/blogs/software-security/cyrc-advisory-nagios-xi/ CVE-2021-33177 (The Bulk Modifications functionality in Nagios XI versions prior to 5. ...) NOT-FOR-US: Nagios XI @@ -25995,8 +33429,8 @@ CVE-2021-33168 RESERVED CVE-2021-33167 RESERVED -CVE-2021-33166 - RESERVED +CVE-2021-33166 (Incorrect default permissions for the Intel(R) RXT for Chromebook appl ...) + NOT-FOR-US: Intel CVE-2021-33165 RESERVED CVE-2021-33164 @@ -26017,8 +33451,10 @@ CVE-2021-33157 RESERVED CVE-2021-33156 RESERVED -CVE-2021-33155 - RESERVED +CVE-2021-33155 (Improper input validation in firmware for some Intel(R) Wireless Bluet ...) + - firmware-nonfree <undetermined> + NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00604.html + TODO: check in which firmware versions fixed CVE-2021-33154 RESERVED CVE-2021-33153 @@ -26033,8 +33469,8 @@ CVE-2021-33149 RESERVED CVE-2021-33148 RESERVED -CVE-2021-33147 - RESERVED +CVE-2021-33147 (Improper conditions check in the Intel(R) IPP Crypto library before ve ...) + NOT-FOR-US: Intel CVE-2021-33146 RESERVED CVE-2021-33145 @@ -26049,12 +33485,14 @@ CVE-2021-33141 RESERVED CVE-2021-33140 RESERVED -CVE-2021-33139 - RESERVED +CVE-2021-33139 (Improper conditions check in firmware for some Intel(R) Wireless Bluet ...) + - firmware-nonfree <undetermined> + NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00604.html + TODO: check in which firmware versions fixed CVE-2021-33138 RESERVED -CVE-2021-33137 - RESERVED +CVE-2021-33137 (Out-of-bounds write in the Intel(R) Kernelflinger project may allow an ...) + NOT-FOR-US: Intel CVE-2021-33136 RESERVED CVE-2021-33135 @@ -26069,8 +33507,8 @@ CVE-2021-33131 RESERVED CVE-2021-33130 RESERVED -CVE-2021-33129 - RESERVED +CVE-2021-33129 (Incorrect default permissions in the software installer for the Intel( ...) + NOT-FOR-US: Intel CVE-2021-33128 RESERVED CVE-2021-33127 @@ -26087,38 +33525,40 @@ CVE-2021-33122 RESERVED CVE-2021-33121 RESERVED -CVE-2021-33120 - RESERVED -CVE-2021-33119 - RESERVED +CVE-2021-33120 (Out of bounds read under complex microarchitectural condition in memor ...) + - intel-microcode <unfixed> + [bullseye] - intel-microcode <postponed> (Wait until exposed in unstable; tendency to point release) + [buster] - intel-microcode <postponed> (Wait until exposed in unstable; tendency point release) + NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00589.html +CVE-2021-33119 (Improper access control in the Intel(R) RealSense(TM) DCM before versi ...) + NOT-FOR-US: Intel CVE-2021-33118 (Improper access control in the software installer for the Intel(R) Ser ...) NOT-FOR-US: Intel CVE-2021-33117 RESERVED CVE-2021-33116 RESERVED -CVE-2021-33115 - RESERVED -CVE-2021-33114 - RESERVED -CVE-2021-33113 - RESERVED +CVE-2021-33115 (Improper input validation for some Intel(R) PROSet/Wireless WiFi in UE ...) + NOT-FOR-US: Intel +CVE-2021-33114 (Improper input validation for some Intel(R) PROSet/Wireless WiFi in mu ...) + NOT-FOR-US: Intel +CVE-2021-33113 (Improper input validation for some Intel(R) PROSet/Wireless WiFi in mu ...) + NOT-FOR-US: Intel CVE-2021-33112 RESERVED CVE-2021-33111 RESERVED -CVE-2021-33110 - RESERVED +CVE-2021-33110 (Improper input validation for some Intel(R) Wireless Bluetooth(R) prod ...) + NOT-FOR-US: Intel CVE-2021-33109 RESERVED CVE-2021-33108 RESERVED -CVE-2021-33107 - RESERVED +CVE-2021-33107 (Insufficiently protected credentials in USB provisioning for Intel(R) ...) + NOT-FOR-US: Intel CVE-2021-33106 (Integer overflow in the Safestring library maintained by Intel(R) may ...) NOT-FOR-US: Intel -CVE-2021-33105 - RESERVED +CVE-2021-33105 (Out-of-bounds read in some Intel(R) Core(TM) processors with Radeon(TM ...) NOT-FOR-US: Intel CVE-2021-33104 RESERVED @@ -26126,19 +33566,21 @@ CVE-2021-33103 RESERVED CVE-2021-33102 RESERVED -CVE-2021-33101 - RESERVED +CVE-2021-33101 (Uncontrolled search path in the Intel(R) GPA software before version 2 ...) + NOT-FOR-US: Intel CVE-2021-33100 RESERVED CVE-2021-33099 RESERVED CVE-2021-33098 (Improper input validation in the Intel(R) Ethernet ixgbe driver for Li ...) + - linux 5.10.46-1 + [buster] - linux 4.19.194-1 + NOTE: https://git.kernel.org/linus/63e39d29b3da02e901349f6cd71159818a4737a6 (5.13-rc4) NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00555.html - TODO: check, might affect src:linux CVE-2021-33097 (Time-of-check time-of-use vulnerability in the Crypto API Toolkit for ...) NOT-FOR-US: Intel -CVE-2021-33096 - RESERVED +CVE-2021-33096 (Improper isolation of shared resources in network on chip for the Inte ...) + NOT-FOR-US: Intel CVE-2021-33095 (Unquoted search path in the installer for the Intel(R) NUC M15 Laptop ...) NOT-FOR-US: Intel CVE-2021-33094 (Insecure inherited permissions in the installer for the Intel(R) NUC M ...) @@ -26193,8 +33635,8 @@ CVE-2021-33070 RESERVED CVE-2021-33069 RESERVED -CVE-2021-33068 - RESERVED +CVE-2021-33068 (Null pointer dereference in subsystem for Intel(R) AMT before versions ...) + NOT-FOR-US: Intel CVE-2021-33067 RESERVED CVE-2021-33066 @@ -26207,8 +33649,9 @@ CVE-2021-33063 (Uncontrolled search path in the Intel(R) RealSense(TM) D400 Seri NOT-FOR-US: Intel CVE-2021-33062 (Incorrect default permissions in the software installer for the Intel( ...) NOT-FOR-US: Intel -CVE-2021-33061 - RESERVED +CVE-2021-33061 (Insufficient control flow management for the Intel(R) 82599 Ethernet C ...) + NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00571.html + TODO: check, might affect the src:linux ixgbe driver CVE-2021-33060 RESERVED CVE-2021-33059 (Improper input validation in the Intel(R) Administrative Tools for Int ...) @@ -26222,7 +33665,7 @@ CVE-2021-33056 (Belledonne Belle-sip before 4.5.20, as used in Linphone and othe CVE-2021-33055 (Zoho ManageEngine ADSelfService Plus through 6102 allows unauthenticat ...) NOT-FOR-US: Zoho ManageEngine CVE-2021-33054 (SOGo 2.x before 2.4.1 and 3.x through 5.x before 5.1.1 does not valida ...) - {DLA-2707-1} + {DSA-5029-1 DLA-2707-1} - sogo 5.1.1-1 (bug #989479) NOTE: https://www.sogo.nu/news/2021/saml-vulnerability.html NOTE: https://blogs.akamai.com/2021/06/saml-implementation-vulnerability-impacting-some-akamai-services.html @@ -26245,8 +33688,8 @@ CVE-2021-33048 RESERVED CVE-2021-33047 RESERVED -CVE-2021-33046 - RESERVED +CVE-2021-33046 (Some Dahua products have access control vulnerability in the password ...) + NOT-FOR-US: Dahua CVE-2021-33045 (The identity authentication bypass vulnerability found in some Dahua p ...) NOT-FOR-US: Dahua CVE-2021-33044 (The identity authentication bypass vulnerability found in some Dahua p ...) @@ -26263,8 +33706,8 @@ CVE-2021-33042 RESERVED CVE-2021-33041 (vmd through 1.34.0 allows 'div class="markdown-body"' XSS, as demonstr ...) NOT-FOR-US: vmd -CVE-2021-33040 - RESERVED +CVE-2021-33040 (managers/views/iframe.js in FuturePress EPub.js before 0.3.89 allows X ...) + NOT-FOR-US: FuturePress EPub.js CVE-2021-33039 RESERVED CVE-2021-33038 (An issue was discovered in management/commands/hyperkitty_import.py in ...) @@ -26331,8 +33774,8 @@ CVE-2021-33019 (A stack-based buffer overflow vulnerability in Delta Electronics NOT-FOR-US: Delta Electronics CVE-2021-33018 RESERVED -CVE-2021-33017 - RESERVED +CVE-2021-33017 (The standard access path of the IntelliBridge EC 40 and 60 Hub (C.00.0 ...) + NOT-FOR-US: Philips CVE-2021-33016 RESERVED CVE-2021-33015 (Cscape (All Versions prior to 9.90 SP5) lacks proper validation of use ...) @@ -26369,18 +33812,18 @@ CVE-2021-33000 (Parsing a maliciously crafted project file may cause a heap-base NOT-FOR-US: WebAccess HMI Designer CVE-2021-32999 (Improper handling of exceptional conditions in SuiteLink server while ...) NOT-FOR-US: Suitelink -CVE-2021-32998 - RESERVED +CVE-2021-32998 (The FANUC R-30iA and R-30iB series controllers are vulnerable to an ou ...) + NOT-FOR-US: FANUC CVE-2021-32997 RESERVED -CVE-2021-32996 - RESERVED +CVE-2021-32996 (The FANUC R-30iA and R-30iB series controllers are vulnerable to integ ...) + NOT-FOR-US: FANUC CVE-2021-32995 (Cscape (All Versions prior to 9.90 SP5) lacks proper validation of use ...) NOT-FOR-US: Cscape CVE-2021-32994 RESERVED -CVE-2021-32993 - RESERVED +CVE-2021-32993 (IntelliBridge EC 40 and 60 Hub (C.00.04 and prior) contains hard-coded ...) + NOT-FOR-US: Philips CVE-2021-32992 (FATEK Automation WinProladder Versions 3.30 and prior do not properly ...) NOT-FOR-US: FATEK Automation WinProladder CVE-2021-32991 (Delta Electronics DIAEnergie Version 1.7.5 and prior is vulnerable to ...) @@ -26515,8 +33958,7 @@ CVE-2021-32927 RESERVED CVE-2021-32926 (When an authenticated password change request takes place, this vulner ...) NOT-FOR-US: Rockwell Automation -CVE-2021-3551 - RESERVED +CVE-2021-3551 (A flaw was found in the PKI-server, where the spkispawn command, when ...) - dogtag-pki 10.10.6-1 (bug #991665) [bullseye] - dogtag-pki <no-dsa> (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1959971 @@ -26710,8 +34152,8 @@ CVE-2021-32851 RESERVED CVE-2021-32850 RESERVED -CVE-2021-32849 - RESERVED +CVE-2021-32849 (Gerapy is a distributed crawler management framework. Prior to version ...) + NOT-FOR-US: Gerapy CVE-2021-32848 RESERVED CVE-2021-32847 @@ -26724,14 +34166,25 @@ CVE-2021-32844 RESERVED CVE-2021-32843 RESERVED -CVE-2021-32842 - RESERVED -CVE-2021-32841 - RESERVED -CVE-2021-32840 - RESERVED +CVE-2021-32842 (SharpZipLib (or #ziplib) is a Zip, GZip, Tar and BZip2 library. Starti ...) + - mono <not-affected> (Vulnerable code not yet uploaded) + NOTE: https://securitylab.github.com/advisories/GHSL-2021-125-sharpziplib/ + NOTE: https://github.com/icsharpcode/SharpZipLib/commit/5c3b293de5d65b108e7f2cd0ea8f81c1b8273f78 (v1.3.3) + NOTE: Introduced by https://github.com/icsharpcode/SharpZipLib/commit/0cbdef20f1d5654ab5b93a6ce1ff8a917d3b905b +CVE-2021-32841 (SharpZipLib (or #ziplib) is a Zip, GZip, Tar and BZip2 library. Starti ...) + - mono <not-affected> (Vulnerable code not yet uploaded) + NOTE: https://securitylab.github.com/advisories/GHSL-2021-125-sharpziplib/ + NOTE: https://github.com/icsharpcode/SharpZipLib/commit/5c3b293de5d65b108e7f2cd0ea8f81c1b8273f78 (v1.3.3) + NOTE: Introduced by https://github.com/icsharpcode/SharpZipLib/commit/0cbdef20f1d5654ab5b93a6ce1ff8a917d3b905b +CVE-2021-32840 (SharpZipLib (or #ziplib) is a Zip, GZip, Tar and BZip2 library. Prior ...) + - mono <not-affected> (Vulnerable code not yet uploaded) + NOTE: https://securitylab.github.com/advisories/GHSL-2021-125-sharpziplib/ + NOTE: https://github.com/icsharpcode/SharpZipLib/commit/5c3b293de5d65b108e7f2cd0ea8f81c1b8273f78 (v1.3.3) + NOTE: CVE refers to the commit for the test case: + NOTE: https://github.com/icsharpcode/SharpZipLib/commit/a0e96de70b5264f4c919b09253b1522bc7a221cc + NOTE: Introduced by https://github.com/icsharpcode/SharpZipLib/commit/0cbdef20f1d5654ab5b93a6ce1ff8a917d3b905b CVE-2021-32839 (sqlparse is a non-validating SQL parser module for Python. In sqlparse ...) - - sqlparse <unfixed> (bug #994841) + - sqlparse 0.4.2-1 (bug #994841) [bullseye] - sqlparse <no-dsa> (Minor issue) [buster] - sqlparse <not-affected> (Vulnerable code introduced later) [stretch] - sqlparse <not-affected> (Vulnerable code introduced later) @@ -26791,7 +34244,9 @@ CVE-2021-32817 (express-hbs is an Express handlebars template engine. express-hb CVE-2021-32816 (ProtonMail Web Client is the official AngularJS web client for the Pro ...) NOT-FOR-US: ProtonMail Web Client CVE-2021-32815 (Exiv2 is a command-line utility and C++ library for reading, writing, ...) - - exiv2 <unfixed> (bug #992705) + - exiv2 0.27.5-1 (bug #992705) + [bullseye] - exiv2 <ignored> (Minor issue) + [buster] - exiv2 <ignored> (Minor issue) [stretch] - exiv2 <no-dsa> (Minor issue) NOTE: https://github.com/Exiv2/exiv2/security/advisories/GHSA-mv9g-fxh2-m49m NOTE: https://github.com/Exiv2/exiv2/pull/1739 @@ -26836,7 +34291,9 @@ CVE-2021-32807 (The module `AccessControl` defines security policies for Python CVE-2021-32806 (Products.isurlinportal is a replacement for isURLInPortal method in Pl ...) NOT-FOR-US: Plone CVE-2021-32805 (Flask-AppBuilder is an application development framework, built on top ...) - NOT-FOR-US: Flask-AppBuilder + - flask-appbuilder <itp> (bug #998029) + NOTE: https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-624f-cqvr-3qw4 + NOTE: https://github.com/dpgaspar/Flask-AppBuilder/commit/6af28521589599b1dbafd6313256229ee9a4fa74 (v3.3.2) CVE-2021-32804 (The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4 ...) - node-tar 6.1.7+~cs11.3.10-1 (bug #992111) [bullseye] - node-tar 6.0.5+ds1+~cs11.3.9-1+deb11u1 @@ -27035,6 +34492,8 @@ CVE-2021-32743 (Icinga is a monitoring system which checks the availability of n {DLA-2816-1} [experimental] - icinga2 2.12.5-1~exp1 - icinga2 2.12.5-1 (bug #991494) + [bullseye] - icinga2 <no-dsa> (Minor issue) + [buster] - icinga2 <no-dsa> (Minor issue) NOTE: https://icinga.com/blog/2021/07/15/releasing-icinga-2-12-5-and-2-11-10/ NOTE: https://github.com/Icinga/icinga2/security/advisories/GHSA-wrpw-pmr8-qgj7 NOTE: https://github.com/Icinga/icinga2/commit/843353ab69f79b3abfeb38ac249b05e1944369ab (v2.12.5) @@ -27051,6 +34510,8 @@ CVE-2021-32739 (Icinga is a monitoring system which checks the availability of n {DLA-2816-1} [experimental] - icinga2 2.12.5-1~exp1 - icinga2 2.12.5-1 (bug #991494) + [bullseye] - icinga2 <no-dsa> (Minor issue) + [buster] - icinga2 <no-dsa> (Minor issue) NOTE: https://icinga.com/blog/2021/07/15/releasing-icinga-2-12-5-and-2-11-10/ NOTE: https://github.com/Icinga/icinga2/security/advisories/GHSA-98wp-jc6q-x5q5 NOTE: https://github.com/Icinga/icinga2/commit/b5b83fa51564662ff2e78d7529ff77e1085d4522 (v2.12.5) @@ -27066,8 +34527,8 @@ CVE-2021-32734 (Nextcloud Server is a Nextcloud package that handles data storag - nextcloud-server <itp> (bug #941708) CVE-2021-32733 (Nextcloud Text is a collaborative document editing application that us ...) NOT-FOR-US: Nextcloud Text -CVE-2021-32732 - RESERVED +CVE-2021-32732 (### Impact It's possible to know if a user has or not an account in a ...) + NOT-FOR-US: XWiki CVE-2021-32731 (XWiki Platform is a generic wiki platform offering runtime services fo ...) NOT-FOR-US: XWiki CVE-2021-32730 (XWiki Platform is a generic wiki platform offering runtime services fo ...) @@ -27096,19 +34557,24 @@ CVE-2021-32721 (PowerMux is a drop-in replacement for Go's http.ServeMux. In Pow CVE-2021-32720 (Sylius is an Open Source eCommerce platform on top of Symfony. In vers ...) NOT-FOR-US: Sylius CVE-2021-32719 (RabbitMQ is a multi-protocol messaging broker. In rabbitmq-server prio ...) - - rabbitmq-server <unfixed> (bug #990524) + - rabbitmq-server 3.9.4-1 (bug #990524) [bullseye] - rabbitmq-server <no-dsa> (Minor issue) [buster] - rabbitmq-server <no-dsa> (Minor issue) [stretch] - rabbitmq-server <not-affected> (Vulnerable code not present) NOTE: https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-5452-hxj4-773x NOTE: https://github.com/rabbitmq/rabbitmq-server/pull/3122 + NOTE: Fixed by: https://github.com/rabbitmq/rabbitmq-server/commit/f01f0f2d840b98128cdb7ff966d8234b06ef7c75 (master) + NOTE: Fixed by: https://github.com/rabbitmq/rabbitmq-server/commit/51df93b45fb05f935456f09b88e7554e0b36317f (v3.9.0-beta.1) + NOTE: Fixed by: https://github.com/rabbitmq/rabbitmq-server/commit/08beb82e9ab8923ded88ece2800cd80971e2bd05 (v3.8.18) CVE-2021-32718 (RabbitMQ is a multi-protocol messaging broker. In rabbitmq-server prio ...) - - rabbitmq-server <unfixed> (bug #990524) + - rabbitmq-server 3.9.4-1 (bug #990524) [bullseye] - rabbitmq-server <no-dsa> (Minor issue) [buster] - rabbitmq-server <no-dsa> (Minor issue) [stretch] - rabbitmq-server <not-affected> (Vulnerable code not present) NOTE: https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-c3hj-rg5h-2772 NOTE: https://github.com/rabbitmq/rabbitmq-server/pull/3028 + NOTE: Fixed by: https://github.com/rabbitmq/rabbitmq-server/commit/a8dffdf7de9793a76fc4685c89b968d8eddca4ca (v3.9.0-beta.1) + NOTE: Fixed by: https://github.com/rabbitmq/rabbitmq-server/commit/a7373585faeac0aaede5a9c245094d8022e81299 (v3.8.17-rc.1) CVE-2021-32717 (Shopware is an open source eCommerce platform. In versions prior to 6. ...) NOT-FOR-US: Shopware CVE-2021-32716 (Shopware is an open source eCommerce platform. In versions prior to 6. ...) @@ -27187,11 +34653,11 @@ CVE-2021-32686 (PJSIP is a free and open source multimedia communication library [stretch] - asterisk <not-affected> (Vulnerable code not present) - pjproject <removed> [stretch] - pjproject <no-dsa> (Minor issue; https://people.debian.org/~abhijith/upload/CVE-2021-32686.patch) + - ring <unfixed> NOTE: https://downloads.asterisk.org/pub/security/AST-2021-009.html NOTE: https://github.com/pjsip/pjproject/security/advisories/GHSA-cv8x-p47p-99wr NOTE: https://github.com/pjsip/pjproject/commit/d5f95aa066f878b0aef6a64e60b61e8626e664cd NOTE: https://github.com/pjsip/pjproject/pull/2716 - TODO: check, might affect in impact src:ring CVE-2021-32685 (tEnvoy contains the PGP, NaCl, and PBKDF2 in node.js and the browser ( ...) NOT-FOR-US: tEnvoy CVE-2021-32684 (magento-scripts contains scripts and configuration used by Create Mage ...) @@ -27269,10 +34735,10 @@ CVE-2021-32652 (Nextcloud Mail is a mail app for the Nextcloud platform. A missi - nextcloud-server <itp> (bug #941708) CVE-2021-32651 (OneDev is a development operations platform. If the LDAP external auth ...) NOT-FOR-US: OneDev -CVE-2021-32650 - RESERVED -CVE-2021-32649 - RESERVED +CVE-2021-32650 (October CMS is a self-hosted content management system (CMS) platform ...) + NOT-FOR-US: October CMS +CVE-2021-32649 (October CMS is a self-hosted content management system (CMS) platform ...) + NOT-FOR-US: October CMS CVE-2021-32648 (octobercms in a CMS platform based on the Laravel PHP Framework. In af ...) NOT-FOR-US: October CMS CVE-2021-32647 (Emissary is a P2P based data-driven workflow engine. Affected versions ...) @@ -27358,7 +34824,7 @@ CVE-2021-32619 (Deno is a runtime for JavaScript and TypeScript that uses V8 and CVE-2021-32618 (The Python "Flask-Security-Too" package is used for adding security fe ...) NOT-FOR-US: Flask-Security-Too CVE-2021-32617 (Exiv2 is a command-line utility and C++ library for reading, writing, ...) - - exiv2 <unfixed> (bug #988731) + - exiv2 0.27.5-1 (bug #988731) [bullseye] - exiv2 <no-dsa> (Minor issue) [buster] - exiv2 <no-dsa> (Minor issue) [stretch] - exiv2 <no-dsa> (Minor issue) @@ -27378,7 +34844,7 @@ CVE-2021-32614 (A flaw was found in dmg2img through 20170502. fill_mishblk() doe NOTE: https://github.com/Lekensteyn/dmg2img/issues/11 NOTE: Crash in CLI tool, no security impact CVE-2021-32613 (In radare2 through 5.3.0 there is a double free vulnerability in the p ...) - - radare2 <unfixed> (bug #989067) + - radare2 5.5.0+dfsg-1 (bug #989067) NOTE: https://github.com/radareorg/radare2/issues/18679 NOTE: https://github.com/radareorg/radare2/commit/049de62730f4954ef9a642f2eeebbca30a8eccdc CVE-2021-32612 (The VeryFitPro (com.veryfit2hr.second) application 3.2.8 for Android d ...) @@ -27432,10 +34898,10 @@ CVE-2021-32594 (An unrestricted file upload vulnerability in the web interface o NOT-FOR-US: FortiPortal CVE-2021-32593 RESERVED -CVE-2021-32592 - RESERVED -CVE-2021-32591 - RESERVED +CVE-2021-32592 (An unsafe search path vulnerability in FortiClientWindows 7.0.0, 6.4.6 ...) + NOT-FOR-US: FortiGuard +CVE-2021-32591 (A missing cryptographic steps vulnerability in the function that encry ...) + NOT-FOR-US: FortiGuard CVE-2021-32590 (Multiple improper neutralization of special elements used in an SQL co ...) NOT-FOR-US: FortiPortal CVE-2021-32589 @@ -27472,7 +34938,7 @@ CVE-2021-32606 (In the Linux kernel 5.11 through 5.12.2, isotp_setsockopt in net CVE-2021-3545 (An information disclosure vulnerability was found in the virtio vhost- ...) {DSA-4980-1} - qemu 1:6.1+dfsg-1 (bug #989042) - [buster] - qemu <no-dsa> (Minor issue) + [buster] - qemu <not-affected> (Only minimal support present and not installed in binary packages) [stretch] - qemu <not-affected> (The vulnerable code was introduced later) NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2021-05/msg01155.html NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2021-05/msg01153.html @@ -27480,7 +34946,7 @@ CVE-2021-3545 (An information disclosure vulnerability was found in the virtio v CVE-2021-3544 (Several memory leaks were found in the virtio vhost-user GPU device (v ...) {DSA-4980-1} - qemu 1:6.1+dfsg-1 (bug #989042) - [buster] - qemu <no-dsa> (Minor issue) + [buster] - qemu <not-affected> (Only minimal support present and not installed in binary packages) [stretch] - qemu <not-affected> (The vulnerable code was introduced later) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1958935 NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2021-05/msg01155.html @@ -27584,8 +35050,8 @@ CVE-2021-32547 (It was discovered that read_file() in apport/hookutils.py would NOT-FOR-US: Apport CVE-2021-32546 RESERVED -CVE-2021-32545 - RESERVED +CVE-2021-32545 (Pexip Infinity before 26 allows remote denial of service because of mi ...) + NOT-FOR-US: Pexip Infinity CVE-2021-32544 (Special characters of IGT search function in igt+ are not filtered in ...) NOT-FOR-US: igt+ CVE-2021-32543 (The CTS Web transaction system related to authentication management is ...) @@ -27676,12 +35142,12 @@ CVE-2021-32501 RESERVED CVE-2021-32500 RESERVED -CVE-2021-32499 - RESERVED -CVE-2021-32498 - RESERVED -CVE-2021-32497 - RESERVED +CVE-2021-32499 (SICK SOPAS ET before version 4.8.0 allows attackers to manipulate the ...) + NOT-FOR-US: SICK SOPAS ET +CVE-2021-32498 (SICK SOPAS ET before version 4.8.0 allows attackers to manipulate the ...) + NOT-FOR-US: SICK SOPAS ET +CVE-2021-32497 (SICK SOPAS ET before version 4.8.0 allows attackers to wrap any execut ...) + NOT-FOR-US: SICK SOPAS ET CVE-2021-32496 (SICK Visionary-S CX up version 5.21.2.29154R are vulnerable to an Inad ...) NOT-FOR-US: SICK Visionary-S CX CVE-2021-32495 @@ -27719,7 +35185,7 @@ CVE-2021-32563 (An issue was discovered in Thunar before 4.16.7 and 4.17.x befor CVE-2021-3546 (An out-of-bounds write vulnerability was found in the virtio vhost-use ...) {DSA-4980-1} - qemu 1:6.1+dfsg-1 (bug #989042) - [buster] - qemu <no-dsa> (Minor issue) + [buster] - qemu <not-affected> (Only minimal support present and not installed in binary packages) [stretch] - qemu <not-affected> (The vulnerable code was introduced later) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1958978 NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2021-05/msg01155.html @@ -27728,22 +35194,22 @@ CVE-2021-3546 (An out-of-bounds write vulnerability was found in the virtio vhos CVE-2021-3542 REJECTED CVE-2021-32493 (A flaw was found in djvulibre-3.5.28 and earlier. A heap buffer overfl ...) - {DLA-2667-1} + {DSA-5032-1 DLA-2667-1} - djvulibre 3.5.28-2 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1943424 NOTE: https://sourceforge.net/p/djvu/djvulibre-git/ci/cd8b5c97b27a5c1dc83046498b6ca49ad20aa9b6/ (chunk #3 / Patch12) CVE-2021-32492 (A flaw was found in djvulibre-3.5.28 and earlier. An out of bounds rea ...) - {DLA-2667-1} + {DSA-5032-1 DLA-2667-1} - djvulibre 3.5.28-2 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1943410 NOTE: https://sourceforge.net/p/djvu/djvulibre-git/ci/cd8b5c97b27a5c1dc83046498b6ca49ad20aa9b6/ (chunk #1 / Patch10) CVE-2021-32491 (A flaw was found in djvulibre-3.5.28 and earlier. An integer overflow ...) - {DLA-2667-1} + {DSA-5032-1 DLA-2667-1} - djvulibre 3.5.28-2 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1943409 NOTE: https://sourceforge.net/p/djvu/djvulibre-git/ci/cd8b5c97b27a5c1dc83046498b6ca49ad20aa9b6/ (chunk #5 / Patch9) CVE-2021-32490 (A flaw was found in djvulibre-3.5.28 and earlier. An out of bounds wri ...) - {DLA-2667-1} + {DSA-5032-1 DLA-2667-1} - djvulibre 3.5.28-2 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1943408 NOTE: https://sourceforge.net/p/djvu/djvulibre-git/ci/cd8b5c97b27a5c1dc83046498b6ca49ad20aa9b6/ (chunk #4 / Patch8) @@ -27775,12 +35241,12 @@ CVE-2021-32471 (Insufficient input validation in the Marvin Minsky 1967 implemen NOT-FOR-US: Marvin Minsky 1967 implementation of the Universal Turing Machine CVE-2021-32470 (Craft CMS before 3.6.13 has an XSS vulnerability. ...) NOT-FOR-US: Craft CMS -CVE-2021-32469 - RESERVED -CVE-2021-32468 - RESERVED -CVE-2021-32467 - RESERVED +CVE-2021-32469 (MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and ...) + NOT-FOR-US: Netgear +CVE-2021-32468 (MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and ...) + NOT-FOR-US: Netgear +CVE-2021-32467 (MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and ...) + NOT-FOR-US: Netgear CVE-2021-32466 (An uncontrolled search path element privilege escalation vulnerability ...) NOT-FOR-US: Trend Micro CVE-2021-32465 (An incorrect permission preservation vulnerability in Trend Micro Apex ...) @@ -28706,11 +36172,10 @@ CVE-2021-32068 (The AWV and MiCollab Client Service components in Mitel MiCollab CVE-2021-32067 (The MiCollab Client Service component in Mitel MiCollab before 9.3 cou ...) NOT-FOR-US: Mitel CVE-2021-32066 (An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, an ...) - {DLA-2780-1} + {DSA-5066-1 DLA-2780-1} - ruby2.7 2.7.4-1 (bug #990815) - ruby2.5 <removed> - ruby2.3 <removed> - [buster] - ruby2.3 <no-dsa> (Minor issue) - jruby <unfixed> [buster] - jruby <no-dsa> (Minor issue) [stretch] - jruby <no-dsa> (Minor issue) @@ -28747,7 +36212,7 @@ CVE-2021-3536 (A flaw was found in Wildfly in versions before 23.0.2.Final while CVE-2021-3535 (Rapid7 Nexpose is vulnerable to a non-persistent cross-site scripting ...) NOT-FOR-US: Rapid7 CVE-2021-32061 (S3Scanner before 2.0.2 allows Directory Traversal via a crafted bucket ...) - TODO: check + NOT-FOR-US: S3Scanner CVE-2021-32060 RESERVED CVE-2021-32059 @@ -28794,14 +36259,18 @@ CVE-2021-32041 RESERVED CVE-2021-32040 RESERVED -CVE-2021-32039 - RESERVED +CVE-2021-32039 (Users with appropriate file access may be able to access unencrypted u ...) + NOT-FOR-US: MongoDB VSCode Extension CVE-2021-32038 RESERVED CVE-2021-32037 (An authorized user may trigger an invariant which may result in denial ...) - TODO: check -CVE-2021-32036 - RESERVED + - mongodb <removed> + [stretch] - mongodb <end-of-life> (https://lists.debian.org/debian-lts/2020/11/msg00058.html) + NOTE: https://jira.mongodb.org/browse/SERVER-59071 +CVE-2021-32036 (An authenticated user without any specific authorizations may be able ...) + - mongodb <removed> + [stretch] - mongodb <end-of-life> (https://lists.debian.org/debian-lts/2020/11/msg00058.html) + NOTE: https://jira.mongodb.org/browse/SERVER-59294 CVE-2021-32035 RESERVED CVE-2021-32034 @@ -28846,19 +36315,19 @@ CVE-2021-32027 (A flaw was found in postgresql in versions before 13.3, before 1 NOTE: https://www.postgresql.org/about/news/postgresql-133-127-1112-1017-and-9622-released-2210/ NOTE: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=467395bfdf33f1ccf67ca388ffdcc927271544cb (REL_13_3) CVE-2021-3534 - RESERVED + REJECTED CVE-2021-3533 (A flaw was found in Ansible if an ansible user sets ANSIBLE_ASYNC_DIR ...) - ansible <unfixed> [bullseye] - ansible <postponed> (Minor issue, revisit when/if fixed upstream) [buster] - ansible <postponed> (Minor issue, revisit when/if fixed upstream) - - ansible-base <unfixed> + - ansible-base <removed> NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1956477 CVE-2021-32026 RESERVED CVE-2021-32025 RESERVED -CVE-2021-32024 - RESERVED +CVE-2021-32024 (A remote code execution vulnerability in the BMP image codec of BlackB ...) + NOT-FOR-US: BlackBerry CVE-2021-32023 (An elevation of privilege vulnerability in the message broker of Black ...) NOT-FOR-US: BlackBerry CVE-2021-32022 (A low privileged delete vulnerability using CEF RPC server of BlackBer ...) @@ -28887,7 +36356,7 @@ CVE-2021-3532 (A flaw was found in Ansible where the secret information present - ansible <unfixed> [bullseye] - ansible <postponed> (Minor issue, revisit when/if fixed upstream) [buster] - ansible <postponed> (Minor issue, revisit when/if fixed upstream) - - ansible-base <unfixed> + - ansible-base <removed> NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1956464 CVE-2021-3531 (A flaw was found in the Red Hat Ceph Storage RGW in versions before 14 ...) - ceph 14.2.21-1 (bug #988890) @@ -29061,8 +36530,8 @@ CVE-2021-31934 (OX App Suite 7.10.4 and earlier allows XSS via a crafted contact NOT-FOR-US: OX App Suite CVE-2021-31933 (A remote code execution vulnerability exists in Chamilo through 1.11.1 ...) NOT-FOR-US: Chamilo -CVE-2021-31932 - RESERVED +CVE-2021-31932 (Nokia BTS TRS web console FTM_W20_FP2_2019.08.16_0010 allows Authentic ...) + NOT-FOR-US: Nokia CVE-2021-31931 RESERVED CVE-2021-31930 (Persistent cross-site scripting (XSS) in the web interface of Concerto ...) @@ -29098,6 +36567,8 @@ CVE-2021-3527 (A flaw was found in the USB redirector device (usb-redir) of QEMU NOTE: Initial patchset: https://lists.nongnu.org/archive/html/qemu-devel/2021-05/msg00564.html NOTE: Revisited: https://lists.nongnu.org/archive/html/qemu-devel/2021-05/msg01372.html NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2021-05/msg01373.html + NOTE: https://gitlab.com/qemu-project/qemu/-/commit/7ec54f9eb62b5d177e30eb8b1cad795a5f8d8986 + NOTE: https://gitlab.com/qemu-project/qemu/-/commit/05a40b172e4d691371534828078be47e7fff524c CVE-2021-3526 REJECTED CVE-2021-3525 @@ -29304,16 +36775,16 @@ CVE-2021-31855 (KDE Messagelib through 5.17.0 reveals cleartext of encrypted mes [stretch] - kdepim4 <no-dsa> (Minor issue) NOTE: https://kde.org/info/security/advisory-20210429-1.txt NOTE: https://commits.kde.org/messagelib/3b5b171e91ce78b966c98b1292a1bcbc8d984799 -CVE-2021-31854 - RESERVED +CVE-2021-31854 (A command Injection Vulnerability in McAfee Agent (MA) for Windows pri ...) + NOT-FOR-US: McAfee CVE-2021-31853 (DLL Search Order Hijacking Vulnerability in McAfee Drive Encryption (M ...) NOT-FOR-US: McAfee CVE-2021-31852 (A Reflected Cross-Site Scripting vulnerability in McAfee Policy Audito ...) NOT-FOR-US: McAfee CVE-2021-31851 (A Reflected Cross-Site Scripting vulnerability in McAfee Policy Audito ...) NOT-FOR-US: McAfee -CVE-2021-31850 - RESERVED +CVE-2021-31850 (A denial-of-service vulnerability in Database Security (DBS) prior to ...) + NOT-FOR-US: McAfee CVE-2021-31849 (SQL injection vulnerability in McAfee Data Loss Prevention (DLP) ePO e ...) NOT-FOR-US: McAfee CVE-2021-31848 (Cross site scripting (XSS) vulnerability in McAfee Data Loss Preventio ...) @@ -29346,8 +36817,8 @@ CVE-2021-31835 (Cross-Site Scripting vulnerability in McAfee ePolicy Orchestrato NOT-FOR-US: McAfee CVE-2021-31834 (Stored Cross-Site Scripting vulnerability in McAfee ePolicy Orchestrat ...) NOT-FOR-US: McAfee -CVE-2021-31833 - RESERVED +CVE-2021-31833 (Potential product security bypass vulnerability in McAfee Application ...) + NOT-FOR-US: McAfee CVE-2021-31832 (Improper Neutralization of Input in the ePO administrator extension fo ...) NOT-FOR-US: McAfee CVE-2021-31831 (Incorrect access to deleted scripts vulnerability in McAfee Database S ...) @@ -29399,8 +36870,8 @@ CVE-2021-31823 RESERVED CVE-2021-31822 (When Octopus Tentacle is installed on a Linux operating system, the sy ...) NOT-FOR-US: Octopus Tentacle -CVE-2021-31821 - RESERVED +CVE-2021-31821 (When the Windows Tentacle docker image starts up it logs all the comma ...) + NOT-FOR-US: Octopus Tentacle CVE-2021-31820 (In Octopus Server after version 2018.8.2 if the Octopus Server Web Req ...) NOT-FOR-US: Octopus Server CVE-2021-31819 (In Halibut versions prior to 4.4.7 there is a deserialisation vulnerab ...) @@ -29415,8 +36886,8 @@ CVE-2021-3513 NOT-FOR-US: Keycloak CVE-2021-31815 (GAEN (aka Google/Apple Exposure Notifications) through 2021-04-27 on A ...) NOT-FOR-US: GAEN (aka Google/Apple Exposure Notifications) -CVE-2021-31814 - RESERVED +CVE-2021-31814 (In Stormshield 1.1.0, and 2.1.0 through 2.9.0, an attacker can block a ...) + NOT-FOR-US: Stormshield CVE-2021-31813 (Zoho ManageEngine Applications Manager before 15130 is vulnerable to S ...) NOT-FOR-US: Zoho CVE-2021-31812 (In Apache PDFBox, a carefully crafted PDF file can trigger an infinite ...) @@ -29440,10 +36911,9 @@ CVE-2021-31811 (In Apache PDFBox, a carefully crafted PDF file can trigger an Ou NOTE: https://www.openwall.com/lists/oss-security/2021/06/12/2 NOTE: https://github.com/apache/pdfbox/commit/cd17a19e9ab1028dc662e972dd8dbb3fa68b4a33 CVE-2021-31810 (An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, an ...) - {DLA-2780-1} + {DSA-5066-1 DLA-2780-1} - ruby2.7 2.7.4-1 (bug #990815) - ruby2.5 <removed> - [buster] - ruby2.5 <no-dsa> (Minor issue) - ruby2.3 <removed> - jruby <unfixed> [buster] - jruby <no-dsa> (Minor issue) @@ -29498,10 +36968,9 @@ CVE-2021-31800 (Multiple path traversal vulnerabilities exist in smbserver.py in [stretch] - impacket <no-dsa> (Minor issue) NOTE: https://github.com/SecureAuthCorp/impacket/commit/49c643bf66620646884ed141c94e5fdd85bcdd2f CVE-2021-31799 (In RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby throug ...) - {DLA-2780-1} + {DSA-5066-1 DLA-2780-1} - ruby2.7 2.7.4-1 (bug #990815) - ruby2.5 <removed> - [buster] - ruby2.5 <no-dsa> (Minor issue) - ruby2.3 <removed> NOTE: Introduced in (rdoc): https://github.com/ruby/rdoc/commit/4a8b7bed7cd5647db92c620bc6f33e4c309d2212 (v3.11) NOTE: Fixed in (rdoc): https://github.com/ruby/rdoc/commit/a7f5d6ab88632b3b482fe10611382ff73d14eed7 (v6.3.1) @@ -29530,8 +36999,8 @@ CVE-2021-31789 RESERVED CVE-2021-31788 RESERVED -CVE-2021-31787 - RESERVED +CVE-2021-31787 (The Bluetooth Classic implementation on Actions ATS2815 chipsets does ...) + NOT-FOR-US: Bluetooth Classic implementation on Actions ATS2815 chipsets CVE-2021-31786 (The Bluetooth Classic Audio implementation on Actions ATS2815 and ATS2 ...) NOT-FOR-US: Actions ATS CVE-2021-31785 (The Bluetooth Classic implementation on Actions ATS2815 and ATS2819 ch ...) @@ -29562,8 +37031,8 @@ CVE-2021-31773 RESERVED CVE-2021-31772 RESERVED -CVE-2021-31771 (Splinterware System Scheduler Professional version 5.30 is subject to ...) - NOT-FOR-US: Splinterware +CVE-2021-31771 + REJECTED CVE-2021-31770 RESERVED CVE-2021-31769 (MyQ Server in MyQ X Smart before 8.2 allows remote code execution by u ...) @@ -29610,12 +37079,12 @@ CVE-2021-31749 RESERVED CVE-2021-31748 RESERVED -CVE-2021-31747 - RESERVED -CVE-2021-31746 - RESERVED -CVE-2021-31745 - RESERVED +CVE-2021-31747 (Missing SSL Certificate Validation issue exists in Pluck 4.7.15 in upd ...) + NOT-FOR-US: Pluck CMS +CVE-2021-31746 (Zip Slip vulnerability in Pluck-CMS Pluck 4.7.15 allows an attacker to ...) + NOT-FOR-US: Pluck CMS +CVE-2021-31745 (Session Fixation vulnerability in login.php in Pluck-CMS Pluck 4.7.15 ...) + NOT-FOR-US: Pluck CMS CVE-2021-31744 RESERVED CVE-2021-31743 @@ -29843,10 +37312,10 @@ CVE-2021-31634 RESERVED CVE-2021-31633 RESERVED -CVE-2021-31632 - RESERVED -CVE-2021-31631 - RESERVED +CVE-2021-31632 (b2evolution CMS v7.2.3 was discovered to contain a SQL injection vulne ...) + NOT-FOR-US: b2evolution CMS +CVE-2021-31631 (b2evolution CMS v7.2.3 was discovered to contain a Cross-Site Request ...) + NOT-FOR-US: b2evolution CMS CVE-2021-31630 (Command Injection in Open PLC Webserver v3 allows remote attackers to ...) NOT-FOR-US: Open PLC webserver CVE-2021-31629 @@ -29878,8 +37347,8 @@ CVE-2021-31618 (Apache HTTP Server protocol handler for the HTTP/2 protocol chec NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-31618 NOTE: https://github.com/apache/httpd/commit/a4fba223668c554e06bc78d6e3a88f33d4238ae4 NOTE: https://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/http2/h2_stream.c?r1=1889759&r2=1889758&pathrev=1889759 -CVE-2021-31617 - RESERVED +CVE-2021-31617 (In ASQ in Stormshield Network Security (SNS) 1.0.0 through 2.7.8, 2.8. ...) + NOT-FOR-US: Stormshield Network Security (SNS) CVE-2021-31616 (Insufficient length checks in the ShapeShift KeepKey hardware wallet f ...) NOT-FOR-US: ShapeShift KeepKey hardware wallet firmware CVE-2021-31615 (Unencrypted Bluetooth Low Energy baseband links in Bluetooth Core Spec ...) @@ -29903,6 +37372,8 @@ CVE-2021-31607 (In SaltStack Salt 2016.9 through 3002.6, a command injection vul - salt 3002.6+dfsg1-2 (bug #987496) [buster] - salt 2018.3.4+dfsg1-6+deb10u3 NOTE: https://sec.stealthcopter.com/saltstack-snapper-minion-privledge-escaltion/ + NOTE: Introduced by: https://gitlab.com/saltstack/open/salt/-/commit/1343078d03613e33eec9e5ec5095d2e0b0aa2e59 (v2016.9) + NOTE: Combined fix and regression fix: https://salsa.debian.org/salt-team/salt/-/commit/71f7f30851f9609bfda5a1b0f5b115d2743372cd CVE-2021-31606 (furlongm openvpn-monitor through 1.1.3 allows Authorization Bypass to ...) NOT-FOR-US: openvpn-monitor CVE-2021-31605 (furlongm openvpn-monitor through 1.1.3 allows %0a command injection vi ...) @@ -29956,8 +37427,8 @@ CVE-2021-31591 RESERVED CVE-2021-31590 (PwnDoc all versions until 0.4.0 (2021-08-23) has incorrect JSON Webtok ...) NOT-FOR-US: PwnDoc -CVE-2021-31589 - RESERVED +CVE-2021-31589 (A cross-site scripting (XSS) vulnerability has been reported and confi ...) + NOT-FOR-US: BeyondTrust CVE-2021-31588 RESERVED CVE-2021-31587 @@ -30037,6 +37508,7 @@ CVE-2021-31543 CVE-2021-31542 (In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, M ...) {DLA-2651-1} - python-django 2:2.2.21-1 (bug #988053) + [buster] - python-django <no-dsa> (Minor issue) NOTE: https://www.djangoproject.com/weblog/2021/may/04/security-releases/ NOTE: https://github.com/django/django/commit/0b79eb36915d178aef5c6a7bbce71b1e76d376d3 (main) NOTE: https://github.com/django/django/commit/04ac1624bdc2fa737188401757cf95ced122d26d (2.2.21) @@ -30132,8 +37604,8 @@ CVE-2021-23169 (A heap-buffer overflow was found in the copyIntoFrameBuffer func NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/ae6d203892cc9311917a7f4f05354ef792b3e58e CVE-2021-31524 RESERVED -CVE-2021-31522 - RESERVED +CVE-2021-31522 (Kylin can receive user input and load any class through Class.forName( ...) + NOT-FOR-US: Apache Kylin (different from Kylin desktop environment) CVE-2021-3510 (Zephyr JSON decoder incorrectly decodes array of array. Zephyr version ...) NOT-FOR-US: Zephyr, different from src:zephyr CVE-2021-3509 (A flaw was found in Red Hat Ceph Storage 4, in the Dashboard component ...) @@ -30167,6 +37639,7 @@ CVE-2021-3507 (A heap buffer overflow was found in the floppy disk emulator of Q [buster] - qemu <no-dsa> (Minor issue) [stretch] - qemu <no-dsa> (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1951118 + NOTE: No upstream patch as of 2022-01-28 CVE-2021-3506 (An out-of-bounds (OOB) memory access flaw was found in fs/f2fs/node.c ...) {DLA-2690-1} - linux 5.10.38-1 @@ -30449,9 +37922,8 @@ CVE-2021-3502 (A flaw was found in avahi 0.8-5. A reachable assertion is present NOTE: Fixed by: https://github.com/lathiat/avahi/commit/9d31939e55280a733d930b15ac9e4dda4497680c NOTE: Introduced by: https://github.com/lathiat/avahi/commit/80c98fa16782e921f5b5d5c880f1d80f5c43bd49 (v0.8) CVE-2021-3500 (A flaw was found in djvulibre-3.5.28 and earlier. A Stack overflow in ...) - {DLA-2667-1} + {DSA-5032-1 DLA-2667-1} - djvulibre 3.5.28-2 (bug #988215) - [buster] - djvulibre <no-dsa> (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1943685 NOTE: Patch in Fedora (not upstream'ed): https://src.fedoraproject.org/rpms/djvulibre/c/fc359410f7131e4ea0a892ef78e6da72f29afeee.patch NOTE: https://sourceforge.net/p/djvu/djvulibre-git/ci/cd8b5c97b27a5c1dc83046498b6ca49ad20aa9b6/ (chunk #2 / Patch11) (fixed differently) @@ -30926,10 +38398,10 @@ CVE-2021-31217 (In SolarWinds DameWare Mini Remote Control Server 12.0.1.200, in CVE-2021-31216 (Siren Investigate before 11.1.1 contains a server side request forgery ...) NOT-FOR-US: Siren Investigate CVE-2021-31215 (SchedMD Slurm before 20.02.7 and 20.03.x through 20.11.x before 20.11. ...) + {DLA-2886-1} - slurm-wlm 20.11.7+really20.11.4-2 (bug #988439) - slurm-llnl <removed> [buster] - slurm-llnl <no-dsa> (Minor issue) - [stretch] - slurm-llnl <not-affected> (env is already SPANKed) NOTE: https://github.com/SchedMD/slurm/commit/a9e9e2fedbd200ca545ab67dd753bd52c919f236 (2.11.7) NOTE: Initially already fixed in 20.11.7-1 (the tracker would do the right thing) NOTE: but the unstable upload invalidated the changelog 20.11.7-1 so use 20.11.7+really20.11.4-2 @@ -31381,154 +38853,182 @@ CVE-2021-30998 REJECTED CVE-2021-30997 REJECTED -CVE-2021-30996 - REJECTED -CVE-2021-30995 - REJECTED +CVE-2021-30996 (A race condition was addressed with improved state handling. This issu ...) + NOT-FOR-US: Apple +CVE-2021-30995 (A race condition was addressed with improved state handling. This issu ...) + NOT-FOR-US: Apple CVE-2021-30994 REJECTED -CVE-2021-30993 - REJECTED -CVE-2021-30992 - REJECTED -CVE-2021-30991 - REJECTED -CVE-2021-30990 - REJECTED +CVE-2021-30993 (A buffer overflow issue was addressed with improved memory handling. T ...) + NOT-FOR-US: Apple +CVE-2021-30992 (This issue was addressed with improved handling of file metadata. This ...) + NOT-FOR-US: Apple +CVE-2021-30991 (An out-of-bounds read was addressed with improved bounds checking. Thi ...) + NOT-FOR-US: Apple +CVE-2021-30990 (A logic issue was addressed with improved validation. This issue is fi ...) + NOT-FOR-US: Apple CVE-2021-30989 REJECTED -CVE-2021-30988 - REJECTED -CVE-2021-30987 - REJECTED -CVE-2021-30986 - REJECTED -CVE-2021-30985 - REJECTED -CVE-2021-30984 - REJECTED -CVE-2021-30983 - REJECTED -CVE-2021-30982 - REJECTED -CVE-2021-30981 - REJECTED -CVE-2021-30980 - REJECTED -CVE-2021-30979 - REJECTED +CVE-2021-30988 (Description: A permissions issue was addressed with improved validatio ...) + NOT-FOR-US: Apple +CVE-2021-30987 (An access issue was addressed with improved access restrictions. This ...) + NOT-FOR-US: Apple +CVE-2021-30986 (A device configuration issue was addressed with an updated configurati ...) + NOT-FOR-US: Apple +CVE-2021-30985 (An out-of-bounds write issue was addressed with improved bounds checki ...) + NOT-FOR-US: Apple +CVE-2021-30984 (A race condition was addressed with improved state handling. This issu ...) + {DSA-5061-1 DSA-5060-1} + - webkit2gtk 2.34.4-1 + [stretch] - webkit2gtk <ignored> (Not covered by security support in stretch) + - wpewebkit 2.34.4-1 + NOTE: https://webkitgtk.org/security/WSA-2022-0001.html +CVE-2021-30983 (A buffer overflow issue was addressed with improved memory handling. T ...) + NOT-FOR-US: Apple +CVE-2021-30982 (A race condition was addressed with improved locking. This issue is fi ...) + NOT-FOR-US: Apple +CVE-2021-30981 (A buffer overflow was addressed with improved bounds checking. This is ...) + NOT-FOR-US: Apple +CVE-2021-30980 (A use after free issue was addressed with improved memory management. ...) + NOT-FOR-US: Apple +CVE-2021-30979 (A buffer overflow issue was addressed with improved memory handling. T ...) + NOT-FOR-US: Apple CVE-2021-30978 REJECTED -CVE-2021-30977 - REJECTED -CVE-2021-30976 - REJECTED -CVE-2021-30975 - REJECTED +CVE-2021-30977 (A buffer overflow was addressed with improved bounds checking. This is ...) + NOT-FOR-US: Apple +CVE-2021-30976 (A logic issue was addressed with improved state management. This issue ...) + NOT-FOR-US: Apple +CVE-2021-30975 (This issue was addressed by disabling execution of JavaScript when vie ...) + NOT-FOR-US: Apple CVE-2021-30974 REJECTED -CVE-2021-30973 - REJECTED +CVE-2021-30973 (An out-of-bounds read was addressed with improved input validation. Th ...) + NOT-FOR-US: Apple CVE-2021-30972 REJECTED -CVE-2021-30971 - REJECTED -CVE-2021-30970 - REJECTED -CVE-2021-30969 - REJECTED -CVE-2021-30968 - REJECTED -CVE-2021-30967 - REJECTED -CVE-2021-30966 - REJECTED -CVE-2021-30965 - REJECTED -CVE-2021-30964 - REJECTED -CVE-2021-30963 - REJECTED +CVE-2021-30971 (An out-of-bounds write issue was addressed with improved bounds checki ...) + NOT-FOR-US: Apple +CVE-2021-30970 (A logic issue was addressed with improved state management. This issue ...) + NOT-FOR-US: Apple +CVE-2021-30969 (A path handling issue was addressed with improved validation. This iss ...) + NOT-FOR-US: Apple +CVE-2021-30968 (A validation issue related to hard link behavior was addressed with im ...) + NOT-FOR-US: Apple +CVE-2021-30967 (Description: A permissions issue was addressed with improved validatio ...) + NOT-FOR-US: Apple +CVE-2021-30966 (A logic issue was addressed with improved state management. This issue ...) + NOT-FOR-US: Apple +CVE-2021-30965 (A logic issue was addressed with improved state management. This issue ...) + NOT-FOR-US: Apple +CVE-2021-30964 (An inherited permissions issue was addressed with additional restricti ...) + NOT-FOR-US: Apple +CVE-2021-30963 (A buffer overflow issue was addressed with improved memory handling. T ...) + NOT-FOR-US: Apple CVE-2021-30962 REJECTED -CVE-2021-30961 - REJECTED -CVE-2021-30960 - REJECTED -CVE-2021-30959 - REJECTED -CVE-2021-30958 - REJECTED -CVE-2021-30957 - REJECTED +CVE-2021-30961 (A buffer overflow issue was addressed with improved memory handling. T ...) + NOT-FOR-US: Apple +CVE-2021-30960 (A buffer overflow issue was addressed with improved memory handling. T ...) + NOT-FOR-US: Apple +CVE-2021-30959 (A buffer overflow issue was addressed with improved memory handling. T ...) + NOT-FOR-US: Apple +CVE-2021-30958 (An out-of-bounds read was addressed with improved input validation. Th ...) + NOT-FOR-US: Apple +CVE-2021-30957 (A buffer overflow issue was addressed with improved memory handling. T ...) + NOT-FOR-US: Apple CVE-2021-30956 REJECTED -CVE-2021-30955 - REJECTED -CVE-2021-30954 - REJECTED -CVE-2021-30953 - REJECTED -CVE-2021-30952 - REJECTED -CVE-2021-30951 - REJECTED -CVE-2021-30950 - REJECTED -CVE-2021-30949 - REJECTED -CVE-2021-30948 - REJECTED -CVE-2021-30947 - REJECTED -CVE-2021-30946 - REJECTED -CVE-2021-30945 - REJECTED +CVE-2021-30955 (A race condition was addressed with improved state handling. This issu ...) + NOT-FOR-US: Apple +CVE-2021-30954 (A type confusion issue was addressed with improved memory handling. Th ...) + {DSA-5061-1 DSA-5060-1} + - webkit2gtk 2.34.4-1 + [stretch] - webkit2gtk <ignored> (Not covered by security support in stretch) + - wpewebkit 2.34.4-1 + NOTE: https://webkitgtk.org/security/WSA-2022-0001.html +CVE-2021-30953 (An out-of-bounds read was addressed with improved bounds checking. Thi ...) + {DSA-5061-1 DSA-5060-1} + - webkit2gtk 2.34.4-1 + [stretch] - webkit2gtk <ignored> (Not covered by security support in stretch) + - wpewebkit 2.34.4-1 + NOTE: https://webkitgtk.org/security/WSA-2022-0001.html +CVE-2021-30952 (An integer overflow was addressed with improved input validation. This ...) + {DSA-5061-1 DSA-5060-1} + - webkit2gtk 2.34.4-1 + [stretch] - webkit2gtk <ignored> (Not covered by security support in stretch) + - wpewebkit 2.34.4-1 + NOTE: https://webkitgtk.org/security/WSA-2022-0001.html +CVE-2021-30951 (A use after free issue was addressed with improved memory management. ...) + {DSA-5061-1 DSA-5060-1} + - webkit2gtk 2.34.4-1 + [stretch] - webkit2gtk <ignored> (Not covered by security support in stretch) + - wpewebkit 2.34.4-1 + NOTE: https://webkitgtk.org/security/WSA-2022-0001.html +CVE-2021-30950 (A logic issue was addressed with improved state management. This issue ...) + NOT-FOR-US: Apple +CVE-2021-30949 (A memory corruption issue was addressed with improved state management ...) + NOT-FOR-US: Apple +CVE-2021-30948 (An inconsistent user interface issue was addressed with improved state ...) + NOT-FOR-US: Apple +CVE-2021-30947 (An access issue was addressed with additional sandbox restrictions. Th ...) + NOT-FOR-US: Apple +CVE-2021-30946 (A logic issue was addressed with improved restrictions. This issue is ...) + NOT-FOR-US: Apple +CVE-2021-30945 (This issue was addressed with improved checks. This issue is fixed in ...) + NOT-FOR-US: Apple CVE-2021-30944 REJECTED CVE-2021-30943 REJECTED -CVE-2021-30942 - REJECTED -CVE-2021-30941 - REJECTED -CVE-2021-30940 - REJECTED -CVE-2021-30939 - REJECTED -CVE-2021-30938 - REJECTED -CVE-2021-30937 - REJECTED -CVE-2021-30936 - REJECTED -CVE-2021-30935 - REJECTED -CVE-2021-30934 - REJECTED +CVE-2021-30942 (Description: A memory corruption issue in the processing of ICC profil ...) + NOT-FOR-US: Apple +CVE-2021-30941 (A buffer overflow issue was addressed with improved memory handling. T ...) + NOT-FOR-US: Apple +CVE-2021-30940 (A buffer overflow issue was addressed with improved memory handling. T ...) + NOT-FOR-US: Apple +CVE-2021-30939 (An out-of-bounds read was addressed with improved bounds checking. Thi ...) + NOT-FOR-US: Apple +CVE-2021-30938 (This issue was addressed with improved checks. This issue is fixed in ...) + NOT-FOR-US: Apple +CVE-2021-30937 (A memory corruption vulnerability was addressed with improved locking. ...) + NOT-FOR-US: Apple +CVE-2021-30936 (A use after free issue was addressed with improved memory management. ...) + {DSA-5061-1 DSA-5060-1} + - webkit2gtk 2.34.4-1 + [stretch] - webkit2gtk <ignored> (Not covered by security support in stretch) + - wpewebkit 2.34.4-1 + NOTE: https://webkitgtk.org/security/WSA-2022-0001.html +CVE-2021-30935 (A logic issue was addressed with improved validation. This issue is fi ...) + NOT-FOR-US: Apple +CVE-2021-30934 (A buffer overflow issue was addressed with improved memory handling. T ...) + {DSA-5061-1 DSA-5060-1} + - webkit2gtk 2.34.4-1 + [stretch] - webkit2gtk <ignored> (Not covered by security support in stretch) + - wpewebkit 2.34.4-1 + NOTE: https://webkitgtk.org/security/WSA-2022-0001.html CVE-2021-30933 REJECTED -CVE-2021-30932 - REJECTED -CVE-2021-30931 - REJECTED -CVE-2021-30930 - REJECTED -CVE-2021-30929 - REJECTED +CVE-2021-30932 (The issue was addressed with improved permissions logic. This issue is ...) + NOT-FOR-US: Apple +CVE-2021-30931 (A logic issue was addressed with improved validation. This issue is fi ...) + NOT-FOR-US: Apple +CVE-2021-30930 (A logic issue was addressed with improved state management. This issue ...) + NOT-FOR-US: Apple +CVE-2021-30929 (An out-of-bounds write issue was addressed with improved bounds checki ...) + NOT-FOR-US: Apple CVE-2021-30928 REJECTED -CVE-2021-30927 - REJECTED -CVE-2021-30926 - REJECTED +CVE-2021-30927 (A use after free issue was addressed with improved memory management. ...) + NOT-FOR-US: Apple +CVE-2021-30926 (Description: A memory corruption issue in the processing of ICC profil ...) + NOT-FOR-US: Apple CVE-2021-30925 REJECTED -CVE-2021-30924 - REJECTED -CVE-2021-30923 - REJECTED +CVE-2021-30924 (A denial of service issue was addressed with improved state handling. ...) + NOT-FOR-US: Apple +CVE-2021-30923 (A race condition was addressed with improved locking. This issue is fi ...) + NOT-FOR-US: Apple CVE-2021-30922 REJECTED CVE-2021-30921 @@ -31565,8 +39065,8 @@ CVE-2021-30906 (This issue was addressed with improved checks. This issue is fix NOT-FOR-US: Apple CVE-2021-30905 (An out-of-bounds read was addressed with improved bounds checking. Thi ...) NOT-FOR-US: Apple -CVE-2021-30904 - REJECTED +CVE-2021-30904 (A sync issue was addressed with improved state validation. This issue ...) + NOT-FOR-US: Apple CVE-2021-30903 (This issue was addressed with improved checks. This issue is fixed in ...) NOT-FOR-US: Apple CVE-2021-30902 (A use after free issue was addressed with improved memory management. ...) @@ -31579,8 +39079,8 @@ CVE-2021-30899 (A race condition was addressed with improved state handling. Thi NOT-FOR-US: Apple CVE-2021-30898 REJECTED -CVE-2021-30897 - REJECTED +CVE-2021-30897 (An issue existed in the specification for the resource timing API. The ...) + NOT-FOR-US: Apple CVE-2021-30896 (A logic issue was addressed with improved restrictions. This issue is ...) NOT-FOR-US: Apple CVE-2021-30895 (A logic issue was addressed with improved restrictions. This issue is ...) @@ -31594,19 +39094,39 @@ CVE-2021-30892 (An inherited permissions issue was addressed with additional res CVE-2021-30891 REJECTED CVE-2021-30890 (A logic issue was addressed with improved state management. This issue ...) - NOT-FOR-US: Apple + {DSA-5031-1 DSA-5030-1} + - webkit2gtk 2.34.3-1 + [stretch] - webkit2gtk <ignored> (Not covered by security support in stretch) + - wpewebkit 2.34.3-1 + NOTE: https://webkitgtk.org/security/WSA-2021-0007.html CVE-2021-30889 (A buffer overflow issue was addressed with improved memory handling. T ...) - NOT-FOR-US: Apple + {DSA-4996-1 DSA-4995-1} + - webkit2gtk 2.34.1-1 + [stretch] - webkit2gtk <ignored> (Not covered by security support in stretch) + - wpewebkit 2.34.1-1 + NOTE: https://webkitgtk.org/security/WSA-2021-0007.html CVE-2021-30888 (An information leakage issue was addressed. This issue is fixed in iOS ...) - NOT-FOR-US: Apple + {DSA-4996-1 DSA-4995-1} + - webkit2gtk 2.34.1-1 + [stretch] - webkit2gtk <ignored> (Not covered by security support in stretch) + - wpewebkit 2.34.1-1 + NOTE: https://webkitgtk.org/security/WSA-2021-0007.html CVE-2021-30887 (A logic issue was addressed with improved restrictions. This issue is ...) - NOT-FOR-US: Apple + {DSA-5031-1 DSA-5030-1} + - webkit2gtk 2.34.3-1 + [stretch] - webkit2gtk <ignored> (Not covered by security support in stretch) + - wpewebkit 2.34.3-1 + NOTE: https://webkitgtk.org/security/WSA-2021-0007.html CVE-2021-30886 (A use after free issue was addressed with improved memory management. ...) NOT-FOR-US: Apple CVE-2021-30885 REJECTED CVE-2021-30884 (The issue was resolved with additional restrictions on CSS compositing ...) - NOT-FOR-US: Apple + {DSA-4996-1 DSA-4995-1} + - webkit2gtk 2.34.1-1 + [stretch] - webkit2gtk <ignored> (Not covered by security support in stretch) + - wpewebkit 2.34.1-1 + NOTE: https://webkitgtk.org/security/WSA-2021-0007.html CVE-2021-30883 (A memory corruption issue was addressed with improved memory handling. ...) NOT-FOR-US: Apple CVE-2021-30882 (A logic issue was addressed with improved validation. This issue is fi ...) @@ -31724,7 +39244,11 @@ CVE-2021-30838 (A memory corruption issue was addressed with improved memory han CVE-2021-30837 (A memory consumption issue was addressed with improved memory handling ...) NOT-FOR-US: Apple CVE-2021-30836 (An out-of-bounds read was addressed with improved input validation. Th ...) - NOT-FOR-US: Apple + {DSA-4976-1 DSA-4975-1} + - webkit2gtk 2.32.4-1 + [stretch] - webkit2gtk <ignored> (Not covered by security support in stretch) + - wpewebkit 2.32.4-1 + NOTE: https://webkitgtk.org/security/WSA-2021-0007.html CVE-2021-30835 (This issue was addressed with improved checks. This issue is fixed in ...) NOT-FOR-US: Apple CVE-2021-30834 (A logic issue was addressed with improved state management. This issue ...) @@ -31750,7 +39274,11 @@ CVE-2021-30825 (This issue was addressed with improved checks. This issue is fix CVE-2021-30824 (A memory corruption issue was addressed with improved state management ...) NOT-FOR-US: Apple CVE-2021-30823 (A logic issue was addressed with improved restrictions. This issue is ...) - NOT-FOR-US: Apple + {DSA-4996-1 DSA-4995-1} + - webkit2gtk 2.34.1-1 + [stretch] - webkit2gtk <ignored> (Not covered by security support in stretch) + - wpewebkit 2.34.1-1 + NOTE: https://webkitgtk.org/security/WSA-2021-0007.html CVE-2021-30822 RESERVED CVE-2021-30821 (A memory corruption issue was addressed with improved memory handling. ...) @@ -31760,7 +39288,11 @@ CVE-2021-30820 (A logic issue was addressed with improved state management. This CVE-2021-30819 (An out-of-bounds read was addressed with improved input validation. Th ...) NOT-FOR-US: Apple CVE-2021-30818 (A type confusion issue was addressed with improved state handling. Thi ...) - NOT-FOR-US: Apple + {DSA-4996-1 DSA-4995-1} + - webkit2gtk 2.34.1-1 + [stretch] - webkit2gtk <ignored> (Not covered by security support in stretch) + - wpewebkit 2.34.1-1 + NOTE: https://webkitgtk.org/security/WSA-2021-0007.html CVE-2021-30817 (A permissions issue was addressed with improved validation. This issue ...) NOT-FOR-US: Apple CVE-2021-30816 (The issue was addressed with improved permissions logic. This issue is ...) @@ -31778,7 +39310,11 @@ CVE-2021-30811 (This issue was addressed with improved checks. This issue is fix CVE-2021-30810 (An authorization issue was addressed with improved state management. T ...) NOT-FOR-US: Apple CVE-2021-30809 (A use after free issue was addressed with improved memory management. ...) - NOT-FOR-US: Apple + {DSA-4976-1 DSA-4975-1} + - webkit2gtk 2.32.4-1 + [stretch] - webkit2gtk <ignored> (Not covered by security support in stretch) + - wpewebkit 2.32.4-1 + NOTE: https://webkitgtk.org/security/WSA-2021-0007.html CVE-2021-30808 (This issue was addressed with improved checks. This issue is fixed in ...) NOT-FOR-US: Apple CVE-2021-30807 (A memory corruption issue was addressed with improved memory handling. ...) @@ -31873,8 +39409,8 @@ CVE-2021-30769 (A logic issue was addressed with improved state management. This NOT-FOR-US: Apple CVE-2021-30768 (A logic issue was addressed with improved validation. This issue is fi ...) NOT-FOR-US: Apple -CVE-2021-30767 - RESERVED +CVE-2021-30767 (A logic issue was addressed with improved state management. This issue ...) + NOT-FOR-US: Apple CVE-2021-30766 (An out-of-bounds write was addressed with improved input validation. T ...) NOT-FOR-US: Apple CVE-2021-30765 (An out-of-bounds write was addressed with improved input validation. T ...) @@ -32159,8 +39695,8 @@ CVE-2021-30652 (A race condition was addressed with additional validation. This NOT-FOR-US: Apple CVE-2021-30651 RESERVED -CVE-2021-30650 - RESERVED +CVE-2021-30650 (A reflected cross-site scripting (XSS) vulnerability in the Symantec L ...) + NOT-FOR-US: Symantec CVE-2021-30649 RESERVED CVE-2021-30648 (The Symantec Advanced Secure Gateway (ASG) and ProxySG web management ...) @@ -32267,268 +39803,350 @@ CVE-2021-30638 (Information Exposure vulnerability in context asset handling of NOT-FOR-US: Apache Tapestry CVE-2021-30637 (htmly 2.8.0 allows stored XSS via the blog title, Tagline, or Descript ...) NOT-FOR-US: htmly -CVE-2021-30636 - RESERVED +CVE-2021-30636 (In MediaTek LinkIt SDK before 4.6.1, there is a possible memory corrup ...) + NOT-FOR-US: MediaTek LinkIt SDK CVE-2021-30635 (Sonatype Nexus Repository Manager 3.x before 3.30.1 allows a remote at ...) NOT-FOR-US: Sonatype Nexus Repository Manager CVE-2021-30634 RESERVED CVE-2021-30633 (Use after free in Indexed DB API in Google Chrome prior to 93.0.4577.8 ...) - chromium 93.0.4577.82-1 + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30632 (Out of bounds write in V8 in Google Chrome prior to 93.0.4577.82 allow ...) - chromium 93.0.4577.82-1 + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30631 REJECTED CVE-2021-30630 (Inappropriate implementation in Blink in Google Chrome prior to 93.0.4 ...) - chromium 93.0.4577.82-1 + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30629 (Use after free in Permissions in Google Chrome prior to 93.0.4577.82 a ...) - chromium 93.0.4577.82-1 + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30628 (Stack buffer overflow in ANGLE in Google Chrome prior to 93.0.4577.82 ...) - chromium 93.0.4577.82-1 + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30627 (Type confusion in Blink layout in Google Chrome prior to 93.0.4577.82 ...) - chromium 93.0.4577.82-1 + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30626 (Out of bounds memory access in ANGLE in Google Chrome prior to 93.0.45 ...) - chromium 93.0.4577.82-1 + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30625 (Use after free in Selection API in Google Chrome prior to 93.0.4577.82 ...) - chromium 93.0.4577.82-1 + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30624 (Chromium: CVE-2021-30624 Use after free in Autofill ...) - chromium 93.0.4577.82-1 + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30623 (Chromium: CVE-2021-30623 Use after free in Bookmarks ...) - chromium 93.0.4577.82-1 + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30622 (Chromium: CVE-2021-30622 Use after free in WebApp Installs ...) - chromium 93.0.4577.82-1 + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30621 (Chromium: CVE-2021-30621 UI Spoofing in Autofill ...) - chromium 93.0.4577.82-1 + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30620 (Chromium: CVE-2021-30620 Insufficient policy enforcement in Blink ...) - chromium 93.0.4577.82-1 + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30619 (Chromium: CVE-2021-30619 UI Spoofing in Autofill ...) - chromium 93.0.4577.82-1 + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30618 (Chromium: CVE-2021-30618 Inappropriate implementation in DevTools ...) - chromium 93.0.4577.82-1 + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30617 (Chromium: CVE-2021-30617 Policy bypass in Blink ...) - chromium 93.0.4577.82-1 + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30616 (Chromium: CVE-2021-30616 Use after free in Media ...) - chromium 93.0.4577.82-1 + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30615 (Chromium: CVE-2021-30615 Cross-origin data leak in Navigation ...) - chromium 93.0.4577.82-1 + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30614 (Chromium: CVE-2021-30614 Heap buffer overflow in TabStrip ...) - chromium 93.0.4577.82-1 + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30613 (Chromium: CVE-2021-30613 Use after free in Base internals ...) - chromium 93.0.4577.82-1 + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30612 (Chromium: CVE-2021-30612 Use after free in WebRTC ...) - chromium 93.0.4577.82-1 + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30611 (Chromium: CVE-2021-30611 Use after free in WebRTC ...) - chromium 93.0.4577.82-1 + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30610 (Chromium: CVE-2021-30610 Use after free in Extensions API ...) - chromium 93.0.4577.82-1 + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30609 (Chromium: CVE-2021-30609 Use after free in Sign-In ...) - chromium 93.0.4577.82-1 + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30608 (Chromium: CVE-2021-30608 Use after free in Web Share ...) - chromium 93.0.4577.82-1 + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30607 (Chromium: CVE-2021-30607 Use after free in Permissions ...) - chromium 93.0.4577.82-1 + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30606 (Chromium: CVE-2021-30606 Use after free in Blink ...) - chromium 93.0.4577.82-1 + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30605 (Inappropriate implementation in the ChromeOS Readiness Tool installer ...) NOT-FOR-US: ChromeOS Readiness Tool installer on Windows CVE-2021-30604 (Use after free in ANGLE in Google Chrome prior to 92.0.4515.159 allowe ...) - chromium 93.0.4577.82-1 (bug #990079) + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30603 (Data race in WebAudio in Google Chrome prior to 92.0.4515.159 allowed ...) - chromium 93.0.4577.82-1 (bug #990079) + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30602 (Use after free in WebRTC in Google Chrome prior to 92.0.4515.159 allow ...) - chromium 93.0.4577.82-1 (bug #990079) + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30601 (Use after free in Extensions API in Google Chrome prior to 92.0.4515.1 ...) - chromium 93.0.4577.82-1 (bug #990079) + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30600 (Use after free in Printing in Google Chrome prior to 92.0.4515.159 all ...) - chromium 93.0.4577.82-1 (bug #990079) + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30599 (Type confusion in V8 in Google Chrome prior to 92.0.4515.159 allowed a ...) - chromium 93.0.4577.82-1 (bug #990079) + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30598 (Type confusion in V8 in Google Chrome prior to 92.0.4515.159 allowed a ...) - chromium 93.0.4577.82-1 (bug #990079) + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30597 (Use after free in Browser UI in Google Chrome on Chrome prior to 92.0. ...) - chromium 93.0.4577.82-1 (bug #990079) + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30596 (Incorrect security UI in Navigation in Google Chrome on Android prior ...) - chromium 93.0.4577.82-1 (bug #990079) + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30595 RESERVED CVE-2021-30594 (Use after free in Page Info UI in Google Chrome prior to 92.0.4515.131 ...) - chromium 93.0.4577.82-1 (bug #990079) + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30593 (Out of bounds read in Tab Strip in Google Chrome prior to 92.0.4515.13 ...) - chromium 93.0.4577.82-1 (bug #990079) + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30592 (Out of bounds write in Tab Groups in Google Chrome prior to 92.0.4515. ...) - chromium 93.0.4577.82-1 (bug #990079) + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30591 (Use after free in File System API in Google Chrome prior to 92.0.4515. ...) - chromium 93.0.4577.82-1 (bug #990079) + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30590 (Heap buffer overflow in Bookmarks in Google Chrome prior to 92.0.4515. ...) - chromium 93.0.4577.82-1 (bug #990079) + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30589 (Insufficient validation of untrusted input in Sharing in Google Chrome ...) - chromium 93.0.4577.82-1 (bug #990079) + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30588 (Type confusion in V8 in Google Chrome prior to 92.0.4515.107 allowed a ...) - chromium 93.0.4577.82-1 (bug #990079) + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30587 (Inappropriate implementation in Compositing in Google Chrome prior to ...) - chromium 93.0.4577.82-1 (bug #990079) + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30586 (Use after free in dialog box handling in Windows in Google Chrome prio ...) - chromium 93.0.4577.82-1 (bug #990079) + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30585 (Use after free in sensor handling in Google Chrome on Windows prior to ...) - chromium 93.0.4577.82-1 (bug #990079) + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30584 (Incorrect security UI in Downloads in Google Chrome on Android prior t ...) - chromium 93.0.4577.82-1 (bug #990079) + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30583 (Insufficient policy enforcement in image handling in iOS in Google Chr ...) - chromium 93.0.4577.82-1 (bug #990079) + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30582 (Inappropriate implementation in Animation in Google Chrome prior to 92 ...) - chromium 93.0.4577.82-1 (bug #990079) + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30581 (Use after free in DevTools in Google Chrome prior to 92.0.4515.107 all ...) - chromium 93.0.4577.82-1 (bug #990079) + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30580 (Insufficient policy enforcement in Android intents in Google Chrome pr ...) - chromium 93.0.4577.82-1 (bug #990079) + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30579 (Use after free in UI framework in Google Chrome prior to 92.0.4515.107 ...) - chromium 93.0.4577.82-1 (bug #990079) + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30578 (Uninitialized use in Media in Google Chrome prior to 92.0.4515.107 all ...) - chromium 93.0.4577.82-1 (bug #990079) + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30577 (Insufficient policy enforcement in Installer in Google Chrome prior to ...) - chromium 93.0.4577.82-1 (bug #990079) + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30576 (Use after free in DevTools in Google Chrome prior to 92.0.4515.107 all ...) - chromium 93.0.4577.82-1 (bug #990079) + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30575 (Out of bounds write in Autofill in Google Chrome prior to 92.0.4515.10 ...) - chromium 93.0.4577.82-1 (bug #990079) + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30574 (Use after free in protocol handling in Google Chrome prior to 92.0.451 ...) - chromium 93.0.4577.82-1 (bug #990079) + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30573 (Use after free in GPU in Google Chrome prior to 92.0.4515.107 allowed ...) - chromium 93.0.4577.82-1 (bug #990079) + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30572 (Use after free in Autofill in Google Chrome prior to 92.0.4515.107 all ...) - chromium 93.0.4577.82-1 (bug #990079) + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30571 (Insufficient policy enforcement in DevTools in Google Chrome prior to ...) - chromium 93.0.4577.82-1 (bug #990079) + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30570 RESERVED CVE-2021-30569 (Use after free in sqlite in Google Chrome prior to 92.0.4515.107 allow ...) - chromium 93.0.4577.82-1 (bug #990079) + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30568 (Heap buffer overflow in WebGL in Google Chrome prior to 92.0.4515.107 ...) - chromium 93.0.4577.82-1 (bug #990079) + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30567 (Use after free in DevTools in Google Chrome prior to 92.0.4515.107 all ...) - chromium 93.0.4577.82-1 (bug #990079) + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30566 (Stack buffer overflow in Printing in Google Chrome prior to 92.0.4515. ...) - chromium 93.0.4577.82-1 (bug #990079) + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30565 (Out of bounds write in Tab Groups in Google Chrome on Linux and Chrome ...) - chromium 93.0.4577.82-1 (bug #990079) + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30564 (Heap buffer overflow in WebXR in Google Chrome prior to 91.0.4472.164 ...) - chromium 93.0.4577.82-1 (bug #990079) + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30563 (Type Confusion in V8 in Google Chrome prior to 91.0.4472.164 allowed a ...) - chromium 93.0.4577.82-1 (bug #990079) + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30562 (Use after free in WebSerial in Google Chrome prior to 91.0.4472.164 al ...) - chromium 93.0.4577.82-1 (bug #990079) + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30561 (Type Confusion in V8 in Google Chrome prior to 91.0.4472.164 allowed a ...) - chromium 93.0.4577.82-1 (bug #990079) + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30560 (Use after free in Blink XSLT in Google Chrome prior to 91.0.4472.164 a ...) - chromium 93.0.4577.82-1 (bug #990079) + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30559 (Out of bounds write in ANGLE in Google Chrome prior to 91.0.4472.164 a ...) - chromium 93.0.4577.82-1 (bug #990079) + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30558 RESERVED CVE-2021-30557 (Use after free in TabGroups in Google Chrome prior to 91.0.4472.114 al ...) - chromium 93.0.4577.82-1 (bug #990079) + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30556 (Use after free in WebAudio in Google Chrome prior to 91.0.4472.114 all ...) - chromium 93.0.4577.82-1 (bug #990079) + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30555 (Use after free in Sharing in Google Chrome prior to 91.0.4472.114 allo ...) - chromium 93.0.4577.82-1 (bug #990079) + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30554 (Use after free in WebGL in Google Chrome prior to 91.0.4472.114 allowe ...) - chromium 93.0.4577.82-1 (bug #990079) + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30553 (Use after free in Network service in Google Chrome prior to 91.0.4472. ...) - chromium 93.0.4577.82-1 (bug #990079) + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30552 (Use after free in Extensions in Google Chrome prior to 91.0.4472.101 a ...) - chromium 93.0.4577.82-1 (bug #990079) + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30551 (Type confusion in V8 in Google Chrome prior to 91.0.4472.101 allowed a ...) - chromium 93.0.4577.82-1 (bug #990079) + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30550 (Use after free in Accessibility in Google Chrome prior to 91.0.4472.10 ...) - chromium 93.0.4577.82-1 (bug #990079) + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30549 (Use after free in Spell check in Google Chrome prior to 91.0.4472.101 ...) - chromium 93.0.4577.82-1 (bug #990079) + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30548 (Use after free in Loader in Google Chrome prior to 91.0.4472.101 allow ...) - chromium 93.0.4577.82-1 (bug #990079) + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30547 (Out of bounds write in ANGLE in Google Chrome prior to 91.0.4472.101 a ...) {DSA-4940-1 DSA-4939-1 DLA-2711-1 DLA-2709-1} - chromium 93.0.4577.82-1 (bug #990079) + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) - firefox 90.0-1 - firefox-esr 78.12.0esr-1 @@ -32538,39 +40156,51 @@ CVE-2021-30547 (Out of bounds write in ANGLE in Google Chrome prior to 91.0.4472 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-30/#CVE-2021-30547 CVE-2021-30546 (Use after free in Autofill in Google Chrome prior to 91.0.4472.101 all ...) - chromium 93.0.4577.82-1 (bug #990079) + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30545 (Use after free in Extensions in Google Chrome prior to 91.0.4472.101 a ...) - chromium 93.0.4577.82-1 (bug #990079) + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30544 (Use after free in BFCache in Google Chrome prior to 91.0.4472.101 allo ...) - chromium 93.0.4577.82-1 (bug #990079) + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30543 (Use after free in Tab Strip in Google Chrome prior to 91.0.4472.77 all ...) - chromium 93.0.4577.82-1 (bug #990079) + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30542 (Use after free in Tab Strip in Google Chrome prior to 91.0.4472.77 all ...) - chromium 93.0.4577.82-1 (bug #990079) + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30541 (Use after free in V8 in Google Chrome prior to 91.0.4472.164 allowed a ...) - chromium 93.0.4577.82-1 (bug #990079) + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30540 (Incorrect security UI in payments in Google Chrome on Android prior to ...) - chromium 93.0.4577.82-1 (bug #990079) + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30539 (Insufficient policy enforcement in content security policy in Google C ...) - chromium 93.0.4577.82-1 (bug #990079) + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30538 (Insufficient policy enforcement in content security policy in Google C ...) - chromium 93.0.4577.82-1 (bug #990079) + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30537 (Insufficient policy enforcement in cookies in Google Chrome prior to 9 ...) - chromium 93.0.4577.82-1 (bug #990079) + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30536 (Out of bounds read in V8 in Google Chrome prior to 91.0.4472.77 allowe ...) - chromium 93.0.4577.82-1 (bug #990079) + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30535 (Double free in ICU in Google Chrome prior to 91.0.4472.77 allowed a re ...) - chromium 93.0.4577.82-1 (bug #990079) + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) - icu 67.1-7 [buster] - icu <not-affected> (Vulnerable code introduced later) @@ -32582,45 +40212,59 @@ CVE-2021-30535 (Double free in ICU in Google Chrome prior to 91.0.4472.77 allowe NOTE: Fixed by: https://github.com/unicode-org/icu/commit/2dc5bea9061b4fb05cd03e21b775dd944a0eb81d CVE-2021-30534 (Insufficient policy enforcement in iFrameSandbox in Google Chrome prio ...) - chromium 93.0.4577.82-1 (bug #990079) + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30533 (Insufficient policy enforcement in PopupBlocker in Google Chrome prior ...) - chromium 93.0.4577.82-1 (bug #990079) + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30532 (Insufficient policy enforcement in Content Security Policy in Google C ...) - chromium 93.0.4577.82-1 (bug #990079) + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30531 (Insufficient policy enforcement in Content Security Policy in Google C ...) - chromium 93.0.4577.82-1 (bug #990079) + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30530 (Out of bounds memory access in WebAudio in Google Chrome prior to 91.0 ...) - chromium 93.0.4577.82-1 (bug #990079) + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30529 (Use after free in Bookmarks in Google Chrome prior to 91.0.4472.77 all ...) - chromium 93.0.4577.82-1 (bug #990079) + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30528 (Use after free in WebAuthentication in Google Chrome on Android prior ...) - chromium 93.0.4577.82-1 (bug #990079) + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30527 (Use after free in WebUI in Google Chrome prior to 91.0.4472.77 allowed ...) - chromium 93.0.4577.82-1 (bug #990079) + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30526 (Out of bounds write in TabStrip in Google Chrome prior to 91.0.4472.77 ...) - chromium 93.0.4577.82-1 (bug #990079) + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30525 (Use after free in TabGroups in Google Chrome prior to 91.0.4472.77 all ...) - chromium 93.0.4577.82-1 (bug #990079) + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30524 (Use after free in TabStrip in Google Chrome prior to 91.0.4472.77 allo ...) - chromium 93.0.4577.82-1 (bug #990079) + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30523 (Use after free in WebRTC in Google Chrome prior to 91.0.4472.77 allowe ...) - chromium 93.0.4577.82-1 (bug #990079) + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30522 (Use after free in WebAudio in Google Chrome prior to 91.0.4472.77 allo ...) - chromium 93.0.4577.82-1 (bug #990079) + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30521 (Heap buffer overflow in Autofill in Google Chrome on Android prior to ...) - chromium 93.0.4577.82-1 (bug #990079) + [buster] - chromium <end-of-life> (see DSA 5046) [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-30520 (Use after free in Tab Strip in Google Chrome prior to 90.0.4430.212 al ...) {DSA-4917-1} @@ -33072,8 +40716,8 @@ CVE-2021-30362 RESERVED CVE-2021-30361 RESERVED -CVE-2021-30360 - RESERVED +CVE-2021-30360 (Users have access to the directory where the installation repair occur ...) + NOT-FOR-US: Check Point CVE-2021-30359 (The Harmony Browse and the SandBlast Agent for Browsers installers mus ...) NOT-FOR-US: Harmony Browse and the SandBlast Agent for Browsers installers CVE-2021-30358 (Mobile Access Portal Native Applications who's path is defined by the ...) @@ -33086,18 +40730,18 @@ CVE-2021-30355 (Amazon Kindle e-reader prior to and including version 5.13.4 imp NOT-FOR-US: Amazon Kindle e-reader CVE-2021-30354 (Amazon Kindle e-reader prior to and including version 5.13.4 contains ...) NOT-FOR-US: Amazon Kindle e-reader -CVE-2021-30353 - RESERVED +CVE-2021-30353 (Improper validation of function pointer type with actual function sign ...) + NOT-FOR-US: Qualcomm CVE-2021-30352 RESERVED -CVE-2021-30351 - RESERVED +CVE-2021-30351 (An out of bound memory access can occur due to improper validation of ...) + NOT-FOR-US: Qualcomm components for Android CVE-2021-30350 RESERVED CVE-2021-30349 RESERVED -CVE-2021-30348 - RESERVED +CVE-2021-30348 (Improper validation of LLM utility timers availability can lead to den ...) + NOT-FOR-US: Qualcomm CVE-2021-30347 RESERVED CVE-2021-30346 @@ -33118,12 +40762,12 @@ CVE-2021-30339 RESERVED CVE-2021-30338 RESERVED -CVE-2021-30337 - RESERVED -CVE-2021-30336 - RESERVED -CVE-2021-30335 - RESERVED +CVE-2021-30337 (Possible use after free when process shell memory is freed using IOCTL ...) + NOT-FOR-US: Qualcomm components for Android +CVE-2021-30336 (Possible out of bound read due to lack of domain input validation whil ...) + NOT-FOR-US: Qualcomm components for Android +CVE-2021-30335 (Possible assertion in QOS request due to improper validation when mult ...) + NOT-FOR-US: Qualcomm components for Android CVE-2021-30334 RESERVED CVE-2021-30333 @@ -33132,72 +40776,72 @@ CVE-2021-30332 RESERVED CVE-2021-30331 RESERVED -CVE-2021-30330 - RESERVED +CVE-2021-30330 (Possible null pointer dereference due to improper validation of APE cl ...) + NOT-FOR-US: Qualcomm CVE-2021-30329 RESERVED CVE-2021-30328 RESERVED CVE-2021-30327 RESERVED -CVE-2021-30326 - RESERVED -CVE-2021-30325 - RESERVED -CVE-2021-30324 - RESERVED -CVE-2021-30323 - RESERVED -CVE-2021-30322 - RESERVED +CVE-2021-30326 (Possible assertion due to improper size validation while processing th ...) + NOT-FOR-US: Qualcomm +CVE-2021-30325 (Possible out of bound access of DCI resources due to lack of validatio ...) + NOT-FOR-US: Qualcomm +CVE-2021-30324 (Possible out of bound write due to lack of boundary check for the maxi ...) + NOT-FOR-US: Qualcomm +CVE-2021-30323 (Improper validation of maximum size of data write to EFS file can lead ...) + NOT-FOR-US: Qualcomm +CVE-2021-30322 (Possible out of bounds write due to improper validation of number of G ...) + NOT-FOR-US: Qualcomm CVE-2021-30321 (Possible buffer overflow due to lack of parameter length check during ...) NOT-FOR-US: Snapdragon CVE-2021-30320 RESERVED -CVE-2021-30319 - RESERVED -CVE-2021-30318 - RESERVED -CVE-2021-30317 - RESERVED +CVE-2021-30319 (Possible integer overflow due to improper validation of command length ...) + NOT-FOR-US: Qualcomm +CVE-2021-30318 (Improper validation of input when provisioning the HDCP key can lead t ...) + NOT-FOR-US: Qualcomm +CVE-2021-30317 (Improper validation of program headers containing ELF metadata can lea ...) + NOT-FOR-US: Qualcomm CVE-2021-30316 (Possible out of bound memory access due to improper boundary check whi ...) NOT-FOR-US: Snapdragon CVE-2021-30315 (Improper handling of sensor HAL structure in absence of sensor can lea ...) NOT-FOR-US: Snapdragon -CVE-2021-30314 - RESERVED -CVE-2021-30313 - RESERVED +CVE-2021-30314 (Lack of validation for third party application accessing the service c ...) + NOT-FOR-US: Qualcomm +CVE-2021-30313 (Use after free condition can occur in wired connectivity due to a race ...) + NOT-FOR-US: Qualcomm CVE-2021-30312 (Improper authentication of sub-frames of a multicast AMSDU frame can l ...) NOT-FOR-US: Qualcomm components for Android -CVE-2021-30311 - RESERVED +CVE-2021-30311 (Possible heap overflow due to lack of index validation before allocati ...) + NOT-FOR-US: Qualcomm CVE-2021-30310 (Possible buffer overflow due to Improper validation of received CF-ACK ...) NOT-FOR-US: Qualcomm components for Android -CVE-2021-30309 - RESERVED -CVE-2021-30308 - RESERVED -CVE-2021-30307 - RESERVED +CVE-2021-30309 (Improper size validation of QXDM commands can lead to memory corruptio ...) + NOT-FOR-US: Qualcomm +CVE-2021-30308 (Possible buffer overflow while printing the HARQ memory partition deta ...) + NOT-FOR-US: Qualcomm +CVE-2021-30307 (Possible denial of service due to improper validation of DNS response ...) + NOT-FOR-US: Qualcomm CVE-2021-30306 (Possible buffer over read due to improper buffer allocation for file l ...) NOT-FOR-US: Qualcomm components for Android CVE-2021-30305 (Possible out of bound access due to lack of validation of page offset ...) NOT-FOR-US: Qualcomm components for Android CVE-2021-30304 (Possible buffer out of bound read can occur due to improper validation ...) NOT-FOR-US: Snapdragon -CVE-2021-30303 - RESERVED +CVE-2021-30303 (Possible buffer overflow due to lack of buffer length check when segme ...) + NOT-FOR-US: Qualcomm components for Android CVE-2021-30302 (Improper authentication of EAP WAPI EAPOL frames from unauthenticated ...) NOT-FOR-US: Qualcomm components for Android -CVE-2021-30301 - RESERVED -CVE-2021-30300 - RESERVED +CVE-2021-30301 (Possible denial of service due to out of memory while processing RRC a ...) + NOT-FOR-US: Qualcomm +CVE-2021-30300 (Possible denial of service due to incorrectly decoding hex data for th ...) + NOT-FOR-US: Qualcomm CVE-2021-30299 RESERVED -CVE-2021-30298 - RESERVED +CVE-2021-30298 (Possible out of bound access due to improper validation of item size a ...) + NOT-FOR-US: Qualcomm components for Android CVE-2021-30297 (Possible out of bound read due to improper validation of packet length ...) NOT-FOR-US: Qualcomm components for Android CVE-2021-30296 @@ -33206,60 +40850,60 @@ CVE-2021-30295 (Possible heap overflow due to improper validation of local varia NOT-FOR-US: Qualcomm components for Android CVE-2021-30294 (Potential null pointer dereference in KGSL GPU auxiliary command due t ...) NOT-FOR-US: Qualcomm components for Android -CVE-2021-30293 - RESERVED +CVE-2021-30293 (Possible assertion due to lack of input validation in PUSCH configurat ...) + NOT-FOR-US: Qualcomm components for Android CVE-2021-30292 (Possible memory corruption due to lack of validation of client data us ...) NOT-FOR-US: Qualcomm components for Android CVE-2021-30291 (Possible memory corruption due to lack of validation of client data us ...) NOT-FOR-US: Qualcomm components for Android CVE-2021-30290 (Possible null pointer dereference due to race condition between timeli ...) NOT-FOR-US: Snapdragon -CVE-2021-30289 - RESERVED +CVE-2021-30289 (Possible buffer overflow due to lack of range check while processing a ...) + NOT-FOR-US: Qualcomm components for Android CVE-2021-30288 (Possible stack overflow due to improper length check of TLV while copy ...) NOT-FOR-US: Qualcomm components for Android -CVE-2021-30287 - RESERVED +CVE-2021-30287 (Possible assertion due to improper validation of symbols configured fo ...) + NOT-FOR-US: Qualcomm CVE-2021-30286 RESERVED -CVE-2021-30285 - RESERVED +CVE-2021-30285 (Improper validation of memory region in Hypervisor can lead to incorre ...) + NOT-FOR-US: Qualcomm CVE-2021-30284 (Possible information exposure and denial of service due to NAS not dro ...) NOT-FOR-US: Qualcomm components for Android -CVE-2021-30283 - RESERVED -CVE-2021-30282 - RESERVED +CVE-2021-30283 (Possible denial of service due to improper handling of debug register ...) + NOT-FOR-US: Qualcomm components for Android +CVE-2021-30282 (Possible out of bound write in RAM partition table due to improper val ...) + NOT-FOR-US: Qualcomm components for Android CVE-2021-30281 RESERVED CVE-2021-30280 RESERVED -CVE-2021-30279 - RESERVED -CVE-2021-30278 - RESERVED +CVE-2021-30279 (Possible access control violation while setting current permission for ...) + NOT-FOR-US: Qualcomm components for Android +CVE-2021-30278 (Improper input validation in TrustZone memory transfer interface can l ...) + NOT-FOR-US: Qualcomm components for Android CVE-2021-30277 RESERVED -CVE-2021-30276 - RESERVED -CVE-2021-30275 - RESERVED -CVE-2021-30274 - RESERVED -CVE-2021-30273 - RESERVED -CVE-2021-30272 - RESERVED -CVE-2021-30271 - RESERVED -CVE-2021-30270 - RESERVED -CVE-2021-30269 - RESERVED -CVE-2021-30268 - RESERVED -CVE-2021-30267 - RESERVED +CVE-2021-30276 (Improper access control while doing XPU re-configuration dynamically c ...) + NOT-FOR-US: Android +CVE-2021-30275 (Possible integer overflow in page alignment interface due to lack of a ...) + NOT-FOR-US: Qualcomm components for Android +CVE-2021-30274 (Possible integer overflow in access control initialization interface d ...) + NOT-FOR-US: Qualcomm components for Android +CVE-2021-30273 (Possible assertion due to improper handling of IPV6 packet with invali ...) + NOT-FOR-US: Qualcomm components for Android +CVE-2021-30272 (Possible null pointer dereference in thread cache operation handler du ...) + NOT-FOR-US: Qualcomm components for Android +CVE-2021-30271 (Possible null pointer dereference in trap handler due to lack of threa ...) + NOT-FOR-US: Qualcomm components for Android +CVE-2021-30270 (Possible null pointer dereference in thread profile trap handler due t ...) + NOT-FOR-US: Qualcomm components for Android +CVE-2021-30269 (Possible null pointer dereference due to lack of TLB validation for us ...) + NOT-FOR-US: Qualcomm components for Android +CVE-2021-30268 (Possible heap Memory Corruption Issue due to lack of input validation ...) + NOT-FOR-US: Qualcomm components for Android +CVE-2021-30267 (Possible integer overflow to buffer overflow due to improper input val ...) + NOT-FOR-US: Qualcomm components for Android CVE-2021-30266 (Possible use after free due to improper memory validation when initial ...) NOT-FOR-US: Qualcomm components for Android CVE-2021-30265 (Possible memory corruption due to improper validation of memory addres ...) @@ -33268,8 +40912,8 @@ CVE-2021-30264 (Possible use after free due improper validation of reference fro NOT-FOR-US: Qualcomm components for Android CVE-2021-30263 (Possible race condition can occur due to lack of synchronization mecha ...) NOT-FOR-US: Qualcomm components for Android -CVE-2021-30262 - RESERVED +CVE-2021-30262 (Improper validation of a socket state when socket events are being sen ...) + NOT-FOR-US: Qualcomm components for Android CVE-2021-30261 (Possible integer and heap overflow due to lack of input command size v ...) NOT-FOR-US: Qualcomm components for Android CVE-2021-30260 (Possible Integer overflow to buffer overflow issue can occur due to im ...) @@ -33681,7 +41325,7 @@ CVE-2021-30123 (FFmpeg <=4.3 contains a buffer overflow vulnerability in liba NOTE: Introduced in https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=9c0beaf0d3bb72f6e83b3b155a598a9ec28c8468 CVE-2021-30122 RESERVED -CVE-2021-30121 (Local file inclusion exists in Kaseya VSA before 9.5.6. ...) +CVE-2021-30121 (Authenticated local file inclusion in Kaseya VSA < v9.5.6 ...) NOT-FOR-US: Kaseya CVE-2021-30120 (Kaseya VSA through 9.5.7 allows attackers to bypass the 2FA requiremen ...) NOT-FOR-US: Kaseya @@ -34192,19 +41836,18 @@ CVE-2021-30002 (An issue was discovered in the Linux kernel before 5.11.3 when a NOTE: https://git.kernel.org/linus/fb18802a338b36f675a388fc03d2aa504a0d0899 CVE-2021-3482 (A flaw was found in Exiv2 in versions before and including 0.27.4-RC1. ...) {DSA-4958-1 DLA-2750-1} - - exiv2 <unfixed> (bug #986888) + - exiv2 0.27.5-1 (bug #986888) [bullseye] - exiv2 <no-dsa> (Minor issue) NOTE: https://github.com/Exiv2/exiv2/issues/1522 NOTE: https://github.com/Exiv2/exiv2/commit/22ea582c6b74ada30bec3a6b15de3c3e52f2b4da NOTE: https://github.com/Exiv2/exiv2/commit/cac151ec052d44da3dc779e9e4028e581acb128a CVE-2021-3481 [Out of bounds read in function QRadialFetchSimd from crafted svg file] RESERVED + {DLA-2895-1 DLA-2885-1} - qtsvg-opensource-src 5.15.2-3 (bug #986798) [buster] - qtsvg-opensource-src <no-dsa> (Minor issue) - [stretch] - qtsvg-opensource-src <postponed> (Minor issue; can be fixed in next update) - qt4-x11 <removed> [buster] - qt4-x11 <no-dsa> (Minor issue) - [stretch] - qt4-x11 <postponed> (Minor issue; can be fixed in next update) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1931444 NOTE: https://bugreports.qt.io/browse/QTBUG-91507 NOTE: https://codereview.qt-project.org/gitweb?p=qt%2Fqtsvg.git;a=commit;h=bfd6ee0d8cf34b63d32adf10ed93daa0086b359f (qt/qtsvg/dev) @@ -34258,7 +41901,9 @@ CVE-2021-29923 (Go before 1.17 does not properly consider extraneous zero charac - golang-1.15 <unfixed> - golang-1.11 <removed> - golang-1.8 <removed> + [stretch] - golang-1.8 <ignored> (Minor issue, IP-based access control failure in specific cases, upstream won't fix supported releases for backward compatibility) - golang-1.7 <removed> + [stretch] - golang-1.7 <ignored> (Minor issue, IP-based access control failure in specific cases, upstream won't fix supported releases for backward compatibility) NOTE: https://github.com/golang/go/issues/30999 NOTE: https://github.com/golang/go/issues/43389 NOTE: https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-016.md @@ -34376,8 +42021,8 @@ CVE-2021-29874 RESERVED CVE-2021-29873 (IBM Flash System 900 could allow an authenticated attacker to obtain s ...) NOT-FOR-US: IBM -CVE-2021-29872 - RESERVED +CVE-2021-29872 (IBM Cloud Pak for Automation 21.0.1 and 21.0.2 - Business Automation S ...) + NOT-FOR-US: IBM CVE-2021-29871 RESERVED CVE-2021-29870 @@ -34386,16 +42031,16 @@ CVE-2021-29869 RESERVED CVE-2021-29868 (IBM i2 iBase 8.9.13 and 9.0.0 could allow a local attacker to obtain s ...) NOT-FOR-US: IBM -CVE-2021-29867 - RESERVED +CVE-2021-29867 (IBM Cognos Analytics 11.1.7 and 11.2.0 could allow an authenticated to ...) + NOT-FOR-US: IBM CVE-2021-29866 RESERVED CVE-2021-29865 RESERVED CVE-2021-29864 RESERVED -CVE-2021-29863 - RESERVED +CVE-2021-29863 (IBM QRadar SIEM 7.3 and 7.4 is vulnerable to server side request forge ...) + NOT-FOR-US: IBM CVE-2021-29862 (IBM AIX 7.1, 7.2, and VIOS 3.1 could allow a non-privileged local user ...) NOT-FOR-US: IBM CVE-2021-29861 (IBM AIX 7.1, 7.2, and VIOS 3.1 could allow a non-privileged local user ...) @@ -34422,16 +42067,16 @@ CVE-2021-29851 (IBM Planning Analytics 2.0 could allow a remote attacker to obta NOT-FOR-US: IBM CVE-2021-29850 RESERVED -CVE-2021-29849 - RESERVED +CVE-2021-29849 (IBM QRadar SIEM 7.3 and 7.4 is vulnerable to cross-site scripting. Thi ...) + NOT-FOR-US: IBM CVE-2021-29848 RESERVED -CVE-2021-29847 - RESERVED -CVE-2021-29846 - RESERVED -CVE-2021-29845 - RESERVED +CVE-2021-29847 (BMC firmware (IBM Power System S821LC Server (8001-12C) OP825.50) conf ...) + NOT-FOR-US: IBM +CVE-2021-29846 (IBM Security Guardium Insights 3.0 could allow an authenticated user t ...) + NOT-FOR-US: IBM +CVE-2021-29845 (IBM Security Guardium Insights 3.0 could allow an authenticated user t ...) + NOT-FOR-US: IBM CVE-2021-29844 (IBM Jazz Team Server products is vulnerable to server-side request for ...) NOT-FOR-US: IBM CVE-2021-29843 (IBM MQ 9.1 LTS, 9.1 CD, 9.2 LTS, and 9.2CD is vulnerable to a denial o ...) @@ -34444,8 +42089,8 @@ CVE-2021-29840 RESERVED CVE-2021-29839 RESERVED -CVE-2021-29838 - RESERVED +CVE-2021-29838 (IBM Security Guardium Insights 3.0 could allow a remote attacker to ob ...) + NOT-FOR-US: IBM CVE-2021-29837 (IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 6.1.1.0 i ...) NOT-FOR-US: IBM CVE-2021-29836 (IBM Sterling B2B Integrator Standard Edition 5.2.0.0. through 6.1.1.0 ...) @@ -34550,8 +42195,8 @@ CVE-2021-29787 RESERVED CVE-2021-29786 (IBM Jazz Team Server products stores user credentials in clear text wh ...) NOT-FOR-US: IBM -CVE-2021-29785 - RESERVED +CVE-2021-29785 (IBM Security SOAR V42 and V43could allow a remote attacker to obtain s ...) + NOT-FOR-US: IBM CVE-2021-29784 (IBM i2 Analyze 4.3.0, 4.3.1, and 4.3.2 could allow a remote attacker t ...) NOT-FOR-US: IBM CVE-2021-29783 @@ -34562,8 +42207,8 @@ CVE-2021-29781 (IBM Partner Engagement Manager 2.0 could allow a remote attacker NOT-FOR-US: IBM CVE-2021-29780 (IBM Resilient OnPrem v41.1 of IBM Security SOAR could allow an authent ...) NOT-FOR-US: IBM -CVE-2021-29779 - RESERVED +CVE-2021-29779 (IBM QRadar SIEM 7.3 and 7.4 could allow an attacker to obtain sensitiv ...) + NOT-FOR-US: IBM CVE-2021-29778 RESERVED CVE-2021-29777 (IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 9.7, ...) @@ -34608,8 +42253,8 @@ CVE-2021-29758 (IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 6.1 NOT-FOR-US: IBM CVE-2021-29757 (IBM QRadar User Behavior Analytics 4.1.1 is vulnerable to cross-site r ...) NOT-FOR-US: IBM -CVE-2021-29756 - RESERVED +CVE-2021-29756 (IBM Cognos Analytics 11.1.7 and 11.2.0 is vulnerable to cross-site req ...) + NOT-FOR-US: IBM CVE-2021-29755 RESERVED CVE-2021-29754 (IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable ...) @@ -34682,14 +42327,14 @@ CVE-2021-29721 RESERVED CVE-2021-29720 RESERVED -CVE-2021-29719 - RESERVED +CVE-2021-29719 (IBM Cognos Analytics 11.1.7 and 11.2.0 could be vulnerable to client s ...) + NOT-FOR-US: IBM CVE-2021-29718 RESERVED CVE-2021-29717 RESERVED -CVE-2021-29716 - RESERVED +CVE-2021-29716 (IBM Cognos Analytics 11.1.7 and 11.2.0 could allow a low level user to ...) + NOT-FOR-US: IBM CVE-2021-29715 (IBM API Connect 5.0.0.0 through 5.0.8.11 could alllow a remote user to ...) NOT-FOR-US: IBM CVE-2021-29714 (IBM Content Navigator 3.0.CD could allow a malicious user to cause a d ...) @@ -34718,8 +42363,8 @@ CVE-2021-29703 (Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) is NOT-FOR-US: IBM CVE-2021-29702 (Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.1.4 a ...) NOT-FOR-US: IBM -CVE-2021-29701 - RESERVED +CVE-2021-29701 (IBM Engineering Workflow Management 7.0, 7.0.1, and 7.0.2 as well as I ...) + NOT-FOR-US: IBM CVE-2021-29700 (IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 6.1.1.0 c ...) NOT-FOR-US: IBM CVE-2021-29699 (IBM Security Verify Access Docker 10.0.0 could allow a remote priviled ...) @@ -34764,8 +42409,8 @@ CVE-2021-29680 RESERVED CVE-2021-29679 (IBM Cognos Analytics 11.1.7 and 11.2.0 could allow an authenticated us ...) NOT-FOR-US: IBM -CVE-2021-29678 - RESERVED +CVE-2021-29678 (IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 9.7, ...) + NOT-FOR-US: IBM CVE-2021-29677 (IBM Security Verify (IBM Security Verify Privilege Vault 10.9.66) is v ...) NOT-FOR-US: IBM CVE-2021-29676 (IBM Security Verify (IBM Security Verify Privilege Vault 10.9.66) is v ...) @@ -34810,10 +42455,10 @@ CVE-2021-29657 (arch/x86/kvm/svm/nested.c in the Linux kernel before 5.11.12 has [stretch] - linux <not-affected> (Vulnerable code introduced later) NOTE: https://git.kernel.org/linus/a58d9166a756a0f4a6618e4f593232593d6df134 NOTE: https://googleprojectzero.blogspot.com/2021/06/an-epyc-escape-case-study-of-kvm.html -CVE-2021-29656 - RESERVED -CVE-2021-29655 - RESERVED +CVE-2021-29656 (Pexip Infinity Connect before 1.8.0 mishandles TLS certificate validat ...) + NOT-FOR-US: Pexip Infinity Connect +CVE-2021-29655 (Pexip Infinity Connect before 1.8.0 omits certain provisioning authent ...) + NOT-FOR-US: Pexip Infinity Connect CVE-2021-29654 (AjaxSearchPro before 4.20.8 allows Deserialization of Untrusted Data ( ...) NOT-FOR-US: AjaxSearchPro CVE-2021-29653 (HashiCorp Vault and Vault Enterprise 1.5.1 and newer, under certain ci ...) @@ -34902,8 +42547,9 @@ CVE-2021-29634 RESERVED CVE-2021-29633 RESERVED -CVE-2021-29632 - RESERVED +CVE-2021-29632 (In FreeBSD 13.0-STABLE before n247428-9352de39c3dc, 12.2-STABLE before ...) + - kfreebsd-10 <unfixed> (unimportant) + NOTE: https://www.freebsd.org/security/advisories/FreeBSD-SA-22:01.vt.asc CVE-2021-29631 (In FreeBSD 13.0-STABLE before n246941-20f96f215562, 12.2-STABLE before ...) NOT-FOR-US: FreeBSD CVE-2021-29630 (In FreeBSD 13.0-STABLE before n246938-0729ba2f49c9, 12.2-STABLE before ...) @@ -34927,7 +42573,7 @@ CVE-2021-29625 (Adminer is open-source database management software. A cross-sit CVE-2021-29624 (fastify-csrf is an open-source plugin helps developers protect their F ...) NOT-FOR-US: fastify-csrf CVE-2021-29623 (Exiv2 is a C++ library and a command-line utility to read, write, dele ...) - - exiv2 <unfixed> (bug #988481) + - exiv2 0.27.5-1 (bug #988481) [bullseye] - exiv2 <no-dsa> (Minor issue) [buster] - exiv2 <no-dsa> (Minor issue) [stretch] - exiv2 <no-dsa> (Minor issue) @@ -34942,7 +42588,9 @@ CVE-2021-29622 (Prometheus is an open-source monitoring system and time series d NOTE: The vulnerability itself is introduced with 2.23.0 upstream. NOTE: See https://bugs.debian.org/988804 for details. CVE-2021-29621 (Flask-AppBuilder is a development framework, built on top of Flask. Us ...) - NOT-FOR-US: Flask-AppBuilder + - flask-appbuilder <itp> (bug #998029) + NOTE: https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-434h-p4gx-jm89 + NOTE: https://github.com/dpgaspar/Flask-AppBuilder/commit/780bd0e8fbf2d36ada52edb769477e0a4edae580 (v3.3.0) CVE-2021-29620 (Report portal is an open source reporting and analysis framework. Star ...) NOT-FOR-US: Report portal CVE-2021-29619 (TensorFlow is an end-to-end open source platform for machine learning. ...) @@ -35199,6 +42847,7 @@ CVE-2021-29501 (Ticketer is a command based ticket system cog (plugin) for the r CVE-2021-29500 (bubble fireworks is an open source java package relating to Spring Fra ...) NOT-FOR-US: bubble fireworks CVE-2021-29499 (SIF is an open source implementation of the Singularity Container Imag ...) + [experimental] - golang-github-sylabs-sif 2.3.1-1 - golang-github-sylabs-sif <unfixed> (bug #991664) [bullseye] - golang-github-sylabs-sif <no-dsa> (Minor issue) NOTE: https://github.com/sylabs/sif/security/advisories/GHSA-4gh8-x3vv-phhg @@ -35284,7 +42933,7 @@ CVE-2021-29474 (HedgeDoc (formerly known as CodiMD) is an open-source collaborat NOT-FOR-US: HedgeDoc CVE-2021-29473 (Exiv2 is a C++ library and a command-line utility to read, write, dele ...) {DSA-4958-1 DLA-2750-1} - - exiv2 <unfixed> (bug #987736) + - exiv2 0.27.5-1 (bug #987736) [bullseye] - exiv2 <no-dsa> (Minor issue) NOTE: https://github.com/Exiv2/exiv2/security/advisories/GHSA-7569-phvm-vwc2 NOTE: https://github.com/Exiv2/exiv2/pull/1587 @@ -35300,7 +42949,7 @@ CVE-2021-29471 (Synapse is a Matrix reference homeserver written in python (pypi NOTE: https://github.com/matrix-org/synapse/security/advisories/GHSA-x345-32rc-8h85 NOTE: https://github.com/matrix-org/synapse/commit/03318a766cac9f8b053db2214d9c332a977d226c (v1.33.2) CVE-2021-29470 (Exiv2 is a command-line utility and C++ library for reading, writing, ...) - - exiv2 <unfixed> (bug #987450) + - exiv2 0.27.5-1 (bug #987450) [bullseye] - exiv2 <no-dsa> (Minor issue) [buster] - exiv2 <no-dsa> (Minor issue) [stretch] - exiv2 <not-affected> (Vulnerable code introduced later) @@ -35323,14 +42972,14 @@ CVE-2021-29466 (Discord-Recon is a bot for the Discord chat service. In versions CVE-2021-29465 (Discord-Recon is a bot for the Discord chat service. Versions of Disco ...) NOT-FOR-US: Discord-Recon CVE-2021-29464 (Exiv2 is a command-line utility and C++ library for reading, writing, ...) - - exiv2 <unfixed> (bug #988242) + - exiv2 0.27.5-1 (bug #988242) [bullseye] - exiv2 <no-dsa> (Minor issue) [buster] - exiv2 <not-affected> (Vulnerable code introduced later) [stretch] - exiv2 <not-affected> (Vulnerable code introduced later) NOTE: https://github.com/Exiv2/exiv2/security/advisories/GHSA-jgm9-5fw5-pw9p NOTE: https://github.com/Exiv2/exiv2/commit/f9308839198aca5e68a65194f151a1de92398f54 CVE-2021-29463 (Exiv2 is a command-line utility and C++ library for reading, writing, ...) - - exiv2 <unfixed> (bug #988241) + - exiv2 0.27.5-1 (bug #988241) [bullseye] - exiv2 <no-dsa> (Minor issue) [buster] - exiv2 <not-affected> (webp support introduced in 0.27) [stretch] - exiv2 <not-affected> (webp support introduced in 0.27) @@ -35352,7 +43001,7 @@ CVE-2021-29460 (Kirby is an open source CMS. An editor with write access to the CVE-2021-29459 (XWiki Platform is a generic wiki platform offering runtime services fo ...) NOT-FOR-US: XWiki CVE-2021-29458 (Exiv2 is a command-line utility and C++ library for reading, writing, ...) - - exiv2 <unfixed> (bug #987277) + - exiv2 0.27.5-1 (bug #987277) [bullseye] - exiv2 <no-dsa> (Minor issue) [buster] - exiv2 <no-dsa> (Minor issue) [stretch] - exiv2 <no-dsa> (Minor issue) @@ -35378,8 +43027,10 @@ CVE-2021-29456 (Authelia is an open-source authentication and authorization serv NOT-FOR-US: Authelia CVE-2021-29455 (Grassroot Platform is an application to make it faster, cheaper and ea ...) NOT-FOR-US: Grassroot Platform -CVE-2021-29454 - RESERVED +CVE-2021-29454 (Smarty is a template engine for PHP, facilitating the separation of pr ...) + - smarty3 <unfixed> + NOTE: https://github.com/smarty-php/smarty/security/advisories/GHSA-29gp-2c3m-3j6m + NOTE: https://github.com/smarty-php/smarty/commit/7ad97ad030b4289711e30819c928b8bc33c62b23 (3.1.42) CVE-2021-29453 (matrix-media-repo is an open-source multi-domain media repository for ...) NOT-FOR-US: matrix-media-repo CVE-2021-29452 (a12n-server is an npm package which aims to provide a simple authentic ...) @@ -35551,18 +43202,18 @@ CVE-2021-29400 (A cross-site request forgery (CSRF) vulnerability in the My SMTP NOT-FOR-US: My SMTP Contact plugin for GetSimple CMS CVE-2021-29399 (XMB is vulnerable to cross-site scripting (XSS) due to inadequate filt ...) NOT-FOR-US: XMB -CVE-2021-29398 - RESERVED -CVE-2021-29397 - RESERVED -CVE-2021-29396 - RESERVED -CVE-2021-29395 - RESERVED -CVE-2021-29394 - RESERVED -CVE-2021-29393 - RESERVED +CVE-2021-29398 (Directory traversal in /northstar/Common/NorthFileManager/fileManagerO ...) + NOT-FOR-US: Northstar +CVE-2021-29397 (Cleartext Transmission of Sensitive Information in /northstar/Admin/lo ...) + NOT-FOR-US: Northstar +CVE-2021-29396 (Systemic Insecure Permissions in Northstar Technologies Inc NorthStar ...) + NOT-FOR-US: Northstar +CVE-2021-29395 (Directory travesal in /northstar/filemanager/download.jsp in Northstar ...) + NOT-FOR-US: Northstar +CVE-2021-29394 (Account Hijacking in /northstar/Admin/changePassword.jsp in Northstar ...) + NOT-FOR-US: Northstar +CVE-2021-29393 (Remote Code Execution in cominput.jsp and comoutput.jsp in Northstar T ...) + NOT-FOR-US: Northstar CVE-2021-29392 RESERVED CVE-2021-29391 @@ -35679,7 +43330,7 @@ CVE-2021-29340 CVE-2021-29339 RESERVED CVE-2021-29338 (Integer Overflow in OpenJPEG v2.4.0 allows remote attackers to crash t ...) - - openjpeg2 <unfixed> (bug #987276) + - openjpeg2 2.4.0-4 (bug #987276) [bullseye] - openjpeg2 <no-dsa> (Minor issue) [buster] - openjpeg2 <no-dsa> (Minor issue) [stretch] - openjpeg2 <no-dsa> (Minor issue) @@ -35913,7 +43564,7 @@ CVE-2021-29243 (Cloudera Manager 5.x, 6.x, 7.1.x, 7.2.x, and 7.3.x allows XSS. . NOT-FOR-US: Cloudera Manager CVE-2021-29242 (CODESYS Control Runtime system before 3.5.17.0 has improper input vali ...) NOT-FOR-US: CODESYS Control Runtime -CVE-2021-29241 (CODESYS Gateway 3 before 3.5.17.0 has a NULL pointer dereference that ...) +CVE-2021-29241 (CODESYS Gateway 3 before 3.5.16.70 has a NULL pointer dereference that ...) NOT-FOR-US: CODESYS Gateway 3 CVE-2021-29240 (The Package Manager of CODESYS Development System 3 before 3.5.17.0 do ...) NOT-FOR-US: Package Manager of CODESYS Development System 3 @@ -35957,18 +43608,18 @@ CVE-2021-29221 (A local privilege escalation vulnerability was discovered in Erl - erlang <not-affected> (Windows-specific) CVE-2021-29220 RESERVED -CVE-2021-29219 - RESERVED -CVE-2021-29218 - RESERVED +CVE-2021-29219 (A potential local buffer overflow vulnerability has been identified in ...) + NOT-FOR-US: HPE +CVE-2021-29218 (A local unquoted search path security vulnerability has been identifie ...) + NOT-FOR-US: HPE CVE-2021-29217 RESERVED CVE-2021-29216 RESERVED -CVE-2021-29215 - RESERVED -CVE-2021-29214 - RESERVED +CVE-2021-29215 (A potential security vulnerability in HPE Ezmeral Data Fabric that may ...) + NOT-FOR-US: HPE +CVE-2021-29214 (A security vulnerability has been identified in HPE StoreServ Manageme ...) + NOT-FOR-US: HPE CVE-2021-29213 (A potential local bypass of security restrictions vulnerability has be ...) NOT-FOR-US: HPE CVE-2021-29212 (A remote unauthenticated directory traversal security vulnerability ha ...) @@ -36106,7 +43757,7 @@ CVE-2021-3467 (A NULL pointer dereference flaw was found in the way Jasper versi - jasper <removed> NOTE: https://github.com/jasper-software/jasper/issues/268 NOTE: https://github.com/jasper-software/jasper/commit/c4144a6fdb2660794136d1daaa80682ee40b138b -CVE-2021-3466 (A flaw was found in libmicrohttpd in versions before 0.9.71. A missing ...) +CVE-2021-3466 (A flaw was found in libmicrohttpd. A missing bounds check in the post_ ...) - libmicrohttpd 0.9.71-1 [buster] - libmicrohttpd <not-affected> (Vulnerable code introduced later) [stretch] - libmicrohttpd <not-affected> (Vulnerable code introduced later) @@ -36197,14 +43848,14 @@ CVE-2021-29118 RESERVED CVE-2021-29117 RESERVED -CVE-2021-29116 - RESERVED -CVE-2021-29115 - RESERVED -CVE-2021-29114 - RESERVED -CVE-2021-29113 - RESERVED +CVE-2021-29116 (A stored Cross Site Scripting (XSS) vulnerability in Esri ArcGIS Serve ...) + NOT-FOR-US: Esri ArcGIS Server +CVE-2021-29115 (An information disclosure vulnerability in the ArcGIS Service Director ...) + NOT-FOR-US: Esri ArcGIS +CVE-2021-29114 (A SQL injection vulnerability in feature services provided by Esri Arc ...) + NOT-FOR-US: Esri ArcGIS +CVE-2021-29113 (A remote file inclusion vulnerability in the ArcGIS Server help docume ...) + NOT-FOR-US: ArcGIS Server CVE-2021-29112 RESERVED CVE-2021-29111 @@ -36523,9 +44174,9 @@ CVE-2021-28966 (In Ruby through 3.0 on Windows, a remote attacker can submit a c - ruby2.7 <not-affected> (Windows-specific) NOTE: https://hackerone.com/reports/1131465 CVE-2021-28965 (The REXML gem before 3.2.5 in Ruby before 2.6.7, 2.7.x before 2.7.3, a ...) + {DSA-5066-1} - ruby2.7 2.7.3-1 (bug #986807) - ruby2.5 <removed> - [buster] - ruby2.5 <postponed> (Minor issue, can be fixed along with next update) - ruby2.3 <removed> [stretch] - ruby2.3 <postponed> (Minor issue; can be fixed in next update) [experimental] - ruby-rexml 3.2.5-1 @@ -36547,8 +44198,8 @@ CVE-2021-28964 (A race condition was discovered in get_old_root in fs/btrfs/ctre - linux 5.10.26-1 [buster] - linux 4.19.194-1 NOTE: https://git.kernel.org/linus/dbcc7d57bffc0c8cac9dac11bec548597d59a6a5 -CVE-2021-28962 - RESERVED +CVE-2021-28962 (Stormshield Network Security (SNS) before 4.2.2 allows a read-only adm ...) + NOT-FOR-US: Stormshield Network Security (SNS) CVE-2021-28961 (applications/luci-app-ddns/luasrc/model/cbi/ddns/detail.lua in the DDN ...) NOT-FOR-US: DDNS package for OpenWrt CVE-2021-28960 (Zoho ManageEngine Desktop Central before build 10.0.683 allows unauthe ...) @@ -37129,52 +44780,67 @@ CVE-2021-28717 RESERVED CVE-2021-28716 RESERVED -CVE-2021-28715 - RESERVED -CVE-2021-28714 - RESERVED -CVE-2021-28713 - RESERVED -CVE-2021-28712 - RESERVED -CVE-2021-28711 - RESERVED +CVE-2021-28715 (Guest can force Linux netback driver to hog large amounts of kernel me ...) + {DSA-5050-1} + - linux 5.15.15-1 + NOTE: https://xenbits.xen.org/xsa/advisory-392.html +CVE-2021-28714 (Guest can force Linux netback driver to hog large amounts of kernel me ...) + {DSA-5050-1} + - linux 5.15.15-1 + NOTE: https://xenbits.xen.org/xsa/advisory-392.html +CVE-2021-28713 (Rogue backends can cause DoS of guests via high frequency events T[his ...) + {DSA-5050-1} + - linux 5.15.15-1 + NOTE: https://xenbits.xen.org/xsa/advisory-391.html +CVE-2021-28712 (Rogue backends can cause DoS of guests via high frequency events T[his ...) + {DSA-5050-1} + - linux 5.15.15-1 + NOTE: https://xenbits.xen.org/xsa/advisory-391.html +CVE-2021-28711 (Rogue backends can cause DoS of guests via high frequency events T[his ...) + {DSA-5050-1} + - linux 5.15.15-1 + NOTE: https://xenbits.xen.org/xsa/advisory-391.html CVE-2021-28710 (certain VT-d IOMMUs may not work in shared page table mode For efficie ...) - xen <not-affected> (Only affects 4.15 series) NOTE: https://www.openwall.com/lists/oss-security/2021/11/19/9 NOTE: https://xenbits.xen.org/xsa/advisory-390.html CVE-2021-28709 (issues with partially successful P2M updates on x86 T[his CNA informat ...) - - xen <unfixed> + {DSA-5017-1} + - xen 4.14.3+32-g9de3671772-1 [buster] - xen <end-of-life> (DSA 4677-1) [stretch] - xen <end-of-life> (DSA 4602-1) NOTE: https://xenbits.xen.org/xsa/advisory-389.html CVE-2021-28708 (PoD operations on misaligned GFNs T[his CNA information record relates ...) - - xen <unfixed> + {DSA-5017-1} + - xen 4.14.3+32-g9de3671772-1 [buster] - xen <end-of-life> (DSA 4677-1) [stretch] - xen <end-of-life> (DSA 4602-1) NOTE: https://xenbits.xen.org/xsa/advisory-388.html CVE-2021-28707 (PoD operations on misaligned GFNs T[his CNA information record relates ...) - - xen <unfixed> + {DSA-5017-1} + - xen 4.14.3+32-g9de3671772-1 [buster] - xen <end-of-life> (DSA 4677-1) [stretch] - xen <end-of-life> (DSA 4602-1) NOTE: https://xenbits.xen.org/xsa/advisory-388.html CVE-2021-28706 (guests may exceed their designated memory limit When a guest is permit ...) - - xen <unfixed> + {DSA-5017-1} + - xen 4.14.3+32-g9de3671772-1 [buster] - xen <end-of-life> (DSA 4677-1) [stretch] - xen <end-of-life> (DSA 4602-1) NOTE: https://xenbits.xen.org/xsa/advisory-385.html CVE-2021-28705 (issues with partially successful P2M updates on x86 T[his CNA informat ...) - - xen <unfixed> + {DSA-5017-1} + - xen 4.14.3+32-g9de3671772-1 [buster] - xen <end-of-life> (DSA 4677-1) [stretch] - xen <end-of-life> (DSA 4602-1) NOTE: https://xenbits.xen.org/xsa/advisory-389.html CVE-2021-28704 (PoD operations on misaligned GFNs T[his CNA information record relates ...) - - xen <unfixed> + {DSA-5017-1} + - xen 4.14.3+32-g9de3671772-1 [buster] - xen <end-of-life> (DSA 4677-1) [stretch] - xen <end-of-life> (DSA 4602-1) NOTE: https://xenbits.xen.org/xsa/advisory-388.html -CVE-2021-28703 - RESERVED +CVE-2021-28703 (grant table v2 status pages may remain accessible after de-allocation ...) - xen 4.14.0+80-gd101b417b7-1 [buster] - xen <end-of-life> (DSA 4677-1) [stretch] - xen <end-of-life> (DSA 4602-1) @@ -37184,8 +44850,8 @@ CVE-2021-28703 NOTE: Debian including the fix. NOTE: https://xenbits.xen.org/gitweb/?p=xen.git;a=commit;h=c65ea16dbcafbe4fe21693b18f8c2a3c5d14600e (4.14.0-rc1) CVE-2021-28702 (PCI devices with RMRRs not deassigned correctly Certain PCI devices in ...) - - xen <unfixed> - [bullseye] - xen <postponed> (Minor issue, fix along with next DSA) + {DSA-5017-1} + - xen 4.14.3+32-g9de3671772-1 [buster] - xen <not-affected> (Vulnerable code introduced later) [stretch] - xen <not-affected> (Vulnerable code introduced later) NOTE: https://xenbits.xen.org/xsa/advisory-386.html @@ -37279,8 +44945,8 @@ CVE-2021-28682 (An issue was discovered in Envoy through 1.71.1. There is a remo - envoyproxy <itp> (bug #987544) CVE-2021-28681 (Pion WebRTC before 3.0.15 didn't properly tear down the DTLS Connectio ...) NOT-FOR-US: Pion WebRTC -CVE-2021-28680 - RESERVED +CVE-2021-28680 (The devise_masquerade gem before 1.3 allows certain attacks when a pas ...) + NOT-FOR-US: devise_masquerade CVE-2021-28679 RESERVED CVE-2021-28678 (An issue was discovered in Pillow before 8.2.0. For BLP data, BlpImage ...) @@ -37419,7 +45085,7 @@ CVE-2021-3446 (A flaw was found in libtpms in versions before 0.8.2. The commonl NOTE: https://github.com/stefanberger/libtpms/commit/32c159ab53db703749a8f90430cdc7b20b00975e CVE-2021-28650 (autoar-extractor.c in GNOME gnome-autoar before 0.3.1, as used by GNOM ...) [experimental] - gnome-autoar 0.3.1-1 - - gnome-autoar <unfixed> (bug #985391) + - gnome-autoar 0.4.0-1 (bug #985391) [bullseye] - gnome-autoar <no-dsa> (Minor issue) [buster] - gnome-autoar <not-affected> (Incomplete fix for CVE-2020-36241 not applied) [stretch] - gnome-autoar <not-affected> (Incomplete fix for CVE-2020-36241 not applied) @@ -37721,22 +45387,22 @@ CVE-2021-28509 RESERVED CVE-2021-28508 RESERVED -CVE-2021-28507 - RESERVED -CVE-2021-28506 - RESERVED +CVE-2021-28507 (An issue has recently been discovered in Arista EOS where, under certa ...) + NOT-FOR-US: Arista +CVE-2021-28506 (An issue has recently been discovered in Arista EOS where certain gNOI ...) + NOT-FOR-US: Arista CVE-2021-28505 RESERVED CVE-2021-28504 RESERVED -CVE-2021-28503 - RESERVED +CVE-2021-28503 (The impact of this vulnerability is that Arista's EOS eAPI may skip re ...) + NOT-FOR-US: Arista CVE-2021-28502 RESERVED -CVE-2021-28501 - RESERVED -CVE-2021-28500 - RESERVED +CVE-2021-28501 (An issue has recently been discovered in Arista EOS where the incorrec ...) + NOT-FOR-US: Arista +CVE-2021-28500 (An issue has recently been discovered in Arista EOS where the incorrec ...) + NOT-FOR-US: Arista CVE-2021-28499 (In Arista's MOS (Metamako Operating System) software which is supporte ...) NOT-FOR-US: Arista CVE-2021-28498 (In Arista's MOS (Metamako Operating System) software which is supporte ...) @@ -37995,10 +45661,10 @@ CVE-2021-28379 (web/upload/UploadHandler.php in Vesta Control Panel (aka VestaCP NOT-FOR-US: Vesta Control Panel CVE-2021-28378 (Gitea 1.12.x and 1.13.x before 1.13.4 allows XSS via certain issue dat ...) - gitea <removed> -CVE-2021-28377 - RESERVED -CVE-2021-28376 - RESERVED +CVE-2021-28377 (ChronoForums 2.0.11 allows av Directory Traversal to read arbitrary fi ...) + NOT-FOR-US: ChronoForums +CVE-2021-28376 (ChronoForms 7.0.7 allows fname Directory Traversal to read arbitrary f ...) + NOT-FOR-US: ChronoForums CVE-2021-28373 (The auth_internal plugin in Tiny Tiny RSS (aka tt-rss) before 2021-03- ...) - tt-rss <not-affected> (Vulnerable code introduced later) NOTE: https://community.tt-rss.org/t/check-password-not-called-if-otp-is-enabled-update-asap-if-youre-using-2fa/4502 @@ -38294,10 +45960,10 @@ CVE-2021-28239 RESERVED CVE-2021-28238 RESERVED -CVE-2021-28237 - RESERVED -CVE-2021-28236 - RESERVED +CVE-2021-28237 (LibreDWG v0.12.3 was discovered to contain a heap-buffer overflow via ...) + - libredwg <itp> (bug #595191) +CVE-2021-28236 (LibreDWG v0.12.3 was discovered to contain a NULL pointer dereference ...) + - libredwg <itp> (bug #595191) CVE-2021-28235 RESERVED CVE-2021-28234 @@ -38359,11 +46025,9 @@ CVE-2021-28215 CVE-2021-28214 RESERVED CVE-2021-28213 (Example EDK2 encrypted private key in the IpSecDxe.efi present potenti ...) - - edk2 <unfixed> (bug #989988) - [bullseye] - edk2 <no-dsa> (Minor issue) - [buster] - edk2 <no-dsa> (Minor issue) - [stretch] - edk2 <no-dsa> (Minor issue) + - edk2 0~20190606.20d2e5a1-2 (bug #989988; unimportant) NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=1866 + NOTE: IpSecDxe code not built. CVE-2021-28212 RESERVED CVE-2021-28211 (A heap overflow in LzmaUefiDecompressGetInfo function in EDK II. ...) @@ -38477,6 +46141,7 @@ CVE-2021-28167 (In Eclipse Openj9 to version 0.25.0, usage of the jdk.internal.r NOT-FOR-US: Eclipse OpenJ9 CVE-2021-28166 (In Eclipse Mosquitto version 2.0.0 to 2.0.9, if an authenticated clien ...) - mosquitto 2.0.10-1 (bug #986701) + [bullseye] - mosquitto <no-dsa> (Minor issue) [buster] - mosquitto <not-affected> (Vulnerable code introduced in 2.0) [stretch] - mosquitto <not-affected> (Vulnerable code introduced in 2.0) NOTE: https://bugs.eclipse.org/bugs/show_bug.cgi?id=572608 @@ -38705,8 +46370,8 @@ CVE-2021-28098 (An issue was discovered in Forescout CounterACT before 8.1.4. A NOT-FOR-US: Forescout CounterACT CVE-2021-28097 RESERVED -CVE-2021-28096 - RESERVED +CVE-2021-28096 (An issue was discovered in Stormshield SNS before 4.2.3 (when the prox ...) + NOT-FOR-US: Stormshield SNS CVE-2021-28095 (OX Documents before 7.10.5-rev5 has Incorrect Access Control for docum ...) NOT-FOR-US: OX Documents CVE-2021-28094 (OX Documents before 7.10.5-rev7 has Incorrect Access Control for conve ...) @@ -38956,10 +46621,10 @@ CVE-2021-27986 RESERVED CVE-2021-27985 RESERVED -CVE-2021-27984 - RESERVED -CVE-2021-27983 - RESERVED +CVE-2021-27984 (In Pluck-4.7.15 admin background a remote command execution vulnerabil ...) + NOT-FOR-US: Pluck CMS +CVE-2021-27983 (Remote Code Execution (RCE) vulnerability exists in MaxSite CMS v107.5 ...) + NOT-FOR-US: MaxSite CMS CVE-2021-27982 RESERVED CVE-2021-27981 @@ -38982,8 +46647,8 @@ CVE-2021-27973 (SQL injection exists in Piwigo before 11.4.0 via the language pa - piwigo <removed> CVE-2021-27972 RESERVED -CVE-2021-27971 - RESERVED +CVE-2021-27971 (Alps Alpine Touchpad Driver 10.3201.101.215 is vulnerable to DLL Injec ...) + NOT-FOR-US: Alps Alpine Touchpad Driver CVE-2021-27970 RESERVED CVE-2021-27969 (Dolphin CMS 7.4.2 is vulnerable to stored XSS via the Page Builder "wi ...) @@ -39147,7 +46812,7 @@ CVE-2021-3420 (A flaw was found in newlib in versions prior to 4.0.0. Improper o [buster] - newlib <no-dsa> (Minor issue) [stretch] - newlib <no-dsa> (Minor issue) - picolibc 1.5-1 - - libnewlib-nano <unfixed> (bug #984424) + - libnewlib-nano <removed> (bug #984424) [buster] - libnewlib-nano <no-dsa> (Minor issue) NOTE: Fix in picolibc: https://keithp.com/cgit/picolibc.git/commit/newlib/libc/stdlib/mallocr.c?id=aa106b29a6a8a1b0df9e334704292cbc32f2d44e NOTE: https://sourceware.org/git/?p=newlib-cygwin.git;a=commit;h=aa106b29a6a8a1b0df9e334704292cbc32f2d44e @@ -39279,18 +46944,18 @@ CVE-2021-27862 RESERVED CVE-2021-27861 RESERVED -CVE-2021-27860 - RESERVED -CVE-2021-27859 - RESERVED -CVE-2021-27858 - RESERVED -CVE-2021-27857 - RESERVED -CVE-2021-27856 - RESERVED -CVE-2021-27855 - RESERVED +CVE-2021-27860 (A vulnerability in the web management interface of FatPipe WARP, IPVPN ...) + NOT-FOR-US: FatPipe +CVE-2021-27859 (A missing authorization vulnerability in the web management interface ...) + NOT-FOR-US: FatPipe +CVE-2021-27858 (A missing authorization vulnerability in the web management interface ...) + NOT-FOR-US: FatPipe +CVE-2021-27857 (A missing authorization vulnerability in the web management interface ...) + NOT-FOR-US: FatPipe +CVE-2021-27856 (FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p91 ...) + NOT-FOR-US: FatPipe +CVE-2021-27855 (FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p91 ...) + NOT-FOR-US: FatPipe CVE-2021-27854 RESERVED CVE-2021-27853 @@ -39416,10 +47081,10 @@ CVE-2021-27799 (ean_leading_zeroes in backend/upcean.c in Zint Barcode Generator NOTE: https://sourceforge.net/p/zint/code/ci/7f8c8114f31c09a986597e0ba63a49f96150368a/ CVE-2021-27798 RESERVED -CVE-2021-27797 - RESERVED -CVE-2021-27796 - RESERVED +CVE-2021-27797 (Brocade Fabric OS before Brocade Fabric OS v8.2.1c, v8.1.2h, and all v ...) + NOT-FOR-US: Brocade +CVE-2021-27796 (A vulnerability in Brocade Fabric OS versions before Brocade Fabric OS ...) + NOT-FOR-US: Brocade CVE-2021-27795 RESERVED CVE-2021-27794 (A vulnerability in the authentication mechanism of Brocade Fabric OS v ...) @@ -39500,12 +47165,12 @@ CVE-2021-27757 RESERVED CVE-2021-27756 RESERVED -CVE-2021-27755 - RESERVED +CVE-2021-27755 ("Sametime Android potential path traversal vulnerability when using Fi ...) + NOT-FOR-US: HCL CVE-2021-27754 RESERVED -CVE-2021-27753 - RESERVED +CVE-2021-27753 ("Sametime Android PathTraversal Vulnerability" ...) + NOT-FOR-US: HCL CVE-2021-27752 RESERVED CVE-2021-27751 @@ -39534,8 +47199,8 @@ CVE-2021-27740 RESERVED CVE-2021-27739 RESERVED -CVE-2021-27738 - RESERVED +CVE-2021-27738 (All request mappings in `StreamingCoordinatorController.java` handling ...) + NOT-FOR-US: Apache Kylin (different from Kylin desktop environment) CVE-2021-27737 (Apache Traffic Server 9.0.0 is vulnerable to a remote DOS attack on th ...) - trafficserver <not-affected> (Only affects 9.x) CVE-2021-27803 (A vulnerability was discovered in how p2p/p2p_pd.c in wpa_supplicant b ...) @@ -39727,8 +47392,8 @@ CVE-2021-27656 (A vulnerability in exacqVision Web Service 20.12.2.0 and prior c NOT-FOR-US: exacqVision Web Service CVE-2021-27655 RESERVED -CVE-2021-27654 - RESERVED +CVE-2021-27654 (Forgotten password reset functionality for local accounts can be used ...) + NOT-FOR-US: Pega CVE-2021-27653 (Misconfiguration of the Pega Chat Access Group portal in Pega platform ...) NOT-FOR-US: Pega CVE-2021-27652 @@ -40150,24 +47815,24 @@ CVE-2021-27455 (Delta Electronics DOPSoft Versions 4.0.10.17 and prior are vulne NOT-FOR-US: Delta Electronics CVE-2021-27454 (The software performs an operation at a privilege level higher than th ...) NOT-FOR-US: GE -CVE-2021-27453 - RESERVED +CVE-2021-27453 (Mesa Labs AmegaView Versions 3.0 uses default cookies that could be se ...) + NOT-FOR-US: Mesa Labs CVE-2021-27452 (The software contains a hard-coded password that could allow an attack ...) NOT-FOR-US: GE -CVE-2021-27451 - RESERVED +CVE-2021-27451 (Mesa Labs AmegaView Versions 3.0 and prior’s passcode is generat ...) + NOT-FOR-US: Mesa Labs CVE-2021-27450 (SSH server configuration file does not implement some best practices. ...) NOT-FOR-US: GE -CVE-2021-27449 - RESERVED +CVE-2021-27449 (Mesa Labs AmegaView Versions 3.0 and prior has a command injection vul ...) + NOT-FOR-US: Mesa Labs CVE-2021-27448 (A miscommunication in the file system allows adversaries with access t ...) NOT-FOR-US: GE -CVE-2021-27447 - RESERVED +CVE-2021-27447 (Mesa Labs AmegaView version 3.0 is vulnerable to a command injection, ...) + NOT-FOR-US: Mesa Labs CVE-2021-27446 RESERVED -CVE-2021-27445 - RESERVED +CVE-2021-27445 (Mesa Labs AmegaView Versions 3.0 and prior has insecure file permissio ...) + NOT-FOR-US: Mesa Labs CVE-2021-27444 RESERVED CVE-2021-27443 @@ -40274,7 +47939,7 @@ CVE-2021-27395 (A vulnerability has been identified in SIMATIC Process Historian NOT-FOR-US: Siemens CVE-2021-27394 (A vulnerability has been identified in Mendix Applications using Mendi ...) NOT-FOR-US: Mendix Applications (Siemens) -CVE-2021-27393 (A vulnerability has been identified in Capital VSTAR (Versions includi ...) +CVE-2021-27393 (A vulnerability has been identified in Nucleus NET (All versions), Nuc ...) NOT-FOR-US: Nucleus (Siemens) CVE-2021-27392 (A vulnerability has been identified in Siveillance Video Open Network ...) NOT-FOR-US: Siveillance @@ -41105,19 +48770,32 @@ CVE-2021-27026 (A flaw was divered in Puppet Enterprise and other Puppet product NOT-FOR-US: Puppet Enterprise CVE-2021-27025 (A flaw was discovered in Puppet Agent where the agent may silently ign ...) - puppet <unfixed> + [bullseye] - puppet <ignored> (Minor issue, too intrusive to backport) + [buster] - puppet <ignored> (Minor issue, too intrusive to backport) + [stretch] - puppet <ignored> (Minor issue, too intrusive to backport) NOTE: https://puppet.com/security/cve/cve-2021-27025 NOTE: https://github.com/puppetlabs/puppet/commit/da8b73edca174309a9bef5f62cd276933fe733e8 (6.25.1) + NOTE: Limited impact, needs a malformed custom type provider CVE-2021-27024 (A flaw was discovered in Continuous Delivery for Puppet Enterprise (CD ...) NOT-FOR-US: Continuous Delivery for Puppet Enterprise CVE-2021-27023 (A flaw was discovered in Puppet Agent and Puppet Server that may resul ...) - puppet <unfixed> + [bullseye] - puppet <ignored> (Minor issue) + [buster] - puppet <ignored> (Minor issue) + [stretch] - puppet <ignored> (Minor issue) NOTE: https://puppet.com/security/cve/cve-2021-27023 NOTE: https://github.com/puppetlabs/puppet/commit/e90023a8b54a58073d71dae655d7636e2c9bcc61 (6.25.1) + NOTE: Marginal/unclear security implications, the redirects are fully under control of + NOTE: the puppet masters and the advisory states this CVE would be similar to CVE-2018-1000007, + NOTE: but CVE is for curl, which obviously has different scope being a library. Plus, all + NOTE: reasonably secure installations use client auth on the agents + NOTE: Previous client code in lib/puppet/network/http/connection.rb also vulnerable CVE-2021-27022 (A flaw was discovered in bolt-server and ace where running a task with ...) - puppet <not-affected> (Only affects Puppet Enterprise) NOTE: https://puppet.com/security/cve/CVE-2021-27022/ CVE-2021-27021 (A flaw was discovered in Puppet DB, this flaw results in an escalation ...) - puppetdb <unfixed> (bug #990419) + [buster] - puppetdb <no-dsa> (Minor issue) NOTE: https://puppet.com/security/cve/cve-2021-27021/ NOTE: https://github.com/puppetlabs/puppetdb/commit/c146e624d230f7410fb648d58ae28c0e3cd457a2 NOTE: https://github.com/puppetlabs/puppetdb/commit/f8dc81678cf347739838e42cc1c426d96406c266 @@ -41153,10 +48831,10 @@ CVE-2021-27009 RESERVED CVE-2021-27008 RESERVED -CVE-2021-27007 - RESERVED -CVE-2021-27006 - RESERVED +CVE-2021-27007 (NetApp Virtual Desktop Service (VDS) when used with an HTML5 gateway i ...) + NOT-FOR-US: NetApp Virtual Desktop Service +CVE-2021-27006 (StorageGRID (formerly StorageGRID Webscale) versions 11.5 prior to 11. ...) + NOT-FOR-US: StorageGRID CVE-2021-27005 (Clustered Data ONTAP versions 9.6 and higher prior to 9.6P16, 9.7P16, ...) NOT-FOR-US: Clustered Data ONTAP CVE-2021-27004 (System Manager 9.x versions 9.7 and higher prior to 9.7P16, 9.8P7 and ...) @@ -41677,8 +49355,8 @@ CVE-2021-26802 RESERVED CVE-2021-26801 RESERVED -CVE-2021-26800 - RESERVED +CVE-2021-26800 (Cross Site Request Forgery (CSRF) vulnerability in Change-password.php ...) + NOT-FOR-US: phpgurukul CVE-2021-26799 (Cross Site Scripting (XSS) vulnerability in admin/files/edit in Omeka ...) NOT-FOR-US: Omeka CVE-2021-26798 @@ -41703,8 +49381,8 @@ CVE-2021-26789 RESERVED CVE-2021-26788 (Oryx Embedded CycloneTCP 1.7.6 to 2.0.0, fixed in 2.0.2, is affected b ...) NOT-FOR-US: Oryx Embedded CycloneTCP -CVE-2021-26787 - RESERVED +CVE-2021-26787 (A cross site scripting (XSS) vulnerability in Genesys Workforce Manage ...) + NOT-FOR-US: Genesys Workforce Management CVE-2021-26786 (An issue was discoverered in in customercentric-selling-poland PlayTub ...) NOT-FOR-US: PlayTube CVE-2021-26785 @@ -41723,8 +49401,8 @@ CVE-2021-26779 RESERVED CVE-2021-26778 RESERVED -CVE-2021-26777 - RESERVED +CVE-2021-26777 (Buffer overflow vulnerability in function SetFirewall in index.cgi in ...) + NOT-FOR-US: CIRCUTOR COMPACT DC-S BASIC smart metering concentrator Firwmare CVE-2021-26776 (CSZ CMS 1.2.9 is affected by a cross-site scripting (XSS) vulnerabilit ...) NOT-FOR-US: CSZ CMS CVE-2021-26775 @@ -41825,8 +49503,8 @@ CVE-2021-26728 RESERVED CVE-2021-26727 RESERVED -CVE-2021-26726 - RESERVED +CVE-2021-26726 (A remote code execution vulnerability affecting a Valmet DNA service l ...) + NOT-FOR-US: Valmet CVE-2021-26725 (Path Traversal vulnerability when changing timezone using web GUI of N ...) NOT-FOR-US: Nozomi Networks Guardian CVE-2021-26724 (OS Command Injection vulnerability when changing date settings or host ...) @@ -41872,8 +49550,8 @@ CVE-2021-26709 (** UNSUPPORTED WHEN ASSIGNED ** D-Link DSL-320B-D1 devices throu NOT-FOR-US: D-Link CVE-2021-26707 (The merge-deep library before 3.0.3 for Node.js can be tricked into ov ...) NOT-FOR-US: Node deep-merge -CVE-2021-26706 - RESERVED +CVE-2021-26706 (An issue was discovered in lib_mem.c in Micrium uC/OS uC/LIB 1.38.x an ...) + NOT-FOR-US: Micrium CVE-2021-26705 (An issue was discovered in SquareBox CatDV Server through 9.2. An atta ...) NOT-FOR-US: SquareBox CatDV Server CVE-2021-26704 (EPrints 3.4.2 allows remote attackers to execute arbitrary commands vi ...) @@ -41958,12 +49636,12 @@ CVE-2021-26677 (A local authenticated escalation of privilege vulnerability was NOT-FOR-US: Aruba CVE-2021-3399 RESERVED -CVE-2021-3398 - RESERVED +CVE-2021-3398 (Stormshield Network Security (SNS) 3.x has an Integer Overflow in the ...) + NOT-FOR-US: Stormshield Network Security (SNS) CVE-2021-3397 RESERVED CVE-2021-3396 (OpenNMS Meridian 2016, 2017, 2018 before 2018.1.25, 2019 before 2019.1 ...) - NOT-FOR-US: OpenNMS + - opennms <itp> (bug #450615) CVE-2021-26676 (gdhcp in ConnMan before 1.39 could be used by network-adjacent attacke ...) {DSA-4847-1 DLA-2552-1} - connman 1.36-2.1 @@ -42083,22 +49761,22 @@ CVE-2021-26621 RESERVED CVE-2021-26620 RESERVED -CVE-2021-26619 - RESERVED -CVE-2021-26618 - RESERVED +CVE-2021-26619 (An path traversal vulnerability leading to delete arbitrary files was ...) + NOT-FOR-US: BigFileAgent +CVE-2021-26618 (An improper input validation leading to arbitrary file creation was di ...) + NOT-FOR-US: ToWord of ToOffice CVE-2021-26617 RESERVED -CVE-2021-26616 - RESERVED +CVE-2021-26616 (An OS command injection was found in SecuwaySSL, when special characte ...) + NOT-FOR-US: SecuwaySSL client for MacOS CVE-2021-26615 (ARK library allows attackers to execute remote code via the parameter( ...) NOT-FOR-US: ARK library CVE-2021-26614 (ius_get.cgi in IpTime C200 camera allows remote code execution. A remo ...) NOT-FOR-US: IpTime C200 camera -CVE-2021-26613 - RESERVED -CVE-2021-26612 - RESERVED +CVE-2021-26613 (improper input validation vulnerability in nexacro permits copying fil ...) + NOT-FOR-US: Tobesoft Nexacro +CVE-2021-26612 (An improper input validation leading to arbitrary file creation was di ...) + NOT-FOR-US: Tobesoft Nexacro CVE-2021-26611 (HejHome GKW-IC052 IP Camera contained a hard-coded credentials vulnera ...) NOT-FOR-US: HejHome GKW-IC052 IP Camera CVE-2021-26610 (The move_uploaded_file function in godomall5 does not perform an integ ...) @@ -42142,6 +49820,7 @@ CVE-2021-3392 (A use-after-free flaw was found in the MegaRAID emulator of QEMU. [buster] - qemu <postponed> (Minor issue) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg00488.html NOTE: https://bugs.launchpad.net/qemu/+bug/1914236 + NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=3791642c8d60029adf9b00bcb4e34d7d8a1aea4d CVE-2021-26597 (An issue was discovered in Nokia NetAct 18A. A remote user, authentica ...) NOT-FOR-US: Nokia NetAct 18A CVE-2021-26596 (An issue was discovered in Nokia NetAct 18A. A malicious user can chan ...) @@ -42281,17 +49960,17 @@ CVE-2021-26542 CVE-2021-26541 (The gitlog function in src/index.ts in gitlog before 4.0.4 has a comma ...) NOT-FOR-US: Node gitlog CVE-2021-26540 (Apostrophe Technologies sanitize-html before 2.3.2 does not properly v ...) - NOT-FOR-US: sanitize-html + - node-sanitize-html <not-affected> (Fixed before initial upload) CVE-2021-26539 (Apostrophe Technologies sanitize-html before 2.3.1 does not properly h ...) - NOT-FOR-US: sanitize-html + - node-sanitize-html <not-affected> (Fixed before initial upload) CVE-2021-3379 RESERVED CVE-2021-3378 (FortiLogger 4.4.2.2 is affected by Arbitrary File Upload by sending a ...) NOT-FOR-US: FortiLogger CVE-2021-3377 (The npm package ansi_up converts ANSI escape codes into HTML. In ansi_ ...) - node-ansi-up 5.0.0+dfsg-1 (bug #984667) -CVE-2021-3376 - RESERVED +CVE-2021-3376 (An issue was discovered in Cuppa CMS Versions Before 31 Jan 2021 allow ...) + NOT-FOR-US: Cuppa CMS CVE-2021-3375 (ActivePresenter 6.1.6 is affected by a memory corruption vulnerability ...) NOT-FOR-US: ActivePresenter CVE-2021-3374 (Directory traversal in RStudio Shiny Server before 1.5.16 allows attac ...) @@ -42302,8 +49981,8 @@ CVE-2021-3372 RESERVED CVE-2021-3371 RESERVED -CVE-2021-3370 - RESERVED +CVE-2021-3370 (DouPHP v1.6 was discovered to contain a cross-site scripting (XSS) vul ...) + NOT-FOR-US: DouPHP CVE-2021-3369 RESERVED CVE-2021-3368 @@ -42483,13 +50162,13 @@ CVE-2021-26476 (EPrints 3.4.2 allows remote attackers to execute OS commands via NOT-FOR-US: EPrints CVE-2021-26475 (EPrints 3.4.2 exposes a reflected XSS opportunity in the via a cgi/cal ...) NOT-FOR-US: EPrints -CVE-2021-26474 (Vembu BDR Suite before 4.2.0 allows Unauthenticated SSRF via a GET req ...) +CVE-2021-26474 (Various Vembu products allow an attacker to execute a (non-blind) http ...) NOT-FOR-US: Vembu BDR Suite -CVE-2021-26473 (Vembu BDR Suite before 4.2.0 allows Unauthenticated file write via a G ...) +CVE-2021-26473 (In VembuBDR before 4.2.0.1 and VembuOffsiteDR before 4.2.0.1 the http ...) NOT-FOR-US: Vembu BDR Suite -CVE-2021-26472 (Vembu BDR Suite before 4.2.0 allows Unauthenticated Remote Code Execut ...) +CVE-2021-26472 (In VembuBDR before 4.2.0.1 and VembuOffsiteDR before 4.2.0.1 installed ...) NOT-FOR-US: Vembu BDR Suite -CVE-2021-26471 (Vembu BDR Suite before 4.2.0 allows Unauthenticated Remote Code Execut ...) +CVE-2021-26471 (In VembuBDR before 4.2.0.1 and VembuOffsiteDR before 4.2.0.1, the http ...) NOT-FOR-US: Vembu BDR Suite CVE-2021-26470 RESERVED @@ -42751,8 +50430,8 @@ CVE-2021-26342 RESERVED CVE-2021-26341 RESERVED -CVE-2021-26340 - RESERVED +CVE-2021-26340 (A malicious hypervisor in conjunction with an unprivileged attacker pr ...) + NOT-FOR-US: AMD CVE-2021-26339 RESERVED CVE-2021-26338 (Improper access controls in System Management Unit (SMU) may allow for ...) @@ -42763,8 +50442,8 @@ CVE-2021-26336 (Insufficient bounds checking in System Management Unit (SMU) may NOT-FOR-US: AMD CVE-2021-26335 (Improper input and range checking in the Platform Security Processor ( ...) NOT-FOR-US: AMD -CVE-2021-26334 - RESERVED +CVE-2021-26334 (The AMDPowerProfiler.sys driver of AMD μProf tool may allow lower ...) + NOT-FOR-US: AMD CVE-2021-26333 (An information disclosure vulnerability exists in AMD Platform Securit ...) NOT-FOR-US: AMD CVE-2021-26332 @@ -43443,12 +51122,12 @@ CVE-2021-26112 RESERVED CVE-2021-26111 (A missing release of memory after effective lifetime vulnerability in ...) NOT-FOR-US: Fortiguard -CVE-2021-26110 - RESERVED -CVE-2021-26109 - RESERVED -CVE-2021-26108 - RESERVED +CVE-2021-26110 (An improper access control vulnerability [CWE-284] in FortiOS autod da ...) + NOT-FOR-US: FortiGuard +CVE-2021-26109 (An integer overflow or wraparound vulnerability in the memory allocato ...) + NOT-FOR-US: FortiGuard +CVE-2021-26108 (A use of hard-coded cryptographic key vulnerability in the SSLVPN of F ...) + NOT-FOR-US: FortiGuard CVE-2021-26107 (An improper access control vulnerability [CWE-284] in FortiManager ver ...) NOT-FOR-US: Fortiguard CVE-2021-26106 (An improper neutralization of special elements used in an OS Command v ...) @@ -43457,8 +51136,8 @@ CVE-2021-26105 RESERVED CVE-2021-26104 RESERVED -CVE-2021-26103 - RESERVED +CVE-2021-26103 (An insufficient verification of data authenticity vulnerability (CWE-3 ...) + NOT-FOR-US: FortiGuard CVE-2021-26102 RESERVED CVE-2021-26101 @@ -43532,57 +51211,57 @@ CVE-2021-26068 (An endpoint in Atlassian Jira Server for Slack plugin from versi CVE-2021-26067 (Affected versions of Atlassian Bamboo allow an unauthenticated remote ...) NOT-FOR-US: Atlassian CVE-2021-26066 - RESERVED + REJECTED CVE-2021-26065 - RESERVED + REJECTED CVE-2021-26064 - RESERVED + REJECTED CVE-2021-26063 - RESERVED + REJECTED CVE-2021-26062 - RESERVED + REJECTED CVE-2021-26061 - RESERVED + REJECTED CVE-2021-26060 - RESERVED + REJECTED CVE-2021-26059 - RESERVED + REJECTED CVE-2021-26058 - RESERVED + REJECTED CVE-2021-26057 - RESERVED + REJECTED CVE-2021-26056 - RESERVED + REJECTED CVE-2021-26055 - RESERVED + REJECTED CVE-2021-26054 - RESERVED + REJECTED CVE-2021-26053 - RESERVED + REJECTED CVE-2021-26052 - RESERVED + REJECTED CVE-2021-26051 - RESERVED + REJECTED CVE-2021-26050 - RESERVED + REJECTED CVE-2021-26049 - RESERVED + REJECTED CVE-2021-26048 - RESERVED + REJECTED CVE-2021-26047 - RESERVED + REJECTED CVE-2021-26046 - RESERVED + REJECTED CVE-2021-26045 - RESERVED + REJECTED CVE-2021-26044 - RESERVED + REJECTED CVE-2021-26043 - RESERVED + REJECTED CVE-2021-26042 - RESERVED + REJECTED CVE-2021-26041 - RESERVED + REJECTED CVE-2021-26040 (An issue was discovered in Joomla! 4.0.0. The media manager does not c ...) NOT-FOR-US: Joomla! CVE-2021-26039 (An issue was discovered in Joomla! 3.0.0 through 3.9.27. Inadequate es ...) @@ -43696,22 +51375,22 @@ CVE-2021-25996 RESERVED CVE-2021-25995 RESERVED -CVE-2021-25994 - RESERVED -CVE-2021-25993 - RESERVED -CVE-2021-25992 - RESERVED -CVE-2021-25991 - RESERVED -CVE-2021-25990 - RESERVED -CVE-2021-25989 - RESERVED -CVE-2021-25988 - RESERVED -CVE-2021-25987 - RESERVED +CVE-2021-25994 (In Userfrosting, versions v0.3.1 to v4.6.2 are vulnerable to Host Head ...) + NOT-FOR-US: Userfrosting +CVE-2021-25993 (In Requarks wiki.js, versions 2.0.0-beta.147 to 2.5.255 are affected b ...) + NOT-FOR-US: Requarks wiki.js +CVE-2021-25992 (In Ifme, versions 1.0.0 to v.7.33.2 don’t properly invalidate a ...) + NOT-FOR-US: Ifme +CVE-2021-25991 (In Ifme, versions v5.0.0 to v7.32 are vulnerable against an improper a ...) + NOT-FOR-US: Ifme +CVE-2021-25990 (In “ifme”, versions v7.22.0 to v7.31.4 are vulnerable agai ...) + NOT-FOR-US: Ifme +CVE-2021-25989 (In “ifme”, versions 1.0.0 to v7.31.4 are vulnerable agains ...) + NOT-FOR-US: Ifme +CVE-2021-25988 (In “ifme”, versions 1.0.0 to v7.31.4 are vulnerable agains ...) + NOT-FOR-US: Ifme +CVE-2021-25987 (Hexo versions 0.0.1 to 5.4.0 are vulnerable against stored XSS. The po ...) + NOT-FOR-US: hexo blog framework CVE-2021-25986 (In Django-wiki, versions 0.0.20 to 0.7.8 are vulnerable to Stored Cros ...) NOT-FOR-US: Django-wiki CVE-2021-25985 (In Factor (App Framework & Headless CMS) v1.0.4 to v1.8.30, improp ...) @@ -43722,8 +51401,8 @@ CVE-2021-25983 (In Factor (App Framework & Headless CMS) forum plugin, versi NOT-FOR-US: Factor (App Framework & Headless CMS) CVE-2021-25982 (In Factor (App Framework & Headless CMS) forum plugin, versions 1. ...) NOT-FOR-US: Factor (App Framework & Headless CMS) -CVE-2021-25981 - RESERVED +CVE-2021-25981 (In Talkyard, regular versions v0.2021.20 through v0.2021.33 and dev ve ...) + NOT-FOR-US: Talkyard CVE-2021-25980 (In Talkyard, versions v0.04.01 through v0.6.74-WIP-63220cb, v0.2020.22 ...) NOT-FOR-US: Talkyard CVE-2021-25979 (Apostrophe CMS versions between 2.63.0 to 3.3.1 affected by an insuffi ...) @@ -43750,8 +51429,8 @@ CVE-2021-25969 (In Camaleon CMS application, versions 0.0.1 to 2.6.0 are vulnera NOT-FOR-US: Camaleon CMS CVE-2021-25968 (In “OpenCMS”, versions 10.5.0 to 11.0.2 are affected by a ...) NOT-FOR-US: OpenCMS -CVE-2021-25967 - RESERVED +CVE-2021-25967 (In CKAN, versions 2.9.0 to 2.9.3 are affected by a stored XSS vulnerab ...) + NOT-FOR-US: CKAN CVE-2021-25966 (In “Orchard core CMS” application, versions 1.0.0-beta1-33 ...) NOT-FOR-US: Orchard CMS CVE-2021-25965 (In Calibre-web, versions 0.6.0 to 0.6.13 are vulnerable to Cross-Site ...) @@ -43809,8 +51488,8 @@ CVE-2021-25941 (Prototype pollution vulnerability in 'deep-override' versions 1. NOT-FOR-US: Node deep-override CVE-2021-25940 (In ArangoDB, versions v3.7.6 through v3.8.3 are vulnerable to Insuffic ...) - arangodb <itp> (bug #761817) -CVE-2021-25939 - RESERVED +CVE-2021-25939 (In ArangoDB, versions v3.7.0 through v3.9.0-alpha.1 have a feature whi ...) + - arangodb <itp> (bug #761817) CVE-2021-25938 (In ArangoDB, versions v2.2.6.2 through v3.7.10 are vulnerable to Cross ...) - arangodb <itp> (bug #761817) CVE-2021-25937 @@ -43818,19 +51497,19 @@ CVE-2021-25937 CVE-2021-25936 RESERVED CVE-2021-25935 (In OpenNMS Horizon, versions opennms-17.0.0-1 through opennms-27.1.0-1 ...) - NOT-FOR-US: OpenNMS + - opennms <itp> (bug #450615) CVE-2021-25934 (In OpenNMS Horizon, versions opennms-18.0.0-1 through opennms-27.1.0-1 ...) - NOT-FOR-US: OpenNMS + - opennms <itp> (bug #450615) CVE-2021-25933 (In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0 ...) - NOT-FOR-US: OpenNMS + - opennms <itp> (bug #450615) CVE-2021-25932 (In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0 ...) - NOT-FOR-US: OpenNMS + - opennms <itp> (bug #450615) CVE-2021-25931 (In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0 ...) - NOT-FOR-US: OpenNMS + - opennms <itp> (bug #450615) CVE-2021-25930 (In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0 ...) - NOT-FOR-US: OpenNMS + - opennms <itp> (bug #450615) CVE-2021-25929 (In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0 ...) - NOT-FOR-US: OpenNMS + - opennms <itp> (bug #450615) CVE-2021-25928 (Prototype pollution vulnerability in 'safe-obj' versions 1.0.0 through ...) NOT-FOR-US: Node safe-obj CVE-2021-25927 (Prototype pollution vulnerability in 'safe-flat' versions 2.0.0 throug ...) @@ -43967,8 +51646,8 @@ CVE-2021-3244 RESERVED CVE-2021-3243 (Wfilter ICF 5.0.117 contains a cross-site scripting (XSS) vulnerabilit ...) NOT-FOR-US: Wfilter ICF -CVE-2021-3242 - RESERVED +CVE-2021-3242 (DuxCMS v3.1.3 was discovered to contain a SQL injection vulnerability ...) + NOT-FOR-US: DuxCMS CVE-2021-3241 RESERVED CVE-2021-3240 @@ -44052,8 +51731,9 @@ CVE-2021-3202 CVE-2021-3201 RESERVED CVE-2021-3200 (Buffer overflow vulnerability in libsolv 2020-12-13 via the Solver * t ...) - - libsolv <unfixed> (unimportant) + - libsolv 0.7.17-1 (unimportant) NOTE: https://github.com/openSUSE/libsolv/issues/416 + NOTE: https://github.com/openSUSE/libsolv/commit/0077ef29eb46d2e1df2f230fc95a1d9748d49dec (0.7.17) NOTE: Crash in CLI tool, no security impact CVE-2021-3199 (Directory traversal with remote code execution can occur in /upload in ...) NOT-FOR-US: ONLYOFFICE Document Server @@ -44295,12 +51975,12 @@ CVE-2021-25787 RESERVED CVE-2021-25786 RESERVED -CVE-2021-25785 - RESERVED -CVE-2021-25784 - RESERVED -CVE-2021-25783 - RESERVED +CVE-2021-25785 (Taocms v2.5Beta5 was discovered to contain a cross-site scripting (XSS ...) + NOT-FOR-US: taocms +CVE-2021-25784 (Taocms v2.5Beta5 was discovered to contain a blind SQL injection vulne ...) + NOT-FOR-US: taocms +CVE-2021-25783 (Taocms v2.5Beta5 was discovered to contain a blind SQL injection vulne ...) + NOT-FOR-US: taocms CVE-2021-25782 RESERVED CVE-2021-25781 @@ -44379,8 +52059,10 @@ CVE-2021-25745 RESERVED CVE-2021-25744 RESERVED -CVE-2021-25743 - RESERVED +CVE-2021-25743 (kubectl does not neutralize escape, meta or control sequences containe ...) + - kubernetes <unfixed> + [bullseye] - kubernetes <no-dsa> (Minor issue) + NOTE: https://github.com/kubernetes/kubernetes/issues/101695 CVE-2021-25742 (A security issue was discovered in ingress-nginx where a user that can ...) NOT-FOR-US: Kubernetes ingress-nginx component CVE-2021-25741 (A security issue was discovered in Kubernetes where a user may be able ...) @@ -44527,6 +52209,12 @@ CVE-2021-3197 (An issue was discovered in SaltStack Salt before 3002.5. The salt - salt 3002.5+dfsg1-1 (bug #983632) [buster] - salt 2018.3.4+dfsg1-6+deb10u3 NOTE: https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/ + NOTE: https://github.com/saltstack/salt/commit/5273722c2180c394bc426f731450b95809ca952e (v3002.3) + NOTE: https://github.com/saltstack/salt/commit/039b7f3f5713170799363d96e6263c2809e4245c (v3002.3) + NOTE: Regression: https://github.com/saltstack/salt/pull/59664 + NOTE: Regression fix: https://github.com/saltstack/salt/commit/51f350fcdf4b14e4f16cedabd743ca23c574a186 + NOTE: Regression follow-up: https://github.com/saltstack/salt/pull/59748 + NOTE: Regression follow-up fix: https://github.com/saltstack/salt/commit/61d74a7e3bc4dfd6f16a7f123e76d0824059217d CVE-2021-3196 (An issue was discovered in Hitachi ID Bravura Security Fabric 11.0.0 t ...) NOT-FOR-US: Hitachi ID Bravura Security Fabric CVE-2021-3195 (** DISPUTED ** bitcoind in Bitcoin Core through 0.21.0 can create a ne ...) @@ -44544,7 +52232,7 @@ CVE-2021-3190 (The async-git package before 1.13.2 for Node.js allows OS Command NOT-FOR-US: Node async-git CVE-2021-25678 (A vulnerability has been identified in Solid Edge SE2020 (All versions ...) NOT-FOR-US: Solid Edge (Siemens) -CVE-2021-25677 (A vulnerability has been identified in Capital VSTAR (Versions includi ...) +CVE-2021-25677 (A vulnerability has been identified in Nucleus NET (All versions), Nuc ...) NOT-FOR-US: Nucleus (Siemens) CVE-2021-25676 (A vulnerability has been identified in RUGGEDCOM RM1224 (V6.3), SCALAN ...) NOT-FOR-US: Siemens @@ -44889,42 +52577,42 @@ CVE-2021-25529 RESERVED CVE-2021-25528 RESERVED -CVE-2021-25527 - RESERVED -CVE-2021-25526 - RESERVED -CVE-2021-25525 - RESERVED -CVE-2021-25524 - RESERVED -CVE-2021-25523 - RESERVED -CVE-2021-25522 - RESERVED -CVE-2021-25521 - RESERVED -CVE-2021-25520 - RESERVED -CVE-2021-25519 - RESERVED -CVE-2021-25518 - RESERVED -CVE-2021-25517 - RESERVED -CVE-2021-25516 - RESERVED -CVE-2021-25515 - RESERVED -CVE-2021-25514 - RESERVED -CVE-2021-25513 - RESERVED -CVE-2021-25512 - RESERVED -CVE-2021-25511 - RESERVED -CVE-2021-25510 - RESERVED +CVE-2021-25527 (Improper export of Android application components vulnerability in Sam ...) + NOT-FOR-US: Samsung +CVE-2021-25526 (Intent redirection vulnerability in Samsung Blockchain Wallet prior to ...) + NOT-FOR-US: Samsung +CVE-2021-25525 (Improper check or handling of exception conditions vulnerability in Sa ...) + NOT-FOR-US: Samsung +CVE-2021-25524 (Insecure storage of device information in Contacts prior to version 12 ...) + NOT-FOR-US: Samsung +CVE-2021-25523 (Insecure storage of device information in Samsung Dialer prior to vers ...) + NOT-FOR-US: Samsung +CVE-2021-25522 (Insecure storage of sensitive information vulnerability in Smart Captu ...) + NOT-FOR-US: Samsung +CVE-2021-25521 (Insecure caller check in sharevia deeplink logic prior to Samsung Inte ...) + NOT-FOR-US: Samsung +CVE-2021-25520 (Insecure caller check and input validation vulnerabilities in SearchKe ...) + NOT-FOR-US: Samsung +CVE-2021-25519 (An improper access control vulnerability in CPLC prior to SMR Dec-2021 ...) + NOT-FOR-US: Samsung +CVE-2021-25518 (An improper boundary check in secure_log of LDFW and BL31 prior to SMR ...) + NOT-FOR-US: Samsung +CVE-2021-25517 (An improper input validation vulnerability in LDFW prior to SMR Dec-20 ...) + NOT-FOR-US: Samsung +CVE-2021-25516 (An improper check or handling of exceptional conditions in Exynos base ...) + NOT-FOR-US: Samsung +CVE-2021-25515 (An improper usage of implicit intent in SemRewardManager prior to SMR ...) + NOT-FOR-US: Samsung +CVE-2021-25514 (An improper intent redirection handling in Tags prior to SMR Dec-2021 ...) + NOT-FOR-US: Samsung +CVE-2021-25513 (An improper privilege management vulnerability in Apps Edge applicatio ...) + NOT-FOR-US: Samsung +CVE-2021-25512 (An improper validation vulnerability in telephony prior to SMR Dec-202 ...) + NOT-FOR-US: Samsung +CVE-2021-25511 (An improper validation vulnerability in FilterProvider prior to SMR De ...) + NOT-FOR-US: Samsung +CVE-2021-25510 (An improper validation vulnerability in FilterProvider prior to SMR De ...) + NOT-FOR-US: Samsung CVE-2021-25509 (A missing input validation in Samsung Flow Windows application prior t ...) NOT-FOR-US: Samsung CVE-2021-25508 (Improper privilege management vulnerability in API Key used in SmartTh ...) @@ -45346,8 +53034,8 @@ CVE-2021-25314 (A Creation of Temporary File With Insecure Permissions vulnerabi NOT-FOR-US: hawk2 as packaged by SuSE CVE-2021-25313 (A Improper Neutralization of Input During Web Page Generation ('Cross- ...) NOT-FOR-US: Rancher -CVE-2021-3179 - RESERVED +CVE-2021-3179 (GGLocker iOS application, contains an insecure data storage of the pas ...) + NOT-FOR-US: GGLocker iOS application CVE-2021-3178 (** DISPUTED ** fs/nfsd/nfs3xdr.c in the Linux kernel through 5.10.8, w ...) {DLA-2586-1} - linux 5.10.12-1 (unimportant) @@ -45355,7 +53043,7 @@ CVE-2021-3178 (** DISPUTED ** fs/nfsd/nfs3xdr.c in the Linux kernel through 5.10 NOTE: https://patchwork.kernel.org/project/linux-nfs/patch/20210111210129.GA11652@fieldses.org/ NOTE: Disputed/mild security relevance/impact CVE-2021-3177 (Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctyp ...) - {DLA-2619-1} + {DLA-2919-1 DLA-2619-1} - python3.9 3.9.1-3 - python3.8 <removed> - python3.7 <removed> @@ -45364,7 +53052,6 @@ CVE-2021-3177 (Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in - python3.5 <removed> - python2.7 2.7.18-2 [buster] - python2.7 <no-dsa> (Minor issue) - [stretch] - python2.7 <no-dsa> (Minor issue) NOTE: https://bugs.python.org/issue42938 NOTE: https://github.com/python/cpython/pull/24239 NOTE: https://python-security.readthedocs.io/vuln/ctypes-buffer-overflow-pycarg_repr.html @@ -45501,21 +53188,36 @@ CVE-2021-25284 (An issue was discovered in through SaltStack Salt before 3002.5. - salt 3002.5+dfsg1-1 (bug #983632) [buster] - salt 2018.3.4+dfsg1-6+deb10u3 NOTE: https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/ + NOTE: https://github.com/saltstack/salt/commit/ac2ce3a3a000e428122bc120179e083de95c1de7 (v3002.3) + NOTE: Regression: https://github.com/saltstack/salt/pull/59664 + NOTE: Regression fix: https://github.com/saltstack/salt/commit/24d04343b36ffbd4cf63441db13b43363ea57548 + NOTE: Regression: https://github.com/saltstack/salt/issues/59793 + NOTE: Regression fix: https://github.com/saltstack/salt/commit/e6dd6a482a76e2c82fcc6eeb6df9030e453837c4 CVE-2021-25283 (An issue was discovered in through SaltStack Salt before 3002.5. The j ...) {DLA-2815-1} - salt 3002.5+dfsg1-1 (bug #983632) [buster] - salt 2018.3.4+dfsg1-6+deb10u3 NOTE: https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/ + NOTE: https://github.com/saltstack/salt/commit/3fbf9a35bc4f7a43f628631f89ebb31f907859e3 (v3002.5) CVE-2021-25282 (An issue was discovered in through SaltStack Salt before 3002.5. The s ...) {DLA-2815-1} - salt 3002.5+dfsg1-1 (bug #983632) [buster] - salt 2018.3.4+dfsg1-6+deb10u3 NOTE: https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/ + NOTE: https://github.com/saltstack/salt/commit/aafc5ed6de60403c90201d85963299df351147ec (v3002.3) + NOTE: Regression: https://github.com/saltstack/salt/issues/59935 + NOTE: Regression fix: https://github.com/saltstack/salt/commit/da381954425e1e1d5b807ff1156090847c5d16aa CVE-2021-25281 (An issue was discovered in through SaltStack Salt before 3002.5. salt- ...) {DLA-2815-1} - salt 3002.5+dfsg1-1 (bug #983632) [buster] - salt 2018.3.4+dfsg1-6+deb10u3 NOTE: https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/ + NOTE: https://gitlab.com/saltstack/open/salt-patches/-/tree/master/patches/2021/01/28 + NOTE: https://github.com/saltstack/salt/commit/905efea17d9740a081509780d7c44e742b99ce60 (v3000.7) + NOTE: Regression: https://gitlab.com/saltstack/open/salt-patches/-/tree/master/patches/2021/02/05 + NOTE: Regression: https://github.com/saltstack/salt/commit/8f8994ba42e618a9b07fac417d931bdb7b7005d1 + NOTE: Regression: https://github.com/saltstack/salt/commit/41a24843d8b22c6a340338ac86a628323fbfc181 + NOTE: Regression: https://github.com/saltstack/salt/commit/7b3591d9cd427d46e410bc2d510e2ccfa6a23884 CVE-2021-XXXX [SQL Server LIMIT / OFFSET SQL Injection] - php-laravel-framework 6.20.14+dfsg-2 (bug #987831) - php-illuminate-database <removed> (bug #987848) @@ -45750,8 +53452,11 @@ CVE-2021-3156 (Sudo before 1.9.5p2 contains an off-by-one error that can result NOTE: https://www.sudo.ws/repos/sudo/rev/09f98816fc89 NOTE: https://www.sudo.ws/repos/sudo/rev/c125fbe68783 NOTE: https://www.openwall.com/lists/oss-security/2021/01/26/3 -CVE-2021-3155 - RESERVED +CVE-2021-3155 (snapd 2.54.2 and earlier created ~/snap directories in user home direc ...) + - snapd 2.54-1 + NOTE: https://github.com/snapcore/snapd/pull/9841 + NOTE: https://github.com/snapcore/snapd/commit/6bcaeeccd16ed8298a301dd92f6907f88c24cc85 (2.52) + NOTE: https://github.com/snapcore/snapd/commit/7d2a966620002149891446a53cf114804808dcca (2.54) CVE-2021-3154 (An issue was discovered in SolarWinds Serv-U before 15.2.2. Unauthenti ...) NOT-FOR-US: SolarWinds CVE-2021-3153 (HashiCorp Terraform Enterprise up to v202102-2 failed to enforce an or ...) @@ -45769,6 +53474,8 @@ CVE-2021-3148 (An issue was discovered in SaltStack Salt before 3002.5. Sending - salt 3002.5+dfsg1-1 (bug #983632) [buster] - salt 2018.3.4+dfsg1-6+deb10u3 NOTE: https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/ + NOTE: Introduced by: https://github.com/saltstack/salt/commit/fc9267afa3a7ecaae3ef446575072e0e5d51d8b7 (v2016.3) + NOTE: Fixed by: https://github.com/saltstack/salt/commit/6ae64c6b15cb7f43b57f564a0cb8a0e426cc183a (v3000.7 backport) CVE-2021-3147 RESERVED CVE-2021-25196 @@ -45940,212 +53647,212 @@ CVE-2021-25117 RESERVED CVE-2021-25116 RESERVED -CVE-2021-25115 - RESERVED -CVE-2021-25114 - RESERVED +CVE-2021-25115 (The WP Photo Album Plus WordPress plugin before 8.0.10 was vulnerable ...) + NOT-FOR-US: WordPress plugin +CVE-2021-25114 (The Paid Memberships Pro WordPress plugin before 2.6.7 does not escape ...) + NOT-FOR-US: WordPress plugin CVE-2021-25113 RESERVED CVE-2021-25112 RESERVED CVE-2021-25111 RESERVED -CVE-2021-25110 - RESERVED -CVE-2021-25109 - RESERVED -CVE-2021-25108 - RESERVED -CVE-2021-25107 - RESERVED -CVE-2021-25106 - RESERVED -CVE-2021-25105 - RESERVED +CVE-2021-25110 (The Futurio Extra WordPress plugin before 1.6.3 allows any logged in u ...) + NOT-FOR-US: WordPress plugin +CVE-2021-25109 (The Futurio Extra WordPress plugin before 1.6.3 is affected by a SQL I ...) + NOT-FOR-US: WordPress plugin +CVE-2021-25108 (The IP2Location Country Blocker WordPress plugin before 2.26.6 does no ...) + NOT-FOR-US: WordPress plugin +CVE-2021-25107 (The Form Store to DB WordPress plugin before 1.1.1 does not sanitise a ...) + NOT-FOR-US: WordPress plugin +CVE-2021-25106 (The Privacy Policy Generator, Terms & Conditions Generator WordPre ...) + NOT-FOR-US: WordPress plugin +CVE-2021-25105 (The Ivory Search WordPress plugin before 5.4.1 does not escape some of ...) + NOT-FOR-US: WordPress plugin CVE-2021-25104 RESERVED -CVE-2021-25103 - RESERVED +CVE-2021-25103 (The Translate WordPress with GTranslate WordPress plugin before 2.9.7 ...) + NOT-FOR-US: WordPress plugin CVE-2021-25102 RESERVED -CVE-2021-25101 - RESERVED -CVE-2021-25100 - RESERVED -CVE-2021-25099 - RESERVED +CVE-2021-25101 (The Anti-Malware Security and Brute-Force Firewall WordPress plugin be ...) + NOT-FOR-US: WordPress plugin +CVE-2021-25100 (The GiveWP WordPress plugin before 2.17.3 does not escape the s parame ...) + NOT-FOR-US: WordPress plugin +CVE-2021-25099 (The GiveWP WordPress plugin before 2.17.3 does not sanitise and escape ...) + NOT-FOR-US: WordPress plugin CVE-2021-25098 RESERVED -CVE-2021-25097 - RESERVED -CVE-2021-25096 - RESERVED -CVE-2021-25095 - RESERVED +CVE-2021-25097 (The LabTools WordPress plugin through 1.0 does not have proper authori ...) + NOT-FOR-US: WordPress plugin +CVE-2021-25096 (The IP2Location Country Blocker WordPress plugin before 2.26.5 bans ca ...) + NOT-FOR-US: WordPress plugin +CVE-2021-25095 (The IP2Location Country Blocker WordPress plugin before 2.26.5 does no ...) + NOT-FOR-US: WordPress plugin CVE-2021-25094 RESERVED -CVE-2021-25093 - RESERVED -CVE-2021-25092 - RESERVED -CVE-2021-25091 - RESERVED +CVE-2021-25093 (The Link Library WordPress plugin before 7.2.8 does not have authorisa ...) + NOT-FOR-US: WordPress plugin +CVE-2021-25092 (The Link Library WordPress plugin before 7.2.8 does not have CSRF chec ...) + NOT-FOR-US: WordPress plugin +CVE-2021-25091 (The Link Library WordPress plugin before 7.2.9 does not sanitise and e ...) + NOT-FOR-US: WordPress plugin CVE-2021-25090 RESERVED -CVE-2021-25089 - RESERVED +CVE-2021-25089 (The UpdraftPlus WordPress Backup Plugin WordPress plugin before 1.16.6 ...) + NOT-FOR-US: WordPress plugin CVE-2021-25088 RESERVED CVE-2021-25087 RESERVED CVE-2021-25086 RESERVED -CVE-2021-25085 - RESERVED -CVE-2021-25084 - RESERVED -CVE-2021-25083 - RESERVED -CVE-2021-25082 - RESERVED +CVE-2021-25085 (The WOOF WordPress plugin before 1.2.6.3 does not sanitise and escape ...) + NOT-FOR-US: WordPress plugin +CVE-2021-25084 (The Advanced Cron Manager WordPress plugin before 2.4.2 and Advanced C ...) + NOT-FOR-US: WordPress plugin +CVE-2021-25083 (The Registrations for the Events Calendar WordPress plugin before 2.7. ...) + NOT-FOR-US: WordPress plugin +CVE-2021-25082 (The Popup Builder WordPress plugin before 4.0.7 does not validate and ...) + NOT-FOR-US: WordPress plugin CVE-2021-25081 RESERVED -CVE-2021-25080 - RESERVED -CVE-2021-25079 - RESERVED -CVE-2021-25078 - RESERVED -CVE-2021-25077 - RESERVED -CVE-2021-25076 - RESERVED -CVE-2021-25075 - RESERVED -CVE-2021-25074 - RESERVED -CVE-2021-25073 - RESERVED -CVE-2021-25072 - RESERVED +CVE-2021-25080 (The Contact Form Entries WordPress plugin before 1.1.7 does not valida ...) + NOT-FOR-US: WordPress plugin +CVE-2021-25079 (The Contact Form Entries WordPress plugin before 1.2.4 does not saniti ...) + NOT-FOR-US: WordPress plugin +CVE-2021-25078 (The Affiliates Manager WordPress plugin before 2.9.0 does not validate ...) + NOT-FOR-US: WordPress plugin +CVE-2021-25077 (The Store Toolkit for WooCommerce WordPress plugin before 2.3.2 does n ...) + NOT-FOR-US: WordPress plugin +CVE-2021-25076 (The WP User Frontend WordPress plugin before 3.5.26 does not validate ...) + NOT-FOR-US: WordPress plugin +CVE-2021-25075 (The Duplicate Page or Post WordPress plugin before 1.5.1 does not have ...) + NOT-FOR-US: WordPress plugin +CVE-2021-25074 (The WebP Converter for Media WordPress plugin before 4.0.3 contains a ...) + NOT-FOR-US: WordPress plugin +CVE-2021-25073 (The WP125 WordPress plugin before 1.5.5 does not have CSRF checks in v ...) + NOT-FOR-US: WordPress plugin +CVE-2021-25072 (The NextScripts: Social Networks Auto-Poster WordPress plugin before 4 ...) + NOT-FOR-US: WordPress plugin CVE-2021-25071 RESERVED CVE-2021-25070 RESERVED -CVE-2021-25069 - RESERVED +CVE-2021-25069 (The Download Manager WordPress plugin before 3.2.34 does not sanitise ...) + NOT-FOR-US: WordPress plugin CVE-2021-25068 RESERVED -CVE-2021-25067 - RESERVED +CVE-2021-25067 (The Landing Page Builder WordPress plugin before 1.4.9.6 was affected ...) + NOT-FOR-US: WordPress plugin CVE-2021-25066 RESERVED -CVE-2021-25065 - RESERVED +CVE-2021-25065 (The Smash Balloon Social Post Feed WordPress plugin before 4.1.1 was a ...) + NOT-FOR-US: WordPress plugin CVE-2021-25064 RESERVED -CVE-2021-25063 - RESERVED -CVE-2021-25062 - RESERVED -CVE-2021-25061 - RESERVED -CVE-2021-25060 - RESERVED +CVE-2021-25063 (The Contact Form 7 Skins WordPress plugin through 2.5.0 does not sanit ...) + NOT-FOR-US: WordPress plugin +CVE-2021-25062 (The Orders Tracking for WooCommerce WordPress plugin before 1.1.10 doe ...) + NOT-FOR-US: WordPress plugin +CVE-2021-25061 (The WP Booking System WordPress plugin before 2.0.15 was affected by a ...) + NOT-FOR-US: WordPress plugin +CVE-2021-25060 (The Five Star Business Profile and Schema WordPress plugin before 2.1. ...) + NOT-FOR-US: WordPress plugin CVE-2021-25059 RESERVED -CVE-2021-25058 - RESERVED -CVE-2021-25057 - RESERVED +CVE-2021-25058 (The Buffer Button WordPress plugin through 1.0 was vulnerable to Authe ...) + NOT-FOR-US: WordPress plugin +CVE-2021-25057 (The Translation Exchange WordPress plugin through 1.0.14 was vulnerabl ...) + NOT-FOR-US: WordPress plugin CVE-2021-25056 RESERVED -CVE-2021-25055 - RESERVED -CVE-2021-25054 - RESERVED -CVE-2021-25053 - RESERVED -CVE-2021-25052 - RESERVED -CVE-2021-25051 - RESERVED -CVE-2021-25050 - RESERVED -CVE-2021-25049 - RESERVED +CVE-2021-25055 (The FeedWordPress plugin before 2022.0123 is affected by a Reflected C ...) + NOT-FOR-US: WordPress plugin +CVE-2021-25054 (The WPcalc WordPress plugin through 2.1 does not sanitize user input i ...) + NOT-FOR-US: WordPress plugin +CVE-2021-25053 (The WP Coder WordPress plugin before 2.5.2 within the wow-company admi ...) + NOT-FOR-US: WordPress plugin +CVE-2021-25052 (The Button Generator WordPress plugin before 2.3.3 within the wow-comp ...) + NOT-FOR-US: WordPress plugin +CVE-2021-25051 (The Modal Window WordPress plugin before 5.2.2 within the wow-company ...) + NOT-FOR-US: WordPress plugin +CVE-2021-25050 (The Remove Footer Credit WordPress plugin before 1.0.11 does properly ...) + NOT-FOR-US: WordPress plugin +CVE-2021-25049 (The Mobile Events Manager WordPress plugin before 1.4.4 does not sanit ...) + NOT-FOR-US: WordPress plugin CVE-2021-25048 RESERVED -CVE-2021-25047 - RESERVED -CVE-2021-25046 - RESERVED -CVE-2021-25045 - RESERVED +CVE-2021-25047 (The 10Web Social Photo Feed WordPress plugin before 1.4.29 was affecte ...) + NOT-FOR-US: WordPress plugin +CVE-2021-25046 (The Modern Events Calendar Lite WordPress plugin before 6.2.0 alloed a ...) + NOT-FOR-US: WordPress plugin +CVE-2021-25045 (The Asgaros Forum WordPress plugin before 1.15.15 does not validate or ...) + NOT-FOR-US: WordPress plugin CVE-2021-25044 RESERVED -CVE-2021-25043 - RESERVED +CVE-2021-25043 (The WOOCS WordPress plugin before 1.3.7.3 does not sanitise and escape ...) + NOT-FOR-US: WordPress plugin CVE-2021-25042 RESERVED -CVE-2021-25041 - RESERVED -CVE-2021-25040 - RESERVED +CVE-2021-25041 (The Photo Gallery by 10Web WordPress plugin before 1.5.68 is vulnerabl ...) + NOT-FOR-US: WordPress plugin +CVE-2021-25040 (The Booking Calendar WordPress plugin before 8.9.2 does not sanitise a ...) + NOT-FOR-US: WordPress plugin CVE-2021-25039 RESERVED CVE-2021-25038 RESERVED -CVE-2021-25037 - RESERVED -CVE-2021-25036 - RESERVED -CVE-2021-25035 - RESERVED +CVE-2021-25037 (The All in One SEO WordPress plugin before 4.1.5.3 is affected by an a ...) + NOT-FOR-US: WordPress plugin +CVE-2021-25036 (The All in One SEO WordPress plugin before 4.1.5.3 is affected by a Pr ...) + NOT-FOR-US: WordPress plugin +CVE-2021-25035 (The Backup and Staging by WP Time Capsule WordPress plugin before 1.22 ...) + NOT-FOR-US: WordPress plugin CVE-2021-25034 RESERVED -CVE-2021-25033 - RESERVED -CVE-2021-25032 - RESERVED -CVE-2021-25031 - RESERVED -CVE-2021-25030 - RESERVED -CVE-2021-25029 - RESERVED -CVE-2021-25028 - RESERVED -CVE-2021-25027 - RESERVED +CVE-2021-25033 (The WordPress Newsletter Plugin WordPress plugin before 1.6.5 does not ...) + NOT-FOR-US: WordPress plugin +CVE-2021-25032 (The PublishPress Capabilities WordPress plugin before 2.3.1, PublishPr ...) + NOT-FOR-US: WordPress plugin +CVE-2021-25031 (The Image Hover Effects Ultimate (Image Gallery, Effects, Lightbox, Co ...) + NOT-FOR-US: WordPress plugin +CVE-2021-25030 (The Events Made Easy WordPress plugin before 2.2.36 does not sanitise ...) + NOT-FOR-US: WordPress plugin +CVE-2021-25029 (The CLUEVO LMS, E-Learning Platform WordPress plugin before 1.8.1 does ...) + NOT-FOR-US: WordPress plugin +CVE-2021-25028 (The Event Tickets WordPress plugin before 5.2.2 does not validate the ...) + NOT-FOR-US: WordPress plugin +CVE-2021-25027 (The PowerPack Addons for Elementor WordPress plugin before 2.6.2 does ...) + NOT-FOR-US: WordPress plugin CVE-2021-25026 RESERVED -CVE-2021-25025 - RESERVED -CVE-2021-25024 - RESERVED -CVE-2021-25023 - RESERVED -CVE-2021-25022 - RESERVED -CVE-2021-25021 - RESERVED -CVE-2021-25020 - RESERVED +CVE-2021-25025 (The EventCalendar WordPress plugin before 1.1.51 does not have proper ...) + NOT-FOR-US: WordPress plugin +CVE-2021-25024 (The EventCalendar WordPress plugin before 1.1.51 does not escape some ...) + NOT-FOR-US: WordPress plugin +CVE-2021-25023 (The Speed Booster Pack ⚡ PageSpeed Optimization Suite WordPress ...) + NOT-FOR-US: WordPress plugin +CVE-2021-25022 (The UpdraftPlus WordPress Backup Plugin WordPress plugin before 1.16.6 ...) + NOT-FOR-US: WordPress plugin +CVE-2021-25021 (The OMGF | Host Google Fonts Locally WordPress plugin before 4.5.12 do ...) + NOT-FOR-US: WordPress plugin +CVE-2021-25020 (The CAOS | Host Google Analytics Locally WordPress plugin before 4.1.9 ...) + NOT-FOR-US: WordPress plugin CVE-2021-25019 RESERVED -CVE-2021-25018 - RESERVED -CVE-2021-25017 - RESERVED -CVE-2021-25016 - RESERVED -CVE-2021-25015 - RESERVED -CVE-2021-25014 - RESERVED -CVE-2021-25013 - RESERVED +CVE-2021-25018 (The PPOM for WooCommerce WordPress plugin before 24.0 does not have au ...) + NOT-FOR-US: WordPress plugin +CVE-2021-25017 (The Tutor LMS WordPress plugin before 1.9.12 does not escape the searc ...) + NOT-FOR-US: WordPress plugin +CVE-2021-25016 (The Chaty WordPress plugin before 2.8.3 and Chaty Pro WordPress plugin ...) + NOT-FOR-US: WordPress plugin +CVE-2021-25015 (The myCred WordPress plugin before 2.4 does not sanitise and escape th ...) + NOT-FOR-US: WordPress plugin +CVE-2021-25014 (The Ibtana WordPress plugin before 1.1.4.9 does not have authorisation ...) + NOT-FOR-US: WordPress plugin +CVE-2021-25013 (The Qubely WordPress plugin before 1.7.8 does not have authorisation a ...) + NOT-FOR-US: WordPress plugin CVE-2021-25012 RESERVED CVE-2021-25011 @@ -46154,98 +53861,98 @@ CVE-2021-25010 RESERVED CVE-2021-25009 RESERVED -CVE-2021-25008 - RESERVED +CVE-2021-25008 (The Code Snippets WordPress plugin before 2.14.3 does not escape the s ...) + NOT-FOR-US: WordPress plugin CVE-2021-25007 RESERVED CVE-2021-25006 RESERVED -CVE-2021-25005 - RESERVED -CVE-2021-25004 - RESERVED +CVE-2021-25005 (The SEUR Oficial WordPress plugin before 1.7.0 does not sanitize and e ...) + NOT-FOR-US: WordPress plugin +CVE-2021-25004 (The SEUR Oficial WordPress plugin before 1.7.2 creates a PHP file with ...) + NOT-FOR-US: WordPress plugin CVE-2021-25003 RESERVED CVE-2021-25002 RESERVED -CVE-2021-25001 - RESERVED -CVE-2021-25000 - RESERVED -CVE-2021-24999 - RESERVED -CVE-2021-24998 - RESERVED -CVE-2021-24997 - RESERVED +CVE-2021-25001 (The Booster for WooCommerce WordPress plugin before 5.4.9 does not san ...) + NOT-FOR-US: WordPress plugin +CVE-2021-25000 (The Booster for WooCommerce WordPress plugin before 5.4.9 does not san ...) + NOT-FOR-US: WordPress plugin +CVE-2021-24999 (The Booster for WooCommerce WordPress plugin before 5.4.9 does not san ...) + NOT-FOR-US: WordPress plugin +CVE-2021-24998 (The Simple JWT Login WordPress plugin before 3.3.0 can be used to crea ...) + NOT-FOR-US: WordPress plugin +CVE-2021-24997 (The WP Guppy WordPress plugin before 1.3 does not have any authorisati ...) + NOT-FOR-US: WordPress plugin CVE-2021-24996 RESERVED CVE-2021-24995 RESERVED CVE-2021-24994 RESERVED -CVE-2021-24993 - RESERVED -CVE-2021-24992 - RESERVED -CVE-2021-24991 - RESERVED +CVE-2021-24993 (The Ultimate Product Catalog WordPress plugin before 5.0.26 does not h ...) + NOT-FOR-US: WordPress plugin +CVE-2021-24992 (The Smart Floating / Sticky Buttons WordPress plugin before 2.5.5 does ...) + NOT-FOR-US: WordPress plugin +CVE-2021-24991 (The WooCommerce PDF Invoices & Packing Slips WordPress plugin befo ...) + NOT-FOR-US: WordPress plugin CVE-2021-24990 RESERVED -CVE-2021-24989 - RESERVED -CVE-2021-24988 - RESERVED +CVE-2021-24989 (The Accept Donations with PayPal WordPress plugin before 1.3.4 does no ...) + NOT-FOR-US: WordPress plugin +CVE-2021-24988 (The WP RSS Aggregator WordPress plugin before 4.19.3 does not sanitise ...) + NOT-FOR-US: WordPress plugin CVE-2021-24987 RESERVED CVE-2021-24986 RESERVED -CVE-2021-24985 - RESERVED -CVE-2021-24984 - RESERVED -CVE-2021-24983 - RESERVED +CVE-2021-24985 (The Easy Forms for Mailchimp WordPress plugin before 6.8.6 does not sa ...) + NOT-FOR-US: WordPress plugin +CVE-2021-24984 (The WPFront User Role Editor WordPress plugin before 3.2.1.11184 does ...) + NOT-FOR-US: WordPress plugin +CVE-2021-24983 (The Asset CleanUp: Page Speed Booster WordPress plugin before 1.3.8.5 ...) + NOT-FOR-US: WordPress plugin CVE-2021-24982 RESERVED -CVE-2021-24981 - RESERVED -CVE-2021-24980 - RESERVED -CVE-2021-24979 - RESERVED +CVE-2021-24981 (The Directorist WordPress plugin before 7.0.6.2 was vulnerable to Cros ...) + NOT-FOR-US: WordPress plugin +CVE-2021-24980 (The Gwolle Guestbook WordPress plugin before 4.2.0 does not sanitise a ...) + NOT-FOR-US: WordPress plugin +CVE-2021-24979 (The Paid Memberships Pro WordPress plugin before 2.6.6 does not escape ...) + NOT-FOR-US: WordPress plugin CVE-2021-24978 RESERVED CVE-2021-24977 RESERVED -CVE-2021-24976 - RESERVED -CVE-2021-24975 - RESERVED -CVE-2021-24974 - RESERVED -CVE-2021-24973 - RESERVED -CVE-2021-24972 - RESERVED +CVE-2021-24976 (The Smart SEO Tool WordPress plugin before 3.0.6 does not sanitise and ...) + NOT-FOR-US: WordPress plugin +CVE-2021-24975 (The NextScripts: Social Networks Auto-Poster WordPress plugin before 4 ...) + NOT-FOR-US: WordPress plugin +CVE-2021-24974 (The Product Feed PRO for WooCommerce WordPress plugin before 11.0.7 do ...) + NOT-FOR-US: WordPress plugin +CVE-2021-24973 (The Site Reviews WordPress plugin before 5.17.3 does not sanitise and ...) + NOT-FOR-US: WordPress plugin +CVE-2021-24972 (The Pixel Cat WordPress plugin before 2.6.3 does not escape some of it ...) + NOT-FOR-US: WordPress plugin CVE-2021-24971 RESERVED -CVE-2021-24970 - RESERVED -CVE-2021-24969 - RESERVED -CVE-2021-24968 - RESERVED -CVE-2021-24967 - RESERVED +CVE-2021-24970 (The All-in-One Video Gallery WordPress plugin before 2.5.0 does not sa ...) + NOT-FOR-US: WordPress plugin +CVE-2021-24969 (The WordPress Download Manager WordPress plugin before 3.2.22 does not ...) + NOT-FOR-US: WordPress plugin +CVE-2021-24968 (The Ultimate FAQ WordPress plugin before 2.1.2 does not have capabilit ...) + NOT-FOR-US: WordPress plugin +CVE-2021-24967 (The Contact Form & Lead Form Elementor Builder WordPress plugin be ...) + NOT-FOR-US: WordPress plugin CVE-2021-24966 RESERVED -CVE-2021-24965 - RESERVED -CVE-2021-24964 - RESERVED -CVE-2021-24963 - RESERVED +CVE-2021-24965 (The Five Star Restaurant Reservations WordPress plugin before 2.4.8 do ...) + NOT-FOR-US: WordPress plugin +CVE-2021-24964 (The LiteSpeed Cache WordPress plugin before 4.4.4 does not properly ve ...) + NOT-FOR-US: WordPress plugin +CVE-2021-24963 (The LiteSpeed Cache WordPress plugin before 4.4.4 does not escape the ...) + NOT-FOR-US: WordPress plugin CVE-2021-24962 RESERVED CVE-2021-24961 @@ -46258,92 +53965,92 @@ CVE-2021-24958 RESERVED CVE-2021-24957 RESERVED -CVE-2021-24956 - RESERVED -CVE-2021-24955 - RESERVED -CVE-2021-24954 - RESERVED +CVE-2021-24956 (The Blog2Social: Social Media Auto Post & Scheduler WordPress plug ...) + NOT-FOR-US: WordPress plugin +CVE-2021-24955 (The User Registration, Login Form, User Profile & Membership WordP ...) + NOT-FOR-US: WordPress plugin +CVE-2021-24954 (The User Registration, Login Form, User Profile & Membership WordP ...) + NOT-FOR-US: WordPress plugin CVE-2021-24953 RESERVED CVE-2021-24952 RESERVED -CVE-2021-24951 - RESERVED +CVE-2021-24951 (The LearnPress WordPress plugin before 4.1.4 does not sanitise, valida ...) + NOT-FOR-US: WordPress plugin CVE-2021-24950 RESERVED -CVE-2021-24949 - RESERVED -CVE-2021-24948 - RESERVED -CVE-2021-24947 - RESERVED -CVE-2021-24946 - RESERVED -CVE-2021-24945 - RESERVED -CVE-2021-24944 - RESERVED -CVE-2021-24943 - RESERVED +CVE-2021-24949 (The "WP Search Filters" widget of The Plus Addons for Elementor - Pro ...) + NOT-FOR-US: WordPress plugin +CVE-2021-24948 (The Plus Addons for Elementor - Pro WordPress plugin before 5.0.7 does ...) + NOT-FOR-US: WordPress plugin +CVE-2021-24947 (The RVM WordPress plugin before 6.4.2 does not have proper authorisati ...) + NOT-FOR-US: WordPress plugin +CVE-2021-24946 (The Modern Events Calendar Lite WordPress plugin before 6.1.5 does not ...) + NOT-FOR-US: WordPress plugin +CVE-2021-24945 (The Like Button Rating ♥ LikeBtn WordPress plugin before 2.6.38 ...) + NOT-FOR-US: WordPress plugin +CVE-2021-24944 (The Custom Dashboard & Login Page WordPress plugin before 7.0 does ...) + NOT-FOR-US: WordPress plugin +CVE-2021-24943 (The Registrations for the Events Calendar WordPress plugin before 2.7. ...) + NOT-FOR-US: WordPress plugin CVE-2021-24942 RESERVED -CVE-2021-24941 - RESERVED +CVE-2021-24941 (The Popups, Welcome Bar, Optins and Lead Generation Plugin WordPress p ...) + NOT-FOR-US: WordPress plugin CVE-2021-24940 RESERVED -CVE-2021-24939 - RESERVED -CVE-2021-24938 - RESERVED -CVE-2021-24937 - RESERVED -CVE-2021-24936 - RESERVED -CVE-2021-24935 - RESERVED -CVE-2021-24934 - RESERVED +CVE-2021-24939 (The LoginWP (Formerly Peter's Login Redirect) WordPress plugin before ...) + NOT-FOR-US: WordPress plugin +CVE-2021-24938 (The WOOCS WordPress plugin before 1.3.7.1 does not sanitise and escape ...) + NOT-FOR-US: WordPress plugin +CVE-2021-24937 (The Asset CleanUp: Page Speed Booster WordPress plugin before 1.3.8.5 ...) + NOT-FOR-US: WordPress plugin +CVE-2021-24936 (The WP Extra File Types WordPress plugin before 0.5.1 does not have CS ...) + NOT-FOR-US: WordPress plugin +CVE-2021-24935 (The WP Google Fonts WordPress plugin before 3.1.5 does not escape the ...) + NOT-FOR-US: WordPress plugin +CVE-2021-24934 (The Visual CSS Style Editor WordPress plugin before 7.5.4 does not san ...) + NOT-FOR-US: WordPress plugin CVE-2021-24933 RESERVED -CVE-2021-24932 - RESERVED -CVE-2021-24931 - RESERVED -CVE-2021-24930 - RESERVED +CVE-2021-24932 (The Auto Featured Image (Auto Post Thumbnail) WordPress plugin before ...) + NOT-FOR-US: WordPress plugin +CVE-2021-24931 (The Secure Copy Content Protection and Content Locking WordPress plugi ...) + NOT-FOR-US: WordPress plugin +CVE-2021-24930 (The WordPress Online Booking and Scheduling Plugin WordPress plugin be ...) + NOT-FOR-US: WordPress plugin CVE-2021-24929 RESERVED -CVE-2021-24928 - RESERVED -CVE-2021-24927 - RESERVED -CVE-2021-24926 - RESERVED -CVE-2021-24925 - RESERVED -CVE-2021-24924 - RESERVED -CVE-2021-24923 - RESERVED -CVE-2021-24922 - RESERVED -CVE-2021-24921 - RESERVED +CVE-2021-24928 (The Rearrange Woocommerce Products WordPress plugin before 3.0.8 does ...) + NOT-FOR-US: WordPress plugin +CVE-2021-24927 (The My Calendar WordPress plugin before 3.2.18 does not sanitise and e ...) + NOT-FOR-US: WordPress plugin +CVE-2021-24926 (The Domain Check WordPress plugin before 1.0.17 does not sanitise and ...) + NOT-FOR-US: WordPress plugin +CVE-2021-24925 (The Modern Events Calendar Lite WordPress plugin before 6.1.5 does not ...) + NOT-FOR-US: WordPress plugin +CVE-2021-24924 (The Email Log WordPress plugin before 2.4.8 does not escape the d para ...) + NOT-FOR-US: WordPress plugin +CVE-2021-24923 (The Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblu ...) + NOT-FOR-US: WordPress plugin +CVE-2021-24922 (The Pixel Cat WordPress plugin before 2.6.2 does not have CSRF check w ...) + NOT-FOR-US: WordPress plugin +CVE-2021-24921 (The Advanced Database Cleaner WordPress plugin before 3.0.4 does not s ...) + NOT-FOR-US: WordPress plugin CVE-2021-24920 RESERVED -CVE-2021-24919 - RESERVED -CVE-2021-24918 - RESERVED -CVE-2021-24917 - RESERVED +CVE-2021-24919 (The Wicked Folders WordPress plugin before 2.8.10 does not sanitise an ...) + NOT-FOR-US: WordPress plugin +CVE-2021-24918 (The Smash Balloon Social Post Feed WordPress plugin before 4.0.1 did n ...) + NOT-FOR-US: WordPress plugin +CVE-2021-24917 (The WPS Hide Login WordPress plugin before 1.9.1 has a bug which allow ...) + NOT-FOR-US: WordPress plugin CVE-2021-24916 RESERVED -CVE-2021-24915 - RESERVED -CVE-2021-24914 - RESERVED +CVE-2021-24915 (The Contest Gallery WordPress plugin before 13.1.0.6 does not have cap ...) + NOT-FOR-US: WordPress plugin +CVE-2021-24914 (The Tawk.To Live Chat WordPress plugin before 0.6.0 does not have capa ...) + NOT-FOR-US: WordPress plugin CVE-2021-24913 RESERVED CVE-2021-24912 @@ -46352,48 +54059,48 @@ CVE-2021-24911 RESERVED CVE-2021-24910 RESERVED -CVE-2021-24909 - RESERVED -CVE-2021-24908 - RESERVED -CVE-2021-24907 - RESERVED -CVE-2021-24906 - RESERVED +CVE-2021-24909 (The ACF Photo Gallery Field WordPress plugin before 1.7.5 does not san ...) + NOT-FOR-US: WordPress plugin +CVE-2021-24908 (The Check & Log Email WordPress plugin before 1.0.4 does not escap ...) + NOT-FOR-US: WordPress plugin +CVE-2021-24907 (The Contact Form, Drag and Drop Form Builder for WordPress plugin befo ...) + NOT-FOR-US: WordPress plugin +CVE-2021-24906 (The Protect WP Admin WordPress plugin before 3.6.2 does not check for ...) + NOT-FOR-US: WordPress plugin CVE-2021-24905 RESERVED -CVE-2021-24904 - RESERVED +CVE-2021-24904 (The Mortgage Calculators WP WordPress plugin before 1.56 does not impl ...) + NOT-FOR-US: WordPress plugin CVE-2021-24903 RESERVED -CVE-2021-24902 - RESERVED +CVE-2021-24902 (The Typebot | Build beautiful conversational forms WordPress plugin be ...) + NOT-FOR-US: WordPress plugin CVE-2021-24901 RESERVED -CVE-2021-24900 - RESERVED -CVE-2021-24899 - RESERVED +CVE-2021-24900 (The Ninja Tables WordPress plugin before 4.1.8 does not sanitise and e ...) + NOT-FOR-US: WordPress plugin +CVE-2021-24899 (The Media-Tags WordPress plugin through 3.2.0.2 does not sanitise and ...) + NOT-FOR-US: WordPress plugin CVE-2021-24898 RESERVED CVE-2021-24897 RESERVED -CVE-2021-24896 - RESERVED +CVE-2021-24896 (The Caldera Forms WordPress plugin before 1.9.5 does not sanitise and ...) + NOT-FOR-US: WordPress plugin CVE-2021-24895 RESERVED CVE-2021-24894 (The Reviews Plus WordPress plugin before 1.2.14 does not validate the ...) NOT-FOR-US: WordPress plugin -CVE-2021-24893 - RESERVED +CVE-2021-24893 (The Stars Rating WordPress plugin before 3.5.1 does not validate the s ...) + NOT-FOR-US: WordPress plugin CVE-2021-24892 (Insecure Direct Object Reference in edit function of Advanced Forms (F ...) NOT-FOR-US: WordPress plugin -CVE-2021-24891 (The Elementor Website Builder WordPress plugin before 3.1.4 does not s ...) +CVE-2021-24891 (The Elementor Website Builder WordPress plugin before 3.4.8 does not s ...) NOT-FOR-US: WordPress plugin CVE-2021-24890 RESERVED -CVE-2021-24889 - RESERVED +CVE-2021-24889 (The Ninja Forms Contact Form WordPress plugin before 3.6.4 does not es ...) + NOT-FOR-US: WordPress plugin CVE-2021-24888 (The ImageBoss WordPress plugin before 3.0.6 does not sanitise and esca ...) NOT-FOR-US: WordPress plugin CVE-2021-24887 @@ -46404,64 +54111,64 @@ CVE-2021-24885 (The YOP Poll WordPress plugin before 6.1.2 does not escape the p NOT-FOR-US: WordPress plugin CVE-2021-24884 (The Formidable Form Builder WordPress plugin before 4.09.05 allows to ...) NOT-FOR-US: WordPress plugin -CVE-2021-24883 - RESERVED +CVE-2021-24883 (The Popup Anything WordPress plugin before 2.0.4 does not escape the L ...) + NOT-FOR-US: WordPress plugin CVE-2021-24882 (The Slideshow Gallery WordPress plugin before 1.7.4 does not sanitise ...) NOT-FOR-US: WordPress plugin CVE-2021-24881 RESERVED -CVE-2021-24880 - RESERVED -CVE-2021-24879 - RESERVED -CVE-2021-24878 - RESERVED +CVE-2021-24880 (The SupportCandy WordPress plugin before 2.2.7 does not validate and e ...) + NOT-FOR-US: WordPress plugin +CVE-2021-24879 (The SupportCandy WordPress plugin before 2.2.7 does not have CSRF chec ...) + NOT-FOR-US: WordPress plugin +CVE-2021-24878 (The SupportCandy WordPress plugin before 2.2.7 does not sanitise and e ...) + NOT-FOR-US: WordPress plugin CVE-2021-24877 (The MainWP Child WordPress plugin before 4.1.8 does not validate the o ...) NOT-FOR-US: WordPress plugin -CVE-2021-24876 - RESERVED +CVE-2021-24876 (The Registrations for the Events Calendar WordPress plugin before 2.7. ...) + NOT-FOR-US: WordPress plugin CVE-2021-24875 (The eCommerce Product Catalog Plugin for WordPress plugin before 3.0.3 ...) NOT-FOR-US: WordPress plugin -CVE-2021-24874 - RESERVED +CVE-2021-24874 (The Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblu ...) + NOT-FOR-US: WordPress plugin CVE-2021-24873 (The Tutor LMS WordPress plugin before 1.9.11 does not sanitise and esc ...) NOT-FOR-US: WordPress plugin -CVE-2021-24872 - RESERVED -CVE-2021-24871 - RESERVED +CVE-2021-24872 (The Get Custom Field Values WordPress plugin before 4.0 allows users w ...) + NOT-FOR-US: WordPress plugin +CVE-2021-24871 (The Get Custom Field Values WordPress plugin before 4.0.1 does not esc ...) + NOT-FOR-US: WordPress plugin CVE-2021-24870 RESERVED CVE-2021-24869 RESERVED -CVE-2021-24868 - RESERVED -CVE-2021-24867 - RESERVED -CVE-2021-24866 - RESERVED -CVE-2021-24865 - RESERVED +CVE-2021-24868 (The Document Embedder WordPress plugin before 1.7.9 contains a AJAX ac ...) + NOT-FOR-US: WordPress plugin +CVE-2021-24867 (Numerous Plugins and Themes from the AccessPress Themes (aka Access Ke ...) + TODO: check +CVE-2021-24866 (The WP Data Access WordPress plugin before 5.0.0 does not properly san ...) + NOT-FOR-US: WordPress plugin +CVE-2021-24865 (The Advanced Custom Fields: Extended WordPress plugin before 0.8.8.7 d ...) + NOT-FOR-US: WordPress plugin CVE-2021-24864 RESERVED -CVE-2021-24863 - RESERVED -CVE-2021-24862 - RESERVED -CVE-2021-24861 - RESERVED -CVE-2021-24860 - RESERVED -CVE-2021-24859 - RESERVED -CVE-2021-24858 - RESERVED -CVE-2021-24857 - RESERVED +CVE-2021-24863 (The WP Block and Stop Bad Bots Crawlers and Spiders and Anti Spam Prot ...) + NOT-FOR-US: WordPress plugin +CVE-2021-24862 (The RegistrationMagic WordPress plugin before 5.0.1.6 does not escape ...) + NOT-FOR-US: WordPress plugin +CVE-2021-24861 (The Quotes Collection WordPress plugin through 2.5.2 does not validate ...) + NOT-FOR-US: WordPress plugin +CVE-2021-24860 (The BSK PDF Manager WordPress plugin before 3.1.2 does not validate an ...) + NOT-FOR-US: WordPress plugin +CVE-2021-24859 (The User Meta Shortcodes WordPress plugin through 0.5 registers a shor ...) + NOT-FOR-US: WordPress plugin +CVE-2021-24858 (The Cookie Notification Plugin for WordPress plugin before 1.0.9 does ...) + NOT-FOR-US: WordPress plugin +CVE-2021-24857 (The ToTop Link WordPress plugin through 1.7.1 passes base64 encoded us ...) + NOT-FOR-US: WordPress plugin CVE-2021-24856 (The Shared Files WordPress plugin before 1.6.61 does not sanitise and ...) NOT-FOR-US: WordPress plugin -CVE-2021-24855 - RESERVED +CVE-2021-24855 (The Display Post Metadata WordPress plugin before 1.5.0 adds a shortco ...) + NOT-FOR-US: WordPress plugin CVE-2021-24854 (The QR Redirector WordPress plugin before 1.6.1 does not sanitise and ...) NOT-FOR-US: WordPress plugin CVE-2021-24853 (The QR Redirector WordPress plugin before 1.6 does not have capability ...) @@ -46472,34 +54179,34 @@ CVE-2021-24851 (The Insert Pages WordPress plugin before 3.7.0 allows users with NOT-FOR-US: WordPress plugin CVE-2021-24850 (The Insert Pages WordPress plugin before 3.7.0 adds a shortcode that p ...) NOT-FOR-US: WordPress plugin -CVE-2021-24849 - RESERVED -CVE-2021-24848 - RESERVED +CVE-2021-24849 (The wcfm_ajax_controller AJAX action of the WCFM Marketplace WordPress ...) + NOT-FOR-US: WordPress plugin +CVE-2021-24848 (The mediamaticAjaxRenameCategory AJAX action of the Mediamatic WordPre ...) + NOT-FOR-US: WordPress plugin CVE-2021-24847 (The importFromRedirection AJAX action of the SEO Redirection Plugin &# ...) NOT-FOR-US: WordPress plugin -CVE-2021-24846 - RESERVED -CVE-2021-24845 - RESERVED +CVE-2021-24846 (The get_query() function of the Ni WooCommerce Custom Order Status Wor ...) + NOT-FOR-US: WordPress plugin +CVE-2021-24845 (The Improved Include Page WordPress plugin through 1.2 allows passing ...) + NOT-FOR-US: WordPress plugin CVE-2021-24844 (The Affiliates Manager WordPress plugin before 2.8.7 does not validate ...) NOT-FOR-US: WordPress plugin -CVE-2021-24843 - RESERVED -CVE-2021-24842 - RESERVED +CVE-2021-24843 (The SupportCandy WordPress plugin before 2.2.7 does not have CRSF chec ...) + NOT-FOR-US: WordPress plugin +CVE-2021-24842 (The Bulk Datetime Change WordPress plugin before 1.12 does not enforce ...) + NOT-FOR-US: WordPress plugin CVE-2021-24841 (The Helpful WordPress plugin before 4.4.59 does not sanitise and escap ...) NOT-FOR-US: WordPress plugin CVE-2021-24840 (The Squaretype WordPress theme before 3.0.4 allows unauthenticated use ...) NOT-FOR-US: WordPress theme -CVE-2021-24839 - RESERVED -CVE-2021-24838 - RESERVED +CVE-2021-24839 (The SupportCandy WordPress plugin before 2.2.5 does not have authorisa ...) + NOT-FOR-US: WordPress plugin +CVE-2021-24838 (The AnyComment WordPress plugin through 0.2.17 has an API endpoint whi ...) + NOT-FOR-US: WordPress plugin CVE-2021-24837 RESERVED -CVE-2021-24836 - RESERVED +CVE-2021-24836 (The Temporary Login Without Password WordPress plugin before 1.7.1 doe ...) + NOT-FOR-US: WordPress plugin CVE-2021-24835 (The WCFM – Frontend Manager for WooCommerce along with Bookings ...) NOT-FOR-US: WordPress plugin CVE-2021-24834 (The YOP Poll WordPress plugin before 6.3.1 is affected by a stored Cro ...) @@ -46508,14 +54215,14 @@ CVE-2021-24833 (The YOP Poll WordPress plugin before 6.3.1 is affected by a stor NOT-FOR-US: WordPress plugin CVE-2021-24832 (The WP SEO Redirect 301 WordPress plugin before 2.3.2 does not have CS ...) NOT-FOR-US: WordPress plugin -CVE-2021-24831 - RESERVED +CVE-2021-24831 (All AJAX actions of the Tab WordPress plugin before 1.3.2 are availabl ...) + NOT-FOR-US: WordPress plugin CVE-2021-24830 (The Advanced Access Manager WordPress plugin before 6.8.0 does not esc ...) NOT-FOR-US: WordPress plugin CVE-2021-24829 (The Visitor Traffic Real Time Statistics WordPress plugin before 3.9 d ...) NOT-FOR-US: WordPress plugin -CVE-2021-24828 - RESERVED +CVE-2021-24828 (The Mortgage Calculator / Loan Calculator WordPress plugin before 1.5. ...) + NOT-FOR-US: WordPress plugin CVE-2021-24827 (The Asgaros Forum WordPress plugin before 1.15.13 does not validate an ...) NOT-FOR-US: WordPress plugin CVE-2021-24826 @@ -46526,30 +54233,30 @@ CVE-2021-24824 RESERVED CVE-2021-24823 RESERVED -CVE-2021-24822 - RESERVED +CVE-2021-24822 (The Stylish Cost Calculator WordPress plugin before 7.0.4 does not hav ...) + NOT-FOR-US: WordPress plugin CVE-2021-24821 RESERVED CVE-2021-24820 RESERVED -CVE-2021-24819 - RESERVED -CVE-2021-24818 - RESERVED -CVE-2021-24817 - RESERVED +CVE-2021-24819 (The Page/Post Content Shortcode WordPress plugin through 1.0 does not ...) + NOT-FOR-US: WordPress plugin +CVE-2021-24818 (The WP Limits WordPress plugin through 1.0 does not have CSRF check wh ...) + NOT-FOR-US: WordPress plugin +CVE-2021-24817 (The Ultimate NoFollow WordPress plugin through 1.4.8 does not sanitise ...) + NOT-FOR-US: WordPress plugin CVE-2021-24816 (The Phoenix Media Rename WordPress plugin before 3.4.4 does not have c ...) NOT-FOR-US: WordPress plugin CVE-2021-24815 (The Accept Donations with PayPal WordPress plugin before 1.3.2 does no ...) NOT-FOR-US: WordPress plugin -CVE-2021-24814 - RESERVED +CVE-2021-24814 (The check_privacy_settings AJAX action of the WordPress GDPR WordPress ...) + NOT-FOR-US: WordPress plugin CVE-2021-24813 (The Events Made Easy WordPress plugin before 2.2.24 does not sanitise ...) NOT-FOR-US: WordPress plugin CVE-2021-24812 (The BetterLinks WordPress plugin before 1.2.6 does not sanitise and es ...) NOT-FOR-US: WordPress plugin -CVE-2021-24811 - RESERVED +CVE-2021-24811 (The Shop Page WP WordPress plugin before 1.2.8 does not sanitise and e ...) + NOT-FOR-US: WordPress plugin CVE-2021-24810 RESERVED CVE-2021-24809 (The BP Better Messages WordPress plugin before 1.9.9.41 does not check ...) @@ -46576,42 +54283,42 @@ CVE-2021-24799 (The Far Future Expiry Header WordPress plugin before 1.5 does no NOT-FOR-US: WordPress plugin CVE-2021-24798 (The WP Header Images WordPress plugin before 2.0.1 does not sanitise a ...) NOT-FOR-US: WordPress plugin -CVE-2021-24797 - RESERVED +CVE-2021-24797 (The Tickera WordPress plugin before 3.4.8.3 does not properly sanitise ...) + NOT-FOR-US: WordPress plugin CVE-2021-24796 (The My Tickets WordPress plugin before 1.8.31 does not properly saniti ...) NOT-FOR-US: WordPress plugin -CVE-2021-24795 - RESERVED +CVE-2021-24795 (The Filter Portfolio Gallery WordPress plugin through 1.5 is lacking C ...) + NOT-FOR-US: WordPress plugin CVE-2021-24794 (The Connections Business Directory WordPress plugin before 10.4.3 does ...) NOT-FOR-US: WordPress plugin CVE-2021-24793 (The WPeMatico RSS Feed Fetcher WordPress plugin before 2.6.12 does not ...) NOT-FOR-US: WordPress plugin -CVE-2021-24792 - RESERVED +CVE-2021-24792 (The Shiny Buttons WordPress plugin through 1.1.0 does not have any aut ...) + NOT-FOR-US: WordPress plugin CVE-2021-24791 (The Header Footer Code Manager WordPress plugin before 1.1.14 does not ...) NOT-FOR-US: WordPress plugin -CVE-2021-24790 - RESERVED +CVE-2021-24790 (The Contact Form Advanced Database WordPress plugin through 1.0.8 does ...) + NOT-FOR-US: WordPress plugin CVE-2021-24789 (The Flat Preloader WordPress plugin before 1.5.5 does not escape some ...) NOT-FOR-US: WordPress plugin CVE-2021-24788 (The Batch Cat WordPress plugin through 0.3 defines 3 custom AJAX actio ...) NOT-FOR-US: WordPress plugin CVE-2021-24787 (The Client Invoicing by Sprout Invoices WordPress plugin before 19.9.7 ...) NOT-FOR-US: WordPress plugin -CVE-2021-24786 - RESERVED +CVE-2021-24786 (The Download Monitor WordPress plugin before 4.4.5 does not properly v ...) + NOT-FOR-US: WordPress plugin CVE-2021-24785 (The Great Quotes WordPress plugin through 1.0.0 does not sanitise and ...) NOT-FOR-US: WordPress plugin -CVE-2021-24784 - RESERVED +CVE-2021-24784 (The WP Admin Logo Changer WordPress plugin through 1.0 does not have C ...) + NOT-FOR-US: WordPress plugin CVE-2021-24783 (The Post Expirator WordPress plugin before 2.6.0 does not have proper ...) NOT-FOR-US: WordPress plugin -CVE-2021-24782 - RESERVED +CVE-2021-24782 (The Flex Local Fonts WordPress plugin through 1.0.0 does not escape th ...) + NOT-FOR-US: WordPress plugin CVE-2021-24781 (The Image Source Control WordPress plugin before 2.3.1 allows users wi ...) NOT-FOR-US: WordPress plugin -CVE-2021-24780 - RESERVED +CVE-2021-24780 (The Single Post Exporter WordPress plugin through 1.1.1 does not have ...) + NOT-FOR-US: WordPress plugin CVE-2021-24779 (The WP Debugging WordPress plugin before 2.11.0 has its update_setting ...) NOT-FOR-US: WordPress plugin CVE-2021-24778 @@ -46620,68 +54327,68 @@ CVE-2021-24777 RESERVED CVE-2021-24776 (The WP Performance Score Booster WordPress plugin before 2.1 does not ...) NOT-FOR-US: WordPress plugin -CVE-2021-24775 - RESERVED +CVE-2021-24775 (The Document Embedder WordPress plugin before 1.7.5 contains a REST en ...) + NOT-FOR-US: WordPress plugin CVE-2021-24774 (The Check & Log Email WordPress plugin before 1.0.3 does not valid ...) NOT-FOR-US: WordPress plugin CVE-2021-24773 (The WordPress Download Manager WordPress plugin before 3.2.16 does not ...) NOT-FOR-US: WordPress plugin CVE-2021-24772 (The Stream WordPress plugin before 3.8.2 does not sanitise and validat ...) NOT-FOR-US: WordPress plugin -CVE-2021-24771 - RESERVED +CVE-2021-24771 (The Inspirational Quote Rotator WordPress plugin through 1.0.0 does no ...) + NOT-FOR-US: WordPress plugin CVE-2021-24770 (The Stylish Price List WordPress plugin before 6.9.1 does not perform ...) NOT-FOR-US: WordPress plugin CVE-2021-24769 (The Permalink Manager Lite WordPress plugin before 2.2.13.1 does not v ...) NOT-FOR-US: WordPress plugin -CVE-2021-24768 - RESERVED +CVE-2021-24768 (The WP RSS Aggregator WordPress plugin before 4.19.2 does not properly ...) + NOT-FOR-US: WordPress plugin CVE-2021-24767 (The Redirect 404 Error Page to Homepage or Custom Page with Logs WordP ...) NOT-FOR-US: WordPress plugin CVE-2021-24766 (The 404 to 301 – Redirect, Log and Notify 404 Errors WordPress p ...) NOT-FOR-US: WordPress plugin -CVE-2021-24765 - RESERVED -CVE-2021-24764 - RESERVED -CVE-2021-24763 - RESERVED -CVE-2021-24762 - RESERVED -CVE-2021-24761 - RESERVED +CVE-2021-24765 (The Perfect Survey WordPress plugin through 1.5.2 does not validate an ...) + NOT-FOR-US: WordPress plugin +CVE-2021-24764 (The Perfect Survey WordPress plugin before 1.5.2 does not sanitise and ...) + NOT-FOR-US: WordPress plugin +CVE-2021-24763 (The Perfect Survey WordPress plugin before 1.5.2 does not have proper ...) + NOT-FOR-US: WordPress plugin +CVE-2021-24762 (The Perfect Survey WordPress plugin before 1.5.2 does not validate and ...) + NOT-FOR-US: WordPress plugin +CVE-2021-24761 (The Error Log Viewer WordPress plugin through 1.1.1 does not perform n ...) + NOT-FOR-US: WordPress plugin CVE-2021-24760 (The Gutenberg PDF Viewer Block WordPress plugin before 1.0.1 does not ...) NOT-FOR-US: WordPress plugin -CVE-2021-24759 - RESERVED +CVE-2021-24759 (The PDF.js Viewer WordPress plugin before 2.0.2 does not escape some o ...) + NOT-FOR-US: WordPress plugin CVE-2021-24758 (The Email Log WordPress plugin before 2.4.7 does not properly validate ...) NOT-FOR-US: WordPress plugin CVE-2021-24757 (The Stylish Price List WordPress plugin before 6.9.0 does not perform ...) NOT-FOR-US: WordPress plugin -CVE-2021-24756 - RESERVED -CVE-2021-24755 - RESERVED +CVE-2021-24756 (The WP System Log WordPress plugin before 1.0.21 does not sanitise, va ...) + NOT-FOR-US: WordPress plugin +CVE-2021-24755 (The myCred WordPress plugin before 2.3 does not validate or escape the ...) + NOT-FOR-US: WordPress plugin CVE-2021-24754 (The MainWP Child Reports WordPress plugin before 2.0.8 does not valida ...) NOT-FOR-US: WordPress plugin -CVE-2021-24753 - RESERVED +CVE-2021-24753 (The Rich Reviews by Starfish WordPress plugin before 1.9.6 does not pr ...) + NOT-FOR-US: WordPress plugin CVE-2021-24752 (Multiple Plugins from the CatchThemes vendor do not perform capability ...) NOT-FOR-US: WordPress plugins -CVE-2021-24751 - RESERVED -CVE-2021-24750 - RESERVED -CVE-2021-24749 - RESERVED -CVE-2021-24748 - RESERVED -CVE-2021-24747 - RESERVED +CVE-2021-24751 (The GenerateBlocks WordPress plugin before 1.4.0 does not validate the ...) + NOT-FOR-US: WordPress plugin +CVE-2021-24750 (The WP Visitor Statistics (Real Time Traffic) WordPress plugin before ...) + NOT-FOR-US: WordPress plugin +CVE-2021-24749 (The URL Shortify WordPress plugin before 1.5.1 does not have CSRF chec ...) + NOT-FOR-US: WordPress plugin +CVE-2021-24748 (The Email Before Download WordPress plugin before 6.8 does not properl ...) + NOT-FOR-US: WordPress plugin +CVE-2021-24747 (The SEO Booster WordPress plugin before 3.8 allows for authenticated S ...) + NOT-FOR-US: WordPress plugin CVE-2021-24746 RESERVED -CVE-2021-24745 - RESERVED +CVE-2021-24745 (The About Author Box WordPress plugin before 1.0.2 does not sanitise a ...) + NOT-FOR-US: WordPress plugin CVE-2021-24744 (The WordPress Contact Forms by Cimatti WordPress plugin before 1.4.12 ...) NOT-FOR-US: WordPress plugin CVE-2021-24743 (The Podcast Subscribe Buttons WordPress plugin before 1.4.2 allows use ...) @@ -46692,10 +54399,10 @@ CVE-2021-24741 (The Support Board WordPress plugin before 3.3.4 does not escape NOT-FOR-US: WordPress plugin CVE-2021-24740 (The Tutor LMS WordPress plugin before 1.9.9 does not escape some of it ...) NOT-FOR-US: WordPress plugin -CVE-2021-24739 - RESERVED -CVE-2021-24738 - RESERVED +CVE-2021-24739 (The Logo Carousel WordPress plugin before 3.4.2 allows users with a ro ...) + NOT-FOR-US: WordPress plugin +CVE-2021-24738 (The Logo Carousel WordPress plugin before 3.4.2 does not validate and ...) + NOT-FOR-US: WordPress plugin CVE-2021-24737 (The Comments – wpDiscuz WordPress plugin through 7.3.0 does not ...) NOT-FOR-US: WordPress plugin CVE-2021-24736 (The Easy Download Manager and File Sharing Plugin with frontend file u ...) @@ -46704,8 +54411,8 @@ CVE-2021-24735 (The Compact WP Audio Player WordPress plugin before 1.9.7 does n NOT-FOR-US: WordPress plugin CVE-2021-24734 (The Compact WP Audio Player WordPress plugin before 1.9.7 does not esc ...) NOT-FOR-US: WordPress plugin -CVE-2021-24733 - RESERVED +CVE-2021-24733 (The WP Post Page Clone WordPress plugin before 1.2 allows users with a ...) + NOT-FOR-US: WordPress plugin CVE-2021-24732 (The PDF Flipbook, 3D Flipbook WordPress – DearFlip WordPress plu ...) NOT-FOR-US: WordPress plugin CVE-2021-24731 (The Registration Forms – User profile, Content Restriction, Spam ...) @@ -46734,16 +54441,16 @@ CVE-2021-24720 (The GeoDirectory Business Directory WordPress plugin before 2.1. NOT-FOR-US: WordPress plugin CVE-2021-24719 (The Enfold Enfold WordPress theme before 4.8.4 was vulnerable to Refle ...) NOT-FOR-US: WordPress theme -CVE-2021-24718 - RESERVED +CVE-2021-24718 (The Contact Form, Survey & Popup Form Plugin for WordPress plugin ...) + NOT-FOR-US: WordPress plugin CVE-2021-24717 (The AutomatorWP WordPress plugin before 1.7.6 does not perform capabil ...) NOT-FOR-US: WordPress plugin CVE-2021-24716 (The Modern Events Calendar Lite WordPress plugin before 5.22.3 does no ...) NOT-FOR-US: WordPress plugin CVE-2021-24715 (The WP Sitemap Page WordPress plugin before 1.7.0 does not properly sa ...) NOT-FOR-US: WordPress plugin -CVE-2021-24714 - RESERVED +CVE-2021-24714 (The Import any XML or CSV File to WordPress plugin before 3.6.3 does n ...) + NOT-FOR-US: WordPress plugin CVE-2021-24713 (The Video Lessons Manager WordPress plugin before 1.7.2 and Video Less ...) NOT-FOR-US: WordPress plugin CVE-2021-24712 (The Appointment Hour Booking WordPress plugin before 1.3.17 does not p ...) @@ -46756,12 +54463,12 @@ CVE-2021-24709 (The Weather Effect WordPress plugin before 1.3.6 does not proper NOT-FOR-US: WordPress plugin CVE-2021-24708 (The Export any WordPress data to XML/CSV WordPress plugin before 1.3.1 ...) NOT-FOR-US: WordPress plugin -CVE-2021-24707 - RESERVED +CVE-2021-24707 (The Learning Courses WordPress plugin before 5.0 does not sanitise and ...) + NOT-FOR-US: WordPress plugin CVE-2021-24706 (The Qwizcards – online quizzes and flashcards WordPress plugin b ...) NOT-FOR-US: WordPress plugin -CVE-2021-24705 - RESERVED +CVE-2021-24705 (The NEX-Forms WordPress plugin through 7.9.4 does not escape some of i ...) + NOT-FOR-US: WordPress plugin CVE-2021-24704 RESERVED CVE-2021-24703 (The Download Plugin WordPress plugin before 1.6.1 does not have capabi ...) @@ -46778,12 +54485,12 @@ CVE-2021-24698 (The Simple Download Monitor WordPress plugin before 3.9.6 allows NOT-FOR-US: WordPress plugin CVE-2021-24697 (The Simple Download Monitor WordPress plugin before 3.9.5 does not esc ...) NOT-FOR-US: WordPress plugin -CVE-2021-24696 - RESERVED +CVE-2021-24696 (The Simple Download Monitor WordPress plugin before 3.9.9 does not enf ...) + NOT-FOR-US: WordPress plugin CVE-2021-24695 (The Simple Download Monitor WordPress plugin before 3.9.6 saves logs i ...) NOT-FOR-US: WordPress plugin -CVE-2021-24694 - RESERVED +CVE-2021-24694 (The Simple Download Monitor WordPress plugin before 3.9.11 could allow ...) + NOT-FOR-US: WordPress plugin CVE-2021-24693 (The Simple Download Monitor WordPress plugin before 3.9.5 does not esc ...) NOT-FOR-US: WordPress plugin CVE-2021-24692 @@ -46798,8 +54505,8 @@ CVE-2021-24688 RESERVED CVE-2021-24687 (The Modern Events Calendar Lite WordPress plugin before 5.22.2 does no ...) NOT-FOR-US: WordPress plugin -CVE-2021-24686 - RESERVED +CVE-2021-24686 (The SVG Support WordPress plugin before 2.3.20 does not escape the "CS ...) + NOT-FOR-US: WordPress plugin CVE-2021-24685 (The Flat Preloader WordPress plugin before 1.5.4 does not enforce nonc ...) NOT-FOR-US: WordPress plugin CVE-2021-24684 (The WordPress PDF Light Viewer Plugin WordPress plugin before 1.4.12 a ...) @@ -46810,8 +54517,8 @@ CVE-2021-24682 (The Cool Tag Cloud WordPress plugin before 2.26 does not escape NOT-FOR-US: WordPress plugin CVE-2021-24681 (The Duplicate Page WordPress plugin through 4.4.2 does not sanitise or ...) NOT-FOR-US: WordPress plugin -CVE-2021-24680 - RESERVED +CVE-2021-24680 (The WP Travel Engine WordPress plugin before 5.3.1 does not escape the ...) + NOT-FOR-US: WordPress plugin CVE-2021-24679 (The Bitcoin / AltCoin Payment Gateway for WooCommerce WordPress plugin ...) NOT-FOR-US: WordPress plugin CVE-2021-24678 (The CM Tooltip Glossary WordPress plugin before 3.9.21 does not escape ...) @@ -46834,7 +54541,7 @@ CVE-2021-24670 (The CoolClock WordPress plugin before 4.3.5 does not escape some NOT-FOR-US: WordPress plugin CVE-2021-24669 (The MAZ Loader – Preloader Builder for WordPress plugin before 1 ...) NOT-FOR-US: WordPress plugin -CVE-2021-24668 (The MAZ Loader WordPress plugin through 1.3.4 does not enforce nonce c ...) +CVE-2021-24668 (The MAZ Loader WordPress plugin before 1.4.1 does not enforce nonce ch ...) NOT-FOR-US: WordPress plugin CVE-2021-24667 (A stored cross-site scripting vulnerability has been discovered in : S ...) NOT-FOR-US: FortiGuard @@ -46874,13 +54581,13 @@ CVE-2021-24650 RESERVED CVE-2021-24649 RESERVED -CVE-2021-24648 - RESERVED +CVE-2021-24648 (The RegistrationMagic WordPress plugin before 5.0.1.9 does not sanitis ...) + NOT-FOR-US: WordPress plugin CVE-2021-24647 (The Registration Forms – User profile, Content Restriction, Spam ...) NOT-FOR-US: WordPress plugin -CVE-2021-24646 (The Booking.com Banner Creator WordPress plugin through 1.4.2 does not ...) +CVE-2021-24646 (The Booking.com Banner Creator WordPress plugin before 1.4.3 does not ...) NOT-FOR-US: WordPress plugin -CVE-2021-24645 (The Booking.com Product Helper WordPress plugin through 1.0.1 does not ...) +CVE-2021-24645 (The Booking.com Product Helper WordPress plugin before 1.0.2 does not ...) NOT-FOR-US: WordPress plugin CVE-2021-24644 (The Images to WebP WordPress plugin before 1.9 does not validate or sa ...) NOT-FOR-US: WordPress plugin @@ -47014,8 +54721,8 @@ CVE-2021-24580 (The Side Menu Lite WordPress plugin before 2.2.6 does not saniti NOT-FOR-US: WordPress plugin CVE-2021-24579 (The bt_bb_get_grid AJAX action of the Bold Page Builder WordPress plug ...) NOT-FOR-US: WordPress plugin -CVE-2021-24578 - RESERVED +CVE-2021-24578 (The SportsPress WordPress plugin before 2.7.9 does not sanitise and es ...) + NOT-FOR-US: WordPress plugin CVE-2021-24577 (The Coming soon and Maintenance mode WordPress plugin before 3.5.3 doe ...) NOT-FOR-US: WordPress plugin CVE-2021-24576 (The Easy Accordion WordPress plugin before 2.0.22 does not properly sa ...) @@ -47278,8 +54985,8 @@ CVE-2021-24448 (The User Registration & User Profile – Profile Builder NOT-FOR-US: WordPress plugin CVE-2021-24447 (The WP Image Zoom WordPress plugin before 1.47 did not validate its ta ...) NOT-FOR-US: WordPress plugin -CVE-2021-24446 - RESERVED +CVE-2021-24446 (The Remove Footer Credit WordPress plugin before 1.0.6 does not have C ...) + NOT-FOR-US: WordPress plugin CVE-2021-24445 (The My Site Audit WordPress plugin through 1.2.4 does not sanitise or ...) NOT-FOR-US: WordPress plugin CVE-2021-24444 (The TaxoPress – Create and Manage Taxonomies, Tags, Categories W ...) @@ -47324,8 +55031,8 @@ CVE-2021-24425 (The Floating Notification Bar, Sticky Menu on Scroll, and Sticky NOT-FOR-US: WordPress plugin CVE-2021-24424 (The WP Reset – Most Advanced WordPress Reset Tool WordPress plug ...) NOT-FOR-US: Wordpress plugin -CVE-2021-24423 - RESERVED +CVE-2021-24423 (The UpdraftPlus WordPress Backup Plugin WordPress plugin before 1.6.59 ...) + NOT-FOR-US: WordPress plugin CVE-2021-24422 RESERVED CVE-2021-24421 (The WP JobSearch WordPress plugin before 1.7.4 did not sanitise or esc ...) @@ -47484,7 +55191,7 @@ CVE-2021-24345 (The page lists-management feature of the Sendit WP Newsletter Wo NOT-FOR-US: WordPress plugin CVE-2021-24344 (The Easy Preloader WordPress plugin through 1.0.0 does not sanitise it ...) NOT-FOR-US: WordPress plugin -CVE-2021-24343 (The iFlyChat - WordPress Chat plugin through 4.6.4 does not sanitise i ...) +CVE-2021-24343 (The iFlyChat WordPress plugin before 4.7.0 does not sanitise its APP I ...) NOT-FOR-US: WordPress plugin CVE-2021-24342 (The JNews WordPress theme before 8.0.6 did not sanitise the cat_id par ...) NOT-FOR-US: WordPress theme @@ -47959,6 +55666,8 @@ CVE-2021-3144 (In SaltStack Salt before 3002.5, eauth tokens can be used once af - salt 3002.5+dfsg1-1 (bug #983632) [buster] - salt 2018.3.4+dfsg1-6+deb10u3 NOTE: https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/ + NOTE: Introduced by: https://github.com/saltstack/salt/commit/b8e34e1f6f785bf00634ee561c89c30c45f4c689 (v2018.2) + NOTE: Fixed by: https://github.com/saltstack/salt/commit/7c1d565465f78a7937f089857f3980045f27fd6e (v3002.3) CVE-2021-3143 RESERVED CVE-2021-3142 @@ -47980,7 +55689,7 @@ CVE-2021-24118 CVE-2021-24117 (In Apache Teaclave Rust SGX SDK 1.1.3, a side-channel vulnerability in ...) NOT-FOR-US: Rust SGX CVE-2021-24116 (In wolfSSL through 4.6.0, a side-channel vulnerability in base64 PEM f ...) - - wolfssl <unfixed> (bug #991663) + - wolfssl 5.0.0-1 (bug #991663) [bullseye] - wolfssl <no-dsa> (Minor issue) NOTE: https://github.com/wolfSSL/wolfssl/releases/tag/v4.8.0-stable CVE-2021-24115 (In Botan before 2.17.3, constant-time computations are not used for ce ...) @@ -48125,18 +55834,18 @@ CVE-2021-24048 RESERVED CVE-2021-24047 RESERVED -CVE-2021-24046 - RESERVED -CVE-2021-24045 - RESERVED -CVE-2021-24044 - RESERVED -CVE-2021-24043 - RESERVED -CVE-2021-24042 - RESERVED -CVE-2021-24041 - RESERVED +CVE-2021-24046 (A logic flaw in Ray-Ban® Stories device software allowed some par ...) + NOT-FOR-US: Facebook View +CVE-2021-24045 (A type confusion vulnerability could be triggered when resolving the " ...) + NOT-FOR-US: Facebook Hermes +CVE-2021-24044 (By passing invalid javascript code where await and yield were called u ...) + NOT-FOR-US: Facebook Hermes +CVE-2021-24043 (A missing bound check in RTCP flag parsing code prior to WhatsApp for ...) + NOT-FOR-US: Whatsapp +CVE-2021-24042 (The calling logic for WhatsApp for Android prior to v2.21.23, WhatsApp ...) + NOT-FOR-US: Whatsapp +CVE-2021-24041 (A missing bounds check in image blurring code prior to WhatsApp for An ...) + NOT-FOR-US: Whatsapp CVE-2021-24040 (Due to use of unsafe YAML deserialization logic, an attacker with the ...) NOT-FOR-US: Facebook ParlAI CVE-2021-24039 @@ -48677,16 +56386,16 @@ CVE-2021-23865 RESERVED CVE-2021-23864 RESERVED -CVE-2021-23863 - RESERVED -CVE-2021-23862 - RESERVED -CVE-2021-23861 - RESERVED -CVE-2021-23860 - RESERVED -CVE-2021-23859 - RESERVED +CVE-2021-23863 (HTML code injection vulnerability in Android Application, Bosch Video ...) + NOT-FOR-US: Bosch +CVE-2021-23862 (A crafted configuration packet sent by an authenticated administrative ...) + NOT-FOR-US: Bosch +CVE-2021-23861 (By executing a special command, an user with administrative rights can ...) + NOT-FOR-US: Bosch +CVE-2021-23860 (An error in a page handler of the VRM may lead to a reflected cross si ...) + NOT-FOR-US: Bosch +CVE-2021-23859 (An unauthenticated attacker is able to send a special HTTP request, th ...) + NOT-FOR-US: Bosch CVE-2021-23858 (Information disclosure: The main configuration, including users and th ...) NOT-FOR-US: Bosch CVE-2021-23857 (Login with hash: The login routine allows the client to log in to the ...) @@ -48717,10 +56426,10 @@ CVE-2021-23845 (This vulnerability could allow an attacker to hijack a session w NOT-FOR-US: Bosch CVE-2021-23844 RESERVED -CVE-2021-23843 - RESERVED -CVE-2021-23842 - RESERVED +CVE-2021-23843 (The Bosch software tools AccessIPConfig.exe and AmcIpConfig.exe are us ...) + NOT-FOR-US: Bosch +CVE-2021-23842 (Communication to the AMC2 uses a state-of-the-art cryptographic algori ...) + NOT-FOR-US: Bosch CVE-2021-23841 (The OpenSSL public API function X509_issuer_and_serial_hash() attempts ...) {DSA-4855-1 DLA-2565-1 DLA-2563-1} - openssl 1.1.1j-1 @@ -48757,6 +56466,7 @@ CVE-2021-3122 (CMCAgent in NCR Command Center Agent 16.3 on Aloha POS/BOH server NOT-FOR-US: CMCAgent in NCR Command Center Agent CVE-2021-3121 (An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarsha ...) - golang-gogoprotobuf 1.3.2-1 + [buster] - golang-gogoprotobuf <no-dsa> (Minor issue) [stretch] - golang-gogoprotobuf <no-dsa> (Minor issue) NOTE: https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc CVE-2021-3120 (An arbitrary file upload vulnerability in the YITH WooCommerce Gift Ca ...) @@ -48813,8 +56523,8 @@ CVE-2021-23826 RESERVED CVE-2021-23825 RESERVED -CVE-2021-23824 - RESERVED +CVE-2021-23824 (This affects the package Crow before 0.3+4. When using attributes with ...) + NOT-FOR-US: CrowCpp CVE-2021-23823 RESERVED CVE-2021-23822 @@ -48833,8 +56543,8 @@ CVE-2021-23816 RESERVED CVE-2021-23815 RESERVED -CVE-2021-23814 - RESERVED +CVE-2021-23814 (This affects the package unisharp/laravel-filemanager from 0.0.0. The ...) + NOT-FOR-US: Laravel Filemanager CVE-2021-23813 RESERVED CVE-2021-23812 @@ -48855,8 +56565,11 @@ CVE-2021-23805 RESERVED CVE-2021-23804 RESERVED -CVE-2021-23803 - RESERVED +CVE-2021-23803 (This affects the package latte/latte before 2.10.6. There is a way to ...) + - php-nette <removed> + [stretch] - php-nette <not-affected> (Sandbox first appeared in Latte 2.8.0 so older versions are not affected.) + NOTE: https://github.com/nette/latte/commit/227c86eda9a8a6d060ea8501923e768b6d992210 + NOTE: https://github.com/nette/latte/issues/279 CVE-2021-23802 RESERVED CVE-2021-23801 @@ -48867,8 +56580,8 @@ CVE-2021-23799 RESERVED CVE-2021-23798 RESERVED -CVE-2021-23797 - RESERVED +CVE-2021-23797 (All versions of package http-server-node are vulnerable to Directory T ...) + NOT-FOR-US: Node http-server CVE-2021-23796 RESERVED CVE-2021-23795 @@ -48917,8 +56630,8 @@ CVE-2021-23774 RESERVED CVE-2021-23773 RESERVED -CVE-2021-23772 - RESERVED +CVE-2021-23772 (This affects all versions of package github.com/kataras/iris; all vers ...) + NOT-FOR-US: iris Go web framework CVE-2021-23771 RESERVED CVE-2021-23770 @@ -48941,12 +56654,12 @@ CVE-2021-23762 RESERVED CVE-2021-23761 RESERVED -CVE-2021-23760 - RESERVED +CVE-2021-23760 (The package keyget from 0.0.0 are vulnerable to Prototype Pollution vi ...) + NOT-FOR-US: Node keyget CVE-2021-23759 RESERVED -CVE-2021-23758 - RESERVED +CVE-2021-23758 (All versions of package ajaxpro.2 are vulnerable to Deserialization of ...) + NOT-FOR-US: ajaxpro CVE-2021-23757 RESERVED CVE-2021-23756 @@ -48998,7 +56711,7 @@ CVE-2021-23734 CVE-2021-23733 RESERVED CVE-2021-23732 (This affects all versions of package docker-cli-js. If the command par ...) - TODO: check + NOT-FOR-US: Node docker-cli-js CVE-2021-23731 RESERVED CVE-2021-23730 @@ -49007,8 +56720,13 @@ CVE-2021-23729 RESERVED CVE-2021-23728 RESERVED -CVE-2021-23727 - RESERVED +CVE-2021-23727 (This affects the package celery before 5.2.2. It by default trusts the ...) + - celery 5.2.3-1 + [bullseye] - celery <no-dsa> (Minor issue) + [buster] - celery <not-affected> (Vulnerable code not present) + [stretch] - celery <not-affected> (Vulnerable code introduced later) + NOTE: https://github.com/celery/celery/commit/5c3f1559df16c32fb8d82918b4497f688d42ad0a (v5.2.3) + NOTE: Introduced by: https://github.com/celery/celery/commit/d20b8a5d469c80f48468e251cbe6451c798d1c29 (4.4.0rc1) CVE-2021-23726 RESERVED CVE-2021-23725 @@ -49057,12 +56775,12 @@ CVE-2021-23704 RESERVED CVE-2021-23703 RESERVED -CVE-2021-23702 - RESERVED +CVE-2021-23702 (The package object-extend from 0.0.0 are vulnerable to Prototype Pollu ...) + TODO: check CVE-2021-23701 RESERVED -CVE-2021-23700 - RESERVED +CVE-2021-23700 (All versions of package merge-deep2 are vulnerable to Prototype Pollut ...) + NOT-FOR-US: merge-deep2 (fork of unaffected merge-deep). CVE-2021-23699 RESERVED CVE-2021-23698 @@ -49097,8 +56815,8 @@ CVE-2021-23684 RESERVED CVE-2021-23683 RESERVED -CVE-2021-23682 - RESERVED +CVE-2021-23682 (This affects the package litespeed.js before 0.3.12; the package appwr ...) + NOT-FOR-US: litespeed.js CVE-2021-23681 RESERVED CVE-2021-23680 @@ -49116,7 +56834,7 @@ CVE-2021-23675 CVE-2021-23674 RESERVED CVE-2021-23673 (This affects all versions of package pekeupload. If an attacker induce ...) - TODO: check + NOT-FOR-US: Node pekeupload CVE-2021-23672 RESERVED CVE-2021-23671 @@ -49133,10 +56851,10 @@ CVE-2021-23666 RESERVED CVE-2021-23665 RESERVED -CVE-2021-23664 - RESERVED -CVE-2021-23663 - RESERVED +CVE-2021-23664 (The package @isomorphic-git/cors-proxy before 2.7.1 are vulnerable to ...) + NOT-FOR-US: cors-proxy +CVE-2021-23663 (All versions of package sey are vulnerable to Prototype Pollution via ...) + NOT-FOR-US: sey - Deprecated Simple JavaScript build tool CVE-2021-23662 RESERVED CVE-2021-23661 @@ -49154,7 +56872,7 @@ CVE-2021-23656 CVE-2021-23655 RESERVED CVE-2021-23654 (This affects all versions of package html-to-csv. When there is a form ...) - TODO: check + NOT-FOR-US: html-to-csv CVE-2021-23653 RESERVED CVE-2021-23652 @@ -49183,8 +56901,8 @@ CVE-2021-23641 RESERVED CVE-2021-23640 RESERVED -CVE-2021-23639 - RESERVED +CVE-2021-23639 (The package md-to-pdf before 5.0.0 are vulnerable to Remote Code Execu ...) + NOT-FOR-US: Node md-to-pdf CVE-2021-23638 RESERVED CVE-2021-23637 @@ -49199,8 +56917,8 @@ CVE-2021-23633 RESERVED CVE-2021-23632 RESERVED -CVE-2021-23631 - RESERVED +CVE-2021-23631 (This affects all versions of package convert-svg-core; all versions of ...) + NOT-FOR-US: Node convert-svg CVE-2021-23630 RESERVED CVE-2021-23629 @@ -49267,14 +56985,14 @@ CVE-2021-23599 RESERVED CVE-2021-23598 RESERVED -CVE-2021-23597 - RESERVED +CVE-2021-23597 (This affects the package fastify-multipart before 5.3.1. By providing ...) + NOT-FOR-US: Node fastify CVE-2021-23596 RESERVED CVE-2021-23595 RESERVED -CVE-2021-23594 - RESERVED +CVE-2021-23594 (All versions of package realms-shim are vulnerable to Sandbox Bypass v ...) + NOT-FOR-US: realms-shim CVE-2021-23593 RESERVED CVE-2021-23592 @@ -49313,8 +57031,8 @@ CVE-2021-23576 RESERVED CVE-2021-23575 RESERVED -CVE-2021-23574 - RESERVED +CVE-2021-23574 (All versions of package js-data are vulnerable to Prototype Pollution ...) + NOT-FOR-US: Node js-data CVE-2021-23573 RESERVED CVE-2021-23572 @@ -49325,34 +57043,36 @@ CVE-2021-23570 RESERVED CVE-2021-23569 RESERVED -CVE-2021-23568 - RESERVED -CVE-2021-23567 - RESERVED -CVE-2021-23566 - RESERVED +CVE-2021-23568 (The package extend2 before 1.0.1 are vulnerable to Prototype Pollution ...) + NOT-FOR-US: extend2 (fork of node-extend which is not affected) +CVE-2021-23567 (The package colors after 1.4.0 are vulnerable to Denial of Service (Do ...) + - colors.js <not-affected> (Vulnerable code never in a released Debian version) + NOTE: https://github.com/Marak/colors.js/issues/285 + NOTE: Introduced with: https://github.com/Marak/colors.js/commit/074a0f8ed0c31c35d13d28632bd8a049ff136fb6 +CVE-2021-23566 (The package nanoid from 3.0.0 and before 3.1.31 are vulnerable to Info ...) + NOT-FOR-US: Node nanoid (NaN0-1D) CVE-2021-23565 RESERVED CVE-2021-23564 RESERVED CVE-2021-23563 RESERVED -CVE-2021-23562 - RESERVED -CVE-2021-23561 - RESERVED +CVE-2021-23562 (This affects the package plupload before 2.3.9. A file name containing ...) + NOT-FOR-US: Node plupload +CVE-2021-23561 (All versions of package comb are vulnerable to Prototype Pollution via ...) + NOT-FOR-US: Node comb CVE-2021-23560 RESERVED CVE-2021-23559 RESERVED -CVE-2021-23558 - RESERVED +CVE-2021-23558 (The package bmoor before 0.10.1 are vulnerable to Prototype Pollution ...) + NOT-FOR-US: Node bmoor CVE-2021-23557 RESERVED CVE-2021-23556 RESERVED -CVE-2021-23555 - RESERVED +CVE-2021-23555 (The package vm2 before 3.9.6 are vulnerable to Sandbox Bypass via dire ...) + NOT-FOR-US: Node vm2 CVE-2021-23554 RESERVED CVE-2021-23553 @@ -49375,8 +57095,8 @@ CVE-2021-23545 RESERVED CVE-2021-23544 RESERVED -CVE-2021-23543 - RESERVED +CVE-2021-23543 (All versions of package realms-shim are vulnerable to Sandbox Bypass v ...) + NOT-FOR-US: realms-shim CVE-2021-23542 RESERVED CVE-2021-23541 @@ -49419,22 +57139,38 @@ CVE-2021-23523 RESERVED CVE-2021-23522 RESERVED -CVE-2021-23521 - RESERVED -CVE-2021-23520 - RESERVED +CVE-2021-23521 (This affects the package juce-framework/JUCE before 6.1.5. This vulner ...) + - juce 6.1.5~ds0-1 + [bullseye] - juce <no-dsa> (Minor issue) + [buster] - juce <no-dsa> (Minor issue) + [stretch] - juce <no-dsa> (Minor issue) + NOTE: https://github.com/juce-framework/JUCE/commit/2e874e80cba0152201aff6a4d0dc407997d10a7f + NOTE: https://security.snyk.io/vuln/SNYK-UNMANAGED-JUCEFRAMEWORKJUCE-2388608 +CVE-2021-23520 (The package juce-framework/juce before 6.1.5 are vulnerable to Arbitra ...) + - juce 6.1.5~ds0-1 + [bullseye] - juce <no-dsa> (Minor issue) + [buster] - juce <no-dsa> (Minor issue) + [stretch] - juce <no-dsa> (Minor issue) + NOTE: https://github.com/juce-framework/JUCE/commit/2e874e80cba0152201aff6a4d0dc407997d10a7f + NOTE: https://snyk.io/vuln/SNYK-UNMANAGED-JUCEFRAMEWORKJUCE-2388607 + NOTE: https://snyk.io/research/zip-slip-vulnerability CVE-2021-23519 RESERVED -CVE-2021-23518 - RESERVED +CVE-2021-23518 (The package cached-path-relative before 1.1.0 are vulnerable to Protot ...) + - node-cached-path-relative 1.1.0+~1.0.0-1 (bug #1004338) + [bullseye] - node-cached-path-relative <no-dsa> (Minor issue) + [buster] - node-cached-path-relative <no-dsa> (Minor issue) + NOTE: https://github.com/ashaffer/cached-path-relative/commit/40c73bf70c58add5aec7d11e4f36b93d144bb760 + NOTE: results from incomplete fix for https://security.snyk.io/vuln/SNYK-JS-CACHEDPATHRELATIVE-72573 + NOTE: which was CVE-2018-16472. CVE-2021-23517 RESERVED CVE-2021-23516 RESERVED CVE-2021-23515 RESERVED -CVE-2021-23514 - RESERVED +CVE-2021-23514 (This affects the package Crow before 0.3+4. It is possible to traverse ...) + NOT-FOR-US: CrowCpp CVE-2021-23513 RESERVED CVE-2021-23512 @@ -49447,8 +57183,8 @@ CVE-2021-23509 (This affects the package json-ptr before 3.0.0. A type confusion NOT-FOR-US: Node json-ptr CVE-2021-23508 RESERVED -CVE-2021-23507 - RESERVED +CVE-2021-23507 (The package object-path-set before 1.0.2 are vulnerable to Prototype P ...) + NOT-FOR-US: Node object-path-set CVE-2021-23506 RESERVED CVE-2021-23505 @@ -49467,8 +57203,8 @@ CVE-2021-23499 RESERVED CVE-2021-23498 RESERVED -CVE-2021-23497 - RESERVED +CVE-2021-23497 (This affects the package @strikeentco/set before 1.0.2. It allows an a ...) + NOT-FOR-US: Node strikeentco/set CVE-2021-23496 RESERVED CVE-2021-23495 @@ -49481,8 +57217,8 @@ CVE-2021-23492 RESERVED CVE-2021-23491 RESERVED -CVE-2021-23490 - RESERVED +CVE-2021-23490 (The package parse-link-header before 2.0.0 are vulnerable to Regular E ...) + NOT-FOR-US: parse-link-header CVE-2021-23489 RESERVED CVE-2021-23488 @@ -49493,8 +57229,8 @@ CVE-2021-23486 RESERVED CVE-2021-23485 RESERVED -CVE-2021-23484 - RESERVED +CVE-2021-23484 (The package zip-local before 0.3.5 are vulnerable to Arbitrary File Wr ...) + NOT-FOR-US: zip-local CVE-2021-23483 RESERVED CVE-2021-23482 @@ -49522,8 +57258,8 @@ CVE-2021-23472 (This affects versions before 1.19.1 of package bootstrap-table. NOTE: URL in CVE has moved. https://github.com/wenzhixin/bootstrap-table/pull/5941 CVE-2021-23471 RESERVED -CVE-2021-23470 - RESERVED +CVE-2021-23470 (This affects the package putil-merge before 3.8.0. The merge() functio ...) + NOT-FOR-US: Node putil-merge CVE-2021-23469 RESERVED CVE-2021-23468 @@ -49536,14 +57272,18 @@ CVE-2021-23465 RESERVED CVE-2021-23464 RESERVED -CVE-2021-23463 - RESERVED +CVE-2021-23463 (The package com.h2database:h2 from 1.4.198 and before 2.0.202 are vuln ...) + - h2database <not-affected> (vulnerable method is not supported; vulnerable code introduced in 1.4.198) + NOTE: https://github.com/h2database/h2database/issues/3195 + NOTE: https://github.com/h2database/h2database/pull/3199 + NOTE: Introduced in: https://github.com/h2database/h2database/commit/1cfd2ffad975b31de3f20711bab19a121bfad20c (version-1.4.198) + NOTE: Fixed by: https://github.com/h2database/h2database/commit/d83285fd2e48fb075780ee95badee6f5a15ea7f8 (version-2.0.202) CVE-2021-23462 RESERVED CVE-2021-23461 RESERVED -CVE-2021-23460 - RESERVED +CVE-2021-23460 (The package min-dash before 3.8.1 are vulnerable to Prototype Pollutio ...) + NOT-FOR-US: bpmn.io min-dash CVE-2021-23459 RESERVED CVE-2021-23458 @@ -49562,8 +57302,10 @@ CVE-2021-23452 (This affects all versions of package x-assign. The global proto NOT-FOR-US: x-assign JS CVE-2021-23451 RESERVED -CVE-2021-23450 - RESERVED +CVE-2021-23450 (All versions of package dojo are vulnerable to Prototype Pollution via ...) + - dojo <unfixed> + NOTE: https://github.com/advisories/GHSA-m8gw-hjpr-rjv7 + NOTE: Fixed by: https://github.com/dojo/dojo/commit/b7b8b279f3e082e9d4b54144fe831bdc77b2e0c9 CVE-2021-23449 (This affects the package vm2 before 3.9.4 via a Prototype Pollution at ...) NOT-FOR-US: vm2 JS NOTE: https://github.com/patriksimek/vm2 @@ -49575,6 +57317,8 @@ CVE-2021-23446 (The package handsontable before 10.0.0; the package handsontable NOT-FOR-US: Node handsontable CVE-2021-23445 (This affects the package datatables.net before 1.11.3. If an array is ...) - datatables.js 1.10.21+dfsg-3 (bug #995229) + [bullseye] - datatables.js 1.10.21+dfsg-2+deb11u1 + [buster] - datatables.js <no-dsa> (Minor issue) [stretch] - datatables.js <no-dsa> (Minor issue) NOTE: https://github.com/DataTables/Dist-DataTables/commit/59a8d3f8a3c1138ab08704e783bc52bfe88d7c9b (v1.11.3) CVE-2021-23444 (This affects the package jointjs before 3.4.2. A type confusion vulner ...) @@ -50026,20 +57770,20 @@ CVE-2021-23266 RESERVED CVE-2021-23265 RESERVED -CVE-2021-23264 - RESERVED -CVE-2021-23263 - RESERVED -CVE-2021-23262 - RESERVED -CVE-2021-23261 - RESERVED -CVE-2021-23260 - RESERVED -CVE-2021-23259 - RESERVED -CVE-2021-23258 - RESERVED +CVE-2021-23264 (Installations, where crafter-search is not protected, allow unauthenti ...) + NOT-FOR-US: Crafter CMS +CVE-2021-23263 (Unauthenticated remote attackers can read textual content via FreeMark ...) + NOT-FOR-US: Crafter CMS +CVE-2021-23262 (Authenticated administrators may modify the main YAML configuration fi ...) + NOT-FOR-US: Crafter CMS +CVE-2021-23261 (Authenticated administrators may override the system configuration fil ...) + NOT-FOR-US: Crafter CMS +CVE-2021-23260 (Authenticated users with Site roles may inject XSS scripts via file na ...) + NOT-FOR-US: Crafter CMS +CVE-2021-23259 (Authenticated users with Administrator or Developer roles may execute ...) + NOT-FOR-US: Crafter CMS +CVE-2021-23258 (Authenticated users with Administrator or Developer roles may execute ...) + NOT-FOR-US: Crafter CMS CVE-2021-23257 RESERVED CVE-2021-23256 @@ -50066,8 +57810,8 @@ CVE-2021-23246 RESERVED CVE-2021-23245 RESERVED -CVE-2021-23244 - RESERVED +CVE-2021-23244 (ColorOS pregrant dangerous permissions to apps which are listed in a w ...) + NOT-FOR-US: OPPO Android Phone CVE-2021-23243 (In Oppo's battery application, the third-party SDK provides the functi ...) NOT-FOR-US: OPPO Android Phone CVE-2021-3112 @@ -50125,7 +57869,7 @@ CVE-2021-3097 CVE-2021-3096 RESERVED CVE-2021-3095 - RESERVED + REJECTED CVE-2021-3094 RESERVED CVE-2021-3093 @@ -50135,7 +57879,7 @@ CVE-2021-3092 CVE-2021-3091 RESERVED CVE-2021-3090 - RESERVED + REJECTED CVE-2021-3089 RESERVED CVE-2021-3088 @@ -50632,12 +58376,12 @@ CVE-2021-22958 (A Server-Side Request Forgery vulnerability was found in concret NOT-FOR-US: Concrete CMS CVE-2021-22957 (A Cross-Origin Resource Sharing (CORS) vulnerability found in UniFi Pr ...) NOT-FOR-US: UniFi Protect -CVE-2021-22956 - RESERVED -CVE-2021-22955 - RESERVED -CVE-2021-22954 - RESERVED +CVE-2021-22956 (An uncontrolled resource consumption vulnerability exists in Citrix AD ...) + NOT-FOR-US: Citrix +CVE-2021-22955 (A unauthenticated denial of service vulnerability exists in Citrix ADC ...) + NOT-FOR-US: Citrix +CVE-2021-22954 (A cross-site request forgery vulnerability exists in Concrete CMS < ...) + NOT-FOR-US: Concrete CMS CVE-2021-22953 (A CSRF in Concrete CMS version 8.5.5 and below allows an attacker to c ...) NOT-FOR-US: Concrete CMS CVE-2021-22952 (A vulnerability found in UniFi Talk application V1.12.3 and earlier pe ...) @@ -50678,6 +58422,7 @@ CVE-2021-22943 (A vulnerability found in UniFi Protect application V1.18.1 and e CVE-2021-22942 (A possible open redirect vulnerability in the Host Authorization middl ...) [experimental] - rails 2:6.1.4.1+dfsg-1 - rails <unfixed> (bug #992586) + [bullseye] - rails <no-dsa> (Minor issue) [buster] - rails <not-affected> (Vulnerable code not present) [stretch] - rails <not-affected> (Vulnerable code not present) NOTE: https://www.openwall.com/lists/oss-security/2021/08/20/1 @@ -51012,70 +58757,70 @@ CVE-2021-22829 RESERVED CVE-2021-22828 RESERVED -CVE-2021-22827 - RESERVED -CVE-2021-22826 - RESERVED -CVE-2021-22825 - RESERVED -CVE-2021-22824 - RESERVED -CVE-2021-22823 - RESERVED -CVE-2021-22822 - RESERVED -CVE-2021-22821 - RESERVED -CVE-2021-22820 - RESERVED -CVE-2021-22819 - RESERVED -CVE-2021-22818 - RESERVED -CVE-2021-22817 - RESERVED -CVE-2021-22816 - RESERVED -CVE-2021-22815 - RESERVED -CVE-2021-22814 - RESERVED -CVE-2021-22813 - RESERVED -CVE-2021-22812 - RESERVED -CVE-2021-22811 - RESERVED -CVE-2021-22810 - RESERVED -CVE-2021-22809 - RESERVED -CVE-2021-22808 - RESERVED -CVE-2021-22807 - RESERVED -CVE-2021-22806 - RESERVED -CVE-2021-22805 - RESERVED -CVE-2021-22804 - RESERVED -CVE-2021-22803 - RESERVED -CVE-2021-22802 - RESERVED -CVE-2021-22801 - RESERVED -CVE-2021-22800 - RESERVED -CVE-2021-22799 - RESERVED -CVE-2021-22798 - RESERVED +CVE-2021-22827 (A CWE-20: Improper Input Validation vulnerability exists that could ca ...) + NOT-FOR-US: Schneider Electric +CVE-2021-22826 (A CWE-20: Improper Input Validation vulnerability exists that could ca ...) + NOT-FOR-US: Schneider Electric +CVE-2021-22825 (A CWE-200: Exposure of Sensitive Information to an Unauthorized Actor ...) + NOT-FOR-US: Schneider Electric +CVE-2021-22824 (A CWE-120: Buffer Copy without Checking Size of Input vulnerability ex ...) + NOT-FOR-US: Schneider Electric +CVE-2021-22823 (A CWE-306: Missing Authentication for Critical Function vulnerability ...) + NOT-FOR-US: Schneider Electric +CVE-2021-22822 (A CWE-79 Improper Neutralization of Input During Web Page Generation ( ...) + NOT-FOR-US: Schneider Electric +CVE-2021-22821 (A CWE-918 Server-Side Request Forgery (SSRF) vulnerability exists that ...) + NOT-FOR-US: Schneider Electric +CVE-2021-22820 (A CWE-614 Insufficient Session Expiration vulnerability exists that co ...) + NOT-FOR-US: Schneider Electric +CVE-2021-22819 (A CWE-1021 Improper Restriction of Rendered UI Layers or Frames vulner ...) + NOT-FOR-US: Schneider Electric +CVE-2021-22818 (A CWE-307 Improper Restriction of Excessive Authentication Attempts vu ...) + NOT-FOR-US: Schneider Electric +CVE-2021-22817 (A CWE-276: Incorrect Default Permissions vulnerability exists that cou ...) + NOT-FOR-US: Schneider Electric +CVE-2021-22816 (A CWE-754: Improper Check for Unusual or Exceptional Conditions vulner ...) + NOT-FOR-US: Schneider Electric +CVE-2021-22815 (A CWE-200: Information Exposure vulnerability exists which could cause ...) + NOT-FOR-US: Schneider Electric +CVE-2021-22814 (A CWE-79: Improper Neutralization of Input During Web Page Generation ...) + NOT-FOR-US: Schneider Electric +CVE-2021-22813 (A CWE-79: Improper Neutralization of Input During Web Page Generation ...) + NOT-FOR-US: Schneider Electric +CVE-2021-22812 (A CWE-79: Improper Neutralization of Input During Web Page Generation ...) + NOT-FOR-US: Schneider Electric +CVE-2021-22811 (A CWE-79: Improper Neutralization of Input During Web Page Generation ...) + NOT-FOR-US: Schneider Electric +CVE-2021-22810 (A CWE-79: Improper Neutralization of Input During Web Page Generation ...) + NOT-FOR-US: Schneider Electric +CVE-2021-22809 (A CWE-125:Out-of-Bounds Read vulnerability exists that could cause uni ...) + NOT-FOR-US: Schneider Electric +CVE-2021-22808 (A CWE-416: Use After Free vulnerability exists that could cause arbitr ...) + NOT-FOR-US: Schneider Electric +CVE-2021-22807 (A CWE-787: Out-of-bounds Write vulnerability exists that could cause a ...) + NOT-FOR-US: Schneider Electric +CVE-2021-22806 (A CWE-669: Incorrect Resource Transfer Between Spheres vulnerability e ...) + NOT-FOR-US: Schneider Electric +CVE-2021-22805 (A CWE-306: Missing Authentication for Critical Function vulnerability ...) + NOT-FOR-US: Schneider Electric +CVE-2021-22804 (A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ...) + NOT-FOR-US: Schneider Electric +CVE-2021-22803 (A CWE-434: Unrestricted Upload of File with Dangerous Type vulnerabili ...) + NOT-FOR-US: Schneider Electric +CVE-2021-22802 (A CWE-120: Buffer Copy without Checking Size of Input vulnerability ex ...) + NOT-FOR-US: Schneider Electric +CVE-2021-22801 (A CWE-269: Improper Privilege Management vulnerability exists that cou ...) + NOT-FOR-US: Schneider Electric +CVE-2021-22800 (A CWE-20: Improper Input Validation vulnerability exists that could ca ...) + NOT-FOR-US: Schneider Electric +CVE-2021-22799 (A CWE-331: Insufficient Entropy vulnerability exists that could cause ...) + NOT-FOR-US: Schneider Electric +CVE-2021-22798 (A CWE-522: Insufficiently Protected Credentials vulnerability exists t ...) + NOT-FOR-US: Schneider Electric CVE-2021-22797 RESERVED -CVE-2021-22796 - RESERVED +CVE-2021-22796 (A CWE-287: Improper Authentication vulnerability exists that could all ...) + NOT-FOR-US: Schneider Electric CVE-2021-22795 RESERVED CVE-2021-22794 @@ -51090,14 +58835,14 @@ CVE-2021-22790 (A CWE-125: Out-of-bounds Read vulnerability that could cause a D NOT-FOR-US: Schneider Electric CVE-2021-22789 (A CWE-119: Improper Restriction of Operations within the Bounds of a M ...) NOT-FOR-US: Schneider Electric -CVE-2021-22788 - RESERVED -CVE-2021-22787 - RESERVED +CVE-2021-22788 (A CWE-787: Out-of-bounds Write vulnerability exists that could cause d ...) + NOT-FOR-US: Schneider Electric +CVE-2021-22787 (A CWE-20: Improper Input Validation vulnerability exists that could ca ...) + NOT-FOR-US: Schneider Electric CVE-2021-22786 RESERVED -CVE-2021-22785 - RESERVED +CVE-2021-22785 (A CWE-200: Information Exposure vulnerability exists that could cause ...) + NOT-FOR-US: Schneider Electric CVE-2021-22784 (A CWE-306: Missing Authentication for Critical Function vulnerability ...) NOT-FOR-US: Schneider Electric CVE-2021-22783 @@ -51170,8 +58915,8 @@ CVE-2021-22750 (A CWE-787: Out-of-bounds write vulnerability exists inIGSS Defin NOT-FOR-US: Schneider CVE-2021-22749 (A CWE-200: Exposure of Sensitive Information to an Unauthorized Actor ...) NOT-FOR-US: Schneider -CVE-2021-22748 - RESERVED +CVE-2021-22748 (A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ...) + NOT-FOR-US: Schneider CVE-2021-22747 (Improper Check for Unusual or Exceptional Conditions vulnerability exi ...) NOT-FOR-US: Tricon CVE-2021-22746 (Improper Check for Unusual or Exceptional Conditions vulnerability exi ...) @@ -51216,10 +58961,10 @@ CVE-2021-22727 (A CWE-331: Insufficient Entropy vulnerability exists in EVlink C NOT-FOR-US: Schneider Electric CVE-2021-22726 (A CWE-918: Server-Side Request Forgery (SSRF) vulnerability exists in ...) NOT-FOR-US: Schneider Electric -CVE-2021-22725 - RESERVED -CVE-2021-22724 - RESERVED +CVE-2021-22725 (A CVE-352 Cross-Site Request Forgery (CSRF) vulnerability exists that ...) + NOT-FOR-US: Schneider Electric +CVE-2021-22724 (A CVE-352 Cross-Site Request Forgery (CSRF) vulnerability exists that ...) + NOT-FOR-US: Schneider Electric CVE-2021-22723 (A CWE-79: Improper Neutralization of Input During Web Page Generation ...) NOT-FOR-US: Schneider Electric CVE-2021-22722 (A CWE-79: Improper Neutralization of Input During Web Page Generation ...) @@ -51375,8 +59120,8 @@ CVE-2021-22659 (Rockwell Automation MicroLogix 1400 Version 21.6 and below may a NOT-FOR-US: Rockwell Automation CVE-2021-22658 (Advantech iView versions prior to v5.7.03.6112 are vulnerable to a SQL ...) NOT-FOR-US: Advantech iView -CVE-2021-22657 - RESERVED +CVE-2021-22657 (mySCADA myPRO: Versions 8.20.0 and prior has a feature where the API p ...) + NOT-FOR-US: mySCADA myPRO CVE-2021-22656 (Advantech iView versions prior to v5.7.03.6112 are vulnerable to direc ...) NOT-FOR-US: Advantech iView CVE-2021-22655 (Multiple out-of-bounds read issues have been identified in the way the ...) @@ -51489,8 +59234,11 @@ CVE-2021-22602 RESERVED CVE-2021-22601 RESERVED -CVE-2021-22600 - RESERVED +CVE-2021-22600 (A double free bug in packet_set_ring() in net/packet/af_packet.c can b ...) + - linux 5.15.15-1 + [bullseye] - linux 5.10.92-1 + [stretch] - linux <not-affected> (Vulnerable code not present) + NOTE: https://git.kernel.org/linus/ec6af094ea28f0f2dda1a6a33b14cd57e36a9755 (5.16-rc6) CVE-2021-22599 RESERVED CVE-2021-22598 @@ -51509,8 +59257,6 @@ CVE-2021-22592 RESERVED CVE-2021-22591 RESERVED -CVE-2021-22590 - RESERVED CVE-2021-22589 RESERVED CVE-2021-22588 @@ -51549,22 +59295,43 @@ CVE-2021-22572 RESERVED CVE-2021-22571 RESERVED -CVE-2021-22570 - RESERVED -CVE-2021-22569 - RESERVED -CVE-2021-22568 - RESERVED -CVE-2021-22567 - RESERVED -CVE-2021-22566 - RESERVED -CVE-2021-22565 - RESERVED +CVE-2021-22570 (Nullptr dereference when a null char is present in a proto symbol. The ...) + [experimental] - protobuf 3.17.1-1 + - protobuf <unfixed> + [bullseye] - protobuf <no-dsa> (Minor issue) + [buster] - protobuf <no-dsa> (Minor issue) + [stretch] - protobuf <postponed> (Minor issue; clean crash / Dos; patch needs to be isolated) + NOTE: Fixed upstream in v3.15.0: https://github.com/protocolbuffers/protobuf/releases/tag/v3.15.0 +CVE-2021-22569 (An issue in protobuf-java allowed the interleaving of com.google.proto ...) + [experimental] - protobuf 3.19.3-1 + - protobuf <unfixed> + [bullseye] - protobuf <no-dsa> (Minor issue) + [buster] - protobuf <no-dsa> (Minor issue) + [stretch] - protobuf <no-dsa> (Minor issue) + NOTE: https://www.openwall.com/lists/oss-security/2022/01/12/4 + NOTE: https://cloud.google.com/support/bulletins#gcp-2022-001 + NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39330 (unclear, might be bogus) + NOTE: https://github.com/protocolbuffers/protobuf/pull/9371/commits/5ea2bdf6d7483d64a6b02fcf00ee51fbfb80e847 +CVE-2021-22568 (When using the dart pub publish command to publish a package to a thir ...) + NOT-FOR-US: Dart language +CVE-2021-22567 (Bidirectional Unicode text can be interpreted and compiled differently ...) + NOT-FOR-US: Dart language (different from src:dart) + NOTE: https://github.com/dart-lang/sdk/commit/52519ea8eb4780c468c4c2ed00e7c8046ccfed41 +CVE-2021-22566 (An incorrect setting of UXN bits within mmu_flags_to_s1_pte_attr lead ...) + NOT-FOR-US: Google fuchsia +CVE-2021-22565 (An attacker could prematurely expire a verification code, making it un ...) + NOT-FOR-US: Google reference COVID19 exposure verification component + NOTE: https://github.com/google/exposure-notifications-verification-server CVE-2021-22564 (For certain valid JPEG XL images with a size slightly larger than an i ...) - NOT-FOR-US: libjxl + - jpeg-xl <not-affected> (Fixed with initial upload to Debian) + NOTE: https://github.com/libjxl/libjxl/issues/708 + NOTE: https://github.com/libjxl/libjxl/pull/775 + NOTE: https://github.com/libjxl/libjxl/commit/9d4a2de2f7a853f072c2a1bd6719e815a09075e9 (v0.6.1) CVE-2021-22563 (Invalid JPEG XL images using libjxl can cause an out of bounds access ...) - NOT-FOR-US: libjxl + - jpeg-xl <not-affected> (Fixed with initial upload to Debian) + NOTE: https://github.com/libjxl/libjxl/issues/735 + NOTE: https://github.com/libjxl/libjxl/pull/757 + NOTE: https://github.com/libjxl/libjxl/commit/b0b39694d8ba6eb031eae217fcae488ce7403ae7 (v0.6.1) CVE-2021-22562 RESERVED CVE-2021-22561 @@ -51608,7 +59375,7 @@ CVE-2021-22545 (An attacker can craft a specific IdaPro *.i64 file that will cau CVE-2021-22544 RESERVED CVE-2021-22543 (An issue was discovered in Linux: KVM through Improper handling of VM_ ...) - {DLA-2785-1} + {DLA-2843-1 DLA-2785-1} - linux 5.10.46-2 [buster] - linux 4.19.208-1 NOTE: https://www.openwall.com/lists/oss-security/2021/05/26/3 @@ -52122,16 +59889,16 @@ CVE-2021-22290 RESERVED CVE-2021-22289 RESERVED -CVE-2021-22288 - RESERVED +CVE-2021-22288 (Improper Input Validation vulnerability in the ABB SPIET800 and PNI800 ...) + NOT-FOR-US: ABB CVE-2021-22287 RESERVED -CVE-2021-22286 - RESERVED -CVE-2021-22285 - RESERVED -CVE-2021-22284 - RESERVED +CVE-2021-22286 (Improper Input Validation vulnerability in the ABB SPIET800 and PNI800 ...) + NOT-FOR-US: ABB +CVE-2021-22285 (Improper Handling of Exceptional Conditions, Improper Check for Unusua ...) + NOT-FOR-US: ABB +CVE-2021-22284 (Incorrect Permission Assignment for Critical Resource vulnerability in ...) + NOT-FOR-US: ABB CVE-2021-22283 RESERVED CVE-2021-22282 @@ -52140,8 +59907,8 @@ CVE-2021-22281 RESERVED CVE-2021-22280 RESERVED -CVE-2021-22279 - RESERVED +CVE-2021-22279 (A Missing Authentication vulnerability in RobotWare for the OmniCore r ...) + NOT-FOR-US: ABB / OmniCore robot controller CVE-2021-22278 (A certificate validation vulnerability in PCM600 Update Manager allows ...) NOT-FOR-US: PCM600 Update Manager CVE-2021-22277 @@ -52232,11 +59999,10 @@ CVE-2021-22236 (Due to improper handling of OAuth client IDs, new subscriptions - gitlab <unfixed> NOTE: https://about.gitlab.com/releases/2021/08/03/security-release-gitlab-14-1-2-released/ CVE-2021-22235 (Crash in DNP dissector in Wireshark 3.4.0 to 3.4.6 and 3.2.0 to 3.2.14 ...) + {DSA-5019-1 DLA-2849-1} [experimental] - wireshark 3.4.7-1~exp1 - wireshark 3.4.7-1 - [bullseye] - wireshark <postponed> (Minor issue, can be fixed along in future update) - [buster] - wireshark <postponed> (Minor issue, can be fixed along in future update) - [stretch] - wireshark <postponed> (Minor issue) + [buster] - wireshark <no-dsa> (Minor issue) NOTE: https://www.wireshark.org/security/wnpa-sec-2021-06.html NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17462 NOTE: Regression fix: https://gitlab.com/wireshark/wireshark/-/merge_requests/3616 @@ -52265,9 +60031,9 @@ CVE-2021-22224 (A cross-site request forgery vulnerability in the GraphQL API in CVE-2021-22223 (Client-Side code injection through Feature Flag name in GitLab CE/EE s ...) - gitlab <unfixed> CVE-2021-22222 (Infinite loop in DVB-S2-BB dissector in Wireshark 3.4.0 to 3.4.5 allow ...) + {DSA-5019-1} [experimental] - wireshark 3.4.6-1~exp1 - wireshark 3.4.7-1 - [bullseye] - wireshark <postponed> (Minor issue, can be fixed along in future update) [buster] - wireshark <not-affected> (Vulnerability introduced in 3.4) [stretch] - wireshark <not-affected> (Vulnerability introduced in 3.4) NOTE: https://gitlab.com/wireshark/wireshark/-/merge_requests/3130 @@ -52305,11 +60071,10 @@ CVE-2021-22209 (An issue has been discovered in GitLab CE/EE affecting all versi CVE-2021-22208 (An issue has been discovered in GitLab affecting versions starting wit ...) - gitlab <unfixed> CVE-2021-22207 (Excessive memory consumption in MS-WSP dissector in Wireshark 3.4.0 to ...) + {DSA-5019-1 DLA-2849-1} [experimental] - wireshark 3.4.6-1~exp1 - wireshark 3.4.7-1 (bug #987853) - [bullseye] - wireshark <postponed> (Minor issue, can be fixed along in future update) - [buster] - wireshark <postponed> (Minor issue, can be fixed along in future update) - [stretch] - wireshark <postponed> (Minor issue, can be fixed along in future update) + [buster] - wireshark <no-dsa> (Minor issue) NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17331 NOTE: https://gitlab.com/wireshark/wireshark/-/commit/b7a0650e061b5418ab4a8f72c6e4b00317aff623 NOTE: https://www.wireshark.org/security/wnpa-sec-2021-04.html @@ -52349,7 +60114,7 @@ CVE-2021-22192 (An issue has been discovered in GitLab CE/EE affecting all versi - gitlab <unfixed> CVE-2021-22191 (Improper URL handling in Wireshark 3.4.0 to 3.4.3 and 3.2.0 to 3.2.11 ...) - wireshark 3.4.4-1 - [buster] - wireshark <postponed> (Minor issue, can be fixed along in future update) + [buster] - wireshark <no-dsa> (Minor issue) [stretch] - wireshark <postponed> (Minor issue, can be fixed along in future update) NOTE: https://www.wireshark.org/security/wnpa-sec-2021-03.html NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17232 @@ -52411,8 +60176,8 @@ CVE-2021-22172 (Improper authorization in GitLab 12.8+ allows a guest user in a CVE-2021-22171 (Insufficient validation of authentication parameters in GitLab Pages f ...) [experimental] - gitlab 13.6.6-1 - gitlab <unfixed> -CVE-2021-22170 - RESERVED +CVE-2021-22170 (Assuming a database breach, nonce reuse issues in GitLab 11.6+ allows ...) + - gitlab <unfixed> CVE-2021-22169 (An issue was identified in GitLab EE 13.4 or later which leaked intern ...) - gitlab <not-affected> (Specific to EE) NOTE: https://about.gitlab.com/releases/2021/02/01/security-release-gitlab-13-8-2-released/ @@ -52540,11 +60305,13 @@ CVE-2021-22117 (RabbitMQ installers on Windows prior to version 3.8.16 do not ha - rabbitmq-server <not-affected> (Windows-specific) CVE-2021-22116 (RabbitMQ all versions prior to 3.8.16 are prone to a denial of service ...) {DLA-2710-1} - - rabbitmq-server <unfixed> (bug #989056) + - rabbitmq-server 3.9.4-1 (bug #989056) [bullseye] - rabbitmq-server <no-dsa> (Minor issue) [buster] - rabbitmq-server <no-dsa> (Minor issue) NOTE: https://tanzu.vmware.com/security/cve-2021-22116 NOTE: https://github.com/rabbitmq/rabbitmq-server/pull/2953 + NOTE: Fixed by: https://github.com/rabbitmq/rabbitmq-server/commit/f37a31de55229e6c763215500e376fa16803390b (v3.9.0-beta.1) + NOTE: Fixed by: https://github.com/rabbitmq/rabbitmq-server/commit/626d5219115d087a2695c0eb243c7ddb7e154563 (v3.8.15-rc.2) CVE-2021-22115 (Cloud Controller API versions prior to 1.106.0 logs service broker cre ...) NOT-FOR-US: Cloud Controller API CVE-2021-22114 (Addresses partial fix in CVE-2018-1263. Spring-integration-zip, versio ...) @@ -52589,8 +60356,8 @@ CVE-2021-22096 (In Spring Framework versions 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and [buster] - libspring-java <no-dsa> (Minor issue) [stretch] - libspring-java <ignored> (Minor issue, no known patch) NOTE: https://github.com/spring-projects/spring-framework/issues/27647 (patch unidentifiable) -CVE-2021-22095 - RESERVED +CVE-2021-22095 (In Spring AMQP versions 2.2.0 - 2.2.19 and 2.3.0 - 2.3.11, the Spring ...) + NOT-FOR-US: Spring AMQP CVE-2021-22094 RESERVED CVE-2021-22093 @@ -52659,28 +60426,31 @@ CVE-2021-22062 RESERVED CVE-2021-22061 RESERVED -CVE-2021-22060 - RESERVED +CVE-2021-22060 (In Spring Framework versions 5.3.0 - 5.3.13, 5.2.0 - 5.2.18, and older ...) + - libspring-java <unfixed> + [stretch] - libspring-java <end-of-life> (EOL'd for stretch) + NOTE: follow-up to CVE-2021-22096 + NOTE: https://tanzu.vmware.com/security/cve-2021-22060 CVE-2021-22059 RESERVED CVE-2021-22058 RESERVED -CVE-2021-22057 - RESERVED -CVE-2021-22056 - RESERVED +CVE-2021-22057 (VMware Workspace ONE Access 21.08, 20.10.0.1, and 20.10 contain an aut ...) + NOT-FOR-US: VMware +CVE-2021-22056 (VMware Workspace ONE Access 21.08, 20.10.0.1, and 20.10 and Identity M ...) + NOT-FOR-US: VMware CVE-2021-22055 RESERVED -CVE-2021-22054 - RESERVED +CVE-2021-22054 (VMware Workspace ONE UEM console 20.0.8 prior to 20.0.8.37, 20.11.0 pr ...) + NOT-FOR-US: VMware CVE-2021-22053 (Applications using both `spring-cloud-netflix-hystrix-dashboard` and ` ...) NOT-FOR-US: spring-cloud-netflix-hystrix-dashboard and spring-boot-starter-thymeleaf CVE-2021-22052 RESERVED CVE-2021-22051 (Applications using Spring Cloud Gateway are vulnerable to specifically ...) NOT-FOR-US: Spring Cloud Gateway -CVE-2021-22050 - RESERVED +CVE-2021-22050 (ESXi contains a slow HTTP POST denial-of-service vulnerability in rhtt ...) + NOT-FOR-US: VMware CVE-2021-22049 (The vSphere Web Client (FLEX/Flash) contains an SSRF (Server Side Requ ...) NOT-FOR-US: VMware CVE-2021-22048 (The vCenter Server contains a privilege escalation vulnerability in th ...) @@ -52689,18 +60459,18 @@ CVE-2021-22047 (In Spring Data REST versions 3.4.0 - 3.4.13, 3.5.0 - 3.5.5, and NOT-FOR-US: Spring Data REST CVE-2021-22046 RESERVED -CVE-2021-22045 - RESERVED +CVE-2021-22045 (VMware ESXi (7.0, 6.7 before ESXi670-202111101-SG and 6.5 before ESXi6 ...) + NOT-FOR-US: VMware CVE-2021-22044 (In Spring Cloud OpenFeign 3.0.0 to 3.0.4, 2.2.0.RELEASE to 2.2.9.RELEA ...) NOT-FOR-US: Spring Cloud OpenFeign -CVE-2021-22043 - RESERVED -CVE-2021-22042 - RESERVED -CVE-2021-22041 - RESERVED -CVE-2021-22040 - RESERVED +CVE-2021-22043 (VMware ESXi contains a TOCTOU (Time-of-check Time-of-use) vulnerabilit ...) + NOT-FOR-US: VMware +CVE-2021-22042 (VMware ESXi contains an unauthorized access vulnerability due to VMX h ...) + NOT-FOR-US: VMware +CVE-2021-22041 (VMware ESXi, Workstation, and Fusion contain a double-fetch vulnerabil ...) + NOT-FOR-US: VMware +CVE-2021-22040 (VMware ESXi, Workstation, and Fusion contain a use-after-free vulnerab ...) + NOT-FOR-US: VMware CVE-2021-22039 RESERVED CVE-2021-22038 (On Windows, the uninstaller binary copies itself to a fixed temporary ...) @@ -52774,6 +60544,7 @@ CVE-2021-22005 (The vCenter Server contains an arbitrary file upload vulnerabili CVE-2021-22004 (An issue was discovered in SaltStack Salt before 3003.3. The salt mini ...) - salt 3002.7+dfsg1-1 (unimportant; bug #994016) NOTE: https://saltproject.io/security_announcements/salt-security-advisory-2021-sep-02/ + NOTE: Windows-specific CVE-2021-22003 (VMware Workspace ONE Access and Identity Manager, unintentionally prov ...) NOT-FOR-US: VMware CVE-2021-22002 (VMware Workspace ONE Access and Identity Manager, allow the /cfg web a ...) @@ -52858,50 +60629,50 @@ CVE-2021-3009 RESERVED CVE-2021-3008 RESERVED -CVE-2021-21971 - RESERVED -CVE-2021-21970 - RESERVED -CVE-2021-21969 - RESERVED -CVE-2021-21968 - RESERVED +CVE-2021-21971 (An out-of-bounds write vulnerability exists in the URL_decode function ...) + NOT-FOR-US: Sealevel Systems +CVE-2021-21970 (An out-of-bounds write vulnerability exists in the HandleSeaCloudMessa ...) + NOT-FOR-US: Sealevel Systems +CVE-2021-21969 (An out-of-bounds write vulnerability exists in the HandleSeaCloudMessa ...) + NOT-FOR-US: Sealevel Systems +CVE-2021-21968 (A file write vulnerability exists in the OTA update task functionality ...) + NOT-FOR-US: Sealevel Systems CVE-2021-21967 RESERVED -CVE-2021-21966 - RESERVED -CVE-2021-21965 - RESERVED -CVE-2021-21964 - RESERVED -CVE-2021-21963 - RESERVED -CVE-2021-21962 - RESERVED -CVE-2021-21961 - RESERVED -CVE-2021-21960 - RESERVED -CVE-2021-21959 - RESERVED -CVE-2021-21958 - RESERVED -CVE-2021-21957 - RESERVED +CVE-2021-21966 (An information disclosure vulnerability exists in the HTTP Server /pin ...) + NOT-FOR-US: Texas Instruments +CVE-2021-21965 (A denial of service vulnerability exists in the SeaMax remote configur ...) + NOT-FOR-US: Sealevel Systems +CVE-2021-21964 (A denial of service vulnerability exists in the Modbus configuration f ...) + NOT-FOR-US: Sealevel Systems +CVE-2021-21963 (An information disclosure vulnerability exists in the Web Server funct ...) + NOT-FOR-US: Sealevel Systems +CVE-2021-21962 (A heap-based buffer overflow vulnerability exists in the OTA Update u- ...) + NOT-FOR-US: Sealevel Systems +CVE-2021-21961 (A stack-based buffer overflow vulnerability exists in the NBNS functio ...) + NOT-FOR-US: Sealevel Systems +CVE-2021-21960 (A stack-based buffer overflow vulnerability exists in both the LLMNR f ...) + NOT-FOR-US: Sealevel Systems +CVE-2021-21959 (A misconfiguration exists in the MQTTS functionality of Sealevel Syste ...) + NOT-FOR-US: Sealevel Systems +CVE-2021-21958 (A heap-based buffer overflow vulnerability exists in the Hword HwordAp ...) + NOT-FOR-US: Hancom Office 2020 +CVE-2021-21957 (A privilege escalation vulnerability exists in the Remote Server funct ...) + NOT-FOR-US: Dream Report ODS Remote Connector CVE-2021-21956 RESERVED -CVE-2021-21955 - RESERVED -CVE-2021-21954 - RESERVED -CVE-2021-21953 - RESERVED -CVE-2021-21952 - RESERVED -CVE-2021-21951 - RESERVED -CVE-2021-21950 - RESERVED +CVE-2021-21955 (An authentication bypass vulnerability exists in the get_aes_key_info_ ...) + NOT-FOR-US: Anker Eufy Homebase +CVE-2021-21954 (A command execution vulnerability exists in the wifi_country_code_upda ...) + NOT-FOR-US: Anker Eufy Homebase +CVE-2021-21953 (An authentication bypass vulnerability exists in the process_msg() fun ...) + NOT-FOR-US: Anker Eufy Homebase 2 +CVE-2021-21952 (An authentication bypass vulnerability exists in the CMD_DEVICE_GET_RS ...) + NOT-FOR-US: Anker Eufy Homebase 2 +CVE-2021-21951 (An out-of-bounds write vulnerability exists in the CMD_DEVICE_GET_SERV ...) + NOT-FOR-US: Anker Eufy Homebase +CVE-2021-21950 (An out-of-bounds write vulnerability exists in the CMD_DEVICE_GET_SERV ...) + NOT-FOR-US: Anker Eufy Homebase CVE-2021-21949 RESERVED CVE-2021-21948 @@ -52926,92 +60697,95 @@ CVE-2021-21939 RESERVED CVE-2021-21938 RESERVED -CVE-2021-21937 - RESERVED -CVE-2021-21936 - RESERVED -CVE-2021-21935 - RESERVED -CVE-2021-21934 - RESERVED -CVE-2021-21933 - RESERVED -CVE-2021-21932 - RESERVED -CVE-2021-21931 - RESERVED -CVE-2021-21930 - RESERVED -CVE-2021-21929 - RESERVED -CVE-2021-21928 - RESERVED -CVE-2021-21927 - RESERVED -CVE-2021-21926 - RESERVED -CVE-2021-21925 - RESERVED -CVE-2021-21924 - RESERVED -CVE-2021-21923 - RESERVED -CVE-2021-21922 - RESERVED -CVE-2021-21921 - RESERVED -CVE-2021-21920 - RESERVED -CVE-2021-21919 - RESERVED -CVE-2021-21918 - RESERVED -CVE-2021-21917 - RESERVED -CVE-2021-21916 - RESERVED -CVE-2021-21915 - RESERVED +CVE-2021-21937 (A specially-crafted HTTP request can lead to SQL injection. An attacke ...) + NOT-FOR-US: Advantech +CVE-2021-21936 (A specially-crafted HTTP request can lead to SQL injection. An attacke ...) + NOT-FOR-US: Advantech +CVE-2021-21935 (A specially-crafted HTTP request can lead to SQL injection. An attacke ...) + NOT-FOR-US: Advantech +CVE-2021-21934 (A specially-crafted HTTP request can lead to SQL injection. An attacke ...) + NOT-FOR-US: Advantech +CVE-2021-21933 (A specially-crafted HTTP request can lead to SQL injection. An attacke ...) + NOT-FOR-US: Advantech +CVE-2021-21932 (A specially-crafted HTTP request can lead to SQL injection. An attacke ...) + NOT-FOR-US: Advantech +CVE-2021-21931 (A specially-crafted HTTP request can lead to SQL injection. An attacke ...) + NOT-FOR-US: Advantech +CVE-2021-21930 (A specially-crafted HTTP request can lead to SQL injection. An attacke ...) + NOT-FOR-US: Advantech +CVE-2021-21929 (A specially-crafted HTTP request can lead to SQL injection. An attacke ...) + NOT-FOR-US: Advantech +CVE-2021-21928 (A specially-crafted HTTP request can lead to SQL injection. An attacke ...) + NOT-FOR-US: Advantech +CVE-2021-21927 (A specially-crafted HTTP request can lead to SQL injection. An attacke ...) + NOT-FOR-US: Advantech +CVE-2021-21926 (A specially-crafted HTTP request can lead to SQL injection. An attacke ...) + NOT-FOR-US: Advantech +CVE-2021-21925 (A specially-crafted HTTP request can lead to SQL injection. An attacke ...) + NOT-FOR-US: Advantech +CVE-2021-21924 (A specially-crafted HTTP request can lead to SQL injection. An attacke ...) + NOT-FOR-US: Advantech +CVE-2021-21923 (A specially-crafted HTTP request can lead to SQL injection. An attacke ...) + NOT-FOR-US: Advantech +CVE-2021-21922 (A specially-crafted HTTP request can lead to SQL injection. An attacke ...) + NOT-FOR-US: Advantech +CVE-2021-21921 (A specially-crafted HTTP request can lead to SQL injection. An attacke ...) + NOT-FOR-US: Advantech +CVE-2021-21920 (A specially-crafted HTTP request can lead to SQL injection. An attacke ...) + NOT-FOR-US: Advantech +CVE-2021-21919 (A specially-crafted HTTP request can lead to SQL injection. An attacke ...) + NOT-FOR-US: Advantech +CVE-2021-21918 (A specially-crafted HTTP request can lead to SQL injection. An attacke ...) + NOT-FOR-US: Advantech +CVE-2021-21917 (An exploitable SQL injection vulnerability exist in the ‘group_l ...) + NOT-FOR-US: Advantech +CVE-2021-21916 (An exploitable SQL injection vulnerability exist in the ‘group_l ...) + NOT-FOR-US: Advantech +CVE-2021-21915 (An exploitable SQL injection vulnerability exist in the ‘group_l ...) + NOT-FOR-US: Advantech CVE-2021-21914 RESERVED CVE-2021-21913 (An information disclosure vulnerability exists in the WiFi Smart Mesh ...) NOT-FOR-US: D-LINK -CVE-2021-21912 - RESERVED -CVE-2021-21911 - RESERVED -CVE-2021-21910 - RESERVED -CVE-2021-21909 - RESERVED -CVE-2021-21908 - RESERVED -CVE-2021-21907 - RESERVED -CVE-2021-21906 - RESERVED -CVE-2021-21905 - RESERVED -CVE-2021-21904 - RESERVED -CVE-2021-21903 - RESERVED -CVE-2021-21902 - RESERVED -CVE-2021-21901 - RESERVED +CVE-2021-21912 (A privilege escalation vulnerability exists in the Windows version of ...) + NOT-FOR-US: Advantech R-SeeNet Advantech R-SeeNet +CVE-2021-21911 (A privilege escalation vulnerability exists in the Windows version of ...) + NOT-FOR-US: Advantech R-SeeNet Advantech R-SeeNet +CVE-2021-21910 (A privilege escalation vulnerability exists in the Windows version of ...) + NOT-FOR-US: Advantech R-SeeNet Advantech R-SeeNet +CVE-2021-21909 (Specially-crafted command line arguments can lead to arbitrary file de ...) + NOT-FOR-US: Garrett Metal Detectors iC Module CMA +CVE-2021-21908 (Specially-crafted command line arguments can lead to arbitrary file de ...) + NOT-FOR-US: Garrett Metal Detectors iC Module CMA +CVE-2021-21907 (A directory traversal vulnerability exists in the CMA CLI getenv comma ...) + NOT-FOR-US: Garrett Metal Detectors iC Module CMA +CVE-2021-21906 (Stack-based buffer overflow vulnerability exists in how the CMA readfi ...) + NOT-FOR-US: Garrett Metal Detectors iC Module CMA +CVE-2021-21905 (Stack-based buffer overflow vulnerability exists in how the CMA readfi ...) + NOT-FOR-US: Garrett Metal Detectors iC Module CMA +CVE-2021-21904 (A directory traversal vulnerability exists in the CMA CLI setenv comma ...) + NOT-FOR-US: Garrett Metal Detectors iC Module CMA +CVE-2021-21903 (A stack-based buffer overflow vulnerability exists in the CMA check_ud ...) + NOT-FOR-US: Garrett Metal Detectors iC Module CMA +CVE-2021-21902 (An authentication bypass vulnerability exists in the CMA run_server_68 ...) + NOT-FOR-US: Garrett Metal Detectors iC Module CMA +CVE-2021-21901 (A stack-based buffer overflow vulnerability exists in the CMA check_ud ...) + NOT-FOR-US: Garrett Metal Detectors iC Module CMA CVE-2021-21900 (A code execution vulnerability exists in the dxfRW::processLType() fun ...) - - librecad <unfixed> + {DSA-5077-1 DLA-2838-1} + - librecad 2.1.3-2 NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2021-1351 NOTE: librecad bundles libdxfrw NOTE: https://github.com/LibreCAD/libdxfrw/commit/fcd977cc7f8f6cc7f012e5b72d33cf7d77b3fa69 CVE-2021-21899 (A code execution vulnerability exists in the dwgCompressor::copyCompBy ...) - - librecad <unfixed> + {DSA-5077-1 DLA-2838-1} + - librecad 2.1.3-2 NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2021-1350 NOTE: librecad bundles libdxfrw NOTE: https://github.com/LibreCAD/libdxfrw/commit/6417118874333309aa10c4e59f954c3905a6e8b5 CVE-2021-21898 (A code execution vulnerability exists in the dwgCompressor::decompress ...) - - librecad <unfixed> + {DSA-5077-1 DLA-2838-1} + - librecad 2.1.3-2 NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2021-1349 NOTE: librecad bundles libdxfrw NOTE: https://github.com/LibreCAD/libdxfrw/commit/ba3fa95648bef948e008dfbdd31a4d21badd71f0 @@ -53023,56 +60797,56 @@ CVE-2021-21897 (A code execution vulnerability exists in the DL_Dxf::handleLWPol NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2021-1346 NOTE: https://github.com/qcad/qcad/commit/1eeffc5daf5a06cf6213ffc19e95923cdebb2eb8 TODO: check, horizon-eda, cloudcompare, kicad embedds it, but needs to check if actually used and issue affects those -CVE-2021-21896 - RESERVED -CVE-2021-21895 - RESERVED -CVE-2021-21894 - RESERVED +CVE-2021-21896 (A directory traversal vulnerability exists in the Web Manager FsBrowse ...) + NOT-FOR-US: Lantronix PremierWave +CVE-2021-21895 (A directory traversal vulnerability exists in the Web Manager FsTFtp f ...) + NOT-FOR-US: Lantronix PremierWave +CVE-2021-21894 (A directory traversal vulnerability exists in the Web Manager FsTFtp f ...) + NOT-FOR-US: Lantronix PremierWave CVE-2021-21893 (A use-after-free vulnerability exists in the JavaScript engine of Foxi ...) NOT-FOR-US: Foxit -CVE-2021-21892 - RESERVED -CVE-2021-21891 - RESERVED -CVE-2021-21890 - RESERVED -CVE-2021-21889 - RESERVED -CVE-2021-21888 - RESERVED -CVE-2021-21887 - RESERVED -CVE-2021-21886 - RESERVED -CVE-2021-21885 - RESERVED -CVE-2021-21884 - RESERVED -CVE-2021-21883 - RESERVED -CVE-2021-21882 - RESERVED -CVE-2021-21881 - RESERVED -CVE-2021-21880 - RESERVED -CVE-2021-21879 - RESERVED -CVE-2021-21878 - RESERVED -CVE-2021-21877 - RESERVED -CVE-2021-21876 - RESERVED -CVE-2021-21875 - RESERVED -CVE-2021-21874 - RESERVED -CVE-2021-21873 - RESERVED -CVE-2021-21872 - RESERVED +CVE-2021-21892 (A stack-based buffer overflow vulnerability exists in the Web Manager ...) + NOT-FOR-US: Lantronix PremierWave +CVE-2021-21891 (A stack-based buffer overflow vulnerability exists in the Web Manager ...) + NOT-FOR-US: Lantronix PremierWave +CVE-2021-21890 (A stack-based buffer overflow vulnerability exists in the Web Manager ...) + NOT-FOR-US: Lantronix PremierWave +CVE-2021-21889 (A stack-based buffer overflow vulnerability exists in the Web Manager ...) + NOT-FOR-US: Lantronix PremierWave +CVE-2021-21888 (An OS command injection vulnerability exists in the Web Manager SslGen ...) + NOT-FOR-US: Lantronix PremierWave +CVE-2021-21887 (A stack-based buffer overflow vulnerability exists in the Web Manager ...) + NOT-FOR-US: Lantronix PremierWave +CVE-2021-21886 (A directory traversal vulnerability exists in the Web Manager FSBrowse ...) + NOT-FOR-US: Lantronix PremierWave +CVE-2021-21885 (A directory traversal vulnerability exists in the Web Manager FsMove f ...) + NOT-FOR-US: Lantronix PremierWave +CVE-2021-21884 (An OS command injection vulnerability exists in the Web Manager SslGen ...) + NOT-FOR-US: Lantronix PremierWave +CVE-2021-21883 (An OS command injection vulnerability exists in the Web Manager Diagno ...) + NOT-FOR-US: Lantronix PremierWave +CVE-2021-21882 (An OS command injection vulnerability exists in the Web Manager FsUnmo ...) + NOT-FOR-US: Lantronix PremierWave +CVE-2021-21881 (An OS command injection vulnerability exists in the Web Manager Wirele ...) + NOT-FOR-US: Lantronix PremierWave +CVE-2021-21880 (A directory traversal vulnerability exists in the Web Manager FsCopyFi ...) + NOT-FOR-US: Lantronix PremierWave +CVE-2021-21879 (A directory traversal vulnerability exists in the Web Manager File Upl ...) + NOT-FOR-US: Lantronix PremierWave +CVE-2021-21878 (A local file inclusion vulnerability exists in the Web Manager Applica ...) + NOT-FOR-US: Lantronix PremierWave +CVE-2021-21877 (Specially-crafted HTTP requests can lead to arbitrary command executio ...) + NOT-FOR-US: Lantronix +CVE-2021-21876 (Specially-crafted HTTP requests can lead to arbitrary command executio ...) + NOT-FOR-US: Lantronix +CVE-2021-21875 (A specially-crafted HTTP request can lead to arbitrary command executi ...) + NOT-FOR-US: Lantronix +CVE-2021-21874 (A specially-crafted HTTP request can lead to arbitrary command executi ...) + NOT-FOR-US: Lantronix +CVE-2021-21873 (A specially-crafted HTTP request can lead to arbitrary command executi ...) + NOT-FOR-US: Lantronix +CVE-2021-21872 (An OS command injection vulnerability exists in the Web Manager Diagno ...) + NOT-FOR-US: Lantronix CVE-2021-21871 (A memory corruption vulnerability exists in the DMG File Format Handle ...) NOT-FOR-US: PowerISO CVE-2021-21870 (A use-after-free vulnerability exists in the JavaScript engine of Foxi ...) @@ -53508,10 +61282,10 @@ CVE-2021-21753 RESERVED CVE-2021-21752 RESERVED -CVE-2021-21751 - RESERVED -CVE-2021-21750 - RESERVED +CVE-2021-21751 (ZTE BigVideo analysis product has an input verification vulnerability. ...) + NOT-FOR-US: ZTE +CVE-2021-21750 (ZTE BigVideo Analysis product has a privilege escalation vulnerability ...) + NOT-FOR-US: ZTE CVE-2021-21749 (ZTE MF971R product has two stack-based buffer overflow vulnerabilities ...) NOT-FOR-US: ZTE CVE-2021-21748 (ZTE MF971R product has two stack-based buffer overflow vulnerabilities ...) @@ -53596,12 +61370,22 @@ CVE-2021-21709 RESERVED CVE-2021-21708 RESERVED + {DSA-5082-1} + - php8.1 <unfixed> + - php7.4 <removed> + - php7.3 <removed> + - php7.0 <removed> + NOTE: Fixed in 8.1.3, 7.4.28 + NOTE: PHP Bug: https://bugs.php.net/81708 CVE-2021-21707 (In PHP versions 7.3.x below 7.3.33, 7.4.x below 7.4.26 and 8.0.x below ...) + {DSA-5082-1} - php8.1 8.1.0-1 - - php8.0 <unfixed> - - php7.4 <removed> + - php8.0 <removed> + - php7.4 7.4.26-1 - php7.3 <removed> + [buster] - php7.3 <no-dsa> (Minor issue, fix along with next DSA) - php7.0 <removed> + [stretch] - php7.0 <no-dsa> (Minor issue, fix along with next DLA) NOTE: Fixed in 8.1.0, 8.0.13, 7.4.26, 7.3.33 NOTE: PHP Bug: https://bugs.php.net/79971 NOTE: https://github.com/php/php-src/commit/f15f8fc573eb38c3c73e23e0930063a6f6409ed4 @@ -53633,8 +61417,8 @@ CVE-2021-21704 (In PHP versions 7.3.x below 7.3.29, 7.4.x below 7.4.21 and 8.0.x NOTE: PHP Bug: https://bugs.php.net/76452 CVE-2021-21703 (In PHP versions 7.3.x up to and including 7.3.31, 7.4.x below 7.4.25 a ...) {DSA-4993-1 DSA-4992-1 DLA-2794-1} - - php8.0 <unfixed> - - php7.4 <unfixed> (bug #997003) + - php8.0 <removed> + - php7.4 7.4.26-1 (bug #997003) - php7.3 <removed> - php7.0 <removed> NOTE: Fixed in 8.0.12, 7.4.25 @@ -54294,8 +62078,10 @@ CVE-2021-21409 (Netty is an open-source, asynchronous event-driven network appli NOTE: Fixed by: https://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38dc0432 NOTE: https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32 NOTE: Is a followup to: https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj -CVE-2021-21408 - RESERVED +CVE-2021-21408 (Smarty is a template engine for PHP, facilitating the separation of pr ...) + - smarty3 <unfixed> + NOTE: https://github.com/smarty-php/smarty/security/advisories/GHSA-4h9c-v5vg-5m6m + NOTE: https://github.com/smarty-php/smarty/commit/28519ca00fe6890ef2d464f8400a16188c4b6f36 (3.1.43) CVE-2021-21407 (Combodo iTop is an open source, web based IT Service Management tool. ...) NOT-FOR-US: Combodo iTop CVE-2021-21406 (Combodo iTop is an open source, web based IT Service Management tool. ...) @@ -54592,6 +62378,7 @@ CVE-2021-21306 (Marked is an open-source markdown parser and compiler (npm packa NOTE: https://github.com/markedjs/marked/commit/7293251c438e3ee968970f7609f1a27f9007bccd CVE-2021-21305 (CarrierWave is an open-source RubyGem which provides a simple and flex ...) - ruby-carrierwave <unfixed> (bug #982551) + [buster] - ruby-carrierwave <no-dsa> (Minor issue) [stretch] - ruby-carrierwave <ignored> (No reverse dependencies) NOTE: https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-cf3w-g86h-35x4 NOTE: https://github.com/carrierwaveuploader/carrierwave/commit/387116f5c72efa42bc3938d946b4c8d2f22181b7 @@ -54647,6 +62434,7 @@ CVE-2021-21289 (Mechanize is an open-source ruby library that makes automated we NOTE: Test warnings fixup: https://github.com/sparklemotion/mechanize/commit/5b30aed33cbac9825e8978f8e36dd221cbd4c093 (v2.7.7) CVE-2021-21288 (CarrierWave is an open-source RubyGem which provides a simple and flex ...) - ruby-carrierwave 1.3.2-1 (bug #982552) + [buster] - ruby-carrierwave <no-dsa> (Minor issue) [stretch] - ruby-carrierwave <ignored> (No reverse dependencies) NOTE: https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-fwcm-636p-68r5 NOTE: https://github.com/carrierwaveuploader/carrierwave/commit/012702eb3ba1663452aa025831caa304d1a665c0 @@ -55765,72 +63553,72 @@ CVE-2021-20879 RESERVED CVE-2021-20878 RESERVED -CVE-2021-20877 - RESERVED -CVE-2021-20876 - RESERVED -CVE-2021-20875 - RESERVED -CVE-2021-20874 - RESERVED -CVE-2021-20873 - RESERVED -CVE-2021-20872 - RESERVED -CVE-2021-20871 - RESERVED -CVE-2021-20870 - RESERVED -CVE-2021-20869 - RESERVED -CVE-2021-20868 - RESERVED -CVE-2021-20867 - RESERVED -CVE-2021-20866 - RESERVED -CVE-2021-20865 - RESERVED -CVE-2021-20864 - RESERVED -CVE-2021-20863 - RESERVED -CVE-2021-20862 - RESERVED -CVE-2021-20861 - RESERVED -CVE-2021-20860 - RESERVED -CVE-2021-20859 - RESERVED -CVE-2021-20858 - RESERVED -CVE-2021-20857 - RESERVED -CVE-2021-20856 - RESERVED -CVE-2021-20855 - RESERVED -CVE-2021-20854 - RESERVED -CVE-2021-20853 - RESERVED -CVE-2021-20852 - RESERVED -CVE-2021-20851 - RESERVED +CVE-2021-20877 (Cross-site scripting vulnerability in Canon laser printers and small o ...) + NOT-FOR-US: Canon printer firmware +CVE-2021-20876 (Path traversal vulnerability in GroupSession Free edition ver5.1.1 and ...) + NOT-FOR-US: GroupSession +CVE-2021-20875 (Open redirect vulnerability in GroupSession Free edition ver5.1.1 and ...) + NOT-FOR-US: GroupSession +CVE-2021-20874 (Incorrect permission assignment for critical resource vulnerability in ...) + NOT-FOR-US: GroupSession +CVE-2021-20873 (Yappli is an application development platform which provides the funct ...) + NOT-FOR-US: Yappli +CVE-2021-20872 (Protection mechanism failure vulnerability in KONICA MINOLTA bizhub se ...) + NOT-FOR-US: KONICA MINOLTA +CVE-2021-20871 (Exposure of sensitive information to an unauthorized actor vulnerabili ...) + NOT-FOR-US: KONICA MINOLTA +CVE-2021-20870 (Improper handling of exceptional conditions vulnerability in KONICA MI ...) + NOT-FOR-US: KONICA MINOLTA +CVE-2021-20869 (Exposure of sensitive information to an unauthorized actor vulnerabili ...) + NOT-FOR-US: KONICA MINOLTA +CVE-2021-20868 (Incorrect authorization vulnerability in KONICA MINOLTA bizhub series ...) + NOT-FOR-US: KONICA MINOLTA +CVE-2021-20867 (Advanced Custom Fields versions prior to 5.11 and Advanced Custom Fiel ...) + NOT-FOR-US: WordPress plugin +CVE-2021-20866 (Advanced Custom Fields versions prior to 5.11 and Advanced Custom Fiel ...) + NOT-FOR-US: WordPress plugin +CVE-2021-20865 (Advanced Custom Fields versions prior to 5.11 and Advanced Custom Fiel ...) + NOT-FOR-US: WordPress plugin +CVE-2021-20864 (Improper access control vulnerability in ELECOM routers (WRC-1167GST2 ...) + NOT-FOR-US: ELECOM +CVE-2021-20863 (OS command injection vulnerability in ELECOM routers (WRC-1167GST2 fir ...) + NOT-FOR-US: ELECOM +CVE-2021-20862 (Improper access control vulnerability in ELECOM routers (WRC-1167GST2 ...) + NOT-FOR-US: ELECOM +CVE-2021-20861 (Improper access control vulnerability in ELECOM LAN routers (WRC-1167G ...) + NOT-FOR-US: ELECOM +CVE-2021-20860 (Cross-site request forgery (CSRF) vulnerability in ELECOM LAN routers ...) + NOT-FOR-US: ELECOM +CVE-2021-20859 (ELECOM LAN routers (WRC-1167GST2 firmware v1.25 and prior, WRC-1167GST ...) + NOT-FOR-US: ELECOM +CVE-2021-20858 (Cross-site scripting vulnerability in ELECOM LAN router WRC-2533GHBK-I ...) + NOT-FOR-US: ELECOM +CVE-2021-20857 (Cross-site scripting vulnerability in ELECOM LAN router WRC-2533GHBK-I ...) + NOT-FOR-US: ELECOM +CVE-2021-20856 (Cross-site scripting vulnerability in ELECOM LAN routers (WRH-733GBK f ...) + NOT-FOR-US: ELECOM +CVE-2021-20855 (Cross-site scripting vulnerability in ELECOM LAN routers (WRH-733GBK f ...) + NOT-FOR-US: ELECOM +CVE-2021-20854 (ELECOM LAN routers (WRH-733GBK firmware v1.02.9 and prior and WRH-733G ...) + NOT-FOR-US: ELECOM +CVE-2021-20853 (ELECOM LAN routers (WRH-733GBK firmware v1.02.9 and prior and WRH-733G ...) + NOT-FOR-US: ELECOM +CVE-2021-20852 (Buffer overflow vulnerability in ELECOM LAN routers (WRH-733GBK firmwa ...) + NOT-FOR-US: ELECOM +CVE-2021-20851 (Cross-site request forgery (CSRF) vulnerability in Browser and Operati ...) + NOT-FOR-US: WordPress plugin CVE-2021-20850 (PowerCMS XMLRPC API of PowerCMS 5.19 and earlier, PowerCMS 4.49 and ea ...) NOT-FOR-US: PowerCMS CVE-2021-20849 RESERVED CVE-2021-20848 (Cross-site scripting vulnerability in rwtxt versions prior to v1.8.6 a ...) - TODO: check -CVE-2021-20847 - RESERVED + NOT-FOR-US: rwtxt +CVE-2021-20847 (Cross-site scripting vulnerability in Wi-Fi STATION SH-52A (38JP_1_11G ...) + NOT-FOR-US: Wi-Fi STATION SH-52A CVE-2021-20846 (Cross-site request forgery (CSRF) vulnerability in Push Notifications ...) NOT-FOR-US: WordPress plugin CVE-2021-20845 (Cross-site request forgery (CSRF) vulnerability in Unlimited Sitemap G ...) - TODO: check + NOT-FOR-US: Unlimited Sitemap Generator CVE-2021-20844 (Improper neutralization of HTTP request headers for scripting syntax v ...) NOT-FOR-US: RTX830 CVE-2021-20843 (Cross-site script inclusion vulnerability in the Web GUI of RTX830 Rev ...) @@ -55865,10 +63653,10 @@ CVE-2021-20829 (Cross-site scripting vulnerability due to the inadequate tag san NOT-FOR-US: GROWI CVE-2021-20828 (Cross-site scripting vulnerability in Order Status Batch Change Plug-i ...) NOT-FOR-US: EC-CUBE plugin -CVE-2021-20827 - RESERVED -CVE-2021-20826 - RESERVED +CVE-2021-20827 (Plaintext storage of a password vulnerability in IDEC PLCs (FC6A Serie ...) + NOT-FOR-US: IDEC +CVE-2021-20826 (Unprotected transport of credentials vulnerability in IDEC PLCs (FC6A ...) + NOT-FOR-US: IDEC CVE-2021-20825 (Cross-site scripting vulnerability in List (order management) item cha ...) NOT-FOR-US: EC-CUBE plugin CVE-2021-20824 @@ -56116,13 +63904,13 @@ CVE-2021-20705 (Improper input validation vulnerability in the WebManager CLUSTE NOT-FOR-US: Nec CVE-2021-20704 (Buffer overflow vulnerability in the compatible API with previous vers ...) NOT-FOR-US: Nec -CVE-2021-20703 (Buffer overflow vulnerability in the Transaction Server CLUSTERPRO X 1 ...) +CVE-2021-20703 (Buffer overflow vulnerability in the Transaction Server CLUSTERPRO X 4 ...) NOT-FOR-US: Nec -CVE-2021-20702 (Buffer overflow vulnerability in the Transaction Server CLUSTERPRO X 1 ...) +CVE-2021-20702 (Buffer overflow vulnerability in the Transaction Server CLUSTERPRO X 4 ...) NOT-FOR-US: Nec -CVE-2021-20701 (Buffer overflow vulnerability in the Disk Agent CLUSTERPRO X 1.0 for W ...) +CVE-2021-20701 (Buffer overflow vulnerability in the Disk Agent CLUSTERPRO X 4.3 for W ...) NOT-FOR-US: Nec -CVE-2021-20700 (Buffer overflow vulnerability in the Disk Agent CLUSTERPRO X 1.0 for W ...) +CVE-2021-20700 (Buffer overflow vulnerability in the Disk Agent CLUSTERPRO X 4.3 for W ...) NOT-FOR-US: Nec CVE-2021-20699 (Sharp NEC Displays ((UN462A R1.300 and prior to it, UN462VA R1.300 and ...) NOT-FOR-US: SHARP @@ -56296,22 +64084,22 @@ CVE-2021-20615 RESERVED CVE-2021-20614 RESERVED -CVE-2021-20613 - RESERVED -CVE-2021-20612 - RESERVED -CVE-2021-20611 - RESERVED -CVE-2021-20610 - RESERVED -CVE-2021-20609 - RESERVED -CVE-2021-20608 - RESERVED -CVE-2021-20607 - RESERVED -CVE-2021-20606 - RESERVED +CVE-2021-20613 (Improper initialization vulnerability in MELSEC-F series FX3U-ENET Fir ...) + NOT-FOR-US: Mitsubishi +CVE-2021-20612 (Lack of administrator control over security vulnerability in MELSEC-F ...) + NOT-FOR-US: Mitsubishi +CVE-2021-20611 (Improper Input Validation vulnerability in MELSEC iQ-R Series R00/01/0 ...) + NOT-FOR-US: Mitsubishi +CVE-2021-20610 (Improper Handling of Length Parameter Inconsistency vulnerability in M ...) + NOT-FOR-US: Mitsubishi +CVE-2021-20609 (Uncontrolled Resource Consumption vulnerability in MELSEC iQ-R Series ...) + NOT-FOR-US: Mitsubishi +CVE-2021-20608 (Improper Handling of Length Parameter Inconsistency vulnerability in M ...) + NOT-FOR-US: Mitsubishi +CVE-2021-20607 (Integer Underflow vulnerability in Mitsubishi Electric GX Works2 versi ...) + NOT-FOR-US: Mitsubishi +CVE-2021-20606 (Out-of-bounds Read vulnerability in Mitsubishi Electric GX Works2 vers ...) + NOT-FOR-US: Mitsubishi CVE-2021-20605 (Improper Input Validation vulnerability in GOT2000 series GT21 model G ...) NOT-FOR-US: Mitsubishi CVE-2021-20604 (Improper Input Validation vulnerability in GOT2000 series GT21 model G ...) @@ -56536,8 +64324,8 @@ CVE-2021-20495 RESERVED CVE-2021-20494 (IBM Security Identity Manager Adapters 6.0 and 7.0 are vulnerable to a ...) NOT-FOR-US: IBM -CVE-2021-20493 - RESERVED +CVE-2021-20493 (IBM Cognos Analytics 11.1.7 and 11.2.0 is vulnerable to cross-site scr ...) + NOT-FOR-US: IBM CVE-2021-20492 (IBM WebSphere Application Server 8.0, 8.5, 9.0, and Liberty Java Batch ...) NOT-FOR-US: IBM CVE-2021-20491 (IBM Spectrum Protect Server 7.1 and 8.1 is subject to a stack-based bu ...) @@ -56582,8 +64370,8 @@ CVE-2021-20472 RESERVED CVE-2021-20471 RESERVED -CVE-2021-20470 - RESERVED +CVE-2021-20470 (IBM Cognos Analytics 11.1.7 and 11.2.0 does not require that users sho ...) + NOT-FOR-US: IBM CVE-2021-20469 RESERVED CVE-2021-20468 @@ -56722,8 +64510,8 @@ CVE-2021-20402 (IBM Security Verify Information Queue 1.0.6 and 1.0.7 could allo NOT-FOR-US: IBM CVE-2021-20401 (IBM QRadar SIEM 7.3 and 7.4 contains hard-coded credentials, such as a ...) NOT-FOR-US: IBM -CVE-2021-20400 - RESERVED +CVE-2021-20400 (IBM QRadar SIEM 7.3 and 7.4 uses weaker than expected cryptographic al ...) + NOT-FOR-US: IBM CVE-2021-20399 (IBM Qradar SIEM 7.3.0 to 7.3.3 Patch 8 and 7.4.0 to 7.4.3 GA is vulner ...) NOT-FOR-US: IBM CVE-2021-20398 @@ -56776,8 +64564,8 @@ CVE-2021-20375 (IBM Sterling File Gateway 2.2.0.0 through 6.1.1.0 could allow an NOT-FOR-US: IBM CVE-2021-20374 (IBM Maximo Asset Management 7.6.0 and 7.6.1 is vulnerable to stored cr ...) NOT-FOR-US: IBM -CVE-2021-20373 - RESERVED +CVE-2021-20373 (IBM Db2 9.7, 10.1, 10.5, 11.1, and 11.5 may be vulnerable to an Inform ...) + NOT-FOR-US: IBM CVE-2021-20372 (IBM Sterling File Gateway 2.2.0.0 through 6.1.1.0 could allow a remote ...) NOT-FOR-US: IBM CVE-2021-20371 (IBM Jazz Foundation and IBM Engineering products could allow a remote ...) @@ -56864,8 +64652,10 @@ CVE-2021-20332 (Specific MongoDB Rust Driver versions can include credentials us NOT-FOR-US: MongoDB rust driver CVE-2021-20331 (Specific versions of the MongoDB C# Driver may erroneously publish eve ...) NOT-FOR-US: MongoDB C# Driver -CVE-2021-20330 - RESERVED +CVE-2021-20330 (An attacker with basic CRUD permissions on a replicated collection can ...) + - mongodb <removed> + [stretch] - mongodb <end-of-life> (https://lists.debian.org/debian-lts/2020/11/msg00058.html) + NOTE: https://jira.mongodb.org/browse/SERVER-36263 CVE-2021-20329 (Specific cstrings input may not be properly validated in the MongoDB G ...) NOT-FOR-US: mongo-driver NOTE: https://jira.mongodb.org/browse/GODRIVER-1923 @@ -56881,8 +64671,7 @@ CVE-2021-20326 (A user authorized to performing a specific type of find query ma - mongodb <removed> [stretch] - mongodb <end-of-life> (https://lists.debian.org/debian-lts/2020/11/msg00058.html) NOTE: https://jira.mongodb.org/browse/SERVER-53929 -CVE-2021-20325 - RESERVED +CVE-2021-20325 (Missing fixes for CVE-2021-40438 and CVE-2021-26691 in the versions of ...) - apache2 <not-affected> (Red Hat RHEL 8 specifc regression of CVE-2021-40438 and CVE-2021-26691) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2017321 CVE-2021-20324 @@ -56890,17 +64679,18 @@ CVE-2021-20324 NOT-FOR-US: WildFly Elytron CVE-2021-20323 RESERVED -CVE-2021-20322 [new DNS Cache Poisoning Attack based on ICMP fragment needed packets replies] - RESERVED + NOT-FOR-US: Keycloak +CVE-2021-20322 (A flaw in the processing of received ICMP errors (ICMP fragment needed ...) + {DLA-2843-1} - linux 5.14.6-1 [bullseye] - linux 5.10.70-1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2014230 -CVE-2021-20321 - RESERVED +CVE-2021-20321 (A race condition accessing file object in the Linux kernel OverlayFS s ...) + {DLA-2843-1} - linux 5.14.12-1 + [bullseye] - linux 5.10.84-1 NOTE: https://git.kernel.org/linus/a295aef603e109a47af355477326bd41151765b6 (5.15-rc5) -CVE-2021-20320 - RESERVED +CVE-2021-20320 (A flaw was found in s390 eBPF JIT in bpf_jit_insn in arch/s390/net/bpf ...) - linux 5.14.9-1 [bullseye] - linux 5.10.70-1 [buster] - linux 4.19.208-1 @@ -56909,16 +64699,20 @@ CVE-2021-20320 CVE-2021-20319 RESERVED NOT-FOR-US: coreos-installer -CVE-2021-20318 - RESERVED +CVE-2021-20318 (The HornetQ component of Artemis in EAP 7 was not updated with the fix ...) NOT-FOR-US: Red Hat JBoss Enterprise Application Platform CVE-2021-20317 (A flaw was found in the Linux kernel. A corrupted timer tree caused th ...) + {DLA-2843-1} - linux 5.4.6-1 NOTE: https://git.kernel.org/linus/511885d7061eda3eb1faf3f57dcc936ff75863f1 (5.4-rc1) CVE-2021-20316 RESERVED -CVE-2021-20315 [locking protection bypass allow unauthorized user to kill existing applications or start new ones] - RESERVED + - samba <unfixed> (bug #1004690) + [bullseye] - samba <ignored> (Minor issue; no backport to older versions, mitigations exists) + [buster] - samba <ignored> (Minor issue; no backport to older versions, mitigations exists) + NOTE: https://www.samba.org/samba/security/CVE-2021-20316.html + NOTE: https://bugzilla.samba.org/show_bug.cgi?id=14842 +CVE-2021-20315 (A locking protection bypass flaw was found in some versions of gnome-s ...) - gnome-shell <undetermined> NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2006285 TODO: check, possibly Red Hat specific as issue introduced of backporting features to CentOS 8 Streams @@ -57232,6 +65026,7 @@ CVE-2021-20255 (A stack overflow via an infinite recursion vulnerability was fou [buster] - qemu <postponed> (Minor issue) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html NOTE: https://ruhr-uni-bochum.sciebo.de/s/NNWP2GfwzYKeKwE?path=%2Feepro100_stackoverflow1 + NOTE: No upstream patch as of 2022-01-28 CVE-2021-20254 (A flaw was found in samba. The Samba smbd file server must map Windows ...) {DLA-2668-1} - samba 2:4.13.5+dfsg-2 (bug #987811) @@ -57379,7 +65174,7 @@ CVE-2021-20229 (A flaw was found in PostgreSQL in versions before 13.2. This fla CVE-2021-20228 (A flaw was found in the Ansible Engine 2.9.18, where sensitive info is ...) {DSA-4950-1} - ansible 2.10.7+merged+base+2.10.8+dfsg-1 - - ansible-base <unfixed> + - ansible-base <removed> NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1925002 NOTE: https://github.com/ansible/ansible/pull/73487 CVE-2021-20227 (A flaw was found in SQLite's SELECT query functionality (src/select.c) ...) @@ -57410,7 +65205,7 @@ CVE-2021-20221 (An out-of-bounds heap buffer access issue was found in the ARM G - qemu 1:5.2+dfsg-4 [buster] - qemu <postponed> (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2021/02/05/1 - NOTE: https://gitlab.com/qemu-project/qemu/-/commit/edfe2eb4360cde4ed5d95bda7777edcb3510f76a + NOTE: https://gitlab.com/qemu-project/qemu/-/commit/edfe2eb4360cde4ed5d95bda7777edcb3510f76a (v6.0.0-rc0) CVE-2021-20220 (A flaw was found in Undertow. A regression in the fix for CVE-2020-106 ...) - undertow 2.2.0-1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1923133 @@ -57505,13 +65300,14 @@ CVE-2021-20204 (A heap memory corruption problem (use after free) can be trigger NOTE: Debian patch applied causes functional regressions: https://bugs.debian.org/992437 CVE-2021-20203 (An integer overflow issue was found in the vmxnet3 NIC emulator of the ...) {DLA-2623-1} - - qemu <unfixed> (bug #984452) + - qemu 1:6.2+dfsg-1 (bug #984452) [bullseye] - qemu <postponed> (Minor issue) [buster] - qemu <postponed> (Minor issue) NOTE: https://bugs.launchpad.net/qemu/+bug/1913873 NOTE: https://gitlab.com/qemu-project/qemu/-/issues/308 NOTE: https://bugs.launchpad.net/qemu/+bug/1890152 NOTE: https://lists.gnu.org/archive/html/qemu-devel/2021-01/msg07935.html + NOTE: Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/d05dcd94aee88728facafb993c7280547eb4d645 (v6.2.0-rc3) CVE-2021-20202 (A flaw was found in keycloak. Directories can be created prior to the ...) NOT-FOR-US: Keycloak CVE-2021-20201 (A flaw was found in spice in versions before 0.14.92. A DoS tool might ...) @@ -57544,7 +65340,7 @@ CVE-2021-20197 (There is an open race window when writing output in the followin NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=365f5fb6d0f0da83817431a275e99e6f6babbe04 NOTE: binutils not covered by security support CVE-2021-20196 (A NULL pointer dereference flaw was found in the floppy disk emulator ...) - - qemu <unfixed> (bug #984453) + - qemu 1:6.2+dfsg-1 (bug #984453) [bullseye] - qemu <postponed> (Minor issue, revisit when fixed upstream) [buster] - qemu <postponed> (Fix along in future DSA) [stretch] - qemu <postponed> (Fix along in future DLA) @@ -57552,6 +65348,7 @@ CVE-2021-20196 (A NULL pointer dereference flaw was found in the floppy disk emu NOTE: https://bugs.launchpad.net/qemu/+bug/1912780 NOTE: https://gitlab.com/qemu-project/qemu/-/issues/338 NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2021-01/msg05986.html + NOTE: Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/1ab95af033a419e7a64e2d58e67dd96b20af5233 (v6.2.0-rc4) CVE-2021-20195 (A flaw was found in keycloak in versions before 13.0.0. A Self Stored ...) NOT-FOR-US: Keycloak CVE-2021-20194 (There is a vulnerability in the linux kernel versions higher than 5.2 ...) @@ -57638,94 +65435,94 @@ CVE-2021-20176 (A divide-by-zero flaw was found in ImageMagick 6.9.11-57 and 7.0 NOTE: https://github.com/ImageMagick/ImageMagick/issues/3077 NOTE: ImageMagick: https://github.com/ImageMagick/ImageMagick/commit/fbd9a963db1ae5551c45dc8af57db0abd7695774 NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/90255f0834eead08d59f46b0bda7b1580451cc0f -CVE-2021-20175 - RESERVED -CVE-2021-20174 - RESERVED -CVE-2021-20173 - RESERVED -CVE-2021-20172 - RESERVED -CVE-2021-20171 - RESERVED -CVE-2021-20170 - RESERVED -CVE-2021-20169 - RESERVED -CVE-2021-20168 - RESERVED -CVE-2021-20167 - RESERVED -CVE-2021-20166 - RESERVED -CVE-2021-20165 - RESERVED -CVE-2021-20164 - RESERVED -CVE-2021-20163 - RESERVED -CVE-2021-20162 - RESERVED -CVE-2021-20161 - RESERVED -CVE-2021-20160 - RESERVED -CVE-2021-20159 - RESERVED -CVE-2021-20158 - RESERVED -CVE-2021-20157 - RESERVED -CVE-2021-20156 - RESERVED -CVE-2021-20155 - RESERVED -CVE-2021-20154 - RESERVED -CVE-2021-20153 - RESERVED -CVE-2021-20152 - RESERVED -CVE-2021-20151 - RESERVED -CVE-2021-20150 - RESERVED -CVE-2021-20149 - RESERVED -CVE-2021-20148 - RESERVED -CVE-2021-20147 - RESERVED -CVE-2021-20146 - RESERVED -CVE-2021-20145 - RESERVED -CVE-2021-20144 - RESERVED -CVE-2021-20143 - RESERVED -CVE-2021-20142 - RESERVED -CVE-2021-20141 - RESERVED -CVE-2021-20140 - RESERVED -CVE-2021-20139 - RESERVED -CVE-2021-20138 - RESERVED -CVE-2021-20137 - RESERVED +CVE-2021-20175 (Netgear Nighthawk R6700 version 1.0.4.120 does not utilize secure comm ...) + NOT-FOR-US: Netgear +CVE-2021-20174 (Netgear Nighthawk R6700 version 1.0.4.120 does not utilize secure comm ...) + NOT-FOR-US: Netgear +CVE-2021-20173 (Netgear Nighthawk R6700 version 1.0.4.120 contains a command injection ...) + NOT-FOR-US: Netgear +CVE-2021-20172 (All known versions of the Netgear Genie Installer for macOS contain a ...) + NOT-FOR-US: Netgear +CVE-2021-20171 (Netgear RAX43 version 1.0.3.96 stores sensitive information in plainte ...) + NOT-FOR-US: Netgear +CVE-2021-20170 (Netgear RAX43 version 1.0.3.96 makes use of hardcoded credentials. It ...) + NOT-FOR-US: Netgear +CVE-2021-20169 (Netgear RAX43 version 1.0.3.96 does not utilize secure communications ...) + NOT-FOR-US: Netgear +CVE-2021-20168 (Netgear RAX43 version 1.0.3.96 does not have sufficient protections to ...) + NOT-FOR-US: Netgear +CVE-2021-20167 (Netgear RAX43 version 1.0.3.96 contains a command injection vulnerabil ...) + NOT-FOR-US: Netgear +CVE-2021-20166 (Netgear RAX43 version 1.0.3.96 contains a buffer overrun vulnerability ...) + NOT-FOR-US: Netgear +CVE-2021-20165 (Trendnet AC2600 TEW-827DRU version 2.08B01 does not properly implement ...) + NOT-FOR-US: Trendnet +CVE-2021-20164 (Trendnet AC2600 TEW-827DRU version 2.08B01 improperly discloses creden ...) + NOT-FOR-US: Trendnet +CVE-2021-20163 (Trendnet AC2600 TEW-827DRU version 2.08B01 leaks information via the f ...) + NOT-FOR-US: Trendnet +CVE-2021-20162 (Trendnet AC2600 TEW-827DRU version 2.08B01 stores credentials in plain ...) + NOT-FOR-US: Trendnet +CVE-2021-20161 (Trendnet AC2600 TEW-827DRU version 2.08B01 does not have sufficient pr ...) + NOT-FOR-US: Trendnet +CVE-2021-20160 (Trendnet AC2600 TEW-827DRU version 2.08B01 contains a command injectio ...) + NOT-FOR-US: Trendnet +CVE-2021-20159 (Trendnet AC2600 TEW-827DRU version 2.08B01 is vulnerable to command in ...) + NOT-FOR-US: Trendnet +CVE-2021-20158 (Trendnet AC2600 TEW-827DRU version 2.08B01 contains an authentication ...) + NOT-FOR-US: Trendnet +CVE-2021-20157 (It is possible for an unauthenticated, malicious user to force the dev ...) + NOT-FOR-US: Trendnet +CVE-2021-20156 (Trendnet AC2600 TEW-827DRU version 2.08B01 contains an improper access ...) + NOT-FOR-US: Trendnet +CVE-2021-20155 (Trendnet AC2600 TEW-827DRU version 2.08B01 makes use of hardcoded cred ...) + NOT-FOR-US: Trendnet +CVE-2021-20154 (Trendnet AC2600 TEW-827DRU version 2.08B01 contains an security flaw i ...) + NOT-FOR-US: Trendnet +CVE-2021-20153 (Trendnet AC2600 TEW-827DRU version 2.08B01 contains a symlink vulnerab ...) + NOT-FOR-US: Trendnet +CVE-2021-20152 (Trendnet AC2600 TEW-827DRU version 2.08B01 lacks proper authentication ...) + NOT-FOR-US: Trendnet +CVE-2021-20151 (Trendnet AC2600 TEW-827DRU version 2.08B01 contains a flaw in the sess ...) + NOT-FOR-US: Trendnet +CVE-2021-20150 (Trendnet AC2600 TEW-827DRU version 2.08B01 improperly discloses inform ...) + NOT-FOR-US: Trendnet +CVE-2021-20149 (Trendnet AC2600 TEW-827DRU version 2.08B01 does not have sufficient ac ...) + NOT-FOR-US: Trendnet +CVE-2021-20148 (ManageEngine ADSelfService Plus below build 6116 stores the password p ...) + NOT-FOR-US: ManageEngine +CVE-2021-20147 (ManageEngine ADSelfService Plus below build 6116 contains an observabl ...) + NOT-FOR-US: ManageEngine +CVE-2021-20146 (An unprotected ssh private key exists on the Gryphon devices which cou ...) + NOT-FOR-US: Gryphon Tower routers +CVE-2021-20145 (Gryphon Tower routers contain an unprotected openvpn configuration fil ...) + NOT-FOR-US: Gryphon Tower routers +CVE-2021-20144 (An unauthenticated command injection vulnerability exists in the param ...) + NOT-FOR-US: Gryphon Tower routers +CVE-2021-20143 (An unauthenticated command injection vulnerability exists in the param ...) + NOT-FOR-US: Gryphon Tower routers +CVE-2021-20142 (An unauthenticated command injection vulnerability exists in the param ...) + NOT-FOR-US: Gryphon Tower routers +CVE-2021-20141 (An unauthenticated command injection vulnerability exists in the param ...) + NOT-FOR-US: Gryphon Tower routers +CVE-2021-20140 (An unauthenticated command injection vulnerability exists in the param ...) + NOT-FOR-US: Gryphon Tower routers +CVE-2021-20139 (An unauthenticated command injection vulnerability exists in the param ...) + NOT-FOR-US: Gryphon Tower routers +CVE-2021-20138 (An unauthenticated command injection vulnerability exists in multiple ...) + NOT-FOR-US: Gryphon Tower routers +CVE-2021-20137 (A reflected cross-site scripting vulnerability exists in the url param ...) + NOT-FOR-US: Gryphon Tower routers CVE-2021-20136 (ManageEngine Log360 Builds < 5235 are affected by an improper acces ...) NOT-FOR-US: ManageEngine CVE-2021-20135 (Nessus versions 8.15.2 and earlier were found to contain a local privi ...) NOT-FOR-US: Nessus -CVE-2021-20134 - RESERVED -CVE-2021-20133 - RESERVED -CVE-2021-20132 - RESERVED +CVE-2021-20134 (Quagga Services on D-Link DIR-2640 less than or equal to version 1.11B ...) + NOT-FOR-US: D-Link +CVE-2021-20133 (Quagga Services on D-Link DIR-2640 less than or equal to version 1.11B ...) + NOT-FOR-US: D-Link +CVE-2021-20132 (Quagga Services on D-Link DIR-2640 less than or equal to version 1.11B ...) + NOT-FOR-US: D-Link CVE-2021-20131 (ManageEngine ADManager Plus Build 7111 contains a post-authentication ...) NOT-FOR-US: ManageEngine ADManager Plus CVE-2021-20130 (ManageEngine ADManager Plus Build 7111 contains a post-authentication ...) @@ -57890,32 +65687,32 @@ CVE-2021-20052 RESERVED CVE-2021-20051 RESERVED -CVE-2021-20050 - RESERVED -CVE-2021-20049 - RESERVED -CVE-2021-20048 - RESERVED -CVE-2021-20047 - RESERVED -CVE-2021-20046 - RESERVED -CVE-2021-20045 - RESERVED -CVE-2021-20044 - RESERVED -CVE-2021-20043 - RESERVED -CVE-2021-20042 - RESERVED -CVE-2021-20041 - RESERVED -CVE-2021-20040 - RESERVED -CVE-2021-20039 - RESERVED -CVE-2021-20038 - RESERVED +CVE-2021-20050 (An Improper Access Control Vulnerability in the SMA100 series leads to ...) + NOT-FOR-US: SonicWall +CVE-2021-20049 (A vulnerability in SonicWall SMA100 password change API allows a remot ...) + NOT-FOR-US: SonicWall +CVE-2021-20048 (A Stack-based buffer overflow in the SonicOS SessionID HTTP response h ...) + NOT-FOR-US: SonicWall +CVE-2021-20047 (SonicWall Global VPN client version 4.10.6 (32-bit and 64-bit) and ear ...) + NOT-FOR-US: SonicWall +CVE-2021-20046 (A Stack-based buffer overflow in the SonicOS HTTP Content-Length respo ...) + NOT-FOR-US: SonicWall +CVE-2021-20045 (A buffer overflow vulnerability in SMA100 sonicfiles RAC_COPY_TO (RacN ...) + NOT-FOR-US: SonicWall +CVE-2021-20044 (A post-authentication remote command injection vulnerability in SonicW ...) + NOT-FOR-US: SonicWall +CVE-2021-20043 (A Heap-based buffer overflow vulnerability in SonicWall SMA100 getBook ...) + NOT-FOR-US: SonicWall +CVE-2021-20042 (An unauthenticated remote attacker can use SMA 100 as an unintended pr ...) + NOT-FOR-US: SonicWall +CVE-2021-20041 (An unauthenticated and remote adversary can consume all of the device' ...) + NOT-FOR-US: SonicWall +CVE-2021-20040 (A relative path traversal vulnerability in the SMA100 upload funtion a ...) + NOT-FOR-US: SonicWall +CVE-2021-20039 (Improper neutralization of special elements in the SMA100 management i ...) + NOT-FOR-US: SonicWall +CVE-2021-20038 (A Stack-based buffer overflow vulnerability in SMA100 Apache httpd ser ...) + NOT-FOR-US: SonicWall CVE-2021-20037 (SonicWall Global VPN Client 4.10.5 installer (32-bit and 64-bit) incor ...) NOT-FOR-US: SonicWall CVE-2021-20036 @@ -57935,7 +65732,7 @@ CVE-2021-20030 CVE-2021-20029 RESERVED CVE-2021-20028 (** UNSUPPORTED WHEN ASSIGNED ** Improper neutralization of a SQL Comma ...) - NOT-FOR-US: Sonicwall + NOT-FOR-US: SonicWall CVE-2021-20027 (A buffer overflow vulnerability in SonicOS allows a remote attacker to ...) NOT-FOR-US: SonicWall CVE-2021-20026 (A vulnerability in the SonicWall NSM On-Prem product allows an authent ...) @@ -57961,35 +65758,37 @@ CVE-2021-20017 (A post-authenticated command injection vulnerability in SonicWal CVE-2021-20016 (A SQL-Injection vulnerability in the SonicWall SSLVPN SMA100 product a ...) NOT-FOR-US: SonicWall CVE-2021-20015 - RESERVED + REJECTED CVE-2021-20014 - RESERVED + REJECTED CVE-2021-20013 - RESERVED + REJECTED CVE-2021-20012 - RESERVED + REJECTED CVE-2021-20011 - RESERVED + REJECTED CVE-2021-20010 - RESERVED + REJECTED CVE-2021-20009 - RESERVED + REJECTED CVE-2021-20008 - RESERVED + REJECTED CVE-2021-20007 - RESERVED + REJECTED CVE-2021-20006 - RESERVED + REJECTED CVE-2021-20005 - RESERVED + REJECTED CVE-2021-20004 - RESERVED + REJECTED CVE-2021-20003 - RESERVED + REJECTED CVE-2021-20002 - RESERVED -CVE-2021-20001 - RESERVED + REJECTED +CVE-2021-20001 (It was discovered, that debian-edu-config, a set of configuration file ...) + {DSA-5072-1 DLA-2918-1} + - debian-edu-config 2.12.16 + NOTE: https://salsa.debian.org/debian-edu/debian-edu-config/-/commit/4d39a5888d193567704238f8c035f8d17cfe34e5 CVE-2021-2485 (Vulnerability in the Oracle Trade Management product of Oracle E-Busin ...) NOT-FOR-US: Oracle CVE-2021-2484 (Vulnerability in the Oracle Operations Intelligence product of Oracle ...) @@ -59196,8 +66995,8 @@ CVE-2021-1920 (Integer underflow can occur due to improper handling of incoming NOT-FOR-US: Qualcomm components for Android CVE-2021-1919 (Integer underflow can occur when the RTCP length is lesser than than t ...) NOT-FOR-US: Qualcomm components for Android -CVE-2021-1918 - RESERVED +CVE-2021-1918 (Improper handling of resource allocation in virtual machines can lead ...) + NOT-FOR-US: Qualcomm components for Android CVE-2021-1917 (Null pointer dereference can occur due to memory allocation failure in ...) NOT-FOR-US: Qualcomm components for Android CVE-2021-1916 (Possible buffer underflow due to lack of check for negative indices va ...) @@ -59244,8 +67043,8 @@ CVE-2021-1896 (Weak configuration in WLAN could cause forwarding of unencrypted NOT-FOR-US: Snapdragon CVE-2021-1895 (Possible integer overflow due to improper length check while flashing ...) NOT-FOR-US: Snapdragon -CVE-2021-1894 - RESERVED +CVE-2021-1894 (Improper access control in TrustZone due to improper error handling wh ...) + NOT-FOR-US: Qualcomm components for Android CVE-2021-1893 RESERVED CVE-2021-1892 (Memory corruption due to improper input validation while processing IO ...) @@ -59934,8 +67733,8 @@ CVE-2021-1575 (A vulnerability in the web-based management interface of Cisco Vi NOT-FOR-US: Cisco CVE-2021-1574 (Multiple vulnerabilities in the web-based management interface of Cisc ...) NOT-FOR-US: Cisco -CVE-2021-1573 - RESERVED +CVE-2021-1573 (A vulnerability in the web services interface of Cisco Adaptive Securi ...) + NOT-FOR-US: Cisco CVE-2021-1572 (A vulnerability in ConfD could allow an authenticated, local attacker ...) NOT-FOR-US: Cisco CVE-2021-1571 (Multiple vulnerabilities in the web-based management interface of Cisc ...) @@ -60863,7 +68662,7 @@ CVE-2021-1115 (NVIDIA GPU Display Driver for Windows contains a vulnerability in NOT-FOR-US: NVIDIA GPU Display Driver for Windows CVE-2021-1114 (NVIDIA Linux kernel distributions contain a vulnerability in the kerne ...) NOT-FOR-US: NVIDIA -CVE-2021-1113 (NVIDIA camera firmware contains a vulnerability where an unauthorized ...) +CVE-2021-1113 (NVIDIA camera firmware contains a difficult to exploit vulnerability w ...) NOT-FOR-US: NVIDIA CVE-2021-1112 (NVIDIA Linux kernel distributions contain a vulnerability in nvmap, wh ...) NOT-FOR-US: NVIDIA @@ -60900,6 +68699,7 @@ CVE-2021-1097 (NVIDIA vGPU software contains a vulnerability in the Virtual GPU CVE-2021-1096 (NVIDIA Windows GPU Display Driver for Windows contains a vulnerability ...) NOT-FOR-US: NVIDIA Windows GPU Display Driver for Windows CVE-2021-1095 (NVIDIA GPU Display Driver for Windows and Linux contains a vulnerabili ...) + {DLA-2888-1} - nvidia-graphics-drivers 460.91.03-1 (bug #991351) [buster] - nvidia-graphics-drivers 418.211.00-1 - nvidia-graphics-drivers-legacy-390xx 390.144-1 (bug #991353) @@ -60913,6 +68713,7 @@ CVE-2021-1095 (NVIDIA GPU Display Driver for Windows and Linux contains a vulner - nvidia-graphics-drivers-tesla-418 418.211.00-1 (bug #991354) NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5211 CVE-2021-1094 (NVIDIA GPU Display Driver for Windows and Linux contains a vulnerabili ...) + {DLA-2888-1} - nvidia-graphics-drivers 460.91.03-1 (bug #991351) [buster] - nvidia-graphics-drivers 418.211.00-1 - nvidia-graphics-drivers-legacy-390xx 390.144-1 (bug #991353) @@ -60926,6 +68727,7 @@ CVE-2021-1094 (NVIDIA GPU Display Driver for Windows and Linux contains a vulner - nvidia-graphics-drivers-tesla-418 418.211.00-1 (bug #991354) NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5211 CVE-2021-1093 (NVIDIA GPU Display Driver for Windows and Linux contains a vulnerabili ...) + {DLA-2888-1} - nvidia-graphics-drivers 460.91.03-1 (bug #991351) [buster] - nvidia-graphics-drivers 418.211.00-1 - nvidia-graphics-drivers-legacy-390xx 390.144-1 (bug #991353) @@ -60976,6 +68778,7 @@ CVE-2021-1077 (NVIDIA GPU Display Driver for Windows and Linux, R450 and R460 dr - nvidia-graphics-drivers-tesla-450 450.119.03-1 (bug #987221) - nvidia-graphics-drivers-tesla-460 460.73.01-1 (bug #987222) CVE-2021-1076 (NVIDIA GPU Display Driver for Windows and Linux, all versions, contain ...) + {DLA-2888-1} - nvidia-graphics-drivers 460.73.01-1 (bug #987216) [buster] - nvidia-graphics-drivers 418.197.02-1 - nvidia-graphics-drivers-legacy-340xx <unfixed> (bug #987217) @@ -61026,9 +68829,9 @@ CVE-2021-1058 (NVIDIA vGPU software contains a vulnerability in the guest kernel CVE-2021-1057 (NVIDIA Virtual GPU Manager NVIDIA vGPU manager contains a vulnerabilit ...) NOT-FOR-US: NVIDIA Virtual GPU Manager NVIDIA vGPU manager CVE-2021-1056 (NVIDIA GPU Display Driver for Linux, all versions, contains a vulnerab ...) + {DLA-2888-1} - nvidia-graphics-drivers 460.32.03-1 (bug #979670) [buster] - nvidia-graphics-drivers 418.181.07-1 - [stretch] - nvidia-graphics-drivers <no-dsa> (Non-free not supported) - nvidia-graphics-drivers-legacy-340xx <unfixed> (bug #979671) [buster] - nvidia-graphics-drivers-legacy-340xx <ignored> (Non-free not supported, no updates provided by Nvidia anymore) [stretch] - nvidia-graphics-drivers-legacy-340xx <ignored> (Non-free not supported, no updates provided by Nvidia anymore) @@ -61055,207 +68858,206 @@ CVE-2021-1051 (NVIDIA GPU Display Driver for Windows contains a vulnerability in NOT-FOR-US: NVIDIA Windows drivers CVE-2021-1050 RESERVED -CVE-2021-1049 - RESERVED -CVE-2021-1048 - RESERVED -CVE-2021-1047 - RESERVED -CVE-2021-1046 - RESERVED -CVE-2021-1045 - RESERVED +CVE-2021-1049 (Hacker one bug ID: 1343975Product: AndroidVersions: Android SoCAndroid ...) + NOT-FOR-US: Unisoc +CVE-2021-1048 (In ep_loop_check_proc of eventpoll.c, there is a possible way to corru ...) + - linux 5.8.10-1 + [buster] - linux 4.19.146-1 + [stretch] - linux 4.9.240-1 + NOTE: https://git.kernel.org/linus/77f4689de17c0887775bb77896f4cc11a39bf848 (5.9-rc4) +CVE-2021-1047 (In valid_ipc_dram_addr of cm_access_control.c, there is a possible out ...) NOT-FOR-US: Google Pixel components -CVE-2021-1044 - RESERVED +CVE-2021-1046 (In lwis_dpm_update_clock of lwis_device_dpm.c, there is a possible out ...) NOT-FOR-US: Google Pixel components -CVE-2021-1043 - RESERVED +CVE-2021-1045 (Product: AndroidVersions: Android kernelAndroid ID: A-195580473Referen ...) NOT-FOR-US: Google Pixel components -CVE-2021-1042 - RESERVED +CVE-2021-1044 (In eicOpsDecryptAes128Gcm of acropora/app/identity/identity_support.c, ...) NOT-FOR-US: Google Pixel components -CVE-2021-1041 - RESERVED +CVE-2021-1043 (In TBD of TBD, there is a possible downgrade attack due to under utili ...) NOT-FOR-US: Google Pixel components -CVE-2021-1040 - RESERVED -CVE-2021-1039 - RESERVED -CVE-2021-1038 - RESERVED -CVE-2021-1037 - RESERVED -CVE-2021-1036 - RESERVED -CVE-2021-1035 - RESERVED -CVE-2021-1034 - RESERVED +CVE-2021-1042 (In dsi_panel_debugfs_read_cmdset of dsi_panel.c, there is a possible d ...) + NOT-FOR-US: Google Pixel components +CVE-2021-1041 (In (TBD) of (TBD), there is a possible out of bounds read due to memor ...) + NOT-FOR-US: Google Pixel components +CVE-2021-1040 (In onCreate of BluetoothPairingSelectionFragment.java, there is a poss ...) + NOT-FOR-US: Android +CVE-2021-1039 (In NotificationAccessActivity of AndroidManifest.xml, there is a possi ...) + NOT-FOR-US: Android +CVE-2021-1038 (In UserDetailsActivity of AndroidManifest.xml, there is a possible DoS ...) + NOT-FOR-US: Android +CVE-2021-1037 (The broadcast that DevicePickerFragment sends when a new device is pai ...) + NOT-FOR-US: Android +CVE-2021-1036 (In LocationSettingsActivity of AndroidManifest.xml, there is a possibl ...) + NOT-FOR-US: Android +CVE-2021-1035 (In setLaunchIntent of BluetoothDevicePickerPreferenceController.java, ...) + NOT-FOR-US: Android +CVE-2021-1034 (In getLine1NumberForDisplay of PhoneInterfaceManager.java, there is ap ...) + NOT-FOR-US: Android CVE-2021-1033 RESERVED -CVE-2021-1032 - RESERVED -CVE-2021-1031 - RESERVED -CVE-2021-1030 - RESERVED -CVE-2021-1029 - RESERVED -CVE-2021-1028 - RESERVED -CVE-2021-1027 - RESERVED -CVE-2021-1026 - RESERVED -CVE-2021-1025 - RESERVED -CVE-2021-1024 - RESERVED -CVE-2021-1023 - RESERVED -CVE-2021-1022 - RESERVED -CVE-2021-1021 - RESERVED -CVE-2021-1020 - RESERVED -CVE-2021-1019 - RESERVED -CVE-2021-1018 - RESERVED -CVE-2021-1017 - RESERVED -CVE-2021-1016 - RESERVED -CVE-2021-1015 - RESERVED -CVE-2021-1014 - RESERVED -CVE-2021-1013 - RESERVED -CVE-2021-1012 - RESERVED -CVE-2021-1011 - RESERVED -CVE-2021-1010 - RESERVED -CVE-2021-1009 - RESERVED -CVE-2021-1008 - RESERVED -CVE-2021-1007 - RESERVED -CVE-2021-1006 - RESERVED -CVE-2021-1005 - RESERVED -CVE-2021-1004 - RESERVED -CVE-2021-1003 - RESERVED -CVE-2021-1002 - RESERVED -CVE-2021-1001 - RESERVED +CVE-2021-1032 (In getMimeGroup of PackageManagerService.java, there is a possible way ...) + NOT-FOR-US: Android +CVE-2021-1031 (In cancelNotificationsFromListener of NotificationManagerService.java, ...) + NOT-FOR-US: Android +CVE-2021-1030 (In setNotificationsShownFromListener of NotificationManagerService.jav ...) + NOT-FOR-US: Android +CVE-2021-1029 (In setClientStateLocked of SurfaceFlinger.cpp, there is a possible out ...) + NOT-FOR-US: Android +CVE-2021-1028 (In setClientStateLocked of SurfaceFlinger.cpp, there is a possible out ...) + NOT-FOR-US: Android +CVE-2021-1027 (In setTransactionState of SurfaceFlinger, there is possible arbitrary ...) + NOT-FOR-US: Android +CVE-2021-1026 (In startRanging of RttServiceImpl.java, there is a possible way to det ...) + NOT-FOR-US: Android +CVE-2021-1025 (In hasNamedWallpaper of WallpaperManagerService.java, there is a possi ...) + NOT-FOR-US: Android +CVE-2021-1024 (In onEventReceived of EventResultPersister.java, there is a possible i ...) + NOT-FOR-US: Android +CVE-2021-1023 (In onCreate of RequestIgnoreBatteryOptimizations.java, there is a poss ...) + NOT-FOR-US: Android +CVE-2021-1022 (In btif_in_hf_client_generic_evt of btif_hf_client.cc, there is a poss ...) + NOT-FOR-US: Android +CVE-2021-1021 (In snoozeNotificationInt of NotificationManagerService.java, there is ...) + NOT-FOR-US: Android +CVE-2021-1020 (In snoozeNotification of NotificationListenerService.java, there is a ...) + NOT-FOR-US: Android +CVE-2021-1019 (In snoozeNotification of NotificationListenerService.java, there is a ...) + NOT-FOR-US: Android +CVE-2021-1018 (In adjustStreamVolume of AudioService.java, there is a possible way to ...) + NOT-FOR-US: Android +CVE-2021-1017 (In AdapterService and GattService definition of AndroidManifest.xml, t ...) + NOT-FOR-US: Android +CVE-2021-1016 (In onCreate of UsbPermissionActivity.java, there is a possible way to ...) + NOT-FOR-US: Android +CVE-2021-1015 (In getMeidForSlot of PhoneInterfaceManager.java, there is a possible w ...) + NOT-FOR-US: Android +CVE-2021-1014 (In getNetworkTypeForSubscriber of PhoneInterfaceManager.java, there is ...) + NOT-FOR-US: Android +CVE-2021-1013 (In checkExistsAndEnforceCannotModifyImmutablyRestrictedPermission of P ...) + NOT-FOR-US: Android +CVE-2021-1012 (In onResume of NotificationAccessDetails.java, there is a possible way ...) + NOT-FOR-US: Android +CVE-2021-1011 (In setPackageStoppedState of PackageManagerService.java, there is a mi ...) + NOT-FOR-US: Android +CVE-2021-1010 (In getSigningKeySet of PackageManagerService.java, there is a missing ...) + NOT-FOR-US: Android +CVE-2021-1009 (In setApplicationCategoryHint of PackageManagerService.java, there is ...) + NOT-FOR-US: Android +CVE-2021-1008 (In addSubInfo of SubscriptionController.java, there is a possible way ...) + NOT-FOR-US: Android +CVE-2021-1007 (In btu_hcif_process_event of btu_hcif.cc, there is a possible out of b ...) + NOT-FOR-US: Android +CVE-2021-1006 (In several functions of DatabaseManager.java, there is a possible leak ...) + NOT-FOR-US: Android +CVE-2021-1005 (In getDeviceIdWithFeature of PhoneInterfaceManager.java, there is a po ...) + NOT-FOR-US: Android +CVE-2021-1004 (In getConfiguredNetworks of WifiServiceImpl.java, there is a possible ...) + NOT-FOR-US: Android +CVE-2021-1003 (In adjustStreamVolume of AudioService.java, there is a possible way fo ...) + NOT-FOR-US: Android +CVE-2021-1002 (In WT_Interpolate of eas_wtengine.c, there is a possible out of bounds ...) + NOT-FOR-US: Android +CVE-2021-1001 (In PVInitVideoEncoder of mp4enc_api.cpp, there is a possible out of bo ...) + NOT-FOR-US: Android CVE-2021-1000 RESERVED -CVE-2021-0999 - RESERVED -CVE-2021-0998 - RESERVED -CVE-2021-0997 - RESERVED -CVE-2021-0996 - RESERVED -CVE-2021-0995 - RESERVED -CVE-2021-0994 - RESERVED -CVE-2021-0993 - RESERVED -CVE-2021-0992 - RESERVED -CVE-2021-0991 - RESERVED -CVE-2021-0990 - RESERVED -CVE-2021-0989 - RESERVED -CVE-2021-0988 - RESERVED -CVE-2021-0987 - RESERVED -CVE-2021-0986 - RESERVED -CVE-2021-0985 - RESERVED -CVE-2021-0984 - RESERVED -CVE-2021-0983 - RESERVED -CVE-2021-0982 - RESERVED -CVE-2021-0981 - RESERVED +CVE-2021-0999 (In the broadcast definition in AndroidManifest.xml, there is a possibl ...) + NOT-FOR-US: Android +CVE-2021-0998 (In 'ih264e_find_bskip_params()' of ih264e_me.c, there is a possible ou ...) + NOT-FOR-US: Android +CVE-2021-0997 (In handleUpdateNetworkState of GnssNetworkConnectivityHandler.java , t ...) + NOT-FOR-US: Android +CVE-2021-0996 (In nfaHciCallback of HciEventManager.cpp, there is a possible out of b ...) + NOT-FOR-US: Android +CVE-2021-0995 (In registerSuggestionConnectionStatusListener of WifiServiceImpl.java, ...) + NOT-FOR-US: Android +CVE-2021-0994 (In requestRouteToHostAddress of ConnectivityService.java, there is a p ...) + NOT-FOR-US: Android +CVE-2021-0993 (In getOffsetBeforeAfter of TextLine.java, there is a possible denial o ...) + NOT-FOR-US: Android +CVE-2021-0992 (In onCreate of PaymentDefaultDialog.java, there is a possible way to c ...) + NOT-FOR-US: Android +CVE-2021-0991 (In OnMetadataChangedListener of AdvancedBluetoothDetailsHeaderControll ...) + NOT-FOR-US: Android +CVE-2021-0990 (In getDeviceId of PhoneSubInfoController.java, there is a possible way ...) + NOT-FOR-US: Android +CVE-2021-0989 (In hasManageOngoingCallsPermission of TelecomServiceImpl.java, there i ...) + NOT-FOR-US: Android +CVE-2021-0988 (In getLaunchedFromUid and getLaunchedFromPackage of ActivityClientCont ...) + NOT-FOR-US: Android +CVE-2021-0987 (In getNeighboringCellInfo of PhoneInterfaceManager.java, there is a po ...) + NOT-FOR-US: Android +CVE-2021-0986 (In hasGrantedPolicy of DevicePolicyManagerService.java, there is a pos ...) + NOT-FOR-US: Android +CVE-2021-0985 (In onReceive of AlertReceiver.java, there is a possible way to dismiss ...) + NOT-FOR-US: Android +CVE-2021-0984 (In onNullBinding of ManagedServices.java, there is a possible permissi ...) + NOT-FOR-US: Android +CVE-2021-0983 (In createAdminSupportIntent of DevicePolicyManagerService.java, there ...) + NOT-FOR-US: Android +CVE-2021-0982 (In getOrganizationNameForUser of DevicePolicyManagerService.java, ther ...) + NOT-FOR-US: Android +CVE-2021-0981 (In enqueueNotificationInternal of NotificationManagerService.java, the ...) + NOT-FOR-US: Android CVE-2021-0980 RESERVED -CVE-2021-0979 - RESERVED -CVE-2021-0978 - RESERVED -CVE-2021-0977 - RESERVED -CVE-2021-0976 - RESERVED +CVE-2021-0979 (In isRequestPinItemSupported of ShortcutService.java, there is a possi ...) + NOT-FOR-US: Android +CVE-2021-0978 (In getSerialForPackage of DeviceIdentifiersPolicyService.java, there i ...) + NOT-FOR-US: Android +CVE-2021-0977 (In phNxpNHal_DtaUpdate of phNxpNciHal_dta.cc, there is a possible out ...) + NOT-FOR-US: Android +CVE-2021-0976 (In toBARK of floor0.c, there is a possible out of bounds read due to a ...) + NOT-FOR-US: Android CVE-2021-0975 RESERVED CVE-2021-0974 RESERVED -CVE-2021-0973 - RESERVED +CVE-2021-0973 (In isFileUri of UriUtil.java, there is a possible way to bypass ignori ...) + NOT-FOR-US: Android CVE-2021-0972 RESERVED -CVE-2021-0971 - RESERVED -CVE-2021-0970 - RESERVED -CVE-2021-0969 - RESERVED -CVE-2021-0968 - RESERVED -CVE-2021-0967 - RESERVED -CVE-2021-0966 - RESERVED -CVE-2021-0965 - RESERVED -CVE-2021-0964 - RESERVED -CVE-2021-0963 - RESERVED +CVE-2021-0971 (In MPEG4Source::read of MPEG4Extractor.cpp, there is a possible out of ...) + NOT-FOR-US: Google Play +CVE-2021-0970 (In createFromParcel of GpsNavigationMessage.java, there is a possible ...) + NOT-FOR-US: Android +CVE-2021-0969 (In getTitle of AccessPoint.java, there is a possible unhandled excepti ...) + NOT-FOR-US: Android +CVE-2021-0968 (In osi_malloc and osi_calloc of allocator.cc, there is a possible out ...) + NOT-FOR-US: Android +CVE-2021-0967 (In vorbis_book_decodev_set of codebook.c, there is a possible out of b ...) + NOT-FOR-US: Google Play +CVE-2021-0966 (In code generated by BuildParcelFields of generate_cpp.cpp, there is a ...) + NOT-FOR-US: Android +CVE-2021-0965 (In AndroidManifest.xml of Settings, there is a possible pairing of a B ...) + NOT-FOR-US: Android +CVE-2021-0964 (In C2SoftMP3::process() of C2SoftMp3Dec.cpp, there is a possible out o ...) + NOT-FOR-US: Google Play +CVE-2021-0963 (In onCreate of KeyChainActivity.java, there is a possible way to use a ...) + NOT-FOR-US: Android CVE-2021-0962 RESERVED -CVE-2021-0961 - RESERVED +CVE-2021-0961 (In quota_proc_write of xt_quota2.c, there is a possible way to read ke ...) + - linux <not-affected> (Android-specific xt_quota2 code) + NOTE: https://source.android.com/security/bulletin/2021-12-01 CVE-2021-0960 RESERVED -CVE-2021-0959 - RESERVED -CVE-2021-0958 - RESERVED +CVE-2021-0959 (In jit_memory_region.cc, there is a possible bypass of memory restrict ...) + NOT-FOR-US: Android +CVE-2021-0958 (In update of km_compat.cpp, there is a possible loss of potentially se ...) + NOT-FOR-US: Android CVE-2021-0957 RESERVED -CVE-2021-0956 - RESERVED -CVE-2021-0955 - RESERVED -CVE-2021-0954 - RESERVED -CVE-2021-0953 - RESERVED -CVE-2021-0952 - RESERVED +CVE-2021-0956 (In NfcTag::discoverTechnologies (activation) of NfcTag.cpp, there is a ...) + NOT-FOR-US: Android +CVE-2021-0955 (In pf_write_buf of FuseDaemon.cpp, there is possible memory corruption ...) + NOT-FOR-US: Android +CVE-2021-0954 (In ResolverActivity, there is a possible user interaction bypass due t ...) + NOT-FOR-US: Android +CVE-2021-0953 (In setOnClickActivityIntent of SearchWidgetProvider.java, there is a p ...) + NOT-FOR-US: Android +CVE-2021-0952 (In doCropPhoto of PhotoSelectionHandler.java, there is a possible perm ...) + NOT-FOR-US: Android CVE-2021-0951 RESERVED CVE-2021-0950 @@ -61310,61 +69112,46 @@ CVE-2021-0935 (In ip6_xmit of ip6_output.c, there is a possible out of bounds wr NOTE: https://source.android.com/security/bulletin/pixel/2021-10-01 CVE-2021-0934 RESERVED -CVE-2021-0933 - RESERVED +CVE-2021-0933 (In onCreate of CompanionDeviceActivity.java or DeviceChooserActivity.j ...) NOT-FOR-US: Android -CVE-2021-0932 - RESERVED +CVE-2021-0932 (In showNotification of NavigationModeController.java, there is a possi ...) NOT-FOR-US: Android -CVE-2021-0931 - RESERVED +CVE-2021-0931 (In getAlias of BluetoothDevice.java, there is a possible way to create ...) NOT-FOR-US: Android -CVE-2021-0930 - RESERVED +CVE-2021-0930 (In phNxpNciHal_process_ext_rsp of phNxpNciHal_ext.cc, there is a possi ...) NOT-FOR-US: Android -CVE-2021-0929 - RESERVED +CVE-2021-0929 (In ion_dma_buf_end_cpu_access and related functions of ion.c, there is ...) - linux 5.6.4-1 (unimportant) NOTE: https://source.android.com/security/bulletin/2021-11-01 NOTE: CONFIG_ION not enabled in Debian -CVE-2021-0928 - RESERVED +CVE-2021-0928 (In createFromParcel of OutputConfiguration.java, there is a possible p ...) NOT-FOR-US: Android media framework -CVE-2021-0927 - RESERVED +CVE-2021-0927 (In requestChannelBrowsable of TvInputManagerService.java, there is a p ...) NOT-FOR-US: Android TV -CVE-2021-0926 - RESERVED +CVE-2021-0926 (In onCreate of NfcImportVCardActivity.java, there is a possible way to ...) NOT-FOR-US: Android -CVE-2021-0925 - RESERVED +CVE-2021-0925 (In rw_t4t_sm_detect_ndef of rw_t4t.cc, there is a possible out of boun ...) NOT-FOR-US: Android -CVE-2021-0924 - RESERVED +CVE-2021-0924 (In xhci_vendor_get_ops of xhci.c, there is a possible out of bounds re ...) - linux <not-affected> (Android-specific XHCI patch) NOTE: https://source.android.com/security/bulletin/2021-11-01 NOTE: https://android.googlesource.com/kernel/common/+/df1995aede8e5b13a5ba4d36b48ed88d5bb84497 -CVE-2021-0923 - RESERVED +CVE-2021-0923 (In createOrUpdate of Permission.java, there is a possible way to gain ...) NOT-FOR-US: Android -CVE-2021-0922 - RESERVED +CVE-2021-0922 (In enforceCrossUserOrProfilePermission of PackageManagerService.java, ...) NOT-FOR-US: Android -CVE-2021-0921 - RESERVED +CVE-2021-0921 (In ParsingPackageImpl of ParsingPackageImpl.java, there is a possible ...) NOT-FOR-US: Android -CVE-2021-0920 - RESERVED +CVE-2021-0920 (In unix_scm_to_skb of af_unix.c, there is a possible use after free bu ...) + {DLA-2843-1} - linux 5.14.6-1 [bullseye] - linux 5.10.70-1 [buster] - linux 4.19.208-1 NOTE: https://git.kernel.org/linus/cbcf01128d0a92e131bd09f1688fe032480b65ca NOTE: https://source.android.com/security/bulletin/2021-11-01 -CVE-2021-0919 - RESERVED +CVE-2021-0919 (In getService of IServiceManager.cpp, there is a possible unhandled ex ...) NOT-FOR-US: Android -CVE-2021-0918 - RESERVED +CVE-2021-0918 (In gatt_process_notification of gatt_cl.cc, there is a possible out of ...) NOT-FOR-US: Android CVE-2021-0917 RESERVED @@ -61392,38 +69179,37 @@ CVE-2021-0906 RESERVED CVE-2021-0905 RESERVED -CVE-2021-0904 - RESERVED -CVE-2021-0903 - RESERVED -CVE-2021-0902 - RESERVED -CVE-2021-0901 - RESERVED -CVE-2021-0900 - RESERVED -CVE-2021-0899 - RESERVED -CVE-2021-0898 - RESERVED -CVE-2021-0897 - RESERVED -CVE-2021-0896 - RESERVED -CVE-2021-0895 - RESERVED -CVE-2021-0894 - RESERVED -CVE-2021-0893 - RESERVED +CVE-2021-0904 (In SRAMROM, there is a possible permission bypass due to an insecure p ...) + NOT-FOR-US: MediaTek components for Android +CVE-2021-0903 (In apusys, there is a possible out of bounds write due to a missing bo ...) + NOT-FOR-US: Mediatek +CVE-2021-0902 (In apusys, there is a possible out of bounds read due to an incorrect ...) + NOT-FOR-US: Mediatek +CVE-2021-0901 (In apusys, there is a possible memory corruption due to a missing boun ...) + NOT-FOR-US: Mediatek +CVE-2021-0900 (In apusys, there is a possible out of bounds read due to an incorrect ...) + NOT-FOR-US: Mediatek +CVE-2021-0899 (In apusys, there is a possible memory corruption due to a use after fr ...) + NOT-FOR-US: Mediatek +CVE-2021-0898 (In apusys, there is a possible memory corruption due to a use after fr ...) + NOT-FOR-US: Mediatek +CVE-2021-0897 (In apusys, there is a possible out of bounds write due to a missing bo ...) + NOT-FOR-US: Mediatek +CVE-2021-0896 (In apusys, there is a possible out of bounds write due to a missing bo ...) + NOT-FOR-US: Mediatek +CVE-2021-0895 (In apusys, there is a possible out of bounds write due to a missing bo ...) + NOT-FOR-US: Mediatek +CVE-2021-0894 (In apusys, there is a possible out of bounds write due to a missing bo ...) + NOT-FOR-US: Mediatek +CVE-2021-0893 (In apusys, there is a possible memory corruption due to a use after fr ...) + NOT-FOR-US: Mediatek CVE-2021-0892 RESERVED CVE-2021-0891 RESERVED CVE-2021-0890 RESERVED -CVE-2021-0889 - RESERVED +CVE-2021-0889 (In Android TV , there is a possible silent pairing due to lack of rate ...) NOT-FOR-US: Android TV CVE-2021-0888 RESERVED @@ -61603,8 +69389,7 @@ CVE-2021-0801 RESERVED CVE-2021-0800 RESERVED -CVE-2021-0799 - RESERVED +CVE-2021-0799 (In ActivityThread.java, there is a possible way to collide the content ...) NOT-FOR-US: Android CVE-2021-0798 RESERVED @@ -61664,8 +69449,8 @@ CVE-2021-0771 RESERVED CVE-2021-0770 RESERVED -CVE-2021-0769 - RESERVED +CVE-2021-0769 (In onCreate of AllowBindAppWidgetActivity.java, there is a possible by ...) + NOT-FOR-US: Android CVE-2021-0768 RESERVED CVE-2021-0767 @@ -61794,8 +69579,8 @@ CVE-2021-0706 (In startListening of PluginManagerImpl.java, there is a possible NOT-FOR-US: Android CVE-2021-0705 (In sanitizeSbn of NotificationManagerService.java, there is a possible ...) NOT-FOR-US: Android -CVE-2021-0704 - RESERVED +CVE-2021-0704 (In createNoCredentialsPermissionNotification and related functions of ...) + NOT-FOR-US: Android CVE-2021-0703 (In SecondStageMain of init.cpp, there is a possible use after free due ...) NOT-FOR-US: Android CVE-2021-0702 (In RevertActiveSessions of apexd.cpp, there is a possible way to share ...) @@ -61845,20 +69630,20 @@ CVE-2021-0681 (In system properties, there is a possible information disclosure NOT-FOR-US: MediaTek components for Android CVE-2021-0680 (In system properties, there is a possible information disclosure due t ...) NOT-FOR-US: MediaTek components for Android -CVE-2021-0679 - RESERVED -CVE-2021-0678 - RESERVED -CVE-2021-0677 - RESERVED -CVE-2021-0676 - RESERVED -CVE-2021-0675 - RESERVED -CVE-2021-0674 - RESERVED -CVE-2021-0673 - RESERVED +CVE-2021-0679 (In apusys, there is a possible memory corruption due to a missing boun ...) + NOT-FOR-US: Mediatek +CVE-2021-0678 (In apusys, there is a possible out of bounds write due to a missing bo ...) + NOT-FOR-US: Mediatek +CVE-2021-0677 (In ccu driver, there is a possible out of bounds read due to an intege ...) + NOT-FOR-US: Mediatek +CVE-2021-0676 (In geniezone driver, there is a possible out of bounds read due to an ...) + NOT-FOR-US: Mediatek +CVE-2021-0675 (In alac decoder, there is a possible out of bounds write due to an inc ...) + NOT-FOR-US: MediaTek components for Android +CVE-2021-0674 (In alac decoder, there is a possible out of bounds read due to an inco ...) + NOT-FOR-US: Mediatek +CVE-2021-0673 (In Audio Aurisys HAL, there is a possible permission bypass due to a m ...) + NOT-FOR-US: Mediatek CVE-2021-0672 (In Browser app, there is a possible information disclosure due to a mi ...) NOT-FOR-US: MediaTek components for Android CVE-2021-0671 (In apusys, there is a possible memory corruption due to a missing boun ...) @@ -61897,18 +69682,15 @@ CVE-2021-0655 (In mdlactl driver, there is a possible memory corruption due to a NOT-FOR-US: Mediatek CVE-2021-0654 (In isRealSnapshot of TaskThumbnailView.java, there is possible data ex ...) NOT-FOR-US: Android -CVE-2021-0653 - RESERVED +CVE-2021-0653 (In enqueueNotification of NetworkPolicyManagerService.java, there is a ...) NOT-FOR-US: Android CVE-2021-0652 (In VectorDrawable::VectorDrawable of VectorDrawable.java, there is a p ...) NOT-FOR-US: Android CVE-2021-0651 (In loadLabel of PackageItemInfo.java, there is a possible way to DoS a ...) NOT-FOR-US: Android -CVE-2021-0650 - RESERVED +CVE-2021-0650 (In WT_InterpolateNoLoop of eas_wtengine.c, there is a possible out of ...) NOT-FOR-US: Android media framework -CVE-2021-0649 - RESERVED +CVE-2021-0649 (In stopVpnProfile of Vpn.java, there is a possible VPN profile reset d ...) NOT-FOR-US: Android CVE-2021-0648 RESERVED @@ -62162,8 +69944,8 @@ CVE-2021-0526 (In memory management driver, there is a possible out of bounds wr NOT-FOR-US: MediaTek components for Android CVE-2021-0525 (In memory management driver, there is a possible out of bounds write d ...) NOT-FOR-US: MediaTek components for Android -CVE-2021-0524 - RESERVED +CVE-2021-0524 (In isServiceDistractionOptimized of CarPackageManagerService.java, the ...) + NOT-FOR-US: Android CVE-2021-0523 (In onCreate of WifiScanModeActivity.java, there is a possible way to e ...) NOT-FOR-US: Android CVE-2021-0522 (In ConnectionHandler::SdpCb of connection_handler.cc, there is a possi ...) @@ -62347,8 +70129,7 @@ CVE-2021-0436 (In CryptoPlugin::decrypt of CryptoPlugin.cpp, there is a possible NOT-FOR-US: Android media framework CVE-2021-0435 (In avrc_proc_vendor_command of avrc_api.cc, there is a possible leak o ...) NOT-FOR-US: Android -CVE-2021-0434 - RESERVED +CVE-2021-0434 (In onReceive of BluetoothPermissionRequest.java, there is a possible p ...) NOT-FOR-US: Android CVE-2021-0433 (In onCreate of DeviceChooserActivity.java, there is a possible way to ...) NOT-FOR-US: Android @@ -62864,52 +70645,92 @@ CVE-2021-0185 RESERVED CVE-2021-0184 RESERVED -CVE-2021-0183 - RESERVED +CVE-2021-0183 (Improper Validation of Specified Index, Position, or Offset in Input i ...) + - firmware-nonfree <unfixed> + NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00539.html + TODO: check, research in kernel-team; unclear in which firmware version fixed for firmware-nonfree CVE-2021-0182 (Uncontrolled resource consumption in the Intel(R) HAXM software before ...) NOT-FOR-US: Intel Hardware Accelerated Execution Manager CVE-2021-0181 RESERVED CVE-2021-0180 (Uncontrolled resource consumption in the Intel(R) HAXM software before ...) NOT-FOR-US: Intel Hardware Accelerated Execution Manager -CVE-2021-0179 - RESERVED -CVE-2021-0178 - RESERVED -CVE-2021-0177 - RESERVED -CVE-2021-0176 - RESERVED -CVE-2021-0175 - RESERVED -CVE-2021-0174 - RESERVED -CVE-2021-0173 - RESERVED -CVE-2021-0172 - RESERVED -CVE-2021-0171 - RESERVED -CVE-2021-0170 - RESERVED -CVE-2021-0169 - RESERVED -CVE-2021-0168 - RESERVED -CVE-2021-0167 - RESERVED -CVE-2021-0166 - RESERVED -CVE-2021-0165 - RESERVED -CVE-2021-0164 - RESERVED -CVE-2021-0163 - RESERVED -CVE-2021-0162 - RESERVED -CVE-2021-0161 - RESERVED +CVE-2021-0179 (Improper Use of Validation Framework in software for Intel(R) PROSet/W ...) + - firmware-nonfree <unfixed> + NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00539.html + TODO: check, research in kernel-team; unclear in which firmware version fixed for firmware-nonfree +CVE-2021-0178 (Improper input validation in software for Intel(R) PROSet/Wireless Wi- ...) + - firmware-nonfree <unfixed> + NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00539.html + TODO: check, research in kernel-team; unclear in which firmware version fixed for firmware-nonfree +CVE-2021-0177 (Improper Validation of Consistency within input in software for Intel( ...) + - firmware-nonfree <unfixed> + NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00539.html + TODO: check, research in kernel-team; unclear in which firmware version fixed for firmware-nonfree +CVE-2021-0176 (Improper input validation in firmware for some Intel(R) PROSet/Wireles ...) + - firmware-nonfree <unfixed> + NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00539.html + TODO: check, research in kernel-team; unclear in which firmware version fixed for firmware-nonfree +CVE-2021-0175 (Improper Validation of Specified Index, Position, or Offset in Input i ...) + - firmware-nonfree <unfixed> + NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00539.html + TODO: check, research in kernel-team; unclear in which firmware version fixed for firmware-nonfree +CVE-2021-0174 (Improper Use of Validation Framework in firmware for some Intel(R) PRO ...) + - firmware-nonfree <unfixed> + NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00539.html + TODO: check, research in kernel-team; unclear in which firmware version fixed for firmware-nonfree +CVE-2021-0173 (Improper Validation of Consistency within input in firmware for some I ...) + - firmware-nonfree <unfixed> + NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00539.html + TODO: check, research in kernel-team; unclear in which firmware version fixed for firmware-nonfree +CVE-2021-0172 (Improper input validation in firmware for some Intel(R) PROSet/Wireles ...) + - firmware-nonfree <unfixed> + NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00539.html + TODO: check, research in kernel-team; unclear in which firmware version fixed for firmware-nonfree +CVE-2021-0171 (Improper access control in software for Intel(R) PROSet/Wireless Wi-Fi ...) + - firmware-nonfree <unfixed> + NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00539.html + TODO: check, research in kernel-team; unclear in which firmware version fixed for firmware-nonfree +CVE-2021-0170 (Exposure of Sensitive Information to an Unauthorized Actor in firmware ...) + - firmware-nonfree <unfixed> + NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00539.html + TODO: check, research in kernel-team; unclear in which firmware version fixed for firmware-nonfree +CVE-2021-0169 (Uncontrolled Search Path Element in software for Intel(R) PROSet/Wirel ...) + - firmware-nonfree <unfixed> + NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00539.html + TODO: check, research in kernel-team; unclear in which firmware version fixed for firmware-nonfree +CVE-2021-0168 (Improper input validation in firmware for some Intel(R) PROSet/Wireles ...) + - firmware-nonfree <unfixed> + NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00539.html + TODO: check, research in kernel-team; unclear in which firmware version fixed for firmware-nonfree +CVE-2021-0167 (Improper access control in software for Intel(R) PROSet/Wireless Wi-Fi ...) + - firmware-nonfree <unfixed> + NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00539.html + TODO: check, research in kernel-team; unclear in which firmware version fixed for firmware-nonfree +CVE-2021-0166 (Exposure of Sensitive Information to an Unauthorized Actor in firmware ...) + - firmware-nonfree <unfixed> + NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00539.html + TODO: check, research in kernel-team; unclear in which firmware version fixed for firmware-nonfree +CVE-2021-0165 (Improper input validation in firmware for Intel(R) PROSet/Wireless Wi- ...) + - firmware-nonfree <unfixed> + NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00539.html + TODO: check, research in kernel-team; unclear in which firmware version fixed for firmware-nonfree +CVE-2021-0164 (Improper access control in firmware for Intel(R) PROSet/Wireless Wi-Fi ...) + - firmware-nonfree <unfixed> + NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00539.html + TODO: check, research in kernel-team; unclear in which firmware version fixed for firmware-nonfree +CVE-2021-0163 (Improper Validation of Consistency within input in software for Intel( ...) + - firmware-nonfree <unfixed> + NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00539.html + TODO: check, research in kernel-team; unclear in which firmware version fixed for firmware-nonfree +CVE-2021-0162 (Improper input validation in software for Intel(R) PROSet/Wireless Wi- ...) + - firmware-nonfree <unfixed> + NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00539.html + TODO: check, research in kernel-team; unclear in which firmware version fixed for firmware-nonfree +CVE-2021-0161 (Improper input validation in firmware for Intel(R) PROSet/Wireless Wi- ...) + - firmware-nonfree <unfixed> + NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00539.html + TODO: check, research in kernel-team; unclear in which firmware version fixed for firmware-nonfree CVE-2021-0160 (Uncontrolled search path in some Intel(R) NUC Pro Chassis Element Aver ...) NOT-FOR-US: Intel CVE-2021-0159 @@ -62918,8 +70739,8 @@ CVE-2021-0158 (Improper input validation in the BIOS firmware for some Intel(R) NOT-FOR-US: Intel CVE-2021-0157 (Insufficient control flow management in the BIOS firmware for some Int ...) NOT-FOR-US: Intel -CVE-2021-0156 - RESERVED +CVE-2021-0156 (Improper input validation in the firmware for some Intel(R) Processors ...) + TODO: check CVE-2021-0155 RESERVED CVE-2021-0154 @@ -62936,12 +70757,20 @@ CVE-2021-0149 RESERVED CVE-2021-0148 (Insertion of information into log file in firmware for some Intel(R) S ...) NOT-FOR-US: Intel -CVE-2021-0147 - RESERVED -CVE-2021-0146 (Hardware allows activation of test or debug logic at runtime for some ...) +CVE-2021-0147 (Improper locking in the Power Management Controller (PMC) for some Int ...) NOT-FOR-US: Intel -CVE-2021-0145 - RESERVED +CVE-2021-0146 (Hardware allows activation of test or debug logic at runtime for some ...) + - intel-microcode <unfixed> + [bullseye] - intel-microcode <postponed> (Wait until exposed in unstable; tendency to point release) + [buster] - intel-microcode <postponed> (Wait until exposed in unstable; tendency point release) + NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00528.html + NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20220207 +CVE-2021-0145 (Improper initialization of shared resources in some Intel(R) Processor ...) + - intel-microcode <unfixed> + [bullseye] - intel-microcode <postponed> (Wait until exposed in unstable; tendency to point release) + [buster] - intel-microcode <postponed> (Wait until exposed in unstable; tendency point release) + NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00561.html + NOTE: https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/fast-store-forwarding-predictor.html CVE-2021-0144 (Insecure default variable initialization for the Intel BSSA DFT featur ...) NOT-FOR-US: Intel CVE-2021-0143 (Improper permissions in the installer for the Intel(R) Brand Verificat ...) @@ -62982,14 +70811,18 @@ CVE-2021-0129 (Improper access control in BlueZ may allow an authenticated user NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00517.html CVE-2021-0128 RESERVED -CVE-2021-0127 - RESERVED +CVE-2021-0127 (Insufficient control flow management in some Intel(R) Processors may a ...) + - intel-microcode <unfixed> + [bullseye] - intel-microcode <postponed> (Wait until exposed in unstable; tendency to point release) + [buster] - intel-microcode <postponed> (Wait until exposed in unstable; tendency point release) + NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00532.html + NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20220207 CVE-2021-0126 RESERVED -CVE-2021-0125 - RESERVED -CVE-2021-0124 - RESERVED +CVE-2021-0125 (Improper initialization in the firmware for some Intel(R) Processors m ...) + TODO: check +CVE-2021-0124 (Improper access control in the firmware for some Intel(R) Processors m ...) + TODO: check CVE-2021-0123 RESERVED CVE-2021-0122 @@ -62998,48 +70831,48 @@ CVE-2021-0121 (Improper access control in the installer for some Intel(R) Iris(R NOT-FOR-US: Intel CVE-2021-0120 (Improper initialization in the installer for some Intel(R) Graphics DC ...) NOT-FOR-US: Intel -CVE-2021-0119 - RESERVED -CVE-2021-0118 - RESERVED -CVE-2021-0117 - RESERVED -CVE-2021-0116 - RESERVED -CVE-2021-0115 - RESERVED -CVE-2021-0114 (Insecure default variable initialization for the Intel BSSA DFT featur ...) +CVE-2021-0119 (Improper initialization in the firmware for some Intel(R) Processors m ...) + TODO: check +CVE-2021-0118 (Out-of-bounds read in the firmware for some Intel(R) Processors may al ...) + TODO: check +CVE-2021-0117 (Pointer issues in the firmware for some Intel(R) Processors may allow ...) + TODO: check +CVE-2021-0116 (Out-of-bounds write in the firmware for some Intel(R) Processors may a ...) + TODO: check +CVE-2021-0115 (Buffer overflow in the firmware for some Intel(R) Processors may allow ...) + TODO: check +CVE-2021-0114 (Unchecked return value in the firmware for some Intel(R) Processors ma ...) NOT-FOR-US: Intel CVE-2021-0113 (Out of bounds write in the BMC firmware for Intel(R) Server Board M10J ...) NOT-FOR-US: Intel CVE-2021-0112 (Unquoted service path in the Intel Unite(R) Client for Windows before ...) NOT-FOR-US: Intel -CVE-2021-0111 - RESERVED +CVE-2021-0111 (NULL pointer dereference in the firmware for some Intel(R) Processors ...) + TODO: check CVE-2021-0110 (Improper access control in some Intel(R) Thunderbolt(TM) Windows DCH D ...) NOT-FOR-US: Intel CVE-2021-0109 (Insecure inherited permissions for the Intel(R) SOC driver package for ...) NOT-FOR-US: Intel CVE-2021-0108 (Uncontrolled search path in the Intel Unite(R) Client for Windows befo ...) NOT-FOR-US: Intel -CVE-2021-0107 - RESERVED +CVE-2021-0107 (Unchecked return value in the firmware for some Intel(R) Processors ma ...) + TODO: check CVE-2021-0106 (Incorrect default permissions in the Intel(R) Optane(TM) DC Persistent ...) NOT-FOR-US: Intel CVE-2021-0105 (Insecure inherited permissions in some Intel(R) ProSet/Wireless WiFi d ...) NOT-FOR-US: Intel CVE-2021-0104 (Uncontrolled search path element in the installer for the Intel(R) Rap ...) NOT-FOR-US: Intel -CVE-2021-0103 - RESERVED +CVE-2021-0103 (Insufficient control flow management in the firmware for some Intel(R) ...) + TODO: check CVE-2021-0102 (Insecure inherited permissions in the Intel Unite(R) Client for Window ...) NOT-FOR-US: Intel CVE-2021-0101 (Buffer overflow in the BMC firmware for Intel(R) Server BoardM10JNP2SB ...) NOT-FOR-US: Intel CVE-2021-0100 (Incorrect default permissions in the installer for the Intel(R) SSD Da ...) NOT-FOR-US: Intel -CVE-2021-0099 - RESERVED +CVE-2021-0099 (Insufficient control flow management in the firmware for some Intel(R) ...) + TODO: check CVE-2021-0098 (Improper access control in the Intel Unite(R) Client for Windows befor ...) NOT-FOR-US: Intel CVE-2021-0097 (Path traversal in the BMC firmware for Intel(R) Server Board M10JNP2SB ...) @@ -63050,12 +70883,12 @@ CVE-2021-0095 (Improper initialization in the firmware for some Intel(R) Process NOT-FOR-US: Intel CVE-2021-0094 (Improper link resolution before file access in Intel(R) DSA before ver ...) NOT-FOR-US: Intel -CVE-2021-0093 - RESERVED -CVE-2021-0092 - RESERVED -CVE-2021-0091 - RESERVED +CVE-2021-0093 (Incorrect default permissions in the firmware for some Intel(R) Proces ...) + TODO: check +CVE-2021-0092 (Improper access control in the firmware for some Intel(R) Processors m ...) + TODO: check +CVE-2021-0091 (Improper access control in the firmware for some Intel(R) Processors m ...) + TODO: check CVE-2021-0090 (Uncontrolled search path element in Intel(R) DSA before version 20.11. ...) NOT-FOR-US: Intel CVE-2021-0089 (Observable response discrepancy in some Intel(R) Processors may allow ...) @@ -63091,16 +70924,20 @@ CVE-2021-0078 (Improper input validation in software for some Intel(R) PROSet/Wi NOT-FOR-US: Intel CVE-2021-0077 (Insecure inherited permissions in the installer for the Intel(R) VTune ...) NOT-FOR-US: Intel -CVE-2021-0076 - RESERVED +CVE-2021-0076 (Improper Validation of Specified Index, Position, or Offset in Input i ...) + - firmware-nonfree <unfixed> + NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00539.html + TODO: check, research in kernel-team; unclear in which firmware version fixed for firmware-nonfree CVE-2021-0075 (Out-of-bounds write in firmware for some Intel(R) PROSet/Wireless WiFi ...) NOT-FOR-US: Intel CVE-2021-0074 (Improper permissions in the installer for the Intel(R) Computing Impro ...) NOT-FOR-US: Intel CVE-2021-0073 (Insufficient control flow management in Intel(R) DSA before version 20 ...) NOT-FOR-US: Intel -CVE-2021-0072 - RESERVED +CVE-2021-0072 (Improper input validation in firmware for some Intel(R) PROSet/Wireles ...) + - firmware-nonfree <unfixed> + NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00539.html + TODO: check, research in kernel-team; unclear in which firmware version fixed for firmware-nonfree CVE-2021-0071 (Improper input validation in firmware for some Intel(R) PROSet/Wireles ...) NOT-FOR-US: Intel CVE-2021-0070 (Improper input validation in the BMC firmware for Intel(R) Server Boar ...) @@ -63111,8 +70948,10 @@ CVE-2021-0068 RESERVED CVE-2021-0067 (&nbsp;Improper access control in system firmware for some Intel(R) ...) NOT-FOR-US: Intel -CVE-2021-0066 - RESERVED +CVE-2021-0066 (Improper input validation in firmware for Intel(R) PROSet/Wireless Wi- ...) + - firmware-nonfree <unfixed> + NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00539.html + TODO: check, research in kernel-team; unclear in which firmware version fixed for firmware-nonfree CVE-2021-0065 (Incorrect default permissions in the Intel(R) PROSet/Wireless WiFi sof ...) NOT-FOR-US: Intel CVE-2021-0064 (Insecure inherited permissions in the Intel(R) PROSet/Wireless WiFi so ...) @@ -63123,8 +70962,8 @@ CVE-2021-0062 (Improper input validation in some Intel(R) Graphics Drivers befor NOT-FOR-US: Intel drivers for Windows CVE-2021-0061 (Improper initialization in some Intel(R) Graphics Driver before versio ...) NOT-FOR-US: Intel drivers for Windows -CVE-2021-0060 - RESERVED +CVE-2021-0060 (Insufficient compartmentalization in HECI subsystem for the Intel(R) S ...) + NOT-FOR-US: Intel CVE-2021-0059 RESERVED CVE-2021-0058 (Incorrect default permissions in the Intel(R) NUC M15 Laptop Kit Drive ...) diff --git a/data/CVE/2022.list b/data/CVE/2022.list index 24adba79a0..d065e0189f 100644 --- a/data/CVE/2022.list +++ b/data/CVE/2022.list @@ -1,313 +1,10806 @@ -CVE-2022-21792 +CVE-2022-25643 RESERVED -CVE-2022-21791 +CVE-2022-25642 RESERVED -CVE-2022-21790 +CVE-2022-25641 RESERVED -CVE-2022-21789 +CVE-2022-25640 RESERVED -CVE-2022-21788 +CVE-2022-25639 RESERVED -CVE-2022-21787 +CVE-2022-25638 RESERVED -CVE-2022-21786 +CVE-2022-25637 RESERVED -CVE-2022-21785 +CVE-2022-25635 RESERVED -CVE-2022-21784 +CVE-2022-25634 RESERVED -CVE-2022-21783 +CVE-2022-25633 RESERVED -CVE-2022-21782 +CVE-2022-25632 RESERVED -CVE-2022-21781 +CVE-2022-25631 RESERVED -CVE-2022-21780 +CVE-2022-25630 RESERVED -CVE-2022-21779 +CVE-2022-25629 RESERVED -CVE-2022-21778 +CVE-2022-25628 RESERVED -CVE-2022-21777 +CVE-2022-25627 RESERVED -CVE-2022-21776 +CVE-2022-25626 RESERVED -CVE-2022-21775 +CVE-2022-25625 RESERVED -CVE-2022-21774 +CVE-2022-25624 RESERVED -CVE-2022-21773 +CVE-2022-25623 RESERVED -CVE-2022-21772 +CVE-2022-25325 RESERVED -CVE-2022-21771 +CVE-2022-25234 RESERVED -CVE-2022-21770 +CVE-2022-25230 RESERVED -CVE-2022-21769 +CVE-2022-21219 RESERVED -CVE-2022-21768 +CVE-2022-21124 RESERVED -CVE-2022-21767 +CVE-2022-0717 RESERVED -CVE-2022-21766 +CVE-2022-0716 RESERVED -CVE-2022-21765 +CVE-2022-0715 RESERVED -CVE-2022-21764 +CVE-2022-0714 RESERVED -CVE-2022-21763 +CVE-2022-0713 RESERVED -CVE-2022-21762 +CVE-2022-25636 (net/netfilter/nf_dup_netdev.c in the Linux kernel 5.4 through 5.6.10 a ...) + - linux <unfixed> + [buster] - linux <not-affected> (Vulnerable code not present) + [stretch] - linux <not-affected> (Vulnerable code not present) + NOTE: https://www.openwall.com/lists/oss-security/2022/02/21/2 +CVE-2022-25622 RESERVED -CVE-2022-21761 +CVE-2022-25621 RESERVED -CVE-2022-21760 +CVE-2022-25620 RESERVED -CVE-2022-21759 +CVE-2022-25619 RESERVED -CVE-2022-21758 +CVE-2022-25618 RESERVED -CVE-2022-21757 +CVE-2022-25617 RESERVED -CVE-2022-21756 +CVE-2022-25616 RESERVED -CVE-2022-21755 +CVE-2022-25615 RESERVED -CVE-2022-21754 +CVE-2022-25614 RESERVED -CVE-2022-21753 +CVE-2022-25613 RESERVED -CVE-2022-21752 +CVE-2022-25612 RESERVED -CVE-2022-21751 +CVE-2022-25611 RESERVED -CVE-2022-21750 +CVE-2022-25610 RESERVED -CVE-2022-21749 +CVE-2022-25609 RESERVED -CVE-2022-21748 +CVE-2022-25608 RESERVED -CVE-2022-21747 +CVE-2022-25607 RESERVED -CVE-2022-21746 +CVE-2022-25606 RESERVED -CVE-2022-21745 +CVE-2022-25605 RESERVED -CVE-2022-21744 +CVE-2022-25604 RESERVED -CVE-2022-21743 +CVE-2022-25603 RESERVED -CVE-2022-0009 +CVE-2022-25602 RESERVED -CVE-2022-0008 +CVE-2022-25601 RESERVED -CVE-2022-0007 +CVE-2022-25600 RESERVED -CVE-2022-0006 +CVE-2022-25599 (Cross-Site Request Forgery (CSRF) vulnerability leading to event delet ...) + NOT-FOR-US: WordPress plugin +CVE-2022-25598 RESERVED -CVE-2022-21742 +CVE-2022-0712 RESERVED -CVE-2022-21741 +CVE-2022-0711 RESERVED -CVE-2022-21740 +CVE-2022-0710 RESERVED -CVE-2022-21739 +CVE-2022-0709 RESERVED -CVE-2022-21738 +CVE-2022-0708 (Mattermost 6.3.0 and earlier fails to protect email addresses of the c ...) + TODO: check +CVE-2022-0707 RESERVED -CVE-2022-21737 +CVE-2022-0706 RESERVED -CVE-2022-21736 +CVE-2022-0705 RESERVED -CVE-2022-21735 +CVE-2022-0704 RESERVED -CVE-2022-21734 +CVE-2022-0703 RESERVED -CVE-2022-21733 +CVE-2022-0702 RESERVED -CVE-2022-21732 +CVE-2022-0701 RESERVED -CVE-2022-21731 +CVE-2022-0700 RESERVED -CVE-2022-21730 +CVE-2022-0699 RESERVED -CVE-2022-21729 +CVE-2022-25597 RESERVED -CVE-2022-21728 +CVE-2022-25596 RESERVED -CVE-2022-21727 +CVE-2022-25595 RESERVED -CVE-2022-21726 +CVE-2022-25594 RESERVED -CVE-2022-21725 +CVE-2022-25593 RESERVED -CVE-2022-21724 +CVE-2022-25592 RESERVED -CVE-2022-21723 +CVE-2022-25591 RESERVED -CVE-2022-21722 +CVE-2022-25590 RESERVED -CVE-2022-21721 +CVE-2022-25589 RESERVED -CVE-2022-21720 +CVE-2022-25588 RESERVED -CVE-2022-21719 +CVE-2022-25587 RESERVED -CVE-2022-21718 +CVE-2022-25586 RESERVED -CVE-2022-21717 +CVE-2022-25585 RESERVED -CVE-2022-21716 +CVE-2022-25584 RESERVED -CVE-2022-21715 +CVE-2022-25583 RESERVED -CVE-2022-21714 +CVE-2022-25582 RESERVED -CVE-2022-21713 +CVE-2022-25581 RESERVED -CVE-2022-21712 +CVE-2022-25580 RESERVED -CVE-2022-21711 +CVE-2022-25579 RESERVED -CVE-2022-21710 +CVE-2022-25578 RESERVED -CVE-2022-21709 +CVE-2022-25577 RESERVED -CVE-2022-21708 +CVE-2022-25576 RESERVED -CVE-2022-21707 +CVE-2022-25575 RESERVED -CVE-2022-21706 +CVE-2022-25574 RESERVED -CVE-2022-21705 +CVE-2022-25573 RESERVED -CVE-2022-21704 +CVE-2022-25572 RESERVED -CVE-2022-21703 +CVE-2022-25571 RESERVED -CVE-2022-21702 +CVE-2022-25570 RESERVED -CVE-2022-21701 +CVE-2022-25569 RESERVED -CVE-2022-21700 +CVE-2022-25568 RESERVED -CVE-2022-21699 +CVE-2022-25567 RESERVED -CVE-2022-21698 +CVE-2022-25566 RESERVED -CVE-2022-21697 +CVE-2022-25565 RESERVED -CVE-2022-21696 +CVE-2022-25564 RESERVED -CVE-2022-21695 +CVE-2022-25563 RESERVED -CVE-2022-21694 +CVE-2022-25562 RESERVED -CVE-2022-21693 +CVE-2022-25561 RESERVED -CVE-2022-21692 +CVE-2022-25560 RESERVED -CVE-2022-21691 +CVE-2022-25559 RESERVED -CVE-2022-21690 +CVE-2022-25558 RESERVED -CVE-2022-21689 +CVE-2022-25557 RESERVED -CVE-2022-21688 +CVE-2022-25556 RESERVED -CVE-2022-21687 +CVE-2022-25555 RESERVED -CVE-2022-21686 +CVE-2022-25554 RESERVED -CVE-2022-21685 +CVE-2022-25553 RESERVED -CVE-2022-21684 +CVE-2022-25552 RESERVED -CVE-2022-21683 +CVE-2022-25551 RESERVED -CVE-2022-21682 +CVE-2022-25550 RESERVED -CVE-2022-21681 +CVE-2022-25549 RESERVED -CVE-2022-21680 +CVE-2022-25548 RESERVED -CVE-2022-21679 +CVE-2022-25547 RESERVED -CVE-2022-21678 +CVE-2022-25546 RESERVED -CVE-2022-21677 +CVE-2022-25545 RESERVED -CVE-2022-21676 +CVE-2022-25544 RESERVED -CVE-2022-21675 +CVE-2022-25543 RESERVED -CVE-2022-21674 +CVE-2022-25542 RESERVED -CVE-2022-21673 +CVE-2022-25541 RESERVED -CVE-2022-21672 +CVE-2022-25540 RESERVED -CVE-2022-21671 +CVE-2022-25539 RESERVED -CVE-2022-21670 +CVE-2022-25538 RESERVED -CVE-2022-21669 +CVE-2022-25537 RESERVED -CVE-2022-21668 +CVE-2022-25536 RESERVED -CVE-2022-21667 +CVE-2022-25535 RESERVED -CVE-2022-21666 +CVE-2022-25534 RESERVED -CVE-2022-21665 +CVE-2022-25533 RESERVED -CVE-2022-21664 +CVE-2022-25532 RESERVED -CVE-2022-21663 +CVE-2022-25531 RESERVED -CVE-2022-21662 +CVE-2022-25530 RESERVED -CVE-2022-21661 +CVE-2022-25529 RESERVED -CVE-2022-21660 +CVE-2022-25528 RESERVED -CVE-2022-21659 +CVE-2022-25527 RESERVED -CVE-2022-21658 +CVE-2022-25526 RESERVED -CVE-2022-21657 +CVE-2022-25525 RESERVED -CVE-2022-21656 +CVE-2022-25524 RESERVED -CVE-2022-21655 +CVE-2022-25523 RESERVED -CVE-2022-21654 +CVE-2022-25522 RESERVED -CVE-2022-21653 +CVE-2022-25521 RESERVED -CVE-2022-21652 +CVE-2022-25520 RESERVED -CVE-2022-21651 +CVE-2022-25519 RESERVED -CVE-2022-21650 +CVE-2022-25518 RESERVED -CVE-2022-21649 +CVE-2022-25517 RESERVED -CVE-2022-21648 +CVE-2022-25516 RESERVED -CVE-2022-21647 +CVE-2022-25515 RESERVED -CVE-2022-21646 +CVE-2022-25514 RESERVED -CVE-2022-21645 +CVE-2022-25513 + RESERVED +CVE-2022-25512 + RESERVED +CVE-2022-25511 + RESERVED +CVE-2022-25510 + RESERVED +CVE-2022-25509 + RESERVED +CVE-2022-25508 + RESERVED +CVE-2022-25507 + RESERVED +CVE-2022-25506 + RESERVED +CVE-2022-25505 + RESERVED +CVE-2022-25504 + RESERVED +CVE-2022-25503 + RESERVED +CVE-2022-25502 + RESERVED +CVE-2022-25501 + RESERVED +CVE-2022-25500 + RESERVED +CVE-2022-25499 + RESERVED +CVE-2022-25498 + RESERVED +CVE-2022-25497 + RESERVED +CVE-2022-25496 + RESERVED +CVE-2022-25495 + RESERVED +CVE-2022-25494 + RESERVED +CVE-2022-25493 + RESERVED +CVE-2022-25492 + RESERVED +CVE-2022-25491 + RESERVED +CVE-2022-25490 + RESERVED +CVE-2022-25489 + RESERVED +CVE-2022-25488 + RESERVED +CVE-2022-25487 + RESERVED +CVE-2022-25486 + RESERVED +CVE-2022-25485 + RESERVED +CVE-2022-25484 + RESERVED +CVE-2022-25483 + RESERVED +CVE-2022-25482 + RESERVED +CVE-2022-25481 + RESERVED +CVE-2022-25480 + RESERVED +CVE-2022-25479 + RESERVED +CVE-2022-25478 + RESERVED +CVE-2022-25477 + RESERVED +CVE-2022-25476 + RESERVED +CVE-2022-25475 + RESERVED +CVE-2022-25474 + RESERVED +CVE-2022-25473 + RESERVED +CVE-2022-25472 + RESERVED +CVE-2022-25471 + RESERVED +CVE-2022-25470 + RESERVED +CVE-2022-25469 + RESERVED +CVE-2022-25468 + RESERVED +CVE-2022-25467 + RESERVED +CVE-2022-25466 + RESERVED +CVE-2022-25465 + RESERVED +CVE-2022-25464 + RESERVED +CVE-2022-25463 + RESERVED +CVE-2022-25462 + RESERVED +CVE-2022-25461 + RESERVED +CVE-2022-25460 + RESERVED +CVE-2022-25459 + RESERVED +CVE-2022-25458 + RESERVED +CVE-2022-25457 + RESERVED +CVE-2022-25456 + RESERVED +CVE-2022-25455 + RESERVED +CVE-2022-25454 + RESERVED +CVE-2022-25453 + RESERVED +CVE-2022-25452 + RESERVED +CVE-2022-25451 + RESERVED +CVE-2022-25450 + RESERVED +CVE-2022-25449 + RESERVED +CVE-2022-25448 + RESERVED +CVE-2022-25447 + RESERVED +CVE-2022-25446 + RESERVED +CVE-2022-25445 + RESERVED +CVE-2022-25444 + RESERVED +CVE-2022-25443 + RESERVED +CVE-2022-25442 + RESERVED +CVE-2022-25441 + RESERVED +CVE-2022-25440 + RESERVED +CVE-2022-25439 + RESERVED +CVE-2022-25438 + RESERVED +CVE-2022-25437 + RESERVED +CVE-2022-25436 + RESERVED +CVE-2022-25435 + RESERVED +CVE-2022-25434 + RESERVED +CVE-2022-25433 + RESERVED +CVE-2022-25432 + RESERVED +CVE-2022-25431 + RESERVED +CVE-2022-25430 + RESERVED +CVE-2022-25429 + RESERVED +CVE-2022-25428 + RESERVED +CVE-2022-25427 + RESERVED +CVE-2022-25426 + RESERVED +CVE-2022-25425 + RESERVED +CVE-2022-25424 + RESERVED +CVE-2022-25423 + RESERVED +CVE-2022-25422 + RESERVED +CVE-2022-25421 + RESERVED +CVE-2022-25420 + RESERVED +CVE-2022-25419 + RESERVED +CVE-2022-25418 + RESERVED +CVE-2022-25417 + RESERVED +CVE-2022-25416 + RESERVED +CVE-2022-25415 + RESERVED +CVE-2022-25414 + RESERVED +CVE-2022-25413 + RESERVED +CVE-2022-25412 + RESERVED +CVE-2022-25411 + RESERVED +CVE-2022-25410 + RESERVED +CVE-2022-25409 + RESERVED +CVE-2022-25408 + RESERVED +CVE-2022-25407 + RESERVED +CVE-2022-25406 + RESERVED +CVE-2022-25405 + RESERVED +CVE-2022-25404 + RESERVED +CVE-2022-25403 + RESERVED +CVE-2022-25402 + RESERVED +CVE-2022-25401 + RESERVED +CVE-2022-25400 + RESERVED +CVE-2022-25399 + RESERVED +CVE-2022-25398 + RESERVED +CVE-2022-25397 + RESERVED +CVE-2022-25396 + RESERVED +CVE-2022-25395 + RESERVED +CVE-2022-25394 + RESERVED +CVE-2022-25393 + RESERVED +CVE-2022-25392 + RESERVED +CVE-2022-25391 + RESERVED +CVE-2022-25390 + RESERVED +CVE-2022-25389 + RESERVED +CVE-2022-25388 + RESERVED +CVE-2022-25387 + RESERVED +CVE-2022-25386 + RESERVED +CVE-2022-25385 + RESERVED +CVE-2022-25384 + RESERVED +CVE-2022-25383 + RESERVED +CVE-2022-25382 + RESERVED +CVE-2022-25381 + RESERVED +CVE-2022-25380 + RESERVED +CVE-2022-25379 + RESERVED +CVE-2022-25378 + RESERVED +CVE-2022-25377 + RESERVED +CVE-2022-25376 + RESERVED +CVE-2022-25375 (An issue was discovered in drivers/usb/gadget/function/rndis.c in the ...) + - linux 5.16.10-1 + NOTE: https://github.com/szymonh/rndis-co + NOTE: https://www.openwall.com/lists/oss-security/2022/02/21/1 + NOTE: https://git.kernel.org/linus/38ea1eac7d88072bbffb630e2b3db83ca649b826 (5.17-rc4) +CVE-2022-25374 + RESERVED +CVE-2022-25373 + RESERVED +CVE-2022-25372 (Pritunl Client through 1.2.3019.52 on Windows allows local privilege e ...) + NOT-FOR-US: Pritunl Client +CVE-2022-0698 + RESERVED +CVE-2022-0697 + RESERVED +CVE-2022-0696 (NULL Pointer Dereference in Conda vim prior to 8.2. ...) + - vim <unfixed> + [bullseye] - vim <no-dsa> (Minor issue) + [buster] - vim <no-dsa> (Minor issue) + NOTE: https://huntr.dev/bounties/7416c2cb-1809-4834-8989-e84ff033f15f/ + NOTE: https://github.com/vim/vim/commit/0f6e28f686dbb59ab3b562408ab9b2234797b9b1 (v8.2.4428) +CVE-2022-0695 + RESERVED +CVE-2022-25371 + RESERVED +CVE-2022-25370 + RESERVED +CVE-2022-25355 + RESERVED +CVE-2022-0694 + RESERVED +CVE-2022-0693 + RESERVED +CVE-2022-0692 (Open Redirect on Rudloff/alltube in Packagist rudloff/alltube prior to ...) + NOT-FOR-US: alltube +CVE-2022-0691 (Authorization Bypass Through User-Controlled Key in NPM url-parse prio ...) + - node-url-parse 1.5.9+~1.4.8-1 + NOTE: https://huntr.dev/bounties/57124ed5-4b68-4934-8325-2c546257f2e4 + NOTE: https://github.com/unshiftio/url-parse/commit/0e3fb542d60ddbf6933f22eb9b1e06e25eaa5b63 (1.5.9) +CVE-2022-25369 + RESERVED +CVE-2022-25368 + RESERVED +CVE-2022-0690 (Cross-site Scripting (XSS) - Reflected in Packagist microweber/microwe ...) + NOT-FOR-US: microweber +CVE-2022-0689 (Use multiple time the one-time coupon in Packagist microweber/microweb ...) + NOT-FOR-US: microweber +CVE-2022-0688 (Business Logic Errors in Packagist microweber/microweber prior to 1.2. ...) + NOT-FOR-US: microweber +CVE-2022-0687 + RESERVED +CVE-2022-0686 (Authorization Bypass Through User-Controlled Key in NPM url-parse prio ...) + - node-url-parse 1.5.9+~1.4.8-1 + NOTE: https://huntr.dev/bounties/55fd06cd-9054-4d80-83be-eb5a454be78c + NOTE: https://github.com/unshiftio/url-parse/commit/d5c64791ef496ca5459ae7f2176a31ea53b127e5 (1.5.8) +CVE-2022-0685 (Use of Out-of-range Pointer Offset in GitHub repository vim/vim prior ...) + - vim <unfixed> + [bullseye] - vim <no-dsa> (Minor issue) + [buster] - vim <no-dsa> (Minor issue) + NOTE: https://huntr.dev/bounties/27230da3-9b1a-4d5d-8cdf-4b1e62fcd782 + NOTE: https://github.com/vim/vim/commit/5921aeb5741fc6e84c870d68c7c35b93ad0c9f87 (v8.2.4418) +CVE-2022-0684 + RESERVED +CVE-2022-25367 + RESERVED +CVE-2022-25366 (Cryptomator through 1.6.5 allows DYLIB injection because, although it ...) + NOT-FOR-US: Cryptomator +CVE-2022-25365 (Docker Desktop before 4.5.1 on Windows allows attackers to move arbitr ...) + NOT-FOR-US: Docker Desktop +CVE-2022-25364 + RESERVED +CVE-2022-25363 + RESERVED +CVE-2022-25362 + RESERVED +CVE-2022-25361 + RESERVED +CVE-2022-25360 + RESERVED +CVE-2022-25359 + RESERVED +CVE-2022-25358 (A ..%2F path traversal vulnerability exists in the path handler of awf ...) + NOT-FOR-US: awful-salmonella-tar +CVE-2022-25357 + RESERVED +CVE-2022-25356 + RESERVED +CVE-2022-25344 + RESERVED +CVE-2022-25343 + RESERVED +CVE-2022-25342 + RESERVED +CVE-2022-25341 + RESERVED +CVE-2022-25340 + RESERVED +CVE-2022-25339 + RESERVED +CVE-2022-25338 + RESERVED +CVE-2022-24914 + RESERVED +CVE-2022-24436 + RESERVED +CVE-2022-24378 + RESERVED +CVE-2022-24067 + RESERVED +CVE-2022-23403 + RESERVED +CVE-2022-23182 + RESERVED +CVE-2022-22139 + RESERVED +CVE-2022-21225 + RESERVED +CVE-2022-21198 + RESERVED +CVE-2022-21183 + RESERVED +CVE-2022-25337 (Ibexa DXP ezsystems/ezpublish-kernel 7.5.x before 7.5.26 and 1.3.x bef ...) + NOT-FOR-US: Ibexa +CVE-2022-25336 (Ibexa DXP ezsystems/ezpublish-kernel 7.5.x before 7.5.26 and 1.3.x bef ...) + NOT-FOR-US: Ibexa +CVE-2022-25335 (RigoBlock Dragos through 2022-02-17 lacks the onlyOwner modifier for s ...) + NOT-FOR-US: RigoBlock Dragos +CVE-2022-25334 + RESERVED +CVE-2022-25333 + RESERVED +CVE-2022-25332 + RESERVED +CVE-2022-25331 + RESERVED +CVE-2022-25330 + RESERVED +CVE-2022-25329 + RESERVED +CVE-2022-25328 + RESERVED +CVE-2022-25327 + RESERVED +CVE-2022-25326 + RESERVED +CVE-2022-23183 + RESERVED +CVE-2022-21179 + RESERVED +CVE-2022-0683 + RESERVED +CVE-2022-0682 + RESERVED +CVE-2022-0681 + RESERVED +CVE-2022-0680 + RESERVED +CVE-2022-0679 + RESERVED +CVE-2022-0678 (Cross-site Scripting (XSS) - Reflected in Packagist microweber/microwe ...) + NOT-FOR-US: microweber +CVE-2022-0677 + RESERVED +CVE-2022-25323 (ZEROF Web Server 2.0 allows /admin.back XSS. ...) + NOT-FOR-US: ZEROF Web Server +CVE-2022-25322 (ZEROF Web Server 2.0 allows /HandleEvent SQL Injection. ...) + NOT-FOR-US: ZEROF Web Server +CVE-2022-25321 (An issue was discovered in Cerebrate through 1.4. XSS could occur in t ...) + NOT-FOR-US: Cerebrate +CVE-2022-25320 (An issue was discovered in Cerebrate through 1.4. Username enumeration ...) + NOT-FOR-US: Cerebrate +CVE-2022-25319 (An issue was discovered in Cerebrate through 1.4. Endpoints could be o ...) + NOT-FOR-US: Cerebrate +CVE-2022-25318 (An issue was discovered in Cerebrate through 1.4. An incorrect sharing ...) + NOT-FOR-US: Cerebrate +CVE-2022-25317 (An issue was discovered in Cerebrate through 1.4. genericForm allows r ...) + NOT-FOR-US: Cerebrate +CVE-2022-25316 + RESERVED +CVE-2022-25312 + RESERVED +CVE-2022-21132 + RESERVED +CVE-2022-0676 (Heap-based Buffer Overflow in NPM radare2.js prior to 5.6.4. ...) + TODO: check +CVE-2022-0675 + RESERVED +CVE-2022-25315 (In Expat (aka libexpat) before 2.4.5, there is an integer overflow in ...) + - expat 2.4.5-1 + NOTE: https://github.com/libexpat/libexpat/pull/559 + NOTE: https://github.com/libexpat/libexpat/commit/eb0362808b4f9f1e2345a0cf203b8cc196d776d9 +CVE-2022-25314 (In Expat (aka libexpat) before 2.4.5, there is an integer overflow in ...) + - expat 2.4.5-1 + NOTE: https://github.com/libexpat/libexpat/pull/560 + NOTE: https://github.com/libexpat/libexpat/commit/efcb347440ade24b9f1054671e6bd05e60b4cafd +CVE-2022-25313 (In Expat (aka libexpat) before 2.4.5, an attacker can trigger stack ex ...) + - expat 2.4.5-1 + NOTE: https://github.com/libexpat/libexpat/pull/558 + NOTE: https://github.com/libexpat/libexpat/commit/9b4ce651b26557f16103c3a366c91934ecd439ab +CVE-2022-25311 + RESERVED +CVE-2022-25310 + RESERVED +CVE-2022-25309 + RESERVED +CVE-2022-25308 + RESERVED +CVE-2022-25307 + RESERVED +CVE-2022-25306 + RESERVED +CVE-2022-25305 + RESERVED +CVE-2022-21158 + RESERVED +CVE-2022-0674 + RESERVED +CVE-2022-0673 (A flaw was found in LemMinX in versions prior to 0.19.0. Cache poisoni ...) + NOT-FOR-US: LemMinX +CVE-2022-0672 (A flaw was found in LemMinX in versions prior to 0.19.0. Insecure redi ...) + NOT-FOR-US: LemMinX +CVE-2022-0671 (A flaw was found in vscode-xml in versions prior to 0.19.0. Schema dow ...) + TODO: check +CVE-2022-0670 + RESERVED +CVE-2022-0669 + RESERVED +CVE-2022-0668 + RESERVED +CVE-2022-0667 + RESERVED +CVE-2022-0666 (CRLF Injection leads to Stack Trace Exposure due to lack of filtering ...) + NOT-FOR-US: microweber +CVE-2022-0665 + RESERVED +CVE-2022-0664 (Use of Hard-coded Cryptographic Key in Go github.com/gravitl/netmaker ...) + NOT-FOR-US: Go github.com/gravitl/netmaker +CVE-2022-0663 + RESERVED +CVE-2022-0662 + RESERVED +CVE-2022-0661 + RESERVED +CVE-2022-0660 (Generation of Error Message Containing Sensitive Information in Packag ...) + NOT-FOR-US: microweber +CVE-2022-0659 + RESERVED +CVE-2022-0658 + RESERVED +CVE-2022-0657 + RESERVED +CVE-2022-0656 + RESERVED +CVE-2022-XXXX [Arbitrary File Write Vulnerability ] + - libpgjava 42.3.3-1 + NOTE: https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-673j-qm5f-xpv8 + NOTE: https://github.com/pgjdbc/pgjdbc/commit/f6d47034a4ce292e1a659fa00963f6f713117064 (REL42.3.3-rc1) +CVE-2022-25299 (This affects the package cesanta/mongoose before 7.6. The unsafe handl ...) + TODO: check +CVE-2022-25298 (This affects the package sprinfall/webcc before 0.3.0. It is possible ...) + NOT-FOR-US: webcc +CVE-2022-25297 (This affects the package drogonframework/drogon before 1.7.5. The unsa ...) + TODO: check +CVE-2022-25296 + RESERVED +CVE-2022-25295 + RESERVED +CVE-2022-25294 + RESERVED +CVE-2022-25293 + RESERVED +CVE-2022-25292 + RESERVED +CVE-2022-25291 + RESERVED +CVE-2022-25290 + RESERVED +CVE-2022-25289 + RESERVED +CVE-2022-25288 + RESERVED +CVE-2022-25287 + RESERVED +CVE-2022-25286 + RESERVED +CVE-2022-25285 + RESERVED +CVE-2022-25284 + RESERVED +CVE-2022-25283 + RESERVED +CVE-2022-25282 + RESERVED +CVE-2022-25281 + RESERVED +CVE-2022-25280 + RESERVED +CVE-2022-25279 + RESERVED +CVE-2022-25278 + RESERVED +CVE-2022-25277 + RESERVED +CVE-2022-25276 + RESERVED +CVE-2022-25275 + RESERVED +CVE-2022-25274 + RESERVED +CVE-2022-25273 + RESERVED +CVE-2022-25272 + RESERVED +CVE-2022-25270 (The Quick Edit module does not properly check entity access in some ci ...) + NOT-FOR-US: Drupal 9.x +CVE-2022-25269 + RESERVED +CVE-2022-25268 + RESERVED +CVE-2022-25267 + RESERVED +CVE-2022-25266 + RESERVED +CVE-2022-25265 (In the Linux kernel through 5.16.10, certain binary files may have the ...) + - linux <unfixed> + NOTE: https://github.com/x0reaxeax/exec-prot-bypass +CVE-2022-25264 + RESERVED +CVE-2022-25263 + RESERVED +CVE-2022-25262 + RESERVED +CVE-2022-25261 + RESERVED +CVE-2022-25260 + RESERVED +CVE-2022-25259 + RESERVED +CVE-2022-25258 (An issue was discovered in drivers/usb/gadget/composite.c in the Linux ...) + - linux 5.16.10-1 + NOTE: https://github.com/szymonh/d-os-descriptor + NOTE: https://git.kernel.org/linus/75e5b4849b81e19e9efe1654b30d7f3151c33c2c (5.17-rc4) +CVE-2022-0655 + RESERVED +CVE-2022-0654 + RESERVED +CVE-2022-0653 + RESERVED +CVE-2022-0652 + RESERVED +CVE-2022-0651 + RESERVED +CVE-2022-0650 + RESERVED +CVE-2022-0649 + RESERVED +CVE-2022-25257 + RESERVED +CVE-2022-25256 (SAS Web Report Studio 4.4 allows XSS. /SASWebReportStudio/logonAndRend ...) + NOT-FOR-US: SAS Web Report Studio +CVE-2022-25255 (In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux ...) + - qt6-base <unfixed> + - qtbase-opensource-src 5.15.2+dfsg-15 + - qtbase-opensource-src-gles <unfixed> + NOTE: https://codereview.qt-project.org/c/qt/qtbase/+/393113 + NOTE: https://codereview.qt-project.org/c/qt/qtbase/+/394914 + NOTE: https://codereview.qt-project.org/c/qt/qtbase/+/396020 + NOTE: https://download.qt.io/official_releases/qt/5.15/qprocess5-15.diff + NOTE: https://download.qt.io/official_releases/qt/6.2/qprocess6-2.diff +CVE-2022-25254 + RESERVED +CVE-2022-25253 + RESERVED +CVE-2022-25252 + RESERVED +CVE-2022-25251 + RESERVED +CVE-2022-25250 + RESERVED +CVE-2022-25249 + RESERVED +CVE-2022-25248 + RESERVED +CVE-2022-25247 + RESERVED +CVE-2022-25246 + RESERVED +CVE-2022-24374 + RESERVED +CVE-2022-23916 + RESERVED +CVE-2022-23810 + RESERVED +CVE-2022-21142 + RESERVED +CVE-2022-0648 + RESERVED +CVE-2022-0647 + RESERVED +CVE-2022-0646 (A flaw use after free in the Linux kernel Management Component Transpo ...) + - linux <unfixed> + NOTE: https://lore.kernel.org/all/20220211011552.1861886-1-jk@codeconstruct.com.au/T/ +CVE-2022-0645 + RESERVED +CVE-2022-0644 [vfs: check fd has read access in kernel_read_file_from_fd()] + RESERVED + - linux 5.14.16-1 + [bullseye] - linux 5.10.84-1 + [stretch] - linux 4.9.290-1 + NOTE: https://git.kernel.org/linus/032146cda85566abcd1c4884d9d23e4e30a07e9a (5.15-rc7) +CVE-2022-0643 + RESERVED +CVE-2022-0642 + RESERVED +CVE-2022-0641 + RESERVED +CVE-2022-0640 + RESERVED +CVE-2022-0639 (Authorization Bypass Through User-Controlled Key in NPM url-parse prio ...) + - node-url-parse 1.5.7-1 + [bullseye] - node-url-parse <no-dsa> (Minor issue) + [buster] - node-url-parse <no-dsa> (Minor issue) + NOTE: https://huntr.dev/bounties/83a6bc9a-b542-4a38-82cd-d995a1481155 + NOTE: https://github.com/unshiftio/url-parse/commit/ef45a1355375a8244063793a19059b4f62fc8788 (1.5.7) +CVE-2022-0638 (Cross-Site Request Forgery (CSRF) in Packagist microweber/microweber p ...) + NOT-FOR-US: microweber +CVE-2022-0637 + RESERVED +CVE-2022-0636 + RESERVED +CVE-2022-0635 + RESERVED +CVE-2022-0634 + RESERVED +CVE-2022-0633 (The UpdraftPlus WordPress plugin Free before 1.22.3 and Premium before ...) + NOT-FOR-US: WordPress plugin +CVE-2022-0632 (NULL Pointer Dereference in Homebrew mruby prior to 3.2. ...) + - mruby <not-affected> (Vulnerable code introduced later) + NOTE: https://huntr.dev/bounties/3e5bb8f6-30fd-4553-86dd-761e9459ce1b + NOTE: https://github.com/mruby/mruby/commit/44f591aa8f7091e6ca6cb418e428ae6d4ceaf77d +CVE-2022-0631 (Heap-based Buffer Overflow in Homebrew mruby prior to 3.2. ...) + - mruby <not-affected> (Vulnerable code introduced later) + NOTE: https://huntr.dev/bounties/9bdc49ca-6697-4adc-a785-081e1961bf40 + NOTE: https://github.com/mruby/mruby/commit/47068ae07a5fa3aa9a1879cdfe98a9ce0f339299 +CVE-2022-0630 (Out-of-bounds Read in Homebrew mruby prior to 3.2. ...) + - mruby <not-affected> (Vulnerable code introduced later) + NOTE: https://huntr.dev/bounties/f7cdd680-1a7f-4992-b4b8-44b5e4ba3e32 + NOTE: https://github.com/mruby/mruby/commit/ff3a5ebed6ffbe3e70481531cfb969b497aa73ad +CVE-2022-0629 (Stack-based Buffer Overflow in GitHub repository vim/vim prior to 8.2. ...) + - vim <unfixed> + [bullseye] - vim <no-dsa> (Minor issue) + [buster] - vim <no-dsa> (Minor issue) + NOTE: https://huntr.dev/bounties/95e2b0da-e480-4ee8-9324-a93a2ab0a877/ + NOTE: https://github.com/vim/vim/commit/34f8117dec685ace52cd9e578e2729db278163fc (v8.2.4397) +CVE-2022-0628 + RESERVED +CVE-2022-0627 + RESERVED +CVE-2022-0626 + RESERVED +CVE-2022-0625 + RESERVED +CVE-2022-0624 + RESERVED +CVE-2022-25271 (Drupal core's form API has a vulnerability where certain contributed o ...) + {DLA-2925-1} + - drupal7 <removed> + NOTE: https://www.drupal.org/sa-core-2022-003 + NOTE: https://git.drupalcode.org/project/drupal/-/commit/43c757167380643b5f73287a63a8739731a5b712 +CVE-2022-25245 + RESERVED +CVE-2022-25244 + RESERVED +CVE-2022-25243 + RESERVED +CVE-2022-25242 (In FileCloud before 21.3, file upload is not protected against Cross-S ...) + NOT-FOR-US: FileCloud +CVE-2022-25241 (In FileCloud before 21.3, the CSV user import functionality is vulnera ...) + NOT-FOR-US: FileCloud +CVE-2022-25240 + RESERVED +CVE-2022-25239 + RESERVED +CVE-2022-25238 + RESERVED +CVE-2022-25237 + RESERVED +CVE-2022-25236 (xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to in ...) + - expat 2.4.5-1 (bug #1005895) + NOTE: https://github.com/libexpat/libexpat/pull/561 + NOTE: https://github.com/libexpat/libexpat/commit/6881a4fc8596307ab9ff2e85e605afa2e413ab71 + NOTE: https://github.com/libexpat/libexpat/commit/a2fe525e660badd64b6c557c2b1ec26ddc07f6e4 + NOTE: https://github.com/libexpat/libexpat/commit/2de077423fb22750ebea599677d523b53cb93b1d +CVE-2022-25235 (xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain valid ...) + - expat 2.4.5-1 (bug #1005894) + NOTE: https://github.com/libexpat/libexpat/pull/562 + NOTE: https://github.com/libexpat/libexpat/commit/ee2a5b50e7d1940ba8745715b62ceb9efd3a96da + NOTE: https://github.com/libexpat/libexpat/commit/3f0a0cb644438d4d8e3294cd0b1245d0edb0c6c6 + NOTE: https://github.com/libexpat/libexpat/commit/c85a3025e7a1be086dc34e7559fbc543914d047f + NOTE: https://github.com/libexpat/libexpat/commit/6a5510bc6b7efe743356296724e0b38300f05379 +CVE-2022-25229 + RESERVED +CVE-2022-25228 + RESERVED +CVE-2022-25227 + RESERVED +CVE-2022-25226 + RESERVED +CVE-2022-25225 + RESERVED +CVE-2022-25224 + RESERVED +CVE-2022-25223 + RESERVED +CVE-2022-25222 + RESERVED +CVE-2022-25221 + RESERVED +CVE-2022-25220 + RESERVED +CVE-2022-25219 + RESERVED +CVE-2022-25218 + RESERVED +CVE-2022-25217 + RESERVED +CVE-2022-25216 + RESERVED +CVE-2022-25215 + RESERVED +CVE-2022-25214 + RESERVED +CVE-2022-25213 + RESERVED +CVE-2022-24915 + RESERVED +CVE-2022-24432 + RESERVED +CVE-2022-22985 + RESERVED +CVE-2022-21146 + RESERVED +CVE-2022-0623 (Out-of-bounds Read in Homebrew mruby prior to 3.2. ...) + - mruby <not-affected> (Vulnerable code introduced later) + NOTE: https://github.com/mruby/mruby/commit/ff3a5ebed6ffbe3e70481531cfb969b497aa73ad + NOTE: https://huntr.dev/bounties/5b908ac7-d8f1-4fcd-9355-85df565f7580 +CVE-2022-0622 (Generation of Error Message Containing Sensitive Information in Packag ...) + NOT-FOR-US: snipe-it +CVE-2022-0621 + RESERVED +CVE-2022-0620 + RESERVED +CVE-2022-0619 + RESERVED +CVE-2022-25209 (Jenkins Chef Sinatra Plugin 1.20 and earlier does not configure its XM ...) + NOT-FOR-US: Jenkins Chef Sinatra Plugin +CVE-2022-25175 (Jenkins Pipeline: Multibranch Plugin 706.vd43c65dec013 and earlier use ...) + NOT-FOR-US: Jenkins Pipeline: Multibranch Plugin +CVE-2022-25169 + RESERVED +CVE-2022-25168 + RESERVED +CVE-2022-25167 + RESERVED +CVE-2022-24435 + RESERVED +CVE-2022-23986 + RESERVED +CVE-2022-21159 + RESERVED +CVE-2022-0618 + RESERVED +CVE-2022-0617 (A flaw null pointer dereference in the Linux kernel UDF file system fu ...) + - linux 5.16.7-1 + NOTE: https://git.kernel.org/linus/7fc3b7c2981bbd1047916ade327beccb90994eee + NOTE: https://git.kernel.org/linus/ea8569194b43f0f01f0a84c689388542c7254a1f +CVE-2022-0616 + RESERVED +CVE-2022-0615 + RESERVED +CVE-2022-0614 (Use of Out-of-range Pointer Offset in Homebrew mruby prior to 3.2. ...) + - mruby <not-affected> (Vulnerable code introduced later) + NOTE: https://huntr.dev/bounties/a980ce4d-c359-4425-92c4-e844c0055879 + NOTE: https://github.com/mruby/mruby/commit/ff3a5ebed6ffbe3e70481531cfb969b497aa73ad +CVE-2022-0613 (Authorization Bypass Through User-Controlled Key in NPM urijs prior to ...) + NOT-FOR-US: Node urijs +CVE-2022-25212 (A cross-site request forgery (CSRF) vulnerability in Jenkins SWAMP Plu ...) + NOT-FOR-US: Jenkins plugin +CVE-2022-25211 (A missing permission check in Jenkins SWAMP Plugin 1.2.6 and earlier a ...) + NOT-FOR-US: Jenkins plugin +CVE-2022-25210 (Jenkins Convertigo Mobile Platform Plugin 1.1 and earlier uses static ...) + NOT-FOR-US: Jenkins plugin +CVE-2022-25208 (A missing permission check in Jenkins Chef Sinatra Plugin 1.20 and ear ...) + NOT-FOR-US: Jenkins plugin +CVE-2022-25207 (A cross-site request forgery (CSRF) vulnerability in Jenkins Chef Sina ...) + NOT-FOR-US: Jenkins plugin +CVE-2022-25206 (A missing check in Jenkins dbCharts Plugin 0.5.2 and earlier allows at ...) + NOT-FOR-US: Jenkins plugin +CVE-2022-25205 (A cross-site request forgery (CSRF) vulnerability in Jenkins dbCharts ...) + NOT-FOR-US: Jenkins plugin +CVE-2022-25204 (Jenkins Doktor Plugin 0.4.1 and earlier implements functionality that ...) + NOT-FOR-US: Jenkins plugin +CVE-2022-25203 (Jenkins Team Views Plugin 0.9.0 and earlier does not escape team names ...) + NOT-FOR-US: Jenkins plugin +CVE-2022-25202 (Jenkins Promoted Builds (Simple) Plugin 1.9 and earlier does not escap ...) + NOT-FOR-US: Jenkins plugin +CVE-2022-25201 (Missing permission checks in Jenkins Checkmarx Plugin 2022.1.2 and ear ...) + NOT-FOR-US: Jenkins plugin +CVE-2022-25200 (A cross-site request forgery (CSRF) vulnerability in Jenkins Checkmarx ...) + NOT-FOR-US: Jenkins plugin +CVE-2022-25199 (A missing permission check in Jenkins SCP publisher Plugin 1.8 and ear ...) + NOT-FOR-US: Jenkins plugin +CVE-2022-25198 (A cross-site request forgery (CSRF) vulnerability in Jenkins SCP publi ...) + NOT-FOR-US: Jenkins plugin +CVE-2022-25197 (Jenkins HashiCorp Vault Plugin 336.v182c0fbaaeb7 and earlier implement ...) + NOT-FOR-US: Jenkins plugin +CVE-2022-25196 (Jenkins GitLab Authentication Plugin 1.13 and earlier records the HTTP ...) + NOT-FOR-US: Jenkins plugin +CVE-2022-25195 (A missing permission check in Jenkins autonomiq Plugin 1.15 and earlie ...) + NOT-FOR-US: Jenkins plugin +CVE-2022-25194 (A cross-site request forgery (CSRF) vulnerability in Jenkins autonomiq ...) + NOT-FOR-US: Jenkins plugin +CVE-2022-25193 (Missing permission checks in Jenkins Snow Commander Plugin 2.0 and ear ...) + NOT-FOR-US: Jenkins plugin +CVE-2022-25192 (A cross-site request forgery (CSRF) vulnerability in Jenkins Snow Comm ...) + NOT-FOR-US: Jenkins plugin +CVE-2022-25191 (Jenkins Agent Server Parameter Plugin 1.0 and earlier does not escape ...) + NOT-FOR-US: Jenkins plugin +CVE-2022-25190 (A missing permission check in Jenkins Conjur Secrets Plugin 1.0.11 and ...) + NOT-FOR-US: Jenkins plugin +CVE-2022-25189 (Jenkins Custom Checkbox Parameter Plugin 1.1 and earlier does not esca ...) + NOT-FOR-US: Jenkins plugin +CVE-2022-25188 (Jenkins Fortify Plugin 20.2.34 and earlier does not sanitize the appNa ...) + NOT-FOR-US: Jenkins plugin +CVE-2022-25187 (Jenkins Support Core Plugin 2.79 and earlier does not redact some sens ...) + NOT-FOR-US: Jenkins plugin +CVE-2022-25186 (Jenkins HashiCorp Vault Plugin 3.8.0 and earlier implements functional ...) + NOT-FOR-US: Jenkins plugin +CVE-2022-25185 (Jenkins Generic Webhook Trigger Plugin 1.81 and earlier does not escap ...) + NOT-FOR-US: Jenkins plugin +CVE-2022-25184 (Jenkins Pipeline: Build Step Plugin 2.15 and earlier reveals password ...) + NOT-FOR-US: Jenkins plugin +CVE-2022-25183 (Jenkins Pipeline: Shared Groovy Libraries Plugin 552.vd9cc05b8a2e1 and ...) + NOT-FOR-US: Jenkins plugin +CVE-2022-25182 (A sandbox bypass vulnerability in Jenkins Pipeline: Shared Groovy Libr ...) + NOT-FOR-US: Jenkins plugin +CVE-2022-25181 (A sandbox bypass vulnerability in Jenkins Pipeline: Shared Groovy Libr ...) + NOT-FOR-US: Jenkins plugin +CVE-2022-25180 (Jenkins Pipeline: Groovy Plugin 2648.va9433432b33c and earlier include ...) + NOT-FOR-US: Jenkins plugin +CVE-2022-25179 (Jenkins Pipeline: Multibranch Plugin 706.vd43c65dec013 and earlier fol ...) + NOT-FOR-US: Jenkins plugin +CVE-2022-25178 (Jenkins Pipeline: Shared Groovy Libraries Plugin 552.vd9cc05b8a2e1 and ...) + NOT-FOR-US: Jenkins plugin +CVE-2022-25177 (Jenkins Pipeline: Shared Groovy Libraries Plugin 552.vd9cc05b8a2e1 and ...) + NOT-FOR-US: Jenkins plugin +CVE-2022-25176 (Jenkins Pipeline: Groovy Plugin 2648.va9433432b33c and earlier follows ...) + NOT-FOR-US: Jenkins plugin +CVE-2022-25174 (Jenkins Pipeline: Shared Groovy Libraries Plugin 552.vd9cc05b8a2e1 and ...) + NOT-FOR-US: Jenkins plugin +CVE-2022-25173 (Jenkins Pipeline: Groovy Plugin 2648.va9433432b33c and earlier uses th ...) + NOT-FOR-US: Jenkins plugin +CVE-2022-25166 + RESERVED +CVE-2022-25165 + RESERVED +CVE-2022-25164 + RESERVED +CVE-2022-25163 + RESERVED +CVE-2022-25162 + RESERVED +CVE-2022-25161 + RESERVED +CVE-2022-25160 + RESERVED +CVE-2022-25159 + RESERVED +CVE-2022-25158 + RESERVED +CVE-2022-25157 + RESERVED +CVE-2022-25156 + RESERVED +CVE-2022-25155 + RESERVED +CVE-2022-25154 + RESERVED +CVE-2022-25153 + RESERVED +CVE-2022-25152 + RESERVED +CVE-2022-25151 + RESERVED +CVE-2022-25150 (In Malwarebytes Binisoft Windows Firewall Control before 6.8.1.0, prog ...) + NOT-FOR-US: Malwarebytes Binisoft Windows Firewall Control +CVE-2022-25149 + RESERVED +CVE-2022-25148 + RESERVED +CVE-2022-0612 (Cross-site Scripting (XSS) - Stored in Packagist remdex/livehelperchat ...) + NOT-FOR-US: livehelperchat +CVE-2022-0611 (Improper Privilege Management in Packagist snipe/snipe-it prior to 5.3 ...) + NOT-FOR-US: snipe-it +CVE-2022-25147 + RESERVED +CVE-2022-0610 + RESERVED + {DSA-5079-1} + - chromium 98.0.4758.102-1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) + NOTE: https://chromereleases.googleblog.com/2022/02/stable-channel-update-for-desktop_14.html +CVE-2022-0609 + RESERVED + {DSA-5079-1} + - chromium 98.0.4758.102-1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) + NOTE: https://chromereleases.googleblog.com/2022/02/stable-channel-update-for-desktop_14.html +CVE-2022-0608 + RESERVED + {DSA-5079-1} + - chromium 98.0.4758.102-1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) + NOTE: https://chromereleases.googleblog.com/2022/02/stable-channel-update-for-desktop_14.html +CVE-2022-0607 + RESERVED + {DSA-5079-1} + - chromium 98.0.4758.102-1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) + NOTE: https://chromereleases.googleblog.com/2022/02/stable-channel-update-for-desktop_14.html +CVE-2022-0606 + RESERVED + {DSA-5079-1} + - chromium 98.0.4758.102-1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) + NOTE: https://chromereleases.googleblog.com/2022/02/stable-channel-update-for-desktop_14.html +CVE-2022-0605 + RESERVED + {DSA-5079-1} + - chromium 98.0.4758.102-1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) + NOTE: https://chromereleases.googleblog.com/2022/02/stable-channel-update-for-desktop_14.html +CVE-2022-0604 + RESERVED + {DSA-5079-1} + - chromium 98.0.4758.102-1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) + NOTE: https://chromereleases.googleblog.com/2022/02/stable-channel-update-for-desktop_14.html +CVE-2022-0603 + RESERVED + {DSA-5079-1} + - chromium 98.0.4758.102-1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) + NOTE: https://chromereleases.googleblog.com/2022/02/stable-channel-update-for-desktop_14.html +CVE-2022-0602 + RESERVED +CVE-2022-0601 + RESERVED +CVE-2022-0600 + RESERVED +CVE-2022-0599 + RESERVED +CVE-2022-0598 + RESERVED +CVE-2022-0597 (Open Redirect in Packagist microweber/microweber prior to 1.2.11. ...) + NOT-FOR-US: microweber +CVE-2022-0596 (Business Logic Errors in Packagist microweber/microweber prior to 1.2. ...) + NOT-FOR-US: microweber +CVE-2022-0595 + RESERVED +CVE-2022-0594 + RESERVED +CVE-2022-0593 + RESERVED +CVE-2022-0592 + RESERVED +CVE-2022-0591 + RESERVED +CVE-2022-0590 + RESERVED +CVE-2022-0589 (Cross-site Scripting (XSS) - Stored in Packagist librenms/librenms pri ...) + NOT-FOR-US: LibreNMS +CVE-2022-0588 (Exposure of Sensitive Information to an Unauthorized Actor in Packagis ...) + NOT-FOR-US: LibreNMS +CVE-2022-0587 (Improper Authorization in Packagist librenms/librenms prior to 22.2.0. ...) + NOT-FOR-US: LibreNMS +CVE-2022-25146 + RESERVED +CVE-2022-25145 + RESERVED +CVE-2022-25144 + RESERVED +CVE-2022-25143 + RESERVED +CVE-2022-25142 + RESERVED +CVE-2022-25141 + RESERVED +CVE-2022-25140 + RESERVED +CVE-2022-25139 (njs through 0.7.0, used in NGINX, was discovered to contain a heap use ...) + NOT-FOR-US: njs +CVE-2022-25138 + RESERVED +CVE-2022-25137 (A command injection vulnerability in the function recvSlaveUpgstatus o ...) + NOT-FOR-US: TOTOLINK +CVE-2022-25136 (A command injection vulnerability in the function meshSlaveUpdate of T ...) + NOT-FOR-US: TOTOLINK +CVE-2022-25135 (A command injection vulnerability in the function recv_mesh_info_sync ...) + NOT-FOR-US: TOTOLINK +CVE-2022-25134 (A command injection vulnerability in the function setUpgradeFW of TOTO ...) + NOT-FOR-US: TOTOLINK +CVE-2022-25133 (A command injection vulnerability in the function isAssocPriDevice of ...) + NOT-FOR-US: TOTOLINK +CVE-2022-25132 (A command injection vulnerability in the function meshSlaveDlfw of TOT ...) + NOT-FOR-US: TOTOLINK +CVE-2022-25131 (A command injection vulnerability in the function recvSlaveCloudCheckS ...) + NOT-FOR-US: TOTOLINK +CVE-2022-25130 (A command injection vulnerability in the function updateWifiInfo of TO ...) + NOT-FOR-US: TOTOLINK +CVE-2022-25129 + RESERVED +CVE-2022-25128 + RESERVED +CVE-2022-25127 + RESERVED +CVE-2022-25126 + RESERVED +CVE-2022-25125 + RESERVED +CVE-2022-25124 + RESERVED +CVE-2022-25123 + RESERVED +CVE-2022-25122 + RESERVED +CVE-2022-25121 + RESERVED +CVE-2022-25120 + RESERVED +CVE-2022-25119 + RESERVED +CVE-2022-25118 + RESERVED +CVE-2022-25117 + RESERVED +CVE-2022-25116 + RESERVED +CVE-2022-25115 + RESERVED +CVE-2022-25114 + RESERVED +CVE-2022-25113 + RESERVED +CVE-2022-25112 + RESERVED +CVE-2022-25111 + RESERVED +CVE-2022-25110 + RESERVED +CVE-2022-25109 + RESERVED +CVE-2022-25108 + RESERVED +CVE-2022-25107 + RESERVED +CVE-2022-25106 + RESERVED +CVE-2022-25105 + RESERVED +CVE-2022-25104 + RESERVED +CVE-2022-25103 + RESERVED +CVE-2022-25102 + RESERVED +CVE-2022-25101 + RESERVED +CVE-2022-25100 + RESERVED +CVE-2022-25099 + RESERVED +CVE-2022-25098 + RESERVED +CVE-2022-25097 + RESERVED +CVE-2022-25096 + RESERVED +CVE-2022-25095 + RESERVED +CVE-2022-25094 + RESERVED +CVE-2022-25093 + RESERVED +CVE-2022-25092 + RESERVED +CVE-2022-25091 + RESERVED +CVE-2022-25090 + RESERVED +CVE-2022-25089 + RESERVED +CVE-2022-25088 + RESERVED +CVE-2022-25087 + RESERVED +CVE-2022-25086 + RESERVED +CVE-2022-25085 + RESERVED +CVE-2022-25084 + RESERVED +CVE-2022-25083 + RESERVED +CVE-2022-25082 + RESERVED +CVE-2022-25081 + RESERVED +CVE-2022-25080 + RESERVED +CVE-2022-25079 + RESERVED +CVE-2022-25078 + RESERVED +CVE-2022-25077 + RESERVED +CVE-2022-25076 + RESERVED +CVE-2022-25075 + RESERVED +CVE-2022-25074 + RESERVED +CVE-2022-25073 + RESERVED +CVE-2022-25072 + RESERVED +CVE-2022-25071 + RESERVED +CVE-2022-25070 + RESERVED +CVE-2022-25069 + RESERVED +CVE-2022-25068 + RESERVED +CVE-2022-25067 + RESERVED +CVE-2022-25066 + RESERVED +CVE-2022-25065 + RESERVED +CVE-2022-25064 + RESERVED +CVE-2022-25063 + RESERVED +CVE-2022-25062 + RESERVED +CVE-2022-25061 + RESERVED +CVE-2022-25060 + RESERVED +CVE-2022-25059 + RESERVED +CVE-2022-25058 + RESERVED +CVE-2022-25057 + RESERVED +CVE-2022-25056 + RESERVED +CVE-2022-25055 + RESERVED +CVE-2022-25054 + RESERVED +CVE-2022-25053 + RESERVED +CVE-2022-25052 + RESERVED +CVE-2022-25051 + RESERVED +CVE-2022-25050 + RESERVED +CVE-2022-25049 + RESERVED +CVE-2022-25048 + RESERVED +CVE-2022-25047 + RESERVED +CVE-2022-25046 + RESERVED +CVE-2022-25045 + RESERVED +CVE-2022-25044 + RESERVED +CVE-2022-25043 + RESERVED +CVE-2022-25042 + RESERVED +CVE-2022-25041 + RESERVED +CVE-2022-25040 + RESERVED +CVE-2022-25039 + RESERVED +CVE-2022-25038 + RESERVED +CVE-2022-25037 + RESERVED +CVE-2022-25036 + RESERVED +CVE-2022-25035 + RESERVED +CVE-2022-25034 + RESERVED +CVE-2022-25033 + RESERVED +CVE-2022-25032 + RESERVED +CVE-2022-25031 + RESERVED +CVE-2022-25030 + RESERVED +CVE-2022-25029 + RESERVED +CVE-2022-25028 + RESERVED +CVE-2022-25027 + RESERVED +CVE-2022-25026 + RESERVED +CVE-2022-25025 + RESERVED +CVE-2022-25024 + RESERVED +CVE-2022-25023 + RESERVED +CVE-2022-25022 + RESERVED +CVE-2022-25021 + RESERVED +CVE-2022-25020 + RESERVED +CVE-2022-25019 + RESERVED +CVE-2022-25018 + RESERVED +CVE-2022-25017 + RESERVED +CVE-2022-25016 + RESERVED +CVE-2022-25015 + RESERVED +CVE-2022-25014 + RESERVED +CVE-2022-25013 + RESERVED +CVE-2022-25012 + RESERVED +CVE-2022-25011 + RESERVED +CVE-2022-25010 + RESERVED +CVE-2022-25009 + RESERVED +CVE-2022-25008 + RESERVED +CVE-2022-25007 + RESERVED +CVE-2022-25006 + RESERVED +CVE-2022-25005 + RESERVED +CVE-2022-25004 + RESERVED +CVE-2022-25003 + RESERVED +CVE-2022-25002 + RESERVED +CVE-2022-25001 + RESERVED +CVE-2022-25000 + RESERVED +CVE-2022-24999 + RESERVED +CVE-2022-24998 + RESERVED +CVE-2022-24997 + RESERVED +CVE-2022-24996 + RESERVED +CVE-2022-24995 + RESERVED +CVE-2022-24994 + RESERVED +CVE-2022-24993 + RESERVED +CVE-2022-24992 + RESERVED +CVE-2022-24991 + RESERVED +CVE-2022-24990 + RESERVED +CVE-2022-24989 + RESERVED +CVE-2022-24988 (In galois_2p8 before 0.1.2, PrimitivePolynomialField::new has an off-b ...) + NOT-FOR-US: galois_2p8 +CVE-2022-24987 + RESERVED +CVE-2022-24986 + RESERVED +CVE-2022-24985 (Forms generated by JQueryForm.com before 2022-02-05 allows a remote au ...) + NOT-FOR-US: JQueryForm.com +CVE-2022-24984 (Forms generated by JQueryForm.com before 2022-02-05 (if file-upload ca ...) + NOT-FOR-US: JQueryForm.com +CVE-2022-24983 (Forms generated by JQueryForm.com before 2022-02-05 allow remote attac ...) + NOT-FOR-US: JQueryForm.com +CVE-2022-24982 (Forms generated by JQueryForm.com before 2022-02-05 allows a remote au ...) + NOT-FOR-US: JQueryForm.com +CVE-2022-24981 (A reflected cross-site scripting (XSS) vulnerability in forms generate ...) + NOT-FOR-US: JQueryForm.com +CVE-2022-0586 (Infinite loop in RTMPT protocol dissector in Wireshark 3.6.0 to 3.6.1 ...) + - wireshark <unfixed> + [bullseye] - wireshark <no-dsa> (Minor issue) + [buster] - wireshark <no-dsa> (Minor issue) + NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17813 + NOTE: https://www.wireshark.org/security/wnpa-sec-2022-01.html +CVE-2022-0585 (Large loops in multiple protocol dissectors in Wireshark 3.6.0 to 3.6. ...) + - wireshark <unfixed> + [bullseye] - wireshark <no-dsa> (Minor issue) + [buster] - wireshark <no-dsa> (Minor issue) + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2054049 + NOTE: https://www.wireshark.org/security/wnpa-sec-2022-02.html + NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17829 + NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17842 + NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17847 + NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17855 + NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17891 + NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17925 + NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17926 + NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17931 + NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17932 + NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17933 +CVE-2022-0584 + RESERVED +CVE-2022-0583 (Crash in the PVFS protocol dissector in Wireshark 3.6.0 to 3.6.1 and 3 ...) + - wireshark <unfixed> + [bullseye] - wireshark <no-dsa> (Minor issue) + [buster] - wireshark <no-dsa> (Minor issue) + NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17840 + NOTE: https://www.wireshark.org/security/wnpa-sec-2022-03.html +CVE-2022-0582 (Unaligned access in the CSN.1 protocol dissector in Wireshark 3.6.0 to ...) + - wireshark <unfixed> + [bullseye] - wireshark <no-dsa> (Minor issue) + [buster] - wireshark <no-dsa> (Minor issue) + NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17882 + NOTE: https://www.wireshark.org/security/wnpa-sec-2022-04.html +CVE-2022-0581 (Crash in the CMS protocol dissector in Wireshark 3.6.0 to 3.6.1 and 3. ...) + - wireshark <unfixed> + [bullseye] - wireshark <no-dsa> (Minor issue) + [buster] - wireshark <no-dsa> (Minor issue) + NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17935 + NOTE: https://www.wireshark.org/security/wnpa-sec-2022-05.html +CVE-2022-0580 (Improper Access Control in Packagist librenms/librenms prior to 22.2.0 ...) + NOT-FOR-US: LibreNMS +CVE-2022-24980 (An issue was discovered in the Kitodo.Presentation (aka dif) extension ...) + NOT-FOR-US: TYPO3 extension +CVE-2022-24979 (An issue was discovered in the Varnishcache extension before 2.0.1 for ...) + NOT-FOR-US: TYPO3 extension +CVE-2022-24978 + RESERVED +CVE-2022-24977 (ImpressCMS before 1.4.2 allows unauthenticated remote code execution v ...) + NOT-FOR-US: ImpressCMS +CVE-2022-0579 (Improper Privilege Management in Packagist snipe/snipe-it prior to 5.3 ...) + NOT-FOR-US: snipe-it +CVE-2022-0578 + RESERVED +CVE-2022-24976 (Atheme IRC Services before 7.2.12, when used in conjunction with InspI ...) + - atheme-services 7.2.12-1 + [bullseye] - atheme-services <no-dsa> (Minor issue; can be fixed via point release) + [buster] - atheme-services <no-dsa> (Minor issue; can be fixed via point release) + [stretch] - atheme-services <postponed> (Minor issue) + NOTE: https://www.openwall.com/lists/oss-security/2022/01/30/4 + NOTE: https://github.com/atheme/atheme/commit/4e664c75d0b280a052eb8b5e81aa41944e593c52 +CVE-2022-0577 + RESERVED +CVE-2022-0576 (Cross-site Scripting (XSS) - Generic in Packagist librenms/librenms pr ...) + NOT-FOR-US: LibreNMS +CVE-2022-0575 (Cross-site Scripting (XSS) - Stored in Packagist librenms/librenms pri ...) + NOT-FOR-US: LibreNMS +CVE-2022-0574 + RESERVED +CVE-2022-0573 + RESERVED +CVE-2022-0572 (Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2. ...) + - vim <unfixed> + [bullseye] - vim <no-dsa> (Minor issue) + [buster] - vim <no-dsa> (Minor issue) + NOTE: https://huntr.dev/bounties/bf3e0643-03e9-4436-a1c8-74e7111c32bf + NOTE: https://github.com/vim/vim/commit/6e28703a8e41f775f64e442c5d11ce1ff599aa3f (v8.2.4359) +CVE-2022-0571 (Cross-site Scripting (XSS) - Reflected in GitHub repository phoronix-t ...) + - phoronix-test-suite <removed> +CVE-2022-0570 (Heap-based Buffer Overflow in Homebrew mruby prior to 3.2. ...) + - mruby <not-affected> (Vulnerable code introduced later) + NOTE: https://huntr.dev/bounties/65a7632e-f95b-4836-b1a7-9cb95e5124f1 + NOTE: https://github.com/mruby/mruby/commit/38b164ace7d6ae1c367883a3d67d7f559783faad +CVE-2022-0569 (Exposure of Sensitive Information to an Unauthorized Actor in Packagis ...) + NOT-FOR-US: snipe-it +CVE-2022-24975 (The --mirror documentation for Git through 2.35.1 does not mention the ...) + - git <unfixed> (unimportant) + NOTE: https://wwws.nightwatchcybersecurity.com/2022/02/11/gitbleed/ + NOTE: CVE is specifically about --mirror documentation not mentioning the availability + NOTE: of deleted content. +CVE-2022-24974 + RESERVED +CVE-2022-24973 + RESERVED +CVE-2022-24972 + RESERVED +CVE-2022-24971 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Foxit +CVE-2022-24970 + RESERVED +CVE-2022-24969 + RESERVED +CVE-2022-24968 (In Mellium mellium.im/xmpp through 0.21.0, an attacker capable of spoo ...) + NOT-FOR-US: Mellium +CVE-2022-24967 + RESERVED +CVE-2022-24966 + RESERVED +CVE-2022-24965 + RESERVED +CVE-2022-24964 + RESERVED +CVE-2022-24963 + RESERVED +CVE-2022-24962 + RESERVED +CVE-2022-0568 + RESERVED +CVE-2022-0567 + RESERVED +CVE-2022-0566 + RESERVED + - thunderbird 1:91.6.1-1 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-07/#CVE-2022-0566 +CVE-2022-0565 (Exposure of Sensitive Information to an Unauthorized Actor in Packagis ...) + NOT-FOR-US: pimcore +CVE-2022-24961 (In Portainer Agent before 2.11.1, an API server can continue running e ...) + NOT-FOR-US: Portainer +CVE-2022-24960 + RESERVED +CVE-2022-24959 (An issue was discovered in the Linux kernel before 5.16.5. There is a ...) + - linux 5.16.7-1 + NOTE: https://git.kernel.org/linus/29eb31542787e1019208a2e1047bb7c76c069536 (5.17-rc2) +CVE-2022-24958 (drivers/usb/gadget/legacy/inode.c in the Linux kernel through 5.16.8 m ...) + - linux <unfixed> + NOTE: Fixed by: https://git.kernel.org/linus/89f3594d0de58e8a57d92d497dea9fee3d4b9cda (5.17-rc1) + NOTE: Fixed by: https://git.kernel.org/linus/501e38a5531efbd77d5c73c0ba838a889bfc1d74 (5.17-rc1) +CVE-2022-24957 + RESERVED +CVE-2022-24956 + RESERVED +CVE-2022-24955 (Foxit PDF Reader before 11.2.1 and Foxit PDF Editor before 11.2.1 have ...) + NOT-FOR-US: Foxit +CVE-2022-24954 (Foxit PDF Reader before 11.2.1 and Foxit PDF Editor before 11.2.1 have ...) + NOT-FOR-US: Foxit +CVE-2022-24953 (The Crypt_GPG extension before 1.6.7 for PHP does not prevent addition ...) + - php-crypt-gpg 1.6.7-1 (bug #1005921) + [bullseye] - php-crypt-gpg <no-dsa> (Minor issue; can be fixed via point release) + NOTE: https://github.com/pear/Crypt_GPG/commit/74c8f989cefbe0887274b461dc56197e121bfd04 (v1.6.7) +CVE-2022-24952 + RESERVED +CVE-2022-24951 + RESERVED +CVE-2022-24950 + RESERVED +CVE-2022-24949 + RESERVED +CVE-2022-24948 + RESERVED +CVE-2022-24947 + RESERVED +CVE-2022-24946 + RESERVED +CVE-2022-24945 + RESERVED +CVE-2022-24944 + RESERVED +CVE-2022-24943 + RESERVED +CVE-2022-24942 + RESERVED +CVE-2022-24941 + RESERVED +CVE-2022-24940 + RESERVED +CVE-2022-24939 + RESERVED +CVE-2022-24938 + RESERVED +CVE-2022-24937 + RESERVED +CVE-2022-24936 + RESERVED +CVE-2022-24935 + RESERVED +CVE-2022-24934 + RESERVED +CVE-2022-24933 + RESERVED +CVE-2022-24932 + RESERVED +CVE-2022-24931 + RESERVED +CVE-2022-24930 + RESERVED +CVE-2022-24929 + RESERVED +CVE-2022-24928 + RESERVED +CVE-2022-24927 (Improper privilege management vulnerability in Samsung Video Player pr ...) + NOT-FOR-US: Samsung +CVE-2022-24926 (Improper input validation vulnerability in SmartTagPlugin prior to ver ...) + NOT-FOR-US: Samsung +CVE-2022-24925 (Improper input validation vulnerability in SettingsProvider prior to A ...) + NOT-FOR-US: Samsung +CVE-2022-24924 (An improper access control in LiveWallpaperService prior to versions 3 ...) + NOT-FOR-US: Samsung +CVE-2022-24923 (Improper access control vulnerability in Samsung SearchWidget prior to ...) + NOT-FOR-US: Samsung +CVE-2022-24922 + RESERVED +CVE-2022-24921 + RESERVED +CVE-2022-24920 + RESERVED +CVE-2022-24919 + RESERVED +CVE-2022-24918 + RESERVED +CVE-2022-24917 + RESERVED +CVE-2022-24911 + RESERVED +CVE-2022-0564 (A vulnerability in Qlik Sense Enterprise on Windows could allow an rem ...) + NOT-FOR-US: Qlik Sense Enterprise +CVE-2022-24916 (Optimism before @eth-optimism/l2geth@0.5.11 allows economic griefing b ...) + NOT-FOR-US: Optimism +CVE-2022-24908 + RESERVED +CVE-2022-24907 + RESERVED +CVE-2022-24906 + RESERVED +CVE-2022-24905 + RESERVED +CVE-2022-24904 + RESERVED +CVE-2022-24903 + RESERVED +CVE-2022-24902 + RESERVED +CVE-2022-24901 + RESERVED +CVE-2022-24900 + RESERVED +CVE-2022-24899 + RESERVED +CVE-2022-24898 + RESERVED +CVE-2022-24897 + RESERVED +CVE-2022-24896 + RESERVED +CVE-2022-24895 + RESERVED +CVE-2022-24894 + RESERVED +CVE-2022-24893 + RESERVED +CVE-2022-24892 + RESERVED +CVE-2022-24891 + RESERVED +CVE-2022-24890 + RESERVED +CVE-2022-24889 + RESERVED +CVE-2022-24888 + RESERVED +CVE-2022-24887 + RESERVED +CVE-2022-24886 + RESERVED +CVE-2022-24885 + RESERVED +CVE-2022-24884 + RESERVED +CVE-2022-24883 + RESERVED +CVE-2022-24882 + RESERVED +CVE-2022-24881 + RESERVED +CVE-2022-24880 + RESERVED +CVE-2022-24879 + RESERVED +CVE-2022-24878 + RESERVED +CVE-2022-24877 + RESERVED +CVE-2022-24876 + RESERVED +CVE-2022-24875 + RESERVED +CVE-2022-24874 + RESERVED +CVE-2022-24873 + RESERVED +CVE-2022-24872 + RESERVED +CVE-2022-24871 + RESERVED +CVE-2022-24870 + RESERVED +CVE-2022-24869 + RESERVED +CVE-2022-24868 + RESERVED +CVE-2022-24867 + RESERVED +CVE-2022-24866 + RESERVED +CVE-2022-24865 + RESERVED +CVE-2022-24864 + RESERVED +CVE-2022-24863 + RESERVED +CVE-2022-24862 + RESERVED +CVE-2022-24861 + RESERVED +CVE-2022-24860 + RESERVED +CVE-2022-24859 + RESERVED +CVE-2022-24858 + RESERVED +CVE-2022-24857 + RESERVED +CVE-2022-24856 + RESERVED +CVE-2022-24855 + RESERVED +CVE-2022-24854 + RESERVED +CVE-2022-24853 + RESERVED +CVE-2022-24852 + RESERVED +CVE-2022-24851 + RESERVED +CVE-2022-24850 + RESERVED +CVE-2022-24849 + RESERVED +CVE-2022-24848 + RESERVED +CVE-2022-24847 + RESERVED +CVE-2022-24846 + RESERVED +CVE-2022-24845 + RESERVED +CVE-2022-24844 + RESERVED +CVE-2022-24843 + RESERVED +CVE-2022-24842 + RESERVED +CVE-2022-24841 + RESERVED +CVE-2022-24840 + RESERVED +CVE-2022-24839 + RESERVED +CVE-2022-24838 + RESERVED +CVE-2022-24837 + RESERVED +CVE-2022-24836 + RESERVED +CVE-2022-24835 + RESERVED +CVE-2022-24834 + RESERVED +CVE-2022-24833 + RESERVED +CVE-2022-24832 + RESERVED +CVE-2022-24831 + RESERVED +CVE-2022-24830 + RESERVED +CVE-2022-24829 + RESERVED +CVE-2022-24828 + RESERVED +CVE-2022-24827 + RESERVED +CVE-2022-24826 + RESERVED +CVE-2022-24825 + RESERVED +CVE-2022-24824 + RESERVED +CVE-2022-24823 + RESERVED +CVE-2022-24822 + RESERVED +CVE-2022-24821 + RESERVED +CVE-2022-24820 + RESERVED +CVE-2022-24819 + RESERVED +CVE-2022-24818 + RESERVED +CVE-2022-24817 + RESERVED +CVE-2022-24816 + RESERVED +CVE-2022-24815 + RESERVED +CVE-2022-24814 + RESERVED +CVE-2022-24813 + RESERVED +CVE-2022-24812 + RESERVED +CVE-2022-24811 + RESERVED +CVE-2022-24810 + RESERVED +CVE-2022-24809 + RESERVED +CVE-2022-24808 + RESERVED +CVE-2022-24807 + RESERVED +CVE-2022-24806 + RESERVED +CVE-2022-24805 + RESERVED +CVE-2022-24804 + RESERVED +CVE-2022-24803 + RESERVED +CVE-2022-24802 + RESERVED +CVE-2022-24801 + RESERVED +CVE-2022-24800 + RESERVED +CVE-2022-24799 + RESERVED +CVE-2022-24798 + RESERVED +CVE-2022-24797 + RESERVED +CVE-2022-24796 + RESERVED +CVE-2022-24795 + RESERVED +CVE-2022-24794 + RESERVED +CVE-2022-24793 + RESERVED +CVE-2022-24792 + RESERVED +CVE-2022-24791 + RESERVED +CVE-2022-24790 + RESERVED +CVE-2022-24789 + RESERVED +CVE-2022-24788 + RESERVED +CVE-2022-24787 + RESERVED +CVE-2022-24786 + RESERVED +CVE-2022-24785 + RESERVED +CVE-2022-24784 + RESERVED +CVE-2022-24783 + RESERVED +CVE-2022-24782 + RESERVED +CVE-2022-24781 + RESERVED +CVE-2022-24780 + RESERVED +CVE-2022-24779 + RESERVED +CVE-2022-24778 + RESERVED +CVE-2022-24777 + RESERVED +CVE-2022-24776 + RESERVED +CVE-2022-24775 + RESERVED +CVE-2022-24774 + RESERVED +CVE-2022-24773 + RESERVED +CVE-2022-24772 + RESERVED +CVE-2022-24771 + RESERVED +CVE-2022-24770 + RESERVED +CVE-2022-24769 + RESERVED +CVE-2022-24768 + RESERVED +CVE-2022-24767 + RESERVED +CVE-2022-24766 + RESERVED +CVE-2022-24765 + RESERVED +CVE-2022-24764 + RESERVED +CVE-2022-24763 + RESERVED +CVE-2022-24762 + RESERVED +CVE-2022-24761 + RESERVED +CVE-2022-24760 + RESERVED +CVE-2022-24759 + RESERVED +CVE-2022-24758 + RESERVED +CVE-2022-24757 + RESERVED +CVE-2022-24756 + RESERVED +CVE-2022-24755 + RESERVED +CVE-2022-24754 + RESERVED +CVE-2022-24753 + RESERVED +CVE-2022-24752 + RESERVED +CVE-2022-24751 + RESERVED +CVE-2022-24750 + RESERVED +CVE-2022-24749 + RESERVED +CVE-2022-24748 + RESERVED +CVE-2022-24747 + RESERVED +CVE-2022-24746 + RESERVED +CVE-2022-24745 + RESERVED +CVE-2022-24744 + RESERVED +CVE-2022-24743 + RESERVED +CVE-2022-24742 + RESERVED +CVE-2022-24741 + RESERVED +CVE-2022-24740 + RESERVED +CVE-2022-24739 + RESERVED +CVE-2022-24738 + RESERVED +CVE-2022-24737 + RESERVED +CVE-2022-24736 + RESERVED +CVE-2022-24735 + RESERVED +CVE-2022-24734 + RESERVED +CVE-2022-24733 + RESERVED +CVE-2022-24732 + RESERVED +CVE-2022-24731 + RESERVED +CVE-2022-24730 + RESERVED +CVE-2022-24729 + RESERVED +CVE-2022-24728 + RESERVED +CVE-2022-24727 + RESERVED +CVE-2022-24726 + RESERVED +CVE-2022-24725 + RESERVED +CVE-2022-24724 + RESERVED +CVE-2022-24723 + RESERVED +CVE-2022-24722 + RESERVED +CVE-2022-24721 + RESERVED +CVE-2022-24720 + RESERVED +CVE-2022-24719 + RESERVED +CVE-2022-24718 + RESERVED +CVE-2022-24717 + RESERVED +CVE-2022-24716 + RESERVED +CVE-2022-24715 + RESERVED +CVE-2022-24714 + RESERVED +CVE-2022-24713 + RESERVED +CVE-2022-24712 + RESERVED +CVE-2022-24711 + RESERVED +CVE-2022-24710 + RESERVED +CVE-2022-24709 + RESERVED +CVE-2022-24708 + RESERVED +CVE-2022-24707 + RESERVED +CVE-2022-24706 + RESERVED +CVE-2022-24705 (The rad_packet_recv function in radius/packet.c suffers from a memcpy ...) + NOT-FOR-US: ACCEL-PPP +CVE-2022-24704 (The rad_packet_recv function in opt/src/accel-pppd/radius/packet.c suf ...) + NOT-FOR-US: ACCEL-PPP +CVE-2022-23922 + RESERVED +CVE-2022-23104 + RESERVED +CVE-2022-0563 (A flaw was found in the util-linux chfn and chsh utilities when compil ...) + - util-linux <unfixed> (unimportant) + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2053151 + NOTE: https://lore.kernel.org/util-linux/20220214110609.msiwlm457ngoic6w@ws.net.home/T/#u + NOTE: https://github.com/util-linux/util-linux/commit/faa5a3a83ad0cb5e2c303edbfd8cd823c9d94c17 + NOTE: util-linux in Debian does build with readline support but chfn and chsh are provided + NOTE: by src:shadow and util-linux is configured with --disable-chfn-chsh +CVE-2022-0562 (Null source pointer passed as an argument to memcpy() function within ...) + - tiff 4.3.0-4 + [bullseye] - tiff <no-dsa> (Minor issue) + [buster] - tiff <no-dsa> (Minor issue) + NOTE: https://gitlab.com/libtiff/libtiff/-/issues/362 + NOTE: Fixed by: https://gitlab.com/libtiff/libtiff/-/commit/561599c99f987dc32ae110370cfdd7df7975586b +CVE-2022-0561 (Null source pointer passed as an argument to memcpy() function within ...) + - tiff 4.3.0-4 + [bullseye] - tiff <no-dsa> (Minor issue) + [buster] - tiff <no-dsa> (Minor issue) + NOTE: https://gitlab.com/libtiff/libtiff/-/issues/362 + NOTE: Fixed by: https://gitlab.com/libtiff/libtiff/-/commit/eecb0712f4c3a5b449f70c57988260a667ddbdef +CVE-2022-0560 (Open Redirect in Packagist microweber/microweber prior to 1.2.11. ...) + NOT-FOR-US: microweber +CVE-2022-0559 (Use After Free in GitHub repository radareorg/radare2 prior to 5.6.2. ...) + - radare2 <unfixed> + NOTE: https://huntr.dev/bounties/aa80adb7-e900-44a5-ad05-91f3ccdfc81e + NOTE: https://github.com/radareorg/radare2/commit/b5cb90b28ec71fda3504da04e3cc94a362807f5e +CVE-2022-0558 (Cross-site Scripting (XSS) - Stored in Packagist microweber/microweber ...) + NOT-FOR-US: microweber +CVE-2022-0557 (OS Command Injection in Packagist microweber/microweber prior to 1.2.1 ...) + NOT-FOR-US: microweber +CVE-2022-24703 + RESERVED +CVE-2022-24702 + RESERVED +CVE-2022-24701 + RESERVED +CVE-2022-24700 + RESERVED +CVE-2022-0556 + RESERVED +CVE-2022-0555 + RESERVED +CVE-2022-0554 (Use of Out-of-range Pointer Offset in GitHub repository vim/vim prior ...) + - vim <unfixed> + [bullseye] - vim <no-dsa> (Minor issue) + [buster] - vim <no-dsa> (Minor issue) + NOTE: https://huntr.dev/bounties/7e8f6cd0-b5ee-48a2-8255-6a86f4c46c71/ + NOTE: https://github.com/vim/vim/commit/e3537aec2f8d6470010547af28dcbd83d41461b8 (v8.2.4327) +CVE-2022-0553 + RESERVED +CVE-2022-0552 + RESERVED +CVE-2022-24699 + RESERVED +CVE-2022-24698 + RESERVED +CVE-2022-24697 + RESERVED +CVE-2022-0551 + RESERVED +CVE-2022-0550 + RESERVED +CVE-2022-0549 + RESERVED +CVE-2022-0548 + RESERVED +CVE-2022-24696 + RESERVED +CVE-2022-24695 + RESERVED +CVE-2022-24694 (In Mahara 20.10 before 20.10.4, 21.04 before 21.04.3, and 21.10 before ...) + - mahara <removed> +CVE-2022-24693 + RESERVED +CVE-2022-24692 + RESERVED +CVE-2022-24691 + RESERVED +CVE-2022-24690 + RESERVED +CVE-2022-24689 + RESERVED +CVE-2022-24688 + RESERVED +CVE-2022-24687 + RESERVED +CVE-2022-24686 (HashiCorp Nomad and Nomad Enterprise 0.3.0 through 1.0.17, 1.1.11, and ...) + - nomad <unfixed> + NOTE: https://discuss.hashicorp.com/t/hcsec-2022-01-nomad-artifact-download-race-condition/35559 +CVE-2022-24685 + RESERVED +CVE-2022-24684 (HashiCorp Nomad and Nomad Enterprise before 1.0.17, 1.1.x before 1.1.1 ...) + - nomad <undetermined> + NOTE: https://discuss.hashicorp.com/t/hcsec-2022-04-nomad-spread-job-stanza-may-trigger-panic-in-servers/35562 +CVE-2022-24683 (HashiCorp Nomad and Nomad Enterprise 0.9.2 through 1.0.17, 1.1.11, and ...) + - nomad <unfixed> + NOTE: https://discuss.hashicorp.com/t/hcsec-2022-02-nomad-alloc-filesystem-and-container-escape/35560 +CVE-2022-24682 (An issue was discovered in the Calendar feature in Zimbra Collaboratio ...) + NOT-FOR-US: Zimbra +CVE-2022-24681 + RESERVED +CVE-2022-24680 + RESERVED +CVE-2022-24679 + RESERVED +CVE-2022-24678 + RESERVED +CVE-2022-24677 (Admin.php in HYBBS2 through 2.3.2 allows remote code execution because ...) + NOT-FOR-US: HYBBS2 +CVE-2022-24676 (update_code in Admin.php in HYBBS2 through 2.3.2 allows arbitrary file ...) + NOT-FOR-US: HYBBS2 +CVE-2022-24675 + RESERVED +CVE-2022-24674 + RESERVED +CVE-2022-24673 + RESERVED +CVE-2022-24672 + RESERVED +CVE-2022-24383 + RESERVED +CVE-2022-21228 + RESERVED +CVE-2022-21214 + RESERVED +CVE-2022-21202 + RESERVED +CVE-2022-21168 + RESERVED +CVE-2022-24671 + RESERVED +CVE-2022-24670 + RESERVED +CVE-2022-24669 + RESERVED +CVE-2022-0547 + RESERVED +CVE-2022-0546 + RESERVED +CVE-2022-0545 + RESERVED +CVE-2022-0544 + RESERVED +CVE-2022-0543 (It was discovered, that redis, a persistent key-value database, due to ...) + {DSA-5081-1} + - redis <unfixed> (bug #1005787) + NOTE: https://www.ubercomp.com/posts/2022-01-20_redis_on_debian_rce +CVE-2022-0542 + RESERVED +CVE-2022-0541 + RESERVED +CVE-2022-0540 + RESERVED +CVE-2022-0539 (Cross-site Scripting (XSS) - Stored in Packagist ptrofimov/beanstalk_c ...) + NOT-FOR-US: beanstalk_console +CVE-2022-0538 (Jenkins 2.333 and earlier, LTS 2.319.2 and earlier defines custom XStr ...) + - jenkins <removed> +CVE-2022-0537 + RESERVED +CVE-2022-0536 (Exposure of Sensitive Information to an Unauthorized Actor in NPM foll ...) + - node-follow-redirects 1.14.8+~1.14.0-1 + [bullseye] - node-follow-redirects <no-dsa> (Minor issue) + [buster] - node-follow-redirects <no-dsa> (Minor issue) + NOTE: https://huntr.dev/bounties/7cf2bf90-52da-4d59-8028-a73b132de0db/ + NOTE: https://github.com/follow-redirects/follow-redirects/commit/62e546a99c07c3ee5e4e0718c84a6ca127c5c445 (v1.14.8) +CVE-2022-0535 + RESERVED +CVE-2022-0534 (A vulnerability was found in htmldoc version 1.9.15 where the stack ou ...) + - htmldoc 1.9.15-1 (unimportant) + NOTE: https://github.com/michaelrsweet/htmldoc/issues/463 + NOTE: Fixed by: https://github.com/michaelrsweet/htmldoc/commit/776cf0fc4c760f1fb7b966ce28dc92dd7d44ed50 (v1.9.15) + NOTE: Fixed by: https://github.com/michaelrsweet/htmldoc/commit/312f0f9c12f26fbe015cd0e6cefa40e4b99017d9 (v1.9.15) + NOTE: Crash in CLI tool, no security impact +CVE-2022-0533 + RESERVED +CVE-2022-0532 (An incorrect sysctls validation vulnerability was found in CRI-O 1.18 ...) + NOT-FOR-US: cri-o +CVE-2022-0531 + RESERVED +CVE-2022-0530 (A flaw was found in unzip 6.0. The vulnerability occurs during the con ...) + - unzip <unfixed> + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2051395 + NOTE: Crash in CLI tool, no security impact +CVE-2022-0529 (A flaw was found in unzip 6.0. The vulnerability occurs during the con ...) + - unzip <unfixed> + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2051402 +CVE-2022-24668 (A program using swift-nio-http2 is vulnerable to a denial of service a ...) + NOT-FOR-US: swift-nio-http2 +CVE-2022-24667 (A program using swift-nio-http2 is vulnerable to a denial of service a ...) + NOT-FOR-US: swift-nio-http2 +CVE-2022-24666 (A program using swift-nio-http2 is vulnerable to a denial of service a ...) + NOT-FOR-US: swift-nio-http2 +CVE-2022-0528 + RESERVED +CVE-2022-0527 (Cross-site Scripting (XSS) - Stored in GitHub repository chatwoot/chat ...) + NOT-FOR-US: chatwoot +CVE-2022-0526 (Cross-site Scripting (XSS) - Stored in GitHub repository chatwoot/chat ...) + NOT-FOR-US: chatwoot +CVE-2022-0525 (Out-of-bounds Read in Homebrew mruby prior to 3.2. ...) + - mruby <not-affected> (Vulnerable code introduced later) + NOTE: https://huntr.dev/bounties/e19e109f-acf0-4048-8ee8-1b10a870f1e9 + NOTE: https://github.com/mruby/mruby/commit/0849a2885f81cfd82134992c06df3ccd59052ac7 +CVE-2022-0524 (Business Logic Errors in GitHub repository publify/publify prior to 9. ...) + NOT-FOR-US: Publify +CVE-2022-0523 (Expired Pointer Dereference in GitHub repository radareorg/radare2 pri ...) + - radare2 <unfixed> + NOTE: https://huntr.dev/bounties/9d8d6ae0-fe00-40b9-ae1e-b0e8103bac69 + NOTE: https://github.com/radareorg/radare2/commit/35482cb760db10f87a62569e2f8872dbd95e9269 +CVE-2022-0522 (Access of Memory Location Before Start of Buffer in NPM radare2.js pri ...) + NOT-FOR-US: Node radare2.js +CVE-2022-0521 (Access of Memory Location After End of Buffer in GitHub repository rad ...) + - radare2 <unfixed> + NOTE: https://huntr.dev/bounties/4d436311-bbf1-45a3-8774-bdb666d7f7ca + NOTE: https://github.com/radareorg/radare2/commit/6c4428f018d385fc80a33ecddcb37becea685dd5 +CVE-2022-0520 (Use After Free in NPM radare2.js prior to 5.6.2. ...) + NOT-FOR-US: Node radare2.js +CVE-2022-0519 (Buffer Access with Incorrect Length Value in GitHub repository radareo ...) + - radare2 <unfixed> + NOTE: https://huntr.dev/bounties/af85b9e1-d1cf-4c0e-ba12-525b82b7c1e3 + NOTE: https://github.com/radareorg/radare2/commit/6c4428f018d385fc80a33ecddcb37becea685dd5 +CVE-2022-0518 (Heap-based Buffer Overflow in GitHub repository radareorg/radare2 prio ...) + - radare2 <unfixed> + NOTE: https://huntr.dev/bounties/10051adf-7ddc-4042-8fd0-8e9e0c5b1184 + NOTE: https://github.com/radareorg/radare2/commit/9650e3c352f675687bf6c6f65ff2c4a3d0e288fa +CVE-2022-0517 + RESERVED +CVE-2022-0516 [KVM: s390: Return error on SIDA memop on normal guest] + RESERVED + - linux 5.16.10-1 + [buster] - linux <not-affected> (Vulnerable code not present) + [stretch] - linux <not-affected> (Vulnerable code not present) + NOTE: Fixed by: https://git.kernel.org/linus/2c212e1baedcd782b2535a3f86bc491977677c0e + NOTE: https://www.openwall.com/lists/oss-security/2022/02/11/2 +CVE-2022-24665 (PHP Everywhere <= 2.0.3 included functionality that allowed executi ...) + NOT-FOR-US: PHP Everywhere +CVE-2022-24664 (PHP Everywhere <= 2.0.3 included functionality that allowed executi ...) + NOT-FOR-US: PHP Everywhere +CVE-2022-24663 (PHP Everywhere <= 2.0.3 included functionality that allowed executi ...) + NOT-FOR-US: PHP Everywhere +CVE-2022-24662 + RESERVED +CVE-2022-24661 + RESERVED +CVE-2022-24660 + RESERVED +CVE-2022-24659 + RESERVED +CVE-2022-24658 + RESERVED +CVE-2022-24657 + RESERVED +CVE-2022-24656 + RESERVED +CVE-2022-24655 + RESERVED +CVE-2022-24654 + RESERVED +CVE-2022-24653 + RESERVED +CVE-2022-24652 + RESERVED +CVE-2022-24651 + RESERVED +CVE-2022-24650 + RESERVED +CVE-2022-24649 + RESERVED +CVE-2022-24648 + RESERVED +CVE-2022-24647 (Cuppa CMS v1.0 was discovered to contain an arbitrary file deletion vu ...) + NOT-FOR-US: Cuppa CMS +CVE-2022-24646 (Hospital Management System v4.0 was discovered to contain a SQL inject ...) + NOT-FOR-US: Hospital Management System +CVE-2022-24645 + RESERVED +CVE-2022-24644 + RESERVED +CVE-2022-24643 + RESERVED +CVE-2022-24642 + RESERVED +CVE-2022-24641 + RESERVED +CVE-2022-24640 + RESERVED +CVE-2022-24639 + RESERVED +CVE-2022-24638 + RESERVED +CVE-2022-24637 + RESERVED +CVE-2022-24636 + RESERVED +CVE-2022-24635 + RESERVED +CVE-2022-24634 + RESERVED +CVE-2022-24633 + RESERVED +CVE-2022-24632 + RESERVED +CVE-2022-24631 + RESERVED +CVE-2022-24630 + RESERVED +CVE-2022-24629 + RESERVED +CVE-2022-24628 + RESERVED +CVE-2022-24627 + RESERVED +CVE-2022-24626 + RESERVED +CVE-2022-24625 + RESERVED +CVE-2022-24624 + RESERVED +CVE-2022-24623 + RESERVED +CVE-2022-24622 + RESERVED +CVE-2022-24621 + RESERVED +CVE-2022-24620 + RESERVED +CVE-2022-24619 + RESERVED +CVE-2022-24618 + RESERVED +CVE-2022-24617 + RESERVED +CVE-2022-24616 + RESERVED +CVE-2022-24615 + RESERVED +CVE-2022-24614 + RESERVED +CVE-2022-24613 + RESERVED +CVE-2022-24612 + RESERVED +CVE-2022-24611 + RESERVED +CVE-2022-24610 + RESERVED +CVE-2022-24609 + RESERVED +CVE-2022-24608 + RESERVED +CVE-2022-24607 + RESERVED +CVE-2022-24606 + RESERVED +CVE-2022-24605 + RESERVED +CVE-2022-24604 + RESERVED +CVE-2022-24603 + RESERVED +CVE-2022-24602 + RESERVED +CVE-2022-24601 + RESERVED +CVE-2022-24600 + RESERVED +CVE-2022-24599 + RESERVED +CVE-2022-24598 + RESERVED +CVE-2022-24597 + RESERVED +CVE-2022-24596 + RESERVED +CVE-2022-24595 + RESERVED +CVE-2022-24594 + RESERVED +CVE-2022-24593 + RESERVED +CVE-2022-24592 + RESERVED +CVE-2022-24591 + RESERVED +CVE-2022-24590 (A stored cross-site scripting (XSS) vulnerability in the Add Link func ...) + NOT-FOR-US: BackdropCMS +CVE-2022-24589 (Burden v3.0 was discovered to contain a stored cross-site scripting (X ...) + NOT-FOR-US: Burden +CVE-2022-24588 (Flatpress v1.2.1 was discovered to contain a cross-site scripting (XSS ...) + NOT-FOR-US: Flatpress +CVE-2022-24587 (A stored cross-site scripting (XSS) vulnerability in the component cor ...) + - pluxml <undetermined> + NOTE: https://github.com/Nguyen-Trung-Kien/CVE/blob/main/CVE-2022-24587/CVE-2022-24587.pdf + TODO: check if reported upstream +CVE-2022-24586 (A stored cross-site scripting (XSS) vulnerability in the component /co ...) + - pluxml <undetermined> + NOTE: https://github.com/Nguyen-Trung-Kien/CVE/blob/main/CVE-2022-24586/CVE-2022-24586.pdf + TODO: check if reported upstream +CVE-2022-24585 (A stored cross-site scripting (XSS) vulnerability in the component /co ...) + - pluxml <undetermined> + NOTE: https://github.com/Nguyen-Trung-Kien/CVE/blob/main/CVE-2022-24585/CVE-2022-24585.pdf + TODO: check if reported upstream +CVE-2022-24584 + RESERVED +CVE-2022-24583 + RESERVED +CVE-2022-24582 + RESERVED +CVE-2022-24581 + RESERVED +CVE-2022-24580 + RESERVED +CVE-2022-24579 + RESERVED +CVE-2022-24578 + RESERVED +CVE-2022-24577 + RESERVED +CVE-2022-24576 + RESERVED +CVE-2022-24575 + RESERVED +CVE-2022-24574 + RESERVED +CVE-2022-24573 + RESERVED +CVE-2022-24572 + RESERVED +CVE-2022-24571 + RESERVED +CVE-2022-24570 + RESERVED +CVE-2022-24569 + RESERVED +CVE-2022-24568 (Novel-plus v3.6.0 was discovered to be vulnerable to Server-Side Reque ...) + NOT-FOR-US: Novel-plus +CVE-2022-24567 + RESERVED +CVE-2022-24566 + RESERVED +CVE-2022-24565 + RESERVED +CVE-2022-24564 (Checkmk <=2.0.0p19 contains a Cross Site Scripting (XSS) vulnerabil ...) + TODO: check +CVE-2022-24563 + RESERVED +CVE-2022-24562 + RESERVED +CVE-2022-24561 + RESERVED +CVE-2022-24560 + RESERVED +CVE-2022-24559 + RESERVED +CVE-2022-24558 + RESERVED +CVE-2022-24557 + RESERVED +CVE-2022-24556 + RESERVED +CVE-2022-24555 + RESERVED +CVE-2022-24554 + RESERVED +CVE-2022-24553 (An issue was found in Zfaka <= 1.4.5. The verification of the backg ...) + NOT-FOR-US: Zfaka +CVE-2022-24552 (StarWind SAN and NAS before 0.2 build 1685 allows remote code executio ...) + NOT-FOR-US: StarWind +CVE-2022-24551 (StarWind SAN and NAS before 0.2 build 1685 allows users to reset other ...) + NOT-FOR-US: StarWind +CVE-2022-24550 + RESERVED +CVE-2022-24549 + RESERVED +CVE-2022-24548 + RESERVED +CVE-2022-24547 + RESERVED +CVE-2022-24546 + RESERVED +CVE-2022-24545 + RESERVED +CVE-2022-24544 + RESERVED +CVE-2022-24543 + RESERVED +CVE-2022-24542 + RESERVED +CVE-2022-24541 + RESERVED +CVE-2022-24540 + RESERVED +CVE-2022-24539 + RESERVED +CVE-2022-24538 + RESERVED +CVE-2022-24537 + RESERVED +CVE-2022-24536 + RESERVED +CVE-2022-24535 + RESERVED +CVE-2022-24534 + RESERVED +CVE-2022-24533 + RESERVED +CVE-2022-24532 + RESERVED +CVE-2022-24531 + RESERVED +CVE-2022-24530 + RESERVED +CVE-2022-24529 + RESERVED +CVE-2022-24528 + RESERVED +CVE-2022-24527 + RESERVED +CVE-2022-24526 + RESERVED +CVE-2022-24525 + RESERVED +CVE-2022-24524 + RESERVED +CVE-2022-24523 + RESERVED +CVE-2022-24522 + RESERVED +CVE-2022-24521 + RESERVED +CVE-2022-24520 + RESERVED +CVE-2022-24519 + RESERVED +CVE-2022-24518 + RESERVED +CVE-2022-24517 + RESERVED +CVE-2022-24516 + RESERVED +CVE-2022-24515 + RESERVED +CVE-2022-24514 + RESERVED +CVE-2022-24513 + RESERVED +CVE-2022-24512 + RESERVED +CVE-2022-24511 + RESERVED +CVE-2022-24510 + RESERVED +CVE-2022-24509 + RESERVED +CVE-2022-24508 + RESERVED +CVE-2022-24507 + RESERVED +CVE-2022-24506 + RESERVED +CVE-2022-24505 + RESERVED +CVE-2022-24504 + RESERVED +CVE-2022-24503 + RESERVED +CVE-2022-24502 + RESERVED +CVE-2022-24501 + RESERVED +CVE-2022-24500 + RESERVED +CVE-2022-24499 + RESERVED +CVE-2022-24498 + RESERVED +CVE-2022-24497 + RESERVED +CVE-2022-24496 + RESERVED +CVE-2022-24495 + RESERVED +CVE-2022-24494 + RESERVED +CVE-2022-24493 + RESERVED +CVE-2022-24492 + RESERVED +CVE-2022-24491 + RESERVED +CVE-2022-24490 + RESERVED +CVE-2022-24489 + RESERVED +CVE-2022-24488 + RESERVED +CVE-2022-24487 + RESERVED +CVE-2022-24486 + RESERVED +CVE-2022-24485 + RESERVED +CVE-2022-24484 + RESERVED +CVE-2022-24483 + RESERVED +CVE-2022-24482 + RESERVED +CVE-2022-24481 + RESERVED +CVE-2022-24480 + RESERVED +CVE-2022-24479 + RESERVED +CVE-2022-24478 + RESERVED +CVE-2022-24477 + RESERVED +CVE-2022-24476 + RESERVED +CVE-2022-24475 + RESERVED +CVE-2022-24474 + RESERVED +CVE-2022-24473 + RESERVED +CVE-2022-24472 + RESERVED +CVE-2022-24471 + RESERVED +CVE-2022-24470 + RESERVED +CVE-2022-24469 + RESERVED +CVE-2022-24468 + RESERVED +CVE-2022-24467 + RESERVED +CVE-2022-24466 + RESERVED +CVE-2022-24465 + RESERVED +CVE-2022-24464 + RESERVED +CVE-2022-24463 + RESERVED +CVE-2022-24462 + RESERVED +CVE-2022-24461 + RESERVED +CVE-2022-24460 + RESERVED +CVE-2022-24459 + RESERVED +CVE-2022-24458 + RESERVED +CVE-2022-24457 + RESERVED +CVE-2022-24456 + RESERVED +CVE-2022-24455 + RESERVED +CVE-2022-24454 + RESERVED +CVE-2022-24453 + RESERVED +CVE-2022-24452 + RESERVED +CVE-2022-24451 + RESERVED +CVE-2022-24450 (NATS nats-server before 2.7.2 has Incorrect Access Control. Any authen ...) + NOT-FOR-US: nats-server +CVE-2022-24449 + RESERVED +CVE-2022-24448 (An issue was discovered in fs/nfs/dir.c in the Linux kernel before 5.1 ...) + - linux 5.16.7-1 + NOTE: Fixed by: https://git.kernel.org/linus/ac795161c93699d600db16c1a8cc23a65a1eceaf (5.17-rc2) +CVE-2022-24447 + RESERVED +CVE-2022-24446 + RESERVED +CVE-2022-24445 + REJECTED +CVE-2022-24444 + RESERVED +CVE-2022-24443 + RESERVED +CVE-2022-24442 + RESERVED +CVE-2022-24428 + RESERVED +CVE-2022-24427 + RESERVED +CVE-2022-24426 + RESERVED +CVE-2022-24425 + RESERVED +CVE-2022-24424 + RESERVED +CVE-2022-24423 + RESERVED +CVE-2022-24422 + RESERVED +CVE-2022-24421 + RESERVED +CVE-2022-24420 + RESERVED +CVE-2022-24419 + RESERVED +CVE-2022-24418 + RESERVED +CVE-2022-24417 + RESERVED +CVE-2022-24416 + RESERVED +CVE-2022-24415 + RESERVED +CVE-2022-24414 + RESERVED +CVE-2022-24413 + RESERVED +CVE-2022-24412 + RESERVED +CVE-2022-24411 + RESERVED +CVE-2022-24410 + RESERVED +CVE-2022-24409 + RESERVED +CVE-2022-24380 + RESERVED +CVE-2022-22147 + RESERVED +CVE-2022-21130 + RESERVED +CVE-2022-0515 + RESERVED +CVE-2022-0514 + RESERVED +CVE-2022-0513 (The WP Statistics WordPress plugin is vulnerable to SQL Injection due ...) + NOT-FOR-US: WordPress plugin +CVE-2022-0512 (Authorization Bypass Through User-Controlled Key in NPM url-parse prio ...) + - node-url-parse 1.5.7-1 + [bullseye] - node-url-parse <no-dsa> (Minor issue) + [buster] - node-url-parse <no-dsa> (Minor issue) + NOTE: https://huntr.dev/bounties/6d1bc51f-1876-4f5b-a2c2-734e09e8e05b + NOTE: https://github.com/unshiftio/url-parse/commit/9be7ee88afd2bb04e4d5a1a8da9a389ac13f8c40 (1.5.6) +CVE-2022-0511 + RESERVED + - firefox 97.0-1 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-04/#CVE-2022-0511 +CVE-2022-0510 (Cross-site Scripting (XSS) - Reflected in Packagist pimcore/pimcore pr ...) + NOT-FOR-US: pimcore +CVE-2022-0509 (Cross-site Scripting (XSS) - Stored in Packagist pimcore/pimcore prior ...) + NOT-FOR-US: pimcore +CVE-2022-0508 (Server-Side Request Forgery (SSRF) in GitHub repository chocobozzz/pee ...) + - peertube <itp> (bug #950821) +CVE-2022-0507 + RESERVED +CVE-2022-0506 (Cross-site Scripting (XSS) - Stored in Packagist microweber/microweber ...) + NOT-FOR-US: microweber +CVE-2022-0505 (Cross-Site Request Forgery (CSRF) in Packagist microweber/microweber p ...) + NOT-FOR-US: microweber +CVE-2022-0504 (Generation of Error Message Containing Sensitive Information in Packag ...) + NOT-FOR-US: microweber +CVE-2022-0503 + RESERVED +CVE-2022-0502 (Cross-site Scripting (XSS) - Stored in Packagist remdex/livehelperchat ...) + NOT-FOR-US: livehelperchat +CVE-2022-24408 + RESERVED +CVE-2022-0501 (Cross-site Scripting (XSS) - Reflected in Packagist ptrofimov/beanstal ...) + NOT-FOR-US: beanstalk_console +CVE-2022-0500 + RESERVED + - linux <unfixed> + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2044578 +CVE-2022-0499 + RESERVED +CVE-2022-0498 + REJECTED +CVE-2022-0497 + RESERVED + - openscad 2021.01-4 (unimportant; bug #1005641) + NOTE: https://github.com/openscad/openscad/issues/4043 + NOTE: Crash in CLI tool, no security impact +CVE-2022-0496 + RESERVED + - openscad 2021.01-4 (unimportant; bug #1005641) + NOTE: https://github.com/openscad/openscad/issues/4037 + NOTE: Crash in CLI tool, no security impact +CVE-2022-0495 + RESERVED +CVE-2022-0494 + RESERVED +CVE-2022-0493 + RESERVED +CVE-2022-24407 + RESERVED +CVE-2022-24406 + RESERVED +CVE-2022-24405 + RESERVED +CVE-2022-24404 + RESERVED +CVE-2022-24403 + RESERVED +CVE-2022-24402 + RESERVED +CVE-2022-24401 + RESERVED +CVE-2022-24400 + RESERVED +CVE-2022-24382 + RESERVED +CVE-2022-24379 + RESERVED +CVE-2022-24297 + RESERVED +CVE-2022-23917 + RESERVED +CVE-2022-23914 + RESERVED +CVE-2022-22730 + RESERVED +CVE-2022-21807 + RESERVED +CVE-2022-21795 + RESERVED +CVE-2022-21233 + RESERVED +CVE-2022-21128 + RESERVED +CVE-2022-0492 [cgroup-v1: Require capabilities to set release_agent] + RESERVED + - linux 5.16.7-1 + NOTE: https://www.openwall.com/lists/oss-security/2022/02/04/1 + NOTE: https://git.kernel.org/linus/24f6008564183aa120d07c03d9289519c2fe02af +CVE-2022-0491 + RESERVED +CVE-2022-0490 + RESERVED +CVE-2022-0489 + RESERVED +CVE-2022-0488 + RESERVED +CVE-2022-24399 + RESERVED +CVE-2022-24398 + RESERVED +CVE-2022-24397 + RESERVED +CVE-2022-24396 + RESERVED +CVE-2022-24395 + RESERVED +CVE-2022-24394 + RESERVED +CVE-2022-24393 + RESERVED +CVE-2022-24392 + RESERVED +CVE-2022-24391 + RESERVED +CVE-2022-24390 + RESERVED +CVE-2022-24389 + RESERVED +CVE-2022-24388 + RESERVED +CVE-2022-24387 + RESERVED +CVE-2022-24386 + RESERVED +CVE-2022-24385 + RESERVED +CVE-2022-24384 + RESERVED +CVE-2022-21241 (Cross-site scripting vulnerability in CSV+ prior to 0.8.1 allows a rem ...) + NOT-FOR-US: CSV+ +CVE-2022-0487 (A use-after-free vulnerability was found in rtsx_usb_ms_drv_remove in ...) + - linux 5.16.10-1 (unimportant) + NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1194516 + NOTE: https://lore.kernel.org/all/20220114075934.302464-1-gregkh@linuxfoundation.org/ + NOTE: https://git.kernel.org/linus/bd2db32e7c3e35bd4d9b8bbff689434a50893546 (5.17-rc4) + NOTE: CONFIG_MMC_MOXART is not set in Debian. +CVE-2022-0486 + RESERVED +CVE-2022-0485 [nbdcopy: missing error handling may create corrupted destination image] + RESERVED + - libnbd 1.10.5-1 (bug #1005307) + [bullseye] - libnbd <no-dsa> (Minor issue) + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2050324 + NOTE: Fixed by: https://gitlab.com/nbdkit/libnbd/-/commit/8d444b41d09a700c7ee6f9182a649f3f2d325abb (v1.11.8) + NOTE: Fixed by: https://gitlab.com/nbdkit/libnbd/-/commit/9219d2e70c770d8efb98d6e8eaf68e8e354631e3 (v1.10.4) + NOTE: Fixed by: https://gitlab.com/nbdkit/libnbd/-/commit/6c8f2f859926b82094fb5e85c446ea099700fa10 (v1.6.6) + NOTE: https://listman.redhat.com/archives/libguestfs/2022-February/msg00104.html +CVE-2022-0484 (Lack of validation of URLs causes Mirantis Container Cloud Lens Extens ...) + NOT-FOR-US: Mirantis Container Cloud Lens +CVE-2022-0483 (Local privilege escalation due to insecure folder permissions. The fol ...) + NOT-FOR-US: Acronis VSS Doctor +CVE-2022-0482 + RESERVED +CVE-2022-24372 + RESERVED +CVE-2022-24371 + RESERVED +CVE-2022-24370 (This vulnerability allows remote attackers to disclose sensitive infor ...) + NOT-FOR-US: Foxit +CVE-2022-24369 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Foxit +CVE-2022-24368 (This vulnerability allows remote attackers to disclose sensitive infor ...) + NOT-FOR-US: Foxit +CVE-2022-24367 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Foxit +CVE-2022-24366 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Foxit +CVE-2022-24365 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Foxit +CVE-2022-24364 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Foxit +CVE-2022-24363 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Foxit +CVE-2022-24362 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Foxit +CVE-2022-24361 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Foxit +CVE-2022-24360 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Foxit +CVE-2022-24359 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Foxit +CVE-2022-24358 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Foxit +CVE-2022-24357 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Foxit +CVE-2022-24356 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Foxit +CVE-2022-24355 (This vulnerability allows network-adjacent attackers to execute arbitr ...) + NOT-FOR-US: TP-Link +CVE-2022-24354 (This vulnerability allows network-adjacent attackers to execute arbitr ...) + NOT-FOR-US: TP-Link +CVE-2022-24353 + RESERVED +CVE-2022-24352 + RESERVED +CVE-2022-24351 + RESERVED +CVE-2022-24350 + RESERVED +CVE-2022-24349 + RESERVED +CVE-2022-24348 (Argo CD before 2.1.9 and 2.2.x before 2.2.4 allows directory traversal ...) + NOT-FOR-US: Argo CD +CVE-2022-24347 + RESERVED +CVE-2022-24346 + RESERVED +CVE-2022-24345 + RESERVED +CVE-2022-24344 + RESERVED +CVE-2022-24343 + RESERVED +CVE-2022-24342 + RESERVED +CVE-2022-24341 + RESERVED +CVE-2022-24340 + RESERVED +CVE-2022-24339 + RESERVED +CVE-2022-24338 + RESERVED +CVE-2022-24337 + RESERVED +CVE-2022-24336 + RESERVED +CVE-2022-24335 + RESERVED +CVE-2022-24334 + RESERVED +CVE-2022-24333 + RESERVED +CVE-2022-24332 + RESERVED +CVE-2022-24331 + RESERVED +CVE-2022-24330 + RESERVED +CVE-2022-24329 + RESERVED +CVE-2022-24328 + RESERVED +CVE-2022-24327 + RESERVED +CVE-2022-24326 + RESERVED +CVE-2022-24325 + RESERVED +CVE-2022-23402 + RESERVED +CVE-2022-23401 + RESERVED +CVE-2022-22729 + RESERVED +CVE-2022-22151 + RESERVED +CVE-2022-22148 + RESERVED +CVE-2022-22145 + RESERVED +CVE-2022-22141 + RESERVED +CVE-2022-21808 + RESERVED +CVE-2022-21194 + RESERVED +CVE-2022-21177 + RESERVED +CVE-2022-0481 (NULL Pointer Dereference in Homebrew mruby prior to 3.2. ...) + - mruby <unfixed> + [bullseye] - mruby <no-dsa> (Minor issue) + [buster] - mruby <no-dsa> (Minor issue) + [stretch] - mruby <no-dsa> (Minor issue) + NOTE: https://huntr.dev/bounties/54725c8c-87f4-41b6-878c-01d8e0ee7027 + NOTE: https://github.com/mruby/mruby/commit/ae3c99767a27f5c6c584162e2adc6a5d0eb2c54e + TODO: check, possibly only introduced with dccd66f9efecd0a974b735c62836fe566015cf37 in 3.1.0-rc +CVE-2022-24324 + RESERVED +CVE-2022-24323 + RESERVED +CVE-2022-24322 + RESERVED +CVE-2022-24321 (A CWE-754: Improper Check for Unusual or Exceptional Conditions vulner ...) + NOT-FOR-US: Schneider Electric +CVE-2022-24320 (A CWE-295: Improper Certificate Validation vulnerability exists that c ...) + NOT-FOR-US: Schneider Electric +CVE-2022-24319 (A CWE-295: Improper Certificate Validation vulnerability exists that c ...) + NOT-FOR-US: Schneider Electric +CVE-2022-24318 (A CWE-326: Inadequate Encryption Strength vulnerability exists that co ...) + NOT-FOR-US: Schneider Electric +CVE-2022-24317 (A CWE-862: Missing Authorization vulnerability exists that could cause ...) + NOT-FOR-US: Schneider Electric +CVE-2022-24316 (A CWE-665: Improper Initialization vulnerability exists that could cau ...) + NOT-FOR-US: Schneider Electric +CVE-2022-24315 (A CWE-125: Out-of-bounds Read vulnerability exists that could cause de ...) + NOT-FOR-US: Schneider Electric +CVE-2022-24314 (A CWE-125: Out-of-bounds Read vulnerability exists that could cause me ...) + NOT-FOR-US: Schneider Electric +CVE-2022-24313 (A CWE-120: Buffer Copy without Checking Size of Input vulnerability ex ...) + NOT-FOR-US: Schneider Electric +CVE-2022-24312 (A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ...) + NOT-FOR-US: Schneider Electric +CVE-2022-24311 (A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ...) + NOT-FOR-US: Schneider Electric +CVE-2022-24310 (A CWE-190: Integer Overflow or Wraparound vulnerability exists that co ...) + NOT-FOR-US: Schneider Electric +CVE-2022-24309 + RESERVED +CVE-2022-0480 + RESERVED + - linux 5.15.3-1 + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2049700 + NOTE: https://git.kernel.org/linus/0f12156dff2862ac54235fc72703f18770769042 (5.15-rc1) +CVE-2022-0479 + RESERVED +CVE-2022-0478 + RESERVED +CVE-2022-0477 + RESERVED +CVE-2022-0476 + RESERVED +CVE-2022-0475 + RESERVED +CVE-2022-0474 (Full list of recipients from customer users in a contact field could b ...) + NOT-FOR-US: OTRS + NOTE: Only affects 8.x, so won't affect znuny fork packaged in Debian +CVE-2022-0473 (OTRS administrators can configure dynamic field and inject malicious J ...) + NOT-FOR-US: OTRS + NOTE: Only affects 7.x, so won't affect znuny fork packaged in Debian +CVE-2022-24308 + RESERVED +CVE-2022-24307 (Mastodon before 3.3.2 and 3.4.x before 3.4.6 has incorrect access cont ...) + NOT-FOR-US: Mastodon +CVE-2022-24306 + RESERVED +CVE-2022-24305 + RESERVED +CVE-2022-24304 + RESERVED +CVE-2022-24303 + RESERVED + - pillow <unfixed> + [bullseye] - pillow <ignored> (Minor issue) + [buster] - pillow <ignored> (Minor issue) + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2052682 + NOTE: https://pillow.readthedocs.io/en/stable/releasenotes/9.0.1.html#security + NOTE: https://github.com/python-pillow/Pillow/commit/427221ef5f19157001bf8b1ad7cfe0b905ca8c26 (9.0.1) +CVE-2022-24302 + RESERVED +CVE-2022-24296 + RESERVED +CVE-2022-24295 (Okta Advanced Server Access Client for Windows prior to version 1.57.0 ...) + NOT-FOR-US: Okta Advanced Server Access Client +CVE-2022-22986 + RESERVED +CVE-2022-0472 (Unrestricted Upload of File with Dangerous Type in Packagist jsdecena/ ...) + NOT-FOR-US: jsdecena/laracom +CVE-2022-0471 + RESERVED +CVE-2022-24294 + RESERVED +CVE-2022-24293 + RESERVED +CVE-2022-24292 + RESERVED +CVE-2022-24291 + RESERVED +CVE-2022-24290 + RESERVED +CVE-2022-24289 (Hessian serialization is a network protocol that supports object-based ...) + NOT-FOR-US: Apache Cayenne +CVE-2022-24288 + RESERVED +CVE-2022-24287 + RESERVED +CVE-2022-21799 (Cross-site scripting vulnerability in ELECOM LAN router WRC-300FEBK-R ...) + NOT-FOR-US: ELECOM +CVE-2022-21173 (Hidden functionality vulnerability in ELECOM LAN routers (WRH-300BK3 f ...) + NOT-FOR-US: ELECOM +CVE-2022-0470 + RESERVED + {DSA-5068-1} + - chromium 98.0.4758.80-1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2022-0469 + RESERVED + {DSA-5068-1} + - chromium 98.0.4758.80-1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2022-0468 + RESERVED + {DSA-5068-1} + - chromium 98.0.4758.80-1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2022-0467 + RESERVED + {DSA-5068-1} + - chromium 98.0.4758.80-1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2022-0466 + RESERVED + {DSA-5068-1} + - chromium 98.0.4758.80-1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2022-0465 + RESERVED + {DSA-5068-1} + - chromium 98.0.4758.80-1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2022-0464 + RESERVED + {DSA-5068-1} + - chromium 98.0.4758.80-1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2022-0463 + RESERVED + {DSA-5068-1} + - chromium 98.0.4758.80-1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2022-0462 + RESERVED + {DSA-5068-1} + - chromium 98.0.4758.80-1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2022-0461 + RESERVED + {DSA-5068-1} + - chromium 98.0.4758.80-1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2022-0460 + RESERVED + {DSA-5068-1} + - chromium 98.0.4758.80-1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2022-0459 + RESERVED + {DSA-5068-1} + - chromium 98.0.4758.80-1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2022-0458 + RESERVED + {DSA-5068-1} + - chromium 98.0.4758.80-1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2022-0457 + RESERVED + {DSA-5068-1} + - chromium 98.0.4758.80-1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2022-0456 + RESERVED + {DSA-5068-1} + - chromium 98.0.4758.80-1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2022-0455 + RESERVED + {DSA-5068-1} + - chromium 98.0.4758.80-1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2022-0454 + RESERVED + {DSA-5068-1} + - chromium 98.0.4758.80-1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2022-0453 + RESERVED + {DSA-5068-1} + - chromium 98.0.4758.80-1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2022-0452 + RESERVED + {DSA-5068-1} + - chromium 98.0.4758.80-1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2022-0451 (Dart SDK contains the HTTPClient in dart:io library whcih includes aut ...) + NOT-FOR-US: Dart SDK +CVE-2022-0450 + RESERVED +CVE-2022-0449 + RESERVED +CVE-2022-0448 + RESERVED +CVE-2022-0447 + RESERVED +CVE-2022-0446 + RESERVED +CVE-2022-0445 + RESERVED +CVE-2022-0444 + RESERVED +CVE-2022-0443 (Use After Free in GitHub repository vim/vim prior to 8.2. ...) + - vim <unfixed> + [bullseye] - vim <no-dsa> (Minor issue) + [buster] - vim <no-dsa> (Minor issue) + NOTE: https://huntr.dev/bounties/b987c8cb-bbbe-4601-8a6c-54ff907c6b51 + NOTE: https://github.com/vim/vim/commit/9b4a80a66544f2782040b641498754bcb5b8d461 (v8.2.4281) +CVE-2022-0442 + RESERVED +CVE-2022-0441 + RESERVED +CVE-2022-0440 + RESERVED +CVE-2022-0439 + RESERVED +CVE-2022-0438 + RESERVED +CVE-2022-24286 + RESERVED +CVE-2022-24285 + RESERVED +CVE-2022-24284 + RESERVED +CVE-2022-24283 + RESERVED +CVE-2022-0437 (Cross-site Scripting (XSS) - DOM in NPM karma prior to 6.3.14. ...) + NOT-FOR-US: Node karma +CVE-2022-0436 + RESERVED +CVE-2022-24282 + RESERVED +CVE-2022-24281 + RESERVED +CVE-2022-24280 + RESERVED +CVE-2022-24277 + RESERVED +CVE-2022-24276 + RESERVED +CVE-2022-24275 + RESERVED +CVE-2022-24274 + RESERVED +CVE-2022-24273 + RESERVED +CVE-2022-24272 + RESERVED +CVE-2022-23400 + RESERVED +CVE-2022-0435 + RESERVED + - linux 5.16.10-1 + NOTE: https://www.openwall.com/lists/oss-security/2022/02/10/1 + NOTE: Fixed by: https://git.kernel.org/linus/9aa422ad326634b76309e8ff342c246800621216 +CVE-2022-0434 + RESERVED +CVE-2022-0433 [missing initialization in bloom filter map in kernel/bpf/bloom_filter.c can lead to DoS] + RESERVED + - linux <not-affected> (Vulnerable code newer in a supported Debian release; only affected experimental) + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2048259 + NOTE: Fixed by: https://git.kernel.org/linus/3ccdcee28415c4226de05438b4d89eb5514edf73 (5.17-rc1) +CVE-2022-0432 (Prototype Pollution in GitHub repository mastodon/mastodon prior to 3. ...) + NOT-FOR-US: Mastodon +CVE-2022-0431 + RESERVED +CVE-2022-0430 + RESERVED +CVE-2022-0429 + RESERVED +CVE-2022-0428 + RESERVED +CVE-2022-0427 + RESERVED +CVE-2022-0426 + RESERVED +CVE-2022-0425 + RESERVED +CVE-2022-0424 + RESERVED +CVE-2022-0423 + RESERVED +CVE-2022-0422 + RESERVED +CVE-2022-0421 + RESERVED +CVE-2022-0420 + RESERVED +CVE-2022-24271 + RESERVED +CVE-2022-24270 + RESERVED +CVE-2022-24269 + RESERVED +CVE-2022-24268 + RESERVED +CVE-2022-24267 + RESERVED +CVE-2022-24266 (Cuppa CMS v1.0 was discovered to contain a SQL injection vulnerability ...) + NOT-FOR-US: Cuppa CMS +CVE-2022-24265 (Cuppa CMS v1.0 was discovered to contain a SQL injection vulnerability ...) + NOT-FOR-US: Cuppa CMS +CVE-2022-24264 (Cuppa CMS v1.0 was discovered to contain a SQL injection vulnerability ...) + NOT-FOR-US: Cuppa CMS +CVE-2022-24263 (Hospital Management System v4.0 was discovered to contain a SQL inject ...) + NOT-FOR-US: Hospital Management System +CVE-2022-24262 (The config restore function of Voipmonitor GUI before v24.96 does not ...) + NOT-FOR-US: Voipmonitor +CVE-2022-24261 + RESERVED +CVE-2022-24260 (A SQL injection vulnerability in Voipmonitor GUI before v24.96 allows ...) + NOT-FOR-US: Voipmonitor +CVE-2022-24259 (An incorrect check in the component cdr.php of Voipmonitor GUI before ...) + NOT-FOR-US: Voipmonitor +CVE-2022-24258 + RESERVED +CVE-2022-24257 + RESERVED +CVE-2022-24256 + RESERVED +CVE-2022-24255 + RESERVED +CVE-2022-24254 + RESERVED +CVE-2022-24253 + RESERVED +CVE-2022-24252 + RESERVED +CVE-2022-24251 + RESERVED +CVE-2022-24250 + RESERVED +CVE-2022-24249 (A Null Pointer Dereference vulnerability exists in GPAC 1.1.0 via the ...) + - gpac <unfixed> + [bullseye] - gpac <no-dsa> (Minor issue) + [buster] - gpac <no-dsa> (Minor issue) + NOTE: https://github.com/gpac/gpac/issues/2081 + NOTE: https://github.com/gpac/gpac/commit/71f9871fc210e60df041b58c84572782b4849de9 +CVE-2022-24248 + RESERVED +CVE-2022-24247 + RESERVED +CVE-2022-24246 + RESERVED +CVE-2022-24245 + RESERVED +CVE-2022-24244 + RESERVED +CVE-2022-24243 + RESERVED +CVE-2022-24242 + RESERVED +CVE-2022-24241 + RESERVED +CVE-2022-24240 + RESERVED +CVE-2022-24239 + RESERVED +CVE-2022-24238 + RESERVED +CVE-2022-24237 + RESERVED +CVE-2022-24236 + RESERVED +CVE-2022-24235 + RESERVED +CVE-2022-24234 + RESERVED +CVE-2022-24233 + RESERVED +CVE-2022-24232 + RESERVED +CVE-2022-24231 + RESERVED +CVE-2022-24230 + RESERVED +CVE-2022-24229 + RESERVED +CVE-2022-24228 + RESERVED +CVE-2022-24227 (A cross-site scripting (XSS) vulnerability in BoltWire v7.10 allows at ...) + NOT-FOR-US: BoltWire +CVE-2022-24226 (Hospital Management System v4.0 was discovered to contain a blind SQL ...) + NOT-FOR-US: Hospital Management System +CVE-2022-24225 + RESERVED +CVE-2022-24224 + RESERVED +CVE-2022-24223 (AtomCMS v2.0 was discovered to contain a SQL injection vulnerability v ...) + NOT-FOR-US: AtomCMS +CVE-2022-24222 (eliteCMS v1.0 was discovered to contain a SQL injection vulnerability ...) + NOT-FOR-US: eliteCMS +CVE-2022-24221 (eliteCMS v1.0 was discovered to contain a SQL injection vulnerability ...) + NOT-FOR-US: eliteCMS +CVE-2022-24220 (eliteCMS v1.0 was discovered to contain a SQL injection vulnerability ...) + NOT-FOR-US: eliteCMS +CVE-2022-24219 (eliteCMS v1.0 was discovered to contain a SQL injection vulnerability ...) + NOT-FOR-US: eliteCMS +CVE-2022-24218 (An issue in /admin/delete_image.php of eliteCMS v1.0 allows attackers ...) + NOT-FOR-US: eliteCMS +CVE-2022-24217 + RESERVED +CVE-2022-24216 + RESERVED +CVE-2022-24215 + RESERVED +CVE-2022-24214 + RESERVED +CVE-2022-24213 + RESERVED +CVE-2022-24212 + RESERVED +CVE-2022-24211 + RESERVED +CVE-2022-24210 + RESERVED +CVE-2022-24209 + RESERVED +CVE-2022-24208 + RESERVED +CVE-2022-24207 + RESERVED +CVE-2022-24206 (Tongda2000 v11.10 was discovered to contain a SQL injection vulnerabil ...) + NOT-FOR-US: Tongda2000 +CVE-2022-24205 + RESERVED +CVE-2022-24204 + RESERVED +CVE-2022-24203 + RESERVED +CVE-2022-24202 + RESERVED +CVE-2022-24201 + RESERVED +CVE-2022-24200 + RESERVED +CVE-2022-24199 + RESERVED +CVE-2022-24198 (iText v7.1.17 was discovered to contain an out-of-bounds exception via ...) + NOT-FOR-US: iText +CVE-2022-24197 (iText v7.1.17 was discovered to contain a stack-based buffer overflow ...) + NOT-FOR-US: iText +CVE-2022-24196 (iText v7.1.17 was discovered to contain an out-of-memory error via the ...) + NOT-FOR-US: iText +CVE-2022-24195 + RESERVED +CVE-2022-24194 + RESERVED +CVE-2022-24193 + RESERVED +CVE-2022-24192 + RESERVED +CVE-2022-24191 + RESERVED +CVE-2022-24190 + RESERVED +CVE-2022-24189 + RESERVED +CVE-2022-24188 + RESERVED +CVE-2022-24187 + RESERVED +CVE-2022-24186 + RESERVED +CVE-2022-24185 + RESERVED +CVE-2022-24184 + RESERVED +CVE-2022-24183 + RESERVED +CVE-2022-24182 + RESERVED +CVE-2022-24181 + RESERVED +CVE-2022-24180 + RESERVED +CVE-2022-24179 + RESERVED +CVE-2022-24178 + RESERVED +CVE-2022-24177 + RESERVED +CVE-2022-24176 + RESERVED +CVE-2022-24175 + RESERVED +CVE-2022-24174 + RESERVED +CVE-2022-24173 + RESERVED +CVE-2022-24172 (Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contai ...) + NOT-FOR-US: Tenda routers +CVE-2022-24171 (Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contai ...) + NOT-FOR-US: Tenda routers +CVE-2022-24170 (Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contai ...) + NOT-FOR-US: Tenda routers +CVE-2022-24169 (Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contai ...) + NOT-FOR-US: Tenda routers +CVE-2022-24168 (Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contai ...) + NOT-FOR-US: Tenda routers +CVE-2022-24167 (Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contai ...) + NOT-FOR-US: Tenda routers +CVE-2022-24166 (Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contai ...) + NOT-FOR-US: Tenda routers +CVE-2022-24165 (Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contai ...) + NOT-FOR-US: Tenda routers +CVE-2022-24164 (Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contai ...) + NOT-FOR-US: Tenda routers +CVE-2022-24163 (Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow i ...) + NOT-FOR-US: Tenda routers +CVE-2022-24162 (Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow i ...) + NOT-FOR-US: Tenda routers +CVE-2022-24161 (Tenda AX3 v16.03.12.10_CN was discovered to contain a heap overflow in ...) + NOT-FOR-US: Tenda routers +CVE-2022-24160 (Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow i ...) + NOT-FOR-US: Tenda routers +CVE-2022-24159 (Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow i ...) + NOT-FOR-US: Tenda routers +CVE-2022-24158 (Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow i ...) + NOT-FOR-US: Tenda routers +CVE-2022-24157 (Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow i ...) + NOT-FOR-US: Tenda routers +CVE-2022-24156 (Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow i ...) + NOT-FOR-US: Tenda routers +CVE-2022-24155 (Tenda AX3 v16.03.12.10_CN was discovered to contain a heap overflow in ...) + NOT-FOR-US: Tenda routers +CVE-2022-24154 (Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow i ...) + NOT-FOR-US: Tenda routers +CVE-2022-24153 (Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow i ...) + NOT-FOR-US: Tenda routers +CVE-2022-24152 (Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow i ...) + NOT-FOR-US: Tenda routers +CVE-2022-24151 (Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow i ...) + NOT-FOR-US: Tenda routers +CVE-2022-24150 (Tenda AX3 v16.03.12.10_CN was discovered to contain a command injectio ...) + NOT-FOR-US: Tenda routers +CVE-2022-24149 (Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow i ...) + NOT-FOR-US: Tenda routers +CVE-2022-24148 (Tenda AX3 v16.03.12.10_CN was discovered to contain a command injectio ...) + NOT-FOR-US: Tenda routers +CVE-2022-24147 (Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow i ...) + NOT-FOR-US: Tenda routers +CVE-2022-24146 (Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow i ...) + NOT-FOR-US: Tenda routers +CVE-2022-24145 (Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow i ...) + NOT-FOR-US: Tenda routers +CVE-2022-24144 (Tenda AX3 v16.03.12.10_CN was discovered to contain a command injectio ...) + NOT-FOR-US: Tenda routers +CVE-2022-24143 (Tenda AX3 v16.03.12.10_CN and AX12 22.03.01.2_CN was discovered to con ...) + NOT-FOR-US: Tenda routers +CVE-2022-24142 (Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow i ...) + NOT-FOR-US: Tenda routers +CVE-2022-24141 + RESERVED +CVE-2022-24140 + RESERVED +CVE-2022-24139 + RESERVED +CVE-2022-24138 + RESERVED +CVE-2022-24137 + RESERVED +CVE-2022-24136 + RESERVED +CVE-2022-24135 + RESERVED +CVE-2022-24134 + RESERVED +CVE-2022-24133 + RESERVED +CVE-2022-24132 + RESERVED +CVE-2022-24131 + RESERVED +CVE-2022-21170 + RESERVED +CVE-2022-0419 (NULL Pointer Dereference in GitHub repository radareorg/radare2 prior ...) + - radare2 <unfixed> + NOTE: https://huntr.dev/bounties/1f84e79d-70e7-4b29-8b48-a108f81c89aa + NOTE: https://github.com/radareorg/radare2/commit/feaa4e7f7399c51ee6f52deb84dc3f795b4035d6 (5.6.0) +CVE-2022-0418 + RESERVED +CVE-2022-0417 (Heap-based Buffer Overflow GitHub repository vim/vim prior to 8.2. ...) + - vim <unfixed> + [bullseye] - vim <no-dsa> (Minor issue) + [buster] - vim <no-dsa> (Minor issue) + NOTE: https://huntr.dev/bounties/fc86bc8d-c866-4ade-8b7f-e49cec306d1a/ + NOTE: https://github.com/vim/vim/commit/652dee448618589de5528a9e9a36995803f5557a (v8.2.4245) +CVE-2022-0416 + RESERVED +CVE-2022-0415 + RESERVED +CVE-2022-24130 (xterm through Patch 370, when Sixel support is enabled, allows attacke ...) + {DLA-2913-1} + - xterm 370-2 (bug #1004689) + [bullseye] - xterm <no-dsa> (Minor issue) + [buster] - xterm <no-dsa> (Minor issue) + NOTE: https://twitter.com/nickblack/status/1487731459398025216 + NOTE: https://www.openwall.com/lists/oss-security/2022/01/30/2 + NOTE: https://www.openwall.com/lists/oss-security/2022/01/30/3 + NOTE: https://github.com/ThomasDickey/xterm-snapshots/commit/1584fc227673264661250d3a8d673c168ac9512d +CVE-2022-24129 (The OIDC OP plugin before 3.0.4 for Shibboleth Identity Provider allow ...) + NOT-FOR-US: Shibboleth identity provider OIDC OP plugin +CVE-2022-24128 + RESERVED +CVE-2022-24127 + RESERVED +CVE-2022-24126 + RESERVED +CVE-2022-24125 + RESERVED +CVE-2022-24124 (The query API in Casdoor before 1.13.1 has a SQL injection vulnerabili ...) + NOT-FOR-US: Casdoor +CVE-2022-24123 (MarkText through 0.16.3 does not sanitize the input of a mermaid block ...) + NOT-FOR-US: MarkText +CVE-2022-24121 (SQL Injection vulnerability discovered in Unified Office Total Connect ...) + NOT-FOR-US: Unified Office +CVE-2022-0414 (Business Logic Errors in Packagist dolibarr/dolibarr prior to 16.0. ...) + - dolibarr <removed> +CVE-2022-0413 (Use After Free in GitHub repository vim/vim prior to 8.2. ...) + - vim <unfixed> + [bullseye] - vim <no-dsa> (Minor issue) + [buster] - vim <no-dsa> (Minor issue) + NOTE: https://huntr.dev/bounties/563d1e8f-5c3d-4669-941c-3216f4a87c38 + NOTE: https://github.com/vim/vim/commit/37f47958b8a2a44abc60614271d9537e7f14e51a (v8.2.4253) +CVE-2022-0412 + RESERVED +CVE-2022-0411 + RESERVED +CVE-2022-0410 + RESERVED +CVE-2022-24122 (kernel/ucount.c in the Linux kernel 5.14 through 5.16.4, when unprivil ...) + - linux 5.15.15-2 + [bullseye] - linux <not-affected> (Vulnerable code not present) + [buster] - linux <not-affected> (Vulnerable code not present) + [stretch] - linux <not-affected> (Vulnerable code not present) + NOTE: https://www.openwall.com/lists/oss-security/2022/01/29/1 + NOTE: https://git.kernel.org/linus/f9d87929d451d3e649699d0f1d74f71f77ad38f5 +CVE-2022-24120 + RESERVED +CVE-2022-24119 + RESERVED +CVE-2022-24118 + RESERVED +CVE-2022-24117 + RESERVED +CVE-2022-24116 + RESERVED +CVE-2022-24115 (Local privilege escalation due to unrestricted loading of unsigned lib ...) + NOT-FOR-US: Acronis +CVE-2022-24114 (Local privilege escalation due to race condition on application startu ...) + NOT-FOR-US: Acronis +CVE-2022-24113 (Local privilege escalation due to excessive permissions assigned to ch ...) + NOT-FOR-US: Acronis +CVE-2022-0409 (Unrestricted Upload of File with Dangerous Type in Packagist showdoc/s ...) + NOT-FOR-US: ShowDoc +CVE-2022-0408 (Stack-based Buffer Overflow in GitHub repository vim/vim prior to 8.2. ...) + - vim <unfixed> + [bullseye] - vim <no-dsa> (Minor issue) + [buster] - vim <no-dsa> (Minor issue) + NOTE: https://huntr.dev/bounties/5e635bad-5cf6-46cd-aeac-34ef224e179d + NOTE: https://github.com/vim/vim/commit/06f15416bb8d5636200a10776f1752c4d6e49f31 (v8.2.4247) +CVE-2022-0407 (Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2. ...) + - vim <unfixed> + [bullseye] - vim <no-dsa> (Minor issue) + [buster] - vim <no-dsa> (Minor issue) + NOTE: https://huntr.dev/bounties/81822bf7-aafe-4d37-b836-1255d46e572c + NOTE: https://github.com/vim/vim/commit/44db8213d38c39877d2148eff6a72f4beccfb94e (v8.2.4219) +CVE-2022-24112 (An attacker can abuse the batch-requests plugin to send requests to by ...) + NOT-FOR-US: Apache APISIX +CVE-2022-0406 + RESERVED +CVE-2022-0405 + RESERVED +CVE-2022-0404 + RESERVED +CVE-2022-0403 + RESERVED +CVE-2022-0402 + RESERVED +CVE-2022-0401 (Path Traversal in NPM w-zip prior to 1.0.12. ...) + NOT-FOR-US: Node w-zip +CVE-2022-0400 [Out of bounds read in the smc protocol stack] + RESERVED + - linux <unfixed> + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2044575 + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2040604 (not public) +CVE-2022-0399 + RESERVED +CVE-2022-0398 + RESERVED +CVE-2022-0397 + RESERVED +CVE-2022-24111 (In Mahara 21.04 before 21.04.3 and 21.10 before 21.10.1, portfolios cr ...) + - mahara <removed> +CVE-2022-24110 (Kiteworks MFT 7.5 may allow an unauthorized user to reset other users' ...) + NOT-FOR-US: Kiteworks managed file transfer +CVE-2022-24109 + RESERVED +CVE-2022-24108 + RESERVED +CVE-2022-24107 + RESERVED +CVE-2022-24106 + RESERVED +CVE-2022-24105 + RESERVED +CVE-2022-24104 + RESERVED +CVE-2022-24103 + RESERVED +CVE-2022-24102 + RESERVED +CVE-2022-24101 + RESERVED +CVE-2022-24100 + RESERVED +CVE-2022-24099 + RESERVED +CVE-2022-24098 + RESERVED +CVE-2022-24097 + RESERVED +CVE-2022-24096 + RESERVED +CVE-2022-24095 + RESERVED +CVE-2022-24094 + RESERVED +CVE-2022-24093 + RESERVED +CVE-2022-24092 + RESERVED +CVE-2022-24091 + RESERVED +CVE-2022-24090 + RESERVED +CVE-2022-24089 + RESERVED +CVE-2022-24088 + RESERVED +CVE-2022-24087 + RESERVED +CVE-2022-24086 (Adobe Commerce versions 2.4.3-p1 (and earlier) and 2.3.7-p2 (and earli ...) + NOT-FOR-US: Adobe +CVE-2022-24085 + RESERVED +CVE-2022-24084 + RESERVED +CVE-2022-24083 + RESERVED +CVE-2022-24082 + RESERVED +CVE-2022-24081 + RESERVED +CVE-2022-24080 + RESERVED +CVE-2022-24079 + RESERVED +CVE-2022-24078 + RESERVED +CVE-2022-24077 + RESERVED +CVE-2022-24076 + RESERVED +CVE-2022-24075 + RESERVED +CVE-2022-24074 + RESERVED +CVE-2022-24073 + RESERVED +CVE-2022-24072 + RESERVED +CVE-2022-24071 (A Built-in extension in Whale browser before 3.12.129.46 allows attack ...) + NOT-FOR-US: Whale browser +CVE-2022-24070 + RESERVED +CVE-2022-0396 + RESERVED +CVE-2022-0395 (Cross-site Scripting (XSS) - Stored in Packagist remdex/livehelperchat ...) + NOT-FOR-US: livehelperchat +CVE-2022-0394 (Cross-site Scripting (XSS) - Stored in Packagist remdex/livehelperchat ...) + NOT-FOR-US: livehelperchat +CVE-2022-0393 (Out-of-bounds Read in GitHub repository vim/vim prior to 8.2. ...) + - vim <unfixed> + [bullseye] - vim <no-dsa> (Minor issue) + [buster] - vim <no-dsa> (Minor issue) + NOTE: https://huntr.dev/bounties/ecc8f488-01a0-477f-848f-e30b8e524bba + NOTE: https://github.com/vim/vim/commit/a4bc2dd7cccf5a4a9f78b58b6f35a45d17164323 (v8.2.4233) +CVE-2022-24069 (An issue was discovered in AhciBusDxe in Insyde InsydeH2O with kernel ...) + NOT-FOR-US: Insyde +CVE-2022-24064 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Sante DICOM Viewer +CVE-2022-24063 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Sante DICOM Viewer +CVE-2022-24062 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Sante DICOM Viewer +CVE-2022-24061 (This vulnerability allows remote attackers to disclose sensitive infor ...) + NOT-FOR-US: Sante DICOM Viewer +CVE-2022-24060 (This vulnerability allows remote attackers to disclose sensitive infor ...) + NOT-FOR-US: Sante DICOM Viewer +CVE-2022-24059 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Sante DICOM Viewer +CVE-2022-24058 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Sante DICOM Viewer +CVE-2022-24057 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Sante DICOM Viewer +CVE-2022-24056 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Sante DICOM Viewer +CVE-2022-24055 (This vulnerability allows remote attackers to disclose sensitive infor ...) + NOT-FOR-US: Sante DICOM Viewer +CVE-2022-24054 + RESERVED +CVE-2022-24053 + RESERVED +CVE-2022-24052 (This vulnerability allows local attackers to escalate privileges on af ...) + - mariadb-10.6 1:10.6.7-1 + - mariadb-10.5 <removed> + - mariadb-10.3 <removed> + NOTE: Fixed in MariaDB: 10.6.6, 10.5.14, 10.4.23, 10.3.33, 10.2.42 + NOTE: https://www.zerodayinitiative.com/advisories/ZDI-22-366/ +CVE-2022-24051 (This vulnerability allows local attackers to escalate privileges on af ...) + - mariadb-10.6 1:10.6.7-1 + - mariadb-10.5 <removed> + - mariadb-10.3 <removed> + NOTE: Fixed in MariaDB: 10.6.6, 10.5.14, 10.4.23, 10.3.33, 10.2.42 + NOTE: https://www.zerodayinitiative.com/advisories/ZDI-22-318/ + NOTE: https://www.zerodayinitiative.com/advisories/ZDI-22-365/ +CVE-2022-24050 (This vulnerability allows local attackers to escalate privileges on af ...) + - mariadb-10.6 1:10.6.7-1 + - mariadb-10.5 <removed> + - mariadb-10.3 <removed> + NOTE: Fixed in MariaDB: 10.6.6, 10.5.14, 10.4.23, 10.3.33, 10.2.42 + NOTE: https://www.zerodayinitiative.com/advisories/ZDI-22-364/ +CVE-2022-24049 (This vulnerability allows remote attackers to execute arbitrary code o ...) + NOT-FOR-US: Sonos One Speaker +CVE-2022-24048 (This vulnerability allows local attackers to escalate privileges on af ...) + - mariadb-10.6 1:10.6.7-1 + - mariadb-10.5 <removed> + - mariadb-10.3 <removed> + NOTE: Fixed in MariaDB: 10.6.6, 10.5.14, 10.4.23, 10.3.33, 10.2.42 + NOTE: https://www.zerodayinitiative.com/advisories/ZDI-22-363/ +CVE-2022-24047 (This vulnerability allows remote attackers to bypass authentication on ...) + NOT-FOR-US: BMC Track-It! +CVE-2022-24046 (This vulnerability allows network-adjacent attackers to execute arbitr ...) + NOT-FOR-US: Sonos One Speaker +CVE-2022-24045 + RESERVED +CVE-2022-24044 + RESERVED +CVE-2022-24043 + RESERVED +CVE-2022-24042 + RESERVED +CVE-2022-24041 + RESERVED +CVE-2022-24040 + RESERVED +CVE-2022-24039 + RESERVED +CVE-2022-24038 + RESERVED +CVE-2022-24037 + RESERVED +CVE-2022-24036 + RESERVED +CVE-2022-23921 + RESERVED +CVE-2022-22987 (The affected product has a hardcoded private key available inside the ...) + NOT-FOR-US: Advantech +CVE-2022-21798 + RESERVED +CVE-2022-21154 + RESERVED +CVE-2022-0392 (Heap-based Buffer Overflow in GitHub repository vim prior to 8.2. ...) + - vim <unfixed> + [bullseye] - vim <no-dsa> (Minor issue) + [buster] - vim <no-dsa> (Minor issue) + NOTE: https://huntr.dev/bounties/d00a2acd-1935-4195-9d5b-4115ef6b3126 + NOTE: https://github.com/vim/vim/commit/806d037671e133bd28a7864248763f643967973a (v8.2.4218) +CVE-2022-0391 (A flaw was found in Python, specifically within the urllib.parse modul ...) + - python3.9 3.9.7-1 + [bullseye] - python3.9 <no-dsa> (Minor issue) + - python3.7 <removed> + [buster] - python3.7 <no-dsa> (Minor issue) + - python3.5 <removed> + [stretch] - python3.5 <postponed> (Minor issue; regressions reports) + - python3.4 <removed> + NOTE: https://bugs.python.org/issue43882 + NOTE: Fixed by: https://github.com/python/cpython/commit/76cd81d60310d65d01f9d7b48a8985d8ab89c8b4 (v3.10.0b1) + NOTE: Followup for 3.10.x: https://github.com/python/cpython/commit/24f1d1a8a2c4aa58a606b4b6d5fa4305a3b91705 (v3.10.0b2) + NOTE: Fixed by: https://github.com/python/cpython/commit/491fde0161d5e527eeff8586dd3972d7d3a631a7 (v3.9.5) + NOTE: Followup for 3.9.x: https://github.com/python/cpython/commit/8a595744e696a0fb92dccc5d4e45da41571270a1 (v3.9.6) + NOTE: Fixed by: https://github.com/python/cpython/commit/515a7bc4e13645d0945b46a8e1d9102b918cd407 (v3.8.11) + NOTE: Fixed by: https://github.com/python/cpython/commit/f4dac7ec55477a6c5d965e594e74bd6bda786903 (v3.7.11) + NOTE: Fixed by: https://github.com/python/cpython/commit/6c472d3a1d334d4eeb4a25eba7bf3b01611bf667 (v3.6.14) +CVE-2022-0390 + RESERVED +CVE-2022-0389 + RESERVED +CVE-2022-0388 + RESERVED +CVE-2022-24035 + RESERVED +CVE-2022-24034 + RESERVED +CVE-2022-24033 + RESERVED +CVE-2022-24032 (Adenza AxiomSL ControllerView through 10.8.1 is vulnerable to user enu ...) + NOT-FOR-US: Adenza AxiomSL ControllerView +CVE-2022-24031 (An issue was discovered in NvmExpressDxe in Insyde InsydeH2O with kern ...) + NOT-FOR-US: Insyde +CVE-2022-24030 (An issue was discovered in AhciBusDxe in Insyde InsydeH2O with kernel ...) + NOT-FOR-US: Insyde +CVE-2022-24029 + RESERVED +CVE-2022-24028 + RESERVED +CVE-2022-24027 + RESERVED +CVE-2022-24026 + RESERVED +CVE-2022-24025 + RESERVED +CVE-2022-24024 + RESERVED +CVE-2022-24023 + RESERVED +CVE-2022-24022 + RESERVED +CVE-2022-24021 + RESERVED +CVE-2022-24020 + RESERVED +CVE-2022-24019 + RESERVED +CVE-2022-24018 + RESERVED +CVE-2022-24017 + RESERVED +CVE-2022-24016 + RESERVED +CVE-2022-24015 + RESERVED +CVE-2022-24014 + RESERVED +CVE-2022-24013 + RESERVED +CVE-2022-24012 + RESERVED +CVE-2022-24011 + RESERVED +CVE-2022-24010 + RESERVED +CVE-2022-24009 + RESERVED +CVE-2022-24008 + RESERVED +CVE-2022-24007 + RESERVED +CVE-2022-24006 + RESERVED +CVE-2022-24005 + RESERVED +CVE-2022-0387 (Cross-site Scripting (XSS) - Stored in Packagist remdex/livehelperchat ...) + NOT-FOR-US: livehelperchat +CVE-2022-0386 + RESERVED +CVE-2022-0385 + RESERVED +CVE-2022-0384 + RESERVED +CVE-2022-24004 + RESERVED +CVE-2022-24003 (Exposure of Sensitive Information vulnerability in Bixby Vision prior ...) + NOT-FOR-US: Samsung +CVE-2022-24002 (Improper Authorization vulnerability in Link Sharing prior to version ...) + NOT-FOR-US: Samsung +CVE-2022-24001 (Information disclosure vulnerability in Edge Panel prior to Android S( ...) + NOT-FOR-US: Samsung +CVE-2022-24000 (PendingIntent hijacking vulnerability in DataUsageReminderReceiver pri ...) + NOT-FOR-US: Samsung +CVE-2022-23999 (PendingIntent hijacking vulnerability in CpaReceiver prior to SMR Feb- ...) + NOT-FOR-US: Samsung +CVE-2022-23998 (Improper access control vulnerability in Camera prior to versions 11.1 ...) + NOT-FOR-US: Samsung +CVE-2022-23997 (Unprotected component vulnerability in StTheaterModeDurationAlarmRecei ...) + NOT-FOR-US: Samsung +CVE-2022-23996 (Unprotected component vulnerability in StTheaterModeReceiver in Wear O ...) + NOT-FOR-US: Samsung +CVE-2022-23995 (Unprotected component vulnerability in StBedtimeModeAlarmReceiver in W ...) + NOT-FOR-US: Samsung +CVE-2022-23994 (An Improper access control vulnerability in StBedtimeModeReceiver in W ...) + NOT-FOR-US: Samsung +CVE-2022-23993 (/usr/local/www/pkg.php in pfSense through 2.5.2 uses $_REQUEST['pkg_fi ...) + NOT-FOR-US: pfSense +CVE-2022-23992 (XCOM Data Transport for Windows, Linux, and UNIX 11.6 releases contain ...) + NOT-FOR-US: XCOM Data Transport +CVE-2022-23991 + RESERVED +CVE-2022-23990 (Expat (aka libexpat) before 2.4.4 has an integer overflow in the doPro ...) + {DSA-5073-1 DLA-2904-1} + - expat 2.4.3-3 + NOTE: https://github.com/libexpat/libexpat/pull/551 + NOTE: Introduced with: https://github.com/libexpat/libexpat/commit/cb8a4c756d057b948c1b41e7185dd69ef3ade3fb (R_1_95_4) + NOTE: Fixed by: https://github.com/libexpat/libexpat/commit/ede41d1e186ed2aba88a06e84cac839b770af3a1 (R_2_4_4) +CVE-2022-23989 + RESERVED +CVE-2022-23988 + RESERVED +CVE-2022-23987 + RESERVED +CVE-2022-23984 (Sensitive information disclosure discovered in wpDiscuz WordPress plug ...) + NOT-FOR-US: WordPress plugin +CVE-2022-23983 (Cross-Site Request Forgery (CSRF) vulnerability leading to plugin Sett ...) + NOT-FOR-US: WordPress plugin +CVE-2022-23982 (The vulnerability discovered in WordPress Perfect Brands for WooCommer ...) + NOT-FOR-US: WordPress plugin +CVE-2022-23981 (The vulnerability allows Subscriber+ level users to create brands in W ...) + NOT-FOR-US: WordPress plugin +CVE-2022-23980 (Cross-Site Scripting (XSS) vulnerability discovered in Yasr – Ye ...) + NOT-FOR-US: WordPress plugin +CVE-2022-23979 (Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability ...) + NOT-FOR-US: WordPress plugin +CVE-2022-23978 + RESERVED +CVE-2022-23977 + RESERVED +CVE-2022-23976 + RESERVED +CVE-2022-23975 + RESERVED +CVE-2022-23974 + RESERVED +CVE-2022-23103 + RESERVED +CVE-2022-0383 + RESERVED +CVE-2022-0382 (An information leak flaw was found due to uninitialized memory in the ...) + - linux 5.15.15-1 + NOTE: Fixed by: https://git.kernel.org/linus/d6d86830705f173fca6087a3e67ceaf68db80523 +CVE-2022-0381 (The Embed Swagger WordPress plugin is vulnerable to Reflected Cross-Si ...) + NOT-FOR-US: WordPress plugin +CVE-2022-0380 (The Fotobook WordPress plugin is vulnerable to Reflected Cross-Site Sc ...) + NOT-FOR-US: WordPress plugin +CVE-2022-0379 (Cross-site Scripting (XSS) - Stored in Packagist microweber/microweber ...) + NOT-FOR-US: microweber +CVE-2022-0378 (Cross-site Scripting (XSS) - Reflected in Packagist microweber/microwe ...) + NOT-FOR-US: microweber +CVE-2022-0377 + RESERVED +CVE-2022-0376 + RESERVED +CVE-2022-0375 (Cross-site Scripting (XSS) - Stored in Packagist remdex/livehelperchat ...) + NOT-FOR-US: livehelperchat +CVE-2022-0374 (Cross-site Scripting (XSS) - Stored in Packagist remdex/livehelperchat ...) + NOT-FOR-US: livehelperchat +CVE-2022-0373 + RESERVED +CVE-2022-0372 (Cross-site Scripting (XSS) - Stored in Packagist bytefury/crater prior ...) + NOT-FOR-US: Crater +CVE-2022-23973 + RESERVED +CVE-2022-23972 + RESERVED +CVE-2022-23971 + RESERVED +CVE-2022-23970 + RESERVED +CVE-2022-23969 + RESERVED +CVE-2022-23968 (Xerox VersaLink devices on specific versions of firmware before 2022-0 ...) + NOT-FOR-US: Xerox +CVE-2022-23967 (In TightVNC 1.3.10, there is an integer signedness error and resultant ...) + TODO: check +CVE-2022-23966 + RESERVED +CVE-2022-23965 + RESERVED +CVE-2022-23964 + RESERVED +CVE-2022-23963 + RESERVED +CVE-2022-23962 + RESERVED +CVE-2022-23961 + RESERVED +CVE-2022-23960 + RESERVED +CVE-2022-23959 (In Varnish Cache before 6.6.2 and 7.x before 7.0.2, Varnish Cache 6.0 ...) + {DLA-2920-1} + - varnish <unfixed> (bug #1004433) + NOTE: https://varnish-cache.org/security/VSV00008.html + NOTE: https://docs.varnish-software.com/security/VSV00008/ + NOTE: Fixed by: https://github.com/varnishcache/varnish-cache/commit/fceaefd4d59a3b5d5a4903a3f420e35eb430d0d4 (master) + NOTE: Fixed by: https://github.com/varnishcache/varnish-cache/commit/9ed39d1f796369caafb647fe37b729c07f332327 (6.6.2) + NOTE: Test case: https://github.com/varnishcache/varnish-cache/commit/ec531e16b9cd139bbf8971c5b306561c669681f4 (6.6.2) +CVE-2022-23958 + RESERVED +CVE-2022-23957 + RESERVED +CVE-2022-23956 + RESERVED +CVE-2022-23955 + RESERVED +CVE-2022-23954 + RESERVED +CVE-2022-23953 + RESERVED +CVE-2022-23952 + RESERVED +CVE-2022-23951 + RESERVED +CVE-2022-23950 + RESERVED +CVE-2022-23949 + RESERVED +CVE-2022-23948 + RESERVED +CVE-2022-0371 + RESERVED +CVE-2022-0370 (Cross-site Scripting (XSS) - Stored in Packagist remdex/livehelperchat ...) + NOT-FOR-US: livehelperchat +CVE-2022-0369 + RESERVED +CVE-2022-23947 (A stack-based buffer overflow vulnerability exists in the Gerber Viewe ...) + NOT-FOR-US: Gerber +CVE-2022-23946 (A stack-based buffer overflow vulnerability exists in the Gerber Viewe ...) + NOT-FOR-US: Gerber +CVE-2022-23945 (Missing authentication on ShenYu Admin when register by HTTP. This iss ...) + NOT-FOR-US: Apache ShenYu Admin +CVE-2022-23944 (User can access /plugin api without authentication. This issue affecte ...) + NOT-FOR-US: Apache ShenYu Admin +CVE-2022-23943 + RESERVED +CVE-2022-23942 + RESERVED +CVE-2022-21184 + RESERVED +CVE-2022-0368 (Out-of-bounds Read in GitHub repository vim/vim prior to 8.2. ...) + - vim <unfixed> + [bullseye] - vim <no-dsa> (Minor issue) + [buster] - vim <no-dsa> (Minor issue) + NOTE: https://huntr.dev/bounties/bca9ce1f-400a-4bf9-9207-3f3187cb3fa9/ + NOTE: https://github.com/vim/vim/commit/8d02ce1ed75d008c34a5c9aaa51b67cbb9d33baa (v8.2.4217) +CVE-2022-0367 + RESERVED +CVE-2022-0366 (An authenticated and authorized agent user could potentially gain admi ...) + NOT-FOR-US: Sophos +CVE-2022-0365 (The affected product is vulnerable to an authenticated OS command inje ...) + NOT-FOR-US: Ricon Mobile +CVE-2022-0364 + RESERVED +CVE-2022-0363 + RESERVED +CVE-2022-0362 (SQL Injection in Packagist showdoc/showdoc prior to 2.10.3. ...) + NOT-FOR-US: ShowDoc +CVE-2022-0361 (Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2. ...) + - vim <unfixed> + [bullseye] - vim <no-dsa> (Minor issue) + [buster] - vim <no-dsa> (Minor issue) + NOTE: https://huntr.dev/bounties/a055618c-0311-409c-a78a-99477121965b + NOTE: https://github.com/vim/vim/commit/dc5490e2cbc8c16022a23b449b48c1bd0083f366 (v8.2.4215) +CVE-2022-0360 + RESERVED +CVE-2022-0359 (Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2. ...) + - vim <unfixed> + [bullseye] - vim <no-dsa> (Minor issue) + [buster] - vim <no-dsa> (Minor issue) + NOTE: https://huntr.dev/bounties/a3192d90-4f82-4a67-b7a6-37046cc88def + NOTE: https://github.com/vim/vim/commit/85b6747abc15a7a81086db31289cf1b8b17e6cb1 (v8.2.4214) +CVE-2022-0358 + RESERVED + - qemu <unfixed> + [buster] - qemu <not-affected> (Vulnerable code not present) + [stretch] - qemu <not-affected> (virtiofsd added in 5.0) + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2044863 + NOTE: https://gitlab.com/qemu-project/qemu/-/commit/449e8171f96a6a944d1f3b7d3627ae059eae21ca +CVE-2022-0357 + RESERVED +CVE-2022-0356 + RESERVED +CVE-2022-23941 + RESERVED +CVE-2022-23940 + RESERVED +CVE-2022-23939 + RESERVED +CVE-2022-23938 + RESERVED +CVE-2022-23937 + RESERVED +CVE-2022-23936 + RESERVED +CVE-2022-23935 (lib/Image/ExifTool.pm in ExifTool before 12.38 mishandles a $file =~ / ...) + - libimage-exiftool-perl 12.38+dfsg-1 + [bullseye] - libimage-exiftool-perl <no-dsa> (Minor issue) + [buster] - libimage-exiftool-perl <no-dsa> (Minor issue) + [stretch] - libimage-exiftool-perl <no-dsa> (Minor issue) + NOTE: https://github.com/exiftool/exiftool/commit/74dbab1d2766d6422bb05b033ac6634bf8d1f582 (12.38) +CVE-2022-23934 + RESERVED +CVE-2022-23933 + RESERVED +CVE-2022-23932 + RESERVED +CVE-2022-23931 + RESERVED +CVE-2022-23930 + RESERVED +CVE-2022-23929 + RESERVED +CVE-2022-23928 + RESERVED +CVE-2022-23927 + RESERVED +CVE-2022-23926 + RESERVED +CVE-2022-23925 + RESERVED +CVE-2022-23924 + RESERVED +CVE-2022-23919 + RESERVED +CVE-2022-23918 + RESERVED +CVE-2022-23399 + RESERVED +CVE-2022-22144 + RESERVED +CVE-2022-22140 + RESERVED +CVE-2022-21201 + RESERVED +CVE-2022-21178 + RESERVED +CVE-2022-0355 (Exposure of Sensitive Information to an Unauthorized Actor in NPM simp ...) + NOT-FOR-US: simple-get nodejs module +CVE-2022-0354 + RESERVED +CVE-2022-0353 + RESERVED +CVE-2022-23913 (In Apache ActiveMQ Artemis prior to 2.20.0 or 2.19.1, an attacker coul ...) + NOT-FOR-US: Apache ActiveMQ Artemis +CVE-2022-23912 + RESERVED +CVE-2022-23911 + RESERVED +CVE-2022-23910 + RESERVED +CVE-2022-23909 + RESERVED +CVE-2022-23908 + RESERVED +CVE-2022-23907 + RESERVED +CVE-2022-23906 + RESERVED +CVE-2022-23905 + RESERVED +CVE-2022-23904 + RESERVED +CVE-2022-23903 + RESERVED +CVE-2022-23902 (Tongda2000 v11.10 was discovered to contain a SQL injection vulnerabil ...) + NOT-FOR-US: Tongda2000 +CVE-2022-23901 + RESERVED +CVE-2022-23900 + RESERVED +CVE-2022-23899 + RESERVED +CVE-2022-23898 + RESERVED +CVE-2022-23897 + RESERVED +CVE-2022-23896 + RESERVED +CVE-2022-23895 + RESERVED +CVE-2022-23894 + RESERVED +CVE-2022-23893 + RESERVED +CVE-2022-23892 + RESERVED +CVE-2022-23891 + RESERVED +CVE-2022-23890 + RESERVED +CVE-2022-23889 (The comment function in YzmCMS v6.3 was discovered as being able to be ...) + NOT-FOR-US: YzmCMS +CVE-2022-23888 (YzmCMS v6.3 was discovered to contain a Cross-Site Request Forgey (CSR ...) + NOT-FOR-US: YzmCMS +CVE-2022-23887 (YzmCMS v6.3 was discovered to contain a Cross-Site Request Forgery (CS ...) + NOT-FOR-US: YzmCMS +CVE-2022-23886 + RESERVED +CVE-2022-23885 + RESERVED +CVE-2022-23884 + RESERVED +CVE-2022-23883 + RESERVED +CVE-2022-23882 + RESERVED +CVE-2022-23881 + RESERVED +CVE-2022-23880 + RESERVED +CVE-2022-23879 + RESERVED +CVE-2022-23878 + RESERVED +CVE-2022-23877 + RESERVED +CVE-2022-23876 + RESERVED +CVE-2022-23875 + RESERVED +CVE-2022-23874 + RESERVED +CVE-2022-23873 (Victor CMS v1.0 was discovered to contain a SQL injection vulnerabilit ...) + NOT-FOR-US: Victor CMS +CVE-2022-23872 (Emlog pro v1.1.1 was discovered to contain a stored cross-site scripti ...) + NOT-FOR-US: Emlog pro +CVE-2022-23871 (Multiple cross-site scripting (XSS) vulnerabilities in the component o ...) + NOT-FOR-US: Gibbon CMS +CVE-2022-23870 + RESERVED +CVE-2022-23869 + RESERVED +CVE-2022-23868 + RESERVED +CVE-2022-23867 + RESERVED +CVE-2022-23866 + RESERVED +CVE-2022-23865 + RESERVED +CVE-2022-0352 (Cross-site Scripting (XSS) - Reflected in Pypi calibreweb prior to 0.6 ...) + NOT-FOR-US: calibre-web +CVE-2022-0351 (Access of Memory Location Before Start of Buffer in GitHub repository ...) + - vim <unfixed> + [bullseye] - vim <no-dsa> (Minor issue) + [buster] - vim <no-dsa> (Minor issue) + NOTE: https://huntr.dev/bounties/8b36db58-b65c-4298-be7f-40b9e37fd161 + NOTE: https://github.com/vim/vim/commit/fe6fb267e6ee5c5da2f41889e4e0e0ac5bf4b89d (v8.2.4206) +CVE-2022-0350 + RESERVED +CVE-2022-0349 + RESERVED +CVE-2022-0348 (Cross-site Scripting (XSS) - Stored in Packagist pimcore/pimcore prior ...) + NOT-FOR-US: pimcore +CVE-2022-0347 + RESERVED +CVE-2022-0346 + RESERVED +CVE-2022-0345 + RESERVED +CVE-2022-0344 + RESERVED +CVE-2022-0343 + RESERVED +CVE-2022-0342 + RESERVED +CVE-2022-23864 + RESERVED +CVE-2022-23863 (Zoho ManageEngine Desktop Central before 10.1.2137.10 allows an authen ...) + NOT-FOR-US: Zoho ManageEngine +CVE-2022-23862 + RESERVED +CVE-2022-23861 + RESERVED +CVE-2022-23860 + RESERVED +CVE-2022-23859 + RESERVED +CVE-2022-23858 (In StarWind Command Center before V2 build 6021, an authenticated read ...) + NOT-FOR-US: StarWind Command Center +CVE-2022-23857 (model/criteria/criteria.go in Navidrome before 0.47.5 is vulnerable to ...) + NOT-FOR-US: Navidrome +CVE-2022-23856 (An issue was discovered in Saviynt Enterprise Identity Cloud (EIC) 5.5 ...) + NOT-FOR-US: Saviynt Enterprise Identity Cloud (EIC) +CVE-2022-23855 (An issue was discovered in Saviynt Enterprise Identity Cloud (EIC) 5.5 ...) + NOT-FOR-US: Saviynt Enterprise Identity Cloud (EIC) +CVE-2022-23854 + RESERVED +CVE-2022-23853 (The LSP (Language Server Protocol) plugin in KDE Kate before 21.12.2 a ...) + - kate <unfixed> + [bullseye] - kate <no-dsa> (Minor issue) + [buster] - kate <no-dsa> (Minor issue) + [stretch] - kate <no-dsa> (Minor issue) + - ktexteditor <unfixed> + [bullseye] - ktexteditor <no-dsa> (Minor issue) + [buster] - ktexteditor <no-dsa> (Minor issue) + [stretch] - ktexteditor <no-dsa> (Minor issue) + NOTE: https://kde.org/info/security/advisory-20220131-1.txt + NOTE: KTextEditor: Fixed by: https://commits.kde.org/ktexteditor/804e49444c093fe58ec0df2ab436565e50dc147e + NOTE: KTextEditor: Fixed by: https://commits.kde.org/ktexteditor/c80f935c345de2e2fb10635202800839ca9697bf + NOTE: Kate: prerequisites: + NOTE: https://commits.kde.org/kate/361dd43e42994829dbdb35e78fb7698d27cbb0e2 + NOTE: https://commits.kde.org/kate/6fc3bf6e5bd540e842e32c4a959c2158c8573be5 + NOTE: https://commits.kde.org/kate/92a9c65e30b4b63b8b116eb5c8dcb1e1a2d867bc + NOTE: Fixed by: https://commits.kde.org/kate/c5d66f3b70ae4778d6162564309aee95f643e7c9 + NOTE: Fixed by: https://commits.kde.org/kate/7e08a58fb50d28ba96aedd5f5cd79a9479b4a0ad +CVE-2022-23852 (Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML ...) + {DSA-5073-1 DLA-2904-1} + - expat 2.4.3-2 + NOTE: https://github.com/libexpat/libexpat/pull/550 + NOTE: Fixed by: https://github.com/libexpat/libexpat/commit/847a645152f5ebc10ac63b74b604d0c1a79fae40 (R_2_4_4) + NOTE: Tests: https://github.com/libexpat/libexpat/commit/acf956f14bf79a5e6383a969aaffec98bfbc2e44 +CVE-2022-23851 + RESERVED +CVE-2022-0341 + RESERVED +CVE-2022-0340 + RESERVED +CVE-2022-24300 (Minetest before 5.4.0 allows attackers to add or modify arbitrary meta ...) + {DSA-5075-1} + - minetest 5.4.1+repack-1 (bug #1004223) + [stretch] - minetest <end-of-life> (games are not supported in LTS) + NOTE: https://github.com/minetest/minetest/security/advisories/GHSA-hwj2-xf72-r4cf + NOTE: Fixed by: https://github.com/minetest/minetest/commit/b5956bde259faa240a81060ff4e598e25ad52dae (5.4.0) + NOTE: When fixing this issue the fix for GHSA-7q63-4fq2-hqcr should be included, + NOTE: which is not a vulnerability by itself, and won't get a CVE assigned: + NOTE: https://github.com/minetest/minetest/security/advisories/GHSA-7q63-4fq2-hqcr + NOTE: https://github.com/minetest/minetest/commit/8d6a0b917ce1e7f4f1017835af0ca76e79c98c38 (5.2.0) +CVE-2022-24301 (In Minetest before 5.4.0, players can add or subtract items from a dif ...) + {DSA-5075-1} + - minetest 5.4.1+repack-1 + [stretch] - minetest <end-of-life> (games are not supported in LTS) + NOTE: https://github.com/minetest/minetest/security/advisories/GHSA-fvwv-qcq6-wmp5 + NOTE: Fixed by: https://github.com/minetest/minetest/commit/3693b6871eba268ecc79b3f52d00d3cefe761131 (5.4.0) +CVE-2022-23850 (xhtml_translate_entity in xhtml.c in epub2txt (aka epub2txt2) through ...) + - epub2txt2 <itp> (bug #1004115) +CVE-2022-23849 + RESERVED +CVE-2022-0339 (Server-Side Request Forgery (SSRF) in Pypi calibreweb prior to 0.6.16. ...) + NOT-FOR-US: calibre-web +CVE-2022-0338 (Improper Privilege Management in Conda loguru prior to 0.5.3. ...) + - loguru <unfixed> (unimportant) + NOTE: https://huntr.dev/bounties/359bea50-2bc6-426a-b2f9-175d401b1ed0/ + NOTE: Document best practices for security: https://github.com/delgan/loguru/commit/ea39375e62f9b8f18e2ca798a5c0fb8c972b7eaa + NOTE: loguru documents security considerations and best practices to follow +CVE-2022-23848 (In Alluxio before 2.7.3, the logserver does not validate the input str ...) + NOT-FOR-US: Alluxio +CVE-2022-23847 + RESERVED +CVE-2022-23846 + RESERVED +CVE-2022-23845 + RESERVED +CVE-2022-23844 + RESERVED +CVE-2022-23843 + RESERVED +CVE-2022-23842 + RESERVED +CVE-2022-23841 + RESERVED +CVE-2022-23840 + RESERVED +CVE-2022-23839 + RESERVED +CVE-2022-23838 + RESERVED +CVE-2022-23837 (In api.rb in Sidekiq before 5.2.10 and 6.4.0, there is no limit on the ...) + - ruby-sidekiq <unfixed> (bug #1004193) + NOTE: https://github.com/mperham/sidekiq/commit/7785ac1399f1b28992adb56055f6acd88fd1d956 (v6.4.0) +CVE-2022-23836 + RESERVED +CVE-2022-23835 + RESERVED +CVE-2022-0337 + RESERVED +CVE-2022-0336 [Samba AD users with permission to write to an account can impersonate arbitrary services] + RESERVED + - samba <unfixed> (bug #1004694) + [bullseye] - samba 2:4.13.13+dfsg-1~deb11u3 + [buster] - samba <no-dsa> (Minor issue; affects Samba as AD DC) + NOTE: https://www.samba.org/samba/security/CVE-2022-0336.html + NOTE: https://bugzilla.samba.org/show_bug.cgi?id=14950 +CVE-2022-23834 + RESERVED +CVE-2022-23833 (An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27 ...) + {DLA-2906-1} + - python-django 2:3.2.12-1 (bug #1004752) + [bullseye] - python-django <no-dsa> (Minor issue) + [buster] - python-django <no-dsa> (Minor issue) + NOTE: https://www.djangoproject.com/weblog/2022/feb/01/security-releases/ + NOTE: https://github.com/django/django/commit/fc18f36c4ab94399366ca2f2007b3692559a6f23 (main) + NOTE: https://github.com/django/django/commit/f9c7d48fdd6f198a6494a9202f90242f176e4fc9 (4.0.2) + NOTE: https://github.com/django/django/commit/d16133568ef9c9b42cb7a08bdf9ff3feec2e5468 (3.2.12) + NOTE: https://github.com/django/django/commit/c477b761804984c932704554ad35f78a2e230c6a (2.2.27) +CVE-2022-23832 + RESERVED +CVE-2022-23831 + RESERVED +CVE-2022-23830 + RESERVED +CVE-2022-23829 + RESERVED +CVE-2022-23828 + RESERVED +CVE-2022-23827 + RESERVED +CVE-2022-23826 + RESERVED +CVE-2022-23825 + RESERVED +CVE-2022-23824 + RESERVED +CVE-2022-23823 + RESERVED +CVE-2022-23822 + RESERVED +CVE-2022-23821 + RESERVED +CVE-2022-23820 + RESERVED +CVE-2022-23819 + RESERVED +CVE-2022-23818 + RESERVED +CVE-2022-23817 + RESERVED +CVE-2022-23816 + RESERVED +CVE-2022-23815 + RESERVED +CVE-2022-23814 + RESERVED +CVE-2022-23813 + RESERVED +CVE-2022-22146 (Cross-site scripting vulnerability in TransmitMail 2.5.0 to 2.6.1 allo ...) + NOT-FOR-US: TransmitMail +CVE-2022-21193 (Directory traversal vulnerability in TransmitMail 2.5.0 to 2.6.1 allow ...) + NOT-FOR-US: TransmitMail +CVE-2022-21176 (MMP: All versions prior to v1.0.3, PTP C-series: Device versions prior ...) + NOT-FOR-US: Airspan Networks +CVE-2022-21143 (MMP: All versions prior to v1.0.3, PTP C-series: Device versions prior ...) + NOT-FOR-US: Airspan Networks +CVE-2022-21141 (MMP: All versions prior to v1.0.3, PTP C-series: Device versions prior ...) + NOT-FOR-US: Airspan Networks +CVE-2022-0335 (A flaw was found in Moodle in versions 3.11 to 3.11.4, 3.10 to 3.10.8, ...) + - moodle <removed> +CVE-2022-0334 (A flaw was found in Moodle in versions 3.11 to 3.11.4, 3.10 to 3.10.8, ...) + - moodle <removed> +CVE-2022-0333 (A flaw was found in Moodle in versions 3.11 to 3.11.4, 3.10 to 3.10.8, ...) + - moodle <removed> +CVE-2022-0332 (A flaw was found in Moodle in versions 3.11 to 3.11.4. An SQL injectio ...) + - moodle <removed> +CVE-2022-0331 + RESERVED +CVE-2022-0330 [drm/i915: Flush TLBs before releasing backing store] + RESERVED + - linux 5.15.15-2 + NOTE: https://www.openwall.com/lists/oss-security/2022/01/25/12 + NOTE: https://git.kernel.org/linus/7938d61591d33394a21bdd7797a245b65428f44c +CVE-2022-0329 + REJECTED +CVE-2022-0328 + RESERVED +CVE-2022-0327 + RESERVED +CVE-2022-23809 + RESERVED +CVE-2022-23808 (An issue was discovered in phpMyAdmin 5.1 before 5.1.2. An attacker ca ...) + - phpmyadmin 4:5.1.3+dfsg1-1 (unimportant) + NOTE: https://www.phpmyadmin.net/security/PMASA-2022-2/ + NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/5118acce1dfcdb09cbc0f73927bf51c46feeaf38 + NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/44eb12f15a562718bbe54c9a16af91ceea335d59 + NOTE: https://salsa.debian.org/phpmyadmin-team/phpmyadmin/-/issues/28 (setup not available) +CVE-2022-23807 (An issue was discovered in phpMyAdmin 4.9 before 4.9.8 and 5.1 before ...) + - phpmyadmin 4:5.1.3+dfsg1-1 (unimportant) + NOTE: https://www.phpmyadmin.net/security/PMASA-2022-1/ + NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/ca54f1db050859eb8555875c6aa5d7796fdf4b32 + NOTE: https://salsa.debian.org/phpmyadmin-team/phpmyadmin/-/issues/3 (missing 2FA packages) + NOTE: 2FA support is not packaged in Debian +CVE-2022-23806 (Curve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17.x bef ...) + - golang-1.18 1.18~rc1-1 + - golang-1.17 1.17.7-1 + - golang-1.15 <removed> + [bullseye] - golang-1.15 <no-dsa> (Minor issue) + - golang-1.11 <removed> + [buster] - golang-1.11 <no-dsa> (Minor issue) + - golang-1.8 <removed> + - golang-1.7 <removed> + NOTE: https://github.com/golang/go/issues/50974 + NOTE: https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ + NOTE: https://github.com/golang/go/commit/e16331902340c02bdf1831b5508df2307b871ef6 (go1.17.7) +CVE-2022-23805 (A security out-of-bounds read information disclosure vulnerability in ...) + NOT-FOR-US: Trend Micro +CVE-2022-23804 (A stack-based buffer overflow vulnerability exists in the Gerber Viewe ...) + TODO: check +CVE-2022-23803 (A stack-based buffer overflow vulnerability exists in the Gerber Viewe ...) + TODO: check +CVE-2022-23802 + RESERVED +CVE-2022-23801 + RESERVED +CVE-2022-23800 + RESERVED +CVE-2022-23799 + RESERVED +CVE-2022-23798 + RESERVED +CVE-2022-23797 + RESERVED +CVE-2022-23796 + RESERVED +CVE-2022-23795 + RESERVED +CVE-2022-23794 + RESERVED +CVE-2022-23793 + RESERVED +CVE-2022-0326 (NULL Pointer Dereference in Homebrew mruby prior to 3.2. ...) + - mruby <not-affected> (Vulnerable code introduced later) + NOTE: Introduced by: https://github.com/mruby/mruby/commit/dccd66f9efecd0a974b735c62836fe566015cf37 (3.1.0-rc) + NOTE: Fixed by: https://github.com/mruby/mruby/commit/b611c43a5de061ec21b343967e1b64c45c373d7e +CVE-2022-0325 + RESERVED +CVE-2022-0324 + RESERVED +CVE-2022-23792 + RESERVED +CVE-2022-23791 + RESERVED +CVE-2022-23790 + RESERVED +CVE-2022-23789 + RESERVED +CVE-2022-23788 + RESERVED +CVE-2022-23787 + RESERVED +CVE-2022-23786 + RESERVED +CVE-2022-23785 + RESERVED +CVE-2022-23784 + RESERVED +CVE-2022-23783 + RESERVED +CVE-2022-23782 + RESERVED +CVE-2022-23781 + RESERVED +CVE-2022-23780 + RESERVED +CVE-2022-21147 + RESERVED +CVE-2022-0323 (Improper Neutralization of Special Elements Used in a Template Engine ...) + NOT-FOR-US: Mustache (implementation in PHP) +CVE-2022-0322 [DoS in sctp_addto_chunk in net/sctp/sm_make_chunk.c] + RESERVED + - linux 5.14.16-1 + [bullseye] - linux 5.10.84-1 + [stretch] - linux <not-affected> (Vulnerable code introduced later) + NOTE: https://git.kernel.org/linus/a2d859e3fc97e79d907761550dbc03ff1b36479c (5.15-rc6) +CVE-2022-0321 + RESERVED +CVE-2022-0320 (The Essential Addons for Elementor WordPress plugin before 5.0.5 does ...) + NOT-FOR-US: WordPress plugin +CVE-2022-0319 (Out-of-bounds Read in vim/vim prior to 8.2. ...) + - vim <unfixed> + [bullseye] - vim <no-dsa> (Minor issue) + [buster] - vim <no-dsa> (Minor issue) + NOTE: https://huntr.dev/bounties/ba622fd2-e6ef-4ad9-95b4-17f87b68755b + NOTE: https://github.com/vim/vim/commit/05b27615481e72e3b338bb12990fb3e0c2ecc2a9 (v8.2.4154) +CVE-2022-0318 (Heap-based Buffer Overflow in vim/vim prior to 8.2. ...) + - vim <unfixed> (bug #1004859) + [bullseye] - vim <no-dsa> (Minor issue) + [buster] - vim <no-dsa> (Minor issue) + NOTE: https://huntr.dev/bounties/0d10ba02-b138-4e68-a284-67f781a62d08 + NOTE: https://github.com/vim/vim/commit/57df9e8a9f9ae1aafdde9b86b10ad907627a87dc (v8.2.4151) +CVE-2022-0317 (An improper input validation vulnerability in go-attestation before 0. ...) + NOT-FOR-US: go-attestation +CVE-2022-0316 + RESERVED +CVE-2022-0315 + RESERVED +CVE-2022-23779 + RESERVED +CVE-2022-23778 + RESERVED +CVE-2022-23777 + RESERVED +CVE-2022-23776 + RESERVED +CVE-2022-23775 + RESERVED +CVE-2022-23774 (Docker Desktop before 4.4.4 on Windows allows attackers to move arbitr ...) + NOT-FOR-US: Docker Desktop +CVE-2022-23773 (cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret ...) + - golang-1.18 1.18~rc1-1 + - golang-1.17 1.17.7-1 + - golang-1.15 <removed> + [bullseye] - golang-1.15 <no-dsa> (Minor issue) + - golang-1.11 <removed> + [buster] - golang-1.11 <no-dsa> (Minor issue) + - golang-1.8 <removed> + - golang-1.7 <removed> + NOTE: https://github.com/golang/go/issues/35671 + NOTE: https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ + NOTE: https://github.com/golang/go/commit/fbcc30a2c9d076b27b4b411e2cec91ec13528081 (go1.17.7) +CVE-2022-23772 (Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17. ...) + - golang-1.18 1.18~beta2-1 + - golang-1.17 1.17.7-1 + - golang-1.15 <removed> + [bullseye] - golang-1.15 <no-dsa> (Minor issue) + - golang-1.11 <removed> + [buster] - golang-1.11 <no-dsa> (Minor issue) + - golang-1.8 <removed> + - golang-1.7 <removed> + NOTE: https://github.com/golang/go/issues/50699 + NOTE: https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ + NOTE: https://github.com/golang/go/commit/539d430efb5043cc6a2d4d4fcd2866b11717039a (go1.17.7) +CVE-2022-23771 + RESERVED +CVE-2022-23770 + RESERVED +CVE-2022-23769 + RESERVED +CVE-2022-23768 + RESERVED +CVE-2022-23767 + RESERVED +CVE-2022-23766 + RESERVED +CVE-2022-23765 + RESERVED +CVE-2022-23764 + RESERVED +CVE-2022-23763 + RESERVED +CVE-2022-23762 + RESERVED +CVE-2022-23761 RESERVED -CVE-2022-21644 +CVE-2022-23760 RESERVED -CVE-2022-21643 +CVE-2022-23759 RESERVED -CVE-2022-21642 +CVE-2022-23758 RESERVED +CVE-2022-23757 + RESERVED +CVE-2022-23756 + RESERVED +CVE-2022-23755 + RESERVED +CVE-2022-23754 + RESERVED +CVE-2022-23753 + RESERVED +CVE-2022-23752 + RESERVED +CVE-2022-23751 + RESERVED +CVE-2022-23750 + RESERVED +CVE-2022-23749 + RESERVED +CVE-2022-23748 + RESERVED +CVE-2022-23747 + RESERVED +CVE-2022-23746 + RESERVED +CVE-2022-23745 + RESERVED +CVE-2022-23744 + RESERVED +CVE-2022-23743 + RESERVED +CVE-2022-23742 + RESERVED +CVE-2022-23741 + RESERVED +CVE-2022-23740 + RESERVED +CVE-2022-23739 + RESERVED +CVE-2022-23738 + RESERVED +CVE-2022-23737 + RESERVED +CVE-2022-23736 + RESERVED +CVE-2022-23735 + RESERVED +CVE-2022-23734 + RESERVED +CVE-2022-23733 + RESERVED +CVE-2022-23732 + RESERVED +CVE-2022-23731 + RESERVED +CVE-2022-23730 + RESERVED +CVE-2022-23729 + RESERVED +CVE-2022-23728 (Attacker can reset the device with AT Command in the process of reboot ...) + NOT-FOR-US: LG +CVE-2022-23727 (There is a privilege escalation vulnerability in some webOS TVs. Due t ...) + NOT-FOR-US: LG +CVE-2022-23726 + RESERVED +CVE-2022-23725 + RESERVED +CVE-2022-23724 + RESERVED +CVE-2022-23723 + RESERVED +CVE-2022-23722 + RESERVED +CVE-2022-23721 + RESERVED +CVE-2022-23720 + RESERVED +CVE-2022-23719 + RESERVED +CVE-2022-23718 + RESERVED +CVE-2022-23717 + RESERVED +CVE-2022-23716 + RESERVED +CVE-2022-23715 + RESERVED +CVE-2022-23714 + RESERVED +CVE-2022-23713 + RESERVED +CVE-2022-23712 + RESERVED +CVE-2022-23711 + RESERVED +CVE-2022-23710 + RESERVED +CVE-2022-23709 + RESERVED +CVE-2022-23708 + RESERVED +CVE-2022-23707 (An XSS vulnerability was found in Kibana index patterns. Using this vu ...) + - kibana <itp> (bug #700337) +CVE-2022-23706 + RESERVED +CVE-2022-23705 + RESERVED +CVE-2022-23704 + RESERVED +CVE-2022-23703 + RESERVED +CVE-2022-23702 + RESERVED +CVE-2022-23701 + RESERVED +CVE-2022-23700 + RESERVED +CVE-2022-23699 + RESERVED +CVE-2022-23698 + RESERVED +CVE-2022-23697 + RESERVED +CVE-2022-23696 + RESERVED +CVE-2022-23695 + RESERVED +CVE-2022-23694 + RESERVED +CVE-2022-23693 + RESERVED +CVE-2022-23692 + RESERVED +CVE-2022-23691 + RESERVED +CVE-2022-23690 + RESERVED +CVE-2022-23689 + RESERVED +CVE-2022-23688 + RESERVED +CVE-2022-23687 + RESERVED +CVE-2022-23686 + RESERVED +CVE-2022-23685 + RESERVED +CVE-2022-23684 + RESERVED +CVE-2022-23683 + RESERVED +CVE-2022-23682 + RESERVED +CVE-2022-23681 + RESERVED +CVE-2022-23680 + RESERVED +CVE-2022-23679 + RESERVED +CVE-2022-23678 + RESERVED +CVE-2022-23677 + RESERVED +CVE-2022-23676 + RESERVED +CVE-2022-23675 + RESERVED +CVE-2022-23674 + RESERVED +CVE-2022-23673 + RESERVED +CVE-2022-23672 + RESERVED +CVE-2022-23671 + RESERVED +CVE-2022-23670 + RESERVED +CVE-2022-23669 + RESERVED +CVE-2022-23668 + RESERVED +CVE-2022-23667 + RESERVED +CVE-2022-23666 + RESERVED +CVE-2022-23665 + RESERVED +CVE-2022-23664 + RESERVED +CVE-2022-23663 + RESERVED +CVE-2022-23662 + RESERVED +CVE-2022-23661 + RESERVED +CVE-2022-23660 + RESERVED +CVE-2022-23659 + RESERVED +CVE-2022-23658 + RESERVED +CVE-2022-23657 + RESERVED +CVE-2022-23656 + RESERVED +CVE-2022-23655 + RESERVED +CVE-2022-23654 + RESERVED +CVE-2022-23653 + RESERVED +CVE-2022-23652 + RESERVED +CVE-2022-23651 + RESERVED +CVE-2022-23650 (Netmaker is a platform for creating and managing virtual overlay netwo ...) + NOT-FOR-US: Netmaker +CVE-2022-23649 (Cosign provides container signing, verification, and storage in an OCI ...) + NOT-FOR-US: Cosign +CVE-2022-23648 + RESERVED +CVE-2022-23647 (Prism is a syntax highlighting library. Starting with version 1.14.0 a ...) + - node-prismjs 1.27.0+dfsg+~1.26.0-1 + NOTE: https://github.com/PrismJS/prism/security/advisories/GHSA-3949-f494-cm99 + NOTE: https://github.com/PrismJS/prism/issues/3340 + NOTE: https://github.com/PrismJS/prism/pull/3341 + NOTE: https://github.com/PrismJS/prism/commit/e002e78c343154e1c0ddf9d6a0bb85689e1a5c7c (v1.27.0) +CVE-2022-23646 (Next.js is a React framework. Starting with version 10.0.0 and prior t ...) + TODO: check +CVE-2022-23645 (swtpm is a libtpms-based TPM emulator with socket, character device, a ...) + - swtpm <unfixed> + NOTE: https://github.com/stefanberger/swtpm/security/advisories/GHSA-2qgm-8xf4-3hqw + NOTE: https://github.com/stefanberger/swtpm/commit/9f740868fc36761de27df3935513bdebf8852d19 +CVE-2022-23644 (BookWyrm is a decentralized social network for tracking reading habits ...) + NOT-FOR-US: BookWyrm +CVE-2022-23643 (Sourcegraph is a code search and navigation engine. Sourcegraph versio ...) + NOT-FOR-US: Sourcegraph +CVE-2022-23642 (Sourcegraph is a code search and navigation engine. Sourcegraph prior ...) + NOT-FOR-US: Sourcegraph +CVE-2022-23641 (Discourse is an open source discussion platform. In versions prior to ...) + NOT-FOR-US: Discourse +CVE-2022-23640 + RESERVED +CVE-2022-23639 (crossbeam-utils provides atomics, synchronization primitives, scoped t ...) + TODO: check +CVE-2022-23638 (svg-sanitizer is a SVG/XML sanitizer written in PHP. A cross-site scri ...) + TODO: check +CVE-2022-23637 (K-Box is a web-based application to manage documents, images, videos a ...) + NOT-FOR-US: K-Box +CVE-2022-23636 (Wasmtime is an open source runtime for WebAssembly & WASI. Prior t ...) + NOT-FOR-US: wasmtime +CVE-2022-23635 + RESERVED +CVE-2022-23634 (Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` ...) + - puma <unfixed> (bug #1005391) + NOTE: https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h + NOTE: https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb + NOTE: Related issue to CVE-2022-23633 for src:rails +CVE-2022-23633 (Action Pack is a framework for handling and responding to web requests ...) + - rails <unfixed> (bug #1005389) + NOTE: https://www.openwall.com/lists/oss-security/2022/02/11/5 + NOTE: Fixed by: https://github.com/rails/rails/commit/07d9600172a18b45791c89e95a642e13fc367545 (v6.1.4.5) + NOTE: Followup: https://github.com/rails/rails/commit/d1267768e9f57ebcf86ff7f011aca7fb08e733eb (v6.1.4.6) + NOTE: Fixed by: https://github.com/rails/rails/commit/e9015f91dd685472f915f8aa1eb18b0e0763e013 (v6.0.4.5) + NOTE: Followup: https://github.com/rails/rails/commit/f85b396e5a0019eb614e4ee436ea713089696833 (v6.0.4.6) + NOTE: Fixed by: https://github.com/rails/rails/commit/ddaf5058350b3a72f59b7c3e0d713678354b9a08 (v5.2.6.1) + NOTE: Followup: https://github.com/rails/rails/commit/676ad96fa5d9d0213babc32c9bad8190597a00d1 (v5.2.6.2) +CVE-2022-23632 (Traefik is an HTTP reverse proxy and load balancer. Prior to version 2 ...) + NOT-FOR-US: Traefik +CVE-2022-23631 (superjson is a program to allow JavaScript expressions to be serialize ...) + TODO: check +CVE-2022-23630 (Gradle is a build tool with a focus on build automation and support fo ...) + - gradle <not-affected> (Vulnerable node not yet uploaded; introduced in 6.2) + NOTE: https://github.com/gradle/gradle/security/advisories/GHSA-9pf5-88jw-3qgr + NOTE: https://github.com/gradle/gradle/commit/88ab9b652933bc3b2e3161b31ad8b8f4f0516351 (v7.4.0-RC2) +CVE-2022-23629 + RESERVED +CVE-2022-23628 (OPA is an open source, general-purpose policy engine. Under certain co ...) + NOT-FOR-US: OPA +CVE-2022-23627 (ArchiSteamFarm (ASF) is a C# application with primary purpose of idlin ...) + NOT-FOR-US: ArchiSteamFarm +CVE-2022-23626 (m1k1o/blog is a lightweight self-hosted facebook-styled PHP blog. Erro ...) + NOT-FOR-US: m1k1o/blog +CVE-2022-23625 + RESERVED +CVE-2022-23624 (Frourio-express is a minimal full stack framework, for TypeScript. Fro ...) + NOT-FOR-US: Frourio-express +CVE-2022-23623 (Frourio is a full stack framework, for TypeScript. Frourio users who u ...) + NOT-FOR-US: Frourio +CVE-2022-23622 (XWiki Platform is a generic wiki platform offering runtime services fo ...) + NOT-FOR-US: XWiki +CVE-2022-23621 (XWiki Platform is a generic wiki platform offering runtime services fo ...) + NOT-FOR-US: XWiki +CVE-2022-23620 (XWiki Platform is a generic wiki platform offering runtime services fo ...) + NOT-FOR-US: XWiki +CVE-2022-23619 (XWiki Platform is a generic wiki platform offering runtime services fo ...) + NOT-FOR-US: XWiki +CVE-2022-23618 (XWiki Platform is a generic wiki platform offering runtime services fo ...) + NOT-FOR-US: XWiki +CVE-2022-23617 (XWiki Platform is a generic wiki platform offering runtime services fo ...) + NOT-FOR-US: XWiki +CVE-2022-23616 (XWiki Platform is a generic wiki platform offering runtime services fo ...) + NOT-FOR-US: XWiki +CVE-2022-23615 (XWiki Platform is a generic wiki platform offering runtime services fo ...) + NOT-FOR-US: XWiki +CVE-2022-23614 (Twig is an open source template language for PHP. When in a sandbox mo ...) + - php-twig 3.3.8-1 + NOTE: https://github.com/twigphp/Twig/security/advisories/GHSA-5mv2-rx3q-4w2v + NOTE: https://github.com/twigphp/Twig/pull/3641 + NOTE: https://github.com/twigphp/Twig/commit/2eb33080558611201b55079d07ac88f207b466d5 (v3.3.8) +CVE-2022-23613 (xrdp is an open source remote desktop protocol (RDP) server. In affect ...) + - xrdp <unfixed> (bug #1005304) + [bullseye] - xrdp <not-affected> (Vulnerable code not present) + [buster] - xrdp <not-affected> (Vulnerable code not present) + [stretch] - xrdp <not-affected> (Vulnerable code not present) + NOTE: https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-8h98-h426-xf32 + NOTE: Introduced by: https://github.com/neutrinolabs/xrdp/commit/738e346f810c97d578df9e99a36520616ee201be (v0.9.17) + NOTE: Fixed by: https://github.com/neutrinolabs/xrdp/commit/4def30ab8ea445cdc06832a44c3ec40a506a0ffa +CVE-2022-23612 + RESERVED +CVE-2022-23611 (iTunesRPC-Remastered is a Discord Rich Presence for iTunes on Windows ...) + NOT-FOR-US: iTunesRPC-Remastered +CVE-2022-23610 + RESERVED +CVE-2022-23609 (iTunesRPC-Remastered is a Discord Rich Presence for iTunes on Windows ...) + NOT-FOR-US: iTunesRPC-Remastered +CVE-2022-23608 + RESERVED +CVE-2022-23607 (treq is an HTTP library inspired by requests but written on top of Twi ...) + - python-treq <unfixed> (bug #1005041) + NOTE: https://github.com/twisted/treq/security/advisories/GHSA-fhpf-pp6p-55qc + NOTE: https://github.com/twisted/treq/commit/1da6022cc880bbcff59321abe02bf8498b89efb2 (release-22.1.0) +CVE-2022-23606 + RESERVED +CVE-2022-23605 (Wire webapp is a web client for the wire messaging protocol. In versio ...) + NOT-FOR-US: Wire webapp +CVE-2022-23604 (x26-Cogs is a repository of cogs made by Twentysix for the Red Discord ...) + NOT-FOR-US: x26-Cogs +CVE-2022-23603 (iTunesRPC-Remastered is a discord rich presence application for use wi ...) + NOT-FOR-US: iTunesRPC-Remastered +CVE-2022-23602 (Nimforum is a lightweight alternative to Discourse written in Nim. In ...) + NOT-FOR-US: Nimforum +CVE-2022-23601 (Symfony is a PHP framework for web and console applications and a set ...) + - symfony <not-affected> (Vulnerable code not present; no Debian released version contained the vulnerable code) + NOTE: https://symfony.com/blog/cve-2022-23601-csrf-token-missing-in-forms + NOTE: https://github.com/symfony/symfony/commit/f0ffb775febdf07e57117aabadac96fa37857f50 +CVE-2022-23600 (fleet is an open source device management, built on osquery. Versions ...) + NOT-FOR-US: Fleet +CVE-2022-23599 (Products.ATContentTypes are the core content types for Plone 2.1 - 4.3 ...) + NOT-FOR-US: Plone +CVE-2022-23598 (laminas-form is a package for validating and displaying simple and com ...) + NOT-FOR-US: laminas-form +CVE-2022-23597 (Element Desktop is a Matrix client for desktop platforms with Element ...) + NOT-FOR-US: Element Desktop +CVE-2022-23596 (Junrar is an open source java RAR archive library. In affected version ...) + NOT-FOR-US: Junrar +CVE-2022-23595 (Tensorflow is an Open Source Machine Learning Framework. When building ...) + - tensorflow <itp> (bug #804612) +CVE-2022-23594 (Tensorflow is an Open Source Machine Learning Framework. The TFG diale ...) + - tensorflow <itp> (bug #804612) +CVE-2022-23593 (Tensorflow is an Open Source Machine Learning Framework. The `simplify ...) + - tensorflow <itp> (bug #804612) +CVE-2022-23592 (Tensorflow is an Open Source Machine Learning Framework. TensorFlow's ...) + - tensorflow <itp> (bug #804612) +CVE-2022-23591 (Tensorflow is an Open Source Machine Learning Framework. The `GraphDef ...) + - tensorflow <itp> (bug #804612) +CVE-2022-23590 (Tensorflow is an Open Source Machine Learning Framework. A `GraphDef` ...) + - tensorflow <itp> (bug #804612) +CVE-2022-23589 (Tensorflow is an Open Source Machine Learning Framework. Under certain ...) + - tensorflow <itp> (bug #804612) +CVE-2022-23588 (Tensorflow is an Open Source Machine Learning Framework. A malicious u ...) + - tensorflow <itp> (bug #804612) +CVE-2022-23587 (Tensorflow is an Open Source Machine Learning Framework. Under certain ...) + - tensorflow <itp> (bug #804612) +CVE-2022-23586 (Tensorflow is an Open Source Machine Learning Framework. A malicious u ...) + - tensorflow <itp> (bug #804612) +CVE-2022-23585 (Tensorflow is an Open Source Machine Learning Framework. When decoding ...) + - tensorflow <itp> (bug #804612) +CVE-2022-23584 (Tensorflow is an Open Source Machine Learning Framework. A malicious u ...) + - tensorflow <itp> (bug #804612) +CVE-2022-23583 (Tensorflow is an Open Source Machine Learning Framework. A malicious u ...) + - tensorflow <itp> (bug #804612) +CVE-2022-23582 (Tensorflow is an Open Source Machine Learning Framework. A malicious u ...) + - tensorflow <itp> (bug #804612) +CVE-2022-23581 (Tensorflow is an Open Source Machine Learning Framework. The Grappler ...) + - tensorflow <itp> (bug #804612) +CVE-2022-23580 (Tensorflow is an Open Source Machine Learning Framework. During shape ...) + - tensorflow <itp> (bug #804612) +CVE-2022-23579 (Tensorflow is an Open Source Machine Learning Framework. The Grappler ...) + - tensorflow <itp> (bug #804612) +CVE-2022-23578 (Tensorflow is an Open Source Machine Learning Framework. If a graph no ...) + - tensorflow <itp> (bug #804612) +CVE-2022-23577 (Tensorflow is an Open Source Machine Learning Framework. The implement ...) + - tensorflow <itp> (bug #804612) +CVE-2022-23576 (Tensorflow is an Open Source Machine Learning Framework. The implement ...) + - tensorflow <itp> (bug #804612) +CVE-2022-23575 (Tensorflow is an Open Source Machine Learning Framework. The implement ...) + - tensorflow <itp> (bug #804612) +CVE-2022-23574 (Tensorflow is an Open Source Machine Learning Framework. There is a ty ...) + - tensorflow <itp> (bug #804612) +CVE-2022-23573 (Tensorflow is an Open Source Machine Learning Framework. The implement ...) + - tensorflow <itp> (bug #804612) +CVE-2022-23572 (Tensorflow is an Open Source Machine Learning Framework. Under certain ...) + - tensorflow <itp> (bug #804612) +CVE-2022-23571 (Tensorflow is an Open Source Machine Learning Framework. When decoding ...) + - tensorflow <itp> (bug #804612) +CVE-2022-23570 (Tensorflow is an Open Source Machine Learning Framework. When decoding ...) + - tensorflow <itp> (bug #804612) +CVE-2022-23569 (Tensorflow is an Open Source Machine Learning Framework. Multiple oper ...) + - tensorflow <itp> (bug #804612) +CVE-2022-23568 (Tensorflow is an Open Source Machine Learning Framework. The implement ...) + - tensorflow <itp> (bug #804612) +CVE-2022-23567 (Tensorflow is an Open Source Machine Learning Framework. The implement ...) + - tensorflow <itp> (bug #804612) +CVE-2022-23566 (Tensorflow is an Open Source Machine Learning Framework. TensorFlow is ...) + - tensorflow <itp> (bug #804612) +CVE-2022-23565 (Tensorflow is an Open Source Machine Learning Framework. An attacker c ...) + - tensorflow <itp> (bug #804612) +CVE-2022-23564 (Tensorflow is an Open Source Machine Learning Framework. When decoding ...) + - tensorflow <itp> (bug #804612) +CVE-2022-23563 (Tensorflow is an Open Source Machine Learning Framework. In multiple p ...) + - tensorflow <itp> (bug #804612) +CVE-2022-23562 (Tensorflow is an Open Source Machine Learning Framework. The implement ...) + - tensorflow <itp> (bug #804612) +CVE-2022-23561 (Tensorflow is an Open Source Machine Learning Framework. An attacker c ...) + - tensorflow <itp> (bug #804612) +CVE-2022-23560 (Tensorflow is an Open Source Machine Learning Framework. An attacker c ...) + - tensorflow <itp> (bug #804612) +CVE-2022-23559 (Tensorflow is an Open Source Machine Learning Framework. An attacker c ...) + - tensorflow <itp> (bug #804612) +CVE-2022-23558 (Tensorflow is an Open Source Machine Learning Framework. An attacker c ...) + - tensorflow <itp> (bug #804612) +CVE-2022-23557 (Tensorflow is an Open Source Machine Learning Framework. An attacker c ...) + - tensorflow <itp> (bug #804612) +CVE-2022-23556 + RESERVED +CVE-2022-23555 + RESERVED +CVE-2022-23554 + RESERVED +CVE-2022-23553 + RESERVED +CVE-2022-23552 + RESERVED +CVE-2022-23551 + RESERVED +CVE-2022-23550 + RESERVED +CVE-2022-23549 + RESERVED +CVE-2022-23548 + RESERVED +CVE-2022-23547 + RESERVED +CVE-2022-23546 + RESERVED +CVE-2022-23545 + RESERVED +CVE-2022-23544 + RESERVED +CVE-2022-23543 + RESERVED +CVE-2022-23542 + RESERVED +CVE-2022-23541 + RESERVED +CVE-2022-23540 + RESERVED +CVE-2022-23539 + RESERVED +CVE-2022-23538 + RESERVED +CVE-2022-23537 + RESERVED +CVE-2022-23536 + RESERVED +CVE-2022-23535 + RESERVED +CVE-2022-23534 + RESERVED +CVE-2022-23533 + RESERVED +CVE-2022-23532 + RESERVED +CVE-2022-23531 + RESERVED +CVE-2022-23530 + RESERVED +CVE-2022-23529 + RESERVED +CVE-2022-23528 + RESERVED +CVE-2022-23527 + RESERVED +CVE-2022-23526 + RESERVED +CVE-2022-23525 + RESERVED +CVE-2022-23524 + RESERVED +CVE-2022-23523 + RESERVED +CVE-2022-23522 + RESERVED +CVE-2022-23521 + RESERVED +CVE-2022-23520 + RESERVED +CVE-2022-23519 + RESERVED +CVE-2022-23518 + RESERVED +CVE-2022-23517 + RESERVED +CVE-2022-23516 + RESERVED +CVE-2022-23515 + RESERVED +CVE-2022-23514 + RESERVED +CVE-2022-23513 + RESERVED +CVE-2022-23512 + RESERVED +CVE-2022-23511 + RESERVED +CVE-2022-23510 + RESERVED +CVE-2022-23509 + RESERVED +CVE-2022-23508 + RESERVED +CVE-2022-23507 + RESERVED +CVE-2022-23506 + RESERVED +CVE-2022-23505 + RESERVED +CVE-2022-23504 + RESERVED +CVE-2022-23503 + RESERVED +CVE-2022-23502 + RESERVED +CVE-2022-23501 + RESERVED +CVE-2022-23500 + RESERVED +CVE-2022-23499 + RESERVED +CVE-2022-23498 + RESERVED +CVE-2022-23497 + RESERVED +CVE-2022-23496 + RESERVED +CVE-2022-23495 + RESERVED +CVE-2022-23494 + RESERVED +CVE-2022-23493 + RESERVED +CVE-2022-23492 + RESERVED +CVE-2022-23491 + RESERVED +CVE-2022-23490 + RESERVED +CVE-2022-23489 + RESERVED +CVE-2022-23488 + RESERVED +CVE-2022-23487 + RESERVED +CVE-2022-23486 + RESERVED +CVE-2022-23485 + RESERVED +CVE-2022-23484 + RESERVED +CVE-2022-23483 + RESERVED +CVE-2022-23482 + RESERVED +CVE-2022-23481 + RESERVED +CVE-2022-23480 + RESERVED +CVE-2022-23479 + RESERVED +CVE-2022-23478 + RESERVED +CVE-2022-23477 + RESERVED +CVE-2022-23476 + RESERVED +CVE-2022-23475 + RESERVED +CVE-2022-23474 + RESERVED +CVE-2022-23473 + RESERVED +CVE-2022-23472 + RESERVED +CVE-2022-23471 + RESERVED +CVE-2022-23470 + RESERVED +CVE-2022-23469 + RESERVED +CVE-2022-23468 + RESERVED +CVE-2022-23467 + RESERVED +CVE-2022-23466 + RESERVED +CVE-2022-23465 + RESERVED +CVE-2022-23464 + RESERVED +CVE-2022-23463 + RESERVED +CVE-2022-23462 + RESERVED +CVE-2022-23461 + RESERVED +CVE-2022-23460 + RESERVED +CVE-2022-23459 + RESERVED +CVE-2022-23458 + RESERVED +CVE-2022-23457 + RESERVED +CVE-2022-0314 + RESERVED +CVE-2022-0313 (The Float menu WordPress plugin before 4.3.1 does not have CSRF check ...) + NOT-FOR-US: WordPress plugin +CVE-2022-0312 + RESERVED +CVE-2022-0299 + RESERVED +CVE-2022-23456 (Potential arbitrary file deletion vulnerability has been identified in ...) + NOT-FOR-US: HP +CVE-2022-23455 + RESERVED +CVE-2022-23454 + RESERVED +CVE-2022-23453 + RESERVED +CVE-2022-23452 + RESERVED + - barbican <unfixed> + [bullseye] - barbican <no-dsa> (Minor issue) + [buster] - barbican <no-dsa> (Minor issue) + [stretch] - barbican <no-dsa> (Minor issue) + NOTE: https://storyboard.openstack.org/#!/story/2009297 + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2025090 +CVE-2022-23451 + RESERVED + - barbican <unfixed> + [bullseye] - barbican <no-dsa> (Minor issue) + [buster] - barbican <no-dsa> (Minor issue) + [stretch] - barbican <no-dsa> (Minor issue) + NOTE: https://storyboard.openstack.org/#!/story/2009253 + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2025089 +CVE-2022-23450 + RESERVED +CVE-2022-23449 + RESERVED +CVE-2022-23448 + RESERVED +CVE-2022-23447 + RESERVED +CVE-2022-23446 + RESERVED +CVE-2022-23445 + RESERVED +CVE-2022-23444 + RESERVED +CVE-2022-23443 + RESERVED +CVE-2022-23442 + RESERVED +CVE-2022-23441 + RESERVED +CVE-2022-23440 + RESERVED +CVE-2022-23439 + RESERVED +CVE-2022-23438 + RESERVED +CVE-2022-23437 (There's a vulnerability within the Apache Xerces Java (XercesJ) XML pa ...) + - libxerces2-java <unfixed> + [stretch] - libxerces2-java <postponed> (revisit when/if fix is complete) + NOTE: https://www.openwall.com/lists/oss-security/2022/01/24/3 +CVE-2022-0311 (Heap buffer overflow in Task Manager in Google Chrome prior to 97.0.46 ...) + {DSA-5054-1} + - chromium 97.0.4692.99-1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2022-0310 (Heap buffer overflow in Task Manager in Google Chrome prior to 97.0.46 ...) + {DSA-5054-1} + - chromium 97.0.4692.99-1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2022-0309 (Inappropriate implementation in Autofill in Google Chrome prior to 97. ...) + {DSA-5054-1} + - chromium 97.0.4692.99-1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2022-0308 (Use after free in Data Transfer in Google Chrome on Chrome OS prior to ...) + {DSA-5054-1} + - chromium 97.0.4692.99-1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2022-0307 (Use after free in Optimization Guide in Google Chrome prior to 97.0.46 ...) + {DSA-5054-1} + - chromium 97.0.4692.99-1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2022-0306 (Heap buffer overflow in PDFium in Google Chrome prior to 97.0.4692.99 ...) + {DSA-5054-1} + - chromium 97.0.4692.99-1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2022-0305 (Inappropriate implementation in Service Worker API in Google Chrome pr ...) + {DSA-5054-1} + - chromium 97.0.4692.99-1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2022-0304 (Use after free in Bookmarks in Google Chrome prior to 97.0.4692.99 all ...) + {DSA-5054-1} + - chromium 97.0.4692.99-1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2022-0303 + RESERVED + {DSA-5054-1} + - chromium 97.0.4692.99-1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2022-0302 (Use after free in Omnibox in Google Chrome prior to 97.0.4692.99 allow ...) + {DSA-5054-1} + - chromium 97.0.4692.99-1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2022-0301 (Heap buffer overflow in DevTools in Google Chrome prior to 97.0.4692.9 ...) + {DSA-5054-1} + - chromium 97.0.4692.99-1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2022-0300 (Use after free in Text Input Method Editor in Google Chrome on Android ...) + {DSA-5054-1} + - chromium 97.0.4692.99-1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2022-0298 (Use after free in Scheduling in Google Chrome prior to 97.0.4692.99 al ...) + {DSA-5054-1} + - chromium 97.0.4692.99-1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2022-0297 (Use after free in Vulkan in Google Chrome prior to 97.0.4692.99 allowe ...) + {DSA-5054-1} + - chromium 97.0.4692.99-1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2022-0296 (Use after free in Printing in Google Chrome prior to 97.0.4692.99 allo ...) + {DSA-5054-1} + - chromium 97.0.4692.99-1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2022-0295 (Use after free in Omnibox in Google Chrome prior to 97.0.4692.99 allow ...) + {DSA-5054-1} + - chromium 97.0.4692.99-1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2022-0294 (Inappropriate implementation in Push messaging in Google Chrome prior ...) + {DSA-5054-1} + - chromium 97.0.4692.99-1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2022-0293 (Use after free in Web packaging in Google Chrome prior to 97.0.4692.99 ...) + {DSA-5054-1} + - chromium 97.0.4692.99-1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2022-0292 (Inappropriate implementation in Fenced Frames in Google Chrome prior t ...) + {DSA-5054-1} + - chromium 97.0.4692.99-1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2022-0291 (Inappropriate implementation in Storage in Google Chrome prior to 97.0 ...) + {DSA-5054-1} + - chromium 97.0.4692.99-1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2022-0290 (Use after free in Site isolation in Google Chrome prior to 97.0.4692.9 ...) + {DSA-5054-1} + - chromium 97.0.4692.99-1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2022-0289 (Use after free in Safe browsing in Google Chrome prior to 97.0.4692.99 ...) + {DSA-5054-1} + - chromium 97.0.4692.99-1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2022-0288 (The Ad Inserter WordPress plugin before 2.7.10, Ad Inserter Pro WordPr ...) + NOT-FOR-US: WordPress plugin +CVE-2022-0287 + RESERVED +CVE-2022-0286 (A flaw was found in the Linux kernel. A null pointer dereference in bo ...) + - linux 5.14.6-1 + [bullseye] - linux 5.10.70-1 + [buster] - linux <not-affected> (Vulnerable code introduced later) + [stretch] - linux <not-affected> (Vulnerable code introduced later) +CVE-2022-0285 (Cross-site Scripting (XSS) - Stored in Packagist pimcore/pimcore prior ...) + NOT-FOR-US: pimcore +CVE-2022-0284 + RESERVED + - imagemagick <not-affected> (Specific to IM7) + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2045943 + NOTE: https://github.com/ImageMagick/ImageMagick/issues/4729 + NOTE: https://github.com/ImageMagick/ImageMagick/commit/e50f19fd73c792ebe912df8ab83aa51a243a3da7 +CVE-2022-0283 + RESERVED +CVE-2022-0282 (Code Injection in Packagist microweber/microweber prior to 1.2.11. ...) + NOT-FOR-US: microweber +CVE-2022-0281 (Exposure of Sensitive Information to an Unauthorized Actor in Packagis ...) + NOT-FOR-US: microweber +CVE-2022-0280 + RESERVED +CVE-2022-0279 (The AnyComment WordPress plugin before 0.2.18 is affected by a race co ...) + NOT-FOR-US: WordPress plugin +CVE-2022-0278 (Cross-site Scripting (XSS) - Stored in Packagist microweber/microweber ...) + NOT-FOR-US: microweber +CVE-2022-0277 (Improper Access Control in Packagist microweber/microweber prior to 1. ...) + NOT-FOR-US: microweber +CVE-2022-23436 + RESERVED +CVE-2022-23435 (decoding.c in android-gif-drawable before 1.2.24 does not limit the ma ...) + NOT-FOR-US: android-gif-drawable +CVE-2022-23434 (A vulnerability using PendingIntent in Bixby Vision prior to versions ...) + NOT-FOR-US: Samsung +CVE-2022-23433 (Improper access control vulnerability in Reminder prior to versions 12 ...) + NOT-FOR-US: Samsung +CVE-2022-23432 (An improper input validation in SMC_SRPMB_WSM handler of RPMB ldfw pri ...) + NOT-FOR-US: Samsung +CVE-2022-23431 (An improper boundary check in RPMB ldfw prior to SMR Feb-2022 Release ...) + NOT-FOR-US: Samsung +CVE-2022-23430 + RESERVED +CVE-2022-23429 (An improper boundary check in audio hal service prior to SMR Feb-2022 ...) + NOT-FOR-US: Samsung +CVE-2022-23428 (An improper boundary check in eden_runtime hal service prior to SMR Fe ...) + NOT-FOR-US: Samsung +CVE-2022-23427 (PendingIntent hijacking vulnerability in KnoxPrivacyNoticeReceiver pri ...) + NOT-FOR-US: Samsung +CVE-2022-23426 (A vulnerability using PendingIntent in DeX Home and DeX for PC prior t ...) + NOT-FOR-US: Samsung +CVE-2022-23425 (Improper input validation in Exynos baseband prior to SMR Feb-2022 Rel ...) + NOT-FOR-US: Samsung +CVE-2022-23424 + RESERVED +CVE-2022-23423 + RESERVED +CVE-2022-23422 + RESERVED +CVE-2022-23421 + RESERVED +CVE-2022-23420 + RESERVED +CVE-2022-23419 + RESERVED +CVE-2022-23418 + RESERVED +CVE-2022-23417 + RESERVED +CVE-2022-23416 + RESERVED +CVE-2022-23415 + RESERVED +CVE-2022-23414 + RESERVED +CVE-2022-23413 + RESERVED +CVE-2022-23412 + RESERVED +CVE-2022-23411 + RESERVED +CVE-2022-23410 (AXIS IP Utility prior to 4.17.0 allows for remote code execution and l ...) + NOT-FOR-US: AXIS IP Utility +CVE-2022-23409 (The Logs plugin before 3.0.4 for Craft CMS allows remote attackers to ...) + NOT-FOR-US: Craft CMS +CVE-2022-23408 (wolfSSL 5.x before 5.1.1 uses non-random IV values in certain situatio ...) + - wolfssl 5.1.1-1 (bug #1004181) + [bullseye] - wolfssl <not-affected> (Vulnerable code introduced later) + NOTE: https://github.com/wolfSSL/wolfssl/blob/master/ChangeLog.md#wolfssl-release-511-jan-3rd-2022 + NOTE: https://github.com/wolfSSL/wolfssl/pull/4710 + NOTE: Introduced by: https://github.com/wolfSSL/wolfssl/commit/2871fc670f448e5f7cab7101479cb5b88e4d21f4 (WCv5.0-RC9) + NOTE: Fixed by: https://github.com/wolfSSL/wolfssl/commit/73b4cc9476f6355a91138f545f3fd007ce058255 (master) + NOTE: Fixed by: https://github.com/wolfSSL/wolfssl/commit/f3038b7aa5512572a04c14becee799ef275a6736 (v5.1.1-stable) +CVE-2022-23407 + RESERVED +CVE-2022-23406 + RESERVED +CVE-2022-23405 + RESERVED +CVE-2022-23404 + RESERVED +CVE-2022-0276 + RESERVED +CVE-2022-0275 + RESERVED +CVE-2022-23398 + RESERVED +CVE-2022-23397 + RESERVED +CVE-2022-23396 + RESERVED +CVE-2022-23395 + RESERVED +CVE-2022-23394 + RESERVED +CVE-2022-23393 + RESERVED +CVE-2022-23392 + RESERVED +CVE-2022-23391 (A cross-site scripting (XSS) vulnerability in Pybbs v6.0 allows attack ...) + NOT-FOR-US: Pybbs +CVE-2022-23390 (An issue in the getType function of BBS Forum v5.3 and below allows at ...) + NOT-FOR-US: BBS Forum +CVE-2022-23389 (PublicCMS v4.0 was discovered to contain a remote code execution (RCE) ...) + NOT-FOR-US: PublicCMS +CVE-2022-23388 + RESERVED +CVE-2022-23387 + RESERVED +CVE-2022-23386 + RESERVED +CVE-2022-23385 + RESERVED +CVE-2022-23384 (YzmCMS v6.3 is affected by Cross Site Request Forgery (CSRF) in /admin ...) + NOT-FOR-US: YzmCMS +CVE-2022-23383 + RESERVED +CVE-2022-23382 + RESERVED +CVE-2022-23381 + RESERVED +CVE-2022-23380 + RESERVED +CVE-2022-23379 (Emlog v6.0 was discovered to contain a SQL injection vulnerability via ...) + NOT-FOR-US: Emlog +CVE-2022-23378 (A Cross-Site Scripting (XSS) vulnerability exists within the 3.2.2 ver ...) + NOT-FOR-US: TastyIgniter +CVE-2022-23377 + RESERVED +CVE-2022-23376 (WikiDocs version 0.1.18 has multiple reflected XSS vulnerabilities on ...) + NOT-FOR-US: WikiDocs +CVE-2022-23375 (WikiDocs version 0.1.18 has an authenticated remote code execution vul ...) + NOT-FOR-US: WikiDocs +CVE-2022-23374 + RESERVED +CVE-2022-23373 + RESERVED +CVE-2022-23372 + RESERVED +CVE-2022-23371 + RESERVED +CVE-2022-23370 + RESERVED +CVE-2022-23369 + RESERVED +CVE-2022-23368 + RESERVED +CVE-2022-23367 (Fulusso v1.1 was discovered to contain a DOM-based cross-site scriptin ...) + NOT-FOR-US: Fulusso +CVE-2022-23366 (HMS v1.0 was discovered to contain a SQL injection vulnerability via p ...) + NOT-FOR-US: HMS (Hospital Managment System) +CVE-2022-23365 (HMS v1.0 was discovered to contain a SQL injection vulnerability via d ...) + NOT-FOR-US: HMS (Hospital Managment System) +CVE-2022-23364 (HMS v1.0 was discovered to contain a SQL injection vulnerability via a ...) + NOT-FOR-US: HMS (Hospital Managment System) +CVE-2022-23363 (Online Banking System v1.0 was discovered to contain a SQL injection v ...) + NOT-FOR-US: Online Banking System +CVE-2022-23362 + RESERVED +CVE-2022-23361 + RESERVED +CVE-2022-23360 + RESERVED +CVE-2022-23359 + RESERVED +CVE-2022-23358 (EasyCMS v1.6 allows for SQL injection via ArticlemAction.class.php. In ...) + NOT-FOR-US: EasyCMS +CVE-2022-23357 (mozilo2.0 was discovered to be vulnerable to directory traversal attac ...) + TODO: check +CVE-2022-23356 + RESERVED +CVE-2022-23355 + RESERVED +CVE-2022-23354 + RESERVED +CVE-2022-23353 + RESERVED +CVE-2022-23352 + RESERVED +CVE-2022-23351 + RESERVED +CVE-2022-23350 + RESERVED +CVE-2022-23349 + RESERVED +CVE-2022-23348 + RESERVED +CVE-2022-23347 + RESERVED +CVE-2022-23346 + RESERVED +CVE-2022-23345 + RESERVED +CVE-2022-23344 + RESERVED +CVE-2022-23343 + RESERVED +CVE-2022-23342 + RESERVED +CVE-2022-23341 + RESERVED +CVE-2022-23340 (Joplin 2.6.10 allows remote attackers to execute system commands throu ...) + NOT-FOR-US: Joplin +CVE-2022-23339 + RESERVED +CVE-2022-23338 + RESERVED +CVE-2022-23337 (DedeCMS v5.7.87 was discovered to contain a SQL injection vulnerabilit ...) + NOT-FOR-US: DedeCMS +CVE-2022-23336 (S-CMS v5.0 was discovered to contain a SQL injection vulnerability in ...) + NOT-FOR-US: S-CMS +CVE-2022-23335 (Metinfo v7.5.0 was discovered to contain a SQL injection vulnerability ...) + NOT-FOR-US: Metinfo +CVE-2022-23334 + RESERVED +CVE-2022-23333 + RESERVED +CVE-2022-23332 + RESERVED +CVE-2022-23331 (In DataEase v1.6.1, an authenticated user can gain unauthorized access ...) + NOT-FOR-US: DataEase +CVE-2022-23330 (A remote code execution (RCE) vulnerability in HelloWorldAddonControll ...) + NOT-FOR-US: jpress +CVE-2022-23329 (A vulnerability in ${"freemarker.template.utility.Execute"?new() of UJ ...) + NOT-FOR-US: UJCMS Jspxcms +CVE-2022-23328 + RESERVED +CVE-2022-23327 + RESERVED +CVE-2022-23326 + RESERVED +CVE-2022-23325 + RESERVED +CVE-2022-23324 + RESERVED +CVE-2022-23323 + RESERVED +CVE-2022-23322 + RESERVED +CVE-2022-23321 (A persistent cross-site scripting (XSS) vulnerability exists on two in ...) + NOT-FOR-US: XMPie +CVE-2022-23320 (XMPie uStore 12.3.7244.0 allows for administrators to generate reports ...) + NOT-FOR-US: XMPie uStore +CVE-2022-23319 (A segmentation fault during PCF file parsing in pcf2bdf versions >= ...) + - pcf2bdf <unfixed> (unimportant) + NOTE: https://github.com/ganaware/pcf2bdf/issues/5 + NOTE: https://github.com/advisories/GHSA-p4gv-mjgc-3g68 + NOTE: Fixed by: https://github.com/ganaware/pcf2bdf/commit/3555aab4f3cfbec199141122177750a4351b8e79 + NOTE: Crash in CLI tool, no security impact +CVE-2022-23318 (A heap-buffer-overflow in pcf2bdf, versions >= 1.05 allows an attac ...) + - pcf2bdf <unfixed> (unimportant) + NOTE: https://github.com/ganaware/pcf2bdf/issues/4 + NOTE: https://github.com/advisories/GHSA-mhwp-x94h-mg49 + NOTE: Fixed by: https://github.com/ganaware/pcf2bdf/commit/aaf16808e4bb8d96eeab5f684df6550912a9e694 + NOTE: Crash in CLI tool, no security impact +CVE-2022-23317 (CobaltStrike <=4.5 HTTP(S) listener does not determine whether the ...) + NOT-FOR-US: CobaltStrike +CVE-2022-23316 (An issue was discovered in taoCMS v3.0.2. There is an arbitrary file r ...) + NOT-FOR-US: taocms +CVE-2022-23315 (MCMS v5.2.4 was discovered to contain an arbitrary file upload vulnera ...) + NOT-FOR-US: MCMS +CVE-2022-23314 (MCMS v5.2.4 was discovered to contain a SQL injection vulnerability vi ...) + NOT-FOR-US: MCMS +CVE-2022-23313 + RESERVED +CVE-2022-22137 + RESERVED +CVE-2022-21801 (A denial of service vulnerability exists in the netserver recv_command ...) + NOT-FOR-US: Reolink +CVE-2022-21796 (A memory corruption vulnerability exists in the netserver parse_comman ...) + NOT-FOR-US: Reolink +CVE-2022-0274 (Cross-site Scripting (XSS) - Stored in NuGet OrchardCore.Application.C ...) + NOT-FOR-US: Orchard CMS +CVE-2022-0273 (Improper Access Control in Pypi calibreweb prior to 0.6.16. ...) + NOT-FOR-US: calibre-web +CVE-2022-0272 + RESERVED +CVE-2022-0271 + RESERVED +CVE-2022-0270 (Prior to v0.6.1, bored-agent failed to sanitize incoming kubernetes im ...) + NOT-FOR-US: bored-agent +CVE-2022-0269 (Cross-Site Request Forgery (CSRF) in Packagist yetiforce/yetiforce-crm ...) + NOT-FOR-US: yetiforce-crm +CVE-2022-0268 (Cross-site Scripting (XSS) - Stored in Packagist getgrav/grav prior to ...) + NOT-FOR-US: Grav CMS +CVE-2022-0267 + RESERVED +CVE-2022-23312 (A vulnerability has been identified in Spectrum Power 4 (All versions ...) + NOT-FOR-US: Siemens +CVE-2022-23311 + RESERVED +CVE-2022-23310 + RESERVED +CVE-2022-23309 + RESERVED +CVE-2022-23308 + RESERVED +CVE-2022-0266 (Authorization Bypass Through User-Controlled Key in Packagist remdex/l ...) + NOT-FOR-US: livehelperchat +CVE-2022-0265 + RESERVED +CVE-2022-23307 (CVE-2020-9493 identified a deserialization issue that was present in A ...) + {DLA-2905-1} + - apache-log4j1.2 1.2.17-11 (bug #1004482) + [bullseye] - apache-log4j1.2 <no-dsa> (Minor issue) + [buster] - apache-log4j1.2 <no-dsa> (Minor issue) + NOTE: https://www.openwall.com/lists/oss-security/2022/01/18/5 +CVE-2022-23306 + RESERVED +CVE-2022-23305 (By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as ...) + {DLA-2905-1} + - apache-log4j1.2 1.2.17-11 (bug #1004482) + [bullseye] - apache-log4j1.2 <no-dsa> (Minor issue) + [buster] - apache-log4j1.2 <no-dsa> (Minor issue) + NOTE: https://www.openwall.com/lists/oss-security/2022/01/18/4 +CVE-2022-0263 (Unrestricted Upload of File with Dangerous Type in Packagist pimcore/p ...) + NOT-FOR-US: pimcore +CVE-2022-0262 (Cross-site Scripting (XSS) - Stored in Packagist pimcore/pimcore prior ...) + NOT-FOR-US: pimcore +CVE-2022-0261 (Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2. ...) + - vim <unfixed> + [bullseye] - vim <no-dsa> (Minor issue) + [buster] - vim <no-dsa> (Minor issue) + NOTE: https://huntr.dev/bounties/fa795954-8775-4f23-98c6-d4d4d3fe8a82 + NOTE: https://github.com/vim/vim/commit/9f8c304c8a390ade133bac29963dc8e56ab14cbc (v8.2.4120) +CVE-2022-0260 (Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimco ...) + NOT-FOR-US: pimcore +CVE-2022-0259 + RESERVED +CVE-2022-0258 (pimcore is vulnerable to Improper Neutralization of Special Elements u ...) + NOT-FOR-US: pimcore +CVE-2022-0257 (pimcore is vulnerable to Improper Neutralization of Input During Web P ...) + NOT-FOR-US: pimcore +CVE-2022-0256 (pimcore is vulnerable to Improper Neutralization of Input During Web P ...) + NOT-FOR-US: pimcore +CVE-2022-0255 (The Database Backup for WordPress plugin before 2.5.1 does not properl ...) + NOT-FOR-US: WordPress plugin +CVE-2022-0254 + RESERVED +CVE-2022-0253 (livehelperchat is vulnerable to Improper Neutralization of Input Durin ...) + NOT-FOR-US: livehelperchat +CVE-2022-0252 (The GiveWP WordPress plugin before 2.17.3 does not escape the json par ...) + NOT-FOR-US: WordPress plugin +CVE-2022-0251 (Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimco ...) + NOT-FOR-US: pimcore +CVE-2022-0250 + RESERVED +CVE-2022-0249 + RESERVED +CVE-2022-0248 + RESERVED +CVE-2022-0247 + RESERVED +CVE-2022-0246 + RESERVED +CVE-2022-23304 (The implementations of EAP-pwd in hostapd before 2.10 and wpa_supplica ...) + - wpa 2:2.10-1 + [bullseye] - wpa <no-dsa> (Minor issue) + [buster] - wpa <no-dsa> (Minor issue) + [stretch] - wpa <ignored> (Minor issue) + NOTE: https://w1.fi/security/2022-1/ + NOTE: Issue exists because of an incomplete fix for CVE-2019-9495 +CVE-2022-23303 (The implementations of SAE in hostapd before 2.10 and wpa_supplicant b ...) + - wpa 2:2.10-1 + [bullseye] - wpa <no-dsa> (Minor issue) + [buster] - wpa <no-dsa> (Minor issue) + [stretch] - wpa <not-affected> (CVE-2019-9494 was not applied and is marked as ignored) + NOTE: https://w1.fi/security/2022-1/ + NOTE: Issue exists because of an incomplete fix for CVE-2019-9494 +CVE-2022-0264 (A vulnerability was found in the Linux kernel's eBPF verifier when han ...) + - linux 5.15.5-2 + [bullseye] - linux <not-affected> (Vulnerable code not present) + [buster] - linux <not-affected> (Vulnerable code not present) + [stretch] - linux <not-affected> (Vulnerable code not present) + NOTE: https://git.kernel.org/linus/7d3baf0afa3aa9102d6a521a8e4c41888bb79882 (5.16-rc6) +CVE-2022-0245 (Cross-Site Request Forgery (CSRF) in GitHub repository livehelperchat/ ...) + NOT-FOR-US: livehelperchat +CVE-2022-0244 (An issue has been discovered in GitLab CE/EE affecting all versions st ...) + - gitlab <unfixed> +CVE-2022-0243 (Cross-site Scripting (XSS) - Stored in NuGet OrchardCore.Application.C ...) + NOT-FOR-US: Orchard CMS +CVE-2022-23302 (JMSSink in all versions of Log4j 1.x is vulnerable to deserialization ...) + {DLA-2905-1} + - apache-log4j1.2 1.2.17-11 (bug #1004482) + [bullseye] - apache-log4j1.2 <no-dsa> (Minor issue) + [buster] - apache-log4j1.2 <no-dsa> (Minor issue) + NOTE: https://www.openwall.com/lists/oss-security/2022/01/18/3 +CVE-2022-22142 (Reflected cross-site scripting vulnerability in the checkbox of php_ma ...) + NOT-FOR-US: php_mailform +CVE-2022-21805 (Reflected cross-site scripting vulnerability in the attached file name ...) + NOT-FOR-US: php_mailform +CVE-2022-0242 (Unrestricted Upload of File with Dangerous Type in GitHub repository c ...) + NOT-FOR-US: Crater +CVE-2022-0241 + RESERVED +CVE-2022-0240 (mruby is vulnerable to NULL Pointer Dereference ...) + - mruby <unfixed> + [bullseye] - mruby <no-dsa> (Minor issue) + [buster] - mruby <no-dsa> (Minor issue) + [stretch] - mruby <no-dsa> (Minor issue) + NOTE: https://huntr.dev/bounties/5857eced-aad9-417d-864e-0bdf17226cbb/ + NOTE: https://github.com/mruby/mruby/commit/31fa3304049fc406a201a72293cce140f0557dca +CVE-2022-0239 (corenlp is vulnerable to Improper Restriction of XML External Entity R ...) + NOT-FOR-US: corenlp +CVE-2022-0238 (phoronix-test-suite is vulnerable to Cross-Site Request Forgery (CSRF) ...) + - phoronix-test-suite <removed> +CVE-2022-23301 + RESERVED +CVE-2022-23300 + RESERVED +CVE-2022-23299 + RESERVED +CVE-2022-23298 + RESERVED +CVE-2022-23297 + RESERVED +CVE-2022-23296 + RESERVED +CVE-2022-23295 + RESERVED +CVE-2022-23294 + RESERVED +CVE-2022-23293 + RESERVED +CVE-2022-23292 + RESERVED +CVE-2022-23291 + RESERVED +CVE-2022-23290 + RESERVED +CVE-2022-23289 + RESERVED +CVE-2022-23288 + RESERVED +CVE-2022-23287 + RESERVED +CVE-2022-23286 + RESERVED +CVE-2022-23285 + RESERVED +CVE-2022-23284 + RESERVED +CVE-2022-23283 + RESERVED +CVE-2022-23282 + RESERVED +CVE-2022-23281 + RESERVED +CVE-2022-23280 (Microsoft Outlook for Mac Security Feature Bypass Vulnerability. ...) + NOT-FOR-US: Microsoft +CVE-2022-23279 + RESERVED +CVE-2022-23278 + RESERVED +CVE-2022-23277 + RESERVED +CVE-2022-23276 (SQL Server for Linux Containers Elevation of Privilege Vulnerability. ...) + NOT-FOR-US: Microsoft +CVE-2022-23275 + RESERVED +CVE-2022-23274 (Microsoft Dynamics GP Remote Code Execution Vulnerability. ...) + NOT-FOR-US: Microsoft +CVE-2022-23273 (Microsoft Dynamics GP Elevation Of Privilege Vulnerability. This CVE I ...) + NOT-FOR-US: Microsoft +CVE-2022-23272 (Microsoft Dynamics GP Elevation Of Privilege Vulnerability. This CVE I ...) + NOT-FOR-US: Microsoft +CVE-2022-23271 (Microsoft Dynamics GP Elevation Of Privilege Vulnerability. This CVE I ...) + NOT-FOR-US: Microsoft +CVE-2022-23270 + RESERVED +CVE-2022-23269 (Microsoft Dynamics GP Spoofing Vulnerability. ...) + NOT-FOR-US: Microsoft +CVE-2022-23268 + RESERVED +CVE-2022-23267 + RESERVED +CVE-2022-23266 + RESERVED +CVE-2022-23265 + RESERVED +CVE-2022-23264 + RESERVED +CVE-2022-23263 (Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability. ...) + NOT-FOR-US: Microsoft +CVE-2022-23262 (Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability. ...) + NOT-FOR-US: Microsoft +CVE-2022-23261 (Microsoft Edge (Chromium-based) Tampering Vulnerability. ...) + NOT-FOR-US: Microsoft +CVE-2022-23260 + RESERVED +CVE-2022-23259 + RESERVED +CVE-2022-23258 (Microsoft Edge for Android Spoofing Vulnerability. ...) + NOT-FOR-US: Microsoft +CVE-2022-23257 + RESERVED +CVE-2022-23256 (Azure Data Explorer Spoofing Vulnerability. ...) + NOT-FOR-US: Microsoft +CVE-2022-23255 (Microsoft OneDrive for Android Security Feature Bypass Vulnerability. ...) + NOT-FOR-US: Microsoft +CVE-2022-23254 (Microsoft Power BI Information Disclosure Vulnerability. ...) + NOT-FOR-US: Microsoft +CVE-2022-23253 + RESERVED +CVE-2022-23252 (Microsoft Office Information Disclosure Vulnerability. ...) + NOT-FOR-US: Microsoft +CVE-2022-23251 + RESERVED +CVE-2022-23250 + RESERVED +CVE-2022-23249 + RESERVED +CVE-2022-23248 + RESERVED +CVE-2022-23247 + RESERVED +CVE-2022-23246 + RESERVED +CVE-2022-23245 + RESERVED +CVE-2022-23244 + RESERVED +CVE-2022-23243 + RESERVED +CVE-2022-23242 + RESERVED +CVE-2022-23241 + RESERVED +CVE-2022-23240 + RESERVED +CVE-2022-23239 + RESERVED +CVE-2022-23238 + RESERVED +CVE-2022-23237 + RESERVED +CVE-2022-23236 + RESERVED +CVE-2022-23235 + RESERVED +CVE-2022-23234 + RESERVED +CVE-2022-23233 + RESERVED +CVE-2022-23232 + RESERVED +CVE-2022-23231 + RESERVED +CVE-2022-23230 + RESERVED +CVE-2022-23229 + RESERVED +CVE-2022-23228 (Pexip Infinity before 27.0 has improper WebRTC input validation. An un ...) + NOT-FOR-US: Pexip Infinity +CVE-2022-23227 (NUUO NVRmini2 through 3.11 allows an unauthenticated attacker to uploa ...) + NOT-FOR-US: NUUO NVRmini2 +CVE-2022-23226 + RESERVED +CVE-2022-23225 + RESERVED +CVE-2022-23224 + RESERVED +CVE-2022-23223 (The HTTP response will disclose the user password. This issue affected ...) + NOT-FOR-US: Apache ShenYu Admin +CVE-2022-23221 (H2 Console before 2.1.210 allows remote attackers to execute arbitrary ...) + {DSA-5076-1 DLA-2923-1} + - h2database 2.1.210-1 + NOTE: https://github.com/h2database/h2database/releases/tag/version-2.1.210 + NOTE: Fixed by https://github.com/h2database/h2database/commit/eb75633d0dfa86341e6ef77a861665c4a0f16ab8 + NOTE: https://github.com/h2database/h2database/issues/3360#issuecomment-1018351050 +CVE-2022-23220 (USBView 2.1 before 2.2 allows some local users (e.g., ones logged in v ...) + {DSA-5052-1} + - usbview 2.0-21-g6fe2f4f-2.1 + [stretch] - usbview <not-affected> (Vulnerable code introduced later) + NOTE: https://www.openwall.com/lists/oss-security/2022/01/21/1 + NOTE: Introduced by: https://github.com/gregkh/usbview/commit/ddefeba3f67d6a6f394eb57352254c1c8a312671 (v2.1) + NOTE: Fixed by: https://github.com/gregkh/usbview/commit/bf374fa4e5b9a756789dfd88efa93806a395463b (v2.2) + NOTE: Hardening: https://github.com/gregkh/usbview/commit/1282782301570b3ee27f82f4f34c2c1a82bfd91a (v2.2) +CVE-2022-0237 + RESERVED +CVE-2022-0236 (The WP Import Export WordPress plugin (both free and premium versions) ...) + NOT-FOR-US: WordPress plugin +CVE-2022-0235 (node-fetch is vulnerable to Exposure of Sensitive Information to an Un ...) + - node-fetch 2.6.1-7 + [bullseye] - node-fetch <no-dsa> (Minor issue) + NOTE: https://huntr.dev/bounties/d26ab655-38d6-48b3-be15-f9ad6b6ae6f7/ + NOTE: Fixed by: https://github.com/node-fetch/node-fetch/commit/f5d3cf5e2579cb8f4c76c291871e69696aef8f80 (v3.1.1) +CVE-2022-0234 (The WOOCS WordPress plugin before 1.3.7.5 does not sanitise and escape ...) + NOT-FOR-US: WordPress plugin +CVE-2022-0233 (The ProfileGrid – User Profiles, Memberships, Groups and Communi ...) + NOT-FOR-US: WordPress plugin +CVE-2022-0232 (The User Registration, Login & Landing Pages WordPress plugin is v ...) + NOT-FOR-US: WordPress plugin +CVE-2022-0231 (livehelperchat is vulnerable to Cross-Site Request Forgery (CSRF) ...) + NOT-FOR-US: livehelperchat +CVE-2022-0230 + RESERVED +CVE-2022-0229 + RESERVED +CVE-2022-0228 (The Popup Builder WordPress plugin before 4.0.7 does not validate and ...) + NOT-FOR-US: WordPress plugin +CVE-2022-23222 (kernel/bpf/verifier.c in the Linux kernel through 5.15.14 allows local ...) + {DSA-5050-1} + - linux 5.15.15-1 + [buster] - linux <not-affected> (Vulnerable code not present) + [stretch] - linux <not-affected> (Vulnerable code not present) + NOTE: https://www.openwall.com/lists/oss-security/2022/01/13/1 +CVE-2022-23219 (The deprecated compatibility function clnt_create in the sunrpc module ...) + - glibc 2.33-3 + [bullseye] - glibc <no-dsa> (Minor issue) + [buster] - glibc <no-dsa> (Minor issue) + [stretch] - glibc <no-dsa> (Minor issue) + NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22542 +CVE-2022-23218 (The deprecated compatibility function svcunix_create in the sunrpc mod ...) + - glibc 2.33-3 + [bullseye] - glibc <no-dsa> (Minor issue) + [buster] - glibc <no-dsa> (Minor issue) + [stretch] - glibc <no-dsa> (Minor issue) + NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=28768 +CVE-2022-23217 + RESERVED +CVE-2022-23216 + RESERVED +CVE-2022-23215 + RESERVED +CVE-2022-23214 + RESERVED +CVE-2022-23213 + RESERVED +CVE-2022-23212 + RESERVED +CVE-2022-23211 + RESERVED +CVE-2022-23210 + RESERVED +CVE-2022-23209 + RESERVED +CVE-2022-23208 + RESERVED +CVE-2022-23207 + RESERVED +CVE-2022-0227 (Business Logic Errors in GitHub repository silverstripe/silverstripe-f ...) + NOT-FOR-US: Silverstripe CMS +CVE-2022-0226 (livehelperchat is vulnerable to Cross-Site Request Forgery (CSRF) ...) + NOT-FOR-US: livehelperchat +CVE-2022-0225 + RESERVED + NOT-FOR-US: Keycloak +CVE-2022-0224 (dolibarr is vulnerable to Improper Neutralization of Special Elements ...) + - dolibarr <removed> +CVE-2022-0223 + RESERVED +CVE-2022-0222 + RESERVED +CVE-2022-0221 + RESERVED +CVE-2022-0220 (The check_privacy_settings AJAX action of the WordPress GDPR WordPress ...) + NOT-FOR-US: WordPress plugin +CVE-2022-0219 (Improper Restriction of XML External Entity Reference in GitHub reposi ...) + NOT-FOR-US: jadx +CVE-2022-0218 (The WP HTML Mail WordPress plugin is vulnerable to unauthorized access ...) + NOT-FOR-US: WordPress plugin +CVE-2022-0216 + RESERVED +CVE-2022-0215 (The Login/Signup Popup, Waitlist Woocommerce ( Back in stock notifier ...) + NOT-FOR-US: WordPress plugin +CVE-2022-0214 (The Popup | Custom Popup Builder WordPress plugin before 1.3.1 autoloa ...) + NOT-FOR-US: WordPress plugin +CVE-2022-0213 (vim is vulnerable to Heap-based Buffer Overflow ...) + - vim <unfixed> + [bullseye] - vim <no-dsa> (Minor issue) + [buster] - vim <no-dsa> (Minor issue) + NOTE: https://huntr.dev/bounties/f3afe1a5-e6f8-4579-b68a-6e5c7e39afed + NOTE: Fixed by: https://github.com/vim/vim/commit/de05bb25733c3319e18dca44e9b59c6ee389eb26 (v8.2.4074) +CVE-2022-0212 (The SpiderCalendar WordPress plugin through 1.5.65 does not sanitise a ...) + NOT-FOR-US: WordPress plugin +CVE-2022-0211 (The Shield Security WordPress plugin before 13.0.6 does not sanitise a ...) + NOT-FOR-US: WordPress plugin +CVE-2022-23206 (In Apache Traffic Control Traffic Ops prior to 6.1.0 or 5.1.6, an unpr ...) + NOT-FOR-US: Apache Traffic Control +CVE-2022-23205 + RESERVED +CVE-2022-23204 (Adobe Premiere Rush versions 2.0 and earlier are affected by an out-of ...) + NOT-FOR-US: Adobe +CVE-2022-23203 (Adobe Photoshop versions 22.5.4 (and earlier) and 23.1 (and earlier) a ...) + NOT-FOR-US: Adobe +CVE-2022-23202 (Adobe Creative Cloud Desktop version 2.7.0.13 (and earlier) is affecte ...) + NOT-FOR-US: Adobe +CVE-2022-23201 + RESERVED +CVE-2022-23200 (Adobe After Effects versions 22.1.1 (and earlier) and 18.4.3 (and earl ...) + NOT-FOR-US: Adobe +CVE-2022-23199 (Adobe Illustrator versions 25.4.3 (and earlier) and 26.0.2 (and earlie ...) + NOT-FOR-US: Adobe +CVE-2022-23198 (Adobe Illustrator versions 25.4.3 (and earlier) and 26.0.2 (and earlie ...) + NOT-FOR-US: Adobe +CVE-2022-23197 (Adobe Illustrator versions 25.4.3 (and earlier) and 26.0.2 (and earlie ...) + NOT-FOR-US: Adobe +CVE-2022-23196 (Adobe Illustrator versions 25.4.3 (and earlier) and 26.0.2 (and earlie ...) + NOT-FOR-US: Adobe +CVE-2022-23195 (Adobe Illustrator versions 25.4.3 (and earlier) and 26.0.2 (and earlie ...) + NOT-FOR-US: Adobe +CVE-2022-23194 (Adobe Illustrator versions 25.4.3 (and earlier) and 26.0.2 (and earlie ...) + NOT-FOR-US: Adobe +CVE-2022-23193 (Adobe Illustrator versions 25.4.3 (and earlier) and 26.0.2 (and earlie ...) + NOT-FOR-US: Adobe +CVE-2022-23192 (Adobe Illustrator versions 25.4.3 (and earlier) and 26.0.2 (and earlie ...) + NOT-FOR-US: Adobe +CVE-2022-23191 (Adobe Illustrator versions 25.4.3 (and earlier) and 26.0.2 (and earlie ...) + NOT-FOR-US: Adobe +CVE-2022-23190 (Adobe Illustrator versions 25.4.3 (and earlier) and 26.0.2 (and earlie ...) + NOT-FOR-US: Adobe +CVE-2022-23189 (Adobe Illustrator versions 25.4.3 (and earlier) and 26.0.2 (and earlie ...) + NOT-FOR-US: Adobe +CVE-2022-23188 (Adobe Illustrator versions 25.4.3 (and earlier) and 26.0.2 (and earlie ...) + NOT-FOR-US: Adobe +CVE-2022-23187 + RESERVED +CVE-2022-23186 (Adobe Illustrator versions 25.4.3 (and earlier) and 26.0.2 (and earlie ...) + NOT-FOR-US: Adobe +CVE-2022-23185 + RESERVED +CVE-2022-23184 (In affected Octopus Server versions when the server HTTP and HTTPS bin ...) + NOT-FOR-US: Octopus Server +CVE-2022-23181 (The fix for bug CVE-2020-9484 introduced a time of check, time of use ...) + - tomcat9 <unfixed> + [bullseye] - tomcat9 <postponed> (Minor issue, fix along in future DSA) + [buster] - tomcat9 <postponed> (Minor issue, fix along in future DSA) + - tomcat8 <removed> + [stretch] - tomcat8 <postponed> (Minor issue; local race condition) + NOTE: https://lists.apache.org/thread/l8x62p3k19yfcb208jo4zrb83k5mfwg9 + NOTE: https://github.com/apache/tomcat/commit/1385c624b4a1e994426e810075c850edc38a700e (9.0.57) + NOTE: https://github.com/apache/tomcat/commit/97943959ba721ad5e8e8ba765a68d2b153348530 (8.5.74) + NOTE: Issue introduced by the fix for CVE-2020-9484 +CVE-2022-23180 + RESERVED +CVE-2022-23179 + RESERVED +CVE-2022-21199 (An information disclosure vulnerability exists due to the hardcoded TL ...) + NOT-FOR-US: Reolink +CVE-2022-0217 [Unauthenticated Remote Denial of Service Attack in the WebSocket interface] + RESERVED + {DSA-5047-1} + - prosody 0.11.12-1 (bug #1003696) + [stretch] - prosody <ignored> (websocket module introduced in 0.10.0; internal XML API only used on trusted data) + NOTE: https://prosody.im/security/advisory_20220113/ + NOTE: Patch: https://prosody.im/security/advisory_20220113/1.patch + NOTE: https://hg.prosody.im/0.11/raw-rev/783056b4e448 + NOTE: https://www.openwall.com/lists/oss-security/2022/01/13/3 + NOTE: Regression: https://issues.prosody.im/1711 + NOTE: Regression fix: https://hg.prosody.im/trunk/rev/e5e0ab93d7f4 +CVE-2022-0210 (The Random Banner WordPress plugin is vulnerable to Stored Cross-Site ...) + NOT-FOR-US: WordPress plugin +CVE-2022-0209 + RESERVED +CVE-2022-0208 (The MapPress Maps for WordPress plugin before 2.73.4 does not sanitise ...) + NOT-FOR-US: WordPress plugin +CVE-2022-0207 + RESERVED + - vdsm <itp> (bug #668538) +CVE-2022-0206 (The NewStatPress WordPress plugin before 1.3.6 does not properly escap ...) + NOT-FOR-US: WordPress plugin +CVE-2022-0205 + RESERVED +CVE-2022-0204 [Heap overflow vulnerability in the implementation of the gatt protocol] + RESERVED + - bluez <unfixed> (bug #1003712) + [bullseye] - bluez <no-dsa> (Minor issue) + [buster] - bluez <no-dsa> (Minor issue) + [stretch] - bluez <no-dsa> (Minor issue) + NOTE: https://github.com/bluez/bluez/security/advisories/GHSA-479m-xcq5-9g2q + NOTE: Fixed by: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=591c546c536b42bef696d027f64aa22434f8c3f0 (5.63) + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2039807 +CVE-2022-0203 (Improper Access Control in GitHub repository crater-invoice/crater pri ...) + NOT-FOR-US: Crater +CVE-2022-0202 + RESERVED +CVE-2022-0201 (The Permalink Manager Lite WordPress plugin before 2.2.15 and Permalin ...) + NOT-FOR-US: WordPress plugin +CVE-2022-0200 (Themify Portfolio Post WordPress plugin before 1.1.7 does not sanitise ...) + NOT-FOR-US: WordPress plugin +CVE-2022-0199 (The Coming soon and Maintenance mode WordPress plugin before 3.6.8 doe ...) + NOT-FOR-US: WordPress plugin +CVE-2022-23178 (An issue was discovered on Crestron HD-MD4X2-4K-E 1.0.0.2159 devices. ...) + NOT-FOR-US: Crestron devices +CVE-2022-23177 + RESERVED +CVE-2022-23176 + RESERVED +CVE-2022-23175 + RESERVED +CVE-2022-23174 + RESERVED +CVE-2022-23173 + RESERVED +CVE-2022-23172 + RESERVED +CVE-2022-23171 + RESERVED +CVE-2022-23170 + RESERVED +CVE-2022-23169 + RESERVED +CVE-2022-23168 + RESERVED +CVE-2022-23167 + RESERVED +CVE-2022-23166 + RESERVED +CVE-2022-23165 + RESERVED +CVE-2022-23164 + RESERVED +CVE-2022-23163 + RESERVED +CVE-2022-23162 + RESERVED +CVE-2022-23161 + RESERVED +CVE-2022-23160 + RESERVED +CVE-2022-23159 + RESERVED +CVE-2022-23158 + RESERVED +CVE-2022-23157 + RESERVED +CVE-2022-23156 + RESERVED +CVE-2022-23155 + RESERVED +CVE-2022-23154 + RESERVED +CVE-2022-23153 + RESERVED +CVE-2022-23152 + RESERVED +CVE-2022-23151 + RESERVED +CVE-2022-23150 + RESERVED +CVE-2022-23149 + RESERVED +CVE-2022-23148 + RESERVED +CVE-2022-23147 + RESERVED +CVE-2022-23146 + RESERVED +CVE-2022-23145 + RESERVED +CVE-2022-23144 + RESERVED +CVE-2022-23143 + RESERVED +CVE-2022-23142 + RESERVED +CVE-2022-23141 + RESERVED +CVE-2022-23140 + RESERVED +CVE-2022-23139 + RESERVED +CVE-2022-23138 + RESERVED +CVE-2022-23137 + RESERVED +CVE-2022-23136 + RESERVED +CVE-2022-23135 + RESERVED +CVE-2022-23134 (After the initial setup process, some steps of setup.php file are reac ...) + {DLA-2914-1} + - zabbix <unfixed> + NOTE: https://support.zabbix.com/browse/ZBX-20384 + NOTE: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/aa0fecfbcc9794bc00206630a7424575dfc944df (5.0.19rc2) +CVE-2022-23133 (An authenticated user can create a hosts group from the configuration ...) + - zabbix <unfixed> + [stretch] - zabbix <not-affected> (Vulnerable code introduced later, and reverted with the fix) + NOTE: https://support.zabbix.com/browse/ZBX-20388 + NOTE: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/74b8716a73c324e6cdbdda1de434e7872740a908 (5.0.19rc1) + NOTE: Introduced by: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/f3654d0173ea244a2319a093f7c4e27ad9086dc3 (4.4.0alpha3) +CVE-2022-23132 (During Zabbix installation from RPM, DAC_OVERRIDE SELinux capability i ...) + - zabbix <unfixed> + [stretch] - zabbix <not-affected> (Not using RPM or DAC_OVERRIDE in Debian installs, zbx_ipc_service_init_env() not present) + NOTE: https://support.zabbix.com/browse/ZBX-20341 + NOTE: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/019fbd9b5cc9c455304f1a48460435ca474ba2ac (5.0.18) +CVE-2022-23131 (In the case of instances where the SAML SSO authentication is enabled ...) + - zabbix <unfixed> + [stretch] - zabbix <not-affected> (SAML authentication support added in 5.0) + NOTE: https://support.zabbix.com/browse/ZBX-20350 + TODO: check, possibly only affecting 5.4.0 onwards; similar code but no upstream fix in 5.0 LTS +CVE-2022-23130 (Buffer Over-read vulnerability in Mitsubishi Electric MC Works64 versi ...) + NOT-FOR-US: Mitsubishi +CVE-2022-23129 (Plaintext Storage of a Password vulnerability in Mitsubishi Electric M ...) + NOT-FOR-US: Mitsubishi +CVE-2022-23128 (Incomplete List of Disallowed Inputs vulnerability in Mitsubishi Elect ...) + NOT-FOR-US: Mitsubishi +CVE-2022-23127 (Cross-site Scripting vulnerability in Mitsubishi Electric MC Works64 v ...) + NOT-FOR-US: Mitsubishi +CVE-2022-23126 (TeslaMate before 1.25.1 (when using the default Docker configuration) ...) + NOT-FOR-US: TeslaMate +CVE-2022-0198 (corenlp is vulnerable to Improper Restriction of XML External Entity R ...) + NOT-FOR-US: corenlp +CVE-2022-0197 (phoronix-test-suite is vulnerable to Cross-Site Request Forgery (CSRF) ...) + - phoronix-test-suite <removed> +CVE-2022-0196 (phoronix-test-suite is vulnerable to Cross-Site Request Forgery (CSRF) ...) + - phoronix-test-suite <removed> +CVE-2022-0195 + RESERVED +CVE-2022-23125 + RESERVED +CVE-2022-23124 + RESERVED +CVE-2022-23123 + RESERVED +CVE-2022-23122 + RESERVED +CVE-2022-23121 + RESERVED +CVE-2022-23120 (A code injection vulnerability in Trend Micro Deep Security and Cloud ...) + NOT-FOR-US: Trend Micro +CVE-2022-23119 (A directory traversal vulnerability in Trend Micro Deep Security and C ...) + NOT-FOR-US: Trend Micro +CVE-2022-23118 (Jenkins Debian Package Builder Plugin 1.6.11 and earlier implements fu ...) + NOT-FOR-US: Jenkins plugin +CVE-2022-23117 (Jenkins Conjur Secrets Plugin 1.0.9 and earlier implements functionali ...) + NOT-FOR-US: Jenkins plugin +CVE-2022-23116 (Jenkins Conjur Secrets Plugin 1.0.9 and earlier implements functionali ...) + NOT-FOR-US: Jenkins plugin +CVE-2022-23115 (Cross-site request forgery (CSRF) vulnerabilities in Jenkins batch tas ...) + NOT-FOR-US: Jenkins plugin +CVE-2022-23114 (Jenkins Publish Over SSH Plugin 1.22 and earlier stores password unenc ...) + NOT-FOR-US: Jenkins plugin +CVE-2022-23113 (Jenkins Publish Over SSH Plugin 1.22 and earlier performs a validation ...) + NOT-FOR-US: Jenkins plugin +CVE-2022-23112 (A missing permission check in Jenkins Publish Over SSH Plugin 1.22 and ...) + NOT-FOR-US: Jenkins plugin +CVE-2022-23111 (A cross-site request forgery (CSRF) vulnerability in Jenkins Publish O ...) + NOT-FOR-US: Jenkins plugin +CVE-2022-23110 (Jenkins Publish Over SSH Plugin 1.22 and earlier does not escape the S ...) + NOT-FOR-US: Jenkins plugin +CVE-2022-23109 (Jenkins HashiCorp Vault Plugin 3.7.0 and earlier does not mask Vault c ...) + NOT-FOR-US: Jenkins plugin +CVE-2022-23108 (Jenkins Badge Plugin 1.9 and earlier does not escape the description a ...) + NOT-FOR-US: Jenkins plugin +CVE-2022-23107 (Jenkins Warnings Next Generation Plugin 9.10.2 and earlier does not re ...) + NOT-FOR-US: Jenkins plugin +CVE-2022-23106 (Jenkins Configuration as Code Plugin 1.55 and earlier used a non-const ...) + NOT-FOR-US: Jenkins plugin +CVE-2022-23105 (Jenkins Active Directory Plugin 2.25 and earlier does not encrypt the ...) + NOT-FOR-US: Jenkins plugin +CVE-2022-23102 (A vulnerability has been identified in SINEMA Remote Connect Server (A ...) + NOT-FOR-US: Siemens +CVE-2022-21236 (An information disclosure vulnerability exists due to a web server mis ...) + NOT-FOR-US: Reolink +CVE-2022-21217 (An out-of-bounds write vulnerability exists in the device TestEmail fu ...) + NOT-FOR-US: Reolink +CVE-2022-21134 (A firmware update vulnerability exists in the &quot;update&quo ...) + NOT-FOR-US: Reolink +CVE-2022-0194 + RESERVED +CVE-2022-0193 (The Complianz WordPress plugin before 6.0.0 does not escape the s para ...) + NOT-FOR-US: WordPress plugin +CVE-2022-0192 + RESERVED +CVE-2022-0191 + RESERVED +CVE-2022-0190 (The Ad Invalid Click Protector (AICP) WordPress plugin before 1.2.6 is ...) + NOT-FOR-US: WordPress plugin +CVE-2022-0189 + RESERVED +CVE-2022-0188 (The CMP WordPress plugin before 4.0.19 allows any user, even not logge ...) + NOT-FOR-US: WordPress plugin +CVE-2022-0187 + RESERVED +CVE-2022-0186 (The Image Photo Gallery Final Tiles Grid WordPress plugin before 3.5.3 ...) + NOT-FOR-US: WordPress plugin +CVE-2022-0185 (A heap-based buffer overflow flaw was found in the way the legacy_pars ...) + {DSA-5050-1} + - linux 5.15.15-1 + [buster] - linux <not-affected> (Vulnerable code introduced later) + [stretch] - linux <not-affected> (Vulnerable code introduced later) + NOTE: Fixed by: https://git.kernel.org/linus/722d94847de29310e8aa03fcbdb41fc92c521756 + NOTE: https://www.openwall.com/lists/oss-security/2022/01/18/7 + NOTE: https://www.openwall.com/lists/oss-security/2022/01/25/14 + NOTE: https://www.willsroot.io/2022/01/cve-2022-0185.html +CVE-2022-0184 (Insufficiently protected credentials vulnerability in 'TEPRA' PRO SR59 ...) + NOT-FOR-US: TEPRA +CVE-2022-0183 (Missing encryption of sensitive data vulnerability in 'MIRUPASS' PW10 ...) + NOT-FOR-US: MIRUPASS +CVE-2022-23101 + RESERVED +CVE-2022-23100 + RESERVED +CVE-2022-23099 + RESERVED +CVE-2022-23098 (An issue was discovered in the DNS proxy in Connman through 1.40. The ...) + {DLA-2915-1} + - connman <unfixed> (bug #1004935) + [bullseye] - connman <no-dsa> (Minor issue) + [buster] - connman <no-dsa> (Minor issue) + NOTE: https://www.openwall.com/lists/oss-security/2022/01/25/1 + NOTE: https://lore.kernel.org/connman/20220125090026.5108-1-wagi@monom.org/ + NOTE: https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=d8708b85c1e8fe25af7803e8a20cf20e7201d8a4 + NOTE: https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=5c34313a196515c80fe78a2862ad78174b985be5 +CVE-2022-23097 (An issue was discovered in the DNS proxy in Connman through 1.40. forw ...) + {DLA-2915-1} + - connman <unfixed> (bug #1004935) + [bullseye] - connman <no-dsa> (Minor issue) + [buster] - connman <no-dsa> (Minor issue) + NOTE: https://www.openwall.com/lists/oss-security/2022/01/25/1 + NOTE: https://lore.kernel.org/connman/20220125090026.5108-1-wagi@monom.org/ + NOTE: https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=e5a313736e13c90d19085e953a26256a198e4950 +CVE-2022-23096 (An issue was discovered in the DNS proxy in Connman through 1.40. The ...) + {DLA-2915-1} + - connman <unfixed> (bug #1004935) + [bullseye] - connman <no-dsa> (Minor issue) + [buster] - connman <no-dsa> (Minor issue) + NOTE: https://www.openwall.com/lists/oss-security/2022/01/25/1 + NOTE: https://lore.kernel.org/connman/20220125090026.5108-1-wagi@monom.org/ + NOTE: https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=e5a313736e13c90d19085e953a26256a198e4950 +CVE-2022-23095 (Open Design Alliance Drawings SDK before 2022.12.1 mishandles the load ...) + NOT-FOR-US: Open Design Alliance Drawings SDK +CVE-2022-23094 (Libreswan 4.2 through 4.5 allows remote attackers to cause a denial of ...) + {DSA-5048-1} + - libreswan 4.6-1 + [buster] - libreswan <not-affected> (Vulnerable code introduced in 4.2) + NOTE: https://github.com/libreswan/libreswan/issues/585 + NOTE: https://libreswan.org/security/CVE-2022-23094/CVE-2022-23094.txt + NOTE: https://libreswan.org/security/CVE-2022-23094/CVE-2022-23094-libreswan-4.2-4.3.patch (4.2-4.3) + NOTE: https://libreswan.org/security/CVE-2022-23094/CVE-2022-23094-libreswan-4.4-4.5.patch (4.4-4.5) +CVE-2022-23093 + RESERVED +CVE-2022-23092 + RESERVED +CVE-2022-23091 + RESERVED +CVE-2022-23090 + RESERVED +CVE-2022-23089 + RESERVED +CVE-2022-23088 + RESERVED +CVE-2022-23087 + RESERVED +CVE-2022-23086 + RESERVED +CVE-2022-23085 + RESERVED +CVE-2022-23084 + RESERVED +CVE-2022-23083 (NetMaster 12.2 Network Management for TCP/IP and NetMaster File Transf ...) + NOT-FOR-US: NetMaster +CVE-2022-23082 + RESERVED +CVE-2022-23081 + RESERVED +CVE-2022-23080 + RESERVED +CVE-2022-23079 + RESERVED +CVE-2022-23078 + RESERVED +CVE-2022-23077 + RESERVED +CVE-2022-23076 + RESERVED +CVE-2022-23075 + RESERVED +CVE-2022-23074 + RESERVED +CVE-2022-23073 + RESERVED +CVE-2022-23072 + RESERVED +CVE-2022-23071 + RESERVED +CVE-2022-23070 + RESERVED +CVE-2022-23069 + RESERVED +CVE-2022-23068 + RESERVED +CVE-2022-23067 + RESERVED +CVE-2022-23066 + RESERVED +CVE-2022-23065 + RESERVED +CVE-2022-23064 + RESERVED +CVE-2022-23063 + RESERVED +CVE-2022-23062 + RESERVED +CVE-2022-23061 + RESERVED +CVE-2022-23060 + RESERVED +CVE-2022-23059 + RESERVED +CVE-2022-23058 + RESERVED +CVE-2022-23057 + RESERVED +CVE-2022-23056 + RESERVED +CVE-2022-23055 + RESERVED +CVE-2022-23054 (Openmct versions 1.3.0 to 1.7.7 are vulnerable against stored XSS via ...) + NOT-FOR-US: Openmct +CVE-2022-23053 (Openmct versions 1.3.0 to 1.7.7 are vulnerable against stored XSS via ...) + NOT-FOR-US: Openmct +CVE-2022-23052 + RESERVED +CVE-2022-23051 + RESERVED +CVE-2022-23050 + RESERVED +CVE-2022-23049 (Exponent CMS 2.6.0patch2 allows an authenticated user to inject persis ...) + NOT-FOR-US: Exponent CMS +CVE-2022-23048 (Exponent CMS 2.6.0patch2 allows an authenticated admin user to upload ...) + NOT-FOR-US: Exponent CMS +CVE-2022-23047 (Exponent CMS 2.6.0patch2 allows an authenticated admin user to inject ...) + NOT-FOR-US: Exponent CMS +CVE-2022-23046 (PhpIPAM v1.4.4 allows an authenticated admin user to inject SQL senten ...) + NOT-FOR-US: PhpIPAM +CVE-2022-23045 (PhpIPAM v1.4.4 allows an authenticated admin user to inject persistent ...) + NOT-FOR-US: PhpIPAM +CVE-2022-23044 + RESERVED +CVE-2022-23043 + RESERVED +CVE-2022-23042 + RESERVED +CVE-2022-23041 + RESERVED +CVE-2022-23040 + RESERVED +CVE-2022-23039 + RESERVED +CVE-2022-23038 + RESERVED +CVE-2022-23037 + RESERVED +CVE-2022-23036 + RESERVED +CVE-2022-23035 (Insufficient cleanup of passed-through device IRQs The management of I ...) + - xen 4.16.0+51-g0941d6cb-1 + [bullseye] - xen <postponed> (Fix along with next DSA round) + [buster] - xen <end-of-life> (DSA 4677-1) + [stretch] - xen <end-of-life> (DSA 4602-1) + NOTE: https://xenbits.xen.org/xsa/advisory-395.html +CVE-2022-23034 (A PV guest could DoS Xen while unmapping a grant To address XSA-380, r ...) + - xen 4.16.0+51-g0941d6cb-1 + [bullseye] - xen <postponed> (Fix along with next DSA round) + [buster] - xen <end-of-life> (DSA 4677-1) + [stretch] - xen <end-of-life> (DSA 4602-1) + NOTE: https://xenbits.xen.org/xsa/advisory-394.html +CVE-2022-23033 (arm: guest_physmap_remove_page not removing the p2m mappings The funct ...) + - xen 4.16.0+51-g0941d6cb-1 + [bullseye] - xen <postponed> (Fix along with next DSA round) + [buster] - xen <not-affected> (Vulnerable code introduced later) + [stretch] - xen <not-affected> (Vulnerable code introduced later) + NOTE: https://xenbits.xen.org/xsa/advisory-393.html +CVE-2022-23032 (In all versions before 7.2.1.4, when proxy settings are configured in ...) + NOT-FOR-US: F5 BIG-IP +CVE-2022-23031 (On BIG-IP FPS, ASM, and Advanced WAF versions 16.1.x before 16.1.1, 15 ...) + NOT-FOR-US: F5 BIG-IP +CVE-2022-23030 (On version 16.1.x before 16.1.2, 15.1.x before 15.1.4.1, 14.1.x before ...) + NOT-FOR-US: F5 BIG-IP +CVE-2022-23029 (On BIG-IP version 16.x before 16.1.0, 15.1.x before 15.1.4.1, 14.1.x b ...) + NOT-FOR-US: F5 BIG-IP +CVE-2022-23028 (On BIG-IP AFM version 16.x before 16.1.0, 15.1.x before 15.1.5, 14.1.x ...) + NOT-FOR-US: F5 BIG-IP +CVE-2022-23027 (On BIG-IP versions 15.1.x before 15.1.4, 14.1.x before 14.1.4.4, 13.1. ...) + NOT-FOR-US: F5 BIG-IP +CVE-2022-23026 (On BIG-IP ASM & Advanced WAF version 16.1.x before 16.1.2, 15.1.x ...) + NOT-FOR-US: F5 BIG-IP +CVE-2022-23025 (On BIG-IP version 16.1.x before 16.1.1, 15.1.x before 15.1.4, 14.1.x b ...) + NOT-FOR-US: F5 BIG-IP +CVE-2022-23024 (On BIG-IP AFM version 16.x before 16.1.0, 15.1.x before 15.1.4.1, 14.1 ...) + NOT-FOR-US: F5 BIG-IP +CVE-2022-23023 (On BIG-IP version 16.1.x before 16.1.2.1, 15.1.x before 15.1.5, 14.1.x ...) + NOT-FOR-US: F5 BIG-IP +CVE-2022-23022 (On BIG-IP version 16.1.x before 16.1.2, when an HTTP profile is config ...) + NOT-FOR-US: F5 BIG-IP +CVE-2022-23021 (On BIG-IP version 16.1.x before 16.1.2, when any of the following conf ...) + NOT-FOR-US: F5 BIG-IP +CVE-2022-23020 (On BIG-IP version 16.1.x before 16.1.2, when the 'Respond on Error' se ...) + NOT-FOR-US: F5 BIG-IP +CVE-2022-23019 (On BIG-IP version 16.1.x before 16.1.2, 15.1.x before 15.1.4.1, 14.1.x ...) + NOT-FOR-US: F5 BIG-IP +CVE-2022-23018 (On BIG-IP AFM version 16.1.x before 16.1.2, 15.1.x before 15.1.4.1, 14 ...) + NOT-FOR-US: F5 BIG-IP +CVE-2022-23017 (On BIG-IP version 16.x before 16.1.0, 15.1.x before 15.1.4.1, 14.1.x b ...) + NOT-FOR-US: F5 BIG-IP +CVE-2022-23016 (On versions 16.1.x before 16.1.2 and 15.1.x before 15.1.4.1, when BIG- ...) + NOT-FOR-US: F5 BIG-IP +CVE-2022-23015 (On BIG-IP versions 16.x before 16.1.0, 15.1.x before 15.1.4.1, and 14. ...) + NOT-FOR-US: F5 BIG-IP +CVE-2022-23014 (On versions 16.1.x before 16.1.2 and 15.1.x before 15.1.4.1, when BIG- ...) + NOT-FOR-US: F5 BIG-IP +CVE-2022-23013 (On BIG-IP DNS & GTM version 16.x before 16.1.0, 15.1.x before 15.1 ...) + NOT-FOR-US: F5 BIG-IP +CVE-2022-23012 (On BIG-IP versions 15.1.x before 15.1.4.1 and 14.1.x before 14.1.4.5, ...) + NOT-FOR-US: F5 BIG-IP +CVE-2022-23011 (On certain hardware BIG-IP platforms, in version 15.1.x before 15.1.4 ...) + NOT-FOR-US: F5 BIG-IP +CVE-2022-23010 (On BIG-IP versions 16.x before 16.1.0, 15.1.x before 15.1.4.1, 14.1.x ...) + NOT-FOR-US: F5 BIG-IP +CVE-2022-23009 (On BIG-IQ Centralized Management 8.x before 8.1.0, an authenticated ad ...) + NOT-FOR-US: F5 BIG-IP +CVE-2022-23008 (On NGINX Controller API Management versions 3.18.0-3.19.0, an authenti ...) + NOT-FOR-US: F5 BIG-IP +CVE-2022-23007 + RESERVED +CVE-2022-23006 + RESERVED +CVE-2022-23005 + RESERVED +CVE-2022-23004 + RESERVED +CVE-2022-23003 + RESERVED +CVE-2022-23002 + RESERVED +CVE-2022-23001 + RESERVED +CVE-2022-23000 + RESERVED +CVE-2022-22999 + RESERVED +CVE-2022-22998 + RESERVED +CVE-2022-22997 + RESERVED +CVE-2022-22996 + RESERVED +CVE-2022-22995 + RESERVED +CVE-2022-22994 (A remote code execution vulnerability was discovered on Western Digita ...) + NOT-FOR-US: Western Digital +CVE-2022-22993 (A limited SSRF vulnerability was discovered on Western Digital My Clou ...) + NOT-FOR-US: Western Digital +CVE-2022-22992 (A command injection remote code execution vulnerability was discovered ...) + NOT-FOR-US: Western Digital +CVE-2022-22991 (A malicious user on the same LAN could use DNS spoofing followed by a ...) + NOT-FOR-US: Western Digital / My Cloud OS 5 Firmware +CVE-2022-22990 (A limited authentication bypass vulnerability was discovered that coul ...) + NOT-FOR-US: Western Digital / My Cloud OS 5 Firmware +CVE-2022-22989 (My Cloud OS 5 was vulnerable to a pre-authenticated stack overflow vul ...) + NOT-FOR-US: Western Digital / My Cloud OS 5 Firmware +CVE-2022-22988 (File and directory permissions have been corrected to prevent unintend ...) + NOT-FOR-US: Western Digital +CVE-2022-21234 + RESERVED +CVE-2022-21210 + RESERVED +CVE-2022-21145 + RESERVED +CVE-2022-0182 (Stored cross-site scripting vulnerability in Quiz And Survey Master ve ...) + NOT-FOR-US: Quiz And Survey Master +CVE-2022-0181 (Reflected cross-site scripting vulnerability in Quiz And Survey Master ...) + NOT-FOR-US: Quiz And Survey Master +CVE-2022-0180 (Cross-site request forgery (CSRF) vulnerability in Quiz And Survey Mas ...) + NOT-FOR-US: Quiz And Survey Master +CVE-2022-0179 (snipe-it is vulnerable to Improper Access Control ...) + NOT-FOR-US: snipe-it +CVE-2022-0178 (snipe-it is vulnerable to Improper Access Control ...) + NOT-FOR-US: snipe-it +CVE-2022-0177 + REJECTED +CVE-2022-22983 + RESERVED +CVE-2022-22982 + RESERVED +CVE-2022-22981 + RESERVED +CVE-2022-22980 + RESERVED +CVE-2022-22979 + RESERVED +CVE-2022-22978 + RESERVED +CVE-2022-22977 + RESERVED +CVE-2022-22976 + RESERVED +CVE-2022-22975 + RESERVED +CVE-2022-22974 + RESERVED +CVE-2022-22973 + RESERVED +CVE-2022-22972 + RESERVED +CVE-2022-22971 + RESERVED +CVE-2022-22970 + RESERVED +CVE-2022-22969 + RESERVED +CVE-2022-22968 + RESERVED +CVE-2022-22967 + RESERVED +CVE-2022-22966 + RESERVED +CVE-2022-22965 + RESERVED +CVE-2022-22964 + RESERVED +CVE-2022-22963 + RESERVED +CVE-2022-22962 + RESERVED +CVE-2022-22961 + RESERVED +CVE-2022-22960 + RESERVED +CVE-2022-22959 + RESERVED +CVE-2022-22958 + RESERVED +CVE-2022-22957 + RESERVED +CVE-2022-22956 + RESERVED +CVE-2022-22955 + RESERVED +CVE-2022-22954 + RESERVED +CVE-2022-22953 + RESERVED +CVE-2022-22952 + RESERVED +CVE-2022-22951 + RESERVED +CVE-2022-22950 + RESERVED +CVE-2022-22949 + RESERVED +CVE-2022-22948 + RESERVED +CVE-2022-22947 + RESERVED +CVE-2022-22946 + RESERVED +CVE-2022-22945 (VMware NSX Edge contains a CLI shell injection vulnerability. A malici ...) + NOT-FOR-US: VMware +CVE-2022-22944 + RESERVED +CVE-2022-22943 + RESERVED +CVE-2022-22942 [drm/vmwgfx: Fix stale file descriptors on failed usercopy] + RESERVED + - linux 5.15.15-2 + [stretch] - linux <not-affected> (Vulnerable code not present) + NOTE: https://www.openwall.com/lists/oss-security/2022/01/27/4 + NOTE: https://www.openwall.com/lists/oss-security/2022/02/03/1 + NOTE: Fixed by: https://git.kernel.org/linus/a0f90c8815706981c483a652a6aefca51a5e191c +CVE-2022-22941 + RESERVED +CVE-2022-22940 + RESERVED +CVE-2022-22939 (VMware Cloud Foundation contains an information disclosure vulnerabili ...) + NOT-FOR-US: VMware +CVE-2022-22938 (VMware Workstation (16.x prior to 16.2.2) and Horizon Client for Windo ...) + NOT-FOR-US: VMware +CVE-2022-22937 + RESERVED +CVE-2022-22936 + RESERVED +CVE-2022-22935 + RESERVED +CVE-2022-22934 + RESERVED +CVE-2022-22933 + RESERVED +CVE-2022-22932 (Apache Karaf obr:* commands and run goal on the karaf-maven-plugin hav ...) + - apache-karaf <itp> (bug #881297) +CVE-2022-22931 (Fix of CVE-2021-40525 do not prepend delimiters upon valid directory v ...) + NOT-FOR-US: Apache James +CVE-2022-22930 (A remote code execution (RCE) vulnerability in the Template Management ...) + NOT-FOR-US: MCMS +CVE-2022-22929 (MCMS v5.2.4 was discovered to have an arbitrary file upload vulnerabil ...) + NOT-FOR-US: MCMS +CVE-2022-22928 (MCMS v5.2.4 was discovered to have a hardcoded shiro-key, allowing att ...) + NOT-FOR-US: MCMS +CVE-2022-22927 + RESERVED +CVE-2022-22926 + RESERVED +CVE-2022-22925 + RESERVED +CVE-2022-22924 + RESERVED +CVE-2022-22923 + RESERVED +CVE-2022-22922 (TP-Link TL-WA850RE Wi-Fi Range Extender before v6_200923 was discovere ...) + NOT-FOR-US: TP-Link +CVE-2022-22921 + RESERVED +CVE-2022-22920 + RESERVED +CVE-2022-22919 (Adenza AxiomSL ControllerView through 10.8.1 allows redirection for SS ...) + NOT-FOR-US: Adenza AxiomSL ControllerView +CVE-2022-22918 + RESERVED +CVE-2022-22917 + RESERVED +CVE-2022-22916 (O2OA v6.4.7 was discovered to contain a remote code execution (RCE) vu ...) + NOT-FOR-US: O2OA +CVE-2022-22915 + RESERVED +CVE-2022-22914 (An incorrect access control issue in the component FileManager of Ovid ...) + NOT-FOR-US: Ovidentia CMS +CVE-2022-22913 + RESERVED +CVE-2022-22912 (Prototype pollution vulnerability via .parse() in Plist before v3.0.4 ...) + TODO: check +CVE-2022-22911 + RESERVED +CVE-2022-22910 + RESERVED +CVE-2022-22909 + RESERVED +CVE-2022-22908 + RESERVED +CVE-2022-22907 + RESERVED +CVE-2022-22906 + RESERVED +CVE-2022-22905 + RESERVED +CVE-2022-22904 + RESERVED +CVE-2022-22903 + RESERVED +CVE-2022-22902 + RESERVED +CVE-2022-22901 (There is an Assertion in 'context_p->next_scanner_info_p->type = ...) + TODO: check +CVE-2022-22900 + RESERVED +CVE-2022-22899 (Core FTP / SFTP Server v2 Build 725 was discovered to allow unauthenti ...) + NOT-FOR-US: Core FTP / SFTP Server +CVE-2022-22898 + RESERVED +CVE-2022-22897 + RESERVED +CVE-2022-22896 + RESERVED +CVE-2022-22895 (Jerryscript 3.0.0 was discovered to contain a heap-buffer-overflow via ...) + - iotjs <unfixed> (bug #1004298) + [bullseye] - iotjs <no-dsa> (Minor issue) + [buster] - iotjs <not-affected> (Vulnerable code introduced later) + NOTE: https://github.com/jerryscript-project/jerryscript/pull/4850 + NOTE: https://github.com/jerryscript-project/jerryscript/issues/4882 +CVE-2022-22894 (Jerryscript 3.0.0 was discovered to contain a stack overflow via ecma_ ...) + - iotjs <unfixed> (bug #1004298) + [bullseye] - iotjs <no-dsa> (Minor issue) + [buster] - iotjs <no-dsa> (Minor issue) + NOTE: https://github.com/jerryscript-project/jerryscript/issues/4890 + NOTE: https://github.com/jerryscript-project/jerryscript/pull/4899 +CVE-2022-22893 (Jerryscript 3.0.0 was discovered to contain a stack overflow via vm_lo ...) + - iotjs <unfixed> (bug #1004298) + [bullseye] - iotjs <no-dsa> (Minor issue) + [buster] - iotjs <no-dsa> (Minor issue) + NOTE: https://github.com/jerryscript-project/jerryscript/issues/4901 + NOTE: https://github.com/jerryscript-project/jerryscript/pull/4945 +CVE-2022-22892 (There is an Assertion 'ecma_is_value_undefined (value) || ecma_is_valu ...) + - iotjs <unfixed> (bug #1004298) + [bullseye] - iotjs <no-dsa> (Minor issue) + [buster] - iotjs <not-affected> (Vulnerable code introduced later) + NOTE: https://github.com/jerryscript-project/jerryscript/issues/4872 + NOTE: https://github.com/jerryscript-project/jerryscript/pull/4878 +CVE-2022-22891 (Jerryscript 3.0.0 was discovered to contain a SEGV vulnerability via e ...) + - iotjs <unfixed> (bug #1004298) + [bullseye] - iotjs <no-dsa> (Minor issue) + [buster] - iotjs <not-affected> (Vulnerable code introduced later) + NOTE: https://github.com/jerryscript-project/jerryscript/issues/4871 + NOTE: https://github.com/jerryscript-project/jerryscript/pull/4885 +CVE-2022-22890 (There is an Assertion 'arguments_type != SCANNER_ARGUMENTS_PRESENT &am ...) + - iotjs <unfixed> (bug #1004298) + [bullseye] - iotjs <no-dsa> (Minor issue) + [buster] - iotjs <not-affected> (Vulnerable code introduced later) + NOTE: https://github.com/jerryscript-project/jerryscript/pull/4849 + NOTE: https://github.com/jerryscript-project/jerryscript/issues/4847 +CVE-2022-22889 + RESERVED +CVE-2022-22888 (Jerryscript 3.0.0 was discovered to contain a stack overflow via ecma_ ...) + - iotjs <unfixed> (bug #1004298) + [bullseye] - iotjs <no-dsa> (Minor issue) + [buster] - iotjs <not-affected> (Vulnerable code introduced later) + NOTE: https://github.com/jerryscript-project/jerryscript/pull/4877 + NOTE: https://github.com/jerryscript-project/jerryscript/issues/4848 +CVE-2022-22887 + RESERVED +CVE-2022-22886 + RESERVED +CVE-2022-22885 (Hutool v5.7.18's HttpRequest was discovered to ignore all TLS/SSL cert ...) + NOT-FOR-US: Hutool +CVE-2022-22884 + RESERVED +CVE-2022-22883 + RESERVED +CVE-2022-22882 + RESERVED +CVE-2022-22881 (Jeecg-boot v3.0 was discovered to contain a SQL injection vulnerabilit ...) + NOT-FOR-US: Jeecg-boot +CVE-2022-22880 (Jeecg-boot v3.0 was discovered to contain a SQL injection vulnerabilit ...) + NOT-FOR-US: Jeecg-boot +CVE-2022-22879 + RESERVED +CVE-2022-22878 + RESERVED +CVE-2022-22877 + RESERVED +CVE-2022-22876 + RESERVED +CVE-2022-22875 + RESERVED +CVE-2022-22874 + RESERVED +CVE-2022-22873 + RESERVED +CVE-2022-22872 + RESERVED +CVE-2022-22871 + RESERVED +CVE-2022-22870 + RESERVED +CVE-2022-22869 + RESERVED +CVE-2022-22868 (Gibbon CMS v22.0.01 was discovered to contain a cross-site scripting ( ...) + NOT-FOR-US: Gibbon CMS +CVE-2022-22867 + RESERVED +CVE-2022-22866 + RESERVED +CVE-2022-22865 + RESERVED +CVE-2022-22864 + RESERVED +CVE-2022-22863 + RESERVED +CVE-2022-22862 + RESERVED +CVE-2022-22861 + RESERVED +CVE-2022-22860 + RESERVED +CVE-2022-22859 + RESERVED +CVE-2022-22858 + RESERVED +CVE-2022-22857 + RESERVED +CVE-2022-22856 + RESERVED +CVE-2022-22855 + RESERVED +CVE-2022-22854 (An access control issue in hprms/admin/?page=user/list of Hospital Pat ...) + NOT-FOR-US: Hospital Patient Record Management System +CVE-2022-22853 (A stored cross-site scripting (XSS) vulnerability in Hospital Patient ...) + NOT-FOR-US: Hospital Patient Record Management System +CVE-2022-22852 (A Stored Cross Site Scripting (XSS) vulnerability exists in Sourcecodt ...) + NOT-FOR-US: Sourcecodtester +CVE-2022-22851 (A Stored Cross Site Scripting (XSS) vulnerability exists in Sourcecodt ...) + NOT-FOR-US: Sourcecodtester +CVE-2022-22850 (A Stored Cross Site Scripting (XSS) vulnerability exists in Sourcecodt ...) + NOT-FOR-US: Sourcecodtester +CVE-2022-22849 + RESERVED +CVE-2022-22149 + RESERVED +CVE-2022-0176 (The PowerPack Lite for Beaver Builder WordPress plugin before 1.2.9.3 ...) + NOT-FOR-US: WordPress plugin +CVE-2022-0175 [memory initialization issue in vrend_resource_alloc_buffer() can lead to info leak] + RESERVED + - virglrenderer <unfixed> + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2039003 + NOTE: https://gitlab.freedesktop.org/virgl/virglrenderer/-/merge_requests/654 + NOTE: Code refactored in https://gitlab.freedesktop.org/virgl/virglrenderer/-/commit/7899e057327848300b18d8f03aa3789e00ed0221 (0.9.0) + NOTE: Fixed by: https://gitlab.freedesktop.org/virgl/virglrenderer/-/commit/b05bb61f454eeb8a85164c8a31510aeb9d79129c + TODO: check if issue is present before refactoring in 0.9.0 +CVE-2022-0174 (dolibarr is vulnerable to Business Logic Errors ...) + - dolibarr <removed> +CVE-2022-0173 (radare2 is vulnerable to Out-of-bounds Read ...) + - radare2 <unfixed> + NOTE: https://huntr.dev/bounties/727d8600-88bc-4dde-8dea-ee3d192600e5 + NOTE: https://github.com/radareorg/radare2/commit/37897226a1a31f982bfefdc4aeefc2e50355c73c +CVE-2022-0172 (An issue has been discovered in GitLab CE/EE affecting all versions st ...) + - gitlab <unfixed> +CVE-2022-0171 + RESERVED +CVE-2022-0170 (peertube is vulnerable to Improper Access Control ...) + - peertube <itp> (bug #950821) +CVE-2022-0169 + RESERVED +CVE-2022-0168 + RESERVED +CVE-2022-0167 + RESERVED +CVE-2022-0166 (A privilege escalation vulnerability in the McAfee Agent prior to 5.7. ...) + NOT-FOR-US: McAfee +CVE-2022-0165 + RESERVED +CVE-2022-0164 (The Coming soon and Maintenance mode WordPress plugin before 3.6.8 doe ...) + NOT-FOR-US: WordPress plugin +CVE-2022-0163 + RESERVED +CVE-2022-0162 (The vulnerability exists in TP-Link TL-WR841N V11 3.16.9 Build 160325 ...) + NOT-FOR-US: TP-Link +CVE-2022-0161 + RESERVED +CVE-2022-0160 + RESERVED +CVE-2022-0159 (orchardcore is vulnerable to Improper Neutralization of Input During W ...) + NOT-FOR-US: orchardcore +CVE-2022-0158 (vim is vulnerable to Heap-based Buffer Overflow ...) + - vim <unfixed> + [bullseye] - vim <no-dsa> (Minor issue) + [buster] - vim <no-dsa> (Minor issue) + NOTE: https://huntr.dev/bounties/ac5d7005-07c6-4a0a-b251-ba9cdbf6738b/ + NOTE: https://github.com/vim/vim/commit/5f25c3855071bd7e26255c68bf458b1b5cf92f39 (v8.2.4049) +CVE-2022-0157 (phoronix-test-suite is vulnerable to Improper Neutralization of Input ...) + - phoronix-test-suite <removed> +CVE-2022-22848 + RESERVED +CVE-2022-22847 (Formpipe Lasernet before 9.13.3 allows file inclusion in Client Web Se ...) + NOT-FOR-US: Formpipe Lasernet +CVE-2022-22846 (The dnslib package through 0.9.16 for Python does not verify that the ...) + - python-dnslib 0.9.18-1 + [bullseye] - python-dnslib <no-dsa> (Minor issue) + [buster] - python-dnslib <no-dsa> (Minor issue) + NOTE: https://github.com/paulc/dnslib/issues/30 + NOTE: https://github.com/paulc/dnslib/commit/76e8677699ed098387d502c57980f58da642aeba +CVE-2022-22845 (QXIP SIPCAPTURE homer-app before 1.4.28 for HOMER 7.x has the same 167 ...) + NOT-FOR-US: QXIP SIPCAPTURE homer-app for HOMER +CVE-2022-22844 (LibTIFF 4.3.0 has an out-of-bounds read in _TIFFmemcpy in tif_unix.c i ...) + - tiff 4.3.0-3 + [bullseye] - tiff <no-dsa> (Minor issue) + [buster] - tiff <no-dsa> (Minor issue) + [stretch] - tiff <postponed> (Minor issue; read overflow in CLI utility) + NOTE: https://gitlab.com/libtiff/libtiff/-/issues/355 + NOTE: https://gitlab.com/libtiff/libtiff/-/merge_requests/287 + NOTE: Fixed by: https://gitlab.com/libtiff/libtiff/-/commit/03047a26952a82daaa0792957ce211e0aa51bc64 +CVE-2022-22843 + RESERVED +CVE-2022-22842 + RESERVED +CVE-2022-22841 + RESERVED +CVE-2022-22840 + RESERVED +CVE-2022-22839 + RESERVED +CVE-2022-22838 + RESERVED +CVE-2022-22837 + RESERVED +CVE-2022-22836 (CoreFTP Server before 727 allows directory traversal (for file creatio ...) + NOT-FOR-US: CoreFTP +CVE-2022-22835 + RESERVED +CVE-2022-22834 + RESERVED +CVE-2022-22833 (An issue was discovered in Servisnet Tessa 0.0.2. An attacker can obta ...) + NOT-FOR-US: Servisnet Tessa +CVE-2022-22832 (An issue was discovered in Servisnet Tessa 0.0.2. Authorization data i ...) + NOT-FOR-US: Servisnet Tessa +CVE-2022-22831 (An issue was discovered in Servisnet Tessa 0.0.2. An attacker can add ...) + NOT-FOR-US: Servisnet Tessa +CVE-2022-22830 + RESERVED +CVE-2022-22829 + RESERVED +CVE-2022-22828 (An insecure direct object reference for the file-download URL in Synam ...) + NOT-FOR-US: Synametrics +CVE-2022-0156 (vim is vulnerable to Use After Free ...) + - vim <unfixed> + [bullseye] - vim <no-dsa> (Minor issue) + [buster] - vim <no-dsa> (Minor issue) + NOTE: https://huntr.dev/bounties/47dded34-3767-4725-8c7c-9dcb68c70b36 + NOTE: https://github.com/vim/vim/commit/9f1a39a5d1cd7989ada2d1cb32f97d84360e050f (v8.2.4040) +CVE-2022-22827 (storeAtts in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an in ...) + {DSA-5073-1 DLA-2904-1} + - expat 2.4.3-1 (bug #1003474) + NOTE: https://github.com/libexpat/libexpat/pull/539 + NOTE: https://github.com/libexpat/libexpat/commit/9f93e8036e842329863bf20395b8fb8f73834d9e (R_2_4_3) +CVE-2022-22826 (nextScaffoldPart in xmlparse.c in Expat (aka libexpat) before 2.4.3 ha ...) + {DSA-5073-1 DLA-2904-1} + - expat 2.4.3-1 (bug #1003474) + NOTE: https://github.com/libexpat/libexpat/pull/539 + NOTE: https://github.com/libexpat/libexpat/commit/9f93e8036e842329863bf20395b8fb8f73834d9e (R_2_4_3) +CVE-2022-22825 (lookup in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integ ...) + {DSA-5073-1 DLA-2904-1} + - expat 2.4.3-1 (bug #1003474) + NOTE: https://github.com/libexpat/libexpat/pull/539 + NOTE: https://github.com/libexpat/libexpat/commit/9f93e8036e842329863bf20395b8fb8f73834d9e (R_2_4_3) +CVE-2022-22824 (defineAttribute in xmlparse.c in Expat (aka libexpat) before 2.4.3 has ...) + {DSA-5073-1 DLA-2904-1} + - expat 2.4.3-1 (bug #1003474) + NOTE: https://github.com/libexpat/libexpat/pull/539 + NOTE: https://github.com/libexpat/libexpat/commit/9f93e8036e842329863bf20395b8fb8f73834d9e (R_2_4_3) +CVE-2022-22823 (build_model in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an ...) + {DSA-5073-1 DLA-2904-1} + - expat 2.4.3-1 (bug #1003474) + NOTE: https://github.com/libexpat/libexpat/pull/539 + NOTE: https://github.com/libexpat/libexpat/commit/9f93e8036e842329863bf20395b8fb8f73834d9e (R_2_4_3) +CVE-2022-22822 (addBinding in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an i ...) + {DSA-5073-1 DLA-2904-1} + - expat 2.4.3-1 (bug #1003474) + NOTE: https://github.com/libexpat/libexpat/pull/539 + NOTE: https://github.com/libexpat/libexpat/commit/9f93e8036e842329863bf20395b8fb8f73834d9e (R_2_4_3) +CVE-2022-22821 (NVIDIA NeMo before 1.6.0 contains a vulnerability in ASR WebApp, in wh ...) + NOT-FOR-US: NVIDIA NeMo +CVE-2022-22820 (Due to the lack of media file checks before rendering, it was possible ...) + NOT-FOR-US: LINE +CVE-2022-22819 + RESERVED +CVE-2022-22818 (The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3 ...) + {DLA-2906-1} + - python-django 2:3.2.12-1 (bug #1004752) + [bullseye] - python-django <no-dsa> (Minor issue) + [buster] - python-django <no-dsa> (Minor issue) + NOTE: https://www.djangoproject.com/weblog/2022/feb/01/security-releases/ + NOTE: https://github.com/django/django/commit/394517f07886495efcf79f95c7ee402a9437bd68 (main) + NOTE: https://github.com/django/django/commit/01422046065d2b51f8f613409cad2c81b39487e5 (4.0.2) + NOTE: https://github.com/django/django/commit/1a1e8278c46418bde24c86a65443b0674bae65e2 (3.2.12) + NOTE: https://github.com/django/django/commit/c27a7eb9f40b64990398978152e62b6ff839c2e6 (2.2.27) +CVE-2022-22817 (PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitra ...) + {DSA-5053-1 DLA-2893-1} + - pillow 9.0.0-1 + NOTE: https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#restrict-builtins-available-to-imagemath-eval + NOTE: https://github.com/python-pillow/Pillow/commit/8531b01d6cdf0b70f256f93092caa2a5d91afc11 (9.0.0) + NOTE: Fillowup in 9.0.1: https://github.com/python-pillow/Pillow/commit/c930be0758ac02cf15a2b8d5409d50d443550581 +CVE-2022-22816 (path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read d ...) + {DSA-5053-1 DLA-2893-1} + - pillow 9.0.0-1 + NOTE: https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling + NOTE: https://github.com/python-pillow/Pillow/commit/c48271ab354db49cdbd740bc45e13be4f0f7993c (9.0.0) +CVE-2022-22815 (path_getbbox in path.c in Pillow before 9.0.0 improperly initializes I ...) + {DSA-5053-1 DLA-2893-1} + - pillow 9.0.0-1 + NOTE: https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling + NOTE: https://github.com/python-pillow/Pillow/commit/1e092419b6806495c683043ab3feb6ce264f3b9c (9.0.0) +CVE-2022-22814 + RESERVED +CVE-2022-0155 (follow-redirects is vulnerable to Exposure of Private Personal Informa ...) + - node-follow-redirects 1.14.7+~1.13.1-1 + [bullseye] - node-follow-redirects <no-dsa> (Minor issue) + [buster] - node-follow-redirects <ignored> (Minor issue, too intrusive to backport) + NOTE: https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406 + NOTE: https://github.com/follow-redirects/follow-redirects/issues/183 + NOTE: https://github.com/follow-redirects/follow-redirects/commit/8b347cbcef7c7b72a6e9be20f5710c17d6163c22 (v1.14.7) +CVE-2022-22813 (A CWE-798: Use of Hard-coded Credentials vulnerability exists. If an a ...) + NOT-FOR-US: Schneider Electric +CVE-2022-22812 (A CWE-79: Improper Neutralization of Input During Web Page Generation ...) + NOT-FOR-US: Schneider Electric +CVE-2022-22811 (A CWE-352: Cross-Site Request Forgery (CSRF) vulnerability exists that ...) + NOT-FOR-US: Schneider Electric +CVE-2022-22810 (A CWE-307: Improper Restriction of Excessive Authentication Attempts v ...) + NOT-FOR-US: Schneider Electric +CVE-2022-22809 (A CWE-306: Missing Authentication for Critical Function vulnerability ...) + NOT-FOR-US: Schneider Electric +CVE-2022-22808 (A CWE-942: Permissive Cross-domain Policy with Untrusted Domains vulne ...) + NOT-FOR-US: Schneider Electric +CVE-2022-22807 (A CWE-1021 Improper Restriction of Rendered UI Layers or Frames vulner ...) + NOT-FOR-US: Schneider Electric +CVE-2022-22806 + RESERVED +CVE-2022-22805 + RESERVED +CVE-2022-22804 (A CWE-79: Improper Neutralization of Input During Web Page Generation ...) + NOT-FOR-US: Schneider Electric +CVE-2022-22803 + RESERVED +CVE-2022-22802 + RESERVED +CVE-2022-22801 + RESERVED +CVE-2022-22800 + RESERVED +CVE-2022-22799 + RESERVED +CVE-2022-22798 + RESERVED +CVE-2022-22797 + RESERVED +CVE-2022-22796 + RESERVED +CVE-2022-22795 + RESERVED +CVE-2022-22794 + RESERVED +CVE-2022-22793 + RESERVED +CVE-2022-22792 (MobiSoft - MobiPlus User Take Over and Improper Handling of url Parame ...) + NOT-FOR-US: MobiSoft +CVE-2022-22791 (SYNEL - eharmony Authenticated Blind & Stored XSS. Inject JS code ...) + NOT-FOR-US: SYNEL +CVE-2022-22790 (SYNEL - eharmony Directory Traversal. Directory Traversal - is an atta ...) + NOT-FOR-US: SYNEL +CVE-2022-22789 (Charactell - FormStorm Enterprise Account takeover – An attacker ...) + NOT-FOR-US: Charactell - FormStorm Enterprise +CVE-2022-22788 + RESERVED +CVE-2022-22787 + RESERVED +CVE-2022-22786 + RESERVED +CVE-2022-22785 + RESERVED +CVE-2022-22784 + RESERVED +CVE-2022-22783 + RESERVED +CVE-2022-22782 + RESERVED +CVE-2022-22781 + RESERVED +CVE-2022-22780 (The Zoom Client for Meetings chat functionality was susceptible to Zip ...) + NOT-FOR-US: Zoom +CVE-2022-22779 (The Keybase Clients for macOS and Windows before version 5.9.0 fails t ...) + NOT-FOR-US: Keybase on MacOS & Windows +CVE-2022-22778 + RESERVED +CVE-2022-22777 + RESERVED +CVE-2022-22776 + RESERVED +CVE-2022-22775 + RESERVED +CVE-2022-22774 + RESERVED +CVE-2022-22773 + RESERVED +CVE-2022-22772 + RESERVED +CVE-2022-22771 + RESERVED +CVE-2022-22770 (The Web Server component of TIBCO Software Inc.'s TIBCO AuditSafe cont ...) + NOT-FOR-US: TIBCO +CVE-2022-22769 (The Web server component of TIBCO Software Inc.'s TIBCO EBX, TIBCO EBX ...) + NOT-FOR-US: TIBCO +CVE-2022-22768 + RESERVED +CVE-2022-22767 + RESERVED +CVE-2022-22766 (Hardcoded credentials are used in specific BD Pyxis products. If explo ...) + NOT-FOR-US: BD Pyxis +CVE-2022-22765 (BD Viper LT system, versions 2.0 and later, contains hardcoded credent ...) + NOT-FOR-US: BD Viper LT system +CVE-2022-22764 + RESERVED + {DSA-5074-1 DSA-5069-1 DLA-2921-1 DLA-2916-1} + - firefox 97.0-1 + - firefox-esr 91.6.0esr-1 + - thunderbird 1:91.6.0-1 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-04/#CVE-2022-22764 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-05/#CVE-2022-22764 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-06/#CVE-2022-22764 +CVE-2022-22763 + RESERVED + {DSA-5074-1 DSA-5069-1 DLA-2921-1 DLA-2916-1} + - firefox-esr 91.6.0esr-1 + - thunderbird 1:91.6.0-1 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-05/#CVE-2022-22763 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-06/#CVE-2022-22763 +CVE-2022-22762 + RESERVED + - firefox <not-affected> (Only affects Android) + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-04/#CVE-2022-22762 +CVE-2022-22761 + RESERVED + {DSA-5074-1 DSA-5069-1 DLA-2921-1 DLA-2916-1} + - firefox 97.0-1 + - firefox-esr 91.6.0esr-1 + - thunderbird 1:91.6.0-1 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-04/#CVE-2022-22761 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-05/#CVE-2022-22761 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-06/#CVE-2022-22761 +CVE-2022-22760 + RESERVED + {DSA-5074-1 DSA-5069-1 DLA-2921-1 DLA-2916-1} + - firefox 97.0-1 + - firefox-esr 91.6.0esr-1 + - thunderbird 1:91.6.0-1 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-04/#CVE-2022-22760 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-05/#CVE-2022-22760 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-06/#CVE-2022-22760 +CVE-2022-22759 + RESERVED + {DSA-5074-1 DSA-5069-1 DLA-2921-1 DLA-2916-1} + - firefox 97.0-1 + - firefox-esr 91.6.0esr-1 + - thunderbird 1:91.6.0-1 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-04/#CVE-2022-22759 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-05/#CVE-2022-22759 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-06/#CVE-2022-22759 +CVE-2022-22758 + RESERVED + - firefox <not-affected> (Only affects Android) + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-04/#CVE-2022-22758 +CVE-2022-22757 + RESERVED + - firefox <unfixed> + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-04/#CVE-2022-22757 + TODO: check if WebDriver enabled, if not demote severity to unimportant +CVE-2022-22756 + RESERVED + {DSA-5074-1 DSA-5069-1 DLA-2921-1 DLA-2916-1} + - firefox 97.0-1 + - firefox-esr 91.6.0esr-1 + - thunderbird 1:91.6.0-1 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-04/#CVE-2022-22756 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-05/#CVE-2022-22756 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-06/#CVE-2022-22756 +CVE-2022-22755 + RESERVED + - firefox 97.0-1 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-04/#CVE-2022-22755 +CVE-2022-22754 + RESERVED + {DSA-5074-1 DSA-5069-1 DLA-2921-1 DLA-2916-1} + - firefox 97.0-1 + - firefox-esr 91.6.0esr-1 + - thunderbird 1:91.6.0-1 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-04/#CVE-2022-22754 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-05/#CVE-2022-22754 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-06/#CVE-2022-22754 +CVE-2022-22753 + RESERVED + - firefox <not-affected> (Only affects Windows) + - firefox-esr <not-affected> (Only affects Windows) + - thunderbird <not-affected> (Only affects Windows) + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-04/#CVE-2022-22753 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-05/#CVE-2022-22753 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-06/#CVE-2022-22753 +CVE-2022-22752 + RESERVED + - firefox 96.0-1 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-01/#CVE-2022-22752 +CVE-2022-22751 + RESERVED + {DSA-5045-1 DSA-5044-1 DLA-2881-1 DLA-2880-1} + - firefox 96.0-1 + - firefox-esr 91.5.0esr-1 + - thunderbird 1:91.5.0-1 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-01/#CVE-2022-22751 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-02/#CVE-2022-22751 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-03/#CVE-2022-22751 +CVE-2022-22750 + RESERVED + - firefox <not-affected> (Only affects Windows and MacOS) + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-01/#CVE-2022-22750 +CVE-2022-22749 + RESERVED + - firefox <not-affected> (Only affects Android) + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-01/#CVE-2022-22749 +CVE-2022-22748 + RESERVED + {DSA-5045-1 DSA-5044-1 DLA-2881-1 DLA-2880-1} + - firefox 96.0-1 + - firefox-esr 91.5.0esr-1 + - thunderbird 1:91.5.0-1 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-01/#CVE-2022-22748 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-02/#CVE-2022-22748 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-03/#CVE-2022-22748 +CVE-2022-22747 + RESERVED + {DSA-5062-1 DSA-5045-1 DSA-5044-1 DLA-2898-1 DLA-2881-1 DLA-2880-1} + - nss 2:3.73-1 + - firefox 96.0-1 + - firefox-esr 91.5.0esr-1 + - thunderbird 1:91.5.0-1 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-01/#CVE-2022-22747 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-02/#CVE-2022-22747 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-03/#CVE-2022-22747 + NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1735028 + NOTE: https://hg.mozilla.org/projects/nss/rev/7ff99e71f3e37faed12bc3cc90a3eed27e3418d0 +CVE-2022-22746 + RESERVED + - firefox <not-affected> (Only affects Windows) + - firefox-esr <not-affected> (Only affects Windows) + - thunderbird <not-affected> (Only affects Windows) + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-01/#CVE-2022-22746 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-02/#CVE-2022-22746 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-03/#CVE-2022-22746 +CVE-2022-22745 + RESERVED + {DSA-5045-1 DSA-5044-1 DLA-2881-1 DLA-2880-1} + - firefox 96.0-1 + - firefox-esr 91.5.0esr-1 + - thunderbird 1:91.5.0-1 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-01/#CVE-2022-22745 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-02/#CVE-2022-22745 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-03/#CVE-2022-22745 +CVE-2022-22744 + RESERVED + - firefox <not-affected> (Only affects Windows) + - firefox-esr <not-affected> (Only affects Windows) + - thunderbird <not-affected> (Only affects Windows) + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-01/#CVE-2022-22744 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-02/#CVE-2022-22744 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-03/#CVE-2022-22744 +CVE-2022-22743 + RESERVED + {DSA-5045-1 DSA-5044-1 DLA-2881-1 DLA-2880-1} + - firefox 96.0-1 + - firefox-esr 91.5.0esr-1 + - thunderbird 1:91.5.0-1 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-01/#CVE-2022-22743 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-02/#CVE-2022-22743 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-03/#CVE-2022-22743 +CVE-2022-22742 + RESERVED + {DSA-5045-1 DSA-5044-1 DLA-2881-1 DLA-2880-1} + - firefox 96.0-1 + - firefox-esr 91.5.0esr-1 + - thunderbird 1:91.5.0-1 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-01/#CVE-2022-22742 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-02/#CVE-2022-22742 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-03/#CVE-2022-22742 +CVE-2022-22741 + RESERVED + {DSA-5045-1 DSA-5044-1 DLA-2881-1 DLA-2880-1} + - firefox 96.0-1 + - firefox-esr 91.5.0esr-1 + - thunderbird 1:91.5.0-1 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-01/#CVE-2022-22741 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-02/#CVE-2022-22741 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-03/#CVE-2022-22741 +CVE-2022-22740 + RESERVED + {DSA-5045-1 DSA-5044-1 DLA-2881-1 DLA-2880-1} + - firefox 96.0-1 + - firefox-esr 91.5.0esr-1 + - thunderbird 1:91.5.0-1 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-01/#CVE-2022-22740 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-02/#CVE-2022-22740 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-03/#CVE-2022-22740 +CVE-2022-22739 + RESERVED + {DSA-5045-1 DSA-5044-1 DLA-2881-1 DLA-2880-1} + - firefox 96.0-1 + - firefox-esr 91.5.0esr-1 + - thunderbird 1:91.5.0-1 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-01/#CVE-2022-22739 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-02/#CVE-2022-22739 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-03/#CVE-2022-22739 +CVE-2022-22738 + RESERVED + {DSA-5045-1 DSA-5044-1 DLA-2881-1 DLA-2880-1} + - firefox 96.0-1 + - firefox-esr 91.5.0esr-1 + - thunderbird 1:91.5.0-1 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-01/#CVE-2022-22738 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-02/#CVE-2022-22738 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-03/#CVE-2022-22738 +CVE-2022-22737 + RESERVED + {DSA-5045-1 DSA-5044-1 DLA-2881-1 DLA-2880-1} + - firefox 96.0-1 + - firefox-esr 91.5.0esr-1 + - thunderbird 1:91.5.0-1 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-01/#CVE-2022-22737 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-02/#CVE-2022-22737 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-03/#CVE-2022-22737 +CVE-2022-22736 + RESERVED + - firefox <not-affected> (Only affects Windows) + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-01/#CVE-2022-22736 +CVE-2022-22735 + RESERVED +CVE-2022-22734 + RESERVED +CVE-2022-22733 (Exposure of Sensitive Information to an Unauthorized Actor vulnerabili ...) + NOT-FOR-US: Apache ShardingSphere ElasticJob-UI +CVE-2022-0154 (An issue has been discovered in GitLab affecting all versions starting ...) + - gitlab <unfixed> +CVE-2022-0153 + RESERVED +CVE-2022-0152 (An issue has been discovered in GitLab affecting all versions starting ...) + - gitlab <unfixed> +CVE-2022-0151 (An issue has been discovered in GitLab affecting all versions starting ...) + - gitlab <unfixed> +CVE-2022-0150 + RESERVED +CVE-2022-0149 (The WooCommerce Stored Exporter WordPress plugin before 2.7.1 was affe ...) + NOT-FOR-US: WordPress plugin +CVE-2022-0148 (The All-in-one Floating Contact Form, Call, Chat, and 50+ Social Icon ...) + NOT-FOR-US: WordPress plugin +CVE-2022-0147 + RESERVED +CVE-2022-0146 + RESERVED +CVE-2022-0145 + RESERVED +CVE-2022-22732 + RESERVED +CVE-2022-22731 + RESERVED +CVE-2022-0144 (shelljs is vulnerable to Improper Privilege Management ...) + - node-shelljs 0.8.5+~cs0.8.10-1 + [bullseye] - node-shelljs <no-dsa> (Minor issue) + [buster] - node-shelljs <no-dsa> (Minor issue) + [stretch] - node-shelljs <end-of-life> (Nodejs in stretch not covered by security support) + NOTE: https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c/ + NOTE: https://github.com/shelljs/shelljs/issues/1058 + NOTE: https://github.com/shelljs/shelljs/commit/d919d22dd6de385edaa9d90313075a77f74b338c (v0.8.5) +CVE-2022-0143 + RESERVED +CVE-2022-0142 + RESERVED +CVE-2022-0141 + RESERVED +CVE-2022-0140 + RESERVED +CVE-2022-22728 + RESERVED +CVE-2022-22727 (A CWE-20: Improper Input Validation vulnerability exists that could al ...) + NOT-FOR-US: Schneider Electric +CVE-2022-22726 (A CWE-20: Improper Input Validation vulnerability exists that could al ...) + NOT-FOR-US: Schneider Electric +CVE-2022-22725 (A CWE-120: Buffer Copy without Checking Size of Input vulnerability ex ...) + NOT-FOR-US: Schneider Electric +CVE-2022-22724 (A CWE-400: Uncontrolled Resource Consumption vulnerability exists that ...) + NOT-FOR-US: Schneider Electric +CVE-2022-22723 (A CWE-120: Buffer Copy without Checking Size of Input vulnerability ex ...) + NOT-FOR-US: Schneider Electric +CVE-2022-22722 (A CWE-798: Use of Hard-coded Credentials vulnerability exists that cou ...) + NOT-FOR-US: Schneider Electric +CVE-2022-22721 + RESERVED +CVE-2022-22720 + RESERVED +CVE-2022-22719 + RESERVED +CVE-2022-22718 (Windows Print Spooler Elevation of Privilege Vulnerability. This CVE I ...) + NOT-FOR-US: Microsoft +CVE-2022-22717 (Windows Print Spooler Elevation of Privilege Vulnerability. This CVE I ...) + NOT-FOR-US: Microsoft +CVE-2022-22716 (Microsoft Excel Information Disclosure Vulnerability. ...) + NOT-FOR-US: Microsoft +CVE-2022-22715 (Named Pipe File System Elevation of Privilege Vulnerability. ...) + NOT-FOR-US: Microsoft +CVE-2022-22714 + RESERVED +CVE-2022-22713 + RESERVED +CVE-2022-22712 (Windows Hyper-V Denial of Service Vulnerability. ...) + NOT-FOR-US: Microsoft +CVE-2022-22711 + RESERVED +CVE-2022-22710 (Windows Common Log File System Driver Denial of Service Vulnerability. ...) + NOT-FOR-US: Microsoft +CVE-2022-22709 (VP9 Video Extensions Remote Code Execution Vulnerability. ...) + NOT-FOR-US: Microsoft +CVE-2022-21806 + RESERVED +CVE-2022-0139 (Use After Free in GitHub repository radareorg/radare2 prior to 5.6.0. ...) + - radare2 <unfixed> + NOTE: https://huntr.dev/bounties/3dcb6f40-45cd-403b-929f-db123fde32c0/ + NOTE: https://github.com/radareorg/radare2/commit/37897226a1a31f982bfefdc4aeefc2e50355c73c (5.6.0) +CVE-2022-0138 (MMP: All versions prior to v1.0.3, PTP C-series: Device versions prior ...) + NOT-FOR-US: Airspan Networks +CVE-2022-0137 + RESERVED +CVE-2022-0136 + RESERVED +CVE-2022-0135 [out-of-bounds write in read_transfer_data()] + RESERVED + - virglrenderer <undetermined> + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2037790 + NOTE: https://gitlab.freedesktop.org/virgl/virglrenderer/-/merge_requests/654 + NOTE: Fixed by: https://gitlab.freedesktop.org/virgl/virglrenderer/-/commit/95e581fd181b213c2ed7cdc63f2abc03eaaa77ec + TODO: Check introducing information for issue +CVE-2022-0134 (The AnyComment WordPress plugin before 0.2.18 does not have CSRF check ...) + NOT-FOR-US: WordPress plugin +CVE-2022-0133 (peertube is vulnerable to Improper Access Control ...) + - peertube <itp> (bug #950821) +CVE-2022-0132 (peertube is vulnerable to Server-Side Request Forgery (SSRF) ...) + - peertube <itp> (bug #950821) +CVE-2022-0131 (Jimoty App for Android versions prior to 3.7.42 uses a hard-coded API ...) + NOT-FOR-US: Jimoty App for Android +CVE-2022-22708 + RESERVED +CVE-2022-22707 (In lighttpd 1.4.46 through 1.4.63, the mod_extforward_Forwarded functi ...) + {DSA-5040-1} + - lighttpd 1.4.64-1 + [stretch] - lighttpd <not-affected> (Vulnerable code not present; the issue was introduced in later versions) + NOTE: https://redmine.lighttpd.net/issues/3134 + NOTE: https://github.com/lighttpd/lighttpd1.4/commit/8c62a890e23f5853b1a562b03fe3e1bccc6e7664 +CVE-2022-22706 + RESERVED +CVE-2022-22705 + RESERVED +CVE-2022-22704 (The zabbix-agent2 package before 5.4.9-r1 for Alpine Linux sometimes a ...) + NOT-FOR-US: zabbix-agent2 package for Alpine +CVE-2022-22703 (In Stormshield SSO Agent 2.x before 2.1.1 and 3.x before 3.0.2, the cl ...) + NOT-FOR-US: Stormshield SSO Agent +CVE-2022-22702 (PartKeepr versions up to v1.4.0, in the functionality to upload attach ...) + NOT-FOR-US: PartKeepr +CVE-2022-22701 (PartKeepr versions up to v1.4.0, loads attachments using a URL while c ...) + NOT-FOR-US: PartKeepr +CVE-2022-22700 + RESERVED +CVE-2022-22699 + RESERVED +CVE-2022-22698 + RESERVED +CVE-2022-22697 + RESERVED +CVE-2022-22696 + RESERVED +CVE-2022-22695 + RESERVED +CVE-2022-22694 + RESERVED +CVE-2022-22693 + RESERVED +CVE-2022-22692 + RESERVED +CVE-2022-22691 (The password reset component deployed within Umbraco uses the hostname ...) + NOT-FOR-US: Umbraco CMS +CVE-2022-22690 (Within the Umbraco CMS, a configuration element named "UmbracoApplicat ...) + NOT-FOR-US: Umbraco CMS +CVE-2022-22689 (CA Harvest Software Change Manager versions 13.0.3, 13.0.4, 14.0.0, an ...) + NOT-FOR-US: CA Harvest Software Change Manager +CVE-2022-22688 + RESERVED +CVE-2022-22687 + RESERVED +CVE-2022-22686 + RESERVED +CVE-2022-22685 + RESERVED +CVE-2022-22684 + RESERVED +CVE-2022-22683 + RESERVED +CVE-2022-22682 + RESERVED +CVE-2022-22681 + RESERVED +CVE-2022-22680 (Exposure of sensitive information to an unauthorized actor vulnerabili ...) + NOT-FOR-US: Synology +CVE-2022-22679 (Improper limitation of a pathname to a restricted directory ('Path Tra ...) + NOT-FOR-US: Synology +CVE-2022-22150 (A memory corruption vulnerability exists in the JavaScript engine of F ...) + NOT-FOR-US: Foxit +CVE-2022-0130 (Tenable.sc versions 5.14.0 through 5.19.1 were found to contain a remo ...) + NOT-FOR-US: Tenable +CVE-2022-22678 + RESERVED +CVE-2022-0129 (Uncontrolled search path element vulnerability in McAfee TechCheck pri ...) + NOT-FOR-US: McAfee +CVE-2022-0128 (vim is vulnerable to Out-of-bounds Read ...) + - vim <unfixed> + [bullseye] - vim <not-affected> (Vulnerable code introduced later) + [buster] - vim <not-affected> (Vulnerable code introduced later) + [stretch] - vim <not-affected> (Vulnerable code introduced later) + NOTE: https://huntr.dev/bounties/63f51299-008a-4112-b85b-1e904aadd4ba + NOTE: Introduced by: https://github.com/vim/vim/commit/bdc0f1c6986e5d64f647e0924a4de795b47c549a (v8.2.2806) + NOTE: Fixed by: https://github.com/vim/vim/commit/d3a117814d6acbf0dca3eff1a7626843b9b3734a (v8.2.4009) +CVE-2022-0127 + RESERVED +CVE-2022-0126 + RESERVED +CVE-2022-0125 (An issue has been discovered in GitLab affecting all versions starting ...) + - gitlab <unfixed> +CVE-2022-0124 (An issue has been discovered affecting GitLab versions prior to 14.4.5 ...) + - gitlab <unfixed> +CVE-2022-0123 + RESERVED +CVE-2022-22677 + RESERVED +CVE-2022-22676 + RESERVED +CVE-2022-22675 + RESERVED +CVE-2022-22674 + RESERVED +CVE-2022-22673 + RESERVED +CVE-2022-22672 + RESERVED +CVE-2022-22671 + RESERVED +CVE-2022-22670 + RESERVED +CVE-2022-22669 + RESERVED +CVE-2022-22668 + RESERVED +CVE-2022-22667 + RESERVED +CVE-2022-22666 + RESERVED +CVE-2022-22665 + RESERVED +CVE-2022-22664 + RESERVED +CVE-2022-22663 + RESERVED +CVE-2022-22662 + RESERVED +CVE-2022-22661 + RESERVED +CVE-2022-22660 + RESERVED +CVE-2022-22659 + RESERVED +CVE-2022-22658 + RESERVED +CVE-2022-22657 + RESERVED +CVE-2022-22656 + RESERVED +CVE-2022-22655 + RESERVED +CVE-2022-22654 + RESERVED +CVE-2022-22653 + RESERVED +CVE-2022-22652 + RESERVED +CVE-2022-22651 + RESERVED +CVE-2022-22650 + RESERVED +CVE-2022-22649 + RESERVED +CVE-2022-22648 + RESERVED +CVE-2022-22647 + RESERVED +CVE-2022-22646 + RESERVED +CVE-2022-22645 + RESERVED +CVE-2022-22644 + RESERVED +CVE-2022-22643 + RESERVED +CVE-2022-22642 + RESERVED +CVE-2022-22641 + RESERVED +CVE-2022-22640 + RESERVED +CVE-2022-22639 + RESERVED +CVE-2022-22638 + RESERVED +CVE-2022-22637 + RESERVED +CVE-2022-22636 + RESERVED +CVE-2022-22635 + RESERVED +CVE-2022-22634 + RESERVED +CVE-2022-22633 + RESERVED +CVE-2022-22632 + RESERVED +CVE-2022-22631 + RESERVED +CVE-2022-22630 + RESERVED +CVE-2022-22629 + RESERVED +CVE-2022-22628 + RESERVED +CVE-2022-22627 + RESERVED +CVE-2022-22626 + RESERVED +CVE-2022-22625 + RESERVED +CVE-2022-22624 + RESERVED +CVE-2022-22623 + RESERVED +CVE-2022-22622 + RESERVED +CVE-2022-22621 + RESERVED +CVE-2022-22620 [A use after free issue was addressed with improved memory management] + RESERVED + {DSA-5084-1 DSA-5083-1} + - webkit2gtk 2.34.6-1 + [stretch] - webkit2gtk <ignored> (Not covered by security support in stretch) + - wpewebkit 2.34.6-1 + NOTE: https://webkitgtk.org/security/WSA-2022-0003.html +CVE-2022-22619 + RESERVED +CVE-2022-22618 + RESERVED +CVE-2022-22617 + RESERVED +CVE-2022-22616 + RESERVED +CVE-2022-22615 + RESERVED +CVE-2022-22614 + RESERVED +CVE-2022-22613 + RESERVED +CVE-2022-22612 + RESERVED +CVE-2022-22611 + RESERVED +CVE-2022-22610 + RESERVED +CVE-2022-22609 + RESERVED +CVE-2022-22608 + RESERVED +CVE-2022-22607 + RESERVED +CVE-2022-22606 + RESERVED +CVE-2022-22605 + RESERVED +CVE-2022-22604 + RESERVED +CVE-2022-22603 + RESERVED +CVE-2022-22602 + RESERVED +CVE-2022-22601 + RESERVED +CVE-2022-22600 + RESERVED +CVE-2022-22599 + RESERVED +CVE-2022-22598 + RESERVED +CVE-2022-22597 + RESERVED +CVE-2022-22596 + RESERVED +CVE-2022-22595 + RESERVED +CVE-2022-22594 [A cross-origin issue in the IndexDB API was addressed with improved input validation] + RESERVED + {DSA-5061-1 DSA-5060-1} + - webkit2gtk 2.34.4-1 + [stretch] - webkit2gtk <ignored> (Not covered by security support in stretch) + - wpewebkit 2.34.4-1 + NOTE: https://webkitgtk.org/security/WSA-2022-0001.html +CVE-2022-22593 + RESERVED +CVE-2022-22591 + RESERVED +CVE-2022-22589 [A validation issue was addressed with improved input sanitization] + RESERVED + {DSA-5084-1 DSA-5083-1} + - webkit2gtk 2.34.5-1 + [stretch] - webkit2gtk <ignored> (Not covered by security support in stretch) + - wpewebkit 2.34.5-1 + NOTE: https://webkitgtk.org/security/WSA-2022-0002.html +CVE-2022-22588 + RESERVED +CVE-2022-22587 + RESERVED +CVE-2022-22586 + RESERVED +CVE-2022-22585 + RESERVED +CVE-2022-22584 + RESERVED +CVE-2022-22583 + RESERVED +CVE-2022-22582 + RESERVED +CVE-2022-22581 + RESERVED +CVE-2022-22580 + RESERVED +CVE-2022-22579 + RESERVED +CVE-2022-22578 + RESERVED +CVE-2022-22577 + RESERVED +CVE-2022-22576 + RESERVED +CVE-2022-22575 + RESERVED +CVE-2022-22574 + RESERVED +CVE-2022-22573 + RESERVED +CVE-2022-22572 + RESERVED +CVE-2022-22571 + RESERVED +CVE-2022-22570 + RESERVED +CVE-2022-22569 + RESERVED +CVE-2022-22568 + RESERVED +CVE-2022-0122 (forge is vulnerable to URL Redirection to Untrusted Site ...) + NOT-FOR-US: forge +CVE-2022-0121 (hoppscotch is vulnerable to Exposure of Sensitive Information to an Un ...) + NOT-FOR-US: hoppscotch +CVE-2022-22567 (Select Dell Client Commercial and Consumer platforms are vulnerable to ...) + NOT-FOR-US: Dell +CVE-2022-22566 (Select Dell Client Commercial and Consumer platforms contain a pre-boo ...) + NOT-FOR-US: Dell +CVE-2022-22565 + RESERVED +CVE-2022-22564 + RESERVED +CVE-2022-22563 + RESERVED +CVE-2022-22562 + RESERVED +CVE-2022-22561 + RESERVED +CVE-2022-22560 + RESERVED +CVE-2022-22559 + RESERVED +CVE-2022-22558 + RESERVED +CVE-2022-22557 + RESERVED +CVE-2022-22556 + RESERVED +CVE-2022-22555 + RESERVED +CVE-2022-22554 (Dell EMC System Update, version 1.9.2 and prior, contain an Unprotecte ...) + NOT-FOR-US: EMC +CVE-2022-22553 (Dell EMC AppSync versions 3.9 to 4.3 contain an Improper Restriction o ...) + NOT-FOR-US: EMC +CVE-2022-22552 (Dell EMC AppSync versions 3.9 to 4.3 contain a clickjacking vulnerabil ...) + NOT-FOR-US: EMC +CVE-2022-22551 (DELL EMC AppSync versions 3.9 to 4.3 use GET request method with sensi ...) + NOT-FOR-US: EMC +CVE-2022-22550 + RESERVED +CVE-2022-22549 + RESERVED +CVE-2022-22548 + RESERVED +CVE-2022-22547 + RESERVED +CVE-2022-22546 (Due to improper HTML encoding in input control summary, an authorized ...) + NOT-FOR-US: SAP +CVE-2022-22545 (A high privileged user who has access to transaction SM59 can read con ...) + NOT-FOR-US: SAP +CVE-2022-22544 (Solution Manager (Diagnostics Root Cause Analysis Tools) - version 720 ...) + NOT-FOR-US: SAP +CVE-2022-22543 (SAP NetWeaver Application Server for ABAP (Kernel) and ABAP Platform ( ...) + NOT-FOR-US: SAP +CVE-2022-22542 (S/4HANA Supplier Factsheet exposes the private address and bank detail ...) + NOT-FOR-US: SAP +CVE-2022-22541 + RESERVED +CVE-2022-22540 (SAP NetWeaver AS ABAP (Workplace Server) - versions 700, 701, 702, 731 ...) + NOT-FOR-US: SAP +CVE-2022-22539 (When a user opens a manipulated JPEG file format (.jpg, 2d.x3d) receiv ...) + NOT-FOR-US: SAP +CVE-2022-22538 (When a user opens a manipulated Adobe Illustrator file format (.ai, ai ...) + NOT-FOR-US: SAP +CVE-2022-22537 (When a user opens a manipulated Tagged Image File Format (.tiff, 2d.x3 ...) + NOT-FOR-US: SAP +CVE-2022-22536 (SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Serve ...) + NOT-FOR-US: SAP +CVE-2022-22535 (SAP ERP HCM Portugal - versions 600, 604, 608, does not perform necess ...) + NOT-FOR-US: SAP +CVE-2022-22534 (Due to insufficient encoding of user input, SAP NetWeaver allows an un ...) + NOT-FOR-US: SAP +CVE-2022-22533 (Due to improper error handling in SAP NetWeaver Application Server Jav ...) + NOT-FOR-US: SAP +CVE-2022-22532 (In SAP NetWeaver Application Server Java - versions KRNL64NUC 7.22, 7. ...) + NOT-FOR-US: SAP +CVE-2022-22531 (The F0743 Create Single Payment application of SAP S/4HANA - versions ...) + NOT-FOR-US: SAP +CVE-2022-22530 (The F0743 Create Single Payment application of SAP S/4HANA - versions ...) + NOT-FOR-US: SAP +CVE-2022-22529 (SAP Enterprise Threat Detection (ETD) - version 2.0, does not sufficie ...) + NOT-FOR-US: SAP +CVE-2022-22528 (SAP Adaptive Server Enterprise (ASE) - version 16.0, installation make ...) + NOT-FOR-US: SAP +CVE-2022-22527 + RESERVED +CVE-2022-0120 (Inappropriate implementation in Passwords in Google Chrome prior to 97 ...) + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2022-0119 + RESERVED +CVE-2022-0118 (Inappropriate implementation in WebShare in Google Chrome prior to 97. ...) + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2022-0117 (Policy bypass in Blink in Google Chrome prior to 97.0.4692.71 allowed ...) + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2022-0116 (Inappropriate implementation in Compositing in Google Chrome prior to ...) + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2022-0115 (Uninitialized use in File API in Google Chrome prior to 97.0.4692.71 a ...) + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2022-0114 (Out of bounds memory access in Blink Serial API in Google Chrome prior ...) + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2022-0113 (Inappropriate implementation in Blink in Google Chrome prior to 97.0.4 ...) + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2022-0112 (Incorrect security UI in Browser UI in Google Chrome prior to 97.0.469 ...) + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2022-0111 (Inappropriate implementation in Navigation in Google Chrome prior to 9 ...) + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2022-0110 (Incorrect security UI in Autofill in Google Chrome prior to 97.0.4692. ...) + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2022-0109 (Inappropriate implementation in Autofill in Google Chrome prior to 97. ...) + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2022-0108 (Inappropriate implementation in Navigation in Google Chrome prior to 9 ...) + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2022-0107 (Use after free in File Manager API in Google Chrome on Chrome OS prior ...) + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2022-0106 (Use after free in Autofill in Google Chrome prior to 97.0.4692.71 allo ...) + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2022-0105 (Use after free in PDF Accessibility in Google Chrome prior to 97.0.469 ...) + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2022-0104 (Heap buffer overflow in ANGLE in Google Chrome prior to 97.0.4692.71 a ...) + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2022-0103 (Use after free in SwiftShader in Google Chrome prior to 97.0.4692.71 a ...) + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2022-0102 (Type confusion in V8 in Google Chrome prior to 97.0.4692.71 allowed a ...) + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2022-0101 (Heap buffer overflow in Bookmarks in Google Chrome prior to 97.0.4692. ...) + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2022-0100 (Heap buffer overflow in Media streams API in Google Chrome prior to 97 ...) + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2022-0099 (Use after free in Sign-in in Google Chrome prior to 97.0.4692.71 allow ...) + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2022-0098 (Use after free in Screen Capture in Google Chrome on Chrome OS prior t ...) + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2022-0097 (Inappropriate implementation in DevTools in Google Chrome prior to 97. ...) + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2022-0096 (Use after free in Storage in Google Chrome prior to 97.0.4692.71 allow ...) + {DSA-5046-1} + - chromium 97.0.4692.71-0.1 + [buster] - chromium <end-of-life> (see DSA 5046) + [stretch] - chromium <end-of-life> (see DSA 4562) +CVE-2022-0095 + RESERVED +CVE-2022-0094 + RESERVED +CVE-2022-0093 (An issue has been discovered affecting GitLab versions prior to 14.4.5 ...) + - gitlab <unfixed> +CVE-2022-0092 + RESERVED +CVE-2022-0091 + RESERVED +CVE-2022-0090 (An issue has been discovered affecting GitLab versions prior to 14.4.5 ...) + - gitlab <unfixed> +CVE-2022-0089 + RESERVED +CVE-2022-0088 + RESERVED +CVE-2022-22526 + RESERVED +CVE-2022-22525 + RESERVED +CVE-2022-22524 + RESERVED +CVE-2022-22523 + RESERVED +CVE-2022-22522 + RESERVED +CVE-2022-22521 + RESERVED +CVE-2022-22520 + RESERVED +CVE-2022-22519 + RESERVED +CVE-2022-22518 + RESERVED +CVE-2022-22517 + RESERVED +CVE-2022-22516 + RESERVED +CVE-2022-22515 + RESERVED +CVE-2022-22514 + RESERVED +CVE-2022-22513 + RESERVED +CVE-2022-22512 + RESERVED +CVE-2022-22511 + RESERVED +CVE-2022-22510 (Codesys Profinet in version V4.2.0.0 is prone to null pointer derefere ...) + NOT-FOR-US: Codesys +CVE-2022-22509 (In Phoenix Contact FL SWITCH Series 2xxx in version 3.00 an incorrect ...) + NOT-FOR-US: Phoenix Contact FL SWITCH Series +CVE-2022-22508 + RESERVED +CVE-2022-22507 + RESERVED +CVE-2022-22506 + RESERVED +CVE-2022-22505 + RESERVED +CVE-2022-22504 + RESERVED +CVE-2022-22503 + RESERVED +CVE-2022-22502 + RESERVED +CVE-2022-22501 + RESERVED +CVE-2022-22500 + RESERVED +CVE-2022-22499 + RESERVED +CVE-2022-22498 + RESERVED +CVE-2022-22497 + RESERVED +CVE-2022-22496 + RESERVED +CVE-2022-22495 + RESERVED +CVE-2022-22494 + RESERVED +CVE-2022-22493 + RESERVED +CVE-2022-22492 + RESERVED +CVE-2022-22491 + RESERVED +CVE-2022-22490 + RESERVED +CVE-2022-22489 + RESERVED +CVE-2022-22488 + RESERVED +CVE-2022-22487 + RESERVED +CVE-2022-22486 + RESERVED +CVE-2022-22485 + RESERVED +CVE-2022-22484 + RESERVED +CVE-2022-22483 + RESERVED +CVE-2022-22482 + RESERVED +CVE-2022-22481 + RESERVED +CVE-2022-22480 + RESERVED +CVE-2022-22479 + RESERVED +CVE-2022-22478 + RESERVED +CVE-2022-22477 + RESERVED +CVE-2022-22476 + RESERVED +CVE-2022-22475 + RESERVED +CVE-2022-22474 + RESERVED +CVE-2022-22473 + RESERVED +CVE-2022-22472 + RESERVED +CVE-2022-22471 + RESERVED +CVE-2022-22470 + RESERVED +CVE-2022-22469 + RESERVED +CVE-2022-22468 + RESERVED +CVE-2022-22467 + RESERVED +CVE-2022-22466 + RESERVED +CVE-2022-22465 + RESERVED +CVE-2022-22464 + RESERVED +CVE-2022-22463 + RESERVED +CVE-2022-22462 + RESERVED +CVE-2022-22461 + RESERVED +CVE-2022-22460 + RESERVED +CVE-2022-22459 + RESERVED +CVE-2022-22458 + RESERVED +CVE-2022-22457 + RESERVED +CVE-2022-22456 + RESERVED +CVE-2022-22455 + RESERVED +CVE-2022-22454 + RESERVED +CVE-2022-22453 + RESERVED +CVE-2022-22452 + RESERVED +CVE-2022-22451 + RESERVED +CVE-2022-22450 + RESERVED +CVE-2022-22449 + RESERVED +CVE-2022-22448 + RESERVED +CVE-2022-22447 + RESERVED +CVE-2022-22446 + RESERVED +CVE-2022-22445 + RESERVED +CVE-2022-22444 + RESERVED +CVE-2022-22443 + RESERVED +CVE-2022-22442 + RESERVED +CVE-2022-22441 + RESERVED +CVE-2022-22440 + RESERVED +CVE-2022-22439 + RESERVED +CVE-2022-22438 + RESERVED +CVE-2022-22437 + RESERVED +CVE-2022-22436 + RESERVED +CVE-2022-22435 + RESERVED +CVE-2022-22434 + RESERVED +CVE-2022-22433 + RESERVED +CVE-2022-22432 + RESERVED +CVE-2022-22431 + RESERVED +CVE-2022-22430 + RESERVED +CVE-2022-22429 + RESERVED +CVE-2022-22428 + RESERVED +CVE-2022-22427 + RESERVED +CVE-2022-22426 + RESERVED +CVE-2022-22425 + RESERVED +CVE-2022-22424 + RESERVED +CVE-2022-22423 + RESERVED +CVE-2022-22422 + RESERVED +CVE-2022-22421 + RESERVED +CVE-2022-22420 + RESERVED +CVE-2022-22419 + RESERVED +CVE-2022-22418 + RESERVED +CVE-2022-22417 + RESERVED +CVE-2022-22416 + RESERVED +CVE-2022-22415 + RESERVED +CVE-2022-22414 + RESERVED +CVE-2022-22413 + RESERVED +CVE-2022-22412 + RESERVED +CVE-2022-22411 + RESERVED +CVE-2022-22410 + RESERVED +CVE-2022-22409 + RESERVED +CVE-2022-22408 + RESERVED +CVE-2022-22407 + RESERVED +CVE-2022-22406 + RESERVED +CVE-2022-22405 + RESERVED +CVE-2022-22404 + RESERVED +CVE-2022-22403 + RESERVED +CVE-2022-22402 + RESERVED +CVE-2022-22401 + RESERVED +CVE-2022-22400 + RESERVED +CVE-2022-22399 + RESERVED +CVE-2022-22398 + RESERVED +CVE-2022-22397 + RESERVED +CVE-2022-22396 + RESERVED +CVE-2022-22395 + RESERVED +CVE-2022-22394 + RESERVED +CVE-2022-22393 + RESERVED +CVE-2022-22392 + RESERVED +CVE-2022-22391 + RESERVED +CVE-2022-22390 + RESERVED +CVE-2022-22389 + RESERVED +CVE-2022-22388 + RESERVED +CVE-2022-22387 + RESERVED +CVE-2022-22386 + RESERVED +CVE-2022-22385 + RESERVED +CVE-2022-22384 + RESERVED +CVE-2022-22383 + RESERVED +CVE-2022-22382 + RESERVED +CVE-2022-22381 + RESERVED +CVE-2022-22380 + RESERVED +CVE-2022-22379 + RESERVED +CVE-2022-22378 + RESERVED +CVE-2022-22377 + RESERVED +CVE-2022-22376 + RESERVED +CVE-2022-22375 + RESERVED +CVE-2022-22374 + RESERVED +CVE-2022-22373 + RESERVED +CVE-2022-22372 + RESERVED +CVE-2022-22371 + RESERVED +CVE-2022-22370 + RESERVED +CVE-2022-22369 + RESERVED +CVE-2022-22368 + RESERVED +CVE-2022-22367 + RESERVED +CVE-2022-22366 + RESERVED +CVE-2022-22365 + RESERVED +CVE-2022-22364 + RESERVED +CVE-2022-22363 + RESERVED +CVE-2022-22362 + RESERVED +CVE-2022-22361 + RESERVED +CVE-2022-22360 + RESERVED +CVE-2022-22359 + RESERVED +CVE-2022-22358 + RESERVED +CVE-2022-22357 + RESERVED +CVE-2022-22356 + RESERVED +CVE-2022-22355 + RESERVED +CVE-2022-22354 + RESERVED +CVE-2022-22353 + RESERVED +CVE-2022-22352 + RESERVED +CVE-2022-22351 + RESERVED +CVE-2022-22350 + RESERVED +CVE-2022-22349 + RESERVED +CVE-2022-22348 + RESERVED +CVE-2022-22347 + RESERVED +CVE-2022-22346 + RESERVED +CVE-2022-22345 + RESERVED +CVE-2022-22344 + RESERVED +CVE-2022-22343 + RESERVED +CVE-2022-22342 + RESERVED +CVE-2022-22341 + RESERVED +CVE-2022-22340 + RESERVED +CVE-2022-22339 + RESERVED +CVE-2022-22338 + RESERVED +CVE-2022-22337 + RESERVED +CVE-2022-22336 + RESERVED +CVE-2022-22335 + RESERVED +CVE-2022-22334 + RESERVED +CVE-2022-22333 + RESERVED +CVE-2022-22332 + RESERVED +CVE-2022-22331 + RESERVED +CVE-2022-22330 + RESERVED +CVE-2022-22329 + RESERVED +CVE-2022-22328 + RESERVED +CVE-2022-22327 + RESERVED +CVE-2022-22326 + RESERVED +CVE-2022-22325 + RESERVED +CVE-2022-22324 + RESERVED +CVE-2022-22323 + RESERVED +CVE-2022-22322 + RESERVED +CVE-2022-22321 + RESERVED +CVE-2022-22320 + RESERVED +CVE-2022-22319 + RESERVED +CVE-2022-22318 + RESERVED +CVE-2022-22317 + RESERVED +CVE-2022-22316 + RESERVED +CVE-2022-22315 + RESERVED +CVE-2022-22314 + RESERVED +CVE-2022-22313 + RESERVED +CVE-2022-22312 + RESERVED +CVE-2022-22311 + RESERVED +CVE-2022-22310 (IBM WebSphere Application Server Liberty 21.0.0.10 through 21.0.0.12 c ...) + NOT-FOR-US: IBM +CVE-2022-22309 + RESERVED +CVE-2022-22308 (IBM Planning Analytics 2.0 is vulnerable to a Remote File Include (RFI ...) + TODO: check +CVE-2022-22307 + RESERVED +CVE-2022-0087 (keystone is vulnerable to Improper Neutralization of Input During Web ...) + NOT-FOR-US: KeystoneJS +CVE-2022-22306 + RESERVED +CVE-2022-22305 + RESERVED +CVE-2022-22304 + RESERVED +CVE-2022-22303 + RESERVED +CVE-2022-22302 + RESERVED +CVE-2022-22301 + RESERVED +CVE-2022-22300 + RESERVED +CVE-2022-22299 + RESERVED +CVE-2022-22298 + RESERVED +CVE-2022-22297 + RESERVED +CVE-2022-22296 (Sourcecodester Hospital's Patient Records Management System 1.0 is vul ...) + NOT-FOR-US: Sourcecodester +CVE-2022-22295 (Metinfo v7.5.0 was discovered to contain a SQL injection vulnerability ...) + NOT-FOR-US: Metinfo +CVE-2022-22294 (A SQL injection vulnerability exists in ZFAKA<=1.43 which an attack ...) + NOT-FOR-US: zfaka +CVE-2022-0086 (uppy is vulnerable to Server-Side Request Forgery (SSRF) ...) + NOT-FOR-US: Node uppy +CVE-2022-0085 + RESERVED +CVE-2022-0084 + RESERVED +CVE-2022-0083 (livehelperchat is vulnerable to Generation of Error Message Containing ...) + NOT-FOR-US: livehelperchat +CVE-2022-0082 + RESERVED +CVE-2022-22293 (admin/limits.php in Dolibarr 7.0.2 allows HTML injection, as demonstra ...) + - dolibarr <removed> +CVE-2022-0081 + RESERVED +CVE-2022-0080 (mruby is vulnerable to Heap-based Buffer Overflow ...) + - mruby 3.0.0-3 + [bullseye] - mruby <no-dsa> (Minor issue) + [buster] - mruby <no-dsa> (Minor issue) + [stretch] - mruby <no-dsa> (Minor issue) + NOTE: https://huntr.dev/bounties/59a70392-4864-4ce3-8e35-6ac2111d1e2e/ + NOTE: https://github.com/mruby/mruby/commit/28ccc664e5dcd3f9d55173e9afde77c4705a9ab6 +CVE-2022-0079 (showdoc is vulnerable to Generation of Error Message Containing Sensit ...) + NOT-FOR-US: ShowDoc +CVE-2022-0078 + RESERVED +CVE-2022-22292 (Unprotected dynamic receiver in Telecom prior to SMR Feb-2022 Release ...) + NOT-FOR-US: Samsung +CVE-2022-22291 (Logging of excessive data vulnerability in telephony prior to SMR Feb- ...) + NOT-FOR-US: Samsung +CVE-2022-22290 (Incorrect download source UI in Downloads in Samsung Internet prior to ...) + NOT-FOR-US: Samsung +CVE-2022-22289 (Improper access control vulnerability in S Assistant prior to version ...) + NOT-FOR-US: Samsung +CVE-2022-22288 (Improper authorization vulnerability in Galaxy Store prior to 4.5.36.5 ...) + NOT-FOR-US: Samsung +CVE-2022-22287 (Abitrary file access vulnerability in Samsung Email prior to 6.1.60.16 ...) + NOT-FOR-US: Samsung +CVE-2022-22286 (A vulnerability using PendingIntent in Bixby Routines prior to version ...) + NOT-FOR-US: Samsung +CVE-2022-22285 (A vulnerability using PendingIntent in Reminder prior to version 12.2. ...) + NOT-FOR-US: Samsung +CVE-2022-22284 (Improper authentication vulnerability in Samsung Internet prior to 16. ...) + NOT-FOR-US: Samsung +CVE-2022-22283 (Improper session management vulnerability in Samsung Health prior to 6 ...) + NOT-FOR-US: Samsung +CVE-2022-22282 + RESERVED +CVE-2022-22281 + RESERVED +CVE-2022-22280 + RESERVED +CVE-2022-22279 + RESERVED +CVE-2022-22278 + RESERVED +CVE-2022-22277 + RESERVED +CVE-2022-22276 + RESERVED +CVE-2022-22275 + RESERVED +CVE-2022-22274 + RESERVED +CVE-2022-22273 + RESERVED +CVE-2022-22272 (Improper authorization in TelephonyManager prior to SMR Jan-2022 Relea ...) + NOT-FOR-US: Samsung +CVE-2022-22271 (A missing input validation before memory copy in TIMA trustlet prior t ...) + NOT-FOR-US: Samsung +CVE-2022-22270 (An implicit Intent hijacking vulnerability in Dialer prior to SMR Jan- ...) + NOT-FOR-US: Samsung +CVE-2022-22269 (Keeping sensitive data in unprotected BluetoothSettingsProvider prior ...) + NOT-FOR-US: Samsung +CVE-2022-22268 (Incorrect implementation of Knox Guard prior to SMR Jan-2022 Release 1 ...) + NOT-FOR-US: Samsung +CVE-2022-22267 (Implicit Intent hijacking vulnerability in ActivityMetricsLogger prior ...) + NOT-FOR-US: Samsung +CVE-2022-22266 ((Applicable to China models only) Unprotected WifiEvaluationService in ...) + NOT-FOR-US: Samsung +CVE-2022-22265 (An improper check or handling of exceptional conditions in NPU driver ...) + NOT-FOR-US: Samsung +CVE-2022-22264 (Improper sanitization of incoming intent in Dressroom prior to SMR Jan ...) + NOT-FOR-US: Samsung +CVE-2022-22263 (Unprotected dynamic receiver in SecSettings prior to SMR Jan-2022 Rele ...) + NOT-FOR-US: Samsung +CVE-2022-22262 + RESERVED +CVE-2022-0077 + RESERVED +CVE-2022-0076 + RESERVED +CVE-2022-0075 + RESERVED +CVE-2022-0074 + RESERVED +CVE-2022-0073 + RESERVED +CVE-2022-0072 + RESERVED +CVE-2022-0071 + RESERVED +CVE-2022-0070 + RESERVED +CVE-2022-0069 + RESERVED +CVE-2022-0068 + RESERVED +CVE-2022-0067 + RESERVED +CVE-2022-0066 + RESERVED +CVE-2022-0065 + RESERVED +CVE-2022-0064 + RESERVED +CVE-2022-0063 + RESERVED +CVE-2022-0062 + RESERVED +CVE-2022-0061 + RESERVED +CVE-2022-0060 + RESERVED +CVE-2022-0059 + RESERVED +CVE-2022-0058 + RESERVED +CVE-2022-0057 + RESERVED +CVE-2022-0056 + RESERVED +CVE-2022-0055 + RESERVED +CVE-2022-0054 + RESERVED +CVE-2022-0053 + RESERVED +CVE-2022-0052 + RESERVED +CVE-2022-0051 + RESERVED +CVE-2022-0050 + RESERVED +CVE-2022-0049 + RESERVED +CVE-2022-0048 + RESERVED +CVE-2022-0047 + RESERVED +CVE-2022-0046 + RESERVED +CVE-2022-0045 + RESERVED +CVE-2022-0044 + RESERVED +CVE-2022-0043 + RESERVED +CVE-2022-0042 + RESERVED +CVE-2022-0041 + RESERVED +CVE-2022-0040 + RESERVED +CVE-2022-0039 + RESERVED +CVE-2022-0038 + RESERVED +CVE-2022-0037 + RESERVED +CVE-2022-0036 + RESERVED +CVE-2022-0035 + RESERVED +CVE-2022-0034 + RESERVED +CVE-2022-0033 + RESERVED +CVE-2022-0032 + RESERVED +CVE-2022-0031 + RESERVED +CVE-2022-0030 + RESERVED +CVE-2022-0029 + RESERVED +CVE-2022-0028 + RESERVED +CVE-2022-0027 + RESERVED +CVE-2022-0026 + RESERVED +CVE-2022-0025 + RESERVED +CVE-2022-0024 + RESERVED +CVE-2022-0023 + RESERVED +CVE-2022-0022 + RESERVED +CVE-2022-0021 (An information exposure through log file vulnerability exists in the P ...) + NOT-FOR-US: Palo Alto Networks +CVE-2022-0020 (A stored cross-site scripting (XSS) vulnerability in Palo Alto Network ...) + NOT-FOR-US: Palo Alto Networks +CVE-2022-0019 (An insufficiently protected credentials vulnerability exists in the Pa ...) + NOT-FOR-US: Palo Alto Networks +CVE-2022-0018 (An information exposure vulnerability exists in the Palo Alto Networks ...) + NOT-FOR-US: Palo Alto Networks +CVE-2022-0017 (An improper link resolution before file access ('link following') vuln ...) + NOT-FOR-US: Palo Alto Networks +CVE-2022-0016 (An improper handling of exceptional conditions vulnerability exists wi ...) + NOT-FOR-US: Palo Alto Networks +CVE-2022-0015 (A local privilege escalation (PE) vulnerability exists in the Palo Alt ...) + NOT-FOR-US: Palo Alto Networks +CVE-2022-0014 (An untrusted search path vulnerability exists in the Palo Alto Network ...) + NOT-FOR-US: Palo Alto Networks +CVE-2022-0013 (A file information exposure vulnerability exists in the Palo Alto Netw ...) + NOT-FOR-US: Palo Alto Networks +CVE-2022-0012 (An improper link resolution before file access vulnerability exists in ...) + NOT-FOR-US: Palo Alto Networks +CVE-2022-0011 (PAN-OS software provides options to exclude specific websites from URL ...) + NOT-FOR-US: Palo Alto Networks +CVE-2022-22261 + RESERVED +CVE-2022-22260 + RESERVED +CVE-2022-22259 + RESERVED +CVE-2022-22258 + RESERVED +CVE-2022-22257 + RESERVED +CVE-2022-22256 + RESERVED +CVE-2022-22255 + RESERVED +CVE-2022-22254 + RESERVED +CVE-2022-22253 + RESERVED +CVE-2022-22252 + RESERVED +CVE-2022-22251 + RESERVED +CVE-2022-22250 + RESERVED +CVE-2022-22249 + RESERVED +CVE-2022-22248 + RESERVED +CVE-2022-22247 + RESERVED +CVE-2022-22246 + RESERVED +CVE-2022-22245 + RESERVED +CVE-2022-22244 + RESERVED +CVE-2022-22243 + RESERVED +CVE-2022-22242 + RESERVED +CVE-2022-22241 + RESERVED +CVE-2022-22240 + RESERVED +CVE-2022-22239 + RESERVED +CVE-2022-22238 + RESERVED +CVE-2022-22237 + RESERVED +CVE-2022-22236 + RESERVED +CVE-2022-22235 + RESERVED +CVE-2022-22234 + RESERVED +CVE-2022-22233 + RESERVED +CVE-2022-22232 + RESERVED +CVE-2022-22231 + RESERVED +CVE-2022-22230 + RESERVED +CVE-2022-22229 + RESERVED +CVE-2022-22228 + RESERVED +CVE-2022-22227 + RESERVED +CVE-2022-22226 + RESERVED +CVE-2022-22225 + RESERVED +CVE-2022-22224 + RESERVED +CVE-2022-22223 + RESERVED +CVE-2022-22222 + RESERVED +CVE-2022-22221 + RESERVED +CVE-2022-22220 + RESERVED +CVE-2022-22219 + RESERVED +CVE-2022-22218 + RESERVED +CVE-2022-22217 + RESERVED +CVE-2022-22216 + RESERVED +CVE-2022-22215 + RESERVED +CVE-2022-22214 + RESERVED +CVE-2022-22213 + RESERVED +CVE-2022-22212 + RESERVED +CVE-2022-22211 + RESERVED +CVE-2022-22210 + RESERVED +CVE-2022-22209 + RESERVED +CVE-2022-22208 + RESERVED +CVE-2022-22207 + RESERVED +CVE-2022-22206 + RESERVED +CVE-2022-22205 + RESERVED +CVE-2022-22204 + RESERVED +CVE-2022-22203 + RESERVED +CVE-2022-22202 + RESERVED +CVE-2022-22201 + RESERVED +CVE-2022-22200 + RESERVED +CVE-2022-22199 + RESERVED +CVE-2022-22198 + RESERVED +CVE-2022-22197 + RESERVED +CVE-2022-22196 + RESERVED +CVE-2022-22195 + RESERVED +CVE-2022-22194 + RESERVED +CVE-2022-22193 + RESERVED +CVE-2022-22192 + RESERVED +CVE-2022-22191 + RESERVED +CVE-2022-22190 + RESERVED +CVE-2022-22189 + RESERVED +CVE-2022-22188 + RESERVED +CVE-2022-22187 + RESERVED +CVE-2022-22186 + RESERVED +CVE-2022-22185 + RESERVED +CVE-2022-22184 + RESERVED +CVE-2022-22183 + RESERVED +CVE-2022-22182 + RESERVED +CVE-2022-22181 + RESERVED +CVE-2022-22180 (An Improper Check for Unusual or Exceptional Conditions vulnerability ...) + NOT-FOR-US: Juniper +CVE-2022-22179 (A Improper Validation of Specified Index, Position, or Offset in Input ...) + NOT-FOR-US: Juniper +CVE-2022-22178 (A Stack-based Buffer Overflow vulnerability in the flow processing dae ...) + NOT-FOR-US: Juniper +CVE-2022-22177 (A release of illegal memory vulnerability in the snmpd daemon of Junip ...) + NOT-FOR-US: Juniper +CVE-2022-22176 (An Improper Validation of Syntactic Correctness of Input vulnerability ...) + NOT-FOR-US: Juniper +CVE-2022-22175 (An Improper Locking vulnerability in the SIP ALG of Juniper Networks J ...) + NOT-FOR-US: Juniper +CVE-2022-22174 (A vulnerability in the processing of inbound IPv6 packets in Juniper N ...) + NOT-FOR-US: Juniper +CVE-2022-22173 (A Missing Release of Memory after Effective Lifetime vulnerability in ...) + NOT-FOR-US: Juniper +CVE-2022-22172 (A Missing Release of Memory after Effective Lifetime vulnerability in ...) + NOT-FOR-US: Juniper +CVE-2022-22171 (An Improper Check for Unusual or Exceptional Conditions vulnerability ...) + NOT-FOR-US: Juniper +CVE-2022-22170 (A Missing Release of Resource after Effective Lifetime vulnerability i ...) + NOT-FOR-US: Juniper +CVE-2022-22169 (An Improper Initialization vulnerability in the routing protocol daemo ...) + NOT-FOR-US: Juniper +CVE-2022-22168 (An Improper Validation of Specified Type of Input vulnerability in the ...) + NOT-FOR-US: Juniper +CVE-2022-22167 (A traffic classification vulnerability in Juniper Networks Junos OS on ...) + NOT-FOR-US: Juniper +CVE-2022-22166 (An Improper Validation of Specified Quantity in Input vulnerability in ...) + NOT-FOR-US: Juniper +CVE-2022-22165 + RESERVED +CVE-2022-22164 (An Improper Initialization vulnerability in Juniper Networks Junos OS ...) + NOT-FOR-US: Juniper +CVE-2022-22163 (An Improper Input Validation vulnerability in the Juniper DHCP daemon ...) + NOT-FOR-US: Juniper +CVE-2022-22162 (A Generation of Error Message Containing Sensitive Information vulnera ...) + NOT-FOR-US: Juniper +CVE-2022-22161 (An Uncontrolled Resource Consumption vulnerability in the kernel of Ju ...) + NOT-FOR-US: Juniper +CVE-2022-22160 (An Unchecked Error Condition vulnerability in the subscriber managemen ...) + NOT-FOR-US: Juniper +CVE-2022-22159 (A vulnerability in the NETISR network queue functionality of Juniper N ...) + NOT-FOR-US: Juniper +CVE-2022-22158 + RESERVED +CVE-2022-22157 (A traffic classification vulnerability in Juniper Networks Junos OS on ...) + NOT-FOR-US: Juniper +CVE-2022-22156 (An Improper Certificate Validation weakness in the Juniper Networks Ju ...) + NOT-FOR-US: Juniper +CVE-2022-22155 (An Uncontrolled Resource Consumption vulnerability in the handling of ...) + NOT-FOR-US: Juniper +CVE-2022-22154 (In a Junos Fusion scenario an External Control of Critical State Data ...) + NOT-FOR-US: Juniper +CVE-2022-22153 (An Insufficient Algorithmic Complexity combined with an Allocation of ...) + NOT-FOR-US: Juniper +CVE-2022-22152 (A Protection Mechanism Failure vulnerability in the REST API of Junipe ...) + NOT-FOR-US: Juniper +CVE-2022-21800 (MMP: All versions prior to v1.0.3, PTP C-series: Device versions prior ...) + NOT-FOR-US: Airspan Networks +CVE-2022-21215 (This vulnerability could allow an attacker to force the server to crea ...) + NOT-FOR-US: Airspan Networks +CVE-2022-21196 (MMP: All versions prior to v1.0.3, PTP C-series: Device versions prior ...) + NOT-FOR-US: Airspan Networks +CVE-2022-21155 + RESERVED +CVE-2022-21137 (Omron CX-One Versions 4.60 and prior are vulnerable to a stack-based b ...) + NOT-FOR-US: Omron CX-One +CVE-2022-22136 + RESERVED +CVE-2022-22135 + RESERVED +CVE-2022-22134 + RESERVED +CVE-2022-22133 + RESERVED +CVE-2022-22132 + RESERVED +CVE-2022-22131 + RESERVED +CVE-2022-22130 + RESERVED +CVE-2022-22129 + RESERVED +CVE-2022-22128 + RESERVED +CVE-2022-22127 + RESERVED +CVE-2022-22126 (Openmct versions 1.3.0 to 1.7.7 are vulnerable against stored XSS via ...) + NOT-FOR-US: Openmct +CVE-2022-22125 (In Halo, versions v1.0.0 to v1.4.17 (latest) are vulnerable to Stored ...) + NOT-FOR-US: Halo +CVE-2022-22124 (In Halo, versions v1.0.0 to v1.4.17 (latest) are vulnerable to Stored ...) + NOT-FOR-US: Halo +CVE-2022-22123 (In Halo, versions v1.0.0 to v1.4.17 (latest) are vulnerable to Stored ...) + NOT-FOR-US: Halo +CVE-2022-22122 + REJECTED +CVE-2022-22121 (In NocoDB, versions 0.81.0 through 0.83.8 are affected by CSV Injectio ...) + NOT-FOR-US: NocoDB +CVE-2022-22120 (In NocoDB, versions 0.9 to 0.83.8 are vulnerable to Observable Discrep ...) + NOT-FOR-US: NocoDB +CVE-2022-22119 + RESERVED +CVE-2022-22118 + RESERVED +CVE-2022-22117 (In Directus, versions 9.0.0-alpha.4 through 9.4.1 allow unrestricted f ...) + NOT-FOR-US: Directus +CVE-2022-22116 (In Directus, versions 9.0.0-alpha.4 through 9.4.1 are vulnerable to st ...) + NOT-FOR-US: Directus +CVE-2022-22115 (In Teedy, versions v1.5 through v1.9 are vulnerable to Stored Cross-Si ...) + NOT-FOR-US: Teedy +CVE-2022-22114 (In Teedy, versions v1.5 through v1.9 are vulnerable to Reflected Cross ...) + NOT-FOR-US: Teedy +CVE-2022-22113 (In DayByDay CRM, versions 2.2.0 through 2.2.1 (latest) are vulnerable ...) + NOT-FOR-US: DayByDay CRM +CVE-2022-22112 (In DayByDay CRM, versions 1.1 through 2.2.1 (latest) suffer from an ap ...) + NOT-FOR-US: DayByDay CRM +CVE-2022-22111 (In DayByDay CRM, version 2.2.0 is vulnerable to missing authorization. ...) + NOT-FOR-US: DayByDay CRM +CVE-2022-22110 (In Daybyday CRM, versions 1.1 through 2.2.0 enforce weak password requ ...) + NOT-FOR-US: DayByDay CRM +CVE-2022-22109 (In Daybyday CRM, version 2.2.0 is vulnerable to Stored Cross-Site Scri ...) + NOT-FOR-US: DayByDay CRM +CVE-2022-22108 (In Daybyday CRM, versions 2.0.0 through 2.2.0 are vulnerable to Missin ...) + NOT-FOR-US: DayByDay CRM +CVE-2022-22107 (In Daybyday CRM, versions 2.0.0 through 2.2.0 are vulnerable to Missin ...) + NOT-FOR-US: DayByDay CRM +CVE-2022-22106 + RESERVED +CVE-2022-22105 + RESERVED +CVE-2022-22104 + RESERVED +CVE-2022-22103 + RESERVED +CVE-2022-22102 + RESERVED +CVE-2022-22101 + RESERVED +CVE-2022-22100 + RESERVED +CVE-2022-22099 + RESERVED +CVE-2022-22098 + RESERVED +CVE-2022-22097 + RESERVED +CVE-2022-22096 + RESERVED +CVE-2022-22095 + RESERVED +CVE-2022-22094 + RESERVED +CVE-2022-22093 + RESERVED +CVE-2022-22092 + RESERVED +CVE-2022-22091 + RESERVED +CVE-2022-22090 + RESERVED +CVE-2022-22089 + RESERVED +CVE-2022-22088 + RESERVED +CVE-2022-22087 + RESERVED +CVE-2022-22086 + RESERVED +CVE-2022-22085 + RESERVED +CVE-2022-22084 + RESERVED +CVE-2022-22083 + RESERVED +CVE-2022-22082 + RESERVED +CVE-2022-22081 + RESERVED +CVE-2022-22080 + RESERVED +CVE-2022-22079 + RESERVED +CVE-2022-22078 + RESERVED +CVE-2022-22077 + RESERVED +CVE-2022-22076 + RESERVED +CVE-2022-22075 + RESERVED +CVE-2022-22074 + RESERVED +CVE-2022-22073 + RESERVED +CVE-2022-22072 + RESERVED +CVE-2022-22071 + RESERVED +CVE-2022-22070 + RESERVED +CVE-2022-22069 + RESERVED +CVE-2022-22068 + RESERVED +CVE-2022-22067 + RESERVED +CVE-2022-22066 + RESERVED +CVE-2022-22065 + RESERVED +CVE-2022-22064 + RESERVED +CVE-2022-22063 + RESERVED +CVE-2022-22062 + RESERVED +CVE-2022-22061 + RESERVED +CVE-2022-22060 + RESERVED +CVE-2022-22059 + RESERVED +CVE-2022-22058 + RESERVED +CVE-2022-22057 + RESERVED +CVE-2022-22056 (The Le-yan dental management system contains a hard-coded credentials ...) + NOT-FOR-US: Le-yan dental management system +CVE-2022-22055 (The Le-yan dental management system contains an SQL-injection vulnerab ...) + NOT-FOR-US: Le-yan dental management system +CVE-2022-22054 (ASUS RT-AX56U’s login function contains a path traversal vulnera ...) + NOT-FOR-US: ASUS +CVE-2022-22053 + RESERVED +CVE-2022-22052 + RESERVED +CVE-2022-22051 + RESERVED +CVE-2022-22050 + RESERVED +CVE-2022-22049 + RESERVED +CVE-2022-22048 + RESERVED +CVE-2022-22047 + RESERVED +CVE-2022-22046 + RESERVED +CVE-2022-22045 + RESERVED +CVE-2022-22044 + RESERVED +CVE-2022-22043 + RESERVED +CVE-2022-22042 + RESERVED +CVE-2022-22041 + RESERVED +CVE-2022-22040 + RESERVED +CVE-2022-22039 + RESERVED +CVE-2022-22038 + RESERVED +CVE-2022-22037 + RESERVED +CVE-2022-22036 + RESERVED +CVE-2022-22035 + RESERVED +CVE-2022-22034 + RESERVED +CVE-2022-22033 + RESERVED +CVE-2022-22032 + RESERVED +CVE-2022-22031 + RESERVED +CVE-2022-22030 + RESERVED +CVE-2022-22029 + RESERVED +CVE-2022-22028 + RESERVED +CVE-2022-22027 + RESERVED +CVE-2022-22026 + RESERVED +CVE-2022-22025 + RESERVED +CVE-2022-22024 + RESERVED +CVE-2022-22023 + RESERVED +CVE-2022-22022 + RESERVED +CVE-2022-22021 + RESERVED +CVE-2022-22020 + RESERVED +CVE-2022-22019 + RESERVED +CVE-2022-22018 + RESERVED +CVE-2022-22017 + RESERVED +CVE-2022-22016 + RESERVED +CVE-2022-22015 + RESERVED +CVE-2022-22014 + RESERVED +CVE-2022-22013 + RESERVED +CVE-2022-22012 + RESERVED +CVE-2022-22011 + RESERVED +CVE-2022-22010 + RESERVED +CVE-2022-22009 + RESERVED +CVE-2022-22008 + RESERVED +CVE-2022-22007 + RESERVED +CVE-2022-22006 + RESERVED +CVE-2022-22005 (Microsoft SharePoint Server Remote Code Execution Vulnerability. ...) + NOT-FOR-US: Microsoft +CVE-2022-22004 (Microsoft Office ClickToRun Remote Code Execution Vulnerability. ...) + NOT-FOR-US: Microsoft +CVE-2022-22003 (Microsoft Office Graphics Remote Code Execution Vulnerability. ...) + NOT-FOR-US: Microsoft +CVE-2022-22002 (Windows User Account Profile Picture Denial of Service Vulnerability. ...) + NOT-FOR-US: Microsoft +CVE-2022-22001 (Windows Remote Access Connection Manager Elevation of Privilege Vulner ...) + NOT-FOR-US: Microsoft +CVE-2022-22000 (Windows Common Log File System Driver Elevation of Privilege Vulnerabi ...) + NOT-FOR-US: Microsoft +CVE-2022-21999 (Windows Print Spooler Elevation of Privilege Vulnerability. This CVE I ...) + NOT-FOR-US: Microsoft +CVE-2022-21998 (Windows Common Log File System Driver Information Disclosure Vulnerabi ...) + NOT-FOR-US: Microsoft +CVE-2022-21997 (Windows Print Spooler Elevation of Privilege Vulnerability. This CVE I ...) + NOT-FOR-US: Microsoft +CVE-2022-21996 (Win32k Elevation of Privilege Vulnerability. ...) + NOT-FOR-US: Microsoft +CVE-2022-21995 (Windows Hyper-V Remote Code Execution Vulnerability. ...) + NOT-FOR-US: Microsoft +CVE-2022-21994 (Windows DWM Core Library Elevation of Privilege Vulnerability. ...) + NOT-FOR-US: Microsoft +CVE-2022-21993 (Windows Services for NFS ONCRPC XDR Driver Information Disclosure Vuln ...) + NOT-FOR-US: Microsoft +CVE-2022-21992 (Windows Mobile Device Management Remote Code Execution Vulnerability. ...) + NOT-FOR-US: Microsoft +CVE-2022-21991 (Visual Studio Code Remote Development Extension Remote Code Execution ...) + NOT-FOR-US: Microsoft +CVE-2022-21990 + RESERVED +CVE-2022-21989 (Windows Kernel Elevation of Privilege Vulnerability. ...) + NOT-FOR-US: Microsoft +CVE-2022-21988 (Microsoft Office Visio Remote Code Execution Vulnerability. ...) + NOT-FOR-US: Microsoft +CVE-2022-21987 (Microsoft SharePoint Server Spoofing Vulnerability. ...) + NOT-FOR-US: Microsoft +CVE-2022-21986 (.NET Denial of Service Vulnerability. ...) + NOT-FOR-US: Microsoft .NET +CVE-2022-21985 (Windows Remote Access Connection Manager Information Disclosure Vulner ...) + NOT-FOR-US: Microsoft +CVE-2022-21984 (Windows DNS Server Remote Code Execution Vulnerability. ...) + NOT-FOR-US: Microsoft +CVE-2022-21983 + RESERVED +CVE-2022-21982 + RESERVED +CVE-2022-21981 (Windows Common Log File System Driver Elevation of Privilege Vulnerabi ...) + NOT-FOR-US: Microsoft +CVE-2022-21980 + RESERVED +CVE-2022-21979 + RESERVED +CVE-2022-21978 + RESERVED +CVE-2022-21977 + RESERVED +CVE-2022-21976 + RESERVED +CVE-2022-21975 + RESERVED +CVE-2022-21974 (Roaming Security Rights Management Services Remote Code Execution Vuln ...) + NOT-FOR-US: Microsoft +CVE-2022-21973 + RESERVED +CVE-2022-21972 + RESERVED +CVE-2022-21971 (Windows Runtime Remote Code Execution Vulnerability. ...) + NOT-FOR-US: Microsoft +CVE-2022-21970 (Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability. ...) + NOT-FOR-US: Microsoft +CVE-2022-21969 (Microsoft Exchange Server Remote Code Execution Vulnerability. This CV ...) + NOT-FOR-US: Microsoft +CVE-2022-21968 (Microsoft SharePoint Server Security Feature BypassVulnerability. ...) + NOT-FOR-US: Microsoft +CVE-2022-21967 + RESERVED +CVE-2022-21966 + RESERVED +CVE-2022-21965 (Microsoft Teams Denial of Service Vulnerability. ...) + NOT-FOR-US: Microsoft +CVE-2022-21964 (Remote Desktop Licensing Diagnoser Information Disclosure Vulnerabilit ...) + NOT-FOR-US: Microsoft +CVE-2022-21963 (Windows Resilient File System (ReFS) Remote Code Execution Vulnerabili ...) + NOT-FOR-US: Microsoft +CVE-2022-21962 (Windows Resilient File System (ReFS) Remote Code Execution Vulnerabili ...) + NOT-FOR-US: Microsoft +CVE-2022-21961 (Windows Resilient File System (ReFS) Remote Code Execution Vulnerabili ...) + NOT-FOR-US: Microsoft +CVE-2022-21960 (Windows Resilient File System (ReFS) Remote Code Execution Vulnerabili ...) + NOT-FOR-US: Microsoft +CVE-2022-21959 (Windows Resilient File System (ReFS) Remote Code Execution Vulnerabili ...) + NOT-FOR-US: Microsoft +CVE-2022-21958 (Windows Resilient File System (ReFS) Remote Code Execution Vulnerabili ...) + NOT-FOR-US: Microsoft +CVE-2022-21957 (Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerabili ...) + NOT-FOR-US: Microsoft +CVE-2022-21956 + RESERVED +CVE-2022-21955 + RESERVED +CVE-2022-21954 (Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability. ...) + NOT-FOR-US: Microsoft +CVE-2022-21953 + RESERVED +CVE-2022-21952 + RESERVED +CVE-2022-21951 + RESERVED +CVE-2022-21950 + RESERVED +CVE-2022-21949 + RESERVED +CVE-2022-21948 + RESERVED +CVE-2022-21947 + RESERVED +CVE-2022-21946 + RESERVED +CVE-2022-21945 + RESERVED +CVE-2022-21944 (A UNIX Symbolic Link (Symlink) Following vulnerability in the systemd ...) + NOT-FOR-US: SUSE packaging issue in watchman +CVE-2022-21943 + RESERVED +CVE-2022-21942 + RESERVED +CVE-2022-21941 + RESERVED +CVE-2022-21940 + RESERVED +CVE-2022-21939 + RESERVED +CVE-2022-21938 + RESERVED +CVE-2022-21937 + RESERVED +CVE-2022-21936 + RESERVED +CVE-2022-21935 + RESERVED +CVE-2022-21934 + RESERVED +CVE-2022-21933 (ASUS VivoMini/Mini PC device has an improper input validation vulnerab ...) + NOT-FOR-US: ASUS +CVE-2022-21932 (Microsoft Dynamics 365 Customer Engagement Cross-Site Scripting Vulner ...) + NOT-FOR-US: Microsoft +CVE-2022-21931 (Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability. T ...) + NOT-FOR-US: Microsoft +CVE-2022-21930 (Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability. T ...) + NOT-FOR-US: Microsoft +CVE-2022-21929 (Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability. T ...) + NOT-FOR-US: Microsoft +CVE-2022-21928 (Windows Resilient File System (ReFS) Remote Code Execution Vulnerabili ...) + NOT-FOR-US: Microsoft +CVE-2022-21927 (HEVC Video Extensions Remote Code Execution Vulnerability. This CVE ID ...) + NOT-FOR-US: Microsoft +CVE-2022-21926 (HEVC Video Extensions Remote Code Execution Vulnerability. This CVE ID ...) + NOT-FOR-US: Microsoft +CVE-2022-21925 (Windows BackupKey Remote Protocol Security Feature Bypass Vulnerabilit ...) + NOT-FOR-US: Microsoft +CVE-2022-21924 (Workstation Service Remote Protocol Security Feature Bypass Vulnerabil ...) + NOT-FOR-US: Microsoft +CVE-2022-21923 + RESERVED +CVE-2022-21922 (Remote Procedure Call Runtime Remote Code Execution Vulnerability. ...) + NOT-FOR-US: Microsoft +CVE-2022-21921 (Windows Defender Credential Guard Security Feature Bypass Vulnerabilit ...) + NOT-FOR-US: Microsoft +CVE-2022-21920 (Windows Kerberos Elevation of Privilege Vulnerability. ...) + NOT-FOR-US: Microsoft +CVE-2022-21919 (Windows User Profile Service Elevation of Privilege Vulnerability. Thi ...) + NOT-FOR-US: Microsoft +CVE-2022-21918 (DirectX Graphics Kernel File Denial of Service Vulnerability. ...) + NOT-FOR-US: Microsoft +CVE-2022-21917 (HEVC Video Extensions Remote Code Execution Vulnerability. ...) + NOT-FOR-US: Microsoft +CVE-2022-21916 (Windows Common Log File System Driver Elevation of Privilege Vulnerabi ...) + NOT-FOR-US: Microsoft +CVE-2022-21915 (Windows GDI+ Information Disclosure Vulnerability. This CVE ID is uniq ...) + NOT-FOR-US: Microsoft +CVE-2022-21914 (Windows Remote Access Connection Manager Elevation of Privilege Vulner ...) + NOT-FOR-US: Microsoft +CVE-2022-21913 (Local Security Authority (Domain Policy) Remote Protocol Security Feat ...) + NOT-FOR-US: Microsoft +CVE-2022-21912 (DirectX Graphics Kernel Remote Code Execution Vulnerability. This CVE ...) + NOT-FOR-US: Microsoft +CVE-2022-21911 (.NET Framework Denial of Service Vulnerability. ...) + NOT-FOR-US: Microsoft .NET +CVE-2022-21910 (Microsoft Cluster Port Driver Elevation of Privilege Vulnerability. ...) + NOT-FOR-US: Microsoft +CVE-2022-21909 + RESERVED +CVE-2022-21908 (Windows Installer Elevation of Privilege Vulnerability. ...) + NOT-FOR-US: Microsoft +CVE-2022-21907 (HTTP Protocol Stack Remote Code Execution Vulnerability. ...) + NOT-FOR-US: Microsoft +CVE-2022-21906 (Windows Defender Application Control Security Feature Bypass Vulnerabi ...) + NOT-FOR-US: Microsoft +CVE-2022-21905 (Windows Hyper-V Security Feature Bypass Vulnerability. This CVE ID is ...) + NOT-FOR-US: Microsoft +CVE-2022-21904 (Windows GDI Information Disclosure Vulnerability. ...) + NOT-FOR-US: Microsoft +CVE-2022-21903 (Windows GDI Elevation of Privilege Vulnerability. ...) + NOT-FOR-US: Microsoft +CVE-2022-21902 (Windows DWM Core Library Elevation of Privilege Vulnerability. This CV ...) + NOT-FOR-US: Microsoft +CVE-2022-21901 (Windows Hyper-V Elevation of Privilege Vulnerability. ...) + NOT-FOR-US: Microsoft +CVE-2022-21900 (Windows Hyper-V Security Feature Bypass Vulnerability. This CVE ID is ...) + NOT-FOR-US: Microsoft +CVE-2022-21899 (Windows Extensible Firmware Interface Security Feature Bypass Vulnerab ...) + NOT-FOR-US: Microsoft +CVE-2022-21898 (DirectX Graphics Kernel Remote Code Execution Vulnerability. This CVE ...) + NOT-FOR-US: Microsoft +CVE-2022-21897 (Windows Common Log File System Driver Elevation of Privilege Vulnerabi ...) + NOT-FOR-US: Microsoft +CVE-2022-21896 (Windows DWM Core Library Elevation of Privilege Vulnerability. This CV ...) + NOT-FOR-US: Microsoft +CVE-2022-21895 (Windows User Profile Service Elevation of Privilege Vulnerability. Thi ...) + NOT-FOR-US: Microsoft +CVE-2022-21894 (Secure Boot Security Feature Bypass Vulnerability. ...) + NOT-FOR-US: Microsoft +CVE-2022-21893 (Remote Desktop Protocol Remote Code Execution Vulnerability. ...) + NOT-FOR-US: Microsoft +CVE-2022-21892 (Windows Resilient File System (ReFS) Remote Code Execution Vulnerabili ...) + NOT-FOR-US: Microsoft +CVE-2022-21891 (Microsoft Dynamics 365 (on-premises) Spoofing Vulnerability. ...) + NOT-FOR-US: Microsoft +CVE-2022-21890 (Windows IKE Extension Denial of Service Vulnerability. This CVE ID is ...) + NOT-FOR-US: Microsoft +CVE-2022-21889 (Windows IKE Extension Denial of Service Vulnerability. This CVE ID is ...) + NOT-FOR-US: Microsoft +CVE-2022-21888 (Windows Modern Execution Server Remote Code Execution Vulnerability. ...) + NOT-FOR-US: Microsoft +CVE-2022-21887 (Win32k Elevation of Privilege Vulnerability. This CVE ID is unique fro ...) + NOT-FOR-US: Microsoft +CVE-2022-21886 + RESERVED +CVE-2022-21885 (Windows Remote Access Connection Manager Elevation of Privilege Vulner ...) + NOT-FOR-US: Microsoft +CVE-2022-21884 (Local Security Authority Subsystem Service Elevation of Privilege Vuln ...) + NOT-FOR-US: Microsoft +CVE-2022-21883 (Windows IKE Extension Denial of Service Vulnerability. This CVE ID is ...) + NOT-FOR-US: Microsoft +CVE-2022-21882 (Win32k Elevation of Privilege Vulnerability. This CVE ID is unique fro ...) + NOT-FOR-US: Microsoft +CVE-2022-21881 (Windows Kernel Elevation of Privilege Vulnerability. This CVE ID is un ...) + NOT-FOR-US: Microsoft +CVE-2022-21880 (Windows GDI+ Information Disclosure Vulnerability. This CVE ID is uniq ...) + NOT-FOR-US: Microsoft +CVE-2022-21879 (Windows Kernel Elevation of Privilege Vulnerability. This CVE ID is un ...) + NOT-FOR-US: Microsoft +CVE-2022-21878 (Windows Geolocation Service Remote Code Execution Vulnerability. ...) + NOT-FOR-US: Microsoft +CVE-2022-21877 (Storage Spaces Controller Information Disclosure Vulnerability. ...) + NOT-FOR-US: Microsoft +CVE-2022-21876 (Win32k Information Disclosure Vulnerability. ...) + NOT-FOR-US: Microsoft +CVE-2022-21875 (Windows Storage Elevation of Privilege Vulnerability. ...) + NOT-FOR-US: Microsoft +CVE-2022-21874 (Windows Security Center API Remote Code Execution Vulnerability. ...) + NOT-FOR-US: Microsoft +CVE-2022-21873 (Tile Data Repository Elevation of Privilege Vulnerability. ...) + NOT-FOR-US: Microsoft +CVE-2022-21872 (Windows Event Tracing Elevation of Privilege Vulnerability. ...) + NOT-FOR-US: Microsoft +CVE-2022-21871 (Microsoft Diagnostics Hub Standard Collector Runtime Elevation of Priv ...) + NOT-FOR-US: Microsoft +CVE-2022-21870 (Tablet Windows User Interface Application Core Elevation of Privilege ...) + NOT-FOR-US: Microsoft +CVE-2022-21869 (Clipboard User Service Elevation of Privilege Vulnerability. ...) + NOT-FOR-US: Microsoft +CVE-2022-21868 (Windows Devices Human Interface Elevation of Privilege Vulnerability. ...) + NOT-FOR-US: Microsoft +CVE-2022-21867 (Windows Push Notifications Apps Elevation Of Privilege Vulnerability. ...) + NOT-FOR-US: Microsoft +CVE-2022-21866 (Windows System Launcher Elevation of Privilege Vulnerability. ...) + NOT-FOR-US: Microsoft +CVE-2022-21865 (Connected Devices Platform Service Elevation of Privilege Vulnerabilit ...) + NOT-FOR-US: Microsoft +CVE-2022-21864 (Windows UI Immersive Server API Elevation of Privilege Vulnerability. ...) + NOT-FOR-US: Microsoft +CVE-2022-21863 (Windows StateRepository API Server file Elevation of Privilege Vulnera ...) + NOT-FOR-US: Microsoft +CVE-2022-21862 (Windows Application Model Core API Elevation of Privilege Vulnerabilit ...) + NOT-FOR-US: Microsoft +CVE-2022-21861 (Task Flow Data Engine Elevation of Privilege Vulnerability. ...) + NOT-FOR-US: Microsoft +CVE-2022-21860 (Windows AppContracts API Server Elevation of Privilege Vulnerability. ...) + NOT-FOR-US: Microsoft +CVE-2022-21859 (Windows Accounts Control Elevation of Privilege Vulnerability. ...) + NOT-FOR-US: Microsoft +CVE-2022-21858 (Windows Bind Filter Driver Elevation of Privilege Vulnerability. ...) + NOT-FOR-US: Microsoft +CVE-2022-21857 (Active Directory Domain Services Elevation of Privilege Vulnerability. ...) + NOT-FOR-US: Microsoft +CVE-2022-21856 + RESERVED +CVE-2022-21855 (Microsoft Exchange Server Remote Code Execution Vulnerability. This CV ...) + NOT-FOR-US: Microsoft +CVE-2022-21854 + RESERVED +CVE-2022-21853 + RESERVED +CVE-2022-21852 (Windows DWM Core Library Elevation of Privilege Vulnerability. This CV ...) + NOT-FOR-US: Microsoft +CVE-2022-21851 (Remote Desktop Client Remote Code Execution Vulnerability. This CVE ID ...) + NOT-FOR-US: Microsoft +CVE-2022-21850 (Remote Desktop Client Remote Code Execution Vulnerability. This CVE ID ...) + NOT-FOR-US: Microsoft +CVE-2022-21849 (Windows IKE Extension Remote Code Execution Vulnerability. ...) + NOT-FOR-US: Microsoft +CVE-2022-21848 (Windows IKE Extension Denial of Service Vulnerability. This CVE ID is ...) + NOT-FOR-US: Microsoft +CVE-2022-21847 (Windows Hyper-V Denial of Service Vulnerability. ...) + NOT-FOR-US: Microsoft +CVE-2022-21846 (Microsoft Exchange Server Remote Code Execution Vulnerability. This CV ...) + NOT-FOR-US: Microsoft +CVE-2022-21845 + RESERVED +CVE-2022-21844 (HEVC Video Extensions Remote Code Execution Vulnerability. This CVE ID ...) + NOT-FOR-US: Microsoft +CVE-2022-21843 (Windows IKE Extension Denial of Service Vulnerability. This CVE ID is ...) + NOT-FOR-US: Microsoft +CVE-2022-21842 (Microsoft Word Remote Code Execution Vulnerability. ...) + NOT-FOR-US: Microsoft +CVE-2022-21841 (Microsoft Excel Remote Code Execution Vulnerability. ...) + NOT-FOR-US: Microsoft +CVE-2022-21840 (Microsoft Office Remote Code Execution Vulnerability. ...) + NOT-FOR-US: Microsoft +CVE-2022-21839 (Windows Event Tracing Discretionary Access Control List Denial of Serv ...) + NOT-FOR-US: Microsoft +CVE-2022-21838 (Windows Cleanup Manager Elevation of Privilege Vulnerability. ...) + NOT-FOR-US: Microsoft +CVE-2022-21837 (Microsoft SharePoint Server Remote Code Execution Vulnerability. ...) + NOT-FOR-US: Microsoft +CVE-2022-21836 (Windows Certificate Spoofing Vulnerability. ...) + NOT-FOR-US: Microsoft +CVE-2022-21835 (Microsoft Cryptographic Services Elevation of Privilege Vulnerability. ...) + NOT-FOR-US: Microsoft +CVE-2022-21834 (Windows User-mode Driver Framework Reflector Driver Elevation of Privi ...) + NOT-FOR-US: Microsoft +CVE-2022-21833 (Virtual Machine IDE Drive Elevation of Privilege Vulnerability. ...) + NOT-FOR-US: Microsoft +CVE-2022-0010 + RESERVED +CVE-2022-21832 + RESERVED +CVE-2022-21831 + RESERVED +CVE-2022-21830 + RESERVED +CVE-2022-21829 + RESERVED +CVE-2022-21828 + RESERVED +CVE-2022-21827 + RESERVED +CVE-2022-21826 + RESERVED +CVE-2022-21825 (An Improper Access Control vulnerability exists in Citrix Workspace Ap ...) + NOT-FOR-US: Citrix +CVE-2022-21823 (A insecure storage of sensitive information vulnerability exists in Iv ...) + NOT-FOR-US: Ivanti +CVE-2022-21822 + RESERVED +CVE-2022-21821 + RESERVED +CVE-2022-21820 + RESERVED +CVE-2022-21819 + RESERVED +CVE-2022-21818 (NVIDIA License System contains a vulnerability in the installation scr ...) + NOT-FOR-US: NVIDIA License System +CVE-2022-21817 (NVIDIA Omniverse Launcher contains a Cross-Origin Resource Sharing (CO ...) + NOT-FOR-US: NVIDIA +CVE-2022-21816 (NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manag ...) + NOT-FOR-US: NVIDIA vGPU software +CVE-2022-21815 (NVIDIA GPU Display Driver for Windows contains a vulnerability in the ...) + NOT-FOR-US: NVIDIA GPU Display Driver for Windows +CVE-2022-21814 (NVIDIA GPU Display Driver for Linux contains a vulnerability in the ke ...) + - nvidia-graphics-drivers 470.103.01-1 (bug #1004847) + [bullseye] - nvidia-graphics-drivers <no-dsa> (Non-free not supported) + [buster] - nvidia-graphics-drivers <no-dsa> (Non-free not supported) + - nvidia-graphics-drivers-legacy-340xx <unfixed> (bug #1004848) + [buster] - nvidia-graphics-drivers-legacy-340xx <ignored> (Non-free not supported, no updates provided by Nvidia anymore) + [stretch] - nvidia-graphics-drivers-legacy-340xx <ignored> (Non-free not supported, no updates provided by Nvidia anymore) + - nvidia-graphics-drivers-legacy-390xx <unfixed> (bug #1004849) + [bullseye] - nvidia-graphics-drivers-legacy-390xx <no-dsa> (Non-free not supported) + [buster] - nvidia-graphics-drivers-legacy-390xx <no-dsa> (Non-free not supported) + - nvidia-graphics-drivers-tesla-470 470.103.01-1 (bug #1004853) + - nvidia-graphics-drivers-tesla-460 <unfixed> (bug #1004852) + [bullseye] - nvidia-graphics-drivers-tesla-460 <no-dsa> (Non-free not supported) + - nvidia-graphics-drivers-tesla-450 450.172.01-1 (bug #1004851) + [bullseye] - nvidia-graphics-drivers-tesla-450 <no-dsa> (Non-free not supported) + - nvidia-graphics-drivers-tesla-418 <unfixed> (bug #1004850) + [bullseye] - nvidia-graphics-drivers-tesla-418 <no-dsa> (Non-free not supported) +CVE-2022-21813 (NVIDIA GPU Display Driver for Linux contains a vulnerability in the ke ...) + - nvidia-graphics-drivers 470.103.01-1 (bug #1004847) + [bullseye] - nvidia-graphics-drivers <no-dsa> (Non-free not supported) + [buster] - nvidia-graphics-drivers <no-dsa> (Non-free not supported) + - nvidia-graphics-drivers-legacy-340xx <unfixed> (bug #1004848) + [buster] - nvidia-graphics-drivers-legacy-340xx <ignored> (Non-free not supported, no updates provided by Nvidia anymore) + [stretch] - nvidia-graphics-drivers-legacy-340xx <ignored> (Non-free not supported, no updates provided by Nvidia anymore) + - nvidia-graphics-drivers-legacy-390xx <unfixed> (bug #1004849) + [bullseye] - nvidia-graphics-drivers-legacy-390xx <no-dsa> (Non-free not supported) + [buster] - nvidia-graphics-drivers-legacy-390xx <no-dsa> (Non-free not supported) + - nvidia-graphics-drivers-tesla-470 470.103.01-1 (bug #1004853) + - nvidia-graphics-drivers-tesla-460 <unfixed> (bug #1004852) + [bullseye] - nvidia-graphics-drivers-tesla-460 <no-dsa> (Non-free not supported) + - nvidia-graphics-drivers-tesla-450 450.172.01-1 (bug #1004851) + [bullseye] - nvidia-graphics-drivers-tesla-450 <no-dsa> (Non-free not supported) + - nvidia-graphics-drivers-tesla-418 <unfixed> (bug #1004850) + [bullseye] - nvidia-graphics-drivers-tesla-418 <no-dsa> (Non-free not supported) +CVE-2022-21812 + RESERVED +CVE-2022-21804 + RESERVED +CVE-2022-21794 + RESERVED +CVE-2022-21793 + RESERVED +CVE-2022-21239 + RESERVED +CVE-2022-21229 + RESERVED +CVE-2022-21226 (Out-of-bounds read in the Intel(R) Trace Analyzer and Collector before ...) + NOT-FOR-US: Intel +CVE-2022-21206 + RESERVED +CVE-2022-21188 + RESERVED +CVE-2022-21185 + RESERVED +CVE-2022-21175 + RESERVED +CVE-2022-21171 + RESERVED +CVE-2022-21163 + RESERVED +CVE-2022-21162 + RESERVED +CVE-2022-21161 + RESERVED +CVE-2022-21156 (Access of uninitialized pointer in the Intel(R) Trace Analyzer and Col ...) + NOT-FOR-US: Intel +CVE-2022-21152 + RESERVED +CVE-2022-21150 + RESERVED +CVE-2022-21148 + RESERVED +CVE-2022-21135 + RESERVED +CVE-2022-21824 [Prototype pollution via console.table properties] + RESERVED + - nodejs <unfixed> (bug #1004177) + [stretch] - nodejs <end-of-life> (Nodejs in stretch not covered by security support) + NOTE: https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/#prototype-pollution-via-console-table-properties-low-cve-2022-21824 + NOTE: https://github.com/nodejs/node/commit/be69403528da99bf3df9e1dc47186f18ba59cb5e (v12.x) +CVE-2022-21240 + RESERVED +CVE-2022-21237 + RESERVED +CVE-2022-21218 (Uncaught exception in the Intel(R) Trace Analyzer and Collector before ...) + NOT-FOR-US: Intel +CVE-2022-21212 + RESERVED +CVE-2022-21197 + RESERVED +CVE-2022-21172 + RESERVED +CVE-2022-21160 + RESERVED +CVE-2022-21140 + RESERVED +CVE-2022-21139 + RESERVED +CVE-2022-21133 (Out-of-bounds read in the Intel(R) Trace Analyzer and Collector before ...) + NOT-FOR-US: Intel +CVE-2022-21792 + RESERVED +CVE-2022-21791 + RESERVED +CVE-2022-21790 + RESERVED +CVE-2022-21789 + RESERVED +CVE-2022-21788 + RESERVED +CVE-2022-21787 + RESERVED +CVE-2022-21786 + RESERVED +CVE-2022-21785 + RESERVED +CVE-2022-21784 + RESERVED +CVE-2022-21783 + RESERVED +CVE-2022-21782 + RESERVED +CVE-2022-21781 + RESERVED +CVE-2022-21780 + RESERVED +CVE-2022-21779 + RESERVED +CVE-2022-21778 + RESERVED +CVE-2022-21777 + RESERVED +CVE-2022-21776 + RESERVED +CVE-2022-21775 + RESERVED +CVE-2022-21774 + RESERVED +CVE-2022-21773 + RESERVED +CVE-2022-21772 + RESERVED +CVE-2022-21771 + RESERVED +CVE-2022-21770 + RESERVED +CVE-2022-21769 + RESERVED +CVE-2022-21768 + RESERVED +CVE-2022-21767 + RESERVED +CVE-2022-21766 + RESERVED +CVE-2022-21765 + RESERVED +CVE-2022-21764 + RESERVED +CVE-2022-21763 + RESERVED +CVE-2022-21762 + RESERVED +CVE-2022-21761 + RESERVED +CVE-2022-21760 + RESERVED +CVE-2022-21759 + RESERVED +CVE-2022-21758 + RESERVED +CVE-2022-21757 + RESERVED +CVE-2022-21756 + RESERVED +CVE-2022-21755 + RESERVED +CVE-2022-21754 + RESERVED +CVE-2022-21753 + RESERVED +CVE-2022-21752 + RESERVED +CVE-2022-21751 + RESERVED +CVE-2022-21750 + RESERVED +CVE-2022-21749 + RESERVED +CVE-2022-21748 + RESERVED +CVE-2022-21747 + RESERVED +CVE-2022-21746 + RESERVED +CVE-2022-21745 + RESERVED +CVE-2022-21744 + RESERVED +CVE-2022-21743 + RESERVED +CVE-2022-0009 + RESERVED +CVE-2022-0008 + RESERVED +CVE-2022-0007 + RESERVED +CVE-2022-0006 + RESERVED +CVE-2022-21742 + RESERVED +CVE-2022-21741 (Tensorflow is an Open Source Machine Learning Framework. ### Impact An ...) + - tensorflow <itp> (bug #804612) +CVE-2022-21740 (Tensorflow is an Open Source Machine Learning Framework. The implement ...) + - tensorflow <itp> (bug #804612) +CVE-2022-21739 (Tensorflow is an Open Source Machine Learning Framework. The implement ...) + - tensorflow <itp> (bug #804612) +CVE-2022-21738 (Tensorflow is an Open Source Machine Learning Framework. The implement ...) + - tensorflow <itp> (bug #804612) +CVE-2022-21737 (Tensorflow is an Open Source Machine Learning Framework. The implement ...) + - tensorflow <itp> (bug #804612) +CVE-2022-21736 (Tensorflow is an Open Source Machine Learning Framework. The implement ...) + - tensorflow <itp> (bug #804612) +CVE-2022-21735 (Tensorflow is an Open Source Machine Learning Framework. The implement ...) + - tensorflow <itp> (bug #804612) +CVE-2022-21734 (Tensorflow is an Open Source Machine Learning Framework. The implement ...) + - tensorflow <itp> (bug #804612) +CVE-2022-21733 (Tensorflow is an Open Source Machine Learning Framework. The implement ...) + - tensorflow <itp> (bug #804612) +CVE-2022-21732 (Tensorflow is an Open Source Machine Learning Framework. The implement ...) + - tensorflow <itp> (bug #804612) +CVE-2022-21731 (Tensorflow is an Open Source Machine Learning Framework. The implement ...) + - tensorflow <itp> (bug #804612) +CVE-2022-21730 (Tensorflow is an Open Source Machine Learning Framework. The implement ...) + - tensorflow <itp> (bug #804612) +CVE-2022-21729 (Tensorflow is an Open Source Machine Learning Framework. The implement ...) + - tensorflow <itp> (bug #804612) +CVE-2022-21728 (Tensorflow is an Open Source Machine Learning Framework. The implement ...) + - tensorflow <itp> (bug #804612) +CVE-2022-21727 (Tensorflow is an Open Source Machine Learning Framework. The implement ...) + - tensorflow <itp> (bug #804612) +CVE-2022-21726 (Tensorflow is an Open Source Machine Learning Framework. The implement ...) + - tensorflow <itp> (bug #804612) +CVE-2022-21725 (Tensorflow is an Open Source Machine Learning Framework. The estimator ...) + - tensorflow <itp> (bug #804612) +CVE-2022-21724 (pgjdbc is the offical PostgreSQL JDBC Driver. A security hole was foun ...) + - libpgjava 42.3.2-1 + NOTE: https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-v7wg-cpwc-24m4 + NOTE: https://github.com/pgjdbc/pgjdbc/commit/f4d0ed69c0b3aae8531d83d6af4c57f22312c813 (REL42.3.2) +CVE-2022-21723 (PJSIP is a free and open source multimedia communication library writt ...) + - asterisk <unfixed> + - pjproject <removed> + - ring <unfixed> + [stretch] - ring <not-affected> (Vulnerable code not present) + NOTE: https://github.com/pjsip/pjproject/security/advisories/GHSA-7fw8-54cv-r7pm + NOTE: https://github.com/pjsip/pjproject/commit/077b465c33f0aec05a49cd2ca456f9a1b112e896 +CVE-2022-21722 (PJSIP is a free and open source multimedia communication library writt ...) + - asterisk <unfixed> + - pjproject <removed> + - ring <unfixed> + NOTE: https://github.com/pjsip/pjproject/security/advisories/GHSA-m66q-q64c-hv36 + NOTE: https://github.com/pjsip/pjproject/commit/22af44e68a0c7d190ac1e25075e1382f77e9397a +CVE-2022-21721 (Next.js is a React framework. Starting with version 12.0.0 and prior t ...) + TODO: check +CVE-2022-21720 (GLPI is a free asset and IT management software package. Prior to vers ...) + - glpi <removed> (unimportant) + NOTE: Only supported behind an authenticated HTTP zone +CVE-2022-21719 (GLPI is a free asset and IT management software package. All GLPI vers ...) + - glpi <removed> (unimportant) + NOTE: Only supported behind an authenticated HTTP zone +CVE-2022-21718 + RESERVED +CVE-2022-21717 + RESERVED +CVE-2022-21716 + RESERVED +CVE-2022-21715 (CodeIgniter4 is the 4.x branch of CodeIgniter, a PHP full-stack web fr ...) + - codeigniter <itp> (bug #471583) +CVE-2022-21714 + RESERVED +CVE-2022-21713 (Grafana is an open-source platform for monitoring and observability. A ...) + - grafana <removed> +CVE-2022-21712 (twisted is an event-driven networking engine written in Python. In aff ...) + {DLA-2927-1} + - twisted 22.1.0-1 + [bullseye] - twisted <no-dsa> (Minor issue) + [buster] - twisted <no-dsa> (Minor issue) + NOTE: https://github.com/twisted/twisted/security/advisories/GHSA-92x2-jw7w-xvvx + NOTE: https://github.com/twisted/twisted/commit/af8fe78542a6f2bf2235ccee8158d9c88d31e8e2 (twisted-22.1.0rc1) +CVE-2022-21711 (elfspirit is an ELF static analysis and injection framework that parse ...) + NOT-FOR-US: elfspirit +CVE-2022-21710 (ShortDescription is a MediaWiki extension that provides local short de ...) + NOT-FOR-US: ShortDescription MediaWiki extension +CVE-2022-21709 + RESERVED +CVE-2022-21708 (graphql-go is a GraphQL server with a focus on ease of use. In version ...) + - golang-github-graph-gophers-graphql-go 1.3.0-1 + NOTE: https://github.com/graph-gophers/graphql-go/commit/eae31ca73eb3473c544710955d1dbebc22605bfe (v1.3.0) + NOTE: https://github.com/graph-gophers/graphql-go/security/advisories/GHSA-mh3m-8c74-74xh + NOTE: https://github.com/graph-gophers/graphql-go/pull/492 +CVE-2022-21707 (wasmCloud Host Runtime is a server process that securely hosts and pro ...) + NOT-FOR-US: wasmCloud Host Runtime +CVE-2022-21706 + RESERVED +CVE-2022-21705 + RESERVED +CVE-2022-21704 (log4js-node is a port of log4js to node.js. In affected versions defau ...) + - node-log4js 6.4.1+~cs8.3.5-1 + [bullseye] - node-log4js <no-dsa> (Minor issue) + [buster] - node-log4js <no-dsa> (Minor issue) + [stretch] - node-log4js <end-of-life> (Nodejs in stretch not covered by security support) + NOTE: https://github.com/log4js-node/log4js-node/pull/1141 (v6.4.1) + NOTE: https://github.com/log4js-node/streamroller/pull/87 + NOTE: https://github.com/log4js-node/log4js-node/security/advisories/GHSA-82v2-mx6x-wq7q + NOTE: https://github.com/log4js-node/log4js-node/blob/v6.4.0/CHANGELOG.md#640 +CVE-2022-21703 (Grafana is an open-source platform for monitoring and observability. A ...) + - grafana <removed> +CVE-2022-21702 (Grafana is an open-source platform for monitoring and observability. I ...) + - grafana <removed> +CVE-2022-21701 (Istio is an open platform to connect, manage, and secure microservices ...) + NOT-FOR-US: Istio +CVE-2022-21700 (Micronaut is a JVM-based, full stack Java framework designed for build ...) + NOT-FOR-US: Micronaut +CVE-2022-21699 (IPython (Interactive Python) is a command shell for interactive comput ...) + {DSA-5065-1 DLA-2896-1} + - ipython 7.31.1-1 (bug #1004122) + NOTE: https://github.com/ipython/ipython/security/advisories/GHSA-pq7m-3gw7-gq5x + NOTE: Fixed by: https://github.com/ipython/ipython/commit/1ec91ebf328bdf3450130de4b4604c79dc1e19d9 + NOTE: Testcase: https://github.com/ipython/ipython/commit/56665dfcf7df8690da46aab1278df8e47b14fe3b + NOTE: https://ipython.readthedocs.io/en/stable/whatsnew/version8.html#ipython-8-0-1-cve-2022-21699 +CVE-2022-21698 (client_golang is the instrumentation library for Go applications in Pr ...) + - golang-github-prometheus-client-golang <unfixed> + NOTE: https://github.com/prometheus/client_golang/security/advisories/GHSA-cg3q-j54f-5p7p + NOTE: https://github.com/prometheus/client_golang/pull/962 + NOTE: https://github.com/prometheus/client_golang/pull/987 +CVE-2022-21697 (Jupyter Server Proxy is a Jupyter notebook server extension to proxy w ...) + TODO: check +CVE-2022-21696 (OnionShare is an open source tool that lets you securely and anonymous ...) + - onionshare <unfixed> + NOTE: https://github.com/onionshare/onionshare/security/advisories/GHSA-68vr-8f46-vc9f +CVE-2022-21695 (OnionShare is an open source tool that lets you securely and anonymous ...) + - onionshare <unfixed> + NOTE: https://github.com/onionshare/onionshare/security/advisories/GHSA-99p8-9p2c-49j4 +CVE-2022-21694 (OnionShare is an open source tool that lets you securely and anonymous ...) + - onionshare <unfixed> + NOTE: https://github.com/onionshare/onionshare/security/advisories/GHSA-h29c-wcm8-883h + NOTE: https://github.com/onionshare/onionshare/issues/1389 +CVE-2022-21693 (OnionShare is an open source tool that lets you securely and anonymous ...) + - onionshare <unfixed> + NOTE: https://github.com/onionshare/onionshare/security/advisories/GHSA-jgm9-xpfj-4fq6 +CVE-2022-21692 (OnionShare is an open source tool that lets you securely and anonymous ...) + - onionshare <unfixed> + NOTE: https://github.com/onionshare/onionshare/security/advisories/GHSA-gjj5-998g-v36v +CVE-2022-21691 (OnionShare is an open source tool that lets you securely and anonymous ...) + - onionshare <unfixed> + NOTE: https://github.com/onionshare/onionshare/security/advisories/GHSA-w9m4-7w72-r766 +CVE-2022-21690 (OnionShare is an open source tool that lets you securely and anonymous ...) + - onionshare <unfixed> + NOTE: https://github.com/onionshare/onionshare/security/advisories/GHSA-ch22-x2v3-v6vq +CVE-2022-21689 (OnionShare is an open source tool that lets you securely and anonymous ...) + - onionshare <unfixed> + NOTE: https://github.com/onionshare/onionshare/security/advisories/GHSA-jh82-c5jw-pxpc +CVE-2022-21688 (OnionShare is an open source tool that lets you securely and anonymous ...) + - onionshare <unfixed> + NOTE: https://github.com/onionshare/onionshare/security/advisories/GHSA-x7wr-283h-5h2v +CVE-2022-21687 (gh-ost is a triggerless online schema migration solution for MySQL. Ve ...) + NOT-FOR-US: GitHub Online Schema +CVE-2022-21686 (PrestaShop is an Open Source e-commerce platform. Starting with versio ...) + NOT-FOR-US: PrestaShop +CVE-2022-21685 (Frontier is Substrate's Ethereum compatibility layer. Prior to commit ...) + TODO: check +CVE-2022-21684 (Discourse is an open source discussion platform. Versions prior to 2.7 ...) + NOT-FOR-US: Discourse +CVE-2022-21683 (Wagtail is a Django based content management system focused on flexibi ...) + NOT-FOR-US: Wagtail +CVE-2022-21682 (Flatpak is a Linux application sandboxing and distribution framework. ...) + {DSA-5049-1} + - flatpak 1.12.3-1 + [buster] - flatpak <ignored> (Intrusive and risky to backport) + [stretch] - flatpak <ignored> (Intrusive and risky to backport) + NOTE: https://github.com/flatpak/flatpak/security/advisories/GHSA-8ch7-5j3h-g4fx + NOTE: https://github.com/flatpak/flatpak/commit/445bddeee657fdc8d2a0a1f0de12975400d4fc1a + NOTE: Documentation: https://github.com/flatpak/flatpak/commit/4d11f77aa7fd3e64cfa80af89d92567ab9e8e6fa + NOTE: 1.12.4 added further changes to avoid regressions for some workflows +CVE-2022-21681 (Marked is a markdown parser and compiler. Prior to version 4.0.10, the ...) + - node-marked 4.0.12+ds+~4.0.1-1 + [bullseye] - node-marked <no-dsa> (Minor issue) + [buster] - node-marked <no-dsa> (Minor issue) + [stretch] - node-marked <end-of-life> (Nodejs in stretch not covered by security support) + NOTE: https://github.com/markedjs/marked/security/advisories/GHSA-5v2h-r2cx-5xgj + NOTE: https://github.com/markedjs/marked/commit/8f806573a3f6c6b7a39b8cdb66ab5ebb8d55a5f5 + NOTE: https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0 (4.0.10) + NOTE: https://github.com/markedjs/marked/releases/tag/v4.0.10 +CVE-2022-21680 (Marked is a markdown parser and compiler. Prior to version 4.0.10, the ...) + - node-marked 4.0.12+ds+~4.0.1-1 + [bullseye] - node-marked <no-dsa> (Minor issue) + [buster] - node-marked <no-dsa> (Minor issue) + [stretch] - node-marked <end-of-life> (Nodejs in stretch not covered by security support) + NOTE: https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0 (4.0.10) + NOTE: https://github.com/markedjs/marked/releases/tag/v4.0.10 + NOTE: https://github.com/markedjs/marked/security/advisories/GHSA-rrrm-qjm4-v8hf +CVE-2022-21679 (Istio is an open platform to connect, manage, and secure microservices ...) + NOT-FOR-US: Istio +CVE-2022-21678 (Discourse is an open source discussion platform. Prior to version 2.8. ...) + NOT-FOR-US: Discourse +CVE-2022-21677 (Discourse is an open source discussion platform. Discourse groups can ...) + NOT-FOR-US: Discourse +CVE-2022-21676 (Engine.IO is the implementation of transport-based cross-browser/cross ...) + NOT-FOR-US: Engine.IO +CVE-2022-21675 (Bytecode Viewer (BCV) is a Java/Android reverse engineering suite. Ver ...) + NOT-FOR-US: Bytecode Viewer +CVE-2022-21674 + RESERVED +CVE-2022-21673 (Grafana is an open-source platform for monitoring and observability. I ...) + - grafana <removed> +CVE-2022-21672 (make-ca is a utility to deliver and manage a complete PKI configuratio ...) + TODO: check +CVE-2022-21671 (@replit/crosis is a JavaScript client that speaks Replit's container p ...) + NOT-FOR-US: crosis +CVE-2022-21670 (markdown-it is a Markdown parser. Prior to version 1.3.2, special patt ...) + - node-markdown-it 10.0.0+dfsg-6 + [bullseye] - node-markdown-it <no-dsa> (Minor issue) + NOTE: https://github.com/markdown-it/markdown-it/security/advisories/GHSA-6vfc-qv3f-vr6c + NOTE: https://github.com/markdown-it/markdown-it/commit/ffc49ab46b5b751cd2be0aabb146f2ef84986101 (12.3.2) +CVE-2022-21669 (PuddingBot is a group management bot. In version 0.0.6-b933652 and pri ...) + NOT-FOR-US: PuddingBot +CVE-2022-21668 (pipenv is a Python development workflow tool. Starting with version 20 ...) + - pipenv <not-affected> (Vulnerable code not uploaded) + NOTE: https://github.com/pypa/pipenv/security/advisories/GHSA-qc9x-gjcv-465w + NOTE: https://github.com/pypa/pipenv/releases/tag/v2022.1.8 + NOTE: https://github.com/pypa/pipenv/pull/4899 (v2022.1.8) + NOTE: Introduced by: https://github.com/pypa/pipenv/commit/742988169333ba14a4b2b6f527a604d6f0bc9e09 (v2018.10.9) + NOTE: Fixed by: https://github.com/pypa/pipenv/commit/167909839a95ef5aa379fe12d4564b2b829cc175 (v2022.1.8) +CVE-2022-21667 (soketi is an open-source WebSockets server. There is an unhandled case ...) + NOT-FOR-US: soketi +CVE-2022-21666 (Useful Simple Open-Source CMS (USOC) is a content management system (C ...) + NOT-FOR-US: Useful Simple Open-Source CMS (USOC) +CVE-2022-21665 + RESERVED +CVE-2022-21664 (WordPress is a free and open-source content management system written ...) + {DSA-5039-1 DLA-2884-1} + - wordpress 5.8.3+dfsg1-1 (bug #1003243) + NOTE: https://wordpress.org/news/2022/01/wordpress-5-8-3-security-release/ + NOTE: https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-jp3p-gw8h-6x86 + NOTE: https://github.com/WordPress/wordpress-develop/commit/c09ccfbc547d75b392dbccc1ef0b4442ccd3c957 +CVE-2022-21663 (WordPress is a free and open-source content management system written ...) + {DSA-5039-1 DLA-2884-1} + - wordpress 5.8.3+dfsg1-1 (bug #1003243) + NOTE: https://wordpress.org/news/2022/01/wordpress-5-8-3-security-release/ + NOTE: https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-jmmq-m8p8-332h + NOTE: https://hackerone.com/reports/541469 +CVE-2022-21662 (WordPress is a free and open-source content management system written ...) + {DSA-5039-1 DLA-2884-1} + - wordpress 5.8.3+dfsg1-1 (bug #1003243) + NOTE: https://wordpress.org/news/2022/01/wordpress-5-8-3-security-release/ + NOTE: https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-699q-3hj9-889w + NOTE: https://hackerone.com/reports/425342 +CVE-2022-21661 (WordPress is a free and open-source content management system written ...) + {DSA-5039-1 DLA-2884-1} + - wordpress 5.8.3+dfsg1-1 (bug #1003243) + NOTE: https://wordpress.org/news/2022/01/wordpress-5-8-3-security-release/ + NOTE: https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-6676-cqfm-gw84 + NOTE: https://github.com/WordPress/wordpress-develop/commit/17efac8c8ec64555eff5cf51a3eff81e06317214 + NOTE: https://hackerone.com/reports/1378209 + NOTE: https://www.zerodayinitiative.com/blog/2022/1/18/cve-2021-21661-exposing-database-info-via-wordpress-sql-injection +CVE-2022-21660 (Gin-vue-admin is a backstage management system based on vue and gin. I ...) + NOT-FOR-US: Gin-vue-admin +CVE-2022-21659 (Flask-AppBuilder is an application development framework, built on top ...) + - flask-appbuilder <itp> (bug #998029) + NOTE: https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-wfjw-w6pv-8p7f + NOTE: https://github.com/dpgaspar/Flask-AppBuilder/pull/1775 + NOTE: https://github.com/dpgaspar/Flask-AppBuilder/commit/e2b744c258ff62ece9d5ac7172c3b4644ff4c2fe (3.4.4) +CVE-2022-21658 (Rust is a multi-paradigm, general-purpose programming language designe ...) + - rustc <unfixed> + [bullseye] - rustc <no-dsa> (Minor issue) + [buster] - rustc <no-dsa> (Minor issue) + [stretch] - rustc <no-dsa> (Minor issue) + NOTE: https://github.com/rust-lang/wg-security-response/tree/master/patches/CVE-2022-21658 + NOTE: https://www.openwall.com/lists/oss-security/2022/01/20/1 +CVE-2022-21657 + RESERVED +CVE-2022-21656 + RESERVED +CVE-2022-21655 + RESERVED +CVE-2022-21654 + RESERVED +CVE-2022-21653 (Jawn is an open source JSON parser. Extenders of the `org.typelevel.ja ...) + - jawn <not-affected> (Vulnerable code not uploaded) + NOTE: https://github.com/typelevel/jawn/pull/390 + NOTE: https://github.com/typelevel/jawn/commit/e5ddb114ed5d45ee0a605da06a280207bf9f9f58 (1.3.2) + NOTE: https://github.com/typelevel/jawn/commit/0707e2569f43ff6195f90cc0dfc2d0ca79b51dd1 (1.3.2) +CVE-2022-21652 (Shopware is an open source e-commerce software platform. In affected v ...) + NOT-FOR-US: Shopware +CVE-2022-21651 (Shopware is an open source e-commerce software platform. An open redir ...) + NOT-FOR-US: Shopware +CVE-2022-21650 (Convos is an open source multi-user chat that runs in a web browser. Y ...) + NOT-FOR-US: Convos +CVE-2022-21649 (Convos is an open source multi-user chat that runs in a web browser. C ...) + NOT-FOR-US: Convos +CVE-2022-21648 (Latte is an open source template engine for PHP. Versions since 2.8.0 ...) + - php-nette <removed> + [stretch] - php-nette <not-affected> (Sandbox first appeared in Latte 2.8.0 so older versions are not affected.) + NOTE: https://github.com/nette/latte/security/advisories/GHSA-36m2-8rhx-f36j + NOTE: https://github.com/nette/latte/commit/9e1b4f7d70f7a9c3fa6753ffa7d7e450a3d4abb0 +CVE-2022-21647 (CodeIgniter is an open source PHP full-stack web framework. Deserializ ...) + - codeigniter <itp> (bug #471583) +CVE-2022-21646 (SpiceDB is a database system for managing security-critical applicatio ...) + TODO: check +CVE-2022-21645 + RESERVED +CVE-2022-21644 (USOC is an open source CMS with a focus on simplicity. In affected ver ...) + NOT-FOR-US: USOC +CVE-2022-21643 (USOC is an open source CMS with a focus on simplicity. In affected ver ...) + NOT-FOR-US: USOC +CVE-2022-21642 (Discourse is an open source platform for community discussion. In affe ...) + NOT-FOR-US: Discourse CVE-2022-21641 RESERVED CVE-2022-21640 @@ -784,342 +11277,391 @@ CVE-2022-21405 RESERVED CVE-2022-21404 RESERVED -CVE-2022-21403 - RESERVED -CVE-2022-21402 - RESERVED -CVE-2022-21401 - RESERVED -CVE-2022-21400 - RESERVED -CVE-2022-21399 - RESERVED -CVE-2022-21398 - RESERVED -CVE-2022-21397 - RESERVED -CVE-2022-21396 - RESERVED -CVE-2022-21395 - RESERVED -CVE-2022-21394 - RESERVED -CVE-2022-21393 - RESERVED -CVE-2022-21392 - RESERVED -CVE-2022-21391 - RESERVED -CVE-2022-21390 - RESERVED -CVE-2022-21389 - RESERVED -CVE-2022-21388 - RESERVED -CVE-2022-21387 - RESERVED -CVE-2022-21386 - RESERVED +CVE-2022-21403 (Vulnerability in the Oracle Communications Operations Monitor product ...) + NOT-FOR-US: Oracle +CVE-2022-21402 (Vulnerability in the Oracle Communications Operations Monitor product ...) + NOT-FOR-US: Oracle +CVE-2022-21401 (Vulnerability in the Oracle Communications Operations Monitor product ...) + NOT-FOR-US: Oracle +CVE-2022-21400 (Vulnerability in the Oracle Communications Operations Monitor product ...) + NOT-FOR-US: Oracle +CVE-2022-21399 (Vulnerability in the Oracle Communications Operations Monitor product ...) + NOT-FOR-US: Oracle +CVE-2022-21398 (Vulnerability in the Oracle Communications Operations Monitor product ...) + NOT-FOR-US: Oracle +CVE-2022-21397 (Vulnerability in the Oracle Communications Operations Monitor product ...) + NOT-FOR-US: Oracle +CVE-2022-21396 (Vulnerability in the Oracle Communications Operations Monitor product ...) + NOT-FOR-US: Oracle +CVE-2022-21395 (Vulnerability in the Oracle Communications Operations Monitor product ...) + NOT-FOR-US: Oracle +CVE-2022-21394 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) + - virtualbox 6.1.32-dfsg-1 +CVE-2022-21393 (Vulnerability in the Java VM component of Oracle Database Server. Supp ...) + NOT-FOR-US: Oracle +CVE-2022-21392 (Vulnerability in the Enterprise Manager Base Platform product of Oracl ...) + NOT-FOR-US: Oracle +CVE-2022-21391 (Vulnerability in the Oracle Communications Billing and Revenue Managem ...) + NOT-FOR-US: Oracle +CVE-2022-21390 (Vulnerability in the Oracle Communications Billing and Revenue Managem ...) + NOT-FOR-US: Oracle +CVE-2022-21389 (Vulnerability in the Oracle Communications Billing and Revenue Managem ...) + NOT-FOR-US: Oracle +CVE-2022-21388 (Vulnerability in the Oracle Communications Pricing Design Center produ ...) + NOT-FOR-US: Oracle +CVE-2022-21387 (Vulnerability in the Oracle Commerce Platform product of Oracle Commer ...) + NOT-FOR-US: Oracle +CVE-2022-21386 (Vulnerability in the Oracle WebLogic Server product of Oracle Fusion M ...) + NOT-FOR-US: Oracle CVE-2022-21385 RESERVED CVE-2022-21384 RESERVED -CVE-2022-21383 - RESERVED -CVE-2022-21382 - RESERVED -CVE-2022-21381 - RESERVED -CVE-2022-21380 - RESERVED -CVE-2022-21379 - RESERVED -CVE-2022-21378 - RESERVED -CVE-2022-21377 - RESERVED -CVE-2022-21376 - RESERVED -CVE-2022-21375 - RESERVED -CVE-2022-21374 - RESERVED -CVE-2022-21373 - RESERVED -CVE-2022-21372 - RESERVED -CVE-2022-21371 - RESERVED -CVE-2022-21370 - RESERVED -CVE-2022-21369 - RESERVED -CVE-2022-21368 - RESERVED -CVE-2022-21367 - RESERVED -CVE-2022-21366 - RESERVED -CVE-2022-21365 - RESERVED -CVE-2022-21364 - RESERVED -CVE-2022-21363 - RESERVED -CVE-2022-21362 - RESERVED -CVE-2022-21361 - RESERVED -CVE-2022-21360 - RESERVED -CVE-2022-21359 - RESERVED -CVE-2022-21358 - RESERVED -CVE-2022-21357 - RESERVED -CVE-2022-21356 - RESERVED -CVE-2022-21355 - RESERVED -CVE-2022-21354 - RESERVED -CVE-2022-21353 - RESERVED -CVE-2022-21352 - RESERVED -CVE-2022-21351 - RESERVED -CVE-2022-21350 - RESERVED -CVE-2022-21349 - RESERVED -CVE-2022-21348 - RESERVED -CVE-2022-21347 - RESERVED -CVE-2022-21346 - RESERVED -CVE-2022-21345 - RESERVED -CVE-2022-21344 - RESERVED +CVE-2022-21383 (Vulnerability in the Oracle Enterprise Session Border Controller produ ...) + NOT-FOR-US: Oracle +CVE-2022-21382 (Vulnerability in the Oracle Enterprise Session Border Controller produ ...) + NOT-FOR-US: Oracle +CVE-2022-21381 (Vulnerability in the Oracle Enterprise Session Border Controller produ ...) + NOT-FOR-US: Oracle +CVE-2022-21380 (Vulnerability in the MySQL Cluster product of Oracle MySQL (component: ...) + NOT-FOR-US: MySQL Cluster +CVE-2022-21379 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) + - mysql-8.0 <unfixed> +CVE-2022-21378 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) + - mysql-8.0 <unfixed> +CVE-2022-21377 (Vulnerability in the Primavera Portfolio Management product of Oracle ...) + NOT-FOR-US: Oracle +CVE-2022-21376 (Vulnerability in the Primavera Portfolio Management product of Oracle ...) + NOT-FOR-US: Oracle +CVE-2022-21375 (Vulnerability in the Oracle Solaris product of Oracle Systems (compone ...) + NOT-FOR-US: Oracle +CVE-2022-21374 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) + - mysql-8.0 <unfixed> +CVE-2022-21373 (Vulnerability in the Oracle Partner Management product of Oracle E-Bus ...) + NOT-FOR-US: Oracle +CVE-2022-21372 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) + - mysql-8.0 <unfixed> +CVE-2022-21371 (Vulnerability in the Oracle WebLogic Server product of Oracle Fusion M ...) + NOT-FOR-US: Oracle +CVE-2022-21370 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) + - mysql-8.0 <unfixed> +CVE-2022-21369 (Vulnerability in the PeopleSoft Enterprise PeopleTools product of Orac ...) + NOT-FOR-US: Oracle +CVE-2022-21368 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) + - mysql-8.0 <unfixed> +CVE-2022-21367 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) + - mysql-5.7 <removed> + - mysql-8.0 <unfixed> +CVE-2022-21366 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) + {DSA-5058-1 DSA-5057-1} + - openjdk-11 11.0.14+9-1 + - openjdk-17 17.0.2+8-1 +CVE-2022-21365 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) + {DSA-5058-1 DSA-5057-1 DLA-2917-1} + - openjdk-8 <unfixed> + - openjdk-11 11.0.14+9-1 + - openjdk-17 17.0.2+8-1 +CVE-2022-21364 (Vulnerability in the PeopleSoft Enterprise PeopleTools product of Orac ...) + NOT-FOR-US: Oracle +CVE-2022-21363 (Vulnerability in the MySQL Connectors product of Oracle MySQL (compone ...) + - mysql-8.0 <unfixed> +CVE-2022-21362 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) + - mysql-8.0 <unfixed> +CVE-2022-21361 (Vulnerability in the Oracle WebLogic Server product of Oracle Fusion M ...) + NOT-FOR-US: Oracle +CVE-2022-21360 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) + {DSA-5058-1 DSA-5057-1 DLA-2917-1} + - openjdk-8 <unfixed> + - openjdk-11 11.0.14+9-1 + - openjdk-17 17.0.2+8-1 +CVE-2022-21359 (Vulnerability in the PeopleSoft Enterprise PeopleTools product of Orac ...) + NOT-FOR-US: Oracle +CVE-2022-21358 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) + - mysql-8.0 <unfixed> +CVE-2022-21357 (Vulnerability in the MySQL Cluster product of Oracle MySQL (component: ...) + NOT-FOR-US: MySQL Cluster +CVE-2022-21356 (Vulnerability in the MySQL Cluster product of Oracle MySQL (component: ...) + NOT-FOR-US: MySQL Cluster +CVE-2022-21355 (Vulnerability in the MySQL Cluster product of Oracle MySQL (component: ...) + NOT-FOR-US: MySQL Cluster +CVE-2022-21354 (Vulnerability in the Oracle iStore product of Oracle E-Business Suite ...) + NOT-FOR-US: Oracle +CVE-2022-21353 (Vulnerability in the Oracle WebLogic Server product of Oracle Fusion M ...) + NOT-FOR-US: Oracle +CVE-2022-21352 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) + - mysql-8.0 <unfixed> +CVE-2022-21351 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) + - mysql-8.0 <unfixed> +CVE-2022-21350 (Vulnerability in the Oracle WebLogic Server product of Oracle Fusion M ...) + NOT-FOR-US: Oracle +CVE-2022-21349 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) + {DLA-2917-1} + - openjdk-8 <unfixed> +CVE-2022-21348 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) + - mysql-8.0 <unfixed> +CVE-2022-21347 (Vulnerability in the Oracle WebLogic Server product of Oracle Fusion M ...) + NOT-FOR-US: Oracle +CVE-2022-21346 (Vulnerability in the Oracle BI Publisher product of Oracle Fusion Midd ...) + NOT-FOR-US: Oracle +CVE-2022-21345 (Vulnerability in the PeopleSoft Enterprise PeopleTools product of Orac ...) + NOT-FOR-US: Oracle +CVE-2022-21344 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) + - mysql-5.7 <removed> + - mysql-8.0 <unfixed> CVE-2022-21343 RESERVED -CVE-2022-21342 - RESERVED -CVE-2022-21341 - RESERVED -CVE-2022-21340 - RESERVED -CVE-2022-21339 - RESERVED -CVE-2022-21338 - RESERVED -CVE-2022-21337 - RESERVED -CVE-2022-21336 - RESERVED -CVE-2022-21335 - RESERVED -CVE-2022-21334 - RESERVED -CVE-2022-21333 - RESERVED -CVE-2022-21332 - RESERVED -CVE-2022-21331 - RESERVED -CVE-2022-21330 - RESERVED -CVE-2022-21329 - RESERVED -CVE-2022-21328 - RESERVED -CVE-2022-21327 - RESERVED -CVE-2022-21326 - RESERVED -CVE-2022-21325 - RESERVED -CVE-2022-21324 - RESERVED -CVE-2022-21323 - RESERVED -CVE-2022-21322 - RESERVED -CVE-2022-21321 - RESERVED -CVE-2022-21320 - RESERVED -CVE-2022-21319 - RESERVED -CVE-2022-21318 - RESERVED -CVE-2022-21317 - RESERVED -CVE-2022-21316 - RESERVED -CVE-2022-21315 - RESERVED -CVE-2022-21314 - RESERVED -CVE-2022-21313 - RESERVED -CVE-2022-21312 - RESERVED -CVE-2022-21311 - RESERVED -CVE-2022-21310 - RESERVED -CVE-2022-21309 - RESERVED -CVE-2022-21308 - RESERVED -CVE-2022-21307 - RESERVED -CVE-2022-21306 - RESERVED -CVE-2022-21305 - RESERVED -CVE-2022-21304 - RESERVED -CVE-2022-21303 - RESERVED -CVE-2022-21302 - RESERVED -CVE-2022-21301 - RESERVED -CVE-2022-21300 - RESERVED -CVE-2022-21299 - RESERVED -CVE-2022-21298 - RESERVED -CVE-2022-21297 - RESERVED -CVE-2022-21296 - RESERVED -CVE-2022-21295 - RESERVED -CVE-2022-21294 - RESERVED -CVE-2022-21293 - RESERVED -CVE-2022-21292 - RESERVED -CVE-2022-21291 - RESERVED -CVE-2022-21290 - RESERVED -CVE-2022-21289 - RESERVED -CVE-2022-21288 - RESERVED -CVE-2022-21287 - RESERVED -CVE-2022-21286 - RESERVED -CVE-2022-21285 - RESERVED -CVE-2022-21284 - RESERVED -CVE-2022-21283 - RESERVED -CVE-2022-21282 - RESERVED -CVE-2022-21281 - RESERVED -CVE-2022-21280 - RESERVED -CVE-2022-21279 - RESERVED -CVE-2022-21278 - RESERVED -CVE-2022-21277 - RESERVED -CVE-2022-21276 - RESERVED -CVE-2022-21275 - RESERVED -CVE-2022-21274 - RESERVED -CVE-2022-21273 - RESERVED -CVE-2022-21272 - RESERVED -CVE-2022-21271 - RESERVED -CVE-2022-21270 - RESERVED -CVE-2022-21269 - RESERVED -CVE-2022-21268 - RESERVED -CVE-2022-21267 - RESERVED -CVE-2022-21266 - RESERVED -CVE-2022-21265 - RESERVED -CVE-2022-21264 - RESERVED -CVE-2022-21263 - RESERVED -CVE-2022-21262 - RESERVED -CVE-2022-21261 - RESERVED -CVE-2022-21260 - RESERVED -CVE-2022-21259 - RESERVED -CVE-2022-21258 - RESERVED -CVE-2022-21257 - RESERVED -CVE-2022-21256 - RESERVED -CVE-2022-21255 - RESERVED -CVE-2022-21254 - RESERVED -CVE-2022-21253 - RESERVED -CVE-2022-21252 - RESERVED -CVE-2022-21251 - RESERVED -CVE-2022-21250 - RESERVED -CVE-2022-21249 - RESERVED -CVE-2022-21248 - RESERVED -CVE-2022-21247 - RESERVED -CVE-2022-21246 - RESERVED -CVE-2022-21245 - RESERVED -CVE-2022-21244 - RESERVED -CVE-2022-21243 - RESERVED -CVE-2022-21242 - RESERVED +CVE-2022-21342 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) + - mysql-8.0 <unfixed> +CVE-2022-21341 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) + {DSA-5058-1 DSA-5057-1 DLA-2917-1} + - openjdk-8 <unfixed> + - openjdk-11 11.0.14+9-1 + - openjdk-17 17.0.2+8-1 +CVE-2022-21340 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) + {DSA-5058-1 DSA-5057-1 DLA-2917-1} + - openjdk-8 <unfixed> + - openjdk-11 11.0.14+9-1 + - openjdk-17 17.0.2+8-1 +CVE-2022-21339 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) + - mysql-8.0 <unfixed> +CVE-2022-21338 (Vulnerability in the Oracle Communications Convergence product of Orac ...) + NOT-FOR-US: Oracle +CVE-2022-21337 (Vulnerability in the MySQL Cluster product of Oracle MySQL (component: ...) + NOT-FOR-US: MySQL Cluster +CVE-2022-21336 (Vulnerability in the MySQL Cluster product of Oracle MySQL (component: ...) + NOT-FOR-US: MySQL Cluster +CVE-2022-21335 (Vulnerability in the MySQL Cluster product of Oracle MySQL (component: ...) + NOT-FOR-US: MySQL Cluster +CVE-2022-21334 (Vulnerability in the MySQL Cluster product of Oracle MySQL (component: ...) + NOT-FOR-US: MySQL Cluster +CVE-2022-21333 (Vulnerability in the MySQL Cluster product of Oracle MySQL (component: ...) + NOT-FOR-US: MySQL Cluster +CVE-2022-21332 (Vulnerability in the MySQL Cluster product of Oracle MySQL (component: ...) + NOT-FOR-US: MySQL Cluster +CVE-2022-21331 (Vulnerability in the MySQL Cluster product of Oracle MySQL (component: ...) + NOT-FOR-US: MySQL Cluster +CVE-2022-21330 (Vulnerability in the MySQL Cluster product of Oracle MySQL (component: ...) + NOT-FOR-US: MySQL Cluster +CVE-2022-21329 (Vulnerability in the MySQL Cluster product of Oracle MySQL (component: ...) + NOT-FOR-US: MySQL Cluster +CVE-2022-21328 (Vulnerability in the MySQL Cluster product of Oracle MySQL (component: ...) + NOT-FOR-US: MySQL Cluster +CVE-2022-21327 (Vulnerability in the MySQL Cluster product of Oracle MySQL (component: ...) + NOT-FOR-US: MySQL Cluster +CVE-2022-21326 (Vulnerability in the MySQL Cluster product of Oracle MySQL (component: ...) + NOT-FOR-US: MySQL Cluster +CVE-2022-21325 (Vulnerability in the MySQL Cluster product of Oracle MySQL (component: ...) + NOT-FOR-US: MySQL Cluster +CVE-2022-21324 (Vulnerability in the MySQL Cluster product of Oracle MySQL (component: ...) + NOT-FOR-US: MySQL Cluster +CVE-2022-21323 (Vulnerability in the MySQL Cluster product of Oracle MySQL (component: ...) + NOT-FOR-US: MySQL Cluster +CVE-2022-21322 (Vulnerability in the MySQL Cluster product of Oracle MySQL (component: ...) + NOT-FOR-US: MySQL Cluster +CVE-2022-21321 (Vulnerability in the MySQL Cluster product of Oracle MySQL (component: ...) + NOT-FOR-US: MySQL Cluster +CVE-2022-21320 (Vulnerability in the MySQL Cluster product of Oracle MySQL (component: ...) + NOT-FOR-US: MySQL Cluster +CVE-2022-21319 (Vulnerability in the MySQL Cluster product of Oracle MySQL (component: ...) + NOT-FOR-US: MySQL Cluster +CVE-2022-21318 (Vulnerability in the MySQL Cluster product of Oracle MySQL (component: ...) + NOT-FOR-US: MySQL Cluster +CVE-2022-21317 (Vulnerability in the MySQL Cluster product of Oracle MySQL (component: ...) + NOT-FOR-US: MySQL Cluster +CVE-2022-21316 (Vulnerability in the MySQL Cluster product of Oracle MySQL (component: ...) + NOT-FOR-US: MySQL Cluster +CVE-2022-21315 (Vulnerability in the MySQL Cluster product of Oracle MySQL (component: ...) + NOT-FOR-US: MySQL Cluster +CVE-2022-21314 (Vulnerability in the MySQL Cluster product of Oracle MySQL (component: ...) + NOT-FOR-US: MySQL Cluster +CVE-2022-21313 (Vulnerability in the MySQL Cluster product of Oracle MySQL (component: ...) + NOT-FOR-US: MySQL Cluster +CVE-2022-21312 (Vulnerability in the MySQL Cluster product of Oracle MySQL (component: ...) + NOT-FOR-US: MySQL Cluster +CVE-2022-21311 (Vulnerability in the MySQL Cluster product of Oracle MySQL (component: ...) + NOT-FOR-US: MySQL Cluster +CVE-2022-21310 (Vulnerability in the MySQL Cluster product of Oracle MySQL (component: ...) + NOT-FOR-US: MySQL Cluster +CVE-2022-21309 (Vulnerability in the MySQL Cluster product of Oracle MySQL (component: ...) + NOT-FOR-US: MySQL Cluster +CVE-2022-21308 (Vulnerability in the MySQL Cluster product of Oracle MySQL (component: ...) + NOT-FOR-US: MySQL Cluster +CVE-2022-21307 (Vulnerability in the MySQL Cluster product of Oracle MySQL (component: ...) + NOT-FOR-US: MySQL Cluster +CVE-2022-21306 (Vulnerability in the Oracle WebLogic Server product of Oracle Fusion M ...) + NOT-FOR-US: Oracle +CVE-2022-21305 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) + {DSA-5058-1 DSA-5057-1 DLA-2917-1} + - openjdk-8 <unfixed> + - openjdk-11 11.0.14+9-1 + - openjdk-17 17.0.2+8-1 +CVE-2022-21304 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) + - mysql-5.7 <removed> + - mysql-8.0 <unfixed> +CVE-2022-21303 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) + - mysql-5.7 <removed> + - mysql-8.0 <unfixed> +CVE-2022-21302 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) + - mysql-8.0 <unfixed> +CVE-2022-21301 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) + - mysql-8.0 <unfixed> +CVE-2022-21300 (Vulnerability in the PeopleSoft Enterprise CS SA Integration Pack prod ...) + NOT-FOR-US: Oracle +CVE-2022-21299 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) + {DSA-5058-1 DSA-5057-1 DLA-2917-1} + - openjdk-8 <unfixed> + - openjdk-11 11.0.14+9-1 + - openjdk-17 17.0.2+8-1 +CVE-2022-21298 (Vulnerability in the Oracle Solaris product of Oracle Systems (compone ...) + NOT-FOR-US: Oracle +CVE-2022-21297 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) + - mysql-8.0 <unfixed> +CVE-2022-21296 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) + {DSA-5058-1 DSA-5057-1 DLA-2917-1} + - openjdk-8 <unfixed> + - openjdk-11 11.0.14+9-1 + - openjdk-17 17.0.2+8-1 +CVE-2022-21295 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) + - virtualbox <not-affected> (Windows-specific) +CVE-2022-21294 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) + {DSA-5058-1 DSA-5057-1 DLA-2917-1} + - openjdk-8 <unfixed> + - openjdk-11 11.0.14+9-1 + - openjdk-17 17.0.2+8-1 +CVE-2022-21293 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) + {DSA-5058-1 DSA-5057-1 DLA-2917-1} + - openjdk-8 <unfixed> + - openjdk-11 11.0.14+9-1 + - openjdk-17 17.0.2+8-1 +CVE-2022-21292 (Vulnerability in the Oracle WebLogic Server product of Oracle Fusion M ...) + NOT-FOR-US: Oracle +CVE-2022-21291 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) + {DSA-5058-1 DSA-5057-1} + - openjdk-11 11.0.14+9-1 + - openjdk-17 17.0.2+8-1 +CVE-2022-21290 (Vulnerability in the MySQL Cluster product of Oracle MySQL (component: ...) + NOT-FOR-US: MySQL Cluster +CVE-2022-21289 (Vulnerability in the MySQL Cluster product of Oracle MySQL (component: ...) + NOT-FOR-US: MySQL Cluster +CVE-2022-21288 (Vulnerability in the MySQL Cluster product of Oracle MySQL (component: ...) + NOT-FOR-US: MySQL Cluster +CVE-2022-21287 (Vulnerability in the MySQL Cluster product of Oracle MySQL (component: ...) + NOT-FOR-US: MySQL Cluster +CVE-2022-21286 (Vulnerability in the MySQL Cluster product of Oracle MySQL (component: ...) + NOT-FOR-US: MySQL Cluster +CVE-2022-21285 (Vulnerability in the MySQL Cluster product of Oracle MySQL (component: ...) + NOT-FOR-US: MySQL Cluster +CVE-2022-21284 (Vulnerability in the MySQL Cluster product of Oracle MySQL (component: ...) + NOT-FOR-US: MySQL Cluster +CVE-2022-21283 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) + {DSA-5058-1 DSA-5057-1 DLA-2917-1} + - openjdk-11 11.0.14+9-1 + - openjdk-17 17.0.2+8-1 +CVE-2022-21282 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) + {DSA-5058-1 DSA-5057-1 DLA-2917-1} + - openjdk-8 <unfixed> + - openjdk-11 11.0.14+9-1 + - openjdk-17 17.0.2+8-1 +CVE-2022-21281 (Vulnerability in the Primavera Portfolio Management product of Oracle ...) + NOT-FOR-US: Oracle +CVE-2022-21280 (Vulnerability in the MySQL Cluster product of Oracle MySQL (component: ...) + NOT-FOR-US: MySQL Cluster +CVE-2022-21279 (Vulnerability in the MySQL Cluster product of Oracle MySQL (component: ...) + NOT-FOR-US: MySQL Cluster +CVE-2022-21278 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) + - mysql-8.0 <unfixed> +CVE-2022-21277 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) + {DSA-5058-1 DSA-5057-1} + - openjdk-11 11.0.14+9-1 + - openjdk-17 17.0.2+8-1 +CVE-2022-21276 (Vulnerability in the Oracle Communications Billing and Revenue Managem ...) + NOT-FOR-US: Oracle +CVE-2022-21275 (Vulnerability in the Oracle Communications Billing and Revenue Managem ...) + NOT-FOR-US: Oracle +CVE-2022-21274 (Vulnerability in the Oracle Sourcing product of Oracle E-Business Suit ...) + NOT-FOR-US: Oracle +CVE-2022-21273 (Vulnerability in the Oracle Project Costing product of Oracle E-Busine ...) + NOT-FOR-US: Oracle +CVE-2022-21272 (Vulnerability in the PeopleSoft Enterprise PeopleTools product of Orac ...) + NOT-FOR-US: Oracle +CVE-2022-21271 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) + - openjdk-8 <not-affected> (Seems specific to Oracle Java) + - openjdk-11 <not-affected> (Seems specific to Oracle Java) +CVE-2022-21270 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) + - mysql-5.7 <removed> + - mysql-8.0 <unfixed> +CVE-2022-21269 (Vulnerability in the Primavera Portfolio Management product of Oracle ...) + NOT-FOR-US: Oracle +CVE-2022-21268 (Vulnerability in the Oracle Communications Billing and Revenue Managem ...) + NOT-FOR-US: Oracle +CVE-2022-21267 (Vulnerability in the Oracle Communications Billing and Revenue Managem ...) + NOT-FOR-US: Oracle +CVE-2022-21266 (Vulnerability in the Oracle Communications Billing and Revenue Managem ...) + NOT-FOR-US: Oracle +CVE-2022-21265 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) + - mysql-8.0 <unfixed> +CVE-2022-21264 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) + - mysql-8.0 <unfixed> +CVE-2022-21263 (Vulnerability in the Oracle Solaris product of Oracle Systems (compone ...) + NOT-FOR-US: Oracle +CVE-2022-21262 (Vulnerability in the Oracle WebLogic Server product of Oracle Fusion M ...) + NOT-FOR-US: Oracle +CVE-2022-21261 (Vulnerability in the Oracle WebLogic Server product of Oracle Fusion M ...) + NOT-FOR-US: Oracle +CVE-2022-21260 (Vulnerability in the Oracle WebLogic Server product of Oracle Fusion M ...) + NOT-FOR-US: Oracle +CVE-2022-21259 (Vulnerability in the Oracle WebLogic Server product of Oracle Fusion M ...) + NOT-FOR-US: Oracle +CVE-2022-21258 (Vulnerability in the Oracle WebLogic Server product of Oracle Fusion M ...) + NOT-FOR-US: Oracle +CVE-2022-21257 (Vulnerability in the Oracle WebLogic Server product of Oracle Fusion M ...) + NOT-FOR-US: Oracle +CVE-2022-21256 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) + - mysql-8.0 <unfixed> +CVE-2022-21255 (Vulnerability in the Oracle Configurator product of Oracle E-Business ...) + NOT-FOR-US: Oracle +CVE-2022-21254 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) + - mysql-8.0 <unfixed> +CVE-2022-21253 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) + - mysql-8.0 <unfixed> +CVE-2022-21252 (Vulnerability in the Oracle WebLogic Server product of Oracle Fusion M ...) + NOT-FOR-US: Oracle +CVE-2022-21251 (Vulnerability in the Oracle Installed Base product of Oracle E-Busines ...) + NOT-FOR-US: Oracle +CVE-2022-21250 (Vulnerability in the Oracle Trade Management product of Oracle E-Busin ...) + NOT-FOR-US: Oracle +CVE-2022-21249 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) + - mysql-8.0 <unfixed> +CVE-2022-21248 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) + {DSA-5058-1 DSA-5057-1 DLA-2917-1} + - openjdk-8 <unfixed> + - openjdk-11 11.0.14+9-1 + - openjdk-17 17.0.2+8-1 +CVE-2022-21247 (Vulnerability in the Core RDBMS component of Oracle Database Server. S ...) + NOT-FOR-US: Oracle +CVE-2022-21246 (Vulnerability in the Oracle Communications Operations Monitor product ...) + NOT-FOR-US: Oracle +CVE-2022-21245 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) + - mysql-5.7 <removed> + - mysql-8.0 <unfixed> +CVE-2022-21244 (Vulnerability in the Primavera Portfolio Management product of Oracle ...) + NOT-FOR-US: Oracle +CVE-2022-21243 (Vulnerability in the Primavera Portfolio Management product of Oracle ...) + NOT-FOR-US: Oracle +CVE-2022-21242 (Vulnerability in the Primavera Portfolio Management product of Oracle ...) + NOT-FOR-US: Oracle CVE-2022-21216 RESERVED -CVE-2022-21204 - RESERVED +CVE-2022-21204 (Improper permissions for Intel(R) Quartus(R) Prime Pro Edition before ...) + NOT-FOR-US: Intel CVE-2022-21200 RESERVED -CVE-2022-21174 - RESERVED -CVE-2022-21157 - RESERVED -CVE-2022-21153 - RESERVED +CVE-2022-21174 (Improper access control in a third-party component of Intel(R) Quartus ...) + NOT-FOR-US: Intel +CVE-2022-21157 (Improper access control in the Intel(R) Smart Campus Android applicati ...) + NOT-FOR-US: Intel +CVE-2022-21153 (Improper access control in the Intel(R) Capital Global Summit Android ...) + NOT-FOR-US: Intel CVE-2022-21151 RESERVED CVE-2022-21138 @@ -1128,14 +11670,14 @@ CVE-2022-21136 RESERVED CVE-2022-21131 RESERVED -CVE-2022-21220 - RESERVED +CVE-2022-21220 (Improper restriction of XML external entity for Intel(R) Quartus(R) Pr ...) + NOT-FOR-US: Intel CVE-2022-21207 RESERVED -CVE-2022-21205 - RESERVED -CVE-2022-21203 - RESERVED +CVE-2022-21205 (Improper restriction of XML external entity reference in DSP Builder P ...) + NOT-FOR-US: Intel +CVE-2022-21203 (Improper permissions in the SafeNet Sentinel driver for Intel(R) Quart ...) + NOT-FOR-US: Intel CVE-2022-21181 RESERVED CVE-2022-21180 @@ -1890,10 +12432,10 @@ CVE-2022-20752 RESERVED CVE-2022-20751 RESERVED -CVE-2022-20750 - RESERVED -CVE-2022-20749 - RESERVED +CVE-2022-20750 (A vulnerability in the checkpoint manager implementation of Cisco Redu ...) + NOT-FOR-US: Cisco +CVE-2022-20749 (Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, ...) + NOT-FOR-US: Cisco Small Business RV Series Routers CVE-2022-20748 RESERVED CVE-2022-20747 @@ -1914,8 +12456,8 @@ CVE-2022-20740 RESERVED CVE-2022-20739 RESERVED -CVE-2022-20738 - RESERVED +CVE-2022-20738 (A vulnerability in the Cisco Umbrella Secure Web Gateway service could ...) + NOT-FOR-US: Cisco CVE-2022-20737 RESERVED CVE-2022-20736 @@ -1966,36 +12508,41 @@ CVE-2022-20714 RESERVED CVE-2022-20713 RESERVED -CVE-2022-20712 - RESERVED -CVE-2022-20711 - RESERVED -CVE-2022-20710 - RESERVED -CVE-2022-20709 - RESERVED -CVE-2022-20708 - RESERVED -CVE-2022-20707 - RESERVED -CVE-2022-20706 - RESERVED -CVE-2022-20705 - RESERVED -CVE-2022-20704 - RESERVED -CVE-2022-20703 - RESERVED -CVE-2022-20702 - RESERVED -CVE-2022-20701 - RESERVED -CVE-2022-20700 - RESERVED -CVE-2022-20699 - RESERVED -CVE-2022-20698 - RESERVED +CVE-2022-20712 (Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, ...) + NOT-FOR-US: Cisco Small Business RV Series Routers +CVE-2022-20711 (Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, ...) + NOT-FOR-US: Cisco Small Business RV Series Routers +CVE-2022-20710 (Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, ...) + NOT-FOR-US: Cisco Small Business RV Series Routers +CVE-2022-20709 (Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, ...) + NOT-FOR-US: Cisco Small Business RV Series Routers +CVE-2022-20708 (Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, ...) + NOT-FOR-US: Cisco Small Business RV Series Routers +CVE-2022-20707 (Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, ...) + NOT-FOR-US: Cisco Small Business RV Series Routers +CVE-2022-20706 (Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, ...) + NOT-FOR-US: Cisco Small Business RV Series Routers +CVE-2022-20705 (Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, ...) + NOT-FOR-US: Cisco Small Business RV Series Routers +CVE-2022-20704 (Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, ...) + NOT-FOR-US: Cisco Small Business RV Series Routers +CVE-2022-20703 (Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, ...) + NOT-FOR-US: Cisco Small Business RV Series Routers +CVE-2022-20702 (Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, ...) + NOT-FOR-US: Cisco Small Business RV Series Routers +CVE-2022-20701 (Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, ...) + NOT-FOR-US: Cisco Small Business RV Series Routers +CVE-2022-20700 (Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, ...) + NOT-FOR-US: Cisco Small Business RV Series Routers +CVE-2022-20699 (Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, ...) + NOT-FOR-US: Cisco Small Business RV Series Routers +CVE-2022-20698 (A vulnerability in the OOXML parsing module in Clam AntiVirus (ClamAV) ...) + - clamav 0.103.5+dfsg-1 + [bullseye] - clamav <no-dsa> (clamav is updated via -updates) + [buster] - clamav <no-dsa> (clamav is updated via -updates) + [stretch] - clamav <postponed> (Minor issue; clean crash; follow stable updates) + NOTE: https://blog.clamav.net/2022/01/clamav-01035-and-01042-security-patch.html + NOTE: https://github.com/Cisco-Talos/clamav/commit/9a6bb57f89721db637f4ddb5b233c1c4e23d223a (0.103.5) CVE-2022-20697 RESERVED CVE-2022-20696 @@ -2030,8 +12577,8 @@ CVE-2022-20682 RESERVED CVE-2022-20681 RESERVED -CVE-2022-20680 - RESERVED +CVE-2022-20680 (A vulnerability in the web-based management interface of Cisco Prime S ...) + NOT-FOR-US: Cisco CVE-2022-20679 RESERVED CVE-2022-20678 @@ -2070,12 +12617,12 @@ CVE-2022-20662 RESERVED CVE-2022-20661 RESERVED -CVE-2022-20660 - RESERVED -CVE-2022-20659 - RESERVED -CVE-2022-20658 - RESERVED +CVE-2022-20660 (A vulnerability in the information storage architecture of several Cis ...) + NOT-FOR-US: Cisco +CVE-2022-20659 (A vulnerability in the web-based management interface of Cisco Prime I ...) + NOT-FOR-US: Cisco +CVE-2022-20658 (A vulnerability in the web-based management interface of Cisco Unified ...) + NOT-FOR-US: Cisco CVE-2022-20657 RESERVED CVE-2022-20656 @@ -2084,8 +12631,8 @@ CVE-2022-20655 RESERVED CVE-2022-20654 RESERVED -CVE-2022-20653 - RESERVED +CVE-2022-20653 (A vulnerability in the DNS-based Authentication of Named Entities (DAN ...) + NOT-FOR-US: Cisco CVE-2022-20652 RESERVED CVE-2022-20651 @@ -2096,32 +12643,32 @@ CVE-2022-20649 RESERVED CVE-2022-20648 RESERVED -CVE-2022-20647 - RESERVED -CVE-2022-20646 - RESERVED -CVE-2022-20645 - RESERVED -CVE-2022-20644 - RESERVED -CVE-2022-20643 - RESERVED -CVE-2022-20642 - RESERVED -CVE-2022-20641 - RESERVED -CVE-2022-20640 - RESERVED -CVE-2022-20639 - RESERVED -CVE-2022-20638 - RESERVED -CVE-2022-20637 - RESERVED -CVE-2022-20636 - RESERVED -CVE-2022-20635 - RESERVED +CVE-2022-20647 (Multiple vulnerabilities in the web-based management interface of Cisc ...) + NOT-FOR-US: Cisco +CVE-2022-20646 (Multiple vulnerabilities in the web-based management interface of Cisc ...) + NOT-FOR-US: Cisco +CVE-2022-20645 (Multiple vulnerabilities in the web-based management interface of Cisc ...) + NOT-FOR-US: Cisco +CVE-2022-20644 (Multiple vulnerabilities in the web-based management interface of Cisc ...) + NOT-FOR-US: Cisco +CVE-2022-20643 (Multiple vulnerabilities in the web-based management interface of Cisc ...) + NOT-FOR-US: Cisco +CVE-2022-20642 (Multiple vulnerabilities in the web-based management interface of Cisc ...) + NOT-FOR-US: Cisco +CVE-2022-20641 (Multiple vulnerabilities in the web-based management interface of Cisc ...) + NOT-FOR-US: Cisco +CVE-2022-20640 (Multiple vulnerabilities in the web-based management interface of Cisc ...) + NOT-FOR-US: Cisco +CVE-2022-20639 (Multiple vulnerabilities in the web-based management interface of Cisc ...) + NOT-FOR-US: Cisco +CVE-2022-20638 (Multiple vulnerabilities in the web-based management interface of Cisc ...) + NOT-FOR-US: Cisco +CVE-2022-20637 (Multiple vulnerabilities in the web-based management interface of Cisc ...) + NOT-FOR-US: Cisco +CVE-2022-20636 (Multiple vulnerabilities in the web-based management interface of Cisc ...) + NOT-FOR-US: Cisco +CVE-2022-20635 (Multiple vulnerabilities in the web-based management interface of Cisc ...) + NOT-FOR-US: Cisco CVE-2022-20634 RESERVED CVE-2022-20633 @@ -2130,8 +12677,8 @@ CVE-2022-20632 RESERVED CVE-2022-20631 RESERVED -CVE-2022-20630 - RESERVED +CVE-2022-20630 (A vulnerability in the audit log of Cisco DNA Center could allow an au ...) + NOT-FOR-US: Cisco CVE-2022-20629 RESERVED CVE-2022-20628 @@ -2148,26 +12695,26 @@ CVE-2022-20623 RESERVED CVE-2022-20622 RESERVED -CVE-2022-20621 - RESERVED -CVE-2022-20620 - RESERVED -CVE-2022-20619 - RESERVED -CVE-2022-20618 - RESERVED -CVE-2022-20617 - RESERVED -CVE-2022-20616 - RESERVED -CVE-2022-20615 - RESERVED -CVE-2022-20614 - RESERVED -CVE-2022-20613 - RESERVED -CVE-2022-20612 - RESERVED +CVE-2022-20621 (Jenkins Metrics Plugin 4.0.2.8 and earlier stores an access key unencr ...) + NOT-FOR-US: Jenkins plugin +CVE-2022-20620 (Missing permission checks in Jenkins SSH Agent Plugin 1.23 and earlier ...) + NOT-FOR-US: Jenkins plugin +CVE-2022-20619 (A cross-site request forgery (CSRF) vulnerability in Jenkins Bitbucket ...) + NOT-FOR-US: Jenkins plugin +CVE-2022-20618 (A missing permission check in Jenkins Bitbucket Branch Source Plugin 7 ...) + NOT-FOR-US: Jenkins plugin +CVE-2022-20617 (Jenkins Docker Commons Plugin 1.17 and earlier does not sanitize the n ...) + NOT-FOR-US: Jenkins plugin +CVE-2022-20616 (Jenkins Credentials Binding Plugin 1.27 and earlier does not perform a ...) + NOT-FOR-US: Jenkins plugin +CVE-2022-20615 (Jenkins Matrix Project Plugin 1.19 and earlier does not escape HTML me ...) + NOT-FOR-US: Jenkins plugin +CVE-2022-20614 (A missing permission check in Jenkins Mailer Plugin 391.ve4a_38c1b_cf4 ...) + NOT-FOR-US: Jenkins plugin +CVE-2022-20613 (A cross-site request forgery (CSRF) vulnerability in Jenkins Mailer Pl ...) + NOT-FOR-US: Jenkins plugin +CVE-2022-20612 (A cross-site request forgery (CSRF) vulnerability in Jenkins 2.329 and ...) + - jenkins <removed> CVE-2022-0005 RESERVED CVE-2022-0004 @@ -3308,76 +13855,76 @@ CVE-2022-20048 RESERVED CVE-2022-20047 RESERVED -CVE-2022-20046 - RESERVED -CVE-2022-20045 - RESERVED -CVE-2022-20044 - RESERVED -CVE-2022-20043 - RESERVED -CVE-2022-20042 - RESERVED -CVE-2022-20041 - RESERVED -CVE-2022-20040 - RESERVED -CVE-2022-20039 - RESERVED -CVE-2022-20038 - RESERVED -CVE-2022-20037 - RESERVED -CVE-2022-20036 - RESERVED -CVE-2022-20035 - RESERVED -CVE-2022-20034 - RESERVED -CVE-2022-20033 - RESERVED -CVE-2022-20032 - RESERVED -CVE-2022-20031 - RESERVED -CVE-2022-20030 - RESERVED -CVE-2022-20029 - RESERVED -CVE-2022-20028 - RESERVED -CVE-2022-20027 - RESERVED -CVE-2022-20026 - RESERVED -CVE-2022-20025 - RESERVED -CVE-2022-20024 - RESERVED -CVE-2022-20023 - RESERVED -CVE-2022-20022 - RESERVED -CVE-2022-20021 - RESERVED -CVE-2022-20020 - RESERVED -CVE-2022-20019 - RESERVED -CVE-2022-20018 - RESERVED -CVE-2022-20017 - RESERVED -CVE-2022-20016 - RESERVED -CVE-2022-20015 - RESERVED -CVE-2022-20014 - RESERVED -CVE-2022-20013 - RESERVED -CVE-2022-20012 - RESERVED +CVE-2022-20046 (In Bluetooth, there is a possible memory corruption due to a logic err ...) + NOT-FOR-US: MediaTek +CVE-2022-20045 (In Bluetooth, there is a possible service crash due to a use after fre ...) + NOT-FOR-US: MediaTek +CVE-2022-20044 (In Bluetooth, there is a possible service crash due to a use after fre ...) + NOT-FOR-US: MediaTek +CVE-2022-20043 (In Bluetooth, there is a possible escalation of privilege due to a mis ...) + NOT-FOR-US: MediaTek +CVE-2022-20042 (In Bluetooth, there is a possible information disclosure due to incorr ...) + NOT-FOR-US: MediaTek +CVE-2022-20041 (In Bluetooth, there is a possible escalation of privilege due to a mis ...) + NOT-FOR-US: MediaTek +CVE-2022-20040 (In power_hal_manager_service, there is a possible permission bypass du ...) + NOT-FOR-US: MediaTek +CVE-2022-20039 (In ccu driver, there is a possible memory corruption due to an integer ...) + NOT-FOR-US: MediaTek +CVE-2022-20038 (In ccu driver, there is a possible memory corruption due to an incorre ...) + NOT-FOR-US: MediaTek +CVE-2022-20037 (In ion driver, there is a possible information disclosure due to an in ...) + NOT-FOR-US: MediaTek +CVE-2022-20036 (In ion driver, there is a possible information disclosure due to an in ...) + NOT-FOR-US: MediaTek +CVE-2022-20035 (In vcu driver, there is a possible information disclosure due to a use ...) + NOT-FOR-US: MediaTek +CVE-2022-20034 (In Preloader XFLASH, there is a possible escalation of privilege due t ...) + NOT-FOR-US: MediaTek +CVE-2022-20033 (In camera driver, there is a possible out of bounds read due to an inc ...) + NOT-FOR-US: MediaTek +CVE-2022-20032 (In vow driver, there is a possible memory corruption due to a race con ...) + NOT-FOR-US: MediaTek +CVE-2022-20031 (In fb driver, there is a possible memory corruption due to a use after ...) + NOT-FOR-US: MediaTek +CVE-2022-20030 (In vow driver, there is a possible out of bounds write due to a stack- ...) + NOT-FOR-US: MediaTek +CVE-2022-20029 (In cmdq driver, there is a possible out of bounds read due to an incor ...) + NOT-FOR-US: MediaTek +CVE-2022-20028 (In Bluetooth, there is a possible out of bounds write due to a missing ...) + NOT-FOR-US: MediaTek +CVE-2022-20027 (In Bluetooth, there is a possible out of bounds write due to a missing ...) + NOT-FOR-US: MediaTek +CVE-2022-20026 (In Bluetooth, there is a possible out of bounds write due to a missing ...) + NOT-FOR-US: MediaTek +CVE-2022-20025 (In Bluetooth, there is a possible out of bounds write due to a missing ...) + NOT-FOR-US: MediaTek +CVE-2022-20024 (In system service, there is a possible permission bypass due to a miss ...) + NOT-FOR-US: MediaTek +CVE-2022-20023 (In Bluetooth, there is a possible application crash due to bluetooth f ...) + NOT-FOR-US: MediaTek +CVE-2022-20022 (In Bluetooth, there is a possible link disconnection due to bluetooth ...) + NOT-FOR-US: MediaTek +CVE-2022-20021 (In Bluetooth, there is a possible application crash due to bluetooth d ...) + NOT-FOR-US: MediaTek +CVE-2022-20020 (In libvcodecdrv, there is a possible information disclosure due to a m ...) + NOT-FOR-US: MediaTek +CVE-2022-20019 (In libMtkOmxGsmDec, there is a possible information disclosure due to ...) + NOT-FOR-US: MediaTek +CVE-2022-20018 (In seninf driver, there is a possible information disclosure due to un ...) + NOT-FOR-US: MediaTek +CVE-2022-20017 (In ion driver, there is a possible information disclosure due to an in ...) + NOT-FOR-US: MediaTek +CVE-2022-20016 (In vow driver, there is a possible memory corruption due to improper l ...) + NOT-FOR-US: MediaTek +CVE-2022-20015 (In kd_camera_hw driver, there is a possible information disclosure due ...) + NOT-FOR-US: MediaTek +CVE-2022-20014 (In vow driver, there is a possible memory corruption due to improper i ...) + NOT-FOR-US: MediaTek +CVE-2022-20013 (In vow driver, there is a possible memory corruption due to a race con ...) + NOT-FOR-US: MediaTek +CVE-2022-20012 (In mdp driver, there is a possible memory corruption due to an integer ...) + NOT-FOR-US: MediaTek CVE-2022-20011 RESERVED CVE-2022-20010 @@ -3400,3 +13947,17 @@ CVE-2022-20002 RESERVED CVE-2022-20001 RESERVED +CVE-2022-22590 [A use after free issue was addressed with improved memory management] + RESERVED + {DSA-5084-1 DSA-5083-1} + - webkit2gtk 2.34.5-1 + [stretch] - webkit2gtk <ignored> (Not covered by security support in stretch) + - wpewebkit 2.34.5-1 + NOTE: https://webkitgtk.org/security/WSA-2022-0002.html +CVE-2022-22592 [A logic issue was addressed with improved state management] + RESERVED + {DSA-5084-1 DSA-5083-1} + - webkit2gtk 2.34.5-1 + [stretch] - webkit2gtk <ignored> (Not covered by security support in stretch) + - wpewebkit 2.34.5-1 + NOTE: https://webkitgtk.org/security/WSA-2022-0002.html diff --git a/data/DLA/list b/data/DLA/list index e65cfc93ef..21489709f1 100644 --- a/data/DLA/list +++ b/data/DLA/list @@ -1,3 +1,299 @@ +[19 Feb 2022] DLA-2927-1 twisted - security update + {CVE-2020-10108 CVE-2020-10109 CVE-2022-21712} + [stretch] - twisted 16.6.0-2+deb9u1 +[18 Feb 2022] DLA-2926-1 zsh - security update + {CVE-2021-45444} + [stretch] - zsh 5.3.1-4+deb9u5 +[16 Feb 2022] DLA-2925-1 drupal7 - security update + {CVE-2022-25271} + [stretch] - drupal7 7.52-2+deb9u18 +[15 Feb 2022] DLA-2924-1 libxstream-java - security update + {CVE-2021-43859} + [stretch] - libxstream-java 1.4.11.1-1+deb9u5 +[15 Feb 2022] DLA-2923-1 h2database - security update + {CVE-2021-42392 CVE-2022-23221} + [stretch] - h2database 1.4.193-1+deb9u1 +[14 Feb 2022] DLA-2922-1 pgbouncer - security update + {CVE-2021-3935} + [stretch] - pgbouncer 1.7.2-2+deb9u1 +[14 Feb 2022] DLA-2921-1 thunderbird - security update + {CVE-2022-22754 CVE-2022-22756 CVE-2022-22759 CVE-2022-22760 CVE-2022-22761 CVE-2022-22763 CVE-2022-22764} + [stretch] - thunderbird 1:91.6.0-1~deb9u1 +[14 Feb 2022] DLA-2920-1 varnish - security update + {CVE-2022-23959} + [stretch] - varnish 5.0.0-7+deb9u3 +[12 Feb 2022] DLA-2919-1 python2.7 - security update + {CVE-2021-3177 CVE-2021-4189} + [stretch] - python2.7 2.7.13-2+deb9u6 +[12 Feb 2022] DLA-2918-1 debian-edu-config - security update + {CVE-2021-20001} + [stretch] - debian-edu-config 1.929+deb9u5 +[10 Feb 2022] DLA-2917-1 openjdk-8 - security update + {CVE-2022-21248 CVE-2022-21282 CVE-2022-21283 CVE-2022-21293 CVE-2022-21294 CVE-2022-21296 CVE-2022-21299 CVE-2022-21305 CVE-2022-21340 CVE-2022-21341 CVE-2022-21349 CVE-2022-21360 CVE-2022-21365} + [stretch] - openjdk-8 8u322-b06-1~deb9u1 +[09 Feb 2022] DLA-2916-1 firefox-esr - security update + {CVE-2022-22754 CVE-2022-22756 CVE-2022-22759 CVE-2022-22760 CVE-2022-22761 CVE-2022-22763 CVE-2022-22764} + [stretch] - firefox-esr 91.6.0esr-1~deb9u1 +[09 Feb 2022] DLA-2915-1 connman - security update + {CVE-2021-33833 CVE-2022-23096 CVE-2022-23097 CVE-2022-23098} + [stretch] - connman 1.33-3+deb9u3 +[07 Feb 2022] DLA-2914-1 zabbix - security update + {CVE-2022-23134} + [stretch] - zabbix 1:3.0.32+dfsg-0+deb9u2 +[07 Feb 2022] DLA-2913-1 xterm - security update + {CVE-2022-24130} + [stretch] - xterm 327-2+deb9u2 +[06 Feb 2022] DLA-2912-1 libphp-adodb - security update + {CVE-2021-3850} + [stretch] - libphp-adodb 5.20.9-1+deb9u1 +[04 Feb 2022] DLA-2911-1 apng2gif - security update + {CVE-2017-6960 CVE-2017-6961 CVE-2017-6962} + [stretch] - apng2gif 1.8-0.1~deb9u1 +[03 Feb 2022] DLA-2910-1 ldns - security update + {CVE-2017-1000231 CVE-2017-1000232 CVE-2020-19860 CVE-2020-19861} + [stretch] - ldns 1.7.0-1+deb9u1 +[03 Feb 2022] DLA-2909-1 strongswan - security update + {CVE-2021-45079} + [stretch] - strongswan 5.5.1-4+deb9u6 +[03 Feb 2022] DLA-2908-1 librecad - security update + {CVE-2021-45341 CVE-2021-45342 CVE-2021-45343} + [stretch] - librecad 2.1.2-1+deb9u3 +[01 Feb 2022] DLA-2907-1 apache2 - security update + {CVE-2021-44224 CVE-2021-44790} + [stretch] - apache2 2.4.25-3+deb9u12 +[01 Feb 2022] DLA-2906-1 python-django - security update + {CVE-2022-22818 CVE-2022-23833} + [stretch] - python-django 1:1.10.7-2+deb9u15 +[31 Jan 2022] DLA-2905-1 apache-log4j1.2 - security update + {CVE-2021-4104 CVE-2022-23302 CVE-2022-23305 CVE-2022-23307} + [stretch] - apache-log4j1.2 1.2.17-7+deb9u2 +[30 Jan 2022] DLA-2904-1 expat - security update + {CVE-2021-45960 CVE-2021-46143 CVE-2022-22822 CVE-2022-22823 CVE-2022-22824 CVE-2022-22825 CVE-2022-22826 CVE-2022-22827 CVE-2022-23852 CVE-2022-23990} + [stretch] - expat 2.2.0-2+deb9u4 +[29 Jan 2022] DLA-2903-1 libraw - security update + {CVE-2017-13735 CVE-2017-14265 CVE-2017-14348 CVE-2017-14608 CVE-2017-16909 CVE-2017-16910 CVE-2018-5800 CVE-2018-5801 CVE-2018-5802 CVE-2018-5804 CVE-2018-5805 CVE-2018-5806 CVE-2018-5807 CVE-2018-5808 CVE-2018-5810 CVE-2018-5811 CVE-2018-5812 CVE-2018-5813 CVE-2018-5815 CVE-2018-5817 CVE-2018-5818 CVE-2018-5819 CVE-2018-20363 CVE-2018-20364 CVE-2018-20365} + [stretch] - libraw 0.17.2-6+deb9u2 +[27 Jan 2022] DLA-2902-1 graphicsmagick - security update + {CVE-2020-12672} + [stretch] - graphicsmagick 1.3.30+hg15796-1~deb9u5 +[26 Jan 2022] DLA-2883-2 uriparser - regression update + {CVE-2021-46141} + [stretch] - uriparser 0.8.4-1+deb9u4 +[25 Jan 2022] DLA-2901-1 libxfont - security update + {CVE-2017-16611} + [stretch] - libxfont 1:2.0.1-3+deb9u2 +[25 Jan 2022] DLA-2900-1 lrzsz - security update + {CVE-2018-10195} + [stretch] - lrzsz 0.12.21-8+deb9u1 +[25 Jan 2022] DLA-2899-1 policykit-1 - security update + {CVE-2021-4034} + [stretch] - policykit-1 0.105-18+deb9u2 +[25 Jan 2022] DLA-2898-1 nss - security update + {CVE-2022-22747} + [stretch] - nss 2:3.26.2-1.1+deb9u5 +[24 Jan 2022] DLA-2897-1 apr - security update + {CVE-2017-12613} + [stretch] - apr 1.5.2-5+deb9u1 +[24 Jan 2022] DLA-2896-1 ipython - security update + {CVE-2022-21699} + [stretch] - ipython 5.1.0-3+deb9u1 +[24 Jan 2022] DLA-2895-1 qt4-x11 - security update + {CVE-2021-3481 CVE-2021-45930} + [stretch] - qt4-x11 4:4.8.7+dfsg-11+deb9u3 +[24 Jan 2022] DLA-2894-1 aide - security update + {CVE-2021-45417} + [stretch] - aide 0.16-1+deb9u1 +[23 Jan 2022] DLA-2893-1 pillow - security update + {CVE-2022-22815 CVE-2022-22816 CVE-2022-22817} + [stretch] - pillow 4.0.0-4+deb9u4 +[21 Jan 2022] DLA-2892-1 golang-1.7 - security update + {CVE-2021-33196 CVE-2021-36221 CVE-2021-39293 CVE-2021-41771 CVE-2021-44716 CVE-2021-44717} + [stretch] - golang-1.7 1.7.4-2+deb9u4 +[21 Jan 2022] DLA-2891-1 golang-1.8 - security update + {CVE-2021-33196 CVE-2021-36221 CVE-2021-39293 CVE-2021-41771 CVE-2021-44716 CVE-2021-44717} + [stretch] - golang-1.8 1.8.1-1+deb9u4 +[21 Jan 2022] DLA-2890-1 libspf2 - security update + {CVE-2021-33912 CVE-2021-33913} + [stretch] - libspf2 1.2.10-7+deb9u2 +[19 Jan 2022] DLA-2889-1 drupal7 - security update + {CVE-2016-7103 CVE-2010-5312 CVE-2021-41182 CVE-2021-41183} + [stretch] - drupal7 7.52-2+deb9u17 +[18 Jan 2022] DLA-2888-1 nvidia-graphics-drivers - security update + {CVE-2021-1056 CVE-2021-1076 CVE-2021-1093 CVE-2021-1094 CVE-2021-1095} + [stretch] - nvidia-graphics-drivers 390.144-1~deb9u1 +[18 Jan 2022] DLA-2887-1 lighttpd - security update + {CVE-2018-19052} + [stretch] - lighttpd 1.4.45-1+deb9u1 +[17 Jan 2022] DLA-2886-1 slurm-llnl - security update + {CVE-2019-12838 CVE-2020-12693 CVE-2020-27745 CVE-2021-31215} + [stretch] - slurm-llnl 16.05.9-1+deb9u5 +[17 Jan 2022] DLA-2885-1 qtsvg-opensource-src - security update + {CVE-2021-3481 CVE-2021-45930} + [stretch] - qtsvg-opensource-src 5.7.1~20161021-2.1+deb9u1 +[17 Jan 2022] DLA-2884-1 wordpress - security update + {CVE-2022-21661 CVE-2022-21662 CVE-2022-21663 CVE-2022-21664} + [stretch] - wordpress 4.7.22+dfsg-0+deb9u1 +[17 Jan 2022] DLA-2883-1 uriparser - security update + {CVE-2021-46141 CVE-2021-46142} + [stretch] - uriparser 0.8.4-1+deb9u3 +[17 Jan 2022] DLA-2882-1 sphinxsearch - security update + {CVE-2020-29050} + [stretch] - sphinxsearch 2.2.11-1.1+deb9u1 +[16 Jan 2022] DLA-2881-1 thunderbird - security update + {CVE-2021-4140 CVE-2022-22737 CVE-2022-22738 CVE-2022-22739 CVE-2022-22740 CVE-2022-22741 CVE-2022-22742 CVE-2022-22743 CVE-2022-22745 CVE-2022-22747 CVE-2022-22748 CVE-2022-22751} + [stretch] - thunderbird 1:91.5.0-1~deb9u1 +[16 Jan 2022] DLA-2880-1 firefox-esr - security update + {CVE-2021-4140 CVE-2022-22737 CVE-2022-22738 CVE-2022-22739 CVE-2022-22740 CVE-2022-22741 CVE-2022-22742 CVE-2022-22743 CVE-2022-22745 CVE-2022-22747 CVE-2022-22748 CVE-2022-22751} + [stretch] - firefox-esr 91.5.0esr-1~deb9u1 +[14 Jan 2022] DLA-2879-1 ghostscript - security update + {CVE-2021-45944 CVE-2021-45949} + [stretch] - ghostscript 9.26a~dfsg-0+deb9u8 +[12 Jan 2022] DLA-2878-1 roundcube - security update + {CVE-2021-46144} + [stretch] - roundcube 1.2.3+dfsg.1-4+deb9u10 +[12 Jan 2022] DLA-2877-1 gdal - security update + {CVE-2019-17545 CVE-2021-45943} + [stretch] - gdal 2.1.2+dfsg-5+deb9u1 +[10 Jan 2022] DLA-2876-1 vim - security update + {CVE-2017-17087 CVE-2019-20807 CVE-2021-3778 CVE-2021-3796} + [stretch] - vim 2:8.0.0197-4+deb9u4 +[10 Jan 2022] DLA-2875-1 clamav - security update + [stretch] - clamav 0.103.4+dfsg-0+deb9u1 +[04 Jan 2022] DLA-2874-1 thunderbird - security update + {CVE-2021-4126 CVE-2021-38496 CVE-2021-38500 CVE-2021-38502 CVE-2021-38503 CVE-2021-38504 CVE-2021-38506 CVE-2021-38507 CVE-2021-38508 CVE-2021-38509 CVE-2021-43528 CVE-2021-43529 CVE-2021-43534 CVE-2021-43535 CVE-2021-43536 CVE-2021-43537 CVE-2021-43538 CVE-2021-43539 CVE-2021-43541 CVE-2021-43542 CVE-2021-43543 CVE-2021-43545 CVE-2021-43546 CVE-2021-44538} + [stretch] - thunderbird 1:91.4.1-1~deb9u1 +[03 Jan 2022] DLA-2480-2 salt - regression update + [stretch] - salt 2016.11.2+ds-1+deb9u10 +[31 Dec 2021] DLA-2873-1 aria2 - security update + {CVE-2019-3500} + [stretch] - aria2 1.30.0-2+deb9u1 +[31 Dec 2021] DLA-2872-1 agg - security update + {CVE-2019-6245} + [stretch] - agg 2.5+dfsg1-11+deb9u1 +[30 Dec 2021] DLA-2871-1 lxml - security update + {CVE-2021-43818} + [stretch] - lxml 3.7.1-1+deb9u5 +[29 Dec 2021] DLA-2870-1 apache-log4j2 - security update + {CVE-2021-44832} + [stretch] - apache-log4j2 2.12.4-0+deb9u1 +[29 Dec 2021] DLA-2869-1 xorg-server - security update + {CVE-2021-4008 CVE-2021-4009 CVE-2021-4011} + [stretch] - xorg-server 2:1.19.2-1+deb9u9 +[29 Dec 2021] DLA-2868-1 advancecomp - security update + {CVE-2018-1056 CVE-2019-8379 CVE-2019-8383 CVE-2019-9210} + [stretch] - advancecomp 1.20-1+deb9u1 +[29 Dec 2021] DLA-2857-2 postgis - regression update + [stretch] - postgis 2.3.1+dfsg-2+deb9u2 +[29 Dec 2021] DLA-2867-1 spip - security update + {CVE-2021-44118 CVE-2021-44120 CVE-2021-44122 CVE-2021-44123} + [stretch] - spip 3.1.4-4~deb9u4+deb9u2 +[29 Dec 2021] DLA-2866-1 uw-imap - security update + {CVE-2018-19518} + [stretch] - uw-imap 8:2007f~dfsg-5+deb9u1 +[29 Dec 2021] DLA-2865-1 resiprocate - security update + {CVE-2017-11521 CVE-2018-12584} + [stretch] - resiprocate 1:1.11.0~beta1-3+deb9u2 +[29 Dec 2021] DLA-2864-1 ruby-haml - security update + {CVE-2017-1002201} + [stretch] - ruby-haml 4.0.7-1+deb9u1 +[29 Dec 2021] DLA-2863-1 firefox-esr - security update + {CVE-2021-38503 CVE-2021-38504 CVE-2021-38506 CVE-2021-38507 CVE-2021-38508 CVE-2021-38509 CVE-2021-43534 CVE-2021-43535 CVE-2021-43536 CVE-2021-43537 CVE-2021-43538 CVE-2021-43539 CVE-2021-43541 CVE-2021-43542 CVE-2021-43543 CVE-2021-43545 CVE-2021-43546} + [stretch] - firefox-esr 91.4.1esr-1~deb9u1 +[29 Dec 2021] DLA-2862-1 python-gnupg - security update + {CVE-2018-12020 CVE-2019-6690} + [stretch] - python-gnupg 0.3.9-1+deb9u1 +[28 Dec 2021] DLA-2861-1 rdflib - security update + {CVE-2019-7653} + [stretch] - rdflib 4.2.1-2+deb9u1 +[28 Dec 2021] DLA-2860-1 paramiko - security update + {CVE-2018-7750 CVE-2018-1000805} + [stretch] - paramiko 2.0.0-1+deb9u1 +[28 Dec 2021] DLA-2859-1 zziplib - security update + {CVE-2020-18442} + [stretch] - zziplib 0.13.62-3.2~deb9u2 +[28 Dec 2021] DLA-2858-1 libzip - security update + {CVE-2017-14107} + [stretch] - libzip 1.1.2-1.1+deb9u1 +[28 Dec 2021] DLA-2857-1 postgis - security update + {CVE-2017-18359} + [stretch] - postgis 2.3.1+dfsg-2+deb9u1 +[27 Dec 2021] DLA-2856-1 okular - security update + {CVE-2020-9359} + [stretch] - okular 4:16.08.2-1+deb9u2 +[27 Dec 2021] DLA-2855-1 monit - security update + {CVE-2019-11454 CVE-2019-11455} + [stretch] - monit 1:5.20.0-6+deb9u2 +[27 Dec 2021] DLA-2854-1 novnc - security update + {CVE-2017-18635} + [stretch] - novnc 1:0.4+dfsg+1+20131010+gitf68af8af3d-6+deb9u1 +[27 Dec 2021] DLA-2853-1 ruby2.3 - security update + {CVE-2021-41817 CVE-2021-41819} + [stretch] - ruby2.3 2.3.3-1+deb9u11 +[26 Dec 2021] DLA-2852-1 apache-log4j2 - security update + {CVE-2020-9488 CVE-2021-45105} + [stretch] - apache-log4j2 2.12.3-0+deb9u1 +[26 Dec 2021] DLA-2851-1 libextractor - security update + {CVE-2019-15531} + [stretch] - libextractor 1:1.3-4+deb9u4 +[26 Dec 2021] DLA-2850-1 libpcap - security update + {CVE-2019-15165} + [stretch] - libpcap 1.8.1-3+deb9u1 +[26 Dec 2021] DLA-2849-1 wireshark - security update + {CVE-2021-22207 CVE-2021-22235 CVE-2021-39921 CVE-2021-39922 CVE-2021-39923 CVE-2021-39924 CVE-2021-39925 CVE-2021-39928 CVE-2021-39929} + [stretch] - wireshark 2.6.20-0+deb9u2 +[17 Dec 2021] DLA-2848-1 libssh2 - security update + {CVE-2019-13115 CVE-2019-17498} + [stretch] - libssh2 1.7.0-1+deb9u2 +[15 Dec 2021] DLA-2847-1 mediawiki - security update + {CVE-2021-44858} + [stretch] - mediawiki 1:1.27.7-1+deb9u11 +[14 Dec 2021] DLA-2846-1 raptor2 - security update + {CVE-2020-25713} + [stretch] - raptor2 2.0.14-1+deb9u2 +[14 Dec 2021] DLA-2845-1 libsamplerate - security update + {CVE-2017-7697} + [stretch] - libsamplerate 0.1.8-8+deb9u1 +[13 Dec 2021] DLA-2844-1 privoxy - security update + {CVE-2021-44540 CVE-2021-44543} + [stretch] - privoxy 3.0.26-3+deb9u3 +[12 Dec 2021] DLA-2843-1 linux - security update + {CVE-2020-3702 CVE-2020-16119 CVE-2021-0920 CVE-2021-3612 CVE-2021-3653 CVE-2021-3655 CVE-2021-3679 CVE-2021-3732 CVE-2021-3753 CVE-2021-3760 CVE-2021-20317 CVE-2021-20321 CVE-2021-20322 CVE-2021-22543 CVE-2021-37159 CVE-2021-38160 CVE-2021-38198 CVE-2021-38199 CVE-2021-38204 CVE-2021-38205 CVE-2021-40490 CVE-2021-41864 CVE-2021-42008 CVE-2021-42739 CVE-2021-43389} + [stretch] - linux 4.9.290-1 +[12 Dec 2021] DLA-2842-1 apache-log4j2 - security update + {CVE-2021-44228} + [stretch] - apache-log4j2 2.7-2+deb9u1 +[08 Dec 2021] DLA-2836-2 nss - regression update + [stretch] - nss 2:3.26.2-1.1+deb9u4 +[06 Dec 2021] DLA-2841-1 runc - security update + {CVE-2021-43784} + [stretch] - runc 0.1.1+dfsg1-2+deb9u3 +[06 Dec 2021] DLA-2840-1 roundcube - security update + {CVE-2021-44025 CVE-2021-44026} + [stretch] - roundcube 1.2.3+dfsg.1-4+deb9u9 +[03 Dec 2021] DLA-2839-1 gerbv - security update + {CVE-2021-40391} + [stretch] - gerbv 2.6.1-2+deb9u1 +[03 Dec 2021] DLA-2838-1 librecad - security update + {CVE-2021-21898 CVE-2021-21899 CVE-2021-21900} + [stretch] - librecad 2.1.2-1+deb9u2 +[02 Dec 2021] DLA-2837-1 gmp - security update + {CVE-2021-43618} + [stretch] - gmp 2:6.1.2+dfsg-1+deb9u1 +[02 Dec 2021] DLA-2836-1 nss - security update + {CVE-2021-43527} + [stretch] - nss 2:3.26.2-1.1+deb9u3 +[30 Nov 2021] DLA-2835-1 rsyslog - security update + {CVE-2019-17041 CVE-2019-17042} + [stretch] - rsyslog 8.24.0-1+deb9u1 +[30 Nov 2021] DLA-2834-1 uriparser - security update + {CVE-2018-20721} + [stretch] - uriparser 0.8.4-1+deb9u2 +[30 Nov 2021] DLA-2833-1 rsync - security update + {CVE-2018-5764} + [stretch] - rsync 3.1.2-1+deb9u3 +[29 Nov 2021] DLA-2832-1 opensc - security update + {CVE-2019-15945 CVE-2019-15946 CVE-2019-19479 CVE-2020-26570 CVE-2020-26571 CVE-2020-26572} + [stretch] - opensc 0.16.0-3+deb9u2 [28 Nov 2021] DLA-2831-1 libntlm - security update {CVE-2019-17455} [stretch] - libntlm 1.4-8+deb9u1 diff --git a/data/DSA/list b/data/DSA/list index 80c0b5b9b4..ebcb7e7c4e 100644 --- a/data/DSA/list +++ b/data/DSA/list @@ -1,3 +1,260 @@ +[19 Feb 2022] DSA-5084-1 wpewebkit - security update + {CVE-2022-22589 CVE-2022-22590 CVE-2022-22592 CVE-2022-22620} + [bullseye] - wpewebkit 2.34.6-1~deb11u1 +[19 Feb 2022] DSA-5083-1 webkit2gtk - security update + {CVE-2022-22589 CVE-2022-22590 CVE-2022-22592 CVE-2022-22620} + [buster] - webkit2gtk 2.34.6-1~deb10u1 + [bullseye] - webkit2gtk 2.34.6-1~deb11u1 +[18 Feb 2022] DSA-5082-1 php7.4 - security update + {CVE-2021-21707 CVE-2021-21708} + [bullseye] - php7.4 7.4.28-1+deb11u1 +[18 Feb 2022] DSA-5081-1 redis - security update + {CVE-2022-0543} + [buster] - redis 5:5.0.14-1+deb10u2 + [bullseye] - redis 5:6.0.16-1+deb11u2 +[18 Feb 2022] DSA-5080-1 snapd - security update + {CVE-2021-44730 CVE-2021-44731} + [buster] - snapd 2.37.4-1+deb10u1 + [bullseye] - snapd 2.49-1+deb11u1 +[17 Feb 2022] DSA-5079-1 chromium - security update + {CVE-2022-0603 CVE-2022-0604 CVE-2022-0605 CVE-2022-0606 CVE-2022-0607 CVE-2022-0608 CVE-2022-0609 CVE-2022-0610} + [bullseye] - chromium 98.0.4758.102-1~deb11u1 +[16 Feb 2022] DSA-5078-1 zsh - security update + {CVE-2021-45444} + [buster] - zsh 5.7.1-1+deb10u1 + [bullseye] - zsh 5.8-6+deb11u1 +[15 Feb 2022] DSA-5077-1 librecad - security update + {CVE-2021-21898 CVE-2021-21899 CVE-2021-21900 CVE-2021-45341 CVE-2021-45342 CVE-2021-45343} + [buster] - librecad 2.1.3-1.2+deb10u1 + [bullseye] - librecad 2.1.3-1.3+deb11u1 +[15 Feb 2022] DSA-5076-1 h2database - security update + {CVE-2021-42392 CVE-2022-23221} + [buster] - h2database 1.4.197-4+deb10u1 + [bullseye] - h2database 1.4.197-4+deb11u1 +[13 Feb 2022] DSA-5075-1 minetest - security update + {CVE-2022-24300 CVE-2022-24301} + [buster] - minetest 0.4.17.1+repack-1+deb10u1 + [bullseye] - minetest 5.3.0+repack-2.1+deb11u1 +[13 Feb 2022] DSA-5074-1 thunderbird - security update + {CVE-2022-22754 CVE-2022-22756 CVE-2022-22759 CVE-2022-22760 CVE-2022-22761 CVE-2022-22763 CVE-2022-22764} + [buster] - thunderbird 1:91.6.0-1~deb10u1 + [bullseye] - thunderbird 1:91.6.0-1~deb11u1 +[12 Feb 2022] DSA-5073-1 expat - security update + {CVE-2021-45960 CVE-2021-46143 CVE-2022-22822 CVE-2022-22823 CVE-2022-22824 CVE-2022-22825 CVE-2022-22826 CVE-2022-22827 CVE-2022-23852 CVE-2022-23990} + [buster] - expat 2.2.6-2+deb10u2 + [bullseye] - expat 2.2.10-2+deb11u1 +[11 Feb 2022] DSA-5072-1 debian-edu-config - security update + {CVE-2021-20001} + [buster] - debian-edu-config 2.10.65+deb10u8 + [bullseye] - debian-edu-config 2.11.56+deb11u3 +[11 Feb 2022] DSA-5071-1 samba - security update + {CVE-2021-44142} + [buster] - samba 2:4.9.5+dfsg-5+deb10u3 + [bullseye] - samba 2:4.13.13+dfsg-1~deb11u3 +[10 Feb 2022] DSA-5070-1 cryptsetup - security update + {CVE-2021-4122} + [bullseye] - cryptsetup 2:2.3.7-1+deb11u1 +[09 Feb 2022] DSA-5069-1 firefox-esr - security update + {CVE-2022-22754 CVE-2022-22756 CVE-2022-22759 CVE-2022-22760 CVE-2022-22761 CVE-2022-22763 CVE-2022-22764} + [buster] - firefox-esr 91.6.0esr-1~deb10u1 + [bullseye] - firefox-esr 91.6.0esr-1~deb11u1 +[07 Feb 2022] DSA-5068-1 chromium - security update + {CVE-2022-0452 CVE-2022-0453 CVE-2022-0454 CVE-2022-0455 CVE-2022-0456 CVE-2022-0457 CVE-2022-0458 CVE-2022-0459 CVE-2022-0460 CVE-2022-0461 CVE-2022-0462 CVE-2022-0463 CVE-2022-0464 CVE-2022-0465 CVE-2022-0466 CVE-2022-0467 CVE-2022-0468 CVE-2022-0469 CVE-2022-0470} + [bullseye] - chromium 98.0.4758.80-1~deb11u1 +[03 Feb 2022] DSA-5067-1 ruby2.7 - security update + {CVE-2021-41816 CVE-2021-41817 CVE-2021-41819} + [bullseye] - ruby2.7 2.7.4-1+deb11u1 +[03 Feb 2022] DSA-5066-1 ruby2.5 - security update + {CVE-2021-28965 CVE-2021-31799 CVE-2021-31810 CVE-2021-32066 CVE-2021-41817 CVE-2021-41819} + [buster] - ruby2.5 2.5.5-3+deb10u4 +[31 Jan 2022] DSA-5065-1 ipython - security update + {CVE-2022-21699} + [buster] - ipython 5.8.0-1+deb10u1 + [bullseye] - ipython 7.20.0-1+deb11u1 +[29 Jan 2022] DSA-5064-1 python-nbxmpp - security update + {CVE-2021-41055} + [bullseye] - python-nbxmpp 2.0.2-1+deb11u1 +[29 Jan 2022] DSA-5047-2 prosody - regression update + [buster] - prosody 0.11.2-1+deb10u4 + [bullseye] - prosody 0.11.9-2+deb11u2 +[26 Jan 2022] DSA-5063-1 uriparser - security update + {CVE-2021-46141 CVE-2021-46142} + [buster] - uriparser 0.9.1-1+deb10u1 + [bullseye] - uriparser 0.9.4+dfsg-1+deb11u1 +[25 Jan 2022] DSA-5062-1 nss - security update + {CVE-2022-22747} + [buster] - nss 2:3.42.1-1+deb10u5 + [bullseye] - nss 2:3.61-1+deb11u2 +[25 Jan 2022] DSA-5061-1 wpewebkit - security update + {CVE-2022-22594 CVE-2021-30934 CVE-2021-30936 CVE-2021-30951 CVE-2021-30952 CVE-2021-30953 CVE-2021-30954 CVE-2021-30984} + [bullseye] - wpewebkit 2.34.4-1~deb11u1 +[25 Jan 2022] DSA-5060-1 webkit2gtk - security update + {CVE-2022-22594 CVE-2021-30934 CVE-2021-30936 CVE-2021-30951 CVE-2021-30952 CVE-2021-30953 CVE-2021-30954 CVE-2021-30984} + [buster] - webkit2gtk 2.34.4-1~deb10u1 + [bullseye] - webkit2gtk 2.34.4-1~deb11u1 +[25 Jan 2022] DSA-5059-1 policykit-1 - security update + {CVE-2021-4034} + [buster] - policykit-1 0.105-25+deb10u1 + [bullseye] - policykit-1 0.105-31+deb11u1 +[25 Jan 2022] DSA-5058-1 openjdk-17 - security update + {CVE-2022-21248 CVE-2022-21277 CVE-2022-21282 CVE-2022-21283 CVE-2022-21291 CVE-2022-21293 CVE-2022-21294 CVE-2022-21296 CVE-2022-21299 CVE-2022-21305 CVE-2022-21340 CVE-2022-21341 CVE-2022-21360 CVE-2022-21365 CVE-2022-21366} + [bullseye] - openjdk-17 17.0.2+8-1~deb11u1 +[24 Jan 2022] DSA-5057-1 openjdk-11 - security update + {CVE-2022-21248 CVE-2022-21277 CVE-2022-21282 CVE-2022-21283 CVE-2022-21291 CVE-2022-21293 CVE-2022-21294 CVE-2022-21296 CVE-2022-21299 CVE-2022-21305 CVE-2022-21340 CVE-2022-21341 CVE-2022-21360 CVE-2022-21365 CVE-2022-21366} + [buster] - openjdk-11 11.0.14+9-1~deb10u1 + [bullseye] - openjdk-11 11.0.14+9-1~deb11u1 +[24 Jan 2022] DSA-5056-1 strongswan - security update + {CVE-2021-45079} + [buster] - strongswan 5.7.2-1+deb10u2 + [bullseye] - strongswan 5.9.1-1+deb11u2 +[24 Jan 2022] DSA-5055-1 util-linux - security update + {CVE-2021-3995 CVE-2021-3996} + [bullseye] - util-linux 2.36.1-8+deb11u1 +[23 Jan 2022] DSA-5054-1 chromium - security update + {CVE-2022-0289 CVE-2022-0290 CVE-2022-0291 CVE-2022-0292 CVE-2022-0293 CVE-2022-0294 CVE-2022-0295 CVE-2022-0296 CVE-2022-0297 CVE-2022-0298 CVE-2022-0300 CVE-2022-0301 CVE-2022-0302 CVE-2022-0303 CVE-2022-0304 CVE-2022-0305 CVE-2022-0306 CVE-2022-0307 CVE-2022-0308 CVE-2022-0309 CVE-2022-0310 CVE-2022-0311} + [bullseye] - chromium 97.0.4692.99-1~deb11u2 +[21 Jan 2022] DSA-5053-1 pillow - security update + {CVE-2022-22815 CVE-2022-22816 CVE-2022-22817} + [buster] - pillow 5.4.1-2+deb10u3 + [bullseye] - pillow 8.1.2+dfsg-0.3+deb11u1 +[21 Jan 2022] DSA-5052-1 usbview - security update + {CVE-2022-23220} + [buster] - usbview 2.0-21-g6fe2f4f-2+deb10u1 + [bullseye] - usbview 2.0-21-g6fe2f4f-2+deb11u1 +[20 Jan 2022] DSA-5051-1 aide - security update + {CVE-2021-45417} + [buster] - aide 0.16.1-1+deb10u1 + [bullseye] - aide 0.17.3-4+deb11u1 +[20 Jan 2022] DSA-5050-1 linux - security update + {CVE-2021-4155 CVE-2021-28711 CVE-2021-28712 CVE-2021-28713 CVE-2021-28714 CVE-2021-28715 CVE-2021-39685 CVE-2021-45095 CVE-2021-45469 CVE-2021-45480 CVE-2022-0185 CVE-2022-23222} + [bullseye] - linux 5.10.92-1 +[20 Jan 2022] DSA-5049-1 flatpak - security update + {CVE-2021-43860 CVE-2022-21682} + [bullseye] - flatpak 1.10.7-0+deb11u1 +[15 Jan 2022] DSA-5048-1 libreswan - security update + {CVE-2022-23094} + [bullseye] - libreswan 4.3-1+deb11u1 +[15 Jan 2022] DSA-5047-1 prosody - security update + {CVE-2022-0217} + [buster] - prosody 0.11.2-1+deb10u3 + [bullseye] - prosody 0.11.9-2+deb11u1 +[14 Jan 2022] DSA-5046-1 chromium - security update + {CVE-2021-4052 CVE-2021-4053 CVE-2021-4054 CVE-2021-4055 CVE-2021-4056 CVE-2021-4057 CVE-2021-4058 CVE-2021-4059 CVE-2021-4061 CVE-2021-4062 CVE-2021-4063 CVE-2021-4064 CVE-2021-4065 CVE-2021-4066 CVE-2021-4067 CVE-2021-4068 CVE-2021-4078 CVE-2021-4079 CVE-2021-4098 CVE-2021-4099 CVE-2021-4100 CVE-2021-4101 CVE-2021-4102 CVE-2021-37956 CVE-2021-37957 CVE-2021-37958 CVE-2021-37959 CVE-2021-37961 CVE-2021-37962 CVE-2021-37963 CVE-2021-37964 CVE-2021-37965 CVE-2021-37966 CVE-2021-37967 CVE-2021-37968 CVE-2021-37969 CVE-2021-37970 CVE-2021-37971 CVE-2021-37972 CVE-2021-37973 CVE-2021-37974 CVE-2021-37975 CVE-2021-37976 CVE-2021-37977 CVE-2021-37978 CVE-2021-37979 CVE-2021-37980 CVE-2021-37981 CVE-2021-37982 CVE-2021-37983 CVE-2021-37984 CVE-2021-37985 CVE-2021-37986 CVE-2021-37987 CVE-2021-37988 CVE-2021-37989 CVE-2021-37990 CVE-2021-37991 CVE-2021-37992 CVE-2021-37993 CVE-2021-37994 CVE-2021-37995 CVE-2021-37996 CVE-2021-37997 CVE-2021-37998 CVE-2021-37999 CVE-2021-38000 CVE-2021-38001 CVE-2021-38002 CVE-2021-38003 CVE-2021-38004 CVE-2021-38005 CVE-2021-38006 CVE-2021-38007 CVE-2021-38008 CVE-2021-38009 CVE-2021-38010 CVE-2021-38011 CVE-2021-38012 CVE-2021-38013 CVE-2021-38014 CVE-2021-38015 CVE-2021-38016 CVE-2021-38017 CVE-2021-38018 CVE-2021-38019 CVE-2021-38020 CVE-2021-38021 CVE-2021-38022 CVE-2022-0096 CVE-2022-0097 CVE-2022-0098 CVE-2022-0099 CVE-2022-0100 CVE-2022-0101 CVE-2022-0102 CVE-2022-0103 CVE-2022-0104 CVE-2022-0105 CVE-2022-0106 CVE-2022-0107 CVE-2022-0108 CVE-2022-0109 CVE-2022-0110 CVE-2022-0111 CVE-2022-0112 CVE-2022-0113 CVE-2022-0114 CVE-2022-0115 CVE-2022-0116 CVE-2022-0117 CVE-2022-0118 CVE-2022-0120} + [bullseye] - chromium 97.0.4692.71-0.1~deb11u1 +[14 Jan 2022] DSA-5045-1 thunderbird - security update + {CVE-2021-4140 CVE-2022-22737 CVE-2022-22738 CVE-2022-22739 CVE-2022-22740 CVE-2022-22741 CVE-2022-22742 CVE-2022-22743 CVE-2022-22745 CVE-2022-22747 CVE-2022-22748 CVE-2022-22751} + [buster] - thunderbird 1:91.5.0-2~deb10u1 + [bullseye] - thunderbird 1:91.5.0-2~deb11u1 +[13 Jan 2022] DSA-5044-1 firefox-esr - security update + {CVE-2021-4140 CVE-2022-22737 CVE-2022-22738 CVE-2022-22739 CVE-2022-22740 CVE-2022-22741 CVE-2022-22742 CVE-2022-22743 CVE-2022-22745 CVE-2022-22747 CVE-2022-22748 CVE-2022-22751} + [buster] - firefox-esr 91.5.0esr-1~deb10u1 + [bullseye] - firefox-esr 91.5.0esr-1~deb11u1 +[12 Jan 2022] DSA-5043-1 lxml - security update + {CVE-2021-43818} + [buster] - lxml 4.3.2-1+deb10u4 + [bullseye] - lxml 4.6.3+dfsg-0.1+deb11u1 +[12 Jan 2022] DSA-5042-1 epiphany-browser - security update + {CVE-2021-45085 CVE-2021-45086 CVE-2021-45087 CVE-2021-45088} + [bullseye] - epiphany-browser 3.38.2-1+deb11u1 +[11 Jan 2022] DSA-5041-1 cfrpki - security update + {CVE-2021-3761 CVE-2021-3907 CVE-2021-3908 CVE-2021-3909 CVE-2021-3910 CVE-2021-3911 CVE-2021-3912 CVE-2021-43173 CVE-2021-43174} + [bullseye] - cfrpki 1.4.2-1~deb11u1 +[11 Jan 2022] DSA-5040-1 lighttpd - security update + {CVE-2022-22707} + [buster] - lighttpd 1.4.53-4+deb10u2 + [bullseye] - lighttpd 1.4.59-1+deb11u1 +[11 Jan 2022] DSA-5039-1 wordpress - security update + {CVE-2022-21661 CVE-2022-21662 CVE-2022-21663 CVE-2022-21664} + [buster] - wordpress 5.0.15+dfsg1-0+deb10u1 + [bullseye] - wordpress 5.7.5+dfsg1-0+deb11u1 +[08 Jan 2022] DSA-5038-1 ghostscript - security update + {CVE-2021-45944 CVE-2021-45949} + [buster] - ghostscript 9.27~dfsg-2+deb10u5 + [bullseye] - ghostscript 9.53.3~dfsg-7+deb11u2 +[08 Jan 2022] DSA-5037-1 roundcube - security update + {CVE-2021-46144} + [buster] - roundcube 1.3.17+dfsg.1-1~deb10u2 + [bullseye] - roundcube 1.4.13+dfsg.1-1~deb11u1 +[06 Jan 2022] DSA-5036-1 sphinxsearch - security update + {CVE-2020-29050} + [buster] - sphinxsearch 2.2.11-2+deb10u1 +[04 Jan 2022] DSA-5035-1 apache2 - security update + {CVE-2021-44224 CVE-2021-44790} + [buster] - apache2 2.4.38-3+deb10u7 + [bullseye] - apache2 2.4.52-1~deb11u2 +[02 Jan 2022] DSA-5034-1 thunderbird - security update + {CVE-2021-4126 CVE-2021-38496 CVE-2021-38500 CVE-2021-38502 CVE-2021-38503 CVE-2021-38504 CVE-2021-38506 CVE-2021-38507 CVE-2021-38508 CVE-2021-38509 CVE-2021-43528 CVE-2021-43529 CVE-2021-43534 CVE-2021-43535 CVE-2021-43536 CVE-2021-43537 CVE-2021-43538 CVE-2021-43539 CVE-2021-43541 CVE-2021-43542 CVE-2021-43543 CVE-2021-43545 CVE-2021-43546 CVE-2021-44538} + [buster] - thunderbird 1:91.4.1-1~deb10u1 + [bullseye] - thunderbird 1:91.4.1-1~deb11u1 +[30 Dec 2021] DSA-5033-1 fort-validator - security update + {CVE-2021-3907 CVE-2021-3909 CVE-2021-43173 CVE-2021-43114} + [bullseye] - fort-validator 1.5.3-1~deb11u1 +[28 Dec 2021] DSA-5032-1 djvulibre - security update + {CVE-2019-15142 CVE-2019-15143 CVE-2019-15144 CVE-2019-15145 CVE-2019-18804 CVE-2021-3500 CVE-2021-3630 CVE-2021-32490 CVE-2021-32491 CVE-2021-32492 CVE-2021-32493} + [buster] - djvulibre 3.5.27.1-10+deb10u1 +[23 Dec 2021] DSA-5031-1 wpewebkit - security update + {CVE-2021-30887 CVE-2021-30890} + [bullseye] - wpewebkit 2.34.3-1~deb11u1 +[23 Dec 2021] DSA-5030-1 webkit2gtk - security update + {CVE-2021-30887 CVE-2021-30890} + [buster] - webkit2gtk 2.34.3-1~deb10u1 + [bullseye] - webkit2gtk 2.34.3-1~deb11u1 +[22 Dec 2021] DSA-5000-2 openjdk-11 - security update + {CVE-2021-35550 CVE-2021-35556 CVE-2021-35559 CVE-2021-35561 CVE-2021-35564 CVE-2021-35565 CVE-2021-35567 CVE-2021-35578 CVE-2021-35586 CVE-2021-35603} + [buster] - openjdk-11 11.0.13+8-1~deb10u1 +[22 Dec 2021] DSA-5029-1 sogo - security update + {CVE-2021-33054} + [buster] - sogo 4.0.7-1+deb10u2 + [bullseye] - sogo 5.0.1-4+deb11u1 +[22 Dec 2021] DSA-5028-1 spip - security update + {CVE-2021-44118 CVE-2021-44120 CVE-2021-44122 CVE-2021-44123} + [buster] - spip 3.2.4-1+deb10u5 + [bullseye] - spip 3.2.11-3+deb11u1 +[21 Dec 2021] DSA-5027-1 xorg-server - security update + {CVE-2021-4008 CVE-2021-4009 CVE-2021-4010 CVE-2021-4011} + [buster] - xorg-server 2:1.20.4-1+deb10u4 + [bullseye] - xorg-server 2:1.20.11-1+deb11u1 +[19 Dec 2021] DSA-5026-1 firefox-esr - security update + {CVE-2021-43546 CVE-2021-43545 CVE-2021-43543 CVE-2021-43542 CVE-2021-43541 CVE-2021-43539 CVE-2021-43538 CVE-2021-43537 CVE-2021-43536 CVE-2021-43535 CVE-2021-43534 CVE-2021-38509 CVE-2021-38508 CVE-2021-38507 CVE-2021-38506 CVE-2021-38504 CVE-2021-38503} + [bullseye] - firefox-esr 91.4.1esr-1~deb11u1 +[19 Dec 2021] DSA-5025-1 tang - security update + {CVE-2021-4076} + [bullseye] - tang 8-3+deb11u1 +[18 Dec 2021] DSA-5024-1 apache-log4j2 - security update + {CVE-2021-45105} + [buster] - apache-log4j2 2.17.0-1~deb10u1 + [bullseye] - apache-log4j2 2.17.0-1~deb11u1 +[18 Dec 2021] DSA-5023-1 modsecurity-apache - security update + {CVE-2021-42717} + [buster] - modsecurity-apache 2.9.3-1+deb10u1 + [bullseye] - modsecurity-apache 2.9.3-3+deb11u1 +[16 Dec 2021] DSA-5022-1 apache-log4j2 - security update + {CVE-2021-45046} + [buster] - apache-log4j2 2.16.0-1~deb10u1 + [bullseye] - apache-log4j2 2.16.0-1~deb11u1 +[15 Dec 2021] DSA-5021-1 mediawiki - security update + {CVE-2021-44857 CVE-2021-44858 CVE-2021-45038} + [bullseye] - mediawiki 1:1.35.4-1+deb11u2 +[11 Dec 2021] DSA-5020-1 apache-log4j2 - security update + {CVE-2021-44228} + [buster] - apache-log4j2 2.15.0-1~deb10u1 + [bullseye] - apache-log4j2 2.15.0-1~deb11u1 +[10 Dec 2021] DSA-5019-1 wireshark - security update + {CVE-2021-22207 CVE-2021-22222 CVE-2021-22235 CVE-2021-39920 CVE-2021-39921 CVE-2021-39922 CVE-2021-39923 CVE-2021-39924 CVE-2021-39925 CVE-2021-39926 CVE-2021-39928 CVE-2021-39929} + [bullseye] - wireshark 3.4.10-0+deb11u1 +[09 Dec 2021] DSA-5018-1 python-babel - security update + {CVE-2021-42771} + [buster] - python-babel 2.6.0+dfsg.1-1+deb10u1 +[05 Dec 2021] DSA-5017-1 xen - security update + {CVE-2021-28702 CVE-2021-28704 CVE-2021-28705 CVE-2021-28706 CVE-2021-28707 CVE-2021-28708 CVE-2021-28709} + [bullseye] - xen 4.14.3+32-g9de3671772-1~deb11u1 +[01 Dec 2021] DSA-5016-1 nss - security update + {CVE-2021-43527} + [buster] - nss 2:3.42.1-1+deb10u4 + [bullseye] - nss 2:3.61-1+deb11u1 +[30 Nov 2021] DSA-5015-1 samba - security update + {CVE-2020-25717} + [buster] - samba 2:4.9.5+dfsg-5+deb10u2 [28 Nov 2021] DSA-5014-1 icu - security update {CVE-2020-21913} [buster] - icu 63.1-6+deb10u2 @@ -58,10 +315,10 @@ {CVE-2020-19143} [buster] - tiff 4.1.0+git191117-2~deb10u3 [29 Oct 2021] DSA-4996-1 wpewebkit - security update - {CVE-2021-30846 CVE-2021-30851 CVE-2021-42762} + {CVE-2021-30818 CVE-2021-30823 CVE-2021-30846 CVE-2021-30851 CVE-2021-30884 CVE-2021-30888 CVE-2021-30889 CVE-2021-42762 CVE-2021-45481 CVE-2021-45483} [bullseye] - wpewebkit 2.34.1-1~deb11u1 [29 Oct 2021] DSA-4995-1 webkit2gtk - security update - {CVE-2021-30846 CVE-2021-30851 CVE-2021-42762} + {CVE-2021-30818 CVE-2021-30823 CVE-2021-30846 CVE-2021-30851 CVE-2021-30884 CVE-2021-30888 CVE-2021-30889 CVE-2021-42762 CVE-2021-45481 CVE-2021-45483} [buster] - webkit2gtk 2.34.1-1~deb10u1 [bullseye] - webkit2gtk 2.34.1-1~deb11u1 [28 Oct 2021] DSA-4994-1 bind9 - security update @@ -128,10 +385,10 @@ {CVE-2021-28694 CVE-2021-28695 CVE-2021-28696 CVE-2021-28697 CVE-2021-28698 CVE-2021-28699 CVE-2021-28700 CVE-2021-28701} [bullseye] - xen 4.14.3-1~deb11u1 [20 Sep 2021] DSA-4976-1 wpewebkit - security update - {CVE-2021-30848 CVE-2021-30849 CVE-2021-30858} + {CVE-2021-30809 CVE-2021-30836 CVE-2021-30848 CVE-2021-30849 CVE-2021-30858 CVE-2021-45482} [bullseye] - wpewebkit 2.32.4-1~deb11u1 [20 Sep 2021] DSA-4975-1 webkit2gtk - security update - {CVE-2021-30848 CVE-2021-30849 CVE-2021-30858} + {CVE-2021-30809 CVE-2021-30836 CVE-2021-30848 CVE-2021-30849 CVE-2021-30858 CVE-2021-45482} [buster] - webkit2gtk 2.32.4-1~deb10u1 [bullseye] - webkit2gtk 2.32.4-1~deb11u1 [19 Sep 2021] DSA-4974-1 nextcloud-desktop - security update diff --git a/data/dla-needed.txt b/data/dla-needed.txt index ff63a645c7..3718f8e769 100644 --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -13,12 +13,14 @@ To make it easier to see the entire history of an update, please append notes rather than remove/replace existing ones. -- -ansible (Lee Garrett) +ansible NOTE: 20210411: As discussed with the maintainer I will update Buster first and NOTE: 20210411: after that LTS. (apo) NOTE: 20210426: https://people.debian.org/~apo/lts/ansible/ -- -debian-archive-keyring +asterisk (Abhijith PA) +-- +debian-archive-keyring (Anton) NOTE: https://lists.debian.org/debian-lts/2021/08/msg00037.html NOTE: 20210920: Raphael answered. will backport today. (utkarsh) NOTE: 20211003: waiting for Jonathan to get back as his keys @@ -27,78 +29,71 @@ debian-archive-keyring NOTE: 20211018: Jonathan is prepping the branch; will work NOTE: 20211018: with him and upload and publish the DLA. (utkarsh) -- -firefox-esr (Emilio) - NOTE: 20211122: blocked on toolchain backports (pochu) +expat (Emilio) + NOTE: 20220221: please wait for DSA first. (Anton) -- -firmware-nonfree (Markus Koschany) +firmware-nonfree NOTE: 20210731: WIP: https://salsa.debian.org/lts-team/packages/firmware-nonfree NOTE: 20210828: Most CVEs are difficult to backport. Contacted Ben regarding possible "ignore" tag + NOTE: 20211207: Intend to release this week. -- -gerbv (Anton) - NOTE: 20211107: The fix has only one-line! But... be sure that the fix will help. (Anton) - NOTE: 20211107: Please take the package if you can reproduce the issue with valgrind/AddressSanitizer/Leaksanitizer (Anton) - NOTE: 20211107: The simple fix will unlikely help. (Anton) - NOTE: 20211121: Still needs to be investigated with extra-tool. (Anton) - NOTE: 20211128: WIP https://salsa.debian.org/lts-team/packages/gmp/ +freecad (Emilio) + NOTE: 20220221: please wait for DSA first. (Anton) -- -gmp (Anton) - NOTE: 20211128: WIP https://salsa.debian.org/lts-team/packages/gmp/ +gif2apng (Anton) + NOTE: 20220114: orphaned package with inactive upstream, maybe coordinate with Debian QA to write our own patches (Beuc) + NOTE: 20220114: CVEs unrelated to apng2gif's (Beuc) + NOTE: 20220221: WIP (Anton) -- gpac (Roberto C. Sánchez) NOTE: 20211101: coordinating with secteam for s-p-u since stretch/buster versions match (roberto) NOTE: 20211120: received OK from secteam for buster update, working on stretch/buster in parallel (roberto) + NOTE: 20211228: Returning to active work on this now that llvm/rustc update is complete (roberto) -- -libgit2 (Utkarsh) - NOTE: 20211029: CVE-2018-10887/CVE-2018-10888/CVE-2018-15501 were fixed - NOTE: 20211029: for jessie in DLA-1477-1 and should also be fixed in stretch - NOTE: 20211029: 4 other CVEs might also be worth fixing (bunk) - NOTE: 20211029: taking this with my maintainer hat on; will investigate - NOTE: 20211029: and TAL later next week. (utkarsh) - NOTE: 20211116: backports prepped; checking build and smoke-testing package. (utkarsh) +htmldoc (Thorsten Alteholz) +-- +intel-microcode + NOTE: 20220213: please recheck -- -librecad (Sylvain Beucler) - NOTE: 20211127: also take care of other suites +libarchive (Thorsten Alteholz) + NOTE: 20220213: testing package -- -libssh2 (Ola Lundqvist) - NOTE: 20211031: CVE-2019-13115 and CVE-2019-17498 were fixed in jessie DLAs - NOTE: 20211031: but still need fixing in stretch and buster. (bunk) - NOTE: 20211116: Work in progress for stretch. (ola) +libgit2 (Utkarsh) + NOTE: 20220208: got clearance. will upload this week. (utkarsh) + NOTE: 20220221: had been severely ill the past week. shall get it done soon. (utkarsh) -- linux (Ben Hutchings) -- linux-4.19 (Ben Hutchings) -- -nvidia-graphics-drivers - NOTE: package is in non-free but also in packages-to-support - NOTE: only CVE‑2021‑1076 seems to be fixed in the R390 branch used in Stretch, no fix available for CVE-2021-1077 - NOTE: 20211108: nvidia-graphics-drivers-legacy-390xx 390.144-1 in buster/bullseye/bookworm - NOTE: 20211108: now fixes all 5 CVEs (bunk) --- -opensc (Adrian Bunk) +mariadb-10.1 + NOTE: 20220222: Can be risky. Please consider backporting mariadb-10.3. See discussion https://lists.debian.org/debian-lts/2022/02/msg00005.html and coordinate with maintainer (Anton) -- -pgbouncer (Thorsten Alteholz) - NOTE: 20211128: also help with other releases --- -puppet - NOTE: please recheck whether really affected --- -roundcube (Markus Koschany) +nvidia-graphics-drivers + NOTE: 20220203: package is in non-free but also in packages-to-support (Beuc) + NOTE: 20220209: monitor nvidia-graphics-drivers-legacy-390xx for a potential + NOTE: 20220209: backport (apo) -- -rsync (Adrian Bunk) +pjproject (Abhijith PA) + NOTE: 20211230: patch available for the no-dsa issue, check its NOTE (pochu) + NOTE: 20220215: Asterisk and ring have embedded copy of pjproject (abhijith) -- -rustc (Roberto C. Sánchez) - NOTE: rust-doc in stretch-lts (and jessie-lts) is not installable - NOTE: https://bugs.debian.org/928422 - NOTE: Perhaps fix with the next rustc update for a new Firefox? (bunk) - NOTE: 20211101: working on llvm-toolchain-11 update, which is needed by rustc (roberto) - NOTE: 20211112: llvm-toolchain-11 update is now uploaded (roberto) +ring (Abhijith PA) -- -samba (Anton) +samba NOTE: 20211128: WIP https://salsa.debian.org/lts-team/packages/samba/ + NOTE: 20211212: Fix is too large, coordination with ELTS-upload (anton) + NOTE: 20220110: fix applied, but will need a second opinion. (utkarsh) + NOTE: 20220125: ftbfs, wip. (utkarsh) -- thunderbird (Emilio) - NOTE: 20211122: blocked on toolchain backports (pochu) -- -wireshark (Adrian Bunk) - NOTE: 20211119: Check https://salsa.debian.org/security-tracker-team/security-tracker/commit/d55b7eff90db8487e20106c2c09e61293a477e89 (lamby) +tiff (Thorsten Alteholz) +-- +ujson (Anton) + NOTE: 20220121: please reheck, at least the mentioned function is available in Stretch + NOTE: 20220206: https://salsa.debian.org/lts-team/packages/ujson Investigating, whether affected or not (Anton) + NOTE: 20220221: WIP (Anton) +-- +vim -- diff --git a/data/dsa-needed.txt b/data/dsa-needed.txt index f01e1312fa..29d7c49154 100644 --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -12,18 +12,16 @@ To pick an issue, simply add your uid behind it. If needed, specify the release by adding a slash after the name of the source package. -- -condor +asterisk/oldstable -- -chromium +condor -- -djvulibre +expat (carnil) + Waiting for final fix upstream and first exposure in unstable -- faad2/oldstable (jmm) -- -firefox-esr - Rust toolchain updates needed --- -gpac (jmm) +freecad (aron) -- linux (carnil) Wait until more issues have piled up, though try to regulary rebase for point @@ -33,32 +31,17 @@ ndpi/oldstable -- nodejs (jmm) -- -puppetdb (jmm) --- python-pysaml2 (jmm) -- -rabbitmq-server +rpki-client/stable + new 7.6 release required libretls, which isn't in Bullseye -- runc -- -samba/oldstable (carnil) - We will likely only address the 'min domain uid' patch, the fixes for the CVEs - are otherwise quite intrusive. --- -sogo - Maintainer preparing updates --- thunderbird (jmm) - Rust toolchain updates needed -- trafficserver (jmm) wait until status for CVE-2021-38161 is clarified (upstream patch got reverted) -- -varnish --- -wireshark --- -xen - Maintainer proposed an update, but might be very well as well an option via point release - given the timeline and the kernel upgrade pending. +varnish (fw) -- diff --git a/data/embedded-code-copies b/data/embedded-code-copies index bac2d8476f..17822518b9 100644 --- a/data/embedded-code-copies +++ b/data/embedded-code-copies @@ -1513,6 +1513,10 @@ pyparsing - matplotlib 1.3.0-1 (embed; bug #531024; bug #555369) - zhpy 1.7.3.1-1 (embed; bug #555370) - polybori <unknown> (embed) + - python-pip <unfixable> (embed) + NOTE: https://lists.debian.org/debian-python/2021/09/msg00031.html + - python2-pip <unfixable> (embed) + NOTE: https://lists.debian.org/debian-python/2021/09/msg00031.html - python-whoosh <unknown> (embed) - twill <unknown> (embed) - zope-textindexng3 <unknown> (embed) @@ -1648,11 +1652,19 @@ python2.7 NOTE: core functionality based on Python difflib code with changed output format - zodbpickle <unfixable> (fork) NOTE: embeds outdated stdlib modules: pickle, cpickle + - pypy <unfixable> (fork) + NOTE: embeds stdlib python3.6 - zodbpickle <unfixable> (fork) NOTE: embeds outdated stdlib modules: pickle, cpickle +python3.7 + - pypy3 <unfixable> (fork) + NOTE: embeds stdlib + - python2-pip <unfixable> (embed) + NOTE: embeds contextlib - https://lists.debian.org/debian-python/2021/09/msg00031.html + argparse - twill <unfixed> (embed; bug #555347) - ipython <unfixed> (embed; bug #555348) @@ -1756,6 +1768,7 @@ unicode-data - boost1.63 <unfixed> (embed; bug #852763) - boost1.67 <unfixed> (embed; bug #920319) - boost1.71 <unfixed> (embed; bug #963587) + - boost1.74 <unfixed> (embed; bug #1005201) - glibc <unfixed> (modified-embed) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21533 NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=14095 @@ -2875,7 +2888,7 @@ dcraw libraw - libkdcraw 4:4.12.3-1 - - darktable <unfixed> (modified-embed; bug #682980) + - darktable <unfixed> (modified-embed; bug #1002876) - shotwell <unfixed> NOTE: possibly fixed in wheezy and greater @@ -2911,9 +2924,6 @@ automysqlbackup - autopostgresqlbackup <unfixed> NOTE: fork -python-pip - - python-virtualenv <unfixed> - scrypt - python-scrypt <unfixed> (embed; wontfix; package in NEW) NOTE: upstream scrypt does not provide a shared library/API @@ -3558,8 +3568,173 @@ python-py - pypy <unfixed> (embed) - pypy3 <unfixed> (embed) +pytest + - pypy <unfixed> (modified-embed) + - pypy3 <unfixed> (modified-embed) + +python-cffi + - pypy <unfixed> (embed) + - pypy3 <unfixed> (embed) + +python-cryptography: + - pypy <unfixed> (embed) + - pypy3 <unfixed> (embed) + chezscheme - racket <unfixable> (fork) ccextractor - gpac 0.93+ds2-1 (modified-embed; bug #994754) + +xorg-server + - xwayland <unfixable> (fork) + +python-cachecontrol + - python-pip <unfixable> (embed) + NOTE: https://lists.debian.org/debian-python/2021/09/msg00031.html + - python2-pip <unfixable> (embed) + NOTE: https://lists.debian.org/debian-python/2021/09/msg00031.html + +python-certifi + - python-pip <unfixable> (embed) + NOTE: https://lists.debian.org/debian-python/2021/09/msg00031.html + - python2-pip <unfixable> (embed) + NOTE: https://lists.debian.org/debian-python/2021/09/msg00031.html + +chardet + - python-pip <unfixable> (embed) + NOTE: https://lists.debian.org/debian-python/2021/09/msg00031.html + - python2-pip <unfixable> (embed) + NOTE: https://lists.debian.org/debian-python/2021/09/msg00031.html + +python-colorama + - python-pip <unfixable> (embed) + NOTE: https://lists.debian.org/debian-python/2021/09/msg00031.html + - python2-pip <unfixable> (embed) + NOTE: https://lists.debian.org/debian-python/2021/09/msg00031.html + +distlib + - python-pip <unfixable> (embed) + NOTE: https://lists.debian.org/debian-python/2021/09/msg00031.html + - python2-pip <unfixable> (embed) + NOTE: https://lists.debian.org/debian-python/2021/09/msg00031.html + +python-distro + - python-pip <unfixable> (embed) + NOTE: https://lists.debian.org/debian-python/2021/09/msg00031.html + - python2-pip <unfixable> (embed) + NOTE: https://lists.debian.org/debian-python/2021/09/msg00031.html + +html5lib + - python-pip <unfixable> (embed) + NOTE: https://lists.debian.org/debian-python/2021/09/msg00031.html + - python2-pip <unfixable> (embed) + NOTE: https://lists.debian.org/debian-python/2021/09/msg00031.html + +python-idna + - python-pip <unfixable> (embed) + NOTE: https://lists.debian.org/debian-python/2021/09/msg00031.html + - python2-pip <unfixable> (embed) + NOTE: https://lists.debian.org/debian-python/2021/09/msg00031.html + +python-msgpack + - python-pip <unfixable> (embed) + NOTE: https://lists.debian.org/debian-python/2021/09/msg00031.html + - python2-pip <unfixable> (embed) + NOTE: https://lists.debian.org/debian-python/2021/09/msg00031.html + +python-packaging + - python-pip <unfixable> (embed) + NOTE: https://lists.debian.org/debian-python/2021/09/msg00031.html + - python2-pip <unfixable> (embed) + NOTE: https://lists.debian.org/debian-python/2021/09/msg00031.html + +pep517 + - python-pip <unfixable> (embed) + NOTE: https://lists.debian.org/debian-python/2021/09/msg00031.html + - python2-pip <unfixable> (embed) + NOTE: https://lists.debian.org/debian-python/2021/09/msg00031.html + +setuptools + - python-pip <unfixable> (embed) + NOTE: https://lists.debian.org/debian-python/2021/09/msg00031.html + - python2-pip <unfixable> (embed) + NOTE: https://lists.debian.org/debian-python/2021/09/msg00031.html + +platformdirs + - python-pip <unfixable> (embed) + NOTE: https://lists.debian.org/debian-python/2021/09/msg00031.html + +python-progress + - python-pip <unfixable> (embed) + NOTE: https://lists.debian.org/debian-python/2021/09/msg00031.html + - python2-pip <unfixable> (embed) + NOTE: https://lists.debian.org/debian-python/2021/09/msg00031.html + +requests + - python-pip <unfixable> (embed) + NOTE: https://lists.debian.org/debian-python/2021/09/msg00031.html + - python2-pip <unfixable> (embed) + NOTE: https://lists.debian.org/debian-python/2021/09/msg00031.html + +python-resolvelib + - python-pip <unfixable> (embed) + NOTE: https://lists.debian.org/debian-python/2021/09/msg00031.html + - python2-pip <unfixable> (embed) + NOTE: https://lists.debian.org/debian-python/2021/09/msg00031.html + +six + - python-pip <unfixable> (embed) + NOTE: https://lists.debian.org/debian-python/2021/09/msg00031.html + - python2-pip <unfixable> (embed) + NOTE: https://lists.debian.org/debian-python/2021/09/msg00031.html + +python-tenacity + - python-pip <unfixable> (embed) + NOTE: https://lists.debian.org/debian-python/2021/09/msg00031.html + +python-tomli + - python-pip <unfixable> (embed) + NOTE: https://lists.debian.org/debian-python/2021/09/msg00031.html + +python-urllib3 + - python-pip <unfixable> (embed) + NOTE: https://lists.debian.org/debian-python/2021/09/msg00031.html + - python2-pip <unfixable> (embed) + NOTE: https://lists.debian.org/debian-python/2021/09/msg00031.html + +python-webencodings + - python-pip <unfixable> (embed) + NOTE: https://lists.debian.org/debian-python/2021/09/msg00031.html + - python2-pip <unfixable> (embed) + NOTE: https://lists.debian.org/debian-python/2021/09/msg00031.html + +appdirs + - python2-pip <unfixable> (embed) + NOTE: https://lists.debian.org/debian-python/2021/09/msg00031.html + +python-ipaddress + - python2-pip <unfixable> (embed) + NOTE: https://lists.debian.org/debian-python/2021/09/msg00031.html + +python-retrying + - python2-pip <unfixable> (embed) + NOTE: https://lists.debian.org/debian-python/2021/09/msg00031.html + +python-toml + - python2-pip <unfixable> (embed) + NOTE: https://lists.debian.org/debian-python/2021/09/msg00031.html + +pygments + - python-pip <unfixable> (embed) + NOTE: https://lists.debian.org/debian-python/2021/09/msg00031.html + +rich + - python-pip <unfixable> (embed) + NOTE: https://lists.debian.org/debian-python/2021/09/msg00031.html + +asterisk + - pjproject <unfixed> (embed) + +ring + - pjproject <unfixed> (embed) diff --git a/data/next-oldstable-point-update.txt b/data/next-oldstable-point-update.txt index ff3d12b52a..544f62dcf4 100644 --- a/data/next-oldstable-point-update.txt +++ b/data/next-oldstable-point-update.txt @@ -87,14 +87,154 @@ CVE-2019-1010317 CVE-2019-1010319 [buster] - wavpack 5.1.0-6+deb10u1 CVE-2021-35604 - [buster] - mariadb-10.3 1:10.3.32-0+deb10u1 + [buster] - mariadb-10.3 1:10.3.34-0+deb10u1 +CVE-2021-46662 + [buster] - mariadb-10.3 1:10.3.34-0+deb10u1 +CVE-2021-46667 + [buster] - mariadb-10.3 1:10.3.34-0+deb10u1 +CVE-2021-46659 + [buster] - mariadb-10.3 1:10.3.34-0+deb10u1 +CVE-2022-24048 + [buster] - mariadb-10.3 1:10.3.34-0+deb10u1 +CVE-2022-24050 + [buster] - mariadb-10.3 1:10.3.34-0+deb10u1 +CVE-2022-24051 + [buster] - mariadb-10.3 1:10.3.34-0+deb10u1 +CVE-2022-24052 + [buster] - mariadb-10.3 1:10.3.34-0+deb10u1 +CVE-2021-46661 + [buster] - mariadb-10.3 1:10.3.34-0+deb10u1 +CVE-2021-46663 + [buster] - mariadb-10.3 1:10.3.34-0+deb10u1 +CVE-2021-46664 + [buster] - mariadb-10.3 1:10.3.34-0+deb10u1 +CVE-2021-46665 + [buster] - mariadb-10.3 1:10.3.34-0+deb10u1 +CVE-2021-46668 + [buster] - mariadb-10.3 1:10.3.34-0+deb10u1 CVE-2021-43331 [buster] - mailman 1:2.1.29-1+deb10u3 CVE-2021-43332 [buster] - mailman 1:2.1.29-1+deb10u3 +CVE-2021-44227 + [buster] - mailman 1:2.1.29-1+deb10u4 CVE-2019-14462 [buster] - libmodbus 3.1.4-2+deb10u1 CVE-2019-14463 [buster] - libmodbus 3.1.4-2+deb10u1 CVE-2021-43618 [buster] - gmp 2:6.1.2+dfsg-4+deb10u1 +CVE-2021-37146 + [buster] - ros-ros-comm 1.14.3+ds1-5+deb10u3 +CVE-2021-40391 + [buster] - gerbv 2.7.0-1+deb10u1 +CVE-2021-44540 + [buster] - privoxy 3.0.28-2+deb10u2 +CVE-2021-44543 + [buster] - privoxy 3.0.28-2+deb10u2 +CVE-2020-12672 + [buster] - graphicsmagick 1.4+really1.3.35-1~deb10u2 +CVE-2020-16117 + [buster] - evolution-data-server 3.30.5-1+deb10u2 +CVE-2020-15953 + [buster] - libetpan 1.9.3-2+deb10u1 +CVE-2019-10172 + [buster] - libjackson-json-java 1.9.13-2~deb10u1 +CVE-2017-15095 + [buster] - libjackson-json-java 1.9.13-2~deb10u1 +CVE-2017-7525 + [buster] - libjackson-json-java 1.9.13-2~deb10u1 +CVE-2021-22207 + [buster] - wireshark 2.6.20-0+deb10u3 +CVE-2021-22235 + [buster] - wireshark 2.6.20-0+deb10u3 +CVE-2021-39921 + [buster] - wireshark 2.6.20-0+deb10u3 +CVE-2021-39922 + [buster] - wireshark 2.6.20-0+deb10u3 +CVE-2021-39923 + [buster] - wireshark 2.6.20-0+deb10u3 +CVE-2021-39924 + [buster] - wireshark 2.6.20-0+deb10u3 +CVE-2021-39928 + [buster] - wireshark 2.6.20-0+deb10u3 +CVE-2021-39929 + [buster] - wireshark 2.6.20-0+deb10u3 +CVE-2020-25693 + [buster] - cimg 2.4.5+dfsg-1+deb10u1 +CVE-2020-0499 + [buster] - flac 1.3.2-3+deb10u1 +CVE-2022-20698 + [buster] - clamav 0.103.5+dfsg-0+deb10u1 +CVE-2020-25713 + [buster] - raptor2 2.0.14-1.1~deb10u2 +CVE-2019-7572 + [buster] - libsdl1.2 1.2.15+dfsg2-4+deb10u1 +CVE-2019-7573 + [buster] - libsdl1.2 1.2.15+dfsg2-4+deb10u1 +CVE-2019-7574 + [buster] - libsdl1.2 1.2.15+dfsg2-4+deb10u1 +CVE-2019-7575 + [buster] - libsdl1.2 1.2.15+dfsg2-4+deb10u1 +CVE-2019-7576 + [buster] - libsdl1.2 1.2.15+dfsg2-4+deb10u1 +CVE-2019-7577 + [buster] - libsdl1.2 1.2.15+dfsg2-4+deb10u1 +CVE-2019-7578 + [buster] - libsdl1.2 1.2.15+dfsg2-4+deb10u1 +CVE-2019-7635 + [buster] - libsdl1.2 1.2.15+dfsg2-4+deb10u1 +CVE-2019-7636 + [buster] - libsdl1.2 1.2.15+dfsg2-4+deb10u1 +CVE-2019-7637 + [buster] - libsdl1.2 1.2.15+dfsg2-4+deb10u1 +CVE-2019-7638 + [buster] - libsdl1.2 1.2.15+dfsg2-4+deb10u1 +CVE-2019-13616 + [buster] - libsdl1.2 1.2.15+dfsg2-4+deb10u1 +CVE-2020-18442 + [buster] - zziplib 0.13.62-3.2+deb10u1 +CVE-2020-8955 + [buster] - weechat 2.3-1+deb10u1 +CVE-2020-9759 + [buster] - weechat 2.3-1+deb10u1 +CVE-2020-9760 + [buster] - weechat 2.3-1+deb10u1 +CVE-2021-40516 + [buster] - weechat 2.3-1+deb10u1 +CVE-2019-15945 + [buster] - opensc 0.19.0-1+deb10u1 +CVE-2019-15946 + [buster] - opensc 0.19.0-1+deb10u1 +CVE-2019-19479 + [buster] - opensc 0.19.0-1+deb10u1 +CVE-2019-20792 + [buster] - opensc 0.19.0-1+deb10u1 +CVE-2020-26570 + [buster] - opensc 0.19.0-1+deb10u1 +CVE-2020-26571 + [buster] - opensc 0.19.0-1+deb10u1 +CVE-2020-26572 + [buster] - opensc 0.19.0-1+deb10u1 +CVE-2019-17041 + [buster] - rsyslog 8.1901.0-1+deb10u1 +CVE-2019-17042 + [buster] - rsyslog 8.1901.0-1+deb10u1 +CVE-2019-15165 + [buster] - libpcap 1.8.1-6+deb10u1 +CVE-2019-15531 + [buster] - libextractor 1:1.8-2+deb10u1 +CVE-2021-46671 + [buster] - atftp 0.7.git20120829-3.2~deb10u3 +CVE-2022-24130 + [buster] - xterm 344-1+deb10u2 +CVE-2021-4104 + [buster] - apache-log4j1.2 1.2.17-8+deb10u2 +CVE-2022-23302 + [buster] - apache-log4j1.2 1.2.17-8+deb10u2 +CVE-2022-23305 + [buster] - apache-log4j1.2 1.2.17-8+deb10u2 +CVE-2022-23307 + [buster] - apache-log4j1.2 1.2.17-8+deb10u2 +CVE-2021-44832 + [buster] - apache-log4j2 2.17.1-1~deb10u1 diff --git a/data/next-point-update.txt b/data/next-point-update.txt index abad834dcb..66b78763c0 100644 --- a/data/next-point-update.txt +++ b/data/next-point-update.txt @@ -1,42 +1,120 @@ -CVE-2019-11098 - [bullseye] - edk2 2020.11-2+deb11u1 -CVE-2021-38155 - [bullseye] - keystone 2:18.0.0-3+deb11u1 +CVE-2021-42343 + [bullseye] - dask.distributed 2021.01.0+ds.1-2.1+deb11u1 CVE-2021-3654 [bullseye] - nova 2:22.2.2-1+deb11u1 -CVE-2021-36221 - [bullseye] - golang-1.15 1.15.15-1~deb11u1 -CVE-2021-39293 - [bullseye] - golang-1.15 1.15.15-1~deb11u1 CVE-2021-40083 [bullseye] - knot-resolver 5.3.1-1+deb11u1 -CVE-2021-3770 - [bullseye] - vim 2:8.2.2434-3+deb11u1 -CVE-2021-3778 - [bullseye] - vim 2:8.2.2434-3+deb11u1 -CVE-2021-3796 - [bullseye] - vim 2:8.2.2434-3+deb11u1 -CVE-2020-28282 - [bullseye] - node-getobject 0.1.0-2+deb11u1 -CVE-2021-38714 - [bullseye] - plib 1.8.5-8+deb11u1 -CVE-2021-3802 - [bullseye] - udisks2 2.9.2-2+deb11u1 -CVE-2021-41184 - [bullseye] - jqueryui 1.12.1+dfsg-8+deb11u1 -CVE-2021-42917 - [bullseye] - kodi 2:19.1+dfsg2-2+deb11u1 -CVE-2021-43612 - [bullseye] - lldpd 1.0.12-1+deb11u1 -CVE-2021-40985 - [bullseye] - htmldoc 1.9.11-4+deb11u1 -CVE-2021-43579 - [bullseye] - htmldoc 1.9.11-4+deb11u1 -CVE-2021-35604 - [bullseye] - mariadb-10.5 1:10.5.13-0+deb11u1 -CVE-2021-3918 - [bullseye] - node-json-schema 0.3.0+~7.0.6-1+deb11u1 -CVE-2021-43618 - [bullseye] - gmp 2:6.2.1+dfsg-1+deb11u1 CVE-2021-41270 [bullseye] - symfony 4.4.19+dfsg-2+deb11u1 +CVE-2021-35604 + [bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1 +CVE-2021-46667 + [bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1 +CVE-2021-46662 + [bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1 +CVE-2021-46659 + [bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1 +CVE-2022-24048 + [bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1 +CVE-2022-24050 + [bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1 +CVE-2022-24051 + [bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1 +CVE-2022-24052 + [bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1 +CVE-2021-46661 + [bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1 +CVE-2021-46663 + [bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1 +CVE-2021-46664 + [bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1 +CVE-2021-46665 + [bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1 +CVE-2021-46668 + [bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1 +CVE-2021-44917 + [bullseye] - gnuplot 5.4.1+dfsg1-1+deb11u1 +CVE-2021-45379 + [bullseye] - glewlwyd 2.5.2-2+deb11u2 +CVE-2021-23177 + [bullseye] - libarchive 3.4.3-2+deb11u1 +CVE-2021-31566 + [bullseye] - libarchive 3.4.3-2+deb11u1 +CVE-2021-43808 + [bullseye] - php-laravel-framework 6.20.14+dfsg-2+deb11u1 +CVE-2021-43617 + [bullseye] - php-laravel-framework 6.20.14+dfsg-2+deb11u1 +CVE-2021-32718 + [bullseye] - rabbitmq-server 3.8.9-3+deb11u1 +CVE-2021-32719 + [bullseye] - rabbitmq-server 3.8.9-3+deb11u1 +CVE-2021-22116 + [bullseye] - rabbitmq-server 3.8.9-3+deb11u1 +CVE-2018-1279 + [bullseye] - rabbitmq-server 3.8.9-3+deb11u1 +CVE-2021-36980 + [bullseye] - openvswitch 2.15.0+ds1-2+deb11u1 +CVE-2022-0155 + [bullseye] - node-follow-redirects 1.13.1-1+deb11u1 +CVE-2022-0536 + [bullseye] - node-follow-redirects 1.13.1-1+deb11u1 +CVE-2021-45115 + [bullseye] - python-django 2:2.2.26-1~deb11u1 +CVE-2021-45116 + [bullseye] - python-django 2:2.2.26-1~deb11u1 +CVE-2021-45452 + [bullseye] - python-django 2:2.2.26-1~deb11u1 +CVE-2022-21670 + [bullseye] - node-markdown-it 10.0.0+dfsg-2+deb11u1 +CVE-2022-20698 + [bullseye] - clamav 0.103.5+dfsg-0+deb11u1 +CVE-2021-3997 + [bullseye] - systemd 247.3-7 +CVE-2020-18442 + [bullseye] - zziplib 0.13.62-3.3+deb11u1 +CVE-2022-0235 + [bullseye] - node-fetch 2.6.1-5+deb11u1 +CVE-2021-40516 + [bullseye] - weechat 3.0-1+deb11u1 +CVE-2021-23518 + [bullseye] - node-cached-path-relative 1.0.2-1+deb11u1 +CVE-2021-44273 + [bullseye] - e2guardian 5.3.4-1+deb11u1 +CVE-2021-46671 + [bullseye] - atftp 0.7.git20120829-3.3+deb11u2 +CVE-2022-24130 + [bullseye] - xterm 366-1+deb11u1 +CVE-2022-21814 + [bullseye] - nvidia-graphics-drivers-tesla-450 450.172.01-1~deb11u1 + [bullseye] - nvidia-graphics-drivers 470.103.01-1~deb11u1 +CVE-2022-21813 + [bullseye] - nvidia-graphics-drivers-tesla-450 450.172.01-1~deb11u1 + [bullseye] - nvidia-graphics-drivers 470.103.01-1~deb11u1 +CVE-2021-3803 + [bullseye] - node-nth-check 2.0.0-1+deb11u1 +CVE-2021-33623 + [bullseye] - node-trim-newlines 3.0.0-1+deb11u1 +CVE-2022-23806 + [bullseye] - golang-1.15 1.15.15-1~deb11u3 +CVE-2022-23772 + [bullseye] - golang-1.15 1.15.15-1~deb11u3 +CVE-2022-23773 + [bullseye] - golang-1.15 1.15.15-1~deb11u3 +CVE-2021-4104 + [bullseye] - apache-log4j1.2 1.2.17-10+deb11u1 +CVE-2022-23302 + [bullseye] - apache-log4j1.2 1.2.17-10+deb11u1 +CVE-2022-23305 + [bullseye] - apache-log4j1.2 1.2.17-10+deb11u1 +CVE-2022-23307 + [bullseye] - apache-log4j1.2 1.2.17-10+deb11u1 +CVE-2021-44832 + [bullseye] - apache-log4j2 2.17.1-1~deb11u1 +CVE-2021-43396 + [bullseye] - glibc 2.31-13+deb11u3 +CVE-2022-23218 + [bullseye] - glibc 2.31-13+deb11u3 +CVE-2022-23219 + [bullseye] - glibc 2.31-13+deb11u3 +CVE-2021-33574 + [bullseye] - glibc 2.31-13+deb11u3 diff --git a/data/packages/removed-packages b/data/packages/removed-packages index 381c664dce..210993b454 100644 --- a/data/packages/removed-packages +++ b/data/packages/removed-packages @@ -817,3 +817,6 @@ ruby-rexml openjdk-15 nvidia-graphics-drivers-tesla-440 opentmpfiles +php8.0 +rust-rand-core-0.3 +ansible-base diff --git a/doc/security-team.d.o/glossary b/doc/security-team.d.o/glossary index 70e086815d..80ea387ddf 100644 --- a/doc/security-team.d.o/glossary +++ b/doc/security-team.d.o/glossary @@ -1,18 +1,25 @@ # Glossary -TODO: NFU, DLA, SPU, embargo, etc... - <a id="CVE">CVE id</a> : *Common Vulnerabilities and Exposures* id. In order to refer to a vulnerability, an id provided by [MITRE](#mitre) is used. This id is unique for each public vulnerability. [Website](https://cve.mitre.org/) +<a id="dla">DLA</a> +: A Security Advisory from the Debian Long Term Support team that affects older versions of Debian. [Example DLA](https://lists.debian.org/debian-lts-announce/2021/10/msg00033.html) + +<a id="dsa">DSA</a> +: An official Debian Security Advisory is called a DSA for short. [Example DSA](https://www.debian.org/security/2021/dsa-5014) + +<a id="dtsa">DTSA</a> +: An official Debian Security Advisory for the testing suite (historic, no longer in use) + <a id="mitre">MITRE</a> : The MITRE Corporation, a US based not-for-profit company, best known for maintaining the [CVE](#CVE) id system. [Website](https://www.mitre.org/) +<a id="nfu">NFU</a> +: Not For Us. This designation is placed on a CVE that does not directly affect Debian. [More info on NFU](https://security-team.debian.org/security_tracker.html#issues-not-for-us-nfu) + <a id="oss-sec">oss-security</a> : *Open Source Software Security*. Community for open source software security research, best known for its equally named mailing list. [Website](http://oss-security.openwall.org/) - -<a id="dsa">DSA</a> -: An official Debian Security Advisory is called a DSA for short. [Example DSA](https://www.debian.org/security/2021/dsa-5014) diff --git a/doc/security-team.d.o/security_tracker b/doc/security-team.d.o/security_tracker index 7a42cbb61a..74d3687271 100644 --- a/doc/security-team.d.o/security_tracker +++ b/doc/security-team.d.o/security_tracker @@ -16,6 +16,18 @@ online. Everything is designed to be very simple to use, transparent and easy to see what other people are working on so you can work on other things. +The Debian Security Tracker is only concerned with how specific vulnerabilities affect +Debian. Many vulnerabilities are triaged as NFU (`NOT-FOR-US`) simply because the +vulnerable software is not (yet) packaged for Debian. Triage comments on any specific +vulnerability only reflect the possible impact on a system running Debian. + +For example, systems with some additional or modified packages compared to Debian need +a separate triage process for every NFU to find ones which are relevant to what has +been added as well as a triage on packages which differ from Debian. + +Entries in the Debian Security Tracker do not imply anything about how a vulnerability +may affect systems other than Debian. + Gentle Introduction ------------------- @@ -421,6 +433,11 @@ assess these levels. Certain packages may get higher or lower rating than usual, based on their importance. +Assessments of severity are made against the binaries as provided by Debian. For each +vulnerability, the severity assigned within the Debian Security Tracker only relates to +how Debian views that vulnerability and how quickly the fix may need to be applied to +the specified package(s) within Debian. + ### Vulnerabilities without an assigned CVE id If you learn of a vulnerability to which no CVE id has been assigned yet, you can @@ -541,22 +558,65 @@ cross-reference will be added automatically by the cron job. However, you do need to add `[lenny]` or `[squeeze]` entries to `CVE/list` when there is a `no-dsa` or `not-affected` condition. +Summary of tracker syntax +------------------------- + +For a vulnerability in a package in Debian or proposed for introduction into Debian, +the syntax should contain at least the `PKG_NAME` tabbed line and a `NOTE:` providing a +URL to useful references, like commit references, bug tracker entries and advisories. +Other lines are added, where relevant, within the general syntax. + + CVE-YYYY-NNNNNN [(description)] + \t RESERVED + \t - PKG_NAME [PKG_TAG | PKG_FIX_VERSION] SEVERITY_LEVEL (free text comment) + \t [codename] - PKG_NAME [PKG_TAG | PKG_FIX_VERSION] (free text comment) + \t NOTE: + \t TODO: + +- Each tabbed line, except `RESERVED`, can be repeated, e.g. for code embedded in + multiple packages and/or to cover multiple suites. Codenames are listed in order of + the release date. +- PKG_NAME is the source package name in the archive. +- PKG_TAG : `<no-dsa>` | `<unfixed>` | `<undetermined>` | `<not-affected>` | `<itp>` +- SEVERITY_LEVEL : `(unimportant)` | `(low)` | `(medium)` | `(high)` +- The pre-commit hook will check the syntax of each entry. + +The description of the CVE is not edited in the security tracker but it will be +shortened in the tracker page for the vulnerability. A temporary description can be +added with the `[description]` syntax, for example for clarification. This will not be +overridden by an automatic update unless there is a change in the description of the +CVE in the MITRE feed. + +For `<itp>`, the comment needs to include the bug number as `(bug #NNNNNNNNNN)`. (The +`<itp>` package tag is used for both ITP and RFP bugs - +see [ITP/RFP packages](#issues-in-itp-andor-rfp-packages)) + +`NOTE:` annotations are often used for URLs for more information but can also be +used for descriptive comments. + Checking in your changes ------------------------ After thoroughly researching each issue (as described above) and editing the relevant files, commit your changes. Peer review is (hopefully) done via the mailing list and IRC notifications (see [Automatic issue updates](#automatic-issue-updates) above). -However, changes to the tracker website itself (e.g., the files in lib/* -and bin/tracker_service.py) should be vetted and approved before being +However, changes to the tracker website itself (e.g., the files in `lib/*` +and `bin/tracker_service.py`) should be vetted and approved before being committed. The preferred way to do this is to send a patch to the -debian-security-tracker@lists.debian.org mailing list. +`debian-security-tracker@lists.debian.org` mailing list or a merge request in Salsa. + +- [Salsa](https://salsa.debian.org/security-tracker-team/security-tracker/) +- [https://lists.debian.org/debian-security-tracker/](https://lists.debian.org/debian-security-tracker/) Commits are checked for syntax errors before they are actually committed, and you'll receive an error and your commit is aborted if it is in error. To check your changes yourself beforehand, use `make check-syntax` from the root of the Git directory. +Note: It can be useful to use `git worktree` support for merging changes to master and +ease issues that can occur when someone else has committed in between. See [git +worktree (1)](https://manpages.debian.org/unstable/git-man/git-worktree.1.en.html). + Following up on security issues ------------------------------- @@ -573,7 +633,7 @@ Tracking of security bugs in the BTS and linking them to a user tag by CVE -------------------------------------------------------------------------- There's an automated tagging of security-related bugs to CVE IDs through -the user tag security for the user debian-security@lists.debian.org. +the user tag security for the user `debian-security@lists.debian.org`. All bugs added to the tracker are automatically tagged. You can use the search @@ -594,11 +654,93 @@ with the following content: Contributing with the security tracker code ------------------------------------------- -Either fill a bug against the security-tracker pseudo-package attaching the patch -to be reviewed or create a merge request for the security-tracker project. +Either file a bug against the `security-tracker` pseudo-package attaching the patch +to be reviewed or create a merge request for the security-tracker project in Salsa. + +### Helper scripts for one-off updates + +On success, scripts output a snippet of the main CVE list showing the new CVE +information. Make sure to check for warnings and errors reported by the script. The +output file needs to be manually reviewed and can then be merged using +`./bin/merge-cve-files` or sent for review by the security team by email. + +##### Updating a vulnerability + +* Mark a given released suite as not affected for a specific CVE and source package: + + `./bin/update-vuln --cve CVE --src SRC --suite SUITE` + +* Add a bug number to an existing CVE entry + + `./bin/update-vuln --cve CVE --number 1000000` + +* Add a note to a specific CVE entry + + `./bin/update-vuln --cve CVE --note "quoted note string"` + +Example workflow: + + ./bin/update-vuln --cve CVE-YYYY-NNNNN ... + +check for error and warning messages & merge into the main CVE list: + + ./bin/merge-cve-files ./CVE-YYYY-NNNNN.list + +review change to data/CVE/list + + git diff data/CVE/list + rm ./CVE-YYYY-NNNNN.list + +.. repeat for additional entries to this or other CVEs. + + git add data/CVE/list + git commit + +#### Retrieve fixes in uploads to unstable + +`./bin/grab-cve-in-fix` supports different ways to retrieve one or more CVEs as fixed in unstable: + +- Using information directly from the upload into unstable: + + `cat changes | ./bin/grab-cve-in-fix --input` + +- Using information in the lists.debian.org archive: + + `./bin/grab-cve-in-fix --archive https://lists.debian.org/debian-devel-changes/2021/12/msg01280.html` + +- Using information in the package tracker: + + `./bin/grab-cve-in-fix --tracker https://tracker.debian.org/news/1285227/accepted-freerdp2-241dfsg1-1-source-into-unstable/` + +- Using local caches in the security-tracker: + + `./bin/grab-cve-in-fix --src SRC --cves [CVES...]` + +Note: to use `STDIN` with the --input option, the changes content must be signed - i.e. +as it would appear in notifications after the upload. This can be used to double-check +your CVE list before uploading to ftp-master. `./bin/grab-cve-in-fix` will report if a +CVE does not exist or if the CVE is attributed to a different package. **TODO** (further details) +### Contributing ongoing triage work + +Some familiarity with the tooling and syntax will be needed for this, as with any development +project. + +* `./bin/check-new-issues` - use the -h option to see the help output. + +* `./bin/report-vuln` - generate the correct email body to report a bug against a source package + relating to an unfixed CVE(s). + +### Useful search support for checking new CVEs + +- [https://www.debian.org/distrib/packages#search_packages](https://www.debian.org/distrib/packages#search_packages) +- [https://wnpp.debian.net/](https://wnpp.debian.net/) (Be aware, forwarded ITPs might + not be found, so check the [WNPP bug list](https://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=wnpp;dist=unstable) also) +- [https://tracker.debian.org/](https://tracker.debian.org/) +- [https://codesearch.debian.net/](https://codesearch.debian.net/) + Setting up a local testing instance ----------------------------------- diff --git a/org/lts-frontdesk.2022.txt b/org/lts-frontdesk.2022.txt index 9907f14fa9..c9ee8c5572 100644 --- a/org/lts-frontdesk.2022.txt +++ b/org/lts-frontdesk.2022.txt @@ -16,50 +16,50 @@ From 10-01 to 16-01:Sylvain Beucler <beuc@beuc.net> From 17-01 to 23-01:Thorsten Alteholz <debian@alteholz.de> From 24-01 to 30-01:Utkarsh Gupta <guptautkarsh2102@gmail.com> From 31-01 to 06-02:Sylvain Beucler <beuc@beuc.net> -From 07-02 to 13-02:Chris Lamb <chris@chris-lamb.co.uk> +From 07-02 to 13-02:Thorsten Alteholz <squeeze-lts@alteholz.de> From 14-02 to 20-02:Utkarsh Gupta <guptautkarsh2102@gmail.com> -From 21-02 to 27-02:Thorsten Alteholz <debian@alteholz.de> -From 28-02 to 06-03:Sylvain Beucler <beuc@beuc.net> -From 07-03 to 13-03:Chris Lamb <chris@chris-lamb.co.uk> -From 14-03 to 20-03:Utkarsh Gupta <guptautkarsh2102@gmail.com> -From 21-03 to 27-03:Thorsten Alteholz <debian@alteholz.de> +From 21-02 to 27-02:Anton Gladky <gladky.anton@gmail.com> +From 28-02 to 06-03:Chris Lamb <chris@chris-lamb.co.uk> +From 07-03 to 13-03:Emilio Pozuelo Monfort <pochu27@gmail.com> +From 14-03 to 20-03:Markus Koschany <markus@koschany.net> +From 21-03 to 27-03:Ola Lundqvist <ola@inguza.com> From 28-03 to 03-04:Sylvain Beucler <beuc@beuc.net> -From 04-04 to 10-04:Chris Lamb <chris@chris-lamb.co.uk> +From 04-04 to 10-04:Thorsten Alteholz <squeeze-lts@alteholz.de> From 11-04 to 17-04:Utkarsh Gupta <guptautkarsh2102@gmail.com> -From 18-04 to 24-04:Thorsten Alteholz <debian@alteholz.de> -From 25-04 to 01-05:Utkarsh Gupta <guptautkarsh2102@gmail.com> -From 02-05 to 08-05:Sylvain Beucler <beuc@beuc.net> -From 09-05 to 15-05:Chris Lamb <chris@chris-lamb.co.uk> -From 16-05 to 22-05:Utkarsh Gupta <guptautkarsh2102@gmail.com> -From 23-05 to 29-05:Thorsten Alteholz <debian@alteholz.de> -From 30-05 to 05-06:Sylvain Beucler <beuc@beuc.net> -From 06-06 to 12-06:Chris Lamb <chris@chris-lamb.co.uk> -From 13-06 to 19-06:Utkarsh Gupta <guptautkarsh2102@gmail.com> -From 20-06 to 26-06:Thorsten Alteholz <debian@alteholz.de> -From 27-06 to 03-07:Utkarsh Gupta <guptautkarsh2102@gmail.com> -From 04-07 to 10-07:Sylvain Beucler <beuc@beuc.net> -From 11-07 to 17-07:Chris Lamb <chris@chris-lamb.co.uk> -From 18-07 to 24-07:Thorsten Alteholz <debian@alteholz.de> -From 25-07 to 31-07:Utkarsh Gupta <guptautkarsh2102@gmail.com> -From 01-08 to 07-08:Sylvain Beucler <beuc@beuc.net> -From 08-08 to 14-08:Utkarsh Gupta <guptautkarsh2102@gmail.com> -From 15-08 to 21-08:Chris Lamb <chris@chris-lamb.co.uk> -From 22-08 to 28-08:Thorsten Alteholz <debian@alteholz.de> -From 29-08 to 04-09:Sylvain Beucler <beuc@beuc.net> -From 05-09 to 11-09:Chris Lamb <chris@chris-lamb.co.uk> -From 12-09 to 18-09:Utkarsh Gupta <guptautkarsh2102@gmail.com> -From 19-09 to 25-09:Thorsten Alteholz <debian@alteholz.de> -From 26-09 to 02-10:Utkarsh Gupta <guptautkarsh2102@gmail.com> -From 03-10 to 09-10:Sylvain Beucler <beuc@beuc.net> -From 10-10 to 16-10:Utkarsh Gupta <guptautkarsh2102@gmail.com> -From 17-10 to 23-10:Chris Lamb <chris@chris-lamb.co.uk> -From 24-10 to 30-10:Thorsten Alteholz <debian@alteholz.de> -From 31-10 to 06-11:Sylvain Beucler <beuc@beuc.net> -From 07-11 to 13-11:Utkarsh Gupta <guptautkarsh2102@gmail.com> -From 14-11 to 20-11:Anton Gladky <gladk@debian.org> -From 21-11 to 27-11:Thorsten Alteholz <debian@alteholz.de> -From 28-11 to 04-12:Sylvain Beucler <beuc@beuc.net> -From 05-12 to 11-12:Chris Lamb <chris@chris-lamb.co.uk> -From 12-12 to 18-12:Thorsten Alteholz <debian@alteholz.de> -From 19-12 to 25-12:Utkarsh Gupta <guptautkarsh2102@gmail.com> -From 26-12 to 01-01:Anton Gladky <gladk@debian.org> +From 18-04 to 24-04:Anton Gladky <gladky.anton@gmail.com> +From 25-04 to 01-05:Chris Lamb <chris@chris-lamb.co.uk> +From 02-05 to 08-05:Emilio Pozuelo Monfort <pochu27@gmail.com> +From 09-05 to 15-05:Markus Koschany <markus@koschany.net> +From 16-05 to 22-05:Ola Lundqvist <ola@inguza.com> +From 23-05 to 29-05:Sylvain Beucler <beuc@beuc.net> +From 30-05 to 05-06:Thorsten Alteholz <squeeze-lts@alteholz.de> +From 06-06 to 12-06:Utkarsh Gupta <guptautkarsh2102@gmail.com> +From 13-06 to 19-06:Anton Gladky <gladky.anton@gmail.com> +From 20-06 to 26-06:Chris Lamb <chris@chris-lamb.co.uk> +From 27-06 to 03-07:Emilio Pozuelo Monfort <pochu27@gmail.com> +From 04-07 to 10-07: +From 11-07 to 17-07: +From 18-07 to 24-07: +From 25-07 to 31-07: +From 01-08 to 07-08: +From 08-08 to 14-08: +From 15-08 to 21-08: +From 22-08 to 28-08: +From 29-08 to 04-09: +From 05-09 to 11-09: +From 12-09 to 18-09: +From 19-09 to 25-09: +From 26-09 to 02-10: +From 03-10 to 09-10: +From 10-10 to 16-10: +From 17-10 to 23-10: +From 24-10 to 30-10: +From 31-10 to 06-11: +From 07-11 to 13-11: +From 14-11 to 20-11: +From 21-11 to 27-11: +From 28-11 to 04-12: +From 05-12 to 11-12: +From 12-12 to 18-12: +From 19-12 to 25-12: +From 26-12 to 01-01:
\ No newline at end of file |